$https = isset($secure) ? $secure : (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
// Set session cookie options
- session_set_cookie_params($limit, $path, $domain, $https, true);
+ if (version_compare(PHP_VERSION, '5.2', '<')) // avoid failure on older php versions
+ session_set_cookie_params($limit, $path, $domain, $https);
+ else
+ session_set_cookie_params($limit, $path, $domain, $https, true);
+
session_start();
// Make sure the session hasn't expired, and destroy it if it has
// Create new session without destroying the old one
session_regenerate_id();
-
// Grab current session ID and close both sessions to allow other scripts to use them
$newSession = session_id();
session_write_close();
kill_login();
die();
}
-//----------------------------------------------------------------------------------------
-// set to reasonable values if not set in config file (pre-2.3.12 installations)
-if (!isset($login_delay))
+function password_reset_fail()
+{
+ global $path_to_root;
+
+ echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Email") . "<b></font><br><br>";
+ echo "<b>" . _("The email address does not exist in the system.") . "<b><br><br>";
+
+ echo _("If you are not an authorized user, please contact your system administrator to obtain an account to enable you to use the system.");
+ echo "<br><a href='$path_to_root/index.php?reset=1'>" . _("Try again") . "</a>";
+ echo "</center>";
+
+ kill_login();
+ die();
+}
+
+function password_reset_success()
{
- $login_delay = 10;
- $login_max_attempts = 3;
+ global $path_to_root;
+
+ echo "<center><br><br><font size='5' color='green'><b>" . _("New password sent") . "<b></font><br><br>";
+ echo "<b>" . _("A new password has been sent to your mailbox.") . "<b><br><br>";
+
+ echo "<br><a href='$path_to_root/index.php'>" . _("Login here") . "</a>";
+ echo "</center>";
+
+ kill_login();
+ die();
}
function check_faillog()
$user = $_SESSION["wa_current_user"]->user;
- if (@$login_delay && ($login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$login_max_attempts) && (time() < $login_faillog[$user]['last'] + $login_delay))
+ if (@$login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$login_max_attempts) && (time() < $login_faillog[$user]['last'] + $login_delay))
return true;
return false;
$msg .= "*/\n";
$msg .= "\$login_faillog = " .var_export($login_faillog, true). ";\n";
- $filename = $path_to_root."/faillog.php";
+ $filename = $path_to_root."/tmp/faillog.php";
if ((!file_exists($filename) && is_writable($path_to_root)) || is_writable($filename))
{
$path_to_root = ".";
}
+//----------------------------------------------------------------------------------------
+// set to reasonable values if not set in config file (pre-2.3.12 installations)
+
+if ((!isset($login_delay)) || ($login_delay < 0))
+ $login_delay = 10;
+
+if ((!isset($login_max_attempts)) || ($login_max_attempts < 0))
+ $login_max_attempts = 3;
+
+
// Prevent register_globals vulnerability
if (isset($_GET['path_to_root']) || isset($_POST['path_to_root']))
die("Restricted access");
include_once($path_to_root . "/admin/db/security_db.inc");
include_once($path_to_root . "/includes/lang/language.php");
include_once($path_to_root . "/config_db.php");
-@include_once($path_to_root . "/faillog.php");
include_once($path_to_root . "/includes/ajax.inc");
include_once($path_to_root . "/includes/ui/ui_msgs.inc");
include_once($path_to_root . "/includes/prefs/sysprefs.inc");
include_once($path_to_root . "/config.php");
get_text_init();
+if ($login_delay > 0)
+ @include_once($path_to_root . "/tmp/faillog.php");
+
// Page Initialisation
if (!isset($_SESSION['language']) || !method_exists($_SESSION['language'], 'set_language'))
{
// logout.php is the only page we should have always
// accessable regardless of access level and current login status.
-if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
+if (!defined('FA_LOGOUT_PHP_FILE')){
login_timeout();
if (!$_SESSION["wa_current_user"]->logged_in())
{
+ if (@$allow_password_reset && !$allow_demo_mode
+ && (isset($_GET['reset']) || isset($_POST['email_entry_field']))) {
+ if (!isset($_POST["email_entry_field"])) {
+ include($path_to_root . "/access/password_reset.php");
+ exit();
+ }
+ else {
+ if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) {
+ for ($i = 0; $i < count($db_connections); $i++) {
+ if ($db_connections[$i]["name"] == $_POST["company_login_nickname"]) {
+ $_POST["company_login_name"] = $i;
+ unset($_POST["company_login_nickname"]);
+ break 1; // cannot pass variables to break from PHP v5.4 onwards
+ }
+ }
+ }
+ $_succeed = isset($db_connections[$_POST["company_login_name"]]) &&
+ $_SESSION["wa_current_user"]->reset_password($_POST["company_login_name"],
+ $_POST["email_entry_field"]);
+ if ($_succeed)
+ {
+ password_reset_success();
+ }
+
+ password_reset_fail();
+ }
+ }
// Show login screen
if (!isset($_POST["user_name_entry_field"]) or $_POST["user_name_entry_field"] == "")
{
// Incorrect password
login_fail();
}
+ elseif(isset($_SESSION['timeout']) && !$_SESSION['timeout']['post'])
+ {
+ // in case of GET request redirect to avoid confirmation dialog
+ // after return from menu option
+ header("HTTP/1.1 303 See Other");
+ header("Location: ".$_SESSION['timeout']['uri']);
+ exit();
+ }
$lang = &$_SESSION['language'];
$lang->set_language($_SESSION['language']->code);
}
// We quote all values later with db_escape() before db update.
$_POST = strip_quotes($_POST);
-?>
\ No newline at end of file
+?>