ck_aticket.i

<?php

// BUG alert: IE needs at least 2 dots in the domain.

function ReturnAddress($pSysEnv)
{
    // Called when the cookie is missing, expired, or damaged.  Sets return address to the name of the current script so cu_login knows where to go afterwards.
    HCU_setcookie_env($pSysEnv, "Tx_aURI", $_SERVER['PHP_SELF'] . "?" . urlencode($_SERVER['QUERY_STRING']), 0);
}

$result= true;
$tarr = array();
try
{
    // Validate Ticket
    if (empty($_COOKIE['aTicket']))
        throw new exception("No ticket", 1);
    $ticket = $_COOKIE['aTicket'];
    if ($SYSENV['require_encryption'] && !HCU_http_encrypted()) {
        throw new exception("Something is wrong not referencing https", 2);
    }

    // parse_str puts all the cookie values as variables in this script. So now I have variables $Cu, $Cn, $Cip, etc., corresponding to everything I put in the Ticket cookie.
    parse_str($ticket, $tarr);

    if (isset($skip_time) == false || (isset($skip_time) == true and $skip_time == false))
    {
        $now = time();
        if ($tarr['Ce'] < $now)
        {
            throw new exception("Ticket has expired", 3);
        }
    }

    if (isset($cu) && $cu != $tarr['Cu'])
    {
        throw new exception("Different CU requested", 4);
    }

    if (is_null($tarr['Ch']) || is_null($tarr['Cn']) || is_null($tarr['Ctime']) || is_null($tarr['Ce']) || is_null($tarr['Cu']) || is_null($tarr['Cip']) || is_null($tarr['Cl']) ||
        is_null($tarr['Cd']) || is_null($tarr['Clu']))
    {
        throw new exception("Partial ticket, try again", 5);
    }

    $secret = 'xogich6RFoogeid4';
    if ($tarr['Ch'] != MD5($secret . MD5(join(':', array($secret, $tarr['Cip'], $tarr['Ctime'], $tarr['Ce'], $tarr['Cl'], $tarr['Cu'], $tarr['Cn'], $tarr['Cd'], urlencode($tarr['Clu']),
        urlencode($tarr['Fplog']), urlencode($tarr['Fflog']), $tarr['Ffchg'], $tarr['Ffremain'], $tarr['Fset'], $tarr['Fset2'], $tarr['Fset3'])))))
    {
        throw new exception("hash doesn't match, someone is hacking", 6);
    }
}
catch(exception $e)
{
    $result= false;
}

if (isset($tarr["Cu"]) && isset($tarr["Cn"])) // After log out and when re-signing on, there is a case where these are defined: hence a couple of E_NOTICEs in the console.
    // apache_note sets variables for web server logging.  Used later to split web logfiles by credit union
    apache_note('user_name', "{$tarr['Cu']}:{$tarr['Cn']}");

if (!$result && $frm_login == false)
{
    // if any of the cookie tests failed set the return address, redirect to login, and then exit so the rest of the current script doesn't get executed.
    ReturnAddress($SYSENV);
    header("Location: ${menu_link}?ft=71");
    exit;
}
// good cookie -- warm it up to extend the expiration timestamp.
else
{
    $Ctime = time();
    $expires = $Ctime + (array_key_exists('inactive', $SYSENV['ticket']) ? $SYSENV['ticket']['inactive'] : 600);
    Set_aTicket($SYSENV, $_COOKIE['aTicket'], "&Ctime=$Ctime&Ce=$expires");

    $allowC = array('Ctime' => 'Time', 'Ce' => 'Expires', 'Cu' => 'CU', 'Cn' => 'Login Name', 'Clu' => 'Last Update', 'Cip' => 'IPaddr', 'Cd' => 'DB', 'Cl' => 'LiveBatch',
        'Fplog' => 'Last Login', 'Fflog' => 'Failed Login', 'Ffchg' => 'Force Change', 'Ffremain' => 'Failed Remaining', 'Fset' => 'Flagset 1', 'Fset2' => 'Flagset 2', 'Fset3' => 'Flagset 3');
    extract(array_intersect_key($tarr, $allowC), EXTR_OVERWRITE);

    $Clu = urldecode($Clu);
    $Fflog = urldecode($Fflog);
    $Fplog = urldecode($Fplog);
}