cu_credentials.i

<?php
/*
 * Script: cu_credentials
 * Purpose:  This script will contain function to determine the security status
 *            of the member.
 *
 *            Check_HomeCU_Status
 *            Check_Member_Credentials
 *            returnaddress
 *            Check_Member_Login
 *            Check_Member_UseAlias
 */

/* NOTE: This function is being deprecated. Use the following function, LoadCUAdmin().
 * Function: Check_HomeCU_Status
 * Purpose:   This will check the status of the homebanking_status as well as the
 *              status of the current credit union and database connection
 *            IT will set global values of some common variables that will be used later
 *
 * NOTE ***
 *    This is being rewritten a little. -- This function will NOT set the loginscript
 *        to call, that needs to be done by the script calling this one
 *
 * Parameters:
 *              p_dbh - database handle
 * Returns:
 * GLOBALS SET:
 *              cver -- Cookie Version
 *              loginscript -- used for homebanking, but need to set
 *              loginpath   -- path where login script will exist
 *              TicketDomain -- The cookie domain
 *              offline -- credit union offline status
 *              cu -- cu code
 */
function Check_HomeCU_Status(&$p_dbh, &$p_hb_env) {

// SHOULD BE ALREADY SET IN dbenv  $GLOBALS['TicketDomain'] = ".homecu.net";                   //Which domain shall we protect?

  $p_hb_env['cu'] = substr(filter_input(INPUT_GET, 'cu', FILTER_SANITIZE_STRING, array('flags' => (FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH))), 0, 12);
  if ($p_hb_env['cu'] == '' && in_array(basename($_SERVER['SCRIPT_NAME']), array('OFXRequest.prg', 'hcuAppFeed.prg'))) {
    $p_hb_env['cu'] = substr(filter_input(INPUT_POST, 'ORG', FILTER_SANITIZE_STRING, array('flags' => (FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH))), 0, 12);
    $p_hb_env['no_cookies'] = true;
  }
  if ($p_hb_env['homebanking_status'] != "O") {
    $p_dbh = db_pconnect($p_hb_env['SYSENV']['db']);
  // *** SYSTEM IS SET TO BE ONLINE --- LOAD VALUES FROM DATABASE
    // * LOAD the fields from the Database, these may be overriden later by cookie
    // * values -- the dual naming pre-auth and coookie values is a pain..
      // * They should be changed to be the same.

    if ($p_dbh) {
      // ** Database Was successfully loaded

      $sql="SELECT cookie_ver, loginscript, offlinestat, offlineblurb, trmemomaxlen, min_chlng_qst,
                   livewait, trim(lastupdate), flagset, flagset2, flagset3, histdays, trmemomaxlen,
                    coalesce(retrylimit,5), coalesce(gracelimit,5), orgname, pname, rt, tz, livebatch
            FROM cuadmin
            WHERE cu = '{$p_hb_env['cu']}'";
      $sth = db_query($sql, $p_dbh);

      if (db_num_rows($sth) > 0) {
        list ($cver, $loginscript, $offline, $offlinemsg, $trmemomaxlen, $min_chlng_qst, $livewait,
                $lastupdate, $flagset, $flagset2, $flagset3, $histdays, $trmemomaxlen,
                $failedremain, $forceremain, $orgname, $pname, $rt, $tz, $livebatch) = db_fetch_array($sth,0);

        $p_hb_env['cver'] = ($cver == 'F' ? 'F' : 'L');

        $p_hb_env['offline'] = (trim($offline) == '' ? 'N' : trim($offline));
        $p_hb_env['offlinemsg'] = $offlinemsg;
        $p_hb_env['trmemomaxlen'] = intval($trmemomaxlen);
        $p_hb_env['cu_chgqst_count'] = intval($min_chlng_qst);

        $p_hb_env['livewait'] = (is_null($livewait) ? "300" : $livewait);
        $p_hb_env['lastupdate'] = (trim($lastupdate)=="" ? "Unknown" : urlencode(trim($lastupdate)));
        $p_hb_env['flagset'] = (is_null($flagset) ? 0 : $flagset);
        $p_hb_env['flagset2'] = (is_null($flagset2) ? 0 : $flagset2);
        $p_hb_env['flagset3'] = (is_null($flagset3) ? 0 : $flagset3);
        $p_hb_env['histdays'] = (is_null($histdays) ? 0 : $histdays);
        $p_hb_env['trmemomaxlen'] = (is_null($trmemomaxlen) ? 0 : $trmemomaxlen);
        $p_hb_env['failedremain'] = $failedremain;
        $p_hb_env['forceremain'] = $forceremain;
        $p_hb_env['orgname'] = trim($orgname);
        $p_hb_env['pname'] = trim($pname);
        $p_hb_env['rt'] = trim($rt);
        $p_hb_env['chome'] = strtolower($p_hb_env['cu']);
        $p_hb_env['live'] = (trim($livebatch) == 'L' ? 1 : 0);
        $p_hb_env['tz'] = trim($tz) == "" ? "US/Mountain" : ((strpos($tz,"/") === false ) ? "US/" . trim($tz) : trim($tz));
      }

    } else {

      $p_hb_env['cver'] = "F";
      $p_hb_env['loginscript'] = "cuauth";
      $p_hb_env['offline'] = "Y";
      $p_hb_env['offlinemsg'] = "We are currently working on the system.";
    }
  } else {
  // *** SYSTEM IS SET TO OFFLINE -- Set the variables accordingly
    // ** Set the version to legacy and force the login script to be 'cuauth'
      // * cuauth will then display the offline message

    $p_hb_env['cver'] = "F";
    $p_hb_env['loginscript'] = "cuauth";
    $p_hb_env['offline'] = "Y";
    $p_hb_env['offlinemsg'] = "We are currently working on the system.";
  }

  // ** SET THE GLOBAL VALUES
  // print "BEFORE - {$p_hb_env['Cu']} :: ";
  $p_hb_env['Flang'] = '';      // Initialize the value
  if ( HCU_array_key_exists( "no_cookies", $p_hb_env )  ) {
      $p_hb_env['Flang'] = 'en_US';
  } else {
      // ** SET the language -- FROM THE GET
      // ** At this time, I am going to try and change this so it will only evaluate
      // ** Flang from the cookie for Flang. It will only get value from there
      $cookieName = $p_hb_env['cu'] . '_lang';
      if (HCU_array_key_exists( $cookieName, $_COOKIE)) {
        $p_hb_env['Flang'] = $_COOKIE[$cookieName];
      }
  }
    // ** LOGIN PATH MAY NEED TO BE SET SOMEWHERE ELSE -- PER homecu request script
  /**
   * @var string currentscript - the current script running, should be able to use this in place of hard coding script name
   */
  $p_hb_env['currentscript'] = basename($_SERVER['SCRIPT_NAME']);

  $p_hb_env['remoteIp'] = filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_SANITIZE_STRING);
/*
 * Values set in HB_ENV INSTEAD

  $GLOBALS['cver'] = $cver;
  $GLOBALS['loginscript'] = $loginscript;
  $GLOBALS['offline'] = $offline;
  $GLOBALS['offlinemsg'] = $offline;
  $GLOBALS['cu'] = $cu;
 */
  return ($offline == 'N' ? FALSE : TRUE);
}

/*
 * Function: LoadCUAdmin
 * Purpose:   This will check the status of the homebanking_status as well as the
 *              status of the given credit union and database connection
 *            It will set global values of some credit union specific variables that will be used later.
 *
 * NOTE ***
 *    This is being rewritten a little. -- This function will NOT set the loginscript
 *        to call, that needs to be done by the script calling this one
 *    Caller also needs to pass in the CU and database handle.
 *
 * Parameters:
 *              pDbh - database handle
 *              pCU - Credit Union code
 *              pEnv - reference to Environment structure
 * Returns:
 * GLOBALS SET:
 *              cver -- Cookie Version
 *              loginscript -- used for homebanking, but need to set
 *              loginpath   -- path where login script will exist
 *              TicketDomain -- The cookie domain
 *              offline -- credit union offline status
 */
function LoadCUAdmin( $pDbh, $pCU, &$pEnv ) {
  $isOffline = true;      // assume the worst
  $isValidCU = false;

// SHOULD BE ALREADY SET IN dbenv  $GLOBALS['TicketDomain'] = ".homecu.net";                   //Which domain shall we protect?
  if ($pEnv['homebanking_status'] != "O") {
  // *** SYSTEM IS SET TO BE ONLINE --- LOAD VALUES FROM DATABASE
    // * LOAD the fields from the Database, these may be overriden later by cookie
    // * values -- the dual naming pre-auth and coookie values is a pain..
      // * They should be changed to be the same.

      # Check $pCU before using it, since it is not escaped in the sql below
      # ctype_alnum ensures not empty / null, and contains only letters / digits
    if ( $pDbh && ctype_alnum($pCU) ) {
      // ** Database Was successfully loaded & cu value appears reasonable

      $sql="SELECT cu, cookie_ver, loginscript, offlinestat, offlineblurb, trmemomaxlen, min_chlng_qst,
                   livewait, trim(lastupdate), flagset, flagset2, flagset3, histdays, trmemomaxlen,
                    coalesce(retrylimit,5), coalesce(gracelimit,5), orgname, pname, rt, tz, livebatch
            FROM cuadmin
            WHERE cu = '{$pCU}'";
      $sth = db_query($sql, $pDbh);

      if (db_num_rows($sth) > 0) {
        list ($cu, $cver, $loginscript, $offline, $offlinemsg, $trmemomaxlen, $min_chlng_qst, $livewait,
                $lastupdate, $flagset, $flagset2, $flagset3, $histdays, $trmemomaxlen,
                $failedremain, $forceremain, $orgname, $pname, $rt, $tz, $livebatch) = db_fetch_array($sth,0);

        $pEnv['cver'] = ($cver == 'F' ? 'F' : 'L');

        $pEnv['offline'] = (trim($offline) == '' ? 'N' : trim($offline));
        $pEnv['offlinemsg'] = $offlinemsg;
        $pEnv['trmemomaxlen'] = intval($trmemomaxlen);
        $pEnv['cu_chgqst_count'] = intval($min_chlng_qst);

        $pEnv['livewait'] = ((is_null($livewait) || $livewait == "0") ? "300" : $livewait);
        $pEnv['lastupdate'] = (trim($lastupdate)=="" ? "Unknown" : urlencode(trim($lastupdate)));
        $pEnv['flagset'] = (is_null($flagset) ? 0 : $flagset);
        $pEnv['flagset2'] = (is_null($flagset2) ? 0 : $flagset2);
        $pEnv['flagset3'] = (is_null($flagset3) ? 0 : $flagset3);
        $pEnv['histdays'] = (is_null($histdays) ? 0 : $histdays);
        $pEnv['trmemomaxlen'] = (is_null($trmemomaxlen) ? 0 : $trmemomaxlen);
        $pEnv['failedremain'] = $failedremain;
        $pEnv['forceremain'] = $forceremain;
        $pEnv['orgname'] = trim($orgname);
        $pEnv['pname'] = trim($pname);
        $pEnv['rt'] = trim($rt);
        $pEnv['chome'] = trim(strtolower($cu));
        $pEnv['live'] = (trim($livebatch) == 'L' ? 1 : 0);
        $pEnv['tz'] = trim($tz) == "" ? "US/Mountain" : ((strpos($tz,"/") === false ) ? "US/" . trim($tz) : trim($tz));

        $isOffline = !( $pEnv['offline'] == "N" );
        $isValidCU = true;
      }
    }
  }

  if ( $isOffline ) {
  // *** SYSTEM IS SET TO OFFLINE -- Set the variables accordingly
    // ** Set the version to legacy and force the login script to be 'cuauth'
      // * cuauth will then display the offline message
    $pEnv['cver'] = "F";
    $pEnv['loginscript'] = "cuauth";
    $pEnv['offline'] = "Y";
    $pEnv["offlinemsg"] = HCU_array_key_exists("offlinemsg", $pEnv) ? trim($pEnv["offlinemsg"]) : "";
    $pEnv['offlinemsg'] = $pEnv["offlinemsg"] == "" ? "We are currently working on the system." : $pEnv["offlinemsg"];
  }

/*
 * Values set in HB_ENV INSTEAD

  $GLOBALS['cver'] = $cver;
  $GLOBALS['loginscript'] = $loginscript;
  $GLOBALS['offline'] = $offline;
  $GLOBALS['offlinemsg'] = $offline;
  $GLOBALS['cu'] = $cu;
 */
  return $isValidCU;
} // end LoadCUAdmin

/**
 *        This function needs to be called by scripts at the top of their page.
 *        It will check to see if the user needs to be redirected to any of
 *        the settings pages.  This is a change from the class HomeCU where
 *        redirect is handled by the login script.  This will check in ONE
 *        place and always handle the same.  Possible bringin up an in between
 *        screen that has a list of items that will need to be set
 *
 * @param integer $p_dbh This is the dB handle, $dbh
 * @param array $p_hb_env This is the value fo the $HB_ENV array for the Home Banking Environment
 * @param class $p_mc This is the class value for the
 *
 * @return array Array ([code] => "", [severity] => "", [errors] => "")
 *
 *          000 -- everything was OK, no changes
 *            -- If 000 is not set, then the code returned will determine
 *            -- the security item to process first in priority
 *          010  -- Redirect member to the SET ALL settings, however, they MAY NOT SKIP
 *          011  -- Redirect member to the SET ALL settings, similar to OLD MbrSetCfg
 *          012  -- Redirect member to the password settings
 *          013  -- Redirect member to the email settings
 *          014  -- Redirect member to the user alias settings
 *       severity {ERROR, SUCCESS}
 */
function Check_Member_Settings($p_dbh, $p_hb_env, $p_mc) {

  $retAry = Array("code" => "000", "severity" => "SUCCESS", "errors" => Array());
  // * Also check the value of sC, expected values are {1 -- In process of setting, 2 -- Skip until later}
    // * it was discussed with miki on whether to use an alternate flag on end of cookie
    // * or use msg_tx. At the time this was decided msg_tx only had one remaining bit left
    // * and I needed two.  Changes to cuusers is of course time sensitive
  // * sC is NOT in the hash of the cookie.  So I want to check to make sure they
    // * don't somehow change the value to 2 allowing them to skip while the forceremain is 0

  // * it is possible I may want this script to update the fremain..

  // If sC is NOT '2' (they pressed wait on the change security option ||
    // forceremain is 0, we will force the issue if they have no more secuirty graces
/*
  $mbrInfo = GetUserInfo($p_dbh, $p_hb_env, $p_mc, Array("user_name_alias" => $p_hb_env['Cn'], "cu" => $p_hb_env['Cu']));
  // ** if we were able to retrieve the member data
  $freset = 0;
  if ($mbrInfo['status']['code'] == '000') {
    $freset = $mbrInfo['data']['cuusers_forcereset'];
  }
*/

  // ** First Check to see if we are offline -- security questions are NOT allowed
    // * as readonly -- So I will always set the flag to false in case the calling
    // * script has it set to true.
    // * If the system is offline, I simply want to return A success -- when
    // * the system comes back online - the problem will be corrected
  $p_hb_env['allowReadonly'] = false;

  if (!hcu_checkOffline($p_dbh, $p_hb_env)) {
    return $retAry;
  }


  // ** Determine if the member needs to set Security Questions -- 2 factor only
  // * TRUE - if freset is SET
  // *            OR
  // *        if NO challenge questions are set, then enter here as well
  $aryMfaQuest = GetChallengeQuestions('CURRENT', $p_dbh, $p_hb_env, $p_mc, $p_hb_env['Cn']);

  // ** HANDLE NO Challenge questions separately FROM RESET CHALLENGE
    // * do NOT allow the user to bypass the settings if they have NO challenge questions
  // ** ONLY do one or the other of the challenge question errors
    // ** ONLY when CU is NOT setup to use MFA Secure Access Codes 'CU3_MFA_AUTHCODE'
  if (($p_hb_env['cver'] == "F") && ($aryMfaQuest['mfacount'] == 0 && intval($p_hb_env['cu_chgqst_count']) > 0) && !($p_hb_env['Fset3'] & GetFlagsetValue('CU3_MFA_AUTHCODE'))) {
//  // ** IF fremain is counted down to zero, then they may NOT skip
    // * THEY MAY NOT SKIP THIS OPTION
    // ** Prioritize this security option
    $retAry['code'] = ($retAry['code'] == '000' ? "010" : $retAry['code']);
    $retAry['severity'] = "ERROR";
    $retAry['errors'][] = $p_mc->msg("Need challenge questions");
  } else {
    if (($p_hb_env['cver'] == "F") && ($p_hb_env['Ffreset'])) {
  //  // ** IF fremain is counted down to zero, then they may NOT skip
      if (intval(HCU_array_key_value('sC', $p_hb_env)) != '2' || $p_hb_env['Ffremain'] == 0) {
        // ** Prioritize this security option
        $retAry['code'] = ($retAry['code'] == '000' ? "011" : $retAry['code']);
        $retAry['severity'] = "ERROR";
        $retAry['errors'][] = $p_mc->msg("Need challenge questions");
      }
    }
  }

  // ** Determine if the member needs to reset their password
  //  * TRUE if Ffchg has been set other than 0

  if ($p_hb_env['Ffchg'] ==  'Y') {
    if (intval(HCU_array_key_value('sC', $p_hb_env)) != '2') {
      $retAry['code'] = ($retAry['code'] == '000' ? "012" : $retAry['code']);
      $retAry['severity'] = "ERROR";
      $retAry['errors'][] = $p_mc->msg("Password flagged reset");
    }
  }

  // ** Is the member required to verify the email?
  if (($p_hb_env['Fmsg_tx'] & GetMsgTxValue('MSGTX_FORCE_EM')) !== 0) {
    if (intval(HCU_array_key_value('sC', $p_hb_env)) != '2') {
      $retAry['code'] = ($retAry['code'] == '000' ? "013" : $retAry['code']);
      $retAry['severity'] = "ERROR";
      $retAry['errors'][] = $p_mc->msg("Bad Email Flag");
      //"Bad Email Flag"
    }
  }

  // ** Is the member required to validate/enter their user alias?
  if ( ($p_hb_env['Fset2'] & $GLOBALS['CU2_ALIAS_REQ']) == $GLOBALS['CU2_ALIAS_REQ']) {
    // CURRENTLY the cookie ONLY contains the ACTUAL member number, IT does not
      // contain the useralias.
      // A solution for now is to retrieve the mbrInfo record from cuusers.
      // Evaluate the actual alias field,

    // ** LONG TERM SOLUTION
    // * Currently this will only retrieve the record for credit union REQUIRING the MemberInfo
    // * Need to add the login UserAlias to the cookie, such as Ca (Credit Union Alias).

    $mbrInfo = GetUserInfo($p_dbh, $p_hb_env, $p_mc, Array("user_id" => $p_hb_env['Uid'], "cu" => $p_hb_env['Cu']));
    // ** if we were able to retrieve the member data
    if ($mbrInfo['status']['code'] == '000') {
      if (!Check_Member_UseAlias($mbrInfo['data']['cuusers_user_name'])) {
        if (intval(HCU_array_key_value('sC', $p_hb_env)) != '2') {
          $retAry['code'] = ($retAry['code'] == '000' ? "014" : $retAry['code']);
          $retAry['severity'] = "ERROR";
          $retAry['errors'][] = $p_mc->msg("Alias required");
        }
      }
    }
  }
    // ** NOTHING HERE - SKIP


  return $retAry;
}
/**
 *            This function will evaluate the username that is passed to it
 *              and determine if we compare the username or useralias in cuusers
 * @param string p_username username to evaluate
 * @return bool {True} -- The username will query useralias in the database {False} -- The username will query username in the cuusers tables (STANDARD)
 *
 * # NOT NEEDED FOR ODYSSEY - Everybody logs in with a username for Odyssey
 */
function Check_Member_UseAlias($p_username) {
    return preg_match("/\D/",$p_username);
}

/**
 * This verifies the security credentials of the 'device' and 'member' cookies.
 * It will also set some of the GLOBAL values that are used throughout home banking,
 *
 * 4/17/17 Function validates the Ticket cookie and, if the Ticket passes,
 * uses ticket values to add / updates values in hb_env array
 * Nothing addresses the device cookie here - see hcuLogin for that?
 *
 * @param   $hb_env     array   Reference to HB_ENV to allow easy changes to values
 * @param   $ticket     string  The session string from the ticket cookie or appcode
 * @return  array               Associative array of results:
 *                               [
 *                                  'result'=>value,  // 1 = ticket is valid, 0 = ticket failed
 *                                  'resdesc'=>value, // failure reason or '' if ticket is valid
 *                               ]
 */
function Check_Member_Credentials (&$hb_env, $ticket) {
  $retVal = Array("result"=>"", "resdesc"=>"");

  $debug = 0;     // * when set, the retdesc will be logged

  $retVal['result'] = 1;      // ** ASSUME SUCCESS --- PROVE FAILURE
  // unset $chome so failed cookies will leave it blank.

  $returnArray = CheckSessionTicket($hb_env, $ticket);
  // returns Array("result"=>array(), "resdesc"=>"");

  if ( !is_array( $returnArray['result'] ) ) {
    // Pull username from ticket because we don't have it
    $username = '';
    if ($ticket) {
      $matches = [];
      if (preg_match('/Cn=(.+?)\b/', $ticket, $matches)) {
        $username = $matches[1];
      }
    }
    $config = FeatureGateConfig::GetInstance($hb_env['dbh']);
    $logTicketCheckGate = new CreditUnionGate(CreditUnionGate::LOG_TICKET_CHECK_FEATURE, $config);
    if ($logTicketCheckGate->WillPass($hb_env['cu'], ['username' => $username])) {
      $hb_env['SYSENV']['logger']->info("[CheckCredentialsFailure] ticket=$ticket; resdesc={$returnArray['resdesc']}");
    }
    // THE SECURITY VERIFICATION FAILED!
    $retVal['result'] = 0;
    $retVal["resdesc"] = $returnArray["resdesc"];

    // do NOT set the GLOBAL VALUES FROM the cookie
    // They will be REQUIRED TO LOGIN
    if ($debug) {
      syslog(LOG_ERR, $retVal['resdesc']);
    }

  } else {
    // ** VERIFICATION PASSED
    // ** SET GLOBAL VALUES
    $allowENV=array('Ctime'=>'Time','Ce'=>'Expires','Cu'=>'CU',
          'Cn'=>'Login Member','Uid'=>'Login User ID','Clw'=>'Wait','Clu'=>'Last Update',
          'Fplog'=>'Prior Login','Fflog'=>'Last Failed',
          'Ffchg'=>'Force Change','Ffreset'=>'Force Reset','Ffremain'=>'Fails Remaining',
          'Fmsg_tx'=>'Msg Status','Fset'=>'Flagset 1','Fset2'=>'Flagset 2',
          'Fset3'=>'Flagset 3', 'Ca' => "Admin user (user hub member account list)",
          'Fhdays'=>'History Days','Ml'=>'Email Address','platform'=>'Client platform',
          'sC'=>'Security Challenge Status', 'testmenu'=>'Show Test Menu', 'sid'=>'Session Id');

    // ** SET THE VALUES IN THE HB_ENV array --
    # $tarr is built (above) from ticket cookie; then
    # values from $tarr which have keys present in $allowENV
    # are used to add/update values in $p_hb_env
    $hb_env = array_replace( $hb_env, array_intersect_key( $returnArray["result"], $allowENV ) );

    // ** For some values, there is a Cookie fieldname and there there is the actual
      // * fieldname
    // ['Clu'] == ['lastupdate']
    $hb_env['lastupdate'] = $hb_env['Clu'];
  }

  return $retVal;
}

/**
 * Check the passed in session string and check the hash for validity. Return the
 * component parts in an array for the caller to use.
 *
 * Returns: result = false on failure, array if successful
 */
function CheckSessionTicket( $pHBEnv, $sessionStr ) {
  try {
    $retVal = Array( "result" => array(), "resdesc" => "" );

    if ( empty($sessionStr) ) {
      // No Ticket
      throw new Exception( "Ticket not found {$pHBEnv['cu']}" );
    }

    $tarr = array();
    parse_str( $sessionStr, $tarr );

    $now = time();
    if ( $tarr['Ce'] < $now ) {
        // ticket has expired
        throw new Exception( "{$tarr['Cu']}:{$tarr['Uid']} Ticket Expired {$tarr['Ce']} < $now" );
    }

    if ( $pHBEnv['cu'] != "" &&
         $pHBEnv['cu'] != $tarr['Cu'] ) {
        // Different CU requested
        throw new Exception( "{$tarr['Cu']}:{$tarr['Uid']} Ticket Switch cu from {$tarr['Cu']} to {$pHBEnv['cu']}" );
    }

    // 2-Factor Ticket cookie
    // ** Verify ALL expected pieces exist in cookie

    if (is_null($tarr['Ch']) || is_null($tarr['Cn']) || is_null($tarr['Uid']) ||
        is_null($tarr['Ctime']) || is_null($tarr['Ce']) ||
        is_null($tarr['Cu']) || is_null($tarr['Clw'])  ||
        is_null($tarr['Clu']) || is_null($tarr['Fplog']) || is_null($tarr['Fflog']) ||
        is_null($tarr['Ffchg']) || is_null($tarr['Ffremain']) ||
        is_null($tarr['Fmsg_tx']) || is_null($tarr['Fset']) ||
        is_null($tarr['Fset2']) || is_null($tarr['Fhdays']) || is_null($tarr["Ca"]) ||
        is_null($tarr['Fset3']) || is_null($tarr['Ml']) || is_null($tarr["platform"]) || is_null($tarr["sid"])) {
      //Partial ticket, try again
      throw new Exception( "{$tarr['Cu']}:{$tarr['Cn']} Partial Ticket" );
    }

    $secret = $pHBEnv['secret'];

    // 2-Factor Ticket cookie
    // ** Recreate the hash from ALL the pieces and verify they are the same
    if ($tarr['Ch'] != MD5($secret .
      MD5(join(':',
        [
          $secret,
          $tarr['Ctime'], $tarr['Ce'], $tarr['Cu'], $tarr['Cn'], $tarr['Uid'],
          $tarr['Clw'], urlencode(trim($tarr['Clu'])), urlencode(trim($tarr['Fplog'])), urlencode(trim($tarr['Fflog'])),
          $tarr['Ffchg'], $tarr['Ffreset'],
          $tarr['Ffremain'], $tarr['Fmsg_tx'], $tarr['Fset'],
          $tarr['Fset2'], $tarr['Fset3'], $tarr['Fhdays'],
          urlencode($tarr['Ml']), trim($tarr["Ca"]), trim($tarr["platform"]), $tarr["sid"]
        ]
      )))) {
      // hash doesn't match, someone is hacking
        throw new Exception( "{$tarr['Cu']}:{$tarr['Uid']} Ticket Hash Mismatch" );
      }

    $retVal["result"] = $tarr;
  } catch (Exception $err) {
    $retVal["result"] = false;
    $retVal["resdesc"] = $err->getMessage();
  }

  // log every occurance EXCEPT missing cookie
  if ( !empty($_COOKIE['Ticket']) ) {
    // apache_note sets variables for web server logging.  Used later to split
    // web logfiles by credit union
    // ONLY add the note when we have ticket values
    apache_note("user_name","{$tarr['Cu']}:{$tarr['Uid']}");
  }

  return $retVal;
} // end CheckSessionTicket

/**
 * MWS 7/14/2016
 * Removed the SetReturnAddress Function
 * Changed GetReturnAddress to ALWAYS return main_url, but removed the setcookie portion
 * Always redirects to main login page - v2 has NEVER respected the return address cookie
 */
function GetReturnAddress ($p_hb_env, $p_bolforce_setcookie = 0) {

  $return_address = $p_hb_env['loginpath'] . "/{$p_hb_env['defaultScript']}?{$p_hb_env['cuquery']}";

  return $return_address;
}

function GetUserbyName($p_dbh, $cu, $username) {
  $return_ary = array();
  // ** QUERY THE USER INFORMATION
  $sqluser = "SELECT cuuser.user_id as user_id, trim(cuuser.user_name) as user_name, trim(cuuser.passwd) as passwd,
                forcechange as fchange, coalesce(forceremain,0) as fremain, failedremain, pwchange as pchange,
                trim(email) as email, confidence, cuuser.group_id as cuuser_group_id,
                lastlogin as llog, failedlogin as flog, coalesce(msg_tx,0) as msg_tx, userflags & " . GetUserFlagsValue('MEM_FORCE_RESET') . "::int4 as freset,
                userflags, coalesce(challenge_quest_id,0) as savecqid,
                coalesce(cuadmin.flagset,0) as flagset, coalesce(cuadmin.flagset2,0) as flagset2, coalesce(cuadmin.flagset3,0) as flagset3,
                cuadmin.livewait, trim(cuadmin.lastupdate) as lastupdate, cuadmin.min_chlng_qst as min_chlng_qst,
                cuadmin.pname, coalesce(histdays,0) as fhdays, coalesce(gracelimit,0) as grace, trmemomaxlen, mfaquest, primary_account, trim(cuadmin.cu) as cu

              FROM {$cu}user as cuuser
              JOIN cuadmin on cuadmin.cu = '" . prep_save($cu) . "'
              WHERE lower(cuuser.user_name) = '" . prep_save(strtolower($username)) . "' ";

  $mbr_sth = db_query($sqluser, $p_dbh);
  if (db_num_rows($mbr_sth) == 1) {
    $return_ary = db_fetch_assoc($mbr_sth,0);
    $return_ary['rowfound'] = 1;
    $mbrMfaQuest = HCU_MFADecode(HCU_JsonDecode($return_ary['mfaquest']));
    $return_ary['savecqid'] = $mbrMfaQuest['challenge'];
    $return_ary['chcount'] = $mbrMfaQuest['mfacount'];
    $return_ary['authcode'] = $mbrMfaQuest['authcode'];
    $return_ary['authexpires'] = $mbrMfaQuest['authexpires'];
    $return_ary['mfadate'] = $mbrMfaQuest['mfadate'];

    $FORCEUPDATE = 0;
    if ($return_ary['fchange'] == 'Y') {
      $FORCEUPDATE += 1; #password
    }

    if (($return_ary['msg_tx'] & GetMsgTxValue('MSGTX_FORCE_EM')) || $return_ary['email'] == '') {
      $FORCEUPDATE += 2; # email
    }
    if (intval($return_ary['flagset3'] & GetFlagsetValue('CU3_MFA_AUTHCODE')) == 0 &&
        ( $return_ary['freset'] ==  GetUserFlagsValue('MEM_FORCE_RESET') || $return_ary['chcount'] < $return_ary['min_chlng_qst'])
      ) {
      $FORCEUPDATE += 4; #challenge questions
    }
    if (($return_ary['flagset2'] & GetFlagsetValue('CU2_ALIAS_REQ')) && !Check_Member_UseAlias($return_ary['user_name'])) {
      $FORCEUPDATE += 8;
    }

//    if ( intval($return_ary['flagset3'] & $GLOBALS['CU3_MFA_AUTHCODE']) > 0 && $return_ary['freset'] == 2   ) {
//            $FORCEUPDATE += 16; #phone numbers
//    }
    $return_ary['forceupdate'] = $FORCEUPDATE;


    if ($return_ary['failedremain'] <= 0 || ( ($return_ary['forceupdate'] & 29) > 0 && $return_ary['fremain'] <= 0 )) {

      $return_ary['lockedacct'] = 1;
    } else {
      $return_ary['lockedacct'] = 0;
    }

  } else {
    $return_ary['rowfound'] = 0;
  }


return $return_ary;

}

/*
 * Function: BankingVerifyCredentials
 *
 *  MWS 10/15/2015 -- New function for verifying credentials.
 *                    Started from Check_Member_Login
 *                    LEGACY VERIFCATION REMOVED
 *
 * Purpose:  To check all components of a member login and return the status.
 *            this will leave it up to the calling script to correctly identify
 *            the problem and work appropriately.
 * Parameters:  Need to pass in the information that I have for the member..
 *              p_dbh  - current database handle
 *              p_mode -  This is the mode we are trying to evaluate -- This will
 *                       help determine the proper message to return
 *                {
 *                  ChkLegacy     - Legacy evaluation, only username and password required
 *                  ChkMember     -
 *                  ChkPass       - Primarily Checking for Password
 *                  ChkChallenge  - Primarily Checking for Challenge Question
 *                  ChkEmail      - Primarily Checking For Email
 *                }
 *          NOTE p_hb_env are passed BY REFERENCE .. CHANGES WILL STICK
 *              p_hb_env - this is the GLOBAL HomeBanking Environment Array
 *              p_mc     - This is the current selected language class
 *              pLoginType - type of platform logging in: DSK = desktop, MBL (default) = Mobile
 *
 * Returns: This will return a standard array with information about how the information
 *            checked out.
 * ReturnArray
 *            retVal['status'] - Values
 *                    000 -- Authentication Complete, the user may be authenticated
 *                    010 --  username complete
 *                    020 --  email complete
 *                    030 --  challenge complete
 *                    040 --  password complete becomes 000
 *
 *                    ERRORS
 *                    100 -- UNEXPECTED ERROR -- FAIL ALTOGETEHR
 *                    110 -- username NOT entered
 *                    111 -- username failed
 *                    112 -- Account is LOCKED
 *                    120 -- email failed
 *                    130 -- challenge failed
 *                    135 -- authcode failed
 *                    140 -- Password Failed
 *
 *            retVal['dispmsg'][] -- This will be an ARRAY of messages to display back to the user
 *                              it will already be taking into account the current
 *                              language requirements.
 *
 *            retVal['nextstep'] -- This will direct the script on what is needed
 *                      next.  If the script can be setup directly , it will hopefully
 *                      feel easier to identify problems.
 *              {
 *                StepLegacy -- We need the username / password screen, legacy DISPLAY
 *                StepMember -- We need to show the username screen 2Factor
 *                StepEmail  -- We need the email
 *                StepChallenge -- We need to show challenge questions
 *                StepSecureAccess -- We need to send a secure access code
 *                StepPass   -- We need the Password, which may also show the secret word
 *                StepNone   -- This is used when we need to stop processing..
 *                StepFWDEmail  -- Redirect to EMAIL VERIFICATION
 *                StepFWDPWD    -- Redirect to Password Change
 *                StepFWDAlias  -- Redirect to UserAlias, which is required
 *                StepFWDCHG    -- Redirect to Challenge Questions
 *              }
 */
function BankingVerifyCredentials($p_dbh, $p_mode, &$p_hb_env, $p_mc, $pLoginType = "MBL") {
    /*
     * If username is not entered and posted here, then this function returned an
     * empty nextstep.  Causing the upgrade home banking to display NO form.
     * Defaulting the return to array to be on the Member screen should prevent that
     * problem. Note foreseeing a problem with mobile
     */
    $retVal = Array("status" => "100", "dispmsg" => Array(), "nextstep" => "StepMember");


    /*
     * Process -- 2Factor
     *
     *          2Factor -- Many steps.. more than 2!
     *                  -- Hoping a building block approach works
     *                  1 - Check username
     *                  2 - Check for device cookie
     *                    a FOUND -- set the email, challenge questions? OR TRUST??
     *                    b NOT FOUND
     *                      1 - Check for email
     *                      2 - Check for challenge questions
     *                  3 - Check for password
     *
     */

    // ** upd_mbr_force --  This value will be set WHEN the member is able to bypass
    // challenge questions, upon force reset OR FIRST TIME LOGIN - THIS WILL
    // Ensure they are sent to the set challenge screen.
    // *
    $upd_mbr_force = 0;

    // ** 2FACTOR VALIDATION
    // ** First thing is First Check the username
    $username = trim($p_hb_env['username']);
    $cu = trim($p_hb_env['cu']);
    // * check for no invalid characters and not empty
    if (hcuCheckUsername($username)) {
      // get the userrec and status info from the db
      $userrec = GetUserbyName($p_dbh, $cu, $username);
      if ( $userrec['rowfound'] != 1) {

        /*
         * username was NOT FOUND
         *
         * For an invalid username the flow is
         *
         * ____________________________
         * |                           |
         * |      ENTER USER NAME      |
         * |-----------\/--------------|
         * |                           |
         * |      ENTER PASSWORD       |
         * |                           |
         * |-----------\/--------------|
         * |                           |
         * |   USER LOGIN W/ ERROR     |
         * |___________________________|
         *
         */

        // ** To be here we have a username -- so we first set the next step to 'StepPass'
        $retVal['status'] = "030";
        $retVal['dispmsg'][] = '';
        $retVal['nextstep'] = 'StepPass';
        // ** Next check to see if we have the password
        if (strlen($p_hb_env['password']) > 0) {
          // ** We have the password -- we assume they just entered password -
            // -- invalid user so there is no need to query the database
            // *** SEND BACK TO MEMBER SCREEN WITH ERROR ****

            // ** I don't see why we would track bogus username entries at this point

            $retVal['status'] = "140";
            $retVal['dispmsg'][] = $p_mc->msg("Invalid Login Password");
            $retVal['nextstep'] = "StepMember";

        }

      } else {
        // make sure we got a row
        // * SET KNOWN VALUES HERE ---
        // * OTHERS WILL BE SET ON PASSWORD AUTHENTICATION
        $p_hb_env['confidence'] = $userrec['confidence'];

        // Locked account? value set in GetUserbyName
        if ($userrec['lockedacct']) {
          apache_note("user_name", "{$cu}:_Fl_{$userrec['user_name']}/{$username}"); # this will capture same value twice - use UID or Primary Acct instead?

          $userMemReset = $userrec['flagset'] & GetFlagsetValue('CU_MEMRESET');
          $userForceReset = $userrec['userflags'] & GetUserFlagsValue('MEM_FORCE_RESET');
          $userFailedRemain = $userrec['failedremain'] >= 0;

          if ($userMemReset && !$userForceReset && $userFailedRemain) {
            if ($pLoginType == "MBL") {
              $resetlink = $p_hb_env['loginpath'] . "/resetpwd.prg?cu={$p_hb_env['cu']}&Flang={$p_hb_env['Flang']}";
            } elseif ($pLoginType == "DSK") { // DSK
              $resetlink = $p_hb_env['loginpath'] . "/hcuResetPwd.prg?cu={$p_hb_env['cu']}";
            } else {  // Apps "APP" iPhone or "ADA" android
              ($resetlink = '');
            }
            $retVal['status'] = "112";
            $retVal['dispmsg'][] = $p_mc->combo_msg('Account is Locked Reset', 0, '#link#', "$resetlink");
            // ** what if I leave it up to the requesting script to replace the link??
            $retVal['nextstep'] = "StepMember";
          } else {
            $retVal['status'] = "112";
            $retVal['dispmsg'][] = $p_mc->msg('Account is Locked');
            $retVal['nextstep'] = "StepMember";
            // $err_string=$MC->msg('Account is Locked');
          }
        } else {
          // check if 2factor cookie (device cookie) exists
          // and content matches and force reset is not set
          // * Match the 2 Factor Cookie
          if (isValidDeviceCookie($cu, $userrec) || IsValidMammothDeviceCookie($p_hb_env, $cu, $userrec)) {
            // ** USERNAME -- AUTHENTICATED
            // ** 2 FACTOR COOKIE PRE ESTABLISHED -- AUTHENTICATED
            // ** Need the Password Screen
            // ** RESET the username here -- Above we may strip ZEROS from the beginning
            // * or other characters.  So reset here so the remaining screens have the
            // * correct username value
            $p_hb_env['username'] = $username;

            $retVal['status'] = "030";
            $retVal['dispmsg'][] = ''; //$p_mc->msg('Please Enter Password');
            $retVal['nextstep'] = "StepPass";

            // * ALSO -- At this time, we know email is okay. (because we matched the 2-factor cookie
            //   SO set the email to what is saved.  member will NOT be reentering.
            $p_hb_env['email'] = $userrec['email'];
          } else {
            // ** 2 Factor Challenge FAILED -- OR was FORCED TO RESET -- DO THAT HERE
            // ** RESET the username here -- Above we may strip ZEROS from the beginning
            // * or other characters.  So reset here so the remaining screens have the
            // * correct username value
            $p_hb_env['username'] = $username;

            $retVal['status'] = "010";
            $retVal['dispmsg'][] = ""; //$p_mc->msg('Additional Authentication');
            $retVal['nextstep'] = "StepEmail";
          }

          // ** IF Next Step is StepEmail.. BUT IF HAVE AN EMAIL, then I want to
          // * verify that now and move forward to NEXT
          if ($retVal['nextstep'] == 'StepEmail' && trim($p_hb_env['email']) != '') {

            // ** HAVE VALUES FROM ABOVE
            // If there's a saved email and it doesn't match
            $email = trim($p_hb_env['email']);
            if (!isValidEmail($email, $userrec)) {
              // Track Failure
              // email failed
              apache_note("user_name", "{$cu}:_Fm_{$userrec['user_name']}/{$username}");
              // ** OLD $sth = db_query("select fail2factor('{$p_hb_env['cu']}','$saveuser',{$GLOBALS['MEM_LOGIN_FAILED_EMAIL']})", $p_dbh);
              $sth = UpdateMemberFailedLogin($p_dbh, $p_hb_env['cu'], $userrec['user_name'], $GLOBALS['MEM_LOGIN_FAILED_EMAIL']);
              TrackUserLogin($p_dbh, array('Cu' => $cu, 'Uid' => $userrec['user_id'], 'user_name' => $userrec['user_name']), $pLoginType, $GLOBALS['MEM_LOGIN_FAILED_EMAIL'], $_SERVER['REMOTE_ADDR'], array('UA' => $_SERVER['HTTP_USER_AGENT']));

              $retVal['status'] = "120";
              // ** IF WE are here -- I want to ignore any previous messages. cleare out the dispmsg first WHY?
              $retVal['dispmsg'] = Array();
              $retVal['dispmsg'][] = $p_mc->msg('Invalid Login Email');
              $retVal['nextstep'] = "StepMember";
            } else {
              $retVal['status'] = "020";
              $retVal['dispmsg'][] = "";
//                  $p_hb_env['SYSENV']['logger'] -> info(__LINE__ . " userrec {$userrec['flagset3']} p_hb_env flagset3 {$p_hb_env['flagset3']} GLOBAL {$GLOBALS['CU3_MFA_AUTHCODE']}");

              if (intval($p_hb_env['flagset3'] & $GLOBALS['CU3_MFA_AUTHCODE'])) {
                $retVal['nextstep'] = "StepSecureAccess";
              } else {
                $retVal['nextstep'] = "StepChallenge";
              }
            }
          } elseif ($retVal['nextstep'] == 'StepEmail' && trim($p_hb_env['email']) == '') {
            // ** EMAIL HAS NOT BEEN ENTERED -- INFORM THEM
            $retVal['dispmsg'][] = $p_mc->msg('Additional Authentication');
          }
          // ** If Next Step is StepChallenge and I have challenge questions answered
          //** Then answer that
          //  When the process has required Challenge, then this will have to be passed
          // ** along no matter what.  So what will happen is when the member
          // ** finally logs in, it actually logs in everything

          if ($retVal['nextstep'] == "StepChallenge") {
            if ($userrec['freset'] == 0 && $userrec['chcount'] > 0) {
              if (HCU_array_key_exists("challengeresponses", $p_hb_env) && count($p_hb_env['challengeresponses']) > 0) {
                if (isValidChallenge($userrec, $p_hb_env['challengeresponses'])) {
                  $retVal['status'] = "030";
                  $retVal['dispmsg'][] = ''; //$p_mc->msg('Please Enter Password');
                  $retVal['nextstep'] = "StepPass";
                } else {
                  apache_note("user_name", "{$cu}:_Fq_{$userrec['user_name']}/{$username}");
                  $sth = UpdateMemberFailedLogin($p_dbh, $cu, $userrec['user_name'], $GLOBALS['MEM_LOGIN_FAILED_QST']);
                  TrackUserLogin($p_dbh, array('Cu' => $cu, 'Uid' => $userrec['user_id'], 'user_name' => $userrec['user_name']), $pLoginType, $GLOBALS['MEM_LOGIN_FAILED_QST'], $_SERVER['REMOTE_ADDR'], array('UA' => $_SERVER['HTTP_USER_AGENT']));

                  $retVal['status'] = "130";
                  $retVal['dispmsg'][] = $p_mc->msg('Invalid Login Challenge');
                  $retVal['nextstep'] = "StepMember";
                }
              }
            } elseif ($userrec['chcount'] == 0 || $userrec['freset'] == GetUserFlagsValue('MEM_FORCE_RESET')) {
              // ** IF NO QUESTIONS WERE FOUND SKIP StepChallenege
              // * WE WILL SKIP CHALLENGE QUESTIONS -- SEND THEM TO PASSWORD
              $retVal['nextstep'] = "StepPass";
              $upd_mbr_force = 1;
            }
          }
          if ($retVal['nextstep'] == "StepSecureAccess") {
            if ($userrec['freset'] == GetUserFlagsValue('MEM_FORCE_RESET')) {
              /*
               * IF Force Security Reset is then skip to password screen.
               */
              $retVal['nextstep'] = "StepPass";
            } else {
              if (!empty($p_hb_env['authcode'])) {
                if (isValidAuthcode($userrec, $p_hb_env['authcode'])) {
                  $retVal['status'] = "030";
                  $retVal['dispmsg'][] = ''; //$p_mc->msg('Please Enter Password');
                  $retVal['nextstep'] = "StepPass";
                } else {
                  apache_note("user_name", "{$cu}:_Fq_{$userrec['user_name']}/{$username}");
                  $sth = UpdateMemberFailedLogin($p_dbh, $cu, $userrec['user_name'], $GLOBALS['MEM_LOGIN_FAILED_SAC']);
                  TrackUserLogin($p_dbh, array('Cu' => $cu, 'Uid' => $userrec['user_id'], 'user_name' => $userrec['user_name']), $pLoginType, $GLOBALS['MEM_LOGIN_FAILED_SAC'], $_SERVER['REMOTE_ADDR'], array('UA' => $_SERVER['HTTP_USER_AGENT']));

                  $retVal['status'] = "135";
                  $retVal['dispmsg'][] = $p_mc->msg('Invalid Login Challenge');
                  $retVal['nextstep'] = "StepMember";
                }
              }
            }
          }

          // ** If Next Step is StepPass and I have a password,
          // ** Validate the password
          if (strlen($p_hb_env['password']) > 0 && $retVal['nextstep'] == 'StepPass') {
            /*
             * Mammoth,
             * if password len at least 4 char, and live, and username all digits, and
             * (userrec['rowfound']=0 or userrec['passwd']=='NULL PASSWORD')
             * try to get a member record from the core
             *
             * Odyssey
             * login will only be possible for existing user / member records
             * Auto-activating from the core by matching pin will still be
             * offered, but handled separately, & may be controlled by monitor
             * settings (activate by MIR, activate by PIN, no auto activate, etc)
             */
# if (isValidPass($userrec,$p_hb_env['password'])) {
            $minLenPassword = (strlen(trim($p_hb_env['password'])) < 4 ? false : true);

            if ($minLenPassword && $userrec['rowfound'] > 0) {

              $mbrMfaQuest = HCU_MFADecode(HCU_JsonDecode($userrec['mfaquest']));

              # why are we matching email here?
              if ((strtolower(trim($userrec['email'])) == strtolower(trim($p_hb_env['email'])) || trim($userrec['email']) == '') && password_verify($p_hb_env['password'], $userrec['passwd'])) {
                //  SUCCESSFUL PASSWORD MATCH
                //

                $freset = (is_null($userrec['freset']) ? 0 : $userrec['freset']);
//                                $pchange = (is_null($userrec['pchange']) ? date('Ymd') : $userrec['pchange']);
                // ** SET THE CORRECT VALUES FOR MEMBER ENVIRONMENT
                $p_hb_env['Uid'] = $userrec['user_id'];
                $p_hb_env['Cn'] = $userrec['user_name'];
                $p_hb_env['Ce'] = time() + $p_hb_env['SYSENV']['ticket']['expires'];
                $p_hb_env['Clw'] = $userrec['livewait'];
                $p_hb_env['Clu'] = (empty($userrec['lastupdate']) ? $p_mc->msg("Unknown") : urlencode(trim($userrec['lastupdate'])));
                $p_hb_env['lastupdate'] = (empty($userrec['lastupdate']) ? "Unknown" : urlencode(trim($userrec['lastupdate'])));
                $p_hb_env['Fplog'] = (empty($userrec['llog']) ? $p_mc->msg("None") : urlencode(trim($userrec['llog'])));
                $p_hb_env['Fflog'] = (empty($userrec['flog']) ? $p_mc->msg("None") : urlencode(trim($userrec['flog'])));
                $p_hb_env['Ffchg'] = (is_null($userrec['fchange']) ? 'N' : $userrec['fchange']);
                $p_hb_env['Ffremain'] = (is_null($userrec['fremain']) || $userrec['fremain'] == 0 ? $userrec['grace'] : $userrec['fremain']);
                $p_hb_env['Fmsg_tx'] = $userrec['msg_tx'];
                $p_hb_env['Fset'] = $userrec['flagset'];
                $p_hb_env['Fset2'] = $userrec['flagset2'];
                $p_hb_env['Fset3'] = $userrec['flagset3'];
                $p_hb_env['Fhdays'] = $userrec['fhdays'];
                $p_hb_env['Ml'] = $userrec['email'];
                $p_hb_env['Ffreset'] = $userrec['freset'];

                // * Add this for use later possibly in 2Factor cookie
                $p_hb_env['savepass'] = $userrec['passwd'];
                $p_hb_env['savemail'] = $userrec['email'];

                // Set the sid at this point.  It is not updated from this point.
                $p_hb_env["sid"] = strval(time());

                // make sure the force security is set so member can't avoid 2-factor forever

                $f2sql = '';
                /*
                 * UPDATE USERS FLAGS / EMAIL
                 *
                 * IF upd_mbr_force is set then set the forceremain to the Credit Union Value
                 * ELSE
                 * SET EMAIL - if it was blank and we now have a value
                 *         - Why update the email if it's already set? In upgrade it always set the email
                 *           - mws 3/16/2016 - if they got here, they have a successful login if email isn't
                 *                             blank then they must have already matched the email -- so why save
                 *
                 * Record Audit trail ONLY if email was changed FROM blank
                 *
                 */

                // ** Setup the user update array if Member was Forced to Challenge OR email was updated

                $updateEmail = (trim($userrec['email']) == '' && trim($p_hb_env['email']) > '');

                if ($upd_mbr_force || $updateEmail) {
                  $updTable = array('user' => array(
                                array(
                                  "_action" => "update",
                                  "user_id" => $p_hb_env['Uid']
                                )
                              )
                  );
                  if ($upd_mbr_force) {
                    // * SET the MEM_FORCE_RESET bit in userflags
                    // * If value is NULL then set to MEM_FORCE_RESET
                    $valueUserFlag = ($userrec['userflags'] == '' ? $GLOBALS['MEM_FORCE_RESET'] : ($userrec['userflags'] | $GLOBALS['MEM_FORCE_RESET']));
                    $updTable['user'][0]['userflags'] = $valueUserFlag;
                    $updTable['user'][0]['forceremain'] = $userrec['fremain'];
                    $freset |= $GLOBALS['MEM_FORCE_RESET'];
                  }
                  if ($updateEmail) {
                    $updTable['user'][0]['email'] = trim($p_hb_env['email']);
                  }
                  // * Update the records -- ONLY SAVE AUDIT RECORD IF UPDATING EMAIL
                  $updateResults = DataUserTableUpdate($p_dbh, $p_hb_env, $p_mc, $updTable, $userrec['user_id'], 'U_UPD', $pLoginType, $p_hb_env['currentscript'], 'U', ($upd_mbr_force ? "Force Mbr Update / " : "") . ($updateEmail ? "Set Email" : ""), $userrec['user_name'], $p_hb_env['email'], $p_hb_env['remoteIp'], !$updateEmail);
//                                $userupd = GetUserbyName($p_dbh, $cu, $username);
//                                $p_hb_env['SYSENV']['logger'] -> info(__LINE__ . " userrec " . print_r($userupd,true));
                }
                $p_hb_env['Ffreset'] = $userrec['freset'];

                // SET THE MEMBER COOKIE
                $now = time();

                apache_note("user_name", "{$cu}:{$username}");

                $baseCookie = BuildBaseSessionTicket( $p_hb_env );
                $mycookie = "Ctime=$now&Cn={$userrec['user_name']}&Uid={$userrec['user_id']}&Ml=" . urlencode($userrec['email']) . "&Ca=";

                // ** Check for testmenu param -- If set to 1, then I want to add it to cookie
                if (intval(HCU_array_key_value('testmenu', $p_hb_env['HCUPOST'])) == 1) {
                  $mycookie .= "&testmenu=1";
                }
                // ** SET THE COOKIE
                // * *OLD FAILS SetTicket($p_hb_env, "", $mycookie);
                SetTicket($p_hb_env, $baseCookie, $mycookie);

                // ** Log success
//                                $must = ($userrec['freset'] == 2 ? 'Y' : $p_hb_env['Ffchg']);
                // ** BY BEING HERE -- I know that if the CU is set to ReadOnly
                // ** and the script allows ReadOnly access, then at this point
                // ** I need to check real offline status -- So I will set a temp
                // ** flag to capture script flag setting for allowReadonly, and
                // ** reset the allowReadonly to false
                // ** Then call hcu_checkoffilne -- If it comes back true, then
                // ** based on the previous hcu_offline being true and this offline
                // ** being false, that can only happen if the difference is the
                // ** readonly status -- AND such, I do NOT want to update the
                // ** forceremain or pwchange in logtrack. So I will set values
                // ** to prevent those flags from being set
                // ** fchange/pchange affect the logtrack function
                // * if fchange is Y - then the forcremain is decremented
                // * if fchange is N - and the CU require members to update stale pwd's
                // * the forcechange is set
                // ** I propose, if the system is in READONLY mode
                // ** To set the fchange to 'N'
                // ** set the pchange to now()
                // ** This will prevent the two methods from being true in the log track function
                // ** and the forceremain will not be decremented or activated
                // ** HB_ENV['allowReadonly'] is set in the previous script, and would have stopped
                // ** if it was NOT readonly
                $tempReadonly = $p_hb_env['allowReadonly'];
                $p_hb_env['allowReadonly'] = false;

                if (!hcu_checkOffline($p_dbh, $p_hb_env)) {
                  $funcFchange = "N";
                  // ** By passing in tomorrows date, it should prevent the password stale comparison
                  // * from returning true.  Sending the log track into the "final" else statement
                  $funcPchange = date('Y-m-d', mktime(0, 0, 0, date("m"), date("d") + 1, date("Y")));
                } else {
                  $funcFchange = ($userrec['freset'] == 2 ? 'Y' : $p_hb_env['Ffchg']);
                  $funcPchange = (is_null($userrec['pchange']) ? date('Ymd') : $userrec['pchange']);
                }
                $p_hb_env['allowReadonly'] = $tempReadonly;

                // ** PREPARE THE mfaquest --
                // The challenge key must be reset to 0 for SUCCESSFUL LOGINS
                // and the sac code and expiration must be reset empty for SUCCESSFUL LOGINS
                $mbrMfaQuest['challenge'] = 0;
                $mbrMfaQuest['authcode']='';
                $mbrMfaQuest['authexpires']='';

                // $sth = db_query("select hcumbrlogintrack('{$p_hb_env['cu']}','" . prep_save($saveuser) . "','$funcFchange','$funcPchange','{$pLoginType}')", $p_dbh);
//                           $p_hb_env['SYSENV']['logger'] -> info(__LINE__ . " UpdateMemberLoginTrack (dbh, {$p_hb_env['cu']}, {$username}, {$funcFchange}, {$funcPchange}, {$pLoginType}, {$mbrMfaQuest})");
                $sth = UpdateMemberLoginTrack($p_dbh, $p_hb_env['cu'], $username, $funcFchange, $funcPchange, $pLoginType, $mbrMfaQuest);
                TrackUserLogin($p_dbh, array('Cu' => $p_hb_env['cu'], 'Uid' => $userrec['user_id'], 'user_name' => $username), $pLoginType, 0, $_SERVER['REMOTE_ADDR'], array('UA' => $_SERVER['HTTP_USER_AGENT']));

                // ** If chkSecure is selected -- Then
                if ($p_hb_env['HCUPOST']['chksecure'] == 'Y') {
                  SetDeviceCookie($p_hb_env, $userrec);
                }

                // ** Always force to the next screen, this will handle any redirection
                $retVal['status'] = "000";
                $retVal['dispmsg'][] = "";
                $retVal['nextstep'] = "StepNone";
              } else {
                // *  Track failure
                // ** password failed
                apache_note("user_name", "{$cu}:_Fp_{$username}");
                $sth = UpdateMemberFailedLogin($p_dbh, $cu, $userrec['user_name'], $GLOBALS['MEM_LOGIN_FAILED_PWD']);
                TrackUserLogin($p_dbh, array('Cu' => $cu, 'Uid' => $userrec['user_id'], 'user_name' => $userrec['user_name']), $pLoginType, $GLOBALS['MEM_LOGIN_FAILED_PWD'], $_SERVER['REMOTE_ADDR'], array('UA' => $_SERVER['HTTP_USER_AGENT']));
                $retVal['status'] = "140";
                $retVal['dispmsg'][] = $p_mc->msg("Invalid Login Password");
                $retVal['nextstep'] = "StepMember";
              }
            } else {
                // * Track failure (no user record or min password length fail)
                $logFlag = $minLenPassword ? "Fn" : "Fp";
                $logUID = $minLenPassword ? 0 : $userrec['user_id'];
                # need a valid code for invalid user name?
                $logCode = $minLenPassword ? $GLOBALS['MEM_LOGIN_FAILED_PWD'] : 0;
                apache_note("user_name", "{$cu}:_{$logFlag}_{$username}");
                $sth = UpdateMemberFailedLogin($p_dbh, $cu, $username, $logCode);
                TrackUserLogin($p_dbh, array('Cu' => $cu, 'uid' => $logUID, 'user_name' => $username), $pLoginType, $logCode, $_SERVER['REMOTE_ADDR'], array('UA' => $_SERVER['HTTP_USER_AGENT']));
                // $err_string = $MC->msg("Invalid Login Password");
                $retVal['status'] = "140";
                $retVal['dispmsg'][] = $p_mc->msg("Invalid Login Password");
                $retVal['nextstep'] = "StepMember";
            }
          }
        }
      }  // rowfound
    } else {
      /* INVALID USER NAME ENTERED -- most likely a space was entered, but includes other characters like ; or , refer to hcuCheckUsername*/
      // ** To be here we have a username -- so we first set the next step to 'StepPass'
      $retVal['status'] = "030";
      $retVal['dispmsg'][] = '';
      $retVal['nextstep'] = 'StepPass';
      // ** Next check to see if we have the password
      if (strlen($p_hb_env['password']) > 0) {
        // ** We have the password -- we assume they just entered password -
          // -- invalid user so there is no need to query the database
          // *** SEND BACK TO MEMBER SCREEN WITH ERROR ****

          // ** I don't see why we would track bogus username entries at this point

          $retVal['status'] = "140";
          $retVal['dispmsg'][] = $p_mc->msg("Invalid Login Password");
          $retVal['nextstep'] = "StepMember";

      }
    }   // hcuCheckUserName
    return $retVal;
}

/**
 *
 * @param string $email email entered by member
 * @param array $userrec result of GetUserbyName or similar
 * @return boolean
 *
 * returns true if email is set in db and entered email matches,
 * or if email in db is empty and entered email has valid format
 */
function isValidEmail($email, $userrec) {
    if ((trim($userrec['email']) > '' && strtolower(trim($userrec['email'])) == strtolower(trim($email))) ||
        (trim($userrec['email']) == ''  && validateEmail($email))) {
        $return_val = true;
    } else {
        $return_val = false;
    }
    return $return_val;
}
function activateWithCorePin($userrec, $p_hb_env) {
    $insflag = ($userrec['rowfound'] == 0 ? 1 : 0);
// password given and username is all digits and
// no cuuser record or NULL PASSWORD rec
// try to get user info from the core cu
// run the query again if the fetch was successful

/*
 * check to see if the username is all digits - indicating member account number
 * check to see if that account is already a primaryAccout - if so, not eligible to activate
 * add default group records, username records, etc. as needed
 */
    list ($status, $asofdate, $reason) = fetch_user($cu, $username, $p_hb_env['password'], $insflag);
    if ($status == "100" || $status == "101") {
        // ** Re Retrieve the user record
        $userrec = GetUserbyName($p_dbh, $cu, $username);
//        $p_hb_env['SYSENV']['logger'] -> info(__LINE__ . "GetUserbyName returns: " . print_r($userrec,true));
    } elseif ($status == "200" || $status == "201" || $status == "202") {
        $retVal['status'] = "140";
        $retVal['dispmsg'][] = $p_mc->msg("CU System Unavailable");
        $retVal['nextstep'] = "StepMember";
    } else {
        // don't return the core status here
        $retVal['status'] = "140";
        $retVal['nextstep'] = "StepMember";
    }
    return $retVal;
}

/**
 *
 * @param array $userrec user info from db as returned by GetUserbyName
 * @param array $challengeresponses posted responses from the member
 * @return boolean returns true if posted responses match db
 *              will also return true if force reset is on
 *              or if member has zero challenge questions defined
 */
function isValidChallenge($userrec, $challengeresponses) {

    // * Create the MFA Quest Array
    $aryMfaQuest = HCU_JsonDecode($userrec['mfaquest']);
    $mbrMfaQuest = HCU_MFADecode($aryMfaQuest);
    $savecqid = $mbrMfaQuest['challenge'];
    $chcount = $mbrMfaQuest['mfacount'];
    // If force reset is NOT set and we HAVE some challenge questions
    // ** having problems with this statement...
    // freset is set then we will be LATER setting challenge questions,
    // * no need to set right now
    $fail = 0;

    // ** VALIDATE ANSWERS IF THERE ARE ANY
    if (count($challengeresponses) > 0) {

        /*
         * VALIDATE ANSWERS
         * IF savecqid has a value and CU configured for only one answer,
         * then ONLY validate that answer
         *
         * chcount being greater than one MEANS the aryMfaQuest array contains
         * an 'answers' key, is an array and has at least one value
         */

        /*
         * I think looking at $mbrMfaQuest (result of HCU_MFADecode) may work
         * without having examine Random challenge setting as it always returns
         * an array
         */
        $aryMfaAnswers = $aryMfaQuest['answers'];   // Set the array
        if (($userrec['flagset2'] & $GLOBALS['CU2_RANDOM_CHAL']) == $GLOBALS['CU2_RANDOM_CHAL'] && $mbrMfaQuest['challenge'] > 0) {
            // * Set a single key array
            $mfaAnswerIdx = Array($mbrMfaQuest['challenge']);
        } else {
            // * Set an array of all the keys in answers
            $mfaAnswerIdx = array_keys($aryMfaAnswers);
        }

        // ** NOW EVALUATE THE ANSWERS
        foreach (array_intersect_key($aryMfaAnswers, array_flip($mfaAnswerIdx)) as $qid => $qanswer) {
            $response = "qid$qid";
            if (strtolower(trim($qanswer)) != strtolower(trim($challengeresponses[$response]))) {
                $fail++;
            }
        }
    }
    if ($fail == 0) {
        $retVal = true;
    } else {
        $retVal = false;
    }
    return $retVal;
}
/**
 *
 * @param array $userrec user info from db as returned by GetUserbyName
 * @param string $authcode authcode entered by member
 * @return boolean returns true if posted response match db
 */
function isValidAuthcode($userrec, $authcode) {

    // * Create the MFA Quest Array
    $aryMfaQuest = HCU_JsonDecode($userrec['mfaquest']);
    $mbrMfaQuest = HCU_MFADecode($aryMfaQuest);

    // ** VALIDATE AuthCode IF it hasn't expired
    if ( $mbrMfaQuest['authexpires'] >  time()  && trim($mbrMfaQuest['authcode']) > '' &&
            strtolower($authcode) == strtolower($mbrMfaQuest['authcode'])
        ) {
        $retVal = true;
    } else {
        $retVal = false;
    }
    return $retVal;
}

/**
 *
 * @param string $cu client code
 * @param array $userrec result of GetUserbyName or similar
 * @return boolean
 *
 * returns true if device cookie content matches and Force Reset is not set,
 * otherwise returns false.
 */
function isValidDeviceCookie($cu, $userrec) {


    $mfaMode = (intval($userrec['flagset3'] & GetFlagsetValue('CU3_MFA_AUTHCODE')));
    //$mfaDate = HCU_array_key_exists("mfadate", $userrec) ? $userrec['mfadate'] : "";
    $mfaDate = HCU_array_key_value("mfadate", $userrec);

    $cookieParams = array ( "cu" => $cu,
                            "user_name" => $userrec['user_name'],
                            "saved_pass" => $userrec['passwd'],
                            "saved_email" => $userrec['email'],
                            "saved_confidence" => $userrec['confidence'],
                            "mfa_mode" => $mfaMode,
                            "mfa_date" => $mfaDate,
                            "persists_time" => 0        // are not actually creating a cookie for use
                          );

    $cookieInfo = CreateDeviceCookie( $cookieParams);

    if (!empty($_COOKIE[$cookieInfo["name"]]) && ($cookieInfo["content"] == $_COOKIE[$cookieInfo["name"]]) && ($userrec['freset'] != GetUserFlagsValue('MEM_FORCE_RESET'))) {
        $return_val = true;
    } else {
        $return_val = false;
    }
    return $return_val;
}

/**
 * If allowed, recognize if it is a valid Mammoth device cookie and replace it with a
 * new device cookie. Because Mammoth is account based and Odyssey is user based get
 * all the accounts related to the user because we don't know which one was the Mammoth
 * one.
 *
 * @param array $pHBEnv     Environment
 * @param string $pCu       CU code
 * @param array $pUserRec   Result of GetUserbyName or similar
 * @return boolean
 *
 * Returns true if Mammoth device cookie is allowed AND have valid contents
 *   and Force Reset is not set,
 * otherwise returns false.
 */
function IsValidMammothDeviceCookie( $pHBEnv, $pCu, $pUserRec ) {
    $retVal = false;    // assume not valid

    // check if allowed
    if ( ($pHBEnv["flagset3"] & GetFlagsetValue("CU3_ALLOW_COOKIE_MIGRATION")) > 0 &&
         $pUserRec['freset'] != GetUserFlagsValue('MEM_FORCE_RESET') ) {
        // get the possible account numbers
        $sql = "SELECT DISTINCT ua.accountnumber
                FROM {$pCu}user u
                INNER JOIN {$pCu}useraccounts ua on ua.user_id = u.user_id
                WHERE u.user_name ilike '{$pHBEnv["username"]}'";

        $rs = db_query( $sql, $pHBEnv["dbh"] );

        $row = 0;
        while ( $aRow = db_fetch_array( $rs, $row++ ) ) {
            $thisAccount = $aRow["accountnumber"];
            $mammothCookieName = Return2FactorName( $pHBEnv['cu'], $pHBEnv['2factorkey'], trim($thisAccount) );

            if ( isset( $_COOKIE[$mammothCookieName] ) ) {
              // check the contents
              $mammothCookieContent = sha1( trim($pUserRec["passwd"]) . trim($pUserRec["email"]) . trim($pUserRec["confidence"]) );

              $retVal = $mammothCookieContent == $_COOKIE[$mammothCookieName];

              // test if we are going to say it's valid
              if ( $retVal ) {
                  // we need to set up some variables the new device cookie will need
                  $pHBEnv["Cn"] = $pUserRec['user_name'];
                  $pHBEnv["Fset3"] = $pUserRec['flagset3'];
                  $pHBEnv["savepass"] = trim( $pUserRec["passwd"] );
                  $pHBEnv["savemail"] = trim( $pUserRec["email"] );

                  // remove the old one first in case the cookie names are the same
                  $inThePast = time() - 3600 * 24;
                  HCU_setcookie_env( $pHBEnv['SYSENV'], $mammothCookieName, "", $inThePast );

                  // replace the old device cookie with a new one
                  SetDeviceCookie( $pHBEnv, $pUserRec);
              }

              // exit the loop
              break;
            }

        }
    }

    return $retVal;
} // end IsValidMammothDeviceCookie


/*
 * Function: CreateDeviceCookie
 * Purpose:  Create the 2Factor Device cookie so it can be used by browser and apps
 *
 * $param array pCookieParams --
 *                        string cu -- Credit union name (UPPER CASE)
 *                        string user_name  -- username
 *                        string saved_pass -- saved password
 *                        string saved_email -- saved email
 *                        string saved_confidence -- saved confidence word
 *                        integer mfa_mode -- integer value of flag if AuthCode or not
 *                        string mfa_date -- The date associated with the last mfa update.  Can
 *                                                   be obtained from the function GetUserByName
 *                        integer persists_time -- how long (in seconds) the device cookie persists
 *
 * @return cookie name, cookie content, and expire time as an array
 */
function CreateDeviceCookie( $pCookieParams) {
  $cookieName = Return2FactorName($pCookieParams["cu"], Get2FactorKeyString(), trim($pCookieParams["user_name"]));

  $cookieContent = hash_hmac('sha384',GetDeviceCookieContentString(),trim($pCookieParams["saved_pass"]) . trim(strtolower($pCookieParams["saved_email"])) . trim(strtolower($pCookieParams["saved_confidence"])) . $pCookieParams["mfa_mode"] . $pCookieParams["mfa_date"]);

  $expire = time() + $pCookieParams["persists_time"];

  return array( "name" => $cookieName, "content" => $cookieContent, "expire" => $expire);
}

/*
 * Function: SetDeviceCookie
 * Purpose:  To manage the 2Factor Device cookie -- At this time it is Browser based, but
 *    returns the cookie info for other environments to use.
 *
 * @param array p_hb_env -- The current HB_ENV value
 * @param array pUserRec -- An array of User Record values.  Can be obtained from the function GetUserByName
 *                          [mfadate] - The date associated with the last mfa update
 * @return array cookieInfo -- name, content, expire
 */
function SetDeviceCookie($p_hb_env, $pUserRec) {

  $now = time();

  if (sizeof($_COOKIE) > 6
    && !preg_match("/^199.184.207/",$_SERVER['REMOTE_ADDR'])
    && !preg_match("/^192.168/",$_SERVER['REMOTE_ADDR'])) {

    $emsg = "{$_SERVER['REMOTE_ADDR']} {$p_hb_env['cu']}:{$p_hb_env['Cn']} " . date('Y-m-d H:i:s') .   " " . sizeof($_COOKIE) .  " Cookies";
    $p_hb_env['SYSENV']['logger']->warning($emsg);
  }


  // ** Make sure the COOKIES ARE KEPT TO MINIMUM FOR the browser, these add to
      // * size of packet being sent back to server from client

  if (sizeof($_COOKIE) > 23) {
    reset ($_COOKIE);
    $persists = ($now - 3600);
    foreach ($_COOKIE as $cookiename => $cookiecontent) {
      if (!preg_match("/^(Tx_mURI|Ticket|webconnect)/",$cookiename)) {
        HCU_setcookie_env($p_hb_env['SYSENV'], $cookiename, "", $persists);
      }
    }
  }

  // Get the MFA mode (authcode or not) flag
  $mfaMode = (intval($p_hb_env['Fset3'] & GetFlagsetValue('CU3_MFA_AUTHCODE')));

  // Get the mfadate from the UserRec
  $mfaDate = HCU_array_key_value("mfadate", $pUserRec);

  $cookieParams = array ( "cu" => $p_hb_env["cu"],
                          "user_name" => $p_hb_env["Cn"],
                          "saved_pass" => $p_hb_env["savepass"],
                          "saved_email" => $p_hb_env['savemail'],
                          "saved_confidence" => $p_hb_env['confidence'],
                          "mfa_mode" => $mfaMode,
                          "mfa_date" => $mfaDate,
                          "persists_time" => $p_hb_env['SYSENV']['ticket']['persists']
                        );

  $cookieInfo = CreateDeviceCookie( $cookieParams);

  // OLD REMOVE setcookie($cookiename, $cookiecontent, $persists, "/", $p_hb_env['TicketDomain'], 1);
  HCU_setcookie_env($p_hb_env['SYSENV'], $cookieInfo["name"], $cookieInfo["content"], $cookieInfo["expire"]);

  return $cookieInfo;
}

/**
 * TrackUserLogin
 *  Write a user login tracking record
 * @param integer $p_dbh - current database handle
 * @param array $p_hb_env - current HB_ENV array (expecting Cu, user_id, user_name)
 * @param string $pLoginType - platform used: CLS, DSK, MBL, APP, ADA
 * @param integer $status - result code for login status
 *          0 = successful login
 *          $MEM_LOGIN_FAILED_EMAIL = 4;
 *          $MEM_LOGIN_FAILED_QST = 8;
 *          $MEM_LOGIN_FAILED_PWD = 16;
 *          $MEM_LOGIN_FAILED_ALIAS = 64;
 * @param string $p_ipaddr - remote ip address
 *          will be cast as inet for insert
 * @param array $p_meta - content for metadata

 * @return nothing returned
 */
function TrackUserLogin($p_dbh, $p_hb_env, $pLoginType, $status, $p_ipaddr, $p_meta) {
//    if ($status == 0) {   # if we need to turn off failure logging
    /*
     * only add a tracking record if we have a valid Uid.  Tracking failures for
     * non-existent login id may fill the table surprisingly fast, especially
     * if someone is deliberately hacking.  These attempts should still be in
     * the web log if we had to find them
     */
    if (!empty($p_hb_env['Uid'])) {
        $Cu = $p_hb_env['Cu'];
        $user_id = (empty($p_hb_env['Uid']) ? 0 : $p_hb_env['Uid']);
        $user_name = prep_save($p_hb_env['user_name'], 50);

        $callback = function(&$item, $key) {
            $item = utf8_encode($item);
        };
        array_walk($p_meta, $callback);

        $meta = prep_save(json_encode($p_meta));
        if ($Cu <> '') {
            $sql = "insert into {$Cu}userlogins (user_id, user_name, login_dt, hcucode, status, remote_ip, metadata)
            values ('$user_id', E'{$user_name}', CURRENT_TIMESTAMP, '{$pLoginType}', {$status}, '{$p_ipaddr}', E'{$meta}')";
            $sth = db_query($sql, $p_dbh);
        }
    }
//    } # if we need to turn off failure logging
    return;
}

/*
 * Function: Return2FactorName
 * Purpose:  This will return the name of the 2 Factor hash, which is a combo
 *            cu, secret key , username
 * Parameters:
 *            p_cu - CU Code
 *            p_key - secret key
 *            p_username - member username -- ALWAYS the username, not cellalias
 * Returns:
 *            Returns the hashed string
 */
function Return2FactorName($p_cu, $p_key, $p_username) {

  return sha1(trim($p_cu) . $p_key . trim($p_username));

}


function mobile_formatnumber($p_nbr, $p_show_separator = true) {

  $inc_comma = ($p_show_separator ? ",": "");
  if (is_numeric($p_nbr)) {
    return number_format($p_nbr, 2, ".", $inc_comma);
  } else {
    return $p_nbr;
  }
}
function mobile_displayhtml($text,$charset='ISO-8859-1') {
  return htmlspecialchars(trim($text),ENT_QUOTES,$charset,false);
}
function mobile_formatdate($p_date) {
  // ** ONLY FORMAT A VALID DATE
  $retVal = "";
  $timestamp = "";

  // ** Make accommdations for a N/A coming through on the date
    // Make sure NOT to format this date
  if (trim($p_date) != "N/A") {
    if (($timestamp = strtotime($p_date)) !== false) {
      $retVal = date("m/d/y", $timestamp);
    }
  } else {
    $retVal = $p_date;
  }
  return $retVal;
}
function mobile_formatdate_ipay($p_date) {
  // ** ipay seems to format dates as YYYY-MM-DDT00:00:00
  // ** I want to just return the informatin in the standard MM/DD/YYYY format
  $retVal = substr($p_date, 5, 2) . "/" . substr($p_date, 8, 2) . "/" . substr($p_date, 2, 2);

  return $retVal;
}

/**
 *  Get_SpecialPwdCharacters
 *
 *  This will return a comma delimited string of the special characters that are
 *   supported when special characters are required.
 *
 * @param none
 *
 * @return string - Returns a comma-delimited list of the special characters.
 */
function Get_PwdSpecialCharacters() {
  return "!,@,#,$,%,^,&,*,?,_,~,-,(,)";
} // end Get_SpecialPwdCharacters

/**
 * check_alias_available
 *
 * Check to see if a user alias is currently available in the system
 *
 * @param integer $p_dbh  - Current database handle
 * @param array $p_hb_env - Current HB_ENV array
 *                USES
 *                cu - CU Code  UPPER CASE
 *                Uid - CURRENT Authenticated User - User ID
 * @param string $p_useralias - User alias we are checking to see if it already exists
 * @return boolean - {true, false} true - if the user alias IS available, false
 *      if the user alias is NOT available
 */
function check_alias_available($p_dbh, $p_hb_env, $p_useralias) {
  // Check database to see if anyone else is using this alias
  $sql = "SELECT count(*)
          FROM {$p_hb_env['Cu']}user
          WHERE
                (lower(user_name) = '" . strtolower(prep_save($p_useralias, 50)) . "'
                  AND user_id <> '{$p_hb_env['Uid']}') ";
  $uniq_rs = db_query($sql, $p_dbh);
  list($uniq_cnt) = db_fetch_array($uniq_rs, 0);

  $uniq_cnt = ($uniq_cnt == 0 ? 0 : 1);

  // * if uniq_cnt is 0 then the alias is available, return True, else false
  return ($uniq_cnt == 0 ? true : false);
}

/**
 * Get_AccountHPRDetails
 *  Get the Holds/Pending/Requested for a specified account key
 *  It will call the 3 data functions that will retrieve the data
 *
 * @param integer $p_dbh - current database handle
 * @param array $p_hb_env - current HB_ENV array
 * @param object $p_mc - the current MC lanaguage class
 * @param string $p_acct_key - the current account key string
 *      format AcctType|AcctNbr|Suffix|CertNo {only for deposit type}
 * @return array
 */
function Get_AccountHPRDetails($p_dbh, $p_hb_env, $p_mc, $p_acct_key) {
  $retDetails = Array("holds" => Array(), "pending" => Array(), "requests" => Array());

  // ** RETRIEVE HOLDS
  $AcctHolds_ary = Get_HoldDetails($p_dbh, $p_hb_env, $p_acct_key);
  if ($AcctHolds_ary['status']['code'] == '000') {
    if (HCU_array_key_exists( $p_acct_key, $AcctHolds_ary )) {
      // ** SUCCESSFUL - SET THE HOLDS ARRAY
      $retDetails['holds'] = HCU_array_key_value( $p_acct_key, $AcctHolds_ary );
    }
  }

  // ** RETRIEVE PENDING
  $AcctPend_ary = Get_PendDetails($p_dbh, $p_hb_env, $p_acct_key);

  if ($AcctPend_ary['status']['code'] == '000') {
    if (HCU_array_key_exists( $p_acct_key, $AcctPend_ary )) {
      // ** SUCCESSFUL - set the pending array
      $retDetails['pending'] = HCU_array_key_value( $p_acct_key, $AcctPend_ary );
    }
  }

  // ** RETRIEVE REQUESTS
  $AcctReq_ary = Get_ReqDetails($p_dbh, $p_hb_env, $p_acct_key);

  if ($AcctReq_ary['status']['code'] == '000') {
    // ** SUCCESSFUL -- set the requests array
    // ** reset the fields within the array as the keys are NOT consistent
    if (HCU_array_key_exists('acctlist', $AcctReq_ary)) {
      if (count($AcctReq_ary['acctlist'][$p_acct_key]) > 0) {
        foreach ($AcctReq_ary['acctlist'][$p_acct_key] as $request_details) {
          // ** Add new item
          $retDetails['requests'][] = Array (
                          "amount" => $request_details['amount'],
                          "postdate" => HCU_array_key_value('date', $request_details),
                          "description" => $request_details['txdesc'],
                          "traceno" => $request_details['id']
                          );
        }
      }
    }
    //$retDetails['requests'] = $AcctReq_ary['acctlist'][$p_acct_key];
  }

  return $retDetails;
}

/*
 * Function: Return_Random4Challenege
 * Purpose:  This will parse the cookie PWDCHG and retrieve p1, which is the
 *           random number that will be used to decrypt the challenge serialized hash
 * Paremeters: $p_hb_env -- HB_ENV
 * Returns:  This will return an empty string OR the value if the expires was good
 *             and the
 */
function Return_Random4Challenge($p_hb_env) {
  $retVal = "";
  // ** GET THE COOKIE CONTENTS
  if ($_COOKIE['PWDCHG']) {
    $cookieval = $_COOKIE['PWDCHG'];

    $cookie_arr = Array();
    parse_str($cookieval, $cookie_arr);
    // ** FIRST Make sure the HASH MAKES SENSE
    if ($cookie_arr['p3'] == MD5($p_hb_env['secret'] . MD5(join (':', array($cookie_arr['p1'], $cookie_arr['p2']))))) {
      // ** NOW BE SURE OF TIME
      if ($cookie_arr['p2'] > time()) {
        $retVal = intval($cookie_arr['p1']);
      } else {
      }
    } else {
    }
  }

  return $retVal;
}

function hcuCheckUsername($username) {
   $pass_val = false;
    // Check the given username
    // Not empty, and not containing \`,"; or whitespace
    if (
          $username > '' && !(preg_match("/[\\\`,\"\s;]/", $username))
       ) {
      $pass_val = true;
    } else {
      $pass_val = false;
    }
    return $pass_val;

    }

    /**
     *
     * Generate a random Access code
     *
     * @param integer $length how long the code should be - default 6 digits
     * @param integer $ttl how long before the code expires - default 40 minutes
     *
     * @return array (Authcode, AuthExpires)
     */
    function generateAuthcode($length = 6, $ttl = 2400) {
        $length = intval($length);
        # valid range 6 to 10 digits, default 6 digits
        $length = ($length < 6 || $length >10 ? 6 : $length);
        $ttl = intval($ttl);
        # valid range 15 minutes to 3 hours, default 40 minutes
        $ttl = ($ttl < 900 || $ttl > 10800 ? 2400 : $ttl);
        $result = substr(str_repeat('0',$length) . rand(0,pow(10,$length)),-$length,$length);
    return array('authcode' => $result, 'authexpires' => time() + $ttl);
}
/**
 *
 * Update the user record to save authcode & expires timestamp
 *
 * @param integer $p_dbh   - Current Database handle for Update_MemberInfo
 * @param array $p_hb_env  - Current HB_ENV Update_MemberInfo uses hb_env['Cu']
 * @param object $p_mc     - This points to the current MC value for the language class
 *                           Update_MemberInfo uses MC for error strings
 * @param array $userrec result of GetUserbyName or similar
 *               will be updated with new authcode / mfaquest array values
 * @param string $authcode newly-generated authcode for member
 * @param timestamp $authexpires expiration timestamp for $authcode
 *
 * @return boolean TRUE/FALSE
 */
function setAuthcode ($p_dbh, $p_hb_env, $p_mc, &$userrec, $authcode, $authexpires) {

    // Save information to the MFA array for the user identified in $userrec
    // leave as discrete function for now, because we may redesign.  So just
    // save the values here
    // save authcode and authexpires as part of mfaquest array
    // also update userrec (or call GetUserbyName) so script has current values

                /*
                 * **********************
                 * UPDATE [cucode]user TABLE WITH AUTHCODE INFO
                 * **********************
                 */

                $retVal = TRUE;

                $mbrMfa = HCU_MFADecode(HCU_JsonDecode($userrec['mfaquest']));
                $mbrMfa['authcode'] = $authcode;
                $mbrMfa['authexpires'] = $authexpires;

                $mbrSaveMfa = PrepareMfaQuestString($mbrMfa);

                $userrec['authcode'] = $authcode;
                $userrec['authexpires'] = $authexpires;
                $userrec['mfaquest'] = $mbrSaveMfa;

                // ** update the user table
                $upd_list_array = serialize(Array("mfaquest" => $mbrSaveMfa));
                $upd_keys_array = serialize(Array("user_name" => $userrec['user_name']));
                $updateResponse = Update_MemberInfo($p_dbh, $p_hb_env, $p_mc, $upd_list_array, $upd_keys_array);

                if ($updateResponse['status']['code'] != '000') {
                  // ** Unable to process for some reason...
                  // ** What to do next
                  // throw new Exception('User Record Not Updated', '905');
                    $retVal = FALSE;
                }
    return $retVal;
}

function setAdminAuthcode ($dbh, $Cu, $Cn, $authcode) {
                 /*
                 * **********************
                 * UPDATE cuadminusers TABLE WITH AUTHCODE INFO
                 * **********************
                 */

                $retVal = TRUE;

                $altIP = $_SERVER['REMOTE_ADDR'];
                $timeStamp = time();

                // pin|ip|timestamp started|retry count
                $saveUserConfirm = $authcode . "|" . $altIP . "|" . $timeStamp . "|0";

                // ** update the cuadminuser table
                $sql = "Update cuadminusers SET userconfirm = '$saveUserConfirm' WHERE cu = '$Cu' AND user_name = '$Cn'";
                $sth = db_query($sql,$dbh);
                if ($sth < 1) {
                  // ** Unable to process for some reason...
                  // ** What to do next
                  // throw new Exception('User Record Not Updated', '905');
                  $retVal = FALSE;
                }

    return $retVal;
}

/**
 *
 * Send the authcode using the selected transport method
 *
 * @param integer $dbh - Current Database handle
 * @param array $p_hb_env  - Current HB_ENV SendLongCodeSMS uses it
 * @param array $userrec result of GetUserbyName or similar
 * @param string $retSendTo HCU_PayloadEncode value containing method and destination
 * @param string $retSendFrm valid sms # or email address (validate before call)
 *
 * @return boolean TRUE / FALSE
 */
function sendAuthcode ($dbh, $p_hb_env, $userrec, $retSendTo) {

    $unmasked = HCU_PayloadDecode($userrec['cu'], $retSendTo, false);
    $retSendHow = $unmasked[0];
    $retSendTo = $unmasked[1];
    $MsgFromName = $p_hb_env['orgname']; # encoding / escaping needed? Handle empty?
    $MsgSubj = trim($p_hb_env['orgname']) . " Authentication Request";

    // * get the current code from the userrec
    $hcuAuth = $userrec['authcode'];
    $hcuExpires = $userrec['authexpires'];
    $timeExpire = round( ($userrec['authexpires'] - time()) / 60 );

    // $MsgBody = "Code: $hcuAuth good until " . gmdate("m/d/Y H:i:s e", $hcuExpires);
    // $MsgBody = "Access Code $hcuAuth expires in 20 minutes";

    if ($retSendHow == 'S') {
        // style the message for SMS
        $MsgBody = "Code: $hcuAuth\n";
        $MsgBody .= "Sent from {$p_hb_env['orgname']}\n";
        $MsgBody .= "Secure Access Code expires in $timeExpire minutes.\n";

        // Send a message to the user
        // ** Be sure to strip out just the number from the retSendto
        // Just to be certain strip out the potential + from prepended number
        $retSendTo = preg_replace('/^([\+]{0,1})(\d+)(\@.*)/', '$2', $retSendTo);

        if ($p_hb_env['flagset3'] & GetFlagsetValue('CU3_LONGCODE_MFA')) {
          $retSendFrm = GetCuSMSFrom($dbh, $userrec['cu']);

          // ** USE LONG CODE FOR SENDING AUTH CODE
          $msg_response = SendLongCodeSMS($GLOBALS['HOMECU_LONGCODE_API_KEY'], $GLOBALS['HOMECU_LONGCODE_URL'], $retSendFrm, $retSendTo, $MsgBody, $p_hb_env);
        } else {
          // ** USE AMAZON AWS SERVICE
          $msg_response = SendAwsSMS($retSendTo, $p_hb_env['orgname'], $MsgBody, true);
        }

    } elseif ($retSendHow == 'E') {
        // style the message for HTML email
        $MsgBody = "Code: $hcuAuth <br><br>";
        $MsgBody .= "Sent from {$p_hb_env['orgname']}<br><br>";
        $MsgBody .= "Secure Access Code expires in $timeExpire minutes.<br>";

        # send to the email address stored in the userrec
        // mail to the user
        $retSendFrm = GetCuEmailFrom($dbh, $userrec['cu']);
        $notify = new ErrorMail;
        $notify->header = "Content-type: text/html";
        $notify->mailto = $retSendTo;
        $notify->mailfromname = $MsgFromName;
        $notify->mailfrom = $retSendFrm;
        $notify->subject = $MsgSubj;
        $notify->msgbody = "$MsgBody";
        $notify->callingfunction = __FUNCTION__;
        $notify->file = __FILE__;
        $notify->cu = $userrec['cu'];

        $notify->SendMail();
        $msg_response = TRUE;
    } else {
        # error - invalid method
        $msg_response = FALSE;
    }
    return $msg_response;
}

function sendAdminAuthcode ($dbh, $Cu, $authResp, $retSendTo, $retSendHow) {

  // get the organization name
  $sql = "SELECT orgname FROM cuadmin WHERE cu = '$Cu'";
  $sth = db_query( $sql, $dbh );
  $orgName = db_fetch_array( $sth, 0 )[0];

  $MsgFromName = $orgName;
  $MsgSubj = trim($orgName) . " Authentication Request";

  // * get the current code
  $hcuAuth = $authResp['authcode'];
  $hcuExpires = $authResp['authexpires'];

  $timeExpire = round( ($authResp['authexpires'] - time()) / 60 );

  if ($retSendHow == 'sms') {
      // style the message for SMS
      $MsgBody = "Sent from {$orgName}\n\n";
      $MsgBody .= "Secure Access Code expires in $timeExpire minutes.\n";
      $MsgBody .= "Code: $hcuAuth";

      // Send a message to the user
      // ** Be sure to strip out just the number from the retSendto
      // Just to be certain strip out the potential + from prepended number
      $retSendTo = preg_replace('/^([\+]{0,1})(\d+)(\@.*)/', '$2', $retSendTo);

        // ** USE AMAZON AWS SERVICE
        $msg_response = SendAwsSMS($retSendTo, $orgName, $MsgBody, true);

  } elseif ($retSendHow == 'email') {
      // style the message for HTML email
      $MsgBody = "Sent from {$orgName}<br><br>";
      $MsgBody .= "Secure Access Code expires in $timeExpire minutes.<br>";
      $MsgBody .= "Code: $hcuAuth";

      # send to the email address stored in the userrec
      // mail to the user
      $retSendFrm = GetCuEmailFrom($dbh, $Cu);
      $notify = new ErrorMail;
      $notify->header = "Content-type: text/html";
      $notify->mailto = $retSendTo;
      $notify->mailfromname = $MsgFromName;
      $notify->mailfrom = $retSendFrm;
      $notify->subject = $MsgSubj;
      $notify->msgbody = "$MsgBody";
      $notify->callingfunction = __FUNCTION__;
      $notify->file = __FILE__;
      $notify->cu = $Cu;
      $notify->SendMail();
      $msg_response = TRUE;
  } else {
      # error - invalid method
      $msg_response = FALSE;
  }
  return $msg_response;
}

/**
 * GetUserContacts get user contact info, including email from {cu}user table
 * and phone numbers stored in {Cu}usercontact table
 * Only email / phone numbers that pass inspection via validateEmail and
 * hcuCheckPhone are included
 *
 * Also retrieves the 'from' email address and longcode from cuadmnotify. Use
 * longcode where role='txtbanking' and email where role='email_securitychgfrom'
 * @param integer $p_dbh   - Current Database handle
 * @param array $p_hb_env  - Current HB_ENV
 * @param array $userrec result of GetUserbyName or similar
 *
 * @return array contact list
 */
function GetUserContacts($p_dbh, $p_hb_env, $userrec) {
    $retList = array('EMAIL' => array(), 'SMS' => array(), 'Found' => 0, 'GotIt' => 0);
    # load email from {cu}user record
    if (trim($userrec['email']) > '' && validateEmail($userrec['email'])) {
        $key = HCU_PayloadEncode($p_hb_env['Cu'], array('E',trim($userrec['email'])), false);
        $retList['EMAIL'][$key] = hcuMaskEmail(trim($userrec['email']));
        $retList['Found']++;
    }
    # get phones from {cu}usercontact
    $sql = "select uc.phones from {$p_hb_env['Cu']}usercontact as uc "
    . "join {$p_hb_env['Cu']}user as cu_user on cu_user.contact = uc.contact_id "
    . "where cu_user.user_id = " . intval($userrec['user_id']) . ";";
    $sth = db_query($sql, $p_dbh);
    if (db_num_rows($sth) == 1) {
        list($phones) = db_fetch_array($sth, 0);
        if ($phones != "" && $phones != "[]") {
            $phones = HCU_JsonDecode($phones);
            if (is_array($phones)) {
                foreach ($phones as $phtype=>$phnum) {
                  /*
                   * phnum can be an array or a single value
                   *   This will need to be tolerant of both cases
                   */
                  if (is_array($phnum)) {
                    /* Array of Phone number for this type {mobile, home, work} */
                    for ($phIdx = 0; $phIdx < count($phnum); $phIdx++) {
                      if ($phnum[$phIdx] != "" && hcuCheckPhone($phnum[$phIdx])) {
                        $key = HCU_PayloadEncode($p_hb_env['Cu'], array('S',preg_replace('/\D/', '', $phnum[$phIdx])), false);
                        $retList['SMS'][$key] = hcuMaskPhone($phnum[$phIdx]);
                        $retList['Found']++;
                      }

                    }
                  } else {
                    /* Single phone number for this type */
                    if ($phnum != "" && hcuCheckPhone($phnum)) {
                      $key = HCU_PayloadEncode($p_hb_env['Cu'], array('S',preg_replace('/\D/', '', $phnum)), false);
                      $retList['SMS'][$key] = hcuMaskPhone($phnum);
                      $retList['Found']++;
                    }
                  }
                }
            }
        }
    }
    // * If we have a valid authcode, allow for 'I already have a code' feature
    $aryMfaQuest = HCU_JsonDecode($userrec['mfaquest']);
    $mbrMfaQuest = HCU_MFADecode($aryMfaQuest);
    if ( $mbrMfaQuest['authexpires'] >  (time() + 120)  && trim($mbrMfaQuest['authcode']) > '' ) {
        # if we have a code good for at least 2 more minutes, send the link
        $retList['GotIt'] = true;
    }
    return $retList;
}

/**
 * Returns a longcode for sending SMS.  Uses the cuadmnotify email saved for
 * txtbanking role, or picks random from HomeCU longcodes if cu setting is
 * not valid
 *
 * @param integer $dbh current database handle
 * @param string $cu
 * @return string longcode
 */
function GetCuSMSFrom($dbh, $cu) {

  $sendfrom = '';
  $sql = "SELECT trim(email) FROM cuadmnotify
          WHERE cu = '$cu' and role = 'txtbanking' ";

    $sth = db_query($sql, $dbh);

  if (db_num_rows($sth) == 1) {
    list($sendfrom) = db_fetch_array($sth,0);
  }

  $pattern = '/^[+]{0,1}[0-9]{1,12}$/';
  if (empty($sendfrom) || !preg_match($pattern, $sendfrom)) {
    # invalid long code - get one from longcode round-robin
    $LONGCODE_ROUNDROBIN = array('+12672458136', '+12082982149', '+16017142198', '+12082547302', '+16017142199', '+13306492200');

    $index = rand(0, sizeof($LONGCODE_ROUNDROBIN) - 1);
    $sendfrom = $LONGCODE_ROUNDROBIN[$index];

  }
  return $sendfrom;
}
/**
 * Returns an email return address.  Uses the cuadmnotify email saved for
 * securitychgfrom role, or noreply@homecu.com if cu setting is not valid
 *
 * Should probably also nag support@homecu.com or somebody at the cu
 * if using default, but not until I'm done testing...
 *
 * @param integer $dbh current database handle
 * @param string $cu
 * @return string email address
 */
function GetCuEmailFrom($dbh, $cu) {
  $sql = "SELECT trim(email) FROM cuadmnotify
          WHERE cu = '$cu' and role = 'securitychgfrom' ";

    $sth = db_query($sql, $dbh);
  if (db_num_rows($sth) == 1) {
    list($sendfrom) = db_fetch_array($sth,0);
  }
  if (trim($sendfrom) == '' || !validateEmail($sendfrom) ) {
    # set default - also nag support@homecu.com to fix it?
    $sendfrom = 'noreply@homecu.com';
  }
  return $sendfrom;
}

/**
 *
 * @param string $phone
 * @return boolean
 *
 * Checks if the given string, stripped of any non-digits, contains
 * exactly 10 characters
 */
function hcuCheckPhone($phone) {
    $retVal = TRUE;
    # strip punctuation
    $phone = preg_replace('/\D/', '', $phone);
    if (!is_numeric($phone) || $phone <= 0 || strlen($phone) != 10) {
        $retVal = FALSE;
    }
    return $retVal;
}
/**
 * Return the given string formatted as a phone number with only the last
 * 4 digits showing.  No validation is performed on the string phone number
 * Use hcuCheckPhone to verify it first
 *
 * @param string $phone
 * @return string masked phone number
 *
 */
function hcuMaskPhone($phone) {
    # strip punctuation & apply mask
    $phone = preg_replace('/\D/', '', $phone);
//    $phnum = substr($phnum, 0, 3) . "-" . substr($phnum, 3, 3) . "-" . substr($phnum, 6);
    $phone = "xxx-xxx-" . substr($phone, 6);

    return $phone;
}
/**
 * Return the given string with only the 1st and last characters showing before
 * the '@' with the rest of the string masked.
 * No validation is performed on the string email address - use validateEmail
 * to verify it first.
 *
 * @param string $email
 * @return string masked email
 */
function hcuMaskEmail($email) {
    $marker = strpos($email,'@');
    $retVal = substr_replace($email,str_repeat('.',$marker - 2), 1,$marker -2);

    /*
     * this method showed up to 3 char before the '@' and up to 3 char after '@'
     *
    if ($marker > 3 ) {
        $retVal = substr($email, 0, 3) . str_repeat('x',$marker - 3);
    } else {
        $retVal = substr($email,0,$marker);
    }
     */

    /*
     * the following leaves the dot in place - but I didn't like it
     * as much as I thought I would
     *
    $lastdot = strrpos($email,'.');
    if ($lastdot - $marker > 4) {
        $retVal .= substr($email, $marker, 4) . str_repeat('x',$lastdot - ($marker + 4));
    } else {
        $retVal .= substr($email, $marker, $lastdot - $marker);
    }
    $retVal .= '.' . str_repeat('x',strlen($email) - ($lastdot + 1));
     */

/*
 *
    if (strlen($email) > ($marker + 4) ) {
        $retVal .= substr($email, $marker, 4) . str_repeat('x',strlen($email) - ($marker + 4));
    } else {
        $retVal .= substr($email, $marker, 2) . str_repeat('x',strlen($email) - ($marker + 2));
    }
 */

    return $retVal;
}