<?php
/*********************************************************************
login.php
User and client Login
Copyright (c) 2012-2014 Katak Support
http://www.katak-support.com/
Released under the GNU General Public License WITHOUT ANY WARRANTY.
Derived from osTicket v1.6 by Peter Rotich.
See LICENSE.TXT for details.
$Id: $
**********************************************************************/
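require_once('main.inc.php');
if (!defined('INCLUDE_DIR')) die(_('Fatal error!'));
define('USERINC_DIR', INCLUDE_DIR . 'user/');
define('KTKUSERINC', true); // make includes happy

// Pick the login form to render: the plain e-mail + ticket-number form, or the
// username/password form when the configuration requires registered clients to log in.
$inc = $cfg->getUserLogRequired() ? 'clientlogin.inc.php' : 'login.inc.php';

// Page-level error bag. Both login branches below test `!$errors` and write
// `$errors['err']`, so it must exist as an (empty) array before either runs;
// without this the first `!$errors` read is an undefined variable.
$errors = array();
$loginmsg = _('Authentication Required');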
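// User login: the e-mail on a ticket plus that ticket's external number act as the
// credential pair (the ticket number is the "password").
if ($_POST && (!empty($_POST['lemail']) && !empty($_POST['lticket']))):
    $email    = trim($_POST['lemail']);
    $ticketID = trim($_POST['lticket']);
    //$_SESSION['_user']=array(); #Uncomment to disable login strikes.

    // Until a login succeeds the page shows a generic failure; the message
    // deliberately does not say which of the two submitted values was wrong.
    $loginmsg = _('Invalid login');

    // Strike bookkeeping lives in the session. Guard the reads so a fresh session
    // (no '_user' entry yet) does not raise undefined-index notices.
    $laststrike = isset($_SESSION['_user']['laststrike']) ? $_SESSION['_user']['laststrike'] : null;
    $strikes    = isset($_SESSION['_user']['strikes']) ? (int) $_SESSION['_user']['strikes'] : 0;

    // Check the time of the last max-failed-login strike: still inside the lockout window?
    if ($laststrike) {
        if ((time() - $laststrike) < $cfg->getClientLoginTimeout()) {
            $loginmsg = _('Excessive failed login attempts');
            $errors['err'] = _('You\'ve reached maximum failed login attempts allowed. Try again later or <a href="open.php">open a new ticket</a>');
        } else { // Timeout is over: reset the counter for the next round of attempts.
            $_SESSION['_user']['laststrike'] = null;
            $_SESSION['_user']['strikes'] = 0;
            $strikes = 0;
        }
    }

    // Resolve the external ticket number to a local id; only then load the ticket.
    // Nothing is looked up while the lockout error is set.
    if (!$errors && is_numeric($ticketID) && Validator::is_email($email)
            && ($tid = Ticket::getIdByExtId($ticketID))) {
        // At this point we know that a ticket with the given number exists.
        $ticket = new Ticket($tid);
        //TODO: 1) Check how old the ticket is...3 months max?? 2) Must be the latest 5 tickets??
        // The e-mail on file must match the one submitted (case-insensitive).
        if ($ticket->getId() && strcasecmp($ticket->getEMail(), $email) == 0) {
            // Valid match. Issue a fresh session id BEFORE storing the authenticated
            // state so a session id the client held before login is not kept
            // (session fixation). The original called session_regenerate_id() after
            // session_write_close(), where the session is no longer active and the
            // call does nothing.
            session_regenerate_id(true);
            $user = new UserSession($email, $ticket->getId());
            $_SESSION['_user'] = array(); // clear strike state
            $_SESSION['_user']['userID'] = $ticket->getEmail(); // Email
            $_SESSION['_user']['key']    = $ticket->getExtId(); // Ticket ID -- acts as password when paired with the email.
            $_SESSION['_user']['token']  = $user->getSessionToken();
            $_SESSION['TZ_OFFSET'] = $cfg->getTZoffset();
            $_SESSION['daylight']  = $cfg->observeDaylightSaving();
            // Log login info...
            $msg = sprintf("%s/%s " . _("logged in"), $ticket->getEmail(), $ticket->getExtId());
            Sys::log(LOG_DEBUG, 'User login', $msg, $ticket->getEmail());
            // Persist the session, then redirect to tickets.php.
            session_write_close();
            @header("Location: tickets.php");
            require_once('tickets.php'); // Just in case of a "headers already sent" error.
            exit;
        }
    }

    // If we get to this point we know the login failed.
    $strikes += 1;
    $_SESSION['_user']['strikes'] = $strikes;
    if (!$errors && $strikes > $cfg->getClientMaxLogins()) {
        $loginmsg = _('Access Denied'); // was the only untranslated message in this file
        $errors['err'] = _('Forgot your login info? Please <a href="open.php">open a new ticket</a>.');
        $_SESSION['_user']['laststrike'] = time();
        $alert = _('Excessive login attempts by a user') . "\n\n" .
            _('Email') . ': ' . $email . "\n" .
            _('Ticket No.') . ': ' . $ticketID . "\n" .
            'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n" .
            _('Time') . ": " . date('M j, Y, g:i a T') . "\n" .
            _('Attempts No.') . ' ' . $strikes;
        Sys::log(LOG_ALERT, 'Excessive login attempts (user)', $alert, $email, ($cfg->alertONLoginError()));
    } elseif ($strikes % 2 == 0) { // Log every other failed login attempt as a warning.
        $alert = _('Failed login attempts by a user') . "\n\n" .
            _('Email') . ': ' . $email . "\n" .
            _('Ticket No.') . ' ' . $ticketID . "\n" .
            _('Attempts No.') . ' ' . $strikes;
        Sys::log(LOG_WARNING, 'Failed login attempt (user)', $alert, $email);
    }
endif;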
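// Client login: registered clients authenticate with username (e-mail) and password.
if ($_POST && (!empty($_POST['username']) && !empty($_POST['passwd']))):
    $email = trim($_POST['username']);
    //$_SESSION['_user']=array(); #Uncomment to disable login strikes.

    // Generic failure message until a login succeeds.
    $loginmsg = _('Invalid login');

    // Strike bookkeeping lives in the session. Guard the reads so a fresh session
    // (no '_user' entry yet) does not raise undefined-index notices.
    $laststrike = isset($_SESSION['_user']['laststrike']) ? $_SESSION['_user']['laststrike'] : null;
    $strikes    = isset($_SESSION['_user']['strikes']) ? (int) $_SESSION['_user']['strikes'] : 0;

    // Check the time of the last max-failed-login strike: still inside the lockout window?
    if ($laststrike) {
        if ((time() - $laststrike) < $cfg->getClientLoginTimeout()) {
            $loginmsg = _('Excessive failed login attempts');
            $errors['err'] = _('You\'ve reached maximum failed login attempts allowed. Try again later.');
        } else { // Timeout is over: reset the counter for the next round of attempts.
            $_SESSION['_user']['laststrike'] = null;
            $_SESSION['_user']['strikes'] = 0;
            $strikes = 0;
        }
    }

    // Check the password (skipped while the lockout error is set).
    if (!$errors && ($thisuser = new ClientSession($_POST['username'])) && $thisuser->check_passwd($_POST['passwd'])) {
        // Issue a fresh session id BEFORE storing the authenticated state so a
        // session id the client held before login is not kept (session fixation).
        // The original called session_regenerate_id() after session_write_close(),
        // where the session is no longer active and the call does nothing.
        session_regenerate_id(true);
        $_SESSION['_user'] = array(); // clear strike state
        $_SESSION['_user']['userID'] = $thisuser->getEmail(); // Email
        $_SESSION['_user']['key']    = $thisuser->getId();    // Client ID (the user branch stores the ticket id in this slot)
        $_SESSION['_user']['token']  = $thisuser->getSessionToken();
        $_SESSION['TZ_OFFSET'] = $cfg->getTZoffset();
        $_SESSION['daylight']  = $cfg->observeDaylightSaving();
        // Update last login
        $thisuser->update_lastlogin($thisuser->getId());
        // Log login info...
        $msg = sprintf("%s/%s " . _("logged in"), $thisuser->getEmail(), $thisuser->getId());
        Sys::log(LOG_DEBUG, 'Client login', $msg, $thisuser->getEmail());
        // Persist the session, then redirect to tickets.php.
        session_write_close();
        @header("Location: tickets.php");
        require_once('tickets.php'); // Just in case of a "headers already sent" error.
        exit;
    }

    // If we get to this point we know the login failed.
    $strikes += 1;
    $_SESSION['_user']['strikes'] = $strikes;
    // The submitted password is deliberately NOT written into either alert below.
    // The original logged it in clear text; a mistyped or reused password is still
    // a secret, and the log/alert mail is far less protected than the password store.
    if (!$errors && $strikes > $cfg->getClientMaxLogins()) {
        $loginmsg = _('Access Denied');
        $errors['err'] = _('Forgot your login info? Please ask at the customer service.');
        $_SESSION['_user']['laststrike'] = time();
        $alert = _('Excessive login attempts by a client') . "\n\n" .
            _('Email') . ': ' . $email . "\n" .
            'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n" .
            _('Time') . ": " . date('M j, Y, g:i a T') . "\n" .
            _('Attempts No.') . ' ' . $strikes;
        Sys::log(LOG_ALERT, 'Excessive login attempts (client)', $alert, $email, ($cfg->alertONLoginError()));
    } elseif ($strikes % 2 == 0) { // Log every other failed login attempt as a warning.
        $alert = _('Failed login attempts by a client') . "\n\n" .
            _('Email') . ': ' . $email . "\n" .
            _('Attempts No.') . ' ' . $strikes;
        Sys::log(LOG_WARNING, 'Failed login attempt (client)', $alert, $email);
    }
endif;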
// Render the page: shared user-area header, the login form chosen above ($inc), footer.
// No closing tag: this file ends in PHP, and a stray byte after `?>` would be sent as output.
foreach (array('header.inc.php', $inc, 'footer.inc.php') as $fragment) {
    require(USERINC_DIR . $fragment);
}