  1. <?php
  2. header("X-Frame-Options: DENY");
  3. sec_session_start();
  4.  
  5.  
  6. // controllo autenticazione........
  7.  
  8. if(checkAuth()){
  9. $user = trim($_POST['user']);
  10. $pass = trim($_POST['pass']);
  11. $captcha_response = trim($_POST['g-recaptcha-response']);
  12.  
  13. if(isset($user) && isset($pass) && isset($captcha_response) && $user != "" && $pass != "" && $captcha_response != "" && captchaControl($captcha_response)){
  14. //captcha valido
  15. $account = getAccount(); /* recupero dati account*/
  16. cleanExpiredAttemps();
  17. if(checkAttempsValidation()){
  18. //controllo dati
  19. if($user == $account->user && MD5($pass) == $account->pass){
  20. //dati validi
  21. //autentico
  22. autenticate();
  23.  
  24.  
  25. //send mail
  26. $mails = getMails();
  27. $arr = json_decode(file_get_contents("http://ip-api.com/json/".getIp()),true);
  28. $mailMsg = "Login success
  29.  
  30. Date: ". date('D, d M Y H:i:s')."
  31. Ip: ".getIp()."
  32. Citta (circa): ".$arr['city']."
  33. Provider: ".$arr['isp'];
  34.  
  35. for($i = 0;$i < $mails->lenght;$i++){
  36. mail($mails[$i],"Login effettuato",$mailMsg);
  37. }
  38.  
  39. }else{
  40. //dati non validi
  41. //login attemps +1
  42. addLoginAttemp();
  43. outputLoginForm();
  44. }
  45. }else{
  46.  
  47. //send mail
  48. $mails = getMails();
  49. $arr = json_decode(file_get_contents("http://ip-api.com/json/".getIp()),true);
  50. $mailMsg = "Login wrong 3 times:
  51.  
  52. Date: ". date('D, d M Y H:i:s')."
  53. Ip: ".getIp()."
  54. City (circa): ".$arr['city']."
  55. Provider: ".$arr['isp'];
  56.  
  57. for($i = 0;$i < $mails->lenght;$i++){
  58. mail($mails[$i],"Login effettuato",$mailMsg);
  59. }
  60. echo "<p align='center'>Ti sei collegato troppe volte<br>sarai disconnesso per 1 ora<br></p>";
  61. outputLoginForm();
  62. }
  63.  
  64. }else{
  65. //chiedi login
  66. outputLoginForm();
  67. }
  68. }
  69.  
  70. //************************************************************************************************************************* *****//
  71.  
  72. echo "autenticato";
  73.  
  74.  
  75.  
  76.  
  77.  
  78. //************************************************************************************************************************* *****//
  79.  
  80. function outputLoginForm(){
  81. die ("<meta name='viewport' content='width=450px', initial-scale=1.0'>
  82. <style>
  83.  
  84. input{
  85. margin-bottom: 5px;
  86. width: 100%;
  87. height: 25px;
  88.  
  89. }
  90. form{
  91. padding: 10px;
  92. border: 1px solid #dddddd;
  93. width: 300px;
  94. margin: 0 auto;
  95. }
  96. div{
  97. margin-bottom: 5px;
  98. }
  99. h2{
  100. margin: 0;
  101. margin-bottom: 3px;
  102. text-align: center;
  103. }
  104. </style>
  105. <script src='https://www.google.com/recaptcha/api.js'></script>
  106. <form action='#' method='post'>
  107. <h2>Login</h2>
  108. <input name='user' placeholder='username'><br>
  109. <input type='password' name='pass' placeholder='password'><br>
  110. <input type='hidden' name='view' value='home'>
  111. <div class='g-recaptcha' data-sitekey='6LdybQcUAAAAADckezXhCvnYziDhLCwKwKrdVyFE'></div>
  112. <input type='submit'>
  113. </form>");
  114. }
  115.  
  116. //************************************************************************************************************************* *****//
  117.  
  118. function cleanExpiredAttemps(){
  119. $mysqli = openDatabaseConn();
  120. if ($query = $mysqli->prepare("SELECT id,ip,last_attemp_time from login_attemps")) {
  121. $result = $query->execute(); /* execute query */
  122. $query->store_result();
  123. $query->bind_result($id,$ip,$last_attemp_time);
  124. if($result){
  125. if($query->num_rows > 0){
  126.  
  127. //se ce ne uno o piu
  128. $query2 = $mysqli->prepare("DELETE from login_attemps WHERE id = ?");
  129. $query2->bind_param("i",$id_query2);
  130. for($i = 0;$i < $query->num_rows; $i++){
  131. $query->fetch();
  132. if((time() - $last_attemp_time > 3600)){
  133. $id_query2 = $id;
  134. $query2->execute();
  135. }
  136. }
  137. $query2->close();
  138. }
  139. }else{
  140. echo "Errore sconosciuto<br>";
  141. outputLoginForm();
  142. }
  143.  
  144. $query->close();
  145. }else{
  146. echo "Errore sconosciuto<br>";
  147. outputLoginForm();
  148. }
  149.  
  150. closeDatabaseConn($mysqli);
  151. }
  152.  
  153. //************************************************************************************************************************* *****//
  154.  
  155. function checkAttempsValidation(){
  156. $mysqli = openDatabaseConn();
  157.  
  158. if ($query = $mysqli->prepare("SELECT * from login_attemps WHERE ip = ?")) {
  159. $query->bind_param("s",getIp()); /*bind params*/
  160. $result = $query->execute(); /* execute query */
  161. $query->store_result();
  162. if($query->num_rows < 3 && $result){
  163. return true;
  164. }else{
  165. return false;
  166. }
  167. $query->close(); /* close statement */
  168. }
  169. closeDatabaseConn($mysqli);
  170. }
  171.  
  172. //************************************************************************************************************************* *****//
  173.  
  174. function addLoginAttemp(){
  175. $mysqli = openDatabaseConn();
  176.  
  177. if ($query = $mysqli->prepare("INSERT into login_attemps (ip,last_attemp_time) VALUES (?,?)")) {
  178. $query->bind_param("si",getIp(),time()); /*bind params*/
  179. $result = $query->execute(); /* execute query */
  180. $query->close(); /* close statement */
  181. }
  182. closeDatabaseConn($mysqli);
  183. }
  184.  
  185. //************************************************************************************************************************* *****//
  186.  
  187. function captchaControl($response){
  188. $secret = "...";
  189. $remoteIp = getIp();
  190. $request = "https://www.google.com/recaptcha/api/siteverify?secret=$secret&response=$response&remoteip= $remoteIp";
  191.  
  192. $arr = json_decode($request);
  193. $result = $arr['success'];
  194.  
  195. return $result;
  196. }
  197.  
  198. //************************************************************************************************************************* *****//
  199.  
  200. class account{
  201. public $user;
  202. public $pass;
  203.  
  204. public function account($user,$pass){
  205. $this->user = $user;
  206. $this->pass = $pass;
  207.  
  208. }
  209. }
  210.  
  211. //************************************************************************************************************************* *****//
  212.  
  213. function getAccount(){
  214.  
  215. $mysqli = openDatabaseConn();
  216.  
  217. if ($query = $mysqli->prepare("SELECT user,pass FROM login_account")) {
  218.  
  219. $result = $query->execute(); /* execute query */
  220. if($result){
  221. $query->bind_result($db_user,$db_pass); /* bind result variables */
  222. $query->fetch();
  223. $account = new account($db_user,$db_pass);
  224. $query->close(); /* close statement */
  225. }else{
  226. outputLoginForm();
  227. }
  228.  
  229.  
  230. }
  231.  
  232. closeDatabaseConn($mysqli);
  233.  
  234. return $account;
  235. }
  236.  
  237. //************************************************************************************************************************* ****//
  238.  
  239. function getMails(){
  240.  
  241. $mysqli = openDatabaseConn();
  242.  
  243. if ($query = $mysqli->prepare("SELECT mail FROM mail_account_to_notify")) {
  244.  
  245. $query->execute(); /* execute query */
  246. $query->store_result();
  247. $query->bind_result($mail); /* bind result variables */
  248. for($i = 0; $i < $query->num_rows; $i++){
  249. $query->fetch();
  250. $mails[$i] = $mail;
  251. }
  252.  
  253. $query->close(); /* close statement */
  254. }
  255.  
  256. closeDatabaseConn($mysqli);
  257.  
  258. return $mails;
  259. }
  260.  
  261. //************************************************************************************************************************* *****//
  262.  
  263. function sec_session_start() {
  264. $session_name = 'sec_session_id'; // Imposta un nome di sessione
  265. $secure = false; // Imposta il parametro a true se vuoi usare il protocollo 'https'.
  266. $httponly = true; // Questo impedirà ad un javascript di essere in grado di accedere all'id di sessione.
  267. ini_set('session.use_only_cookies', 1); // Forza la sessione ad utilizzare solo i cookie.
  268. $cookieParams = session_get_cookie_params(); // Legge i parametri correnti relativi ai cookie.
  269. session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $ httponly);
  270. session_name($session_name); // Imposta il nome di sessione con quello prescelto all'inizio della funzione.
  271. session_start(); // Avvia la sessione php.
  272. session_regenerate_id(); // Rigenera la sessione e cancella quella creata in precedenza.
  273. }
  274.  
  275. //************************************************************************************************************************* *****//
  276. function autenticate(){
  277. //inserire in current login
  278. $mysqli = openDatabaseConn();
  279.  
  280. if ($query = $mysqli->prepare("INSERT into current_login (ip,security_code,time) VALUES (?,?,?)")) {
  281. $security_code = generateSecurityCode();
  282. $query->bind_param("ssi",getIp(),$security_code,time()); /*bind params*/
  283. $result = $query->execute(); /* execute query */
  284. $query->close(); /* close statement */
  285. }
  286. closeDatabaseConn($mysqli);
  287. if($result){
  288. $_SESSION['security_code'] = $security_code;
  289. }else{
  290. //arresta tutto ,richiedi dati
  291. echo "Errore sconosciuto<br>";
  292. outputLoginForm();
  293. }
  294.  
  295.  
  296. }
  297.  
  298. //************************************************************************************************************************* *****//
  299.  
  300. function checkAuth(){
  301. //controllo autenticazione
  302. $mysqli = openDatabaseConn();
  303.  
  304. //check expiring
  305. if ($query = $mysqli->prepare("SELECT login_id,time from current_login")) {
  306.  
  307. $result = $query->execute(); /* execute query */
  308. $query->store_result();
  309. if($result){
  310. if($query->num_rows > 1){
  311. echo "1";
  312. //se ce ne piu di uno
  313. $query2 = $mysqli->prepare("DELETE from current_login");
  314. $query2->execute();
  315. $query2->close();
  316.  
  317. echo "<p align='center'>Errore<br></p>";
  318. outputLoginForm();
  319. }else if($query->num_rows == 1){
  320. echo "2";
  321. $query->bind_result($login_id,$time);
  322. $query->fetch();
  323.  
  324. if((time()-$time) >= 1200){
  325. echo "3";
  326. //scaduto
  327. $query3 = $mysqli->prepare("DELETE from current_login WHERE login_id = ?");
  328. $query3->bind_param("i",$login_id);
  329. $query3->execute();
  330. $query3->close();
  331. }
  332. }
  333. }else{
  334. echo "Errore sconosciuto<br>";
  335. outputLoginForm();
  336. }
  337. }else{
  338. echo "Errore sconosciuto<br>";
  339. outputLoginForm();
  340. }
  341.  
  342. $query->close();
  343.  
  344.  
  345. if ($query = $mysqli->prepare("SELECT ip,security_code,time from current_login")) {
  346. $result = $query->execute(); /* execute query */
  347. $query->store_result();
  348. if($result){
  349. if($query->num_rows == 0){
  350. echo "4";
  351. return true;
  352. }else if($query->num_rows == 1){
  353. echo "5";
  354. $query->bind_result($ip,$security_code,$time);
  355. $query->fetch();
  356. if($ip == getIp() && $security_code == $_SESSION['security_code'] && (time()-$time) < 1200){
  357. echo "6";
  358. return false;
  359. }else{
  360. echo "7";
  361. echo "<p align='center'>Utente gia' collegato<br></p>";
  362. outputLoginForm();
  363. }
  364. }else if($query->num_rows > 1){
  365. echo "8";
  366. $query2 = $mysqli->prepare("DELETE from current_login");
  367. $query2->execute();
  368. $query2->close();
  369. return true;
  370. }else{
  371. echo "<p align='center'>Errore sconosciuto<br></p>";
  372. outputLoginForm();
  373. }
  374. }else{
  375. echo "<p align='center'>Errore sconosciuto<br></p>";
  376. outputLoginForm();
  377. }
  378. $query->close(); /* close statement */
  379.  
  380. }
  381.  
  382. closeDatabaseConn($mysqli);
  383.  
  384. }
  385.  
  386. //************************************************************************************************************************* *****//
  387.  
  388. function openDatabaseConn(){
  389.  
  390. $mysqli = new mysqli("host", "user", "pass", "db");
  391.  
  392. if (mysqli_connect_errno()) {
  393. echo "<p align='center'>Connect failed: ".mysqli_connect_error()."<br></p>";
  394. outputLoginForm(); ///////////////////////////////////////////////////////////////////
  395. }
  396. return $mysqli;
  397. }
  398.  
  399. //************************************************************************************************************************* *****//
  400.  
  401. function closeDatabaseConn($conn){
  402. $conn->close(); /*close connection*/
  403. }
  404.  
  405. //************************************************************************************************************************* *****//
  406.  
  407. function generateSecurityCode(){
  408. $string = "";
  409. $arr = array("a","b","c","d","e","f","g","h","i","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","k","j","A","B","C","D", "E","F","G","H","I","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","K","J","0","1","2","3","4","5","6","7 ","8","9");
  410. for($i = 0; $i < 32;$i++){
  411. $string .= $arr[rand(1,60)];
  412. }
  413. return $string;
  414. }
  415.  
  416. //************************************************************************************************************************* *****//
  417.  
  418. function getIp(){
  419. $ipaddress = '';
  420. if (getenv('HTTP_CLIENT_IP'))
  421. $ipaddress = getenv('HTTP_CLIENT_IP');
  422. else if(getenv('HTTP_X_FORWARDED_FOR'))
  423. $ipaddress = getenv('HTTP_X_FORWARDED_FOR');
  424. else if(getenv('HTTP_X_FORWARDED'))
  425. $ipaddress = getenv('HTTP_X_FORWARDED');
  426. else if(getenv('HTTP_FORWARDED_FOR'))
  427. $ipaddress = getenv('HTTP_FORWARDED_FOR');
  428. else if(getenv('HTTP_FORWARDED'))
  429. $ipaddress = getenv('HTTP_FORWARDED');
  430. else if(getenv('REMOTE_ADDR'))
  431. $ipaddress = getenv('REMOTE_ADDR');
  432. else
  433. $ipaddress = '';
  434.  
  435. return $ipaddress;
  436. }
  437.  
  438. //************************************************************************************************************************* *****//
  439. ?>