<?php
/*
* ITMS ValleyData source file version 1.0 May 11, 2001
*
* Responsible for making sure the user is always authenticated
*
* Behavior: This code segment is intended to be included on a page.
* It will check to see if the user has logged in (info stored in cookie)
* If they are logged in, then update the expirationtime and checksum cookies.
* If they are just pretending to be logged in, log them out, and notify the administrator.
* If they are not logged in, then present them with the login box.
* If they enter the right info in the box, then set the cookies.
* If they enter the wrong info in the box, then show them the box again.
* If they don't enter anything in the box, then send them away (to logout.php?).
*
*
* Info to store in cookie regarding login:
* username
* expirationtime
* isAdmin
* checksum = md5(password+username+expirationtime+isAdmin+"junk")?
*
*
* References:
* http://www.php.net/manual/en/function.header.php
* http://www.php.net/manual/en/features.http-auth.php
* http://www.php.net/manual/en/features.cookies.php
*
* Note: Don't forget to clean ALL user input. That includes input sent via the username/password dialog box!
*
*
* Internet Task Management System: An online system used for recording information about and assigning tasks and processes.
* Copyright (C) 2001 ValleyData Programming Group
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
* See file named "gpl.txt" included with source code or
* visit http://www.gnu.org/copyleft/gpl.txt on the internet.
*/
//$user = $PHP_AUTH_USER;
//$pass = $PHP_AUTH_PW;
// Register-globals emulation: every key of $_REQUEST (GET, POST and, depending on
// request_order, COOKIE) and then of $_SERVER becomes a global variable, and an
// existing variable of the same name is overwritten (extract()'s default mode).
// NOTE(review): the login functions below read $uid, $isAdmin, $hash, $user and
// $pass from these globals and the driver at the bottom reads $ENABLE_LDAP and
// $SECURE_COOKIES, so all of them can be supplied or replaced by any request
// parameter, not only by the cookies they are meant to come from. Reading just the
// expected keys from $_COOKIE / $_POST would close that; left unchanged here because
// pages that include this file may rely on the other extracted globals.
extract($_REQUEST); //Added 5/16/2003 by Matt Palmerlee for ITMS Build 110 (Register Globals Fix)
// $_SERVER is extracted last so its keys (e.g. $PHP_SELF, interpolated into the
// login page below) win over same-named request parameters.
extract($_SERVER); //Added 5/16/2003 by Matt Palmerlee for ITMS Build 110 (Register Globals Fix)
//to log an ITMS user in through the DB alone (using the ldap table)
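/**
 * Log an ITMS user in against the database alone: the users table supplies the
 * account row and admin flag, the ldap table supplies the crypt()ed password.
 *
 * Two cases, as in the original:
 *  - a login cookie set is already present ($uid / $isAdmin / $hash globals):
 *    accept it only when the "timer" cookie is "on" and the presented $hash
 *    matches the recomputed checksum, otherwise expire every login cookie;
 *  - no cookie set: look the account up, verify the password and, on success,
 *    populate the globals the including page turns into cookies.
 *
 * @param string|null $username raw username from the request (cleaned here)
 * @param string|null $password raw password from the request (cleaned here)
 * @return bool true when the user is authenticated, false otherwise
 *
 * Side effects: sets globals $uid and $isAdmin on a fresh login, expires the
 * login cookies on a failed checksum, updates users.last_logged_in, and reports
 * failures via message_box()/error_out().
 */
function db_login_user($username, $password)
{
    global $isAdmin;
    global $uid;
    global $hash;
    global $SECURE_COOKIES; // was read without `global`, so $SSL was always 0 here

    $user = make_clean($username);
    $pass = make_clean($password);

    if (isset($uid) || isset($isAdmin) || isset($hash)) { // a login cookie set is present
        // $_COOKIE replaces $HTTP_COOKIE_VARS, which no longer exists on PHP >= 5.4;
        // the "timer" cookie itself is set elsewhere, outside this file.
        $timerOn = isset($_COOKIE["timer"]) && $_COOKIE["timer"] === "on";
        // The checksum covers values the client supplies plus a constant that lives
        // in this source file, so it detects corruption rather than proving origin;
        // hash_equals() keeps the comparison strict (no loose string/number
        // juggling) and constant-time.
        $expected = md5($user.$uid.$isAdmin.$pass."alk4d");
        if ($timerOn && is_string($hash) && hash_equals($expected, $hash)) {
            return true;
        }
        // Stale or inconsistent login cookies: expire all of them, with the same
        // Secure flag they were issued with.
        $SSL = ($SECURE_COOKIES == "true") ? 1 : 0;
        foreach (["user", "pass", "isAdmin", "uid", "hash"] as $cookieName) {
            setcookie($cookieName, "", time() - 360000, "", "", $SSL);
        }
        return false;
    }

    // No login cookies: authenticate against the database.
    db_open();
    db_use();
    // NOTE(review): $user is interpolated into SQL, so this relies entirely on
    // make_clean() neutralising quote characters - confirm, or switch to a
    // parameterised query if db_query() offers one.
    $query = "SELECT uid, isadmin FROM users WHERE name = '$user'";
    $result = db_query($query); // the user's account row
    $row = db_fetch_row($result);
    if (!$row) {
        if ($user != "") {
            // Same message as for a wrong password, so the two cases are indistinguishable.
            message_box("Incorrect Username and/or Password", "error");
            error_out("Password didn't match for user: " . $user, "LOG_INFO");
        }
        return false;
    }

    $uid = $row["uid"];
    $query = "SELECT * FROM ldap WHERE name = '$user'";
    $result = db_query($query); // the crypt()ed password lives in the ldap table
    if (!$result) {
        error_out("Couldn't Query LDAP table", "LOG_INFO");
        return false;
    }
    $ldap_row = db_fetch_row($result);
    $cryptpass = ($ldap_row && isset($ldap_row["password"])) ? $ldap_row["password"] : null;
    // Passing the stored hash itself as the salt reproduces the original 2-char DES
    // salt behaviour and also accepts the other crypt() formats; hash_equals() keeps
    // the comparison strict and constant-time. A missing or empty hash never matches.
    $passwordOk = is_string($cryptpass) && $cryptpass !== ""
        && hash_equals($cryptpass, crypt($pass, $cryptpass));
    if (!$passwordOk) {
        message_box("Incorrect Username and/or Password", "error");
        error_out("Password didn't match for user: " . $user, "LOG_INFO");
        return false;
    }

    if ($row["isadmin"]) {
        $isAdmin = true;
    }
    // NOW() must be unquoted to be the SQL function; 'NOW()' was a string literal.
    $query_update = "UPDATE users SET last_logged_in=NOW() WHERE uid='$uid'";
    db_query($query_update);
    return true;
}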
//to log an ITMS user in through the LDAP directory as well as the DB
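/**
 * Log an ITMS user in through the LDAP directory (password) and the database
 * (account row, admin flag, last_logged_in).
 *
 * Two cases, as in db_login_user():
 *  - a login cookie set is already present ($uid / $isAdmin / $hash globals):
 *    accept it only when the "timer" cookie is "on" and the presented $hash
 *    matches the recomputed checksum, otherwise expire every login cookie;
 *  - no cookie set: look the account up in the users table, read the crypt()ed
 *    password from the directory entry "cn=<user>, $LDAP_BASE_DN", verify it
 *    and, on success, populate the globals the including page turns into cookies.
 *
 * @param string|null $username raw username from the request (cleaned here)
 * @param string|null $password raw password from the request (cleaned here)
 * @return bool true when the user is authenticated, false otherwise
 *
 * Side effects: sets globals $uid and $isAdmin on a fresh login, expires the
 * login cookies on a failed checksum, updates users.last_logged_in, echoes a
 * heading when the directory is unreachable, and reports failures via
 * message_box()/error_out().
 */
function ldap_login_user($username, $password)
{
    global $isAdmin;
    global $uid;
    global $hash;
    global $LDAP_SERVER_ADDRESS;
    global $LDAP_SERVER_PORT;
    global $LDAP_BASE_DN;
    global $SECURE_COOKIES; // was read without `global`, so $SSL was always 0 here

    $user = make_clean($username);
    $pass = make_clean($password);

    if (isset($uid) || isset($isAdmin) || isset($hash)) { // a login cookie set is present
        // $_COOKIE replaces $HTTP_COOKIE_VARS, which no longer exists on PHP >= 5.4;
        // the "timer" cookie itself is set elsewhere, outside this file.
        $timerOn = isset($_COOKIE["timer"]) && $_COOKIE["timer"] === "on";
        // The checksum covers values the client supplies plus a constant that lives
        // in this source file, so it detects corruption rather than proving origin;
        // hash_equals() keeps the comparison strict and constant-time.
        $expected = md5($user.$uid.$isAdmin.$pass."alk4d");
        if ($timerOn && is_string($hash) && hash_equals($expected, $hash)) {
            return true;
        }
        // Stale or inconsistent login cookies: expire all of them, with the same
        // Secure flag they were issued with.
        $SSL = ($SECURE_COOKIES == "true") ? 1 : 0;
        foreach (["user", "pass", "isAdmin", "uid", "hash"] as $cookieName) {
            setcookie($cookieName, "", time() - 360000, "", "", $SSL);
        }
        return false;
    }

    // No login cookies: authenticate the user.
    db_open();
    db_use();
    // NOTE(review): $user is interpolated into SQL, so this relies entirely on
    // make_clean() neutralising quote characters - confirm, or switch to a
    // parameterised query if db_query() offers one.
    $query = "SELECT uid, isadmin FROM users WHERE name = '$user'";
    $result = db_query($query); // the user's account row
    $row = db_fetch_row($result);
    if (!$row) {
        if ($user != "") {
            // Same message as for a wrong password, so the two cases are indistinguishable.
            message_box("Incorrect Username and/or Password", "error");
            error_out("Password didn't match for user: " . $user, "LOG_INFO");
        }
        return false;
    }
    $uid = $row["uid"];

    // Fetch the crypt()ed password from the directory; any failure along the way
    // leaves $cryptpass null, which fails the comparison below.
    $cryptpass = null;
    $ds = ldap_connect($LDAP_SERVER_ADDRESS, $LDAP_SERVER_PORT); // must be a valid LDAP server!
    if (!$ds) {
        echo "<h4>Unable to connect to LDAP server</h4>";
    } else {
        // Anonymous bind, typically read-only access. Its result used to be ignored;
        // a failed bind now just skips the search instead of passing a bad handle on.
        if (ldap_bind($ds)) {
            // The user name becomes part of a DN, so it is escaped for that context
            // rather than interpolated raw.
            $dn = "cn=" . ldap_escape((string) $user, "", LDAP_ESCAPE_DN) . ", " . $LDAP_BASE_DN;
            $sr = ldap_search($ds, $dn, "(objectclass=person)");
            if ($sr) {
                $info = ldap_get_entries($ds, $sr);
                if (isset($info[0]["password"][0])) {
                    $cryptpass = $info[0]["password"][0];
                }
            }
        }
        ldap_close($ds);
    }

    // Passing the stored hash itself as the salt reproduces the original 2-char DES
    // salt behaviour and also accepts the other crypt() formats; hash_equals() keeps
    // the comparison strict and constant-time. A missing or empty hash never matches.
    $passwordOk = is_string($cryptpass) && $cryptpass !== ""
        && hash_equals($cryptpass, crypt($pass, $cryptpass));
    if (!$passwordOk) {
        message_box("Incorrect Username and/or Password", "error");
        error_out("Password didn't match for user: " . $user, "LOG_INFO");
        return false;
    }

    if ($row["isadmin"]) {
        $isAdmin = true;
    }
    // Re-opened as in the original, since the directory round-trip sits between
    // the two database uses.
    db_open();
    db_use();
    // NOW() must be unquoted to be the SQL function; 'NOW()' was a string literal.
    $query_update = "UPDATE users SET last_logged_in=NOW() WHERE uid='$uid'";
    db_query($query_update);
    return true;
}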
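// The login page. $PHP_SELF (from $_SERVER) and the logo dimensions are interpolated
// into HTML attributes and into a JavaScript string literal, so they are HTML-escaped
// first: an unescaped $PHP_SELF reflects request-path content into the page and is a
// classic cross-site-scripting sink. For normal values (a script path, two integers)
// the escaped output is identical to the raw one.
// Note on the page script: login() stores the typed user name and password in
// client-side cookies and reloads; that cookie protocol is what the login functions
// above verify, so it is kept as is.
$SELF_HTML = isset($PHP_SELF) ? htmlspecialchars($PHP_SELF, ENT_QUOTES) : "";
$LOGO_W_HTML = isset($LOGO_WIDTH_LOGIN) ? htmlspecialchars($LOGO_WIDTH_LOGIN, ENT_QUOTES) : "";
$LOGO_H_HTML = isset($LOGO_HEIGHT_LOGIN) ? htmlspecialchars($LOGO_HEIGHT_LOGIN, ENT_QUOTES) : "";
$LOGIN_HTML = <<<EOP
<html>
<head>
<title>ITMS Login</title>
<link rel="stylesheet" type="text/css" href="itms.css">
<SCRIPT LANGUAGE="JavaScript">
<!--
function login()
{
document.cookie = "user=" + document.login_form.user.value;
document.cookie = "pass=" + document.login_form.pass.value;
document.location = "{$SELF_HTML}";
return true;
}
//-->
</SCRIPT>
</head>
<body onload="document.login_form.user.focus()">
<form name="login_form" method="post" action="{$SELF_HTML}">
<div align=center>
<IMG src="images/itms_login.jpg" WIDTH="{$LOGO_W_HTML}" HEIGHT="{$LOGO_H_HTML}" border=0 alt="ITMS">
<br>
<IMG SRC="images/itms_login_long.jpg" WIDTH="400" HEIGHT="41" BORDER=0 ALT="">
<table>
<tr>
<td>
Username:<input type="text" name="user" size="45">
</td>
</tr>
<tr>
<td>
Password:<input type="password" name="pass" size="45">
</td>
</tr>
<tr>
<td class="menu-selected">
<input type="button" value="Login" onClick="login();">
</td>
</tr>
<tr>
<td class="table-separator-even">
<div align="center">
<font COLOR="#003399" size="1">
ITMS version 1.0 Copyright © 2001, ValleyData Programming Group<br>
ITMS comes with ABSOLUTELY NO WARRANTY;<br>
This is free software, and you are welcome to redistribute it
under certain conditions;<br>
Please see the gpl.txt file for more info<br>
</font>
</div>
</td>
</tr>
</table>
</div>
</form>
</body>
</html>
EOP;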
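// Driver for the including page: authenticate through the configured back end,
// and either refresh the login cookies or show the login page and stop.
// Both back ends share the same cookie contract, so the cookie handling is
// written once instead of duplicated per branch.
$loggedIn = ($ENABLE_LDAP == "true")
    ? ldap_login_user($user, $pass) // ensure the user is logged in through LDAP
    : db_login_user($user, $pass);  // ensure the user is logged in through DB

if (!$loggedIn) {
    // Not (or no longer) authenticated: show the login page and stop the including page.
    print($LOGIN_HTML);
    exit;
}

$SSL = ($SECURE_COOKIES == "true") ? 1 : 0;
// The admin flag is normalised to the string both the cookie and the checksum end
// up with anyway (true -> "1", unset -> ""), instead of handing null to setcookie().
$adminFlag = isset($isAdmin) ? (string) $isAdmin : "";
// Session cookies (expire 0). HttpOnly keeps page scripts from reading the login
// data back; the login page's script writes the user/pass cookies only while no
// server-issued ones exist (the login functions expire them on failure), so the flag
// does not interfere with it. NOTE(review): if any other page clears these cookies
// from JavaScript rather than with setcookie(), drop the flag there first.
// "pass" still carries the password itself - that is the existing cookie protocol
// the login functions verify, and it cannot change on this side alone.
setcookie("user", $user, 0, "", "", $SSL, true);
setcookie("pass", $pass, 0, "", "", $SSL, true);
setcookie("isAdmin", $adminFlag, 0, "", "", $SSL, true);
setcookie("uid", $uid, 0, "", "", $SSL, true);
// Checksum the login functions recompute on the next request; its trailing
// constant is in this source file, so it is an integrity check, not a secret key.
setcookie("hash", md5($user.$uid.$adminFlag.$pass."alk4d"), 0, "", "", $SSL, true);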
?>