fixing authentication

git-svn-id: http://www.observium.org/svn/observer/trunk@317 61d68cd4-352d-0410-923a-c4978735b2b8
2024-10-07 16:52:45 +00:00 · 2008-11-26 12:55:55 +00:00
parent 6a96f5170c
commit e97df43c41
3 changed files with 72 additions and 24 deletions
--- a/html/includes/authenticate.inc
+++ b/html/includes/authenticate.inc
@@ -1,37 +1,42 @@
 <?php 

+function check_auth($username, $password) {
+  $encrypted = md5($password);
+  $sql = "select username, level, user_id from users where username='$username' and password='$encrypted'";
+  $query = mysql_query($sql);
+  $row = mysql_fetch_row($query);
+
+  if ($row[0] == $username) { return $row[1]; } else { return FALSE; }
+
+}
+
 if($_GET['logout']) {
  session_start();
+  $olduser = $_SESSION['username'];
  session_destroy();
  header('Location: /');
  setcookie ("username", "", time() - 3600);
  setcookie ("encrypted", "", time() - 3600);
-  echo("$_COOKIE[username]");
-
+  mysql_query("INSERT INTO authlog (`user`,`address`,`result`) VALUES ('$olduser', '".$_SERVER["REMOTE_ADDR"]."', 'logged out')");
+  $auth_message = "Logged Out";
 } else {

  session_start();  

-  if($_POST['username'] && $_POST['password']){ 
-    $_SESSION['username']=$_POST['username']; 
-    $_SESSION['password']=$_POST['password'];   
-    $_SESSION['encrypted'] = md5($_SESSION['password']);
-  } elseif($_COOKIE['username'] && $_COOKIE['encrypted'] && !$_SESSION['authenticated']) {
-    $_SESSION['username']=$_COOKIE['username'];
-    $_SESSION['encrypted']=$_COOKIE['encrypted'];
-  }
+  if($_POST['username'] && $_POST['password']){
+    $username = mres($_POST['username']);
+    $password = mres($_POST['password']);
+    $userlevel = check_auth($username,$password);
+    if($userlevel) {
+      $_SESSION['userlevel'] = $userlevel;
+      $_SESSION['authenticated'] = true;
+      $_SESSION['username'] = $_POST['username'];
+      mysql_query("INSERT INTO authlog (`user`,`address`,`result`) VALUES ('$username', '".$_SERVER["REMOTE_ADDR"]."', 'logged in')");
+    } else { 
+      $auth_message = "Authentication Failed"; 
+      mysql_query("INSERT INTO authlog (`user`,`address`,`result`) VALUES ('$username', '".$_SERVER["REMOTE_ADDR"]."', 'authentication failure')");
+    } 

-
-  $sql = "select username, level, user_id from users where username='" . mres($_SESSION['username']) . "' and password='" . mres($_SESSION['encrypted']) . "'"; 
-  $query = mysql_query($sql);
-  $row = mysql_fetch_row($query);
-
-  if ( $_SESSION['username'] != "" && $row[0] == $_SESSION['username'] ) {
-    $_SESSION['userlevel'] = $row[1];
-    $_SESSION['authenticated'] = true;
-    $_SESSION['user_id'] = $row[2];
-    setcookie("username", $username);
-    setcookie("encrypted", $encrypted);
  }
 }

--- a/html/pages/logon.inc
+++ b/html/pages/logon.inc
@@ -22,11 +22,17 @@
            </tr>
            <tr>
              <td colspan=2 align='right'><input name='submit' type='submit' value='Login'></td>
-            </tr>
-          </table>
+            </tr>");
+
+if($auth_message) {
+
+echo("<tr><td colspan=2><span style='font-weight: bold; color: #cc0000;'>$auth_message</span></td></tr>");
+
+}
+
+echo("          </table>
      </form></td>
    </tr>
  </table>
 </center>");
-
 ?>
--- a/html/pages/syslog.php
+++ b/html/pages/syslog.php
@@ -1,4 +1,41 @@
 <meta http-equiv="refresh" content="60">
+<div style="background-color: #eeeeee; padding: 10px;">
+<form id="form1" name="form1" method="post" action="">
+  <label><strong>Search</strong>
+    <input type="text" name="search" id="search" />
+  </label>
+  <label>
+    <strong>Program</strong>
+    <select name="program" id="program">
+      <option value="">All Programs</option>
+      <?php
+        $query = mysql_query("SELECT `program` FROM `syslog` GROUP BY `program` ORDER BY `program`");
+        while($data = mysql_fetch_array($query)) {
+          echo("<option value='".$data['program']."'>".$data['program']."</option>");
+        }
+      ?>
+    </select>
+  </label>
+  <label>
+    <strong>Device</strong>
+    <select name="device" id="device">
+      <option value="">All Devices</option>
+      <?php
+        $query = mysql_query("SELECT * FROM `devices` ORDER BY `hostname`");
+        while($data = mysql_fetch_array($query)) {
+          echo("<option value='".$data['device_id']."'");
+            
+          echo(">".$data['hostname']."</option>");
+        }
+      ?>
+    </select>
+  </label>
+
+  <input type=submit value=Search>
+
+</form>
+</div>
+
 <?

 $sql = "SELECT *, DATE_FORMAT(datetime, '%D %b %T') AS date from syslog ORDER BY datetime DESC LIMIT 1000";