1 <?php
/* This file does the user maintenance.
 * Goal is to have it do the user maintenance/settings.
 * The difference will be how it is called...
 * Options are {
 * newuser - This is a new user; they will need to set up all their user
 *   credentials. They have already saved -- an error with the email
 *   already existing should go back to the main screen... I like that.
 *   Otherwise, the new user will see a form similar to the security
 *   form: security questions, confidence word.
 * newmiruser - This is a new MIR-authenticated user. The new user will
 *   just need security questions and confidence word.
 * confirmuser - This has the potential of two things; there are two levels:
 *   Confirm identity of computer -- check if a cookie exists for this
 *   computer; if not, we challenge them.
 *   Confirm password -- once we know the computer is recognized we
 *   will authenticate the password and show them their confidence
 *   word.
 * modifyuser - This will be the security section for the user; it will allow
 *   the user to change security questions/password/confidence word.
 * }
 */
23 
24 
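// Which panels the settings form shows for this entry point. Every key the
// save path reads ('PASSWORD', 'EMAIL', 'SECURITY', 'CONFIDENCE') is initialised
// here, so an unrecognised $form_code leaves all panels hidden instead of
// tripping an undefined-index notice on 'EMAIL' later on.
$SHOW_SETTINGS = Array('PASSWORD' => 0, 'EMAIL' => 0, 'SECURITY' => 0, 'CONFIDENCE' => 0);
$SHOW_SETTINGS_TOTAL_SECURITY = 3; // number of challenge question/answer pairs collected
// * SET SHOW_SETTINGS FOR EACH TYPE
switch ($form_code) {
    case "newuser":
    case "newmiruser":
    case "confirmuser":
        // first-time and device-confirmation flows only collect the
        // challenge questions and the confidence word
        $SHOW_SETTINGS['PASSWORD'] = 0;
        $SHOW_SETTINGS['EMAIL'] = 0;
        $SHOW_SETTINGS['SECURITY'] = 1;
        $SHOW_SETTINGS['CONFIDENCE'] = 1;
        break;
    case "modifyuser":
        // the self-service security page exposes every panel
        $SHOW_SETTINGS['PASSWORD'] = 1;
        $SHOW_SETTINGS['EMAIL'] = 1;
        $SHOW_SETTINGS['SECURITY'] = 1;
        $SHOW_SETTINGS['CONFIDENCE'] = 1;
        break;
}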
49 
// ** Selectors passed to ReturnUserRecord() below, plus its refresh flag
define("LOCAL_USER_QUERY_SRC_USERID", 1);   // first argument when the lookup key is the userid
define("LOCAL_USER_QUERY_SRC_EMAIL", 0);    // first argument when the lookup key is the email address
define("REFRESH_USER_DATA", true);          // third argument used to re-read the row after it was updated

// ** Accumulators filled in by the validation / save path further down
$SQL_FIELDS_UPDATE = "";            // ", "-separated "col = 'val'" fragments for the user UPDATE
$SQL_FIELDS_UPDATE_SECURITY = "";   // INSERT statements for the challenge-question rows
$FORM_VALIDATION_ERROR = "";        // HTML <li> fragments; the empty string means "no error so far"
$JSON_FormPopulate = "";            // "field: 'value'" pairs used to re-populate the form after a post

// * There is an exception when flowing from the device authentication to the user
// * The device cookie is NOT set, however, I will cause a loop if I send back to the
// * intro screen.. this value will be set to true when the device cookie was just set and assumed true
$form_validated_device = false;
/* ** LOAD An array with the Challenge Questions, keyed by quest_id */
$DMSAPP_QuestMaster_Ary = array();
// ** Load and populate value for the challenge questions (en_US rows, ordered by their text)
$sql = "SELECT * FROM cuquestmaster WHERE quest_lang = 'en_US' ORDER BY quest_text ";
$qst_rs = db_query($sql, $dbh);
$qst_cnt = 0;
for (;;) {
    // rows are fetched by index; the counter advances on every call, including the final empty one
    $qst_row = db_fetch_array($qst_rs, $qst_cnt);
    $qst_cnt++;
    if (!$qst_row) {
        break;
    }
    // disp_text() is relied on to make the question text safe for output
    $DMSAPP_QuestMaster_Ary[$qst_row['quest_id']] = disp_text($qst_row['quest_text']);
}
db_free_result($qst_rs);
72 
// ** savesettings is posted by the modifyuser security page OR by newuser during the first save.
// ** This branch validates every visible panel, accumulates the UPDATE/INSERT text, and on
// ** success writes the row, sets the device cookie and redirects to the portal.
if (isset($_POST['savesettings']) && isset($_POST['form_key'])) {

    $user_sql_where = "";
    // ** IF DMS_CURRENTUSERID is NOT SET && form_key "isset" then I want to decrypt this value -- this will be userid
    // NOTE(review): when no session user id is present, the decrypted form_key is the only thing
    // binding this POST to a user row, so whether decrypt()/$MasterKey (defined elsewhere) rejects
    // tampered ciphertext decides whether a client could pick the userid -- confirm.
    // (the inner isset() repeats the outer condition and is always true here)
    if ($DMSAPP_CURRENTUSERID == "" && isset($_POST['form_key'])) {
        $l_user = decrypt($_POST['form_key'], $MasterKey);

        // loose == against intval(): accepts any numeric-looking string, leading whitespace included
        if ($l_user == intval($l_user)) {
            // ** ALL GOOD SET THE CURRENT USER
            $DMSAPP_CURRENTUSERID = $l_user;
        } else {
            // the error is recorded but execution continues below with an empty user id
            $FORM_VALIDATION_ERROR = "An error occurred.";
        }
    }

    // ** LOAD CURRENT RECORD
    $user_row = ReturnUserRecord(LOCAL_USER_QUERY_SRC_USERID, $DMSAPP_CURRENTUSERID);

    // ** Save FORM FIRST
    // ** Save Settings
    // * Validate the entries HERE
    // ** CHECK EMAIL FIELD
    $upd_email = false; // When this is true, there is a where exists that will get added onto the update clause
                        // (never set to true in this file; $user_sql_where carries the NOT EXISTS clause instead)
    if ($SHOW_SETTINGS['EMAIL']) {
        // ** Check to see if the email is different..
        if (trim(strtolower($_POST['chg_email'])) != trim(strtolower($user_row['email']))) {
            // ** The email is different make sure it is NOT already used
            // SQL is built by concatenation; save_text() is relied on for quoting/escaping and the
            // 50 is presumably a length cap -- confirm against save_text's definition
            $sql = "SELECT count(*) FROM {$DB_TABLE_PREFIX}user where email = '" . save_text(strtolower($_POST['chg_email']), 50) . "' AND cu = '" . save_text($DMSAPP_CURRENTCUCODE) . "' AND coalesce(userlogintype, '') <> 'H' ";

            $email_rs = db_query($sql, $dbh);
            list ($email_row_count) = db_fetch_row($email_rs);
            if ($email_row_count > 0 ) {
                // * email already used
                $FORM_VALIDATION_ERROR .= "<li>The email you entered has already been used.</li>";
            }
            if ($FORM_VALIDATION_ERROR == "") {
                // OKAY TO UPDATE THE FIELDS
                $SQL_FIELDS_UPDATE .= ($SQL_FIELDS_UPDATE == "" ? "" : ", ") . " email = '" . save_text(strtolower($_POST['chg_email']), 50) . "' ";
                // the NOT EXISTS clause re-checks uniqueness inside the UPDATE itself, so an insert
                // racing between the count above and the write cannot produce a duplicate email
                $user_sql_where = " AND NOT EXISTS (SELECT * FROM {$DB_TABLE_PREFIX}user WHERE email = '" . save_text(strtolower($_POST['chg_email']), 50) . "' AND cu = '" . save_text($DMSAPP_CURRENTCUCODE) . "' AND coalesce(userlogintype, '') <> 'H') ";
            }

        }
        // echo the posted value back for re-population; disp_text() is relied on for escaping
        $JSON_FormPopulate .= ($JSON_FormPopulate != '' ? ", " : "") . "'chg_email':'" . disp_text($_POST['chg_email']) . "' ";
    }

    // * Validate Password
    if ($SHOW_SETTINGS['PASSWORD']) {

        // NEW Passwords are entered, then they must match
        // (leaving both new-password fields blank skips this section: no password change)
        if (strlen($_POST['chg_pwd_new']) > 0 || strlen($_POST['chg_pwd_conf']) > 0) {

            if ($_POST['chg_pwd_new'] <> $_POST['chg_pwd_conf']) {
                // ** PWD ERROR -- DO NOT MATCH
                $FORM_VALIDATION_ERROR .= "<li>The new passwords do not match.</li>";
            }
            // ** Need to make sure the CURRENT PASSWORD IS CORRECT
            // re-authentication before a password change: the caller's session alone is not trusted
            if ($_POST['chg_pwd_old'] == '') {
                // NOTE(review): message reads "must entered" -- a wording fix belongs in a code change
                $FORM_VALIDATION_ERROR .= "<li>The current password must entered to make changes.</li>";
            } else {

                // an empty stored hash is treated as "never set" and fails closed
                if (trim($user_row['pwd']) == '' || !password_verify(trim($_POST['chg_pwd_old']), trim($user_row['pwd']))) {
                    $FORM_VALIDATION_ERROR .= "<li>The current password is not correct.</li>";
                } else {
                    // validate the password
                    $mpmsg = "";
                    $passwordNew = $_POST['chg_pwd_new'];

                    // complexity rules come from the configPassword JSON when present, else these
                    // defaults (the same rule table is rebuilt twice more further down this file)
                    if (key_exists("configPassword", $configOptions)) {
                        $pwdRules = json_decode($configOptions['configPassword'], true);
                    } else {
                        $pwdRules["len"] = 8;
                        $pwdRules["upper"] = 1;
                        $pwdRules["lower"] = 1;
                        $pwdRules["spec"] = 0;
                        $pwdRules["digit"] = 1;
                    }

                    if ( strlen($passwordNew) < $pwdRules["len"] ) {
                        $mpmsg .= "Password is too short<br>";
                    }
                    // the 20-byte ceiling is hard-coded here, not read from $pwdRules
                    if ( strlen($passwordNew) > 20 ) {
                        $mpmsg .= "Password is too long<br>";
                    }
                    $numDigitCount = 0;
                    $numUpperCharCount = 0;
                    $numLowerCharCount = 0;
                    $numSpecialCharCount = 0;
                    $notAllowedCount = 0;
                    // byte-wise classification (strlen/substr); multibyte characters count per byte
                    for ( $i = 0; $i < strlen( $passwordNew ); $i++ )
                    {
                        $ch = substr( $passwordNew, $i, 1 );
                        if ($ch >= '0' && $ch <= '9') { $numDigitCount++; }
                        else if ($ch >= 'A' && $ch <= 'Z') { $numUpperCharCount++; }
                        else if ($ch >= 'a' && $ch <= 'z') { $numLowerCharCount++; }
                        // NOTE(review): strpos() returns false when the byte is absent and false >= 0
                        // is true, so every non-alphanumeric byte is counted as "special" and
                        // $notAllowedCount never increments; `strpos(...) !== false` is the intended
                        // test. $passSpecial is also not assigned in this branch (the newuser branch
                        // later in this file fills it from Get_PwdSpecialCharacters()) unless an
                        // earlier include sets it -- confirm.
                        else if ( $ch != ',' && strpos( $passSpecial, $ch ) >= 0 ) { $numSpecialCharCount++; }
                        else { $notAllowedCount++; }
                    }
                    if ( $pwdRules["upper"] > 0 && $numUpperCharCount < $pwdRules["upper"] )
                    {
                        $plural = $pwdRules["upper"] > 1 ? 's' : '';
                        $mpmsg .= "Need at least {$pwdRules["upper"]} UPPER CASE letter$plural<br>";
                    }
                    if ( $pwdRules["lower"] > 0 && $numLowerCharCount < $pwdRules["lower"] )
                    {
                        $plural = $pwdRules["lower"] > 1 ? 's' : '';
                        $mpmsg .= "Need at least {$pwdRules["lower"]} lower case letter$plural<br>";
                    }
                    if ( $pwdRules["spec"] > 0 && $numSpecialCharCount < $pwdRules["spec"] )
                    {
                        $plural = $pwdRules["spec"] > 1 ? 's' : '';
                        $mpmsg .= "Need at least {$pwdRules["spec"]} special character$plural<br>";
                    }
                    if ( $pwdRules["digit"] > 0 && $numDigitCount < $pwdRules["digit"] )
                    {
                        $plural = $pwdRules["digit"] > 1 ? 's' : '';
                        $mpmsg .= "Need at least {$pwdRules["digit"]} digit$plural<br>";
                    }

                    if ( strlen( $mpmsg ) > 0 ) {
                        $FORM_VALIDATION_ERROR .= $mpmsg;
                    }
                }
            }

            // ** ONLY SET THE PWD FIELD IF PWD INFO IS ENTERED
            if ($FORM_VALIDATION_ERROR == "") {
                // OKAY TO UPDATE THE FIELDS
                // stored as a password_hash(PASSWORD_DEFAULT) digest; chg_pwd_conf equals chg_pwd_new here
                $SQL_FIELDS_UPDATE .= ($SQL_FIELDS_UPDATE == "" ? "" : ", ") . " pwd = '" . password_hash($_POST['chg_pwd_conf'], PASSWORD_DEFAULT) . "' ";
            }
        }

    }

    // * Validate Security
    $user_auto_set_pwd = 0; // ** THIS SHOULD ONLY BE SET when it is the
                            // ** FIRST TIME IN and the user just SET their challenge
                            // * words.. this prevents a double login that was occurring
    if ($SHOW_SETTINGS['SECURITY']) {
        // * Be sure none of the entries match..
        // * Be sure there are answers for each
        $selected_questid = "";   // ":id:" tokens of the questions chosen so far, for duplicate detection

        if ($form_code == 'confirmuser' || $form_code == 'newuser' || $form_code == "newmiruser" ) {
            // ** I want to verify if they have already saved challenge questions..
            // * if not, then I want to establish the password cookie here...
            // ** NOW CHECK TO SEE IF THEY HAVE QUESTIONS ENTERED
            // the userid is interpolated unescaped; it comes from the loaded row, not from the request
            $sql = "SELECT COUNT(u_qs.userid) as quest_select
                    FROM {$DB_TABLE_PREFIX}user_questselect as u_qs
                    WHERE u_qs.userid = " . $user_row['userid'];
            $cnt_rs = db_query($sql, $dbh);
            $cnt_row = db_fetch_assoc($cnt_rs);

            if ($cnt_row['quest_select'] == 0) {
                // * SET THE PASSWORD COOKIE
                $user_auto_set_pwd = 1;
            }
        }

        for ($idx = 0; $idx < $SHOW_SETTINGS_TOTAL_SECURITY; $idx++) {

            $fld_quest = "chg_qst_$idx";
            $fld_resp = "chg_resp_$idx";
            // * Validate the question ID SELECTED
            // NOTE(review): the posted id is only intval()'d, never checked against the
            // $DMSAPP_QuestMaster_Ary loaded above, so any integer is accepted as a question id
            if (strlen($_POST[$fld_quest]) == 0) {
                // Question NOT selected
                $FORM_VALIDATION_ERROR .= "<li>A challenge question must be select for question " . ($idx + 1) . ".</li>";
            } else {
                // * be sure they don't double select questions

                if (strstr($selected_questid, ":" . intval($_POST[$fld_quest]) . ":")) {
                    // * QUESTION already selected
                    $FORM_VALIDATION_ERROR .= "<li>The challenge question for question " . ($idx + 1) . " has already been used.</li>";
                } else {
                    $selected_questid .= ":" . intval($_POST[$fld_quest]) . ":";
                }
            }
            // * Validate the answer
            if (strlen($_POST[$fld_resp]) == 0) {
                // ** ERROR -- Response was NOT entered for this question
                $FORM_VALIDATION_ERROR .= "<li>A response must be entered for question " . ($idx + 1) . "</li>";
            }

            if ($FORM_VALIDATION_ERROR == "") {
                // the answer is stored as entered (save_text only); the confirmuser branch below
                // compares it to the posted response with a trimmed, lower-cased ==
                $SQL_FIELDS_UPDATE_SECURITY .= "INSERT INTO {$DB_TABLE_PREFIX}user_questselect (userid, questid, user_answer) VALUES ('" . intval($DMSAPP_CURRENTUSERID) . "', " . intval($_POST[$fld_quest]) . ", '" . save_text($_POST[$fld_resp]) . "'); ";
            }
            $JSON_FormPopulate .= ($JSON_FormPopulate != "" ? ", " : "") . "$fld_quest: '" . disp_text($_POST[$fld_quest], true) . "', $fld_resp: '" . disp_text($_POST[$fld_resp], true) . "' ";
        }
    }
    // * Validate Confidence
    if ($SHOW_SETTINGS['CONFIDENCE']) {

        if (strlen($_POST['app_confword']) == 0) {
            // * Confidence word is empty
            $FORM_VALIDATION_ERROR .= "<li>A confidence word must be entered to continue.</li>";
        }
        if ($FORM_VALIDATION_ERROR == "") {
            // OKAY TO UPDATE THE FIELDS
            $SQL_FIELDS_UPDATE .= ($SQL_FIELDS_UPDATE == "" ? "" : ", ") . " confidenceword = '" . save_text($_POST['app_confword']) . "' ";
        }
        $JSON_FormPopulate .= ($JSON_FormPopulate != "" ? ", " : "") . "app_confword: '" . disp_text($_POST['app_confword'], true) . "' ";
    }

    $user_sql_update = "";
    if ($FORM_VALIDATION_ERROR == "") {

        // ** UPDATE THE ASSOCIATED USER TABLES
        if (strlen($SQL_FIELDS_UPDATE) > 0) {
            $user_sql_update .= "UPDATE {$DB_TABLE_PREFIX}user
                                 SET $SQL_FIELDS_UPDATE
                                 WHERE userid = " . intval($DMSAPP_CURRENTUSERID) . "
                                 $user_sql_where; ";
        }
        if (strlen($SQL_FIELDS_UPDATE_SECURITY) > 0) {
            // replace-all: the existing question rows are deleted, then the new ones inserted
            $user_sql_update .= " DELETE FROM {$DB_TABLE_PREFIX}user_questselect WHERE userid = '" . intval($DMSAPP_CURRENTUSERID) . "'; " . $SQL_FIELDS_UPDATE_SECURITY;
        }


        if ($user_sql_update != "") {
            // ** SEND THE Query to the database
            // several ';'-separated statements go to one db_query() call; this presumes the driver
            // accepts multi-statement text and, ideally, runs it atomically -- confirm
            $upd_rs = db_query($user_sql_update, $dbh);
            // NOTE(review): only the result handle is tested, not the affected-row count, so an
            // UPDATE filtered out by the NOT EXISTS email guard still reaches the success redirect
            if ($upd_rs) {
                // ** SUCCESS
                // * GO TO MAIN SCREEN

                // SET THE DEVICE COOKIE

                // ** NEED TO GET THE EMAIL FROM THE USER RECORD
                // (re-read after the write so the cookie reflects the stored values)
                $user_row = ReturnUserRecord(LOCAL_USER_QUERY_SRC_USERID, $DMSAPP_CURRENTUSERID, REFRESH_USER_DATA);

                // $DMSAPP_LOGINTYPE comes from AppMain but might not be set up, so use what is in the user row
                $loginType = $user_row["userlogintype"];
                $user_device_cookiename = ReturnDeviceCookieName($DMSAPP_CURRENTCUCODE, $loginType, trim($user_row['email']), $user_row['userid']);
                // the device cookie value is a digest of the stored hash, email, confidence word and
                // banking id prefixed with the app secret, so changing any of them invalidates
                // remembered devices.
                // NOTE(review): this is an unkeyed sha1 over secret-prefixed data; hash_hmac() is the
                // conventional construction -- a change must be coordinated with whatever validates the cookie
                $setCookieVal = sha1($DMSAPP_SECRET_KEY . trim($user_row['pwd']) . trim($user_row['email']) . trim($user_row['confidenceword']) . trim($user_row['banking_user_id']));

                // not sure if chksecure is available so set to be a session unless explicitly asked
                // (a missing chksecure field also yields a session cookie, since null != "Y")
                $pSessionCookie = $_POST["chksecure"] != "Y";
                SetLnappDeviceCookie($HB_ENV, $user_device_cookiename, $setCookieVal, $pSessionCookie);

                if ($user_auto_set_pwd == 1) {
                    // first-time setup: issue the login cookie here so the user is not asked to log in twice
                    DMSAppSetCookie($HB_ENV, $user_row['userid'], $loginType);
                }

                $set_desc = "User settings successfully updated.";
                header("Location: {$self}f=portal&msg=" . urlencode($set_desc));
                exit;

            } else {
                // ** FAILURE
                // ** ERROR POSTING -- Reload the same form
                // (in practice a bare message is printed and the script exits; nothing is reloaded)
                $error_save_form = " ERROR Saving";
                print $error_save_form;
                exit;
            }
        }
    } else {
        // ** ERRORS EXISTED -- Reload requested form and print error information at the top
        $error_save_form = " ERROR Saving -- validation";
    }
} else if($form_code == "confirmuser") {
    // ** Device confirmation (challenge answer) and password confirmation for a returning user.
    // ** Both sub-steps look the user up by the posted email and then fall through to the form.

    $user_failedloginattempts = 0;
    if (isset($_POST['confchallenge'])) {
        // -- We are confirming the Challenge Question -- DEVICE COOKIE
        // * WE are Confirming the User -- LOAD user record
        $user_row = ReturnUserRecord(LOCAL_USER_QUERY_SRC_EMAIL, strtolower($_POST['loginemail']));

        // NOTE(review): this index read happens before the isset($user_row) test below, so a
        // not-found result is dereferenced first; whether ReturnUserRecord() can return null/false
        // (which is what would make the "not found" branch reachable) is not visible here
        $user_failedloginattempts = intval($user_row['failedloginattempts']);
        if (isset($user_row)) {
            // * Check the response
            // the answer row is selected via the question id the intro screen stored in challenge_quest_id
            $sql = "SELECT user_answer
                    FROM {$DB_TABLE_PREFIX}user_questselect as u_qs
                    JOIN {$DB_TABLE_PREFIX}user as u on u.challenge_quest_id = u_qs.questid and u.userid = u_qs.userid
                    WHERE u.email = '" . save_text(strtolower($_POST['loginemail']), 50) . "'
                    AND u.cu = '" . save_text($DMSAPP_CURRENTCUCODE) . "'
                    AND coalesce(userlogintype, '') <> 'H' ";
            $valid_rs = db_query($sql, $dbh);

            $valid_row = db_fetch_array($valid_rs);

            // NOTE(review): loose == between two strings compares numerically when both look
            // numeric ("10" == "1e1" is true); === after the trim/strtolower is the safer form.
            // The comparison is also not constant-time, unlike password_verify().
            if (trim(strtolower($valid_row['user_answer'])) == trim(strtolower($_POST['chg_resp']))) {

                // ** Lookup the user and get the question
                $user_device_cookiename = ReturnDeviceCookieName($DMSAPP_CURRENTCUCODE, DMSAPP_CONST_APP_LOGIN, trim(strtolower($_POST['loginemail'])), $user_row['userid']);

                // same digest construction as in the savesettings branch above
                $setCookieVal = sha1($DMSAPP_SECRET_KEY . trim($user_row['pwd']) . trim($user_row['email']) . trim($user_row['confidenceword']) . trim($user_row['banking_user_id']));

                $pSessionCookie = $_POST["chksecure"] != "Y";

                SetLnappDeviceCookie($HB_ENV, $user_device_cookiename, $setCookieVal, $pSessionCookie);


                // ** values match
                // * reset the challenge question id
                // -1 makes the answered question single-use; the intro screen has to pick a new one
                $sql = "UPDATE {$DB_TABLE_PREFIX}user
                        SET challenge_quest_id = -1
                        WHERE email = '" . save_text(strtolower($_POST['loginemail']), 50) . "'
                        AND cu = '" . save_text($DMSAPP_CURRENTCUCODE) . "'
                        AND coalesce(userlogintype, '') <> 'H' ";
                $upd_rs = db_query($sql, $dbh);

                // header("Location: {$self}f=confirmuser");
                // exit;
                // ** FALL BACK THROUGH THIS CODE TO ALLOW USER TO ENTER PASSWORD
                $form_validated_device = true;
            } else {
                // * VALUES DO NOT MATCH
                // * Update the number of failed logins
                $sql = "UPDATE {$DB_TABLE_PREFIX}user
                        SET failedloginattempts = COALESCE(failedloginattempts, 0) + 1
                        WHERE email = '" . save_text(strtolower($_POST['loginemail']), 50) . "'
                        AND cu = '" . save_text($DMSAPP_CURRENTCUCODE) . "'
                        AND coalesce(userlogintype, '') <> 'H' ";
                $upd_rs = db_query($sql, $dbh);

                $user_failedloginattempts += 1;
                // * challenge answer mismatch
                $FORM_VALIDATION_ERROR .= "Your answer did not match the answer on record for this question.";

            }
        } else {
            $FORM_VALIDATION_ERROR .= "The user record was not found.";
        }
        // ** fall through to regular code -- this should then inquire for user password
    } elseif (isset($_POST['confpassword'])) {
        // * Confirming the password -- DEVICE COOKIE MUST BE GOOD
        // ** Confirm the password and create the user ticket
        $user_row = ReturnUserRecord(LOCAL_USER_QUERY_SRC_EMAIL, strtolower($_POST['loginemail']));
        $user_failedloginattempts = intval($user_row['failedloginattempts']);

        // NOTE(review): the posted password is not trim()'d here, whereas the change-password
        // path above trims chg_pwd_old before password_verify(); the two paths should agree
        if (password_verify($_POST['loginpassword'], trim($user_row['pwd']))) {
            // ** The passwords match.. Do I just send to portal from HERE...
            // * Or it may need to go back to where they were...
            // ** similar to homebanking TxURI... where the requested link is requested..
            // * For the time being send to portal

            // ** update the database to reflect they have been logged in
            $sql = "UPDATE {$DB_TABLE_PREFIX}user
                    SET failedloginattempts = 0
                    WHERE email = '" . save_text(strtolower($_POST['loginemail']), 50) . "'
                    AND cu = '" . save_text($DMSAPP_CURRENTCUCODE) . "'
                    AND coalesce(userlogintype, '') <> 'H' ";
            $upd_rs = db_query($sql, $dbh);

            // ** NOW CHECK TO SEE IF THEY HAVE QUESTIONS ENTERED
            $sql = "SELECT COUNT(u_qs.userid) as quest_select
                    FROM {$DB_TABLE_PREFIX}user_questselect as u_qs
                    WHERE u_qs.userid = " . $user_row['userid'];
            $cnt_rs = db_query($sql, $dbh);
            $cnt_row = db_fetch_assoc($cnt_rs);

            $user_failedloginattempts = 0;
            if ($cnt_row['quest_select'] == 0) {
                // ** THEY DO NOT HAVE QUESTIONS --
                // * GOAL is to have them revalidate their password.. which will then redirect them to
                // * select questions
                $User_Quest_Set = 0;
                $DMSAPP_CURRENTUSERID = $user_row['userid'];
                // ** CHANGE THE form_code to 'newuser' -- the switch further down then renders the
                // ** security-question form; no login cookie is issued on this path
                $form_code = "newuser";

            } else {
                $User_Quest_Set = 1;
                // password verified and questions on file: issue the login cookie and go to the portal
                DMSAppSetCookie($HB_ENV, $user_row['userid'], DMSAPP_CONST_APP_LOGIN);

                header("Location: {$self}f=portal");
                exit;
            }



        } else {
            // wrong password: bump the server-side counter
            $sql = "UPDATE {$DB_TABLE_PREFIX}user
                    SET failedloginattempts = COALESCE(failedloginattempts, 0) + 1
                    WHERE email = '" . save_text(strtolower($_POST['loginemail']), 50) . "'
                    AND cu = '" . save_text($DMSAPP_CURRENTCUCODE) . "'
                    AND coalesce(userlogintype, '') <> 'H' ";
            $upd_rs = db_query($sql, $dbh);

            $user_failedloginattempts += 1;
            // ** Need to report there was an error with password
            $FORM_VALIDATION_ERROR .= "<li>The password you entered did not match.</li>";
            // * this should fall through to the password entry form again
        }

    } else {
        // ** WE may be directed here.. FORCED EXPIRED TICKET..
        // * message for expired ticket

        // ** If both of these have values.. then assume they are set and
        // The user simply timed out..
        if ($DMSAPP_CURRENTUSERID > 0 && $DMSAPP_CURRENTEMAIL != '') {
            $FORM_VALIDATION_ERROR .= "<li>Your session has expired. Please confirm your password.</li>";
        }
    }
    // ** AT THIS POINT -- CHECK TO SEE IF FAILED LOGIN ATTEMPTS EXCEED
    // ** not really happy here, but the code is not straight forward ... sigh.. my bad
    // ** So I am going to setup a local value.. then if the user is confirming from
    // * The entry screen, or they have 'wrong' pwd/challenge then
    // NOTE(review): $user_failedloginattempts is maintained above but not compared with any
    // threshold in this part of the file, so the counter alone does not throttle or lock out
    // repeated wrong answers/passwords -- confirm whether an included file enforces the limit.


} else {

    // ** Load values from Database if this is for MODIFY USER
    // * Load user info
    if ($DMSAPP_CURRENTUSERID != "" && $form_code == "modifyuser") {
        // NOTE(review): the id is interpolated unescaped here, while the save path above wraps
        // the same value in intval(); `WHERE userid = " . intval($DMSAPP_CURRENTUSERID)` would match
        $sql = "SELECT * FROM {$DB_TABLE_PREFIX}user
                WHERE userid = '$DMSAPP_CURRENTUSERID'";

        $user_rs = db_query($sql, $dbh);
        if ($user_rs) {
            $user_row = db_fetch_array($user_rs);
            //** Make sure the CU matches expected CU
            // tenancy check: a user id belonging to a different CU is treated as a load error
            if (trim($user_row['cu']) == $DMSAPP_CURRENTCUCODE) {
                // ** Add fields to JSON Loading object
                // ** Email somewhere ??
                // ** PWD -- NO DEFAULT ENTRY..
                // * challenge question
                // values are written into a JS object literal; disp_text() is relied on for escaping
                if ($SHOW_SETTINGS['CONFIDENCE']) {
                    $JSON_FormPopulate .= ($JSON_FormPopulate != '' ? ", " : "") . "app_confword: '" . disp_text($user_row['confidenceword']) . "' ";
                }
                if ($SHOW_SETTINGS['EMAIL']) {
                    $JSON_FormPopulate .= ($JSON_FormPopulate != '' ? ", " : "") . "'chg_email':'" . disp_text($user_row['email']) . "' ";
                }
                // * Load Security questions
                // the stored answers are prefilled into the page too, so they are visible in the
                // page source of this authenticated screen; the query has no ORDER BY, so the
                // slot each question lands in is whatever order the driver returns
                $sql = "SELECT * FROM {$DB_TABLE_PREFIX}user_questselect
                        WHERE userid = '$DMSAPP_CURRENTUSERID'";
                $secur_rs = db_query($sql, $dbh);
                $secur_idx = 0;
                while ($secur_row = db_fetch_array($secur_rs, $secur_idx)) {

                    // Add options to the JSON Object
                    $JSON_FormPopulate .= ($JSON_FormPopulate != '' ? ", " : "") . "chg_qst_$secur_idx: '" . disp_text($secur_row['questid']) . "', chg_resp_$secur_idx: '" . disp_text($secur_row['user_answer']) . "' ";

                    $secur_idx++;
                }
            } else {
                // ** ERROR -- CU FOR MEmber does not match expected value
                $error_loadform = 2;
            }
        } else {
            // ** COULD NOT FIND USER -- ERROR HERE
            $error_loadform = 2;
        }
    }
}
556 
557 switch ($form_code):
558  case "savesettings":
559 
560  break;
561  case "newuser":
562 
563  $mpmsg = '';
564  if ($DMSAPP_CURRENTUSERID == "") {
565 // test password
566 
567  // ** I will need to first confirm if the email is already present for the
568  // CU selected
569  $sql = "SELECT count(*) as email_login_count
570  FROM {$DB_TABLE_PREFIX}user
571  WHERE email = '" . save_text(strtolower($_POST['confirmemail']), 50) . "'
572  AND cu = '" . save_text($DMSAPP_CURRENTCUCODE) . "'
573  AND coalesce(userlogintype, '') <> 'H' ";
574 
575  $h_resp = db_query($sql, $dbh);
576  if ($h_resp) {
577  // * now check to see results
578  list($email_login_count) = db_fetch_array($h_resp, 0);
579  if ($email_login_count == 0) {
580  // now test to make sure the password meets the requirements
581  $passwordNew = $_POST["apppasswd"];
582  $passwordConfirm = $_POST["confirmpasswd"];
583  $passwdMsg = "";
584 
585  if ( $passwordNew <> $passwordConfirm ) {
586  // ** PWD ERROR -- DO NOT MATCH
587  $passwdMsg .= "<li>The new passwords do not match.</li>";
588  }
589 
590  // validate the password
591  if (key_exists("configPassword", $configOptions)) {
592  $pwdRules = json_decode($configOptions['configPassword'], true);
593  } else {
594  $pwdRules["len"] = 8;
595  $pwdRules["upper"] = 1;
596  $pwdRules["lower"] = 1;
597  $pwdRules["spec"] = 0;
598  $pwdRules["digit"] = 1;
599  }
600 
601  if ( strlen($passwordNew) < $pwdRules["len"] ) {
602  $mpmsg .= "Password is too short, ";
603  }
604  if ( strlen($passwordNew) > 20 ) {
605  $mpmsg .= "Password is too long, ";
606  }
607  $numDigitCount = 0;
608  $numUpperCharCount = 0;
609  $numLowerCharCount = 0;
610  $numSpecialCharCount = 0;
611  $passSpecial = Get_PwdSpecialCharacters();
612  $notAllowedCount = 0;
613  for ( $i = 0; $i < strlen( $passwordNew ); $i++ )
614  {
615  $ch = substr( $passwordNew, $i, 1 );
616  if ($ch >= '0' && $ch <= '9') { $numDigitCount++; }
617  else if ($ch >= 'A' && $ch <= 'Z') { $numUpperCharCount++; }
618  else if ($ch >= 'a' && $ch <= 'z') { $numLowerCharCount++; }
619  else if ( $ch != ',' && strpos( $passSpecial, $ch ) >= 0 ) { $numSpecialCharCount++; }
620  else { $notAllowedCount++; }
621  }
622  if ( $pwdRules["upper"] > 0 && $numUpperCharCount < $pwdRules["upper"] )
623  {
624  $plural = $pwdRules["upper"] > 1 ? 's' : '';
625  $mpmsg .= "Need at least {$pwdRules["upper"]} UPPER CASE letter$plural, ";
626  }
627  if ( $pwdRules["lower"] > 0 && $numLowerCharCount < $pwdRules["lower"] )
628  {
629  $plural = $pwdRules["lower"] > 1 ? 's' : '';
630  $mpmsg .= "Need at least {$pwdRules["lower"]} lower case letter$plural, ";
631  }
632  if ( $pwdRules["spec"] > 0 && $numSpecialCharCount < $pwdRules["spec"] )
633  {
634  $plural = $pwdRules["spec"] > 1 ? 's' : '';
635  $mpmsg .= "Need at least {$pwdRules["spec"]} special character$plural, ";
636  }
637  if ( $pwdRules["digit"] > 0 && $numDigitCount < $pwdRules["digit"] )
638  {
639  $plural = $pwdRules["digit"] > 1 ? 's' : '';
640  $mpmsg .= "Need at least {$pwdRules["digit"]} digit$plural, ";
641  }
642 
643  if ( strlen( $mpmsg ) > 0 ) {
644  $passwdMsg .= urlencode($mpmsg);
645  // ** REDIRECT
646  header("Location: {$self}status=11&msg=$passwdMsg");
647  exit;
648  }
649 
650  // ** SUCCESS -- CONTINUE WITH THIS FORM..
651  // * First Get the next sequence ID
652  $sql = "SELECT nextval('{$DB_TABLE_PREFIX}user_userid_seq'::text) as userid ";
653  $id_rs = db_query($sql, $dbh);
654  list($user_id) = db_fetch_array($id_rs);
655  db_free_result($id_rs);
656 
657  $saved_pwd = password_hash($_POST['confirmpasswd'], PASSWORD_DEFAULT);
658 
659  // ** FIRST INSERT THE USER RECORD INTO THE
660  $sql = "INSERT INTO {$DB_TABLE_PREFIX}user
661  (userid, email, pwd, allow_e_comm, cu)
662  (SELECT
663  $user_id,
664  '" . save_text(strtolower($_POST['confirmemail']), 50) . "',
665  '" . save_text($saved_pwd) . "',
666  0,
667  '" . save_text($DMSAPP_CURRENTCUCODE) . "'
668 
669  WHERE NOT EXISTS (SELECT * FROM {$DB_TABLE_PREFIX}user WHERE
670  email = '". save_text(strtolower($_POST['confirmemail']), 50) . "'
671  AND cu = '" . save_text($DMSAPP_CURRENTCUCODE) . "'
672  AND coalesce(userlogintype, '') <> 'H'))"
673  ;
674 
675 //print "sql - $sql <br><br>userid - $user_id";
676  $saved_resp = db_query($sql, $dbh);
677  if (db_affected_rows($saved_resp) == 0) {
678 //print "ONE";
679  // * AN ERROR OCCURRED -- The email ended up being inserted even tho I
680  // * just checked.. I am sayin it is an already used email
681  // ** USER ALREADY EXISTS
682  // ** REDIRECT
683  header("Location: {$self}status=1");
684  exit;
685  } else {
686 //print "TWO";
687  // ** SUCCESS --
688  // ** Do the normal SET COOKIE for successful login
689  DMSAppSetCookie($HB_ENV, $user_id, DMSAPP_CONST_APP_LOGIN, true);
690  // ** COOKIE was JUST set -- Set this value now
691  $DMSAPP_CURRENTUSERID = $user_id;
692  }
693  // ** Continue loading form -- this takes them to the security page
694 
695  } else {
696  // ** USER ALREADY EXISTS
697  // ** REDIRECT
698  header("Location: {$self}status=1");
699  exit;
700  }
701  } else {
702  // * An error occurred with the database, need some sort of handling for
703  // an error occurring
704  $error_loadform = 2;
705  }
706  } else {
707  // ** LOAD THE FORM DURING POSTING THE SETTINGS -- possible validation error
708 
709  }
710 
711  // ** FALL INTO THE MODIFY USER SCREEN
712  case "modifyuser":
713  case "newmiruser":
714  if ($error_loadform == 0):
715  // if we are a newmiruser then we don't have a user id
716  if ( $form_code == "newmiruser" ) {
717  // new MIR users may not be home banking members
718  $sql = "SELECT *
719  FROM {$DB_TABLE_PREFIX}user
720  WHERE session_account = '" . save_text($_POST['member'], 12) . "'
721  AND cu = '$DMSAPP_CURRENTCUCODE'
722  AND userlogintype = 'N'";
723 
724  $user_rs = db_query($sql, $dbh);
725  if ( $user_row = db_fetch_array($user_rs) ) {
726  // get the id
727  $DMSAPP_CURRENTUSERID = $user_row["userid"];
728  } else {
729  // dang! couldn't find it
730  header("Location: {$self}f=intro&status=999");
731  exit;
732  }
733  }
734 
735  // * Create the JSON object for populating the fields
736  // ** Load values from Previous Posting of form
737  $JSON_FormPopulate ="{" . $JSON_FormPopulate . "}";
738 
739  // build up the password requirements message
740  if (key_exists("configPassword", $configOptions)) {
741  $pwdRules = json_decode($configOptions['configPassword'], true);
742  } else {
743  $pwdRules["len"] = 8;
744  $pwdRules["upper"] = 1;
745  $pwdRules["lower"] = 1;
746  $pwdRules["spec"] = 0;
747  $pwdRules["digit"] = 1;
748  }
749 
750  $passwordRequirements = "";
751  $passwordRequirements .= "&bull; At least {$pwdRules["len"]} characters<br>";
752  if ( $pwdRules["upper"] > 0 ) {
753  $plural = $pwdRules["upper"] > 1 ? "s" : "";
754  $passwordRequirements .= "&bull; At least {$pwdRules["upper"]} UPPER CASE character$plural<br>";
755  }
756  if ( $pwdRules["lower"] > 0 ) {
757  $plural = $pwdRules["lower"] > 1 ? "s" : "";
758  $passwordRequirements .= "&bull; At least {$pwdRules["lower"]} lower case character$plural<br>";
759  }
760  if ( $pwdRules["spec"] > 0 ) {
761  $specialCharList = Get_PwdSpecialCharacters();
762  $plural = $pwdRules["spec"] > 1 ? "s" : "";
763  $passwordRequirements .= "&bull; At least {$pwdRules["spec"]} special character$plural ($specialCharList)<br>";
764  }
765  if ( $pwdRules["digit"] > 0 ) {
766  $plural = $pwdRules["digit"] > 1 ? "s" : "";
767  $passwordRequirements .= "&bull; At least {$pwdRules["digit"]} digit$plural<br>";
768  }
769 
770 ?>
771  <style>
772  .input input { margin-left:1em;}
773  .input label { margin-left:0px; font-size:larger; padding:1em;}
774  @media only screen and (max-width: 479px) {
775  .passwordrequirements {display: inline-block; float:none; margin-left:20px;}
776  }
777  </style>
778  <div class="container-fluid">
779 
780  <div class="row">
781  <div class="lnapp-form-section lnapp-summary-wrap col-xs-12 col-md-offset-3 col-md-6" style="">
782  <div id="summary-container" class="validity-summary-container errors" >
783  <div class="alert alert-danger">
784  <p><em>You may not continue. the following errors were encountered:</em></p>
785  <ul>
786  <?php echo $FORM_VALIDATION_ERROR; ?>
787  </ul>
788  </div>
789  </div>
790  </div>
791  </div>
792 
793 
794 
795 
796  <form id="app_settings" name="app_settings" action="<?php echo $self; ?>f=<?php echo $form_code; ?>" method="post">
797  <input type="hidden" name="form_set" value="<?php echo $form_code; ?>">
798  <input type="hidden" name="form_key" value="<?php echo encrypt($DMSAPP_CURRENTUSERID, $MasterKey); ?>">
799  <div id="content-single">
800  <div class="form-container">
801  <?php if ($SHOW_SETTINGS['EMAIL']): ?>
802 
803  <div class="row">
804  <div class="col-xs-12 col-sm-offset-3 col-sm-6">
805  <div class="panel panel-default">
806  <div class="panel-heading">
807  <h2 class="panel-title">Email</h2>
808  </div>
809  <div class="panel-body">
810 
811  <div class="form-horizontal">
812  <div class="form-group">
813  <label for="chg_email" class="col-sm-2 control-label">Email</label>
814  <div class="col-sm-10">
815  <input id="chg_email" name="chg_email" type="text" x-size="20" class="email form-control" title="Email" value=""/>
816  </div>
817  </div>
818  </div>
819 
820  </div>
821  </div>
822  </div>
823  </div>
824 
825 
826  <?php endif; ?>
827  <?php if ($SHOW_SETTINGS['PASSWORD']): ?>
828 
829 
830 
831  <div class="row">
832  <div class="col-xs-12 col-sm-offset-3 col-sm-6">
833  <div class="panel panel-default">
834  <div class="panel-heading">
835  <h2 class="panel-title">Password</h2>
836  </div>
837  <div class="panel-body">
838 
839  <div class="form-horizontal">
840  <div class="form-group">
841  <label for="chg_pwd_old" class="col-sm-2 control-label">Current Password</label>
842  <div class="col-sm-10">
843  <input id="chg_pwd_old" name="chg_pwd_old" type="password" x-size="12" class="curpwd form-control" title="Current Password"/>
844  </div>
845  </div>
846  <div class="row">
847  <div class="col-xs-12 col-sm-6">
848  <div class="form-group">
849  <label for="chg_pwd_new" class="col-sm-4 control-label">New Password</label>
850  <div class="col-sm-8">
851  <input id="chg_pwd_new" name="chg_pwd_new" type="password" size="12" class="newpwd form-control"title="New Password"/>
852  </div>
853  </div>
854  <div class="form-group">
855  <label for="chg_pwd_conf" class="col-sm-4 control-label">Confirm</label>
856  <div class="col-sm-8">
857  <input id="chg_pwd_conf" name="chg_pwd_conf" type="password" size="12" class="newpwd form-control" title="Confirmation Password"/>
858  </div>
859  </div>
860  </div>
861  <div class="col-xs-12 col-sm-6">
862  <div class="alert alert-info ">
863  <div style="color:red; margin-top:5px;">Password Requirements</div>
864  <?php echo $passwordRequirements ?>
865  </div>
866 
867  </div>
868  </div>
869 
870  </div>
871  </div>
872  </div>
873 
874  </div>
875  </div>
876  <?php endif; ?>
877  <?php if ($SHOW_SETTINGS['SECURITY']): ?>
878 
879  <div class="row">
880  <div class="col-xs-12 col-sm-offset-3 col-sm-6">
881  <div class="panel panel-default">
882  <div class="panel-heading">
883  <h2 class="panel-title">Challenge Questions</h2>
884  </div>
885  <div class="panel-body">
886 
887  <div class="form-horizontal">
888  <div class="form-group">
889  <label for="chg_qst_0" class="col-xs-12 ">Question 1</label>
890  <div class="col-xs-12">
891  <select id="chg_qst_0" name="chg_qst_0" class="form-control" title="Question 1">
892  <option value="">Please select a challenge question</option>
893  <?php print ReturnQuestMasterOption(); ?>
894  </select>
895  </div>
896  </div>
897  <div class="form-group">
898  <label for="chg_resp_0" class="sr-only col-xs-12">Response 1</label>
899  <div class="col-xs-12">
900  <input id="chg_resp_0" class="form-control" name="chg_resp_0" type="text" size="30" maxlength="100" placeholder="Response 1" title="Response 1"/>
901  </div>
902  </div>
903 
904  <div class="form-group">
905  <label for="chg_qst_1" class="col-xs-12">Question 2</label>
906  <div class="col-xs-12">
907  <select id="chg_qst_1" name="chg_qst_1" class="form-control" title="Question 2">
908  <option value="">Please select a challenge question</option>
909  <?php print ReturnQuestMasterOption(); ?>
910  </select>
911  </div>
912  </div>
913  <div class="form-group">
914  <label for="chg_resp_1" class="sr-only col-sm-2 control-label">Response 2</label>
915  <div class="col-xs-12">
916  <input id="chg_resp_1" class="form-control" name="chg_resp_1" type="text" size="30" maxlength="100" placeholder="Response 2" title="Response 2"/>
917  </div>
918  </div>
919 
920  <div class="form-group">
921  <label for="chg_qst_2" class="col-xs-12">Question 3</label>
922  <div class="col-xs-12">
923  <select id="chg_qst_2" name="chg_qst_2" class="form-control" title="Question 3">
924  <option value="">Please select a challenge question</option>
925  <?php print ReturnQuestMasterOption(); ?>
926  </select>
927  </div>
928  </div>
929  <div class="form-group">
930  <label for="chg_resp_2" class="sr-only col-sm-2 control-label">Response 3</label>
931  <div class="col-xs-12">
932  <input id="chg_resp_2" class="form-control" name="chg_resp_2" type="text" size="30" maxlength="100" placeholder="Response 3" title="Response 3"/>
933  </div>
934  </div>
935 
936  </div>
937  </div>
938  </div>
939 
940  </div>
941  </div>
942 
943 
944  <?php endif; ?>
945 
946  <?php if ($SHOW_SETTINGS['CONFIDENCE']): ?>
947 
948  <div class="row">
949  <div class="col-xs-12 col-sm-offset-3 col-sm-6">
950  <div class="panel panel-default">
951  <div class="panel-heading">
952  <h2 class="panel-title">Confidence Word</h2>
953  </div>
954  <div class="panel-body">
955 
956  <div class="form-horizontal">
957  <div class="form-group">
958 
959  <label for="app_confword" class="sr-only control-label col-sm-2">Confidence Word</label>
960  <div class="col-sm-10">
961  <input id="app_confword" class="form-control" name="app_confword" type="text" size="30" maxlength="30" class="confidence" placeholder="Confidence Word" title="Confidence Word"/>
962  </div>
963 
964  </div>
965 
966  </div>
967  </div>
968  </div>
969 
970  </div>
971  </div>
972 
973  <?php endif; ?>
974  </div>
975 
976  <div class="row">
977  <div class="col-xs-12 col-sm-offset-3 col-sm-6">
978 
979  <label class="submit">
980  <a class="k-button k-primary" role="button" href="#" id='linkFormPost' label='Submit'><span>Save Settings</span></a>
981  <input type="hidden" name="savesettings" value="1">
982  <script language="javascript">
983  $(function(){
984  $('a[id^=linkFormPost]').click(function(){
985  $('#app_settings').submit();
986  });
987  });
988  </script>
989  </label>
990  </div>
991  </div>
992  </div>
993  </form>
994  <script language="javascript">
995  $.validity.setup({ outputMode:"summary" });
996 
997  $(function() {
998  $("#app_settings").validity(function() {
999 
1000 
1001  <?php if ($SHOW_SETTINGS['PASSWORD']): ?>
1002  if ($("#chg_pwd_new").val() != "") {
1003  $('#chg_pwd_old')
1004  .require('Current password must be entered to enter new password.');
1005 
1006  // check the requirements
1007  var newPassword = $("#chg_pwd_new").val();
1008  $("#chg_pwd_new").minLength(<?php echo $pwdRules["len"] ?>, "New password too short.");
1009 
1010  if ( <?php echo $pwdRules["digit"] ?> > 0 ) {
1011  var test = newPassword;
1012  if ( test.replace(/[^0-9]/g,"").length < <?php echo $pwdRules["digit"] ?> ) {
1013  $("#chg_pwd_new").assert(false, "Not enough digits in password.");
1014  }
1015  }
1016 
1017  if ( <?php echo $pwdRules["upper"] ?> > 0 ) {
1018  var test = newPassword;
1019  if ( test.replace(/[^A-Z]/g,"").length < <?php echo $pwdRules["upper"] ?> ) {
1020  $("#chg_pwd_new").assert(false, "Not enough upper-case characters in password.");
1021  }
1022  }
1023 
1024  if ( <?php echo $pwdRules["lower"] ?> > 0 ) {
1025  var test = newPassword;
1026  if ( test.replace(/[^a-z]/g,"").length < <?php echo $pwdRules["lower"] ?> ) {
1027  $("#chg_pwd_new").assert(false, "Not enough lower-case characters in password.");
1028  }
1029  }
1030  }
1031  $('input.newpwd').equal("New passwords field do not match.");
1032  <?php endif; ?>
1033  <?php if ($SHOW_SETTINGS['EMAIL']): ?>
1034  $('input.email')
1035  .require('#{field} is required')
1036  .match('email', '#{field} must be formatted as an email.')
1037  ;
1038  <?php endif; ?>
1039  <?php if ($SHOW_SETTINGS['SECURITY']): ?>
1040  $("[id^='chg_resp']")
1041  .require('#{field} is required');
1042  $("[id^='chg_qst']")
1043  .require('#{field} is required')
1044  .distinct('Different challenge questions must be selected.');
1045  <?php endif; ?>
1046  <?php if ($SHOW_SETTINGS['CONFIDENCE']): ?>
1047  $("[id^='app_confword']")
1048  .require('#{field} is required');
1049  <?php endif; ?>
1050  });
1051  <?php print ($FORM_VALIDATION_ERROR != "" ? "$('#summary-container').css('display', 'inline-block');" : ""); ?>
1052  });
1053  <?php print (strlen($JSON_FormPopulate) > 0 ? "$('#app_settings').populate($JSON_FormPopulate);\n" : ""); ?>
1054 
1055  </script>
1056 <?php
1057  endif; // ** if ($error_loadform == 0):
1058  break;
1059 
1060  case "confirmuser":
1061 
1062  // ** We have 2 Cookies --
1063  // ** DEVICE -- This means the user has successfully confirmed the identity
1064  // ** of this device by means of answering a challenge questions
1065  // ** USERID -- This means the user MUST first answer a challenge question
1066  // ** and then correctly fill in their user password
1067 
1068  // ** DEVICE CHECK
1069  // * Check for existance of correct cookie
1070  //$user_device_cookiename = "{$DB_TABLE_PREFIX}{$DMSAPP_CURRENTCUCODE}Tu0geethSaith7ch" . trim($_POST['loginemail']);
1071 
1072  // ** There may be one of two options --
1073  // ** 1 - We are Posting and have an email in $_POST['loginemail']
1074  // ** 2 - There is NO USER TICKET -- $DMSAPP_CURRENTEMAIL will be blank
1075 
1076  if (isset($_POST['loginemail'])) {
1077  $l_email = trim(strtolower($_POST['loginemail']));
1078  } else {
1079  $l_email = $DMSAPP_CURRENTEMAIL;
1080  }
1081  $user_row = ReturnUserRecord(LOCAL_USER_QUERY_SRC_EMAIL, $l_email);
1082  if (isset($user_row['userid'])) {
1083  if (intval($user_row['failedloginattempts']) >= $DMSAPP_FAILEDLOGINATTEMPTS) {
1084  header("Location: {$self}f=intro&status=8");
1085  exit;
1086  }
1087 
1088  $user_device_cookiename = ReturnDeviceCookieName($DMSAPP_CURRENTCUCODE, DMSAPP_CONST_APP_LOGIN, $l_email, $user_row['userid']);
1089  $User_Device_Set = 0;
1090  $User_Pwd_Set = 0;
1091  $User_Quest_Set = 0;
1092 
1093  // * Validate the data -- Must look up the email in the dB.. If NOT FOUND, then
1094  // * return to previous screen
1095  /*
1096  if (!isset($user_row)) {
1097  $sql = "SELECT *
1098  FROM {$DB_TABLE_PREFIX}user
1099  WHERE email = '" . save_text($l_email, 50) . "' ";
1100 
1101  if ($user_rs = db_query($sql, $dbh)) {
1102  $user_row = db_fetch_array($user_rs);
1103  }
1104  }
1105  */
1106 
1107  if ($form_validated_device) {
1108  // The user successfully passed challenge question setting the device cookie -- so now ask for password
1109  $User_Device_Set = 1;
1110 
1111  } elseif (isset($_COOKIE[$user_device_cookiename])) {
1112 
1113  // ** Validate the information for the cookie is set correctly
1114  // sha1({ENCRYPTEDPWD}{email}{confword})
1115  $expectedCookieVal = sha1($DMSAPP_SECRET_KEY . trim($user_row['pwd']) . trim($user_row['email']) . trim($user_row['confidenceword']) . trim($user_row['banking_user_id']));
1116 
1117  // ** Now verify if the Device Cookie matches expected value
1118  if ($expectedCookieVal == $_COOKIE[$user_device_cookiename]) {
1119  // * Correct Device Cookie -- Force password confirmation
1120  $User_Device_Set = 1;
1121  } else {
1122  // * Incorrect cookie values -- Force Device Challenge
1123  $User_Device_Set = 0;
1124  }
1125  } else {
1126  // * AUTO FAIL DEVICE COOKIE --
1127  // * RECONFIRM DEVICE with SECURITY QUESTIONS
1128  $User_Device_Set = 0;
1129  }
1130  } else {
1131 
1132  // * Incorrect User was entered
1133  // * Redirect back to intro screen
1134  // * Unable to find the email -- no need to update failed logins
1135  if (isset($_POST['loginemail'])) {
1136  header("Location: {$self}f=intro&status=2");
1137  } else {
1138  // ** LOGIN NOT TOTALLY KNOWN .. redirect to main screen.. no message...
1139  header("Location: {$self}f=intro");
1140  }
1141  exit;
1142  }
1143 
1144 
1145  /*print "Cookie value - " . $DMSAPP_USERID_CookieString;
1146  // ** Lookup the posted user
1147  $sql = "SELECT *
1148  FROM {$DB_TABLE_PREFIX}user
1149  WHERE email = '" . save_text($_POST['loginemail'], 50) . "' ";
1150 
1151 
1152  $user_rs = db_query($sql, $dbh);
1153  $user_row = db_fetch_array($user_rs);
1154  DMSAppSetCookie($HB_ENV, $user_row['userid']);
1155  print "SET COOKIE " . $user_row['userid'];
1156 // exit;
1157 */
1158  // ** First Check to see if device is NOT SET
1159  $form_pwd_script = "
1160  <script>
1161  " . ($FORM_VALIDATION_ERROR != "" ? "$('#summary-container').css('display', 'inline-block');" : "") . "
1162  </script> ";
1163 
1164  // ** NEED TO CHECK TO MAKE SURE THEY HAVE ENTERED SECURITY QUESTIONS
1165  $sql = "SELECT COUNT(u_qs.userid) as quest_select
1166  FROM {$DB_TABLE_PREFIX}user_questselect as u_qs
1167  JOIN {$DB_TABLE_PREFIX}user as u on u.userid = u_qs.userid
1168  WHERE email = '" . save_text($l_email, 50) . "'
1169  AND cu = '" . save_text($DMSAPP_CURRENTCUCODE) . "'
1170  AND coalesce(userlogintype, '') <> 'H' ";
1171  $cnt_rs = db_query($sql, $dbh);
1172  $cnt_row = db_fetch_assoc($cnt_rs);
1173 
1174  if ($cnt_row['quest_select'] == 0) {
1175  // ** THEY DO NOT HAVE QUESTIONS --
1176  // * GOAL is to have them revalidate their password.. which will then redirect them to
1177  // * select questions
1178  $User_Quest_Set = 0;
1179  } else {
1180  $User_Quest_Set = 1;
1181  }
1182 
1183  if ($User_Device_Set == 0 && $User_Quest_Set > 0) {
1184  // ** CHALLENGE SECURITY QUESTION....
1185  // ** Find out if we have a previous attempt at device login and already
1186  // * have a challenge question
1187 
1188  if ($user_row['challenge_quest_id'] > 0) {
1189  $select_questid = $user_row['challenge_quest_id'];
1190 
1191  } else {
1192 
1193  // ** NO PREVIOUS CHALLENGE PICK A RANDOM
1194  // * First pick ONE of the multiple security questions this user
1195  // * may have
1196  $sql = "SELECT *
1197  FROM {$DB_TABLE_PREFIX}user_questselect as u_qs
1198  JOIN {$DB_TABLE_PREFIX}user as u on u.userid = u_qs.userid
1199  WHERE email = '" . save_text($l_email, 50) . "'
1200  AND cu = '" . save_text($DMSAPP_CURRENTCUCODE) . "'
1201  AND coalesce(userlogintype, '') <> 'H'
1202  ORDER BY RANDOM() LIMIT 1";
1203 
1204  $qst_rs = db_query($sql, $dbh);
1205  $qst_row = db_fetch_array($qst_rs);
1206 
1207  $select_questid = $qst_row['questid'];
1208  // ** INSERT THE QuestID as the question that must be answered
1209  $sql = "UPDATE {$DB_TABLE_PREFIX}user
1210  SET challenge_quest_id = " . intval($select_questid) . "
1211  WHERE email = '" . save_text($l_email, 50) . "'
1212  AND cu = '" . save_text($DMSAPP_CURRENTCUCODE) . "'
1213  AND coalesce(userlogintype, '') <> 'H' ";
1214 
1215 
1216  if (!$upd_rs = db_query($sql, $dbh)) {
1217  // ** UNKNOWN ERROR BACK TO INTRO
1218  header("Location: {$self}f=intro&status=999");
1219  exit;
1220  }
1221 
1222  }
1223 
1224  // ** Display the CHALLENGE FORM
1225  $challenge_quest_text = $DMSAPP_QuestMaster_Ary[$select_questid];
1226 
1227  print <<< challenge_form
1228 
1229  <div class="container-fluid">
1230 
1231  <div class="row">
1232  <div class="lnapp-form-section lnapp-summary-wrap col-xs-12 col-md-offset-3 col-md-6" style="">
1233  <div id="summary-container" class="validity-summary-container errors" >
1234  <div class="alert alert-danger">
1235  <p><em>You may not continue. the following errors were encountered:</em></p>
1236  <ul>
1237  $FORM_VALIDATION_ERROR
1238  </ul>
1239  </div>
1240  </div>
1241  </div>
1242  </div>
1243 
1244  <form id="app_settings" name="app_settings" action="{$self}f=confirmuser" method="post">
1245  <input type="hidden" name="form_set" value="$form_code">
1246  <input type="hidden" name="loginemail" value="$l_email">
1247 
1248  <div class="row">
1249  <div class="col-xs-12 col-sm-offset-3 col-sm-6">
1250 
1251  <div class="alert alert-warning" role="alert">
1252  <strong>We do not recognize the device you are using.</strong><br>
1253  Please answer the question below to confirm your identity.
1254  </div>
1255 
1256  <div class="panel panel-default">
1257  <div class="panel-heading">
1258  <h2 class="panel-title">Challenge Question</h2>
1259  </div>
1260  <div class="panel-body">
1261  <div class="form-horizontal">
1262  <div class="form-group">
1263  <label class='col-xs-12' for="chg_resp">$challenge_quest_text</label>
1264  <div class="col-xs-12">
1265  <input id="chg_resp" class="form-control" name="chg_resp" type="text" size="30" maxlength="100" class="text-input"/>
1266  </div>
1267  </div>
1268 
1269  <div class="form-group">
1270  <div class="col-xs-12">
1271  <div class="radio">
1272  <label>
1273  <input type='radio' id='chksecureY' name='chksecure' value='Y' checked/>
1274  Yes, remember it
1275  </label>
1276  <br/>
1277  <small>
1278  <em>
1279  For your convenience, we will not require additional authentication when you log in from this device.
1280  We may occasionally require additional authentication to make sure you still want the system to recognize this device.
1281  </em>
1282  </small>
1283  </div>
1284  </div>
1285  <div class="col-xs-12">
1286  <div class="radio">
1287  <label>
1288  <input type='radio' id='chksecureN' name='chksecure' value='N' />
1289  No, do not remember it
1290  </label>
1291  <br/>
1292  <small>
1293  <em>
1294  We will continue to require additional authentication whenever you log in from this device.
1295  </em>
1296  </small>
1297  </div>
1298  </div>
1299  </div>
1300  </div>
1301  </div>
1302  </div>
1303  </div>
1304  </div>
1305  <div class="row">
1306  <div class="col-xs-12 col-sm-offset-3 col-sm-6">
1307 
1308  <input type="hidden" name="confchallenge" value="Confirm Answer">
1309  <a class="k-button k-primary" href="#" id='linkFormPost' label='Submit'><span>Confirm Answer</span></a>
1310 
1311  </div>
1312  </div>
1313 
1314 
1315  $form_pwd_script
1316  <script type="text/javascript">
1317  $(document).ready(function() {
1318 
1319  \$('#app_settings').bind("keydown", function(event) {
1320  // track enter key
1321  var keycode = (event.keyCode ? event.keyCode : (event.which ? event.which : event.charCode));
1322  if (keycode == 13) { // keycode for enter key
1323  // force the 'Enter Key' to implicitly click the Update button
1324  \$('#app_settings').submit();
1325  return false;
1326  } else {
1327  return true;
1328  }
1329  }); // end of function
1330 
1331  \$('#linkFormPost').click(function() {
1332  \$("#app_settings").submit();
1333  });
1334  $('#chg_resp').focus();
1335  }); // end of document ready
1336  </script>
1337 
1338  </form>
1339  </div>
1340 challenge_form;
1341 
1342  } else if ($User_Pwd_Set == 0) {
1343  // ** Now I need to confirm the password
1344 
1345  $print_confword = '';
1346  if ($User_Quest_Set > 0 ) {
1347  $confWord = "" . disp_text($user_row['confidenceword']);
1348  $print_confword = "<label class='col-xs-12' for='chg_resp'>Confidence Word:</label><div class='col-xs-12'><input id='chg_resp' class='form-control' name='chg_resp' type='text' size='30' maxlength='100' class='text-input' value='$confWord' disabled/></div>";
1349 
1350  } else {
1351  if ($FORM_VALIDATION_ERROR == '') {
1352  $FORM_VALIDATION_ERROR = "User registration was not completed. Please confirm your password.";
1353  }
1354  }
1355  if ($FORM_VALIDATION_ERROR != '') {
1356  }
1357  print <<< password_form
1358 
1359  <div class="container-fluid">
1360  <div class="row">
1361  <div class="lnapp-form-section lnapp-summary-wrap col-xs-12 col-md-offset-3 col-md-6">
1362  <div id="summary-container" class="validity-summary-container errors" >
1363  <div class="alert alert-danger">
1364  <p><em>You may not continue. the following errors were encountered:</em></p>
1365  <ul>
1366  $FORM_VALIDATION_ERROR
1367  </ul>
1368  </div>
1369  </div>
1370  </div>
1371  </div>
1372 
1373  <form id="app_settings" name="app_settings" action="{$self}f=confirmuser" method="post">
1374  <input type="hidden" name="form_set" value="$form_code">
1375  <input type="hidden" name="loginemail" value="$l_email">
1376  <div class="row">
1377  <div class="col-xs-12 col-sm-offset-3 col-sm-6">
1378  <div class="panel panel-default">
1379  <div class="panel-heading">
1380  <h2 class="panel-title">Enter Password</h2>
1381  </div>
1382  <div class="panel-body">
1383  <div class="form-horizontal">
1384  <div class="form-group">
1385  $print_confword
1386  </div>
1387  <div class="form-group">
1388  <label class='col-xs-12' for="loginpassword">Password:</label>
1389  <div class="col-xs-12">
1390  <input id="loginpassword" name="loginpassword" type="password" size="30" maxlength="100" class="form-control"/>
1391  </div>
1392  </div>
1393 
1394  <div class="row">
1395  <div class="col-xs-12 col-sm-6">
1396  <input type="hidden" name="confpassword" value="Login">
1397  <a class="k-button k-primary" href="#" id='linkFormPost' label='Submit'><span>Login</span></a>
1398  </div>
1399  </div>
1400 
1401  $form_pwd_script
1402  <script type="text/javascript">
1403  $(document).ready(function() {
1404 
1405  \$('#app_settings').bind("keydown", function(event) {
1406  // track enter key
1407  var keycode = (event.keyCode ? event.keyCode : (event.which ? event.which : event.charCode));
1408  if (keycode == 13) { // keycode for enter key
1409  // force the 'Enter Key' to implicitly click the Update button
1410  \$('#app_settings').submit();
1411  return false;
1412  } else {
1413  return true;
1414  }
1415  }); // end of function
1416 
1417  \$('#linkFormPost').click(function() {
1418  \$("#app_settings").submit();
1419  });
1420 
1421  $('#loginpassword').focus();
1422  }); // end of document ready
1423  </script>
1424  </div>
1425  </div>
1426  </div>
1427  </div>
1428  </div>
1429  </form>
1430 password_form;
1431  if ($FORM_VALIDATION_ERROR != '') {
1432  print "<script language='javascript'>$('#summary-container').css('display', 'inline-block');</script>";
1433  }
1434 
1435  } else {
1436 
1437  // * NOT SURE WHY I AM HERE .. force back to into...
1438  header("Location: {$self}f=intro&status=999");
1439  exit;
1440  }
1441 
1442 ?>
1443 
1444 
1445 <?php break; ?>
1446 
1447 
1448 <?php
1449  break;
1450  default:
1451  $error_loadform = 2;
1452  endswitch;
1453 
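function ReturnQuestMasterOption() {
    // * Build the <option> list (one entry per challenge question) from the global
    // * question master array, which maps question id => question text.
    // * Both the id and the text are HTML-escaped before being placed in the markup,
    // * so a question containing <, >, & or a quote cannot break out of the <option>
    // * tag; entities already present in the text are left alone (no double encoding).
    global $DMSAPP_QuestMaster_Ary;

    // ** Tolerate an unset / non-array master list: an empty option list is
    // * rendered instead of emitting a foreach warning.
    if (!is_array($DMSAPP_QuestMaster_Ary)) {
        return "";
    }

    $Ret_Option = "";
    foreach ($DMSAPP_QuestMaster_Ary as $rowkey => $rowval) {
        $optValue = htmlspecialchars((string)$rowkey, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
        $optText  = htmlspecialchars((string)$rowval, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
        $Ret_Option .= "<option value='$optValue'>$optText</option>";
    }

    return $Ret_Option;
}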
1465 
1466 // function ReturnUserRecord($p_SrcType, $p_SrcValue, $p_RefreshData = false)
1467 // ** p_SrcType -- This will determine if the query is based on the user_id or Email
1468  // values are {0, 1} 0 - email; 1 - userid
1469 // ** p_SrcValue -- This is the value that will be used in the where clause
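// ** ReturnUserRecord -- look up one user row, caching the result for this request.
// ** p_SrcType    -- selects the lookup column: falsy (0) = email, truthy (1) = userid
// ** p_SrcValue   -- the value compared in the WHERE clause (email string or user id)
// ** p_RefreshData -- true forces a fresh query even when a row for this key is cached
// ** Returns whatever db_fetch_array() yields for the first matching row, or null when
// ** no database handle ($dbh) is available and nothing is cached for this key.
function ReturnUserRecord($p_SrcType, $p_SrcValue, $p_RefreshData = false) {
    global $dbh, $DB_TABLE_PREFIX, $DMSAPP_CURRENTCUCODE;
    // ** Per-request cache keyed by lookup type + value, so a lookup for one user
    // * can never hand back the row previously cached for a different user.
    static $l_user_cache = array();

    $cacheKey = ($p_SrcType ? 'id:' : 'email:') . $p_SrcValue;

    // ** Query only when we have a handle AND (a refresh was requested OR this key
    // * has not been looked up yet); otherwise serve the cached row.
    if (isset($dbh) && ($p_RefreshData || !array_key_exists($cacheKey, $l_user_cache))) {

        $sql = "SELECT *
        FROM {$DB_TABLE_PREFIX}user ";
        if ($p_SrcType) {
            // ** userid is coerced to int, so no escaping is needed here
            $sql .= " WHERE userid = " . intval($p_SrcValue) . "; ";
        } else {
            // NOTE(review): save_text() is the project's escaper for string values;
            // a parameterised query would be preferable if the db layer supports it.
            $sql .= " WHERE email = '" . save_text($p_SrcValue, 50) . "' AND cu = '" . save_text($DMSAPP_CURRENTCUCODE) . "'; ";
        }

        $l_user_rs = db_query($sql, $dbh);
        // ** Grab the first row that i get
        $l_user_cache[$cacheKey] = db_fetch_array($l_user_rs);
    }

    return isset($l_user_cache[$cacheKey]) ? $l_user_cache[$cacheKey] : null;
}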