1 <?php
2 /*
3  Name: hcu_login
4  Purpose: This will show the login page, allowing the user to
5  enter username and password, then use radius to authenticate
6  Date: 8/2006
7 */
8 
9 
// ** SERVER LOCATION OF MAIN SCRIPTS --- This will be MORK later on
$menu_link = "https://www.homecu.net/hcuadm";

// The shared library sits one directory above this script.
$monLibrary = __DIR__ . "/../library";
require_once("$monLibrary/cu_top.i");

// Request parameters dms_import() is allowed to pull into scope
// (register-globals style: $username, $user_password, $btnLogin), each with
// the type it is coerced to.
$dms_ok = array(
    'username'      => 'string',
    'user_password' => 'string',
    'btnLogin'      => 'string',
);
dms_import($dms_ok);

// Failed-login budget; the VALIDATE step writes it back into
// dmsmonitorusers.failedremain on a good login and on a fresh account.
$default_retries = 5;
23 
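// The Tx_hURI cookie is set in ck_hticket cookie check. It tells where to go
// after successful login.
//
// A cookie is client-controlled, so the value is only honoured when it points
// at this site (see hcu_safe_return_address); anything else falls back to the
// main-scripts location. Without that check a planted cookie turns the
// post-login redirect into an open redirect.
$fallback_address = isset($menu_link) ? $menu_link : '';
$allowed_hosts = array();
if (!empty($_SERVER['HTTP_HOST'])) {
    // HTTP_HOST may carry a port; absolute URLs are compared on host only.
    $allowed_hosts[] = preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST']);
}
$fallback_host = parse_url($fallback_address, PHP_URL_HOST);
if (!empty($fallback_host)) {
    $allowed_hosts[] = $fallback_host;
}
$return_address = hcu_safe_return_address(
    isset($_COOKIE['Tx_hURI']) ? urldecode($_COOKIE['Tx_hURI']) : '',
    $fallback_address,
    $allowed_hosts
);

// Client address, kept for the spoofing check that runs later in the session.
// Only REMOTE_ADDR is used: X-Forwarded-For is supplied by the client and is
// only trustworthy when a proxy this server trusts rewrites it.
$ip_address = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

// The submit button only arrives with a posted form, so it selects the mode.
if (isset($btnLogin)) {
    $mode = "VALIDATE";
} else {
    $mode = "LOGIN";
}

$err_string = "";
$tas_no = "";

/**
 * Return $candidate when it is a safe post-login redirect target, else $fallback.
 *
 * Accepted: a site-relative path with a single leading "/" (so neither
 * "//host/…" nor "/\host/…", which browsers read as protocol-relative), or an
 * absolute http(s) URL whose host is one of $allowed_hosts (compared
 * case-insensitively, exact match). Anything else — empty, another scheme such
 * as javascript:, another host, a bare relative name — yields $fallback.
 *
 * @param string   $candidate     decoded Tx_hURI cookie value
 * @param string   $fallback      address used when $candidate is rejected
 * @param string[] $allowed_hosts hosts an absolute URL may point at
 * @return string
 */
function hcu_safe_return_address($candidate, $fallback, $allowed_hosts = array())
{
    $candidate = trim((string) $candidate);
    if ($candidate === '') {
        return $fallback;
    }

    if ($candidate[0] === '/') {
        // "/x" is same-site; "//x" and "/\x" are not.
        $second = isset($candidate[1]) ? $candidate[1] : '';
        return ($second === '/' || $second === '\\') ? $fallback : $candidate;
    }

    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $fallback;
    }

    // parse_url already separated any "user@" prefix, so "good.com@evil.com"
    // compares on evil.com here.
    $host = strtolower($parts['host']);
    foreach ($allowed_hosts as $allowed) {
        if (strtolower((string) $allowed) === $host) {
            return $candidate;
        }
    }
    return $fallback;
}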
43  // ** FIRST CHECK VALIDATION
44 
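if ($mode == "VALIDATE") {

    // Look the user up by name. prep_save() is the project's escape-and-
    // truncate helper (12 = column width) and db_query() takes a finished
    // statement, so the literal is assembled here. If the db layer ever
    // exposes bound parameters this lookup should move to them.
    $sql = "SELECT user_name, passwd, ip_range, allowed_scripts, forcechange, failedremain, forceremain
            FROM dmsmonitorusers
            WHERE user_name = '" . prep_save($username, 12) . "' ";

    $user_rs = db_query($sql, $link);

    // A failed query is handled exactly like an unknown user; the false handle
    // is never passed on to db_fetch_array() / db_free_result().
    $user_row = $user_rs ? db_fetch_array($user_rs) : false;

    if (!$user_row) {
        // Same message as for a wrong password so the form does not confirm
        // which usernames exist. (This path answers faster because no
        // password_verify() runs; a fixed dummy verify would even that out.)
        $err_string = "Invalid Username or Password";
    } else {
        list($db_username, $saved_passwd, $db_ip_range,
             $db_allowed_scripts, $db_forcechg, $db_failr, $db_forcer) = $user_row;

        // passwd is a blank-padded column; strip the padding before verifying.
        $saved_passwd = preg_replace("/ +$/", "", $saved_passwd);

        // NULL failedremain means "never failed" (the UPDATE below seeds it from
        // $default_retries), not "locked", so it is excluded explicitly.
        $retries_exhausted = ($db_failr !== null && (int) $db_failr <= 0);
        $force_grace_over  = ($db_forcechg == 'Y' && $db_forcer <= 0);

        $supplied = isset($user_password) ? (string) $user_password : '';

        if (!password_verify($supplied, $saved_passwd)) {
            $err_string = "Invalid Username or Password";

            // ** Update the failed retry limit -- and the last failed login attempt date
            $sql = "UPDATE dmsmonitorusers
                    SET failedremain =
                        CASE WHEN failedremain > 0 THEN failedremain - 1
                             WHEN failedremain is null THEN ({$default_retries} -1)
                             ELSE failedremain
                        END,
                        failedlogin = to_char(now(),'YYYY/MM/DD HH24:MI:SS')
                    WHERE user_name = '" . prep_save($username, 12) . "' ";
            db_query($sql, $link);

            // This failure used the last retry (1 -> 0), or the account was
            // already out of retries / past its forced-change grace: report
            // the lock rather than "invalid".
            if (($db_failr !== null && (int) $db_failr <= 1) || $force_grace_over) {
                $err_string = "Account is Locked";
            }
        } elseif ($retries_exhausted) {
            // Correct password on an account whose retries are used up. This
            // branch did not exist before: a correct password reset the counter
            // and logged the user in, so the lockout never actually stopped
            // anything. Getting out of this state needs an operator to reset
            // failedremain (presumably via the user admin screen, hcuusers.prg).
            // An expired forced-change grace is not treated as a lock here; it
            // is routed to the password-change screen by DMSBakeCookie.
            $err_string = "Account is Locked";
        } else {
            // ** Successful --- make sure to record a good login
            $sql = "UPDATE dmsmonitorusers
                    SET
                        failedremain = '{$default_retries}',
                        priorlogin = lastlogin,
                        lastlogin = to_char(now(),'YYYY/MM/DD HH24:MI:SS')
                    WHERE user_name = '" . prep_save($username, 12) . "' ";
            db_query($sql, $link);
        }
    }

    if ($user_rs) {
        db_free_result($user_rs);
    }

    if ($err_string == "") {
        // ** Bake the Cookie!!!
        DMSBakeCookie($username, $db_forcechg, '');
        header("Location: " . $GLOBALS['return_address']);
        exit;
    } else {
        $mode = "LOGIN"; // back to the form so the user has to re-enter everything
    }
}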
124 
125 
126 
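// ** IF VALIDATION FAILED OR REGULAR LOGIN, then SHOW LOGIN SCREEN
if ($mode == "LOGIN") {
    cu_header("HomeCU Monitor Login");
    print "<LINK REL=stylesheet HREF=\"/monitor/css/monitor.css\" TYPE=\"text/css\">";

    // $err_string only ever holds the fixed messages set above, but it is
    // interpolated into markup, so escape it regardless: any future message
    // that echoes request data would otherwise become a reflected-XSS sink.
    $err_html = htmlspecialchars($err_string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    print <<<EOF



<br><br><br><br>

<CENTER>
<FONT SIZE=+1 COLOR="#FF0000">$err_html</FONT>
<FORM NAME="login" ACTION="hcu_login.prg" METHOD="post">

<table cellpadding="3" cellspacing="0" border="0" width="300" class='dmsbg'><tr><td>
<table cellpadding="1" cellspacing="0" border="0" width="100%" bgcolor="white">
<tr>
<td colspan="2" class="bar" align="center">
HomeCU Monitor Login
</td>
</tr>
<tr>
<td nowrap align="right" class="hdr">
Username:
</td>
<td nowrap class='dtl'>
<input type="text" name="username" size="15" maxlength="12" value="">
</td>
</tr>
<tr>
<td nowrap align="right" class="hdr">
Password:
</td>
<td nowrap class='dtl'>
<input type="password" name="user_password" size="10" maxlength="12">
</td>
</tr>
<tr>
<td class='dtl'>&nbsp;</td>
<td nowrap class='dtl'>
<input type="submit" name="btnLogin" Value="Login">
</td>
</tr>
</table>
</td></tr>
</table>
<script language="javascript">
<!--
function field_focus() {
self.focus();
document.login.username.focus();
}
window.onload = field_focus;
// -->
</script>
</FORM>
EOF;
}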
185 
186 
187 
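/**
 * Issue the HCUTicket cookie for a freshly authenticated user and redirect.
 *
 * The ticket is "Ctime=<issued>&Hu=<user>&Ch=<hash>&Ce=<expires>&Clu=<lastupdate>"
 * with Ch = md5(secret . md5("secret:issued:expires:user:lastupdate")). That
 * layout is what ck_hticket checks on every request, so it cannot be changed
 * here on its own.
 *
 * NOTE(review): the ticket secret is a literal in this file and the tag is an
 * unkeyed MD5-of-MD5. Moving the secret to configuration and switching to
 * hash_hmac('sha256', ...) verified with hash_equals() in ck_hticket is the
 * fix; both sides must change together (every live ticket is invalidated).
 *
 * @param string $username   login name as entered; also stored in the ticket
 * @param string $fchange    dmsmonitorusers.forcechange; "Y" sends the user to
 *                           the password-change screen instead of Tx_hURI
 * @param string $lastupdate value stored in the Clu field (this file passes '')
 * @return void  never returns normally: both branches end in exit
 */
function DMSBakeCookie($username, $fchange, $lastupdate)
{
    global $SYSENV;
    global $menu_link;   // needed for the forcechange redirect below; it was not declared before

    $secret = 'xoiilh6RFoogeMb4';

    $now     = time();
    $expires = $now + (86400 * 30);   // 30-day ticket lifetime

    $hash = md5($secret . md5(implode(':', array($secret, $now, $expires, $username, $lastupdate))));

    // apache_note sets variables for the web server logging process. They are
    // used later to split the logs by credit union. Not needed elsewhere.
    apache_note("user_name", "M:{$username}");

    // NOTE(review): the fields are not URL-encoded, so a username containing
    // '&' or '=' would not round-trip through the ticket parser; the 12-char
    // cap upstream does not exclude those characters. Encoding here needs the
    // matching decode in ck_hticket.
    $mycookie = "Ctime=$now&Hu=$username&Ch=$hash&Ce=$expires&Clu=$lastupdate";

    // finally set the cookie, then redirect the browser
    HCU_setcookie_env($SYSENV, "HCUTicket", "$mycookie", 0);

    if ($fchange == "Y") {
        // ** Force them to the main user screen to change their password.
        // A full "Location:" header is required; the "/" separates $menu_link
        // (no trailing slash) from the script name.
        header("Location: " . $menu_link . "/hcuusers.prg?act=1&un=" . urlencode($username));
    } else {
        // No output may precede this header (a leftover debug echo here would
        // trigger "headers already sent" without output buffering).
        header("Location: " . $GLOBALS['return_address']);
    }
    // Stop here in both cases so the caller's own redirect never overrides
    // the password-change one.
    exit;
}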
233 
234 ?>