query($query); $bLoginAttempted = false; $bCannotLogin = false; $intNthAttempt = 0; if ($result!==false && $result->RecordCount() >= 1) { $bLoginAttempted = true; $field = $result->FetchRow(); $intNthAttempt = $field['number_attempts']; if ($intNthAttempt>=$maxLoginAttempt){ $bCannotLogin = true; } $iLastAttempt = strtotime($field['last_attempt']); if (time() > $iLastAttempt + $timeOutTime){ $bCannotLogin = false; $query = "DELETE FROM failed_login_attempts WHERE ip='$sIp';"; $result = $db->query($query) or die ($query."
".$db->ErrorMsg()); } } if(!$bCannotLogin){ $query = "SELECT * FROM users WHERE users_name=".$db->qstr($postuser); $result = $db->SelectLimit($query, 1) or die ($query."
".$db->ErrorMsg()); if ($result->RecordCount() < 1) { $query = fGetLoginAttemptUpdateQry($bLoginAttempted,$sIp); $result = $db->Execute($query) or die ($query."
".$db->ErrorMsg());; if ($result) { // wrong or unknown username $loginsummary .= "

".T_("Incorrect username and/or password!")."


"; if ($intNthAttempt+1>=$maxLoginAttempt) $loginsummary .= sprintf(T_("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"),($timeOutTime/60))."
"; $loginsummary .= "
".T_("Continue")."
 \n"; } } else { $fields = $result->FetchRow(); if (SHA256::hashing($_POST['password']) == $fields['password']) { // Anmeldung ERFOLGREICH if (strtolower($_POST['password'])=='password') { $_SESSION['pw_notify']=true; $_SESSION['flashmessage']=T_("Warning: You are still using the default password ('password'). Please change your password and re-login again."); } else { $_SESSION['pw_notify']=false; } // Check if the user has changed his default password session_regenerate_id(); $_SESSION['loginID'] = intval($fields['uid']); $_SESSION['user'] = $fields['users_name']; $_SESSION['full_name'] = $fields['full_name']; // Compute a checksession random number to test POSTs $_SESSION['checksessionpost'] = sRandomChars(10); $login = true; $loginsummary .= "
\n"; $loginsummary .= "
" . T_("Logged in") . "
"; $loginsummary .= "
".sprintf(T_("Welcome %s!"),$_SESSION['full_name'])."
 "; $loginsummary .= "
\n"; $_SESSION['USER_RIGHT_SUPERADMIN'] = 0; if ($fields['superadmin'] == 1) { $_SESSION['USER_RIGHT_SUPERADMIN'] = 1; } //go to queXS $loc = ""; if ($_SESSION['USER_RIGHT_SUPERADMIN'] == 1) $loc = "admin"; else { $utest = $db->GetOne("SELECT username FROM client WHERE username = '" . $_SESSION['user'] . "'"); if (!empty($utest)) $loc = "client"; } header('Location: ' . QUEXS_URL . $loc); die(); } else { $query = fGetLoginAttemptUpdateQry($bLoginAttempted,$sIp); $result = $db->Execute($query) or die ($query."
".$db->ErrorMsg());; if ($result) { // wrong or unknown username $loginsummary .= "

".T_("Incorrect username and/or password!")."
"; if ($intNthAttempt+1>=$maxLoginAttempt) $loginsummary .= sprintf(T_("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"),($timeOutTime/60))."
"; $loginsummary .= "
".T_("Continue")."
 \n"; } } } } else{ $loginsummary .= "

".sprintf(T_("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"),($timeOutTime/60))."
"; $loginsummary .= "
".T_("Continue")."
 \n"; } } } } elseif ($action == "logout") { killSession(); $logoutsummary = '

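'.T_("Logout successful."); }

// Ends the current PHP session for the "logout" action above: expires the
// session cookie in the browser, drops every session variable from this
// request and destroys the server-side session data. Returns nothing.
function killSession() //added by Dennis
{
    $sessName = session_name();
    $cookie = session_get_cookie_params();

    // A cookie is only replaced when name, path and domain match the one the
    // browser holds, so the expiring cookie is sent with the parameters the
    // session cookie was issued under. setcookie() omits an empty domain and a
    // false secure flag itself, which is what the original three-way branch did
    // by hand; the httponly flag is now carried across as well.
    setcookie(
        $sessName,
        '',
        time() - 3600,
        isset($cookie['path']) ? $cookie['path'] : '',
        isset($cookie['domain']) ? $cookie['domain'] : '',
        !empty($cookie['secure']),
        !empty($cookie['httponly'])
    );
    unset($_COOKIE[$sessName]);

    // Clear the in-request copy too, so anything that runs after logout in the
    // same request cannot read stale login state.
    $_SESSION = array();

    // session_unset()/session_destroy() are only meaningful on an active
    // session; asking first avoids the warning the original silenced with @.
    // Before PHP 5.4 there is no session_status(), keep the unconditional call.
    $sessionActive = function_exists('session_status')
        ? (session_status() === PHP_SESSION_ACTIVE)
        : true;
    if ($sessionActive) {
        session_unset();
        session_destroy();
    }
}

// Builds the SQL statement that records one more failed login for $sIp in
// failed_login_attempts: an UPDATE (attempt counter +1, timestamp refreshed)
// when a row for that address already exists ($la true), otherwise an INSERT
// of a fresh row with number_attempts = 1. Only the query string is returned;
// the caller executes it and handles the error.
//
// $la   - true when the caller already found a failed_login_attempts row for $sIp
// $sIp  - client address being throttled. It is placed in the query quoted,
//         never raw: where it comes from (REMOTE_ADDR or a forwarded header) is
//         not visible here, and a crafted value would otherwise change the
//         statement.
// $db   - optional ADOdb connection whose qstr() does the quoting; when omitted
//         the global $db is used. With no connection at all the value is
//         accepted only if it is a syntactically valid IPv4/IPv6 address.
//
// Throws InvalidArgumentException when no connection is available and $sIp is
// not a valid IP address.
// NOTE(review): the SELECT and DELETE on failed_login_attempts in the login
// branch above still interpolate $sIp unquoted ("WHERE ip='$sIp'"); they need
// the same quoting.
function fGetLoginAttemptUpdateQry($la, $sIp, $db = null)
{
    if ($db === null && isset($GLOBALS['db']) && is_object($GLOBALS['db'])) {
        $db = $GLOBALS['db'];
    }

    if (is_object($db) && method_exists($db, 'qstr')) {
        // Driver-aware quoting, the same helper the login code uses for the username.
        $quotedIp = $db->qstr($sIp);
    } else {
        // Nothing to quote with: only a real IP literal is safe to inline, since
        // it can consist of nothing but hex digits, dots and colons.
        if (!is_string($sIp) || filter_var($sIp, FILTER_VALIDATE_IP) === false) {
            throw new InvalidArgumentException('fGetLoginAttemptUpdateQry: not a valid IP address');
        }
        $quotedIp = "'" . $sIp . "'";
    }

    // Server clock formatted for a DATETIME column; the login code reads it
    // back with strtotime() and compares it against time() on the same clock.
    $timestamp = date("Y-m-d H:i:s");

    if ($la) {
        return "UPDATE failed_login_attempts"
            . " SET number_attempts=number_attempts+1, last_attempt = '$timestamp' WHERE ip=" . $quotedIp;
    }
    return "INSERT INTO failed_login_attempts(ip, number_attempts,last_attempt)"
        . " VALUES(" . $quotedIp . ",1,'$timestamp')";
}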