<?php
/*
Runner's Medium
http://www.runnersmedium.com/
signin.php
user signin and & auth using persistent cookies and throttled to 2 seconds
copyright 2009 Mark Baltrusaitis <http://josieprogramme.com>
*/
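require('lib/base.php');
// already signed in? go home
if ($user->signinCheck()) {
    redirect(home());
}
$username = null;
$password = null;
$rememberme = false;
if (isset($_POST['action']) && $_POST['action'] === 'Sign In') {
    // post vars -- accept only plain strings; a "username[]=x" request would
    // otherwise hand an array to mysql_real_escape_string() / md5()
    if (isset($_POST['username']) && is_string($_POST['username'])) {
        $username = $_POST['username'];
    }
    if (isset($_POST['password']) && is_string($_POST['password'])) {
        $password = $_POST['password'];
    }
    if (isset($_POST['rememberme']) && $_POST['rememberme'] === '1') {
        $rememberme = true;
    }
    // escape (the $conn wrapper from lib/base.php exposes no prepared-statement
    // API here, so the file's escaping convention is kept)
    $sqlusername = mysql_real_escape_string((string) $username);
    // look the account up by username or email, throttled to one attempt per
    // 2 seconds. lastfail IS NULL is accepted explicitly: in MySQL NULL < x is
    // NULL (false), so an account that has never failed a login could otherwise
    // never sign in if the column allows NULL
    $line = null;
    if ($username !== null && $password !== null) {
        $result = $conn->query("SELECT id, username, units, password FROM users
            WHERE (username = '$sqlusername' OR email = '$sqlusername')
            AND (lastfail IS NULL OR lastfail < ADDTIME(NOW(), -2)) LIMIT 1");
        if ($conn->rowCount($result) == 1) {
            $candidate = $conn->fetchAssoc($result);
            $stored = (string) $candidate['password'];
            // the password check lives in PHP, not in the WHERE clause, so that
            // (a) the legacy comparison is constant-time (hash_equals) and
            // (b) password_hash() output is accepted next to the unsalted MD5 the
            // existing rows hold. strtolower() keeps MySQL's case-insensitive
            // string '=' semantics for those legacy rows. Hashes are NOT rewritten
            // here: a bcrypt hash is 60 chars and users.password may be sized for
            // 32-char MD5 -- widen it to VARCHAR(255) first, then rehash on
            // successful sign-in (TODO)
            if (password_verify($password, $stored)
                || hash_equals(strtolower($stored), md5($password))) {
                $line = $candidate;
            }
        }
    }
    if ($line !== null) {
        $userid = (int) $line['id'];
        if ($rememberme) {
            // secondary identifier + token so neither username nor password is
            // stored in the cookie. cookieid is a deterministic lookup key; the
            // token is the actual secret
            $salt = 'BALTRUSAITIS';
            $cookieid = md5($salt . md5($line['username'] . $salt));
            // 128 bits from a CSPRNG; md5(uniqid(rand(), true)) was guessable.
            // 16 bytes -> 32 hex chars, the same width as the old md5 token, so
            // the users.token column needs no change
            $token = bin2hex(function_exists('random_bytes') ? random_bytes(16) : openssl_random_pseudo_bytes(16));
            // update last login and store cookieid & token in one query.
            // NOTE(review): the token is stored in clear; whatever in lib/base.php
            // checks the cookie would have to change before a hash could be stored instead
            $conn->query('UPDATE users SET lastlogin = CURDATE(), cookie = \''.mysql_real_escape_string($cookieid).'\', token = \''.mysql_real_escape_string($token).'\' WHERE id = '.$userid.' LIMIT 1');
            // expire in 1 week
            $timeout = time() + 60 * 60 * 24 * 7;
            // path '/' is what the old call got by default for a file at the site
            // root; HttpOnly keeps the token away from script, Secure is set when
            // this request itself arrived over TLS
            $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
            setcookie('auth', $cookieid.':'.$token, $timeout, '/', '', $secure, true);
        } else {
            // just update last login
            $conn->query('UPDATE users SET lastlogin = CURDATE() WHERE id = '.$userid.' LIMIT 1');
        }
        // NOTE(review): if $user->signin() does not rotate the session id, call
        // session_regenerate_id(true) before it to close session fixation -- confirm in lib/base.php
        // call user signin, this redirects the user
        $user->signin($line['id'], $line['username'], home(), $line['units']);
    } else {
        // signin failed -- one generic message for unknown account, wrong password
        // and throttled attempt alike, so the response does not reveal which names exist
        $error = 'your username and/or password were incorrect';
        // update last failure column to throttle logins
        $conn->query("UPDATE users SET lastfail = NOW() WHERE username = '$sqlusername' OR email = '$sqlusername' LIMIT 1");
    }
}
// output buffered header xhtml
$title = 'Runner\'s Medium - Signin';
require('header.php');
?>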
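<div id="content">
<h2>Sign In</h2>
<?php
// echo any messages. Both are HTML-escaped on the way out: $error is set above
// in this file, $message (if set at all) comes from an included file, so neither
// is trusted to be markup-safe. NOTE(review): if $message is meant to carry HTML
// (a link, say) its producer should escape it and this should echo it raw -- confirm
if (isset($error)) {
    echo '<div id="error"><span class="oops">Oops</span> '.htmlspecialchars($error, ENT_QUOTES, 'UTF-8').'</div>';
} else if (isset($message)) {
    echo '<div id="message"><span class="ok">Okay</span> '.htmlspecialchars($message, ENT_QUOTES, 'UTF-8').'<a class="close" onclick="closeMessage();">x</a></div>';
}
// NOTE(review): the form below carries no anti-CSRF token, so a third-party page
// can submit a sign-in on the visitor's behalf (login CSRF); add one once a
// per-session nonce is available from lib/base.php
?>
<form action="" method="post" id="signinform">
<fieldset>
<label for="username">Username or Email</label>
<input name="username" id="username" type="text" />
<label for="password">Password</label>
<input name="password" id="password" type="password" />
<?php
// keep the box ticked when a failed attempt had it ticked
$check = $rememberme ? 'checked="checked"' : '';
?>
<br class="clear" />
<input name="rememberme" id="rememberme" type="checkbox" value="1" class="check" <?php echo $check; ?> />
<label class="check" for="rememberme">Remember me</label>
<input name="action" type="submit" id="signinbtn" value="Sign In" class="button" />
</fieldset>
</form>
<p>
Have you <a href="<?php echo lost(); ?>">lost your password?</a>
</p>
</div>
<?php
// output buffered footer xhtml
require('footer.php');
?>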