forked from lirantal/daloradius
-
Notifications
You must be signed in to change notification settings - Fork 0
/
dologin.php
85 lines (70 loc) · 3.62 KB
/
dologin.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
<?php
/*
*********************************************************************************************************
* daloRADIUS - RADIUS Web Platform
* Copyright (C) 2007 - Liran Tal <liran@enginx.com> All Rights Reserved.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
*********************************************************************************************************
* Description:
* performs the logging-in authorization. First creates a random session_id to be assigned to this session and then
* validates the operators credentials in the database
*
* Authors: Liran Tal <liran@enginx.com>
*
*********************************************************************************************************
*/
// first we create a random session key
$REMOTE_ADDR = $_SERVER['REMOTE_ADDR']; // get client ip address
srand((double)microtime()*1000000 ); // initialize random seed
$rand = rand(1,9); // generate a random number between 1 to 9
$session_id = $rand.substr(md5($REMOTE_ADDR), 0, 11+$rand); /* append the random number to the beginning
of the session_id string followed by a substring of the md5 ip address hash with a dynamic length of anything between 11 to 16 digits (the max length of
the md5 hash) */
$session_id .= substr(md5(rand(1,1000000)), rand(1,32-$rand), 21-$rand); // further add a dynamic length digits to
// to the session_id string composed of the
// md5 hash for random number
session_id($session_id); // apply the session_id that we created
//session_set_cookie_params(3600); // deprecated, unsupported in older IE browsers, set's the session timeout
// to 3600 seconds (1 hour)
ini_set('session.gc_maxlifetime', 60*60); // replaces the session_set_cookie_params directive
session_start(); // initiate the session
$errorMessage = '';
$location_name = $_POST['location']; // we need to set location name session variable before opening the database
$_SESSION['location_name'] = $location_name; // since the whole point is to authenticate to a spefific pre-defined database server
include 'library/opendb.php';
$operator_user = $dbSocket->escapeSimple($_POST['operator_user']);
$operator_pass = $dbSocket->escapeSimple($_POST['operator_pass']);
// check if the user id and password combination exist in database
$sql = "SELECT id, username FROM ".$configValues['CONFIG_DB_TBL_DALOOPERATORS']." WHERE username = '".
$operator_user."' AND password = '".$operator_pass."'";
$res = $dbSocket->query($sql);
if ($res->numRows() == 1) {
// the user id and password match,
// set the session
$row = $res->fetchRow(DB_FETCHMODE_ASSOC);
$operator_id = $row['id'];
$_SESSION['daloradius_logged_in'] = true;
$_SESSION['operator_user'] = $operator_user;
$_SESSION['operator_id'] = $operator_id;
// lets update the lastlogin time for this operator
$date = date("Y-m-d H:i:s");
$sql = "UPDATE ".$configValues['CONFIG_DB_TBL_DALOOPERATORS']." SET lastlogin='$date' WHERE username='$operator_user'";
$res = $dbSocket->query($sql);
// after login we move to the main page
header('Location: index.php');
exit;
} else {
header('Location: login.php?error=an error occured');
exit;
}
include 'library/closedb.php';
?>