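<?php
# AUTHENTICATION CONTROLLER:
#
# Flow: (1) issue a per-session CSRF form token, (2) validate a posted login
# through the auth library, (3) on success bind a fresh user token to the
# session and a cookie, (4) on later requests verify that the cookie, the URL
# token and the session token all agree before letting the user continue,
# otherwise render the login form.
error_reporting(E_ALL);
session_start();
# require config:
require_once $_SERVER['DOCUMENT_ROOT'] . "shoppingCART/lib/constants.inc.php";
# get the database:
require DATABASE;
# get auth library:
require AUTH_LIB;
# get output lib:
require_once OUTPUT;

# variables required:
# rand()/md5(rand()) is predictable; random_bytes() (PHP 7.0+) is a CSPRNG,
# so form and user tokens are derived from it instead.
$form_token = bin2hex(random_bytes(32)); # required when submitting the login form.
$ip_address = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$failed_attempts = array(); # failures observed during THIS request (kept for templates that read it)
$max_failed_attempts = 5;
$error = array(); # array to collect errors
$form_token_ttl = 900; # seconds a form token stays valid
$cookie_ttl = 4500; # seconds the user_token cookie stays valid
# mark the cookie Secure only when the request itself arrived over TLS
$cookie_secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
# cross-request failure counter; it lives in the session, so it only slows
# down a client that keeps the same session (a persistent per-account store
# would be needed for a real lockout).
$failed_count = isset($_SESSION['failed_attempts']) ? (int) $_SESSION['failed_attempts'] : 0;

# set the sessions: both keys must be (re)issued together, otherwise
# form_token_start can be missing when the age is computed below.
if (!isset($_SESSION['form_token'], $_SESSION['form_token_start'])) {
    $_SESSION['form_token'] = $form_token;
    $_SESSION['form_token_start'] = time();
}
# calculate token age:
$token_age = time() - (int) $_SESSION['form_token_start'];

# check if session has expired:
if ($token_age >= $form_token_ttl) {
    $error['timeout'] = "Session Expired.";
    # issue a fresh token immediately, otherwise the session stays "expired"
    # on every following request until the session itself is destroyed.
    $_SESSION['form_token'] = $form_token;
    $_SESSION['form_token_start'] = time();
} elseif (isset($_POST['username'], $_POST['password'], $_POST['action'], $_POST['form_token'])
    # check if correct submit button was clicked and that everything was filled in:
    && is_string($_POST['username']) && is_string($_POST['password']) && is_string($_POST['form_token'])
    && $_POST['action'] === "Sign In"
    # constant-time comparison of the CSRF token; a plain === leaks timing
    && hash_equals((string) $_SESSION['form_token'], $_POST['form_token'])
) {
    if ($failed_count >= $max_failed_attempts) {
        $error['locked'][] = "Too many failed attempts.";
    } elseif ($_POST['username'] !== '' && $_POST['password'] !== '') {
        # make user input safe:
        # NOTE(review): userInput() is defined in AUTH_LIB/OUTPUT and is not
        # visible here; if it rewrites characters, passwords containing them
        # will never verify -- confirm it is safe to apply to the password.
        $username = userInput($_POST['username']);
        $password = userInput($_POST['password']);
        # check if valid username and password:
        if (validUser($username, $password)) {
            # get the users url token from the database:
            $url_token = '';
            foreach (getUserDetails($username) as $user_value) {
                $url_token = $user_value['url_token'];
            }
            # a new session id on login prevents session fixation: an id handed
            # to the victim before login must not become authenticated.
            session_regenerate_id(true);
            $_SESSION['failed_attempts'] = 0;
            # the following token will now be used in each request the user makes:
            $user_token = hash('sha256', bin2hex(random_bytes(32)) . $user_agent . $ip_address . $url_token);
            # always replace the session token; keeping a stale one from an
            # earlier login would make the cookie check below fail.
            $_SESSION['user_token'] = $user_token;
            # HttpOnly keeps the token away from script; Secure is set on TLS requests
            setcookie("user_token", "$user_token-$ip_address", time() + $cookie_ttl, '', '', $cookie_secure, true);
            echo "<a href='?token=$user_token'>Click here</a>"; # token is hex, safe in an attribute
            # escape for HTML context; double_encode=false in case userInput()
            # already encoded the value
            echo "<p>" . htmlspecialchars($username, ENT_QUOTES, 'UTF-8', false); # REDIRECT TO USER HOME HERE, show content here
            exit;
        } else {
            # FAILED login attempt:
            $failed_attempts[] = 1;
            $_SESSION['failed_attempts'] = $failed_count + 1;
            $error['invalid'][] = "Username or Password is invalid.";
            $_SESSION['form_token'] = $form_token; # generate new form token
        }
    } else {
        # empty username or password
        $failed_attempts[] = 1;
        $_SESSION['failed_attempts'] = $failed_count + 1;
        $error['empty'][] = "Enter a Username and Password.";
        $_SESSION['form_token'] = $form_token; # generate new form token
    }
}

# after user has been validated, check that this is the correct cookie:
# the cookie and the URL token are both client-supplied, so each is compared
# against the token this session issued, not merely against each other.
$cookie_ok = false;
if (isset($_COOKIE['user_token'], $_SESSION['user_token'], $_GET['token'])
    && is_string($_COOKIE['user_token']) && is_string($_GET['token'])
) {
    $cookie = explode("-", $_COOKIE['user_token'], 2);
    $session_token = (string) $_SESSION['user_token'];
    $cookie_ok = count($cookie) === 2
        && hash_equals($session_token, $cookie[0])
        && hash_equals($session_token, $_GET['token'])
        && $cookie[1] === $ip_address; # match ip address
}
if ($cookie_ok) {
    # allowed to continue: refresh the cookie lifetime
    setcookie("user_token", "$session_token-$ip_address", time() + $cookie_ttl, '', '', $cookie_secure, true);
} else {
    require h_LOGIN; # show html form
    exit;
}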