html/includes/authenticate.inc.php

<?php 

@ini_set("session.gc_maxlifetime","0"); 

session_start();
if(isset($_GET['logout']) && $_SESSION['authenticated']) {
  mysql_query("INSERT INTO authlog (`user`,`address`,`result`) VALUES ('" . $_SESSION['username'] . "', '".$_SERVER["REMOTE_ADDR"]."', 'logged out')");
  unset($_SESSION);
  session_destroy();
  header('Location: /');
  setcookie ("username", "", time() - 60*60*24*100, "/");
  setcookie ("password", "", time() - 60*60*24*100, "/");
  $auth_message = "Logged Out";
}

if(isset($_POST['username']) && isset($_POST['password'])){
  $_SESSION['username'] = mres($_POST['username']);
  $_SESSION['password'] = mres($_POST['password']);
}

if(isset($_COOKIE['username']) && isset($_COOKIE['password'])){
  $_SESSION['username'] = mres($_COOKIE['username']);
  $_SESSION['password'] = mres($_COOKIE['password']);
}

if(isset($_SERVER['REMOTE_USER'])) {
  $_SESSION['username'] = mres($_SERVER['REMOTE_USER']);
  // we don't set a password here because we're using HTTP AUTH
}

$auth_success = 0;

if (isset($_SESSION['username']))
{
  if ($config['auth_mechanism'] == "mysql" || $config['auth_mechanism'] == "http-auth" || !$config['auth_mechanism'])
  {
       $sql = "SELECT username FROM `users` WHERE `username`='".$_SESSION['username'];
       if ($config['auth_mechanism'] != "http-auth") 
       {
           $encrypted = md5($_SESSION['password']);
           $sql .=       "' AND `password`='".$encrypted."';";
       } else { 
           $sql .= "';"; 
       }
       $query = mysql_query($sql);
    $row = @mysql_fetch_array($query);
    if($row['username'] && $row['username'] == $_SESSION['username']) {
      $auth_success = 1;
       } else {
         $_SESSION['username'] = $config['http_auth_guest'];
         $auth_success = 1;
       }
  }
  else if ($config['auth_mechanism'] == "ldap")
  {
    $ds=@ldap_connect($config['auth_ldap_server'],$config['auth_ldap_port']);
    if ($ds)
    {
      if (ldap_bind($ds, $config['auth_ldap_prefix'] . $_SESSION['username'] . $config['auth_ldap_suffix'], $_SESSION['password']))
      {
        if (!$config['auth_ldap_group'])
        {
          $auth_success = 1;
        }
        else
        { 
          if (ldap_compare($ds,$config['auth_ldap_group'],'memberUid',$_SESSION['username']))
          {
            $auth_success = 1;
          }
        }
      }
    }
  }
  else
  {
    echo "ERROR: no valid auth_mechanism defined.";
    exit();
  }
}

if ($auth_success) {
  $sql = "SELECT * FROM `users` WHERE `username`='".$_SESSION['username']."'";
  $query = mysql_query($sql);
  $row = @mysql_fetch_array($query);
  $_SESSION['userlevel'] = $row['level'];
  $_SESSION['user_id'] = $row['user_id'];
  if(!$_SESSION['authenticated']) {
    $_SESSION['authenticated'] = true;
    mysql_query("INSERT INTO authlog (`user`,`address`,`result`) VALUES ('".$_SESSION['username']."', '".$_SERVER["REMOTE_ADDR"]."', 'logged in')");
    header("Location: ".$_SERVER['REQUEST_URI']);
  }
  if(isset($_POST['remember'])) {
    setcookie("username", $_SESSION['username'], time()+60*60*24*100, "/");
    setcookie("password", $_SESSION['password'], time()+60*60*24*100, "/");
  }
} 
elseif (isset($_SESSION['username'])) { 
  $auth_message = "Authentication Failed"; 
  unset ($_SESSION['authenticated']);
  mysql_query("INSERT INTO authlog (`user`,`address`,`result`) VALUES ('".$_SESSION['username']."', '".$_SERVER["REMOTE_ADDR"]."', 'authentication failure')");
} 
?>
Initial Import 2007-04-03 14:10:23 +00:00			`<?php`

updates 2009-05-11 14:59:40 +00:00			`@ini_set("session.gc_maxlifetime","0");`

fix login and some other things 2009-03-17 20:26:29 +00:00			`session_start();`
ldap access filtering by group 2010-01-16 22:57:10 +00:00			`if(isset($_GET['logout']) && $_SESSION['authenticated']) {`
fix 2010-01-02 17:47:06 +00:00			mysql_query("INSERT INTO authlog (`user`,`address`,`result`) VALUES ('" . $_SESSION['username'] . "', '".$_SERVER["REMOTE_ADDR"]."', 'logged out')");
updates and fixes 2009-06-19 10:43:02 +00:00			`unset($_SESSION);`
Initial Import 2007-04-03 14:10:23 +00:00			`session_destroy();`
			`header('Location: /');`
updates and fixes 2009-06-19 10:43:02 +00:00			`setcookie ("username", "", time() - 606024*100, "/");`
			`setcookie ("password", "", time() - 606024*100, "/");`
fixing authentication 2008-11-26 12:55:55 +00:00			`$auth_message = "Logged Out";`
Initial Import 2007-04-03 14:10:23 +00:00			`}`

ldap access filtering by group 2010-01-16 22:57:10 +00:00			`if(isset($_POST['username']) && isset($_POST['password'])){`
updates and fixes 2009-06-19 10:43:02 +00:00			`$_SESSION['username'] = mres($_POST['username']);`
			`$_SESSION['password'] = mres($_POST['password']);`
			`}`

ldap access filtering by group 2010-01-16 22:57:10 +00:00			`if(isset($_COOKIE['username']) && isset($_COOKIE['password'])){`
updates and fixes 2009-06-19 10:43:02 +00:00			`$_SESSION['username'] = mres($_COOKIE['username']);`
			`$_SESSION['password'] = mres($_COOKIE['password']);`
			`}`

Add HTTP-Auth (thanks Allen Parker <parker a isohunt o com>) 2010-02-28 02:20:05 +00:00			`if(isset($_SERVER['REMOTE_USER'])) {`
			`$_SESSION['username'] = mres($_SERVER['REMOTE_USER']);`
			`// we don't set a password here because we're using HTTP AUTH`
			`}`

more fixes and updates from sid3windr 2009-12-31 19:06:05 +00:00			`$auth_success = 0;`
updates and fixes 2009-06-19 10:43:02 +00:00
Add HTTP-Auth (thanks Allen Parker <parker a isohunt o com>) 2010-02-28 02:20:05 +00:00			`if (isset($_SESSION['username']))`
more fixes and updates from sid3windr 2009-12-31 19:06:05 +00:00			`{`
Add HTTP-Auth (thanks Allen Parker <parker a isohunt o com>) 2010-02-28 02:20:05 +00:00			`if ($config['auth_mechanism'] == "mysql" \|\| $config['auth_mechanism'] == "http-auth" \|\| !$config['auth_mechanism'])`
avoid error on ldap bind when session has expired 2010-01-05 20:06:24 +00:00			`{`
Add HTTP-Auth (thanks Allen Parker <parker a isohunt o com>) 2010-02-28 02:20:05 +00:00			$sql = "SELECT username FROM `users` WHERE `username`='".$_SESSION['username'];
			`if ($config['auth_mechanism'] != "http-auth")`
			`{`
			`$encrypted = md5($_SESSION['password']);`
			$sql .= "' AND `password`='".$encrypted."';";
			`} else {`
			`$sql .= "';";`
			`}`
			`$query = mysql_query($sql);`
avoid error on ldap bind when session has expired 2010-01-05 20:06:24 +00:00			`$row = @mysql_fetch_array($query);`
			`if($row['username'] && $row['username'] == $_SESSION['username']) {`
			`$auth_success = 1;`
Add HTTP-Auth (thanks Allen Parker <parker a isohunt o com>) 2010-02-28 02:20:05 +00:00			`} else {`
			`$_SESSION['username'] = $config['http_auth_guest'];`
			`$auth_success = 1;`
			`}`
more fixes and updates from sid3windr 2009-12-31 19:06:05 +00:00			`}`
Add HTTP-Auth (thanks Allen Parker <parker a isohunt o com>) 2010-02-28 02:20:05 +00:00			`else if ($config['auth_mechanism'] == "ldap")`
more fixes and updates from sid3windr 2009-12-31 19:06:05 +00:00			`{`
avoid error on ldap bind when session has expired 2010-01-05 20:06:24 +00:00			`$ds=@ldap_connect($config['auth_ldap_server'],$config['auth_ldap_port']);`
			`if ($ds)`
more fixes and updates from sid3windr 2009-12-31 19:06:05 +00:00			`{`
avoid error on ldap bind when session has expired 2010-01-05 20:06:24 +00:00			`if (ldap_bind($ds, $config['auth_ldap_prefix'] . $_SESSION['username'] . $config['auth_ldap_suffix'], $_SESSION['password']))`
			`{`
ldap access filtering by group 2010-01-16 22:57:10 +00:00			`if (!$config['auth_ldap_group'])`
			`{`
			`$auth_success = 1;`
			`}`
			`else`
			`{`
			`if (ldap_compare($ds,$config['auth_ldap_group'],'memberUid',$_SESSION['username']))`
			`{`
			`$auth_success = 1;`
			`}`
			`}`
avoid error on ldap bind when session has expired 2010-01-05 20:06:24 +00:00			`}`
more fixes and updates from sid3windr 2009-12-31 19:06:05 +00:00			`}`
			`}`
avoid error on ldap bind when session has expired 2010-01-05 20:06:24 +00:00			`else`
			`{`
			`echo "ERROR: no valid auth_mechanism defined.";`
			`exit();`
			`}`
more fixes and updates from sid3windr 2009-12-31 19:06:05 +00:00			`}`

			`if ($auth_success) {`
			$sql = "SELECT * FROM `users` WHERE `username`='".$_SESSION['username']."'";
			`$query = mysql_query($sql);`
			`$row = @mysql_fetch_array($query);`
updates and fixes 2009-06-19 10:43:02 +00:00			`$_SESSION['userlevel'] = $row['level'];`
			`$_SESSION['user_id'] = $row['user_id'];`
			`if(!$_SESSION['authenticated']) {`
			`$_SESSION['authenticated'] = true;`
			mysql_query("INSERT INTO authlog (`user`,`address`,`result`) VALUES ('".$_SESSION['username']."', '".$_SERVER["REMOTE_ADDR"]."', 'logged in')");
			`header("Location: ".$_SERVER['REQUEST_URI']);`
			`}`
more fixes and updates from sid3windr 2009-12-31 19:06:05 +00:00			`if(isset($_POST['remember'])) {`
updates and fixes 2009-06-19 10:43:02 +00:00			`setcookie("username", $_SESSION['username'], time()+606024*100, "/");`
			`setcookie("password", $_SESSION['password'], time()+606024*100, "/");`
			`}`
more fixes and updates from sid3windr 2009-12-31 19:06:05 +00:00			`}`
Add HTTP-Auth (thanks Allen Parker <parker a isohunt o com>) 2010-02-28 02:20:05 +00:00			`elseif (isset($_SESSION['username'])) {`
updates and fixes 2009-06-19 10:43:02 +00:00			`$auth_message = "Authentication Failed";`
			`unset ($_SESSION['authenticated']);`
			mysql_query("INSERT INTO authlog (`user`,`address`,`result`) VALUES ('".$_SESSION['username']."', '".$_SERVER["REMOTE_ADDR"]."', 'authentication failure')");
			`}`
Initial Import 2007-04-03 14:10:23 +00:00			`?>`