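* @copyright 2009 Deon George
 * @link http://osb.leenooks.net
 *
 * @link http://www.agileco.com/
 * @copyright 2004-2008 Agileco, LLC.
 * @license http://www.agileco.com/agilebill/license1-4.txt
 * @author Tony Landis
 * @package AgileBill
 * @subpackage Core:Login
 */

/**
 * The main AgileBill Login Class
 *
 * Authenticates a request against the account table, enforces the optional
 * login_lock (failed-attempt throttling by IP) and login_share (password
 * sharing detection) modules, and binds/unbinds the current session (SESS)
 * to an account.
 *
 * @package AgileBill
 * @subpackage Core:Login
 */
class CORE_login_handler {
	/**
	 * Login to OSB
	 *
	 * Validates the submitted credentials, refuses the login while a lock for
	 * this IP/account is active, rejects inactive or expired accounts, and on
	 * success records the account on the current session row and logs the
	 * attempt.
	 *
	 * @param array $VAR Request variables; reads $VAR['_username'] and $VAR['_password']
	 * @param bool $md5 When true, the submitted password is md5()'d before the lookup,
	 *                  matching how the account table stores passwords here. md5 is
	 *                  not a password hash; moving to password_hash() requires
	 *                  re-hashing every stored password, so it is left as-is.
	 * @return bool|null false on any failure; no value on success
	 */
	public function login($VAR,$md5=true) {
		global $C_translate, $C_debug;
		$db = &DB();

		# Both fields must be present and non-empty. empty() keeps the original
		# truthiness test but does not raise a notice when the key is missing.
		if (empty($VAR['_username']) || empty($VAR['_password'])) {
			$C_debug->alert($C_translate->translate('login_enter_both','',''));
			return false;
		}

		$pass = $md5 ? md5($VAR['_password']) : $VAR['_password'];

		# Look the account up by username AND password. The array-form where
		# clause is passed to sqlSelect() rather than interpolated, so the raw
		# request values never reach the SQL string directly.
		$rs = $db->Execute(
			sqlSelect('account','id,status,username,password,date_expire',
				array('where'=>array('username'=>$VAR['_username'],'password'=>$pass))));

		# Exactly one row must match. The previous test, `! $rs->RecordCount() == 1`,
		# bound as `(!RecordCount()) == 1` and therefore only rejected zero rows;
		# a 2+ row match was let through.
		if (! $rs || $rs->RecordCount() != 1) {
			$C_debug->alert($C_translate->translate('login_un_pw_failed','',''));

			# Log as a failed login. No account id is known yet, so the submitted
			# username is recorded in the account_id slot (existing behaviour).
			$this->lock_check($VAR,0,$VAR['_username']);

			return false;
		}

		# Get the account id
		$id = $rs->fields['id'];

		# Even a correct password is refused while a lock on this IP/account is active
		if ($this->locked($id)) {
			$C_debug->alert($C_translate->translate('login_locked','',''));
			return false;
		}

		# A missing or zero date_expire means the account does not expire
		if ($rs->fields['date_expire'] == 0 || ! $rs->fields['date_expire'])
			$date_expire = time()+99;
		else
			$date_expire = $rs->fields['date_expire'];

		# Check that it is an active account
		if ($rs->fields['status'] != 1 || $date_expire <= time()) {
			# Inactive account
			$C_debug->alert($C_translate->translate('login_inactive','',''));

			# Log as failed login
			$this->lock_check($VAR,0,$id);

			return false;
		}

		# Active account - check for password sharing if login_share module is installed
		include_once(PATH_CORE.'list.inc.php');
		$C_list = new CORE_list;

		if ($C_list->is_installed('login_share')) {
			include_once(PATH_MODULES.'login_share/login_share.inc.php');
			$share = new login_share;

			if (! $share->login($id,$VAR['_username'])) {
				# Shared account alert
				$C_debug->alert($C_translate->translate('shared_account','login_share',''));

				# Log as failed login
				$this->lock_check($VAR,0,$id);

				return false;
			}
		}

		# Set the expiry date of the login session
		$date_expire = time()+(SESSION_EXPIRE*60);

		# Bind the current session to this account
		$db->Execute(
			sqlUpdate($db,'session',array('ip'=>USER_IP,'date_expire'=>$date_expire,'logged'=>1,'account_id'=>$id),array('id'=>SESS)));

		# Delete any old sessions for this account, so only the current one stays
		# valid. $id comes from the account row and SESS is the server-side session
		# id; neither is request-controlled.
		$db->Execute(sqlDelete($db,'session',sprintf('account_id=%s AND id!="%s"',$id,SESS)));

		# Return logged in message
		$C_debug->alert($C_translate->translate('login_success','',''));

		# Tell the user when/where the previous successful login happened, so an
		# unexpected entry can be noticed.
		$rs = $db->Execute(
			sqlSelect('login_log','ip,date_orig',array('where'=>array('account_id'=>$id,'status'=>1),'orderby'=>'date_orig DESC','limit'=>1)));

		if ($rs && $rs->RecordCount())
			$C_debug->alert(
				str_replace('%DATE%',
					sprintf('%s %s',date(UNIX_DATE_FORMAT,$rs->fields['date_orig']),date(DEFAULT_TIME_FORMAT,$rs->fields['date_orig'])),
					str_replace('%IP%',sprintf('%s',$rs->fields['ip']),_('Last successful login was on %DATE% from %IP%'))));

		# Log the successful login
		$this->lock_check($VAR,1,$id);
	}

	/**
	 * Logout the current session
	 *
	 * Marks the session row for SESS as logged out and drops any cached
	 * authorisation decisions for it, so permissions are re-evaluated on the
	 * next login.
	 *
	 * @param array $VAR Request variables (unused)
	 */
	public function logout($VAR) {
		global $C_debug,$C_translate;
		$db = &DB();

		# Logout the current session by editing the database record
		$db->Execute(sqlUpdate($db,'session',array('logged'=>0),array('id'=>SESS)));

		# Delete any session caches!
		$db->Execute(sqlDelete($db,'session_auth_cache',array('session_id'=>SESS)));

		# logout success:
		$C_debug->alert($C_translate->translate('logout_success','',''));
	}

	/**
	 * Is there an active login lock for this IP (and optionally this account)?
	 *
	 * @todo this should move to login_lock.inc.php
	 *
	 * @param int $account_id Account id from the account row; when non-zero the
	 *                        lock must also be for this account. This is a
	 *                        server-side value, not request input.
	 * @return bool true when a login_lock row for USER_IP has not yet expired
	 */
	private function locked($account_id) {
		global $C_list;

		include_once(PATH_CORE.'list.inc.php');
		$C_list = new CORE_list;

		# Locking is only enforced when the login_lock module is installed
		if (! $C_list->is_installed('login_lock'))
			return false;

		$db = &DB();

		# The ::value:: wrapping appears to be the quoting marker understood by
		# this project's sql helpers — confirm against sqlSelect().
		$rs = $db->Execute(
			sqlSelect('login_lock','id',
				array('where'=>
					sprintf('ip=::%s:: AND date_expire>=%s %s',USER_IP,time(),$account_id ? sprintf('AND account_id=%s',$account_id) : ''))));

		return ($rs && $rs->RecordCount()) ? true : false;
	}

	/**
	 * Record a login attempt and, on repeated failures, lock the IP
	 *
	 * Every call inserts a login_log row. For failed attempts, when the
	 * login_lock module is installed, the failures from USER_IP within the last
	 * LOGIN_ATTEMPT_TIME minutes are counted and, once they reach
	 * LOGIN_ATTEMPT_TRY, a login_lock row for the IP is created that lasts
	 * LOGIN_ATTEMPT_LOCK minutes.
	 *
	 * @todo this should move to login_lock.inc.php
	 *
	 * @param array $VAR Request variables (unused)
	 * @param int $status 1 for a successful login, 0 for a failure
	 * @param mixed $account_id Account id, or the submitted username when no
	 *                          account matched (see login())
	 * @return bool|null true when nothing further needs checking; no value otherwise
	 */
	private function lock_check($VAR,$status,$account_id) {
		global $C_list;

		include_once(PATH_CORE.'list.inc.php');
		$C_list = new CORE_list;

		$db = &DB();

		# Create the appropriate login attempt record.
		$db->Execute(sqlInsert($db,'login_log',array('ip'=>USER_IP,'account_id'=>$account_id,'date_orig'=>time(),'status'=>$status)));

		# if this is a successful login, we can now exit...
		if ($status == 1 || ! $C_list->is_installed('login_lock'))
			return true;

		# Determine the time period to check for login attempts after:
		$date_orig = time()-(LOGIN_ATTEMPT_TIME*60);

		# Count the failed login attempts from this IP within the time period defined in the setup.
		$rs = $db->Execute(sqlSelect('login_log','COUNT(id) as id',array('where'=>sprintf('ip=::%s:: AND date_orig>=%s AND status=0',USER_IP,$date_orig))));

		# Check that it does not exceed the allowed failed login attempts
		if ($rs && $rs->fields['id']>=LOGIN_ATTEMPT_TRY) {
			# Get the time this login block will expire:
			$date_expire = time()+(LOGIN_ATTEMPT_LOCK*60);

			# Delete all old blocks for this ip
			$db->Execute(sqlDelete($db,'login_lock',array('ip'=>USER_IP)));

			# Create a block on this login
			$db->Execute(sqlInsert($db,'login_lock',array('ip'=>USER_IP,'date_orig'=>time(),'date_expire'=>$date_expire)));
		}
	}
}
?>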