2 /****************************************************************/
4 /****************************************************************/
5 /* Copyright (c) 2002-2008 by Greg Gay & Joel Kronenberg */
6 /* Adaptive Technology Resource Centre / University of Toronto */
9 /* This program is free software. You can redistribute it and/or*/
10 /* modify it under the terms of the GNU General Public License */
11 /* as published by the Free Software Foundation. */
12 /****************************************************************/
13 // $Id: login.php 7396 2008-04-15 19:46:57Z cindy $
// Public login page for ATutor, extended by ATutor.ldap.mod. Authentication is
// attempted in order: remember-me cookie (ATLogin/ATPass), submitted form
// against the members table, submitted form against the admins table, and
// finally an LDAP bind. Each successful branch populates $_SESSION and issues a
// header('Location: ...') redirect.
// NOTE(review): this listing appears to omit short lines (closing braces,
// `} else {`, and any `exit;` that follows the redirects), so the branch
// boundaries described below are inferred from the visible statements and
// should be confirmed against the actual file.
15 $_user_location = 'public';
16 define('AT_INCLUDE_PATH', 'include/');
// vitals.inc.php is the shared bootstrap; presumably it provides $msg, $db,
// $savant, $addslashes, $tstu_salt, $_base_href and the TABLE_PREFIX /
// AT_STATUS_* constants used below — confirm, none of them are defined here.
17 require (AT_INCLUDE_PATH.'vitals.inc.php');
21 Add additional libraries required by ATutor.ldap.mod
// ldap_lib.php presumably provides ldap_bind_connect(), get_ldap_entry_info(),
// insert_user_info(), get_login() and add_ldap_log(); rsa.inc.php presumably
// provides rsa_decode(), check_valid_login() and PRIVATE_KEY.
23 require ('admin/ldap_lib.php');
24 require (AT_INCLUDE_PATH.'lib/rsa.inc.php');
// Normalise the optional course id from the query string to an integer before
// it is echoed into the redirect (L88/L131) or used as an array index (L220).
27 if (isset($_GET['course'])) {
28 $_GET['course'] = intval($_GET['course']);
33 // check if we have a cookie
// Only process a login when no feedback message is already pending.
34 if (!$msg->containsFeedbacks()) {
// Raw cookie values are copied as-is; they are escaped with $addslashes
// (L92-93) before being interpolated into SQL.
35 if (isset($_COOKIE['ATLogin'])) {
36 $cookie_login = $_COOKIE['ATLogin'];
38 if (isset($_COOKIE['ATPass'])) {
39 $cookie_pass = $_COOKIE['ATPass'];
// Cookie auto-login takes precedence only when the form was not submitted.
// ATPass carries sha1(stored password hash . $tstu_salt) as issued at L124, so
// it is a credential-equivalent token: whoever holds it can log in until it
// expires (two days, re-issued on each auto-login). Note that on this path the
// RSA block below is skipped, so $this_password_ldap and $hash_password are
// never assigned.
43 if (isset($cookie_login, $cookie_pass) && !isset($_POST['submit'])) {
45 $this_login = $cookie_login;
46 $this_password = $cookie_pass;
// Form submission. form_password_hidden is presumably filled in client-side
// as SHA1 over the password and the per-session token (that is what L102 and
// L135 compare against) — confirm in the template. The $_POST keys below are
// read without isset(), so a missing field raises a notice.
49 } else if (isset($_POST['submit'])) {
51 $this_password = $_POST['form_password_hidden'];
52 $this_login = $_POST['form_login'];
// "Remember me" flag, coerced to int; only the exact value 1 is honoured (L119).
53 $auto_login = isset($_POST['auto']) ? intval($_POST['auto']) : 0;
// Escaped here because it is later handed to get_ldap_entry_info() (L162),
// which presumably stores it in the members table — confirm.
55 $hash_password = $addslashes($_POST['form_hash_password']);
59 RSA Decoded, required by ldap.mod
// The LDAP password travels RSA-encrypted in form_password_ldap and is
// decrypted server-side. The result of this first call is discarded: L63
// performs the same decode again and assigns it. The `=` inside the if at L63
// is an intentional assign-and-test; a falsy result is treated as a failed
// decode.
61 $auth_string = rsa_decode(PRIVATE_KEY, $_POST['form_password_ldap']);
63 if ($auth_string = rsa_decode(PRIVATE_KEY, $_POST['form_password_ldap'])){
// check_valid_login() is called twice on the same input; if it is not
// idempotent (e.g. it consumes a nonce or checks a timestamp window — the
// INVALID_LOGIN_RSA_TIMEOUT error suggests the latter), the second call at
// L65 may not return what the first one validated. Worth collapsing into one
// call held in a variable.
64 if(check_valid_login($auth_string)){
// $this_password_ldap now holds the cleartext LDAP password for this request.
65 $this_password_ldap = check_valid_login($auth_string);
// Decoded payload failed validation (stale) -> back to the login page.
// Whether an exit follows the redirect is not visible in this listing.
68 $msg->addError('INVALID_LOGIN_RSA_TIMEOUT');
69 header('Location: login.php');
// Decode itself failed -> back to the login page (same caveat about exit).
73 $msg->addError('INVALID_LOGIN_RSA');
74 header('Location: login.php');
// From here on, a login attempt is in progress (cookie or form).
81 if (isset($this_login, $this_password)) {
// Issue a fresh session id on every login attempt (session-fixation
// mitigation); the TRUE argument deletes the old session and is only
// accepted from PHP 5.1.0, hence the version gate.
82 if (version_compare(PHP_VERSION, '5.1.0', '>=')) {
83 session_regenerate_id(TRUE);
// Target course id is normalised into $_POST['form_course_id'] as an int in
// both branches, so the bounce.php redirects below carry an integer only.
// L87 reads $_GET['course'] without isset(), which raises a notice when absent.
87 if ($_GET['course']) {
88 $_POST['form_course_id'] = intval($_GET['course']);
90 $_POST['form_course_id'] = intval($_POST['form_course_id']);
// Escaping step for the string-built queries at L98, L102, L135, L139 and
// L164; those queries rely entirely on this. Parameterised statements would
// remove that dependency (and the mysql_* API is removed in PHP 7).
92 $this_login = $addslashes($this_login);
93 $this_password = $addslashes($this_password);
96 // check if that cookie is valid
// Pre-salt query, kept commented out for reference.
97 //$sql = "SELECT member_id, login, first_name, second_name, last_name, preferences, password AS pass, language, status FROM ".TABLE_PREFIX."members WHERE login='$this_login' AND password='$this_password'";
// Cookie variant: matches the ATPass derivation at L124, sha1(pass . $tstu_salt).
// NOTE(review): as listed, this $sql is overwritten by L102 before use; there
// is presumably a branch between the two (omitted here) that selects the
// cookie or the form query — confirm.
98 $sql = "SELECT member_id, login, first_name, second_name, last_name, preferences,password AS pass, language, status FROM ".TABLE_PREFIX."members WHERE login='$this_login' AND SHA1(CONCAT(password, '$tstu_salt'))='$this_password'";
// Form variant: accepts login or e-mail, and compares against SHA1 of the
// stored hash concatenated with the per-session token, so a submitted value
// is only good for the token it was computed with (provided the token is
// refreshed for every rendered form, see L207). Both $tstu_salt and
// $_SESSION[token] are server-side values.
102 $sql = "SELECT member_id, login, first_name, second_name, last_name, preferences, language, status, password AS pass FROM ".TABLE_PREFIX."members WHERE (login='$this_login' OR email='$this_login') AND SHA1(CONCAT(password, '$_SESSION[token]'))='$this_password'";
104 $result = mysql_query($sql, $db);
// A row is only returned when login AND password matched, so the status
// errors below do not disclose account existence on their own.
106 if (($row = mysql_fetch_assoc($result)) && ($row['status'] == AT_STATUS_UNCONFIRMED)) {
107 $msg->addError('NOT_CONFIRMED');
108 } else if ($row && $row['status'] == AT_STATUS_DISABLED) {
109 $msg->addError('ACCOUNT_DISABLED');
// (else branch, omitted in this listing) Member login succeeded: populate the
// session.
111 $_SESSION['valid_user'] = true;
112 $_SESSION['member_id'] = intval($row['member_id']);
113 $_SESSION['login'] = $row['login'];
// NOTE(review): unserialize() on a DB column. Safe only as long as the
// preferences column is written exclusively by the application from trusted
// data; if it can ever carry user-controlled content this is an
// object-injection sink, and a JSON encoding would be the safer format.
114 assign_session_prefs(unserialize(stripslashes($row['preferences'])));
115 $_SESSION['is_guest'] = 0;
116 $_SESSION['lang'] = $row['language'];
117 $_SESSION['course_id'] = 0;
// Remember-me: (re)issue the two cookies scoped to the site's path and host.
119 if ($auto_login == 1) {
120 $parts = parse_url($_base_href);
121 // update the cookie.. increment to another 2 days
122 $cookie_expire = time()+172800;
// NOTE(review): the sixth setcookie() argument (secure) is 0 and no httponly
// flag is passed, so the login cookie and the credential-equivalent ATPass
// token are sent over plain HTTP and are readable from script. Setting
// secure (where the site is served over HTTPS) and httponly would limit
// exposure of a token that is valid for two days.
123 setcookie('ATLogin', $this_login, $cookie_expire, $parts['path'], $parts['host'], 0);
124 setcookie('ATPass', sha1($row['pass'].$tstu_salt), $cookie_expire, $parts['path'], $parts['host'], 0);
// Record last login; `creation_date=creation_date` presumably keeps a MySQL
// TIMESTAMP column from auto-updating — confirm against the schema.
127 $sql = "UPDATE ".TABLE_PREFIX."members SET creation_date=creation_date, last_login=NOW() WHERE member_id=$_SESSION[member_id]";
128 mysql_query($sql, $db);
// form_course_id was intval'd at L88/L90, so only an integer is echoed here.
130 $msg->addFeedback('LOGIN_SUCCESS');
131 header('Location: bounce.php?course='.$_POST['form_course_id']);
134 // check if it's an admin login.
// (else branch) Not a member: try the admins table with the same token
// scheme; `privileges`>0 excludes admin rows with no rights.
135 $sql = "SELECT login, `privileges`, language FROM ".TABLE_PREFIX."admins WHERE login='$this_login' AND SHA1(CONCAT(password, '$_SESSION[token]'))='$this_password' AND `privileges`>0";
136 $result = mysql_query($sql, $db);
138 if ($row = mysql_fetch_assoc($result)) {
// $sql is reassigned here before it is written to the admin log at L148, so
// the logged statement contains the login but not the password hash from L135.
// Keep this ordering if the log call is ever moved.
139 $sql = "UPDATE ".TABLE_PREFIX."admins SET last_login=NOW() WHERE login='$this_login'";
140 mysql_query($sql, $db);
// Admin session: course_id -1 and privileges from the row.
142 $_SESSION['login'] = $row['login'];
143 $_SESSION['valid_user'] = true;
144 $_SESSION['course_id'] = -1;
145 $_SESSION['privileges'] = intval($row['privileges']);
146 $_SESSION['lang'] = $row['language'];
148 write_to_log(AT_ADMIN_LOG_UPDATE, 'admins', mysql_affected_rows($db), $sql);
150 $msg->addFeedback('LOGIN_SUCCESS');
152 header('Location: admin/index.php');
159 Add LDAP auth provided by ATutor.ldap.mod
// (else branch) Neither member nor admin matched: bind against LDAP with the
// RSA-decoded cleartext password.
// NOTE(review): $this_password_ldap is assigned only on the form path (L65).
// On the cookie path it is undefined here, so ldap_bind_connect() receives an
// empty password; unless that helper rejects empty passwords, some directories
// treat such a bind as anonymous and it would succeed — confirm.
// NOTE(review): $this_login is the $addslashes-escaped value; if the helpers
// place it in an LDAP filter or DN it needs LDAP-specific escaping instead.
161 if (ldap_bind_connect($this_login,$this_password_ldap)){
162 if ($arr = get_ldap_entry_info($this_login,$this_password_ldap, $hash_password)){
// insert_user_info() presumably creates/updates the local member record from
// the LDAP entry; the local row is then loaded and gated by status as above.
163 if (insert_user_info($arr)){
164 $sql = "SELECT member_id, login, preferences, language, status FROM ".TABLE_PREFIX."members WHERE login='$this_login'";
165 $result = mysql_query($sql, $db);
166 if (($row = mysql_fetch_assoc($result)) && ($row['status'] == AT_STATUS_UNCONFIRMED)) {
167 $msg->addError('NOT_CONFIRMED');
168 } else if ($row && $row['status'] == AT_STATUS_DISABLED) {
169 $msg->addError('ACCOUNT_DISABLED');
// (else branch) LDAP login succeeded.
171 $_SESSION['valid_user'] = true;
172 $_SESSION['member_id'] = intval($row['member_id']);
// Unlike L113, the login is re-read by member id via get_login() rather than
// taken from $row — presumably so the canonical local login is used.
173 $_SESSION['login']= get_login($_SESSION['member_id']);
// Same unserialize() caveat as at L114.
174 assign_session_prefs(unserialize(stripslashes($row['preferences'])));
175 $_SESSION['is_guest'] = 0;
176 $_SESSION['lang'] = $row['language'];
177 $_SESSION['course_id'] = 0;
// NOTE(review): the argument is a literal deployment placeholder; the log
// entry will carry this string until it is replaced with the real server name.
178 add_ldap_log('YOUR LDAP SERVER'); #Define LDAP server name or Null
180 $msg->addFeedback('LOGIN_SUCCESS');
181 header('Location: bounce.php?course='.$_POST['form_course_id']);
// Generic failure message for every remaining case (no enumeration of which
// step failed).
184 $msg->addError('INVALID_LOGIN');
// ---- Fall-through: render the login page. Assuming each redirect above is
// followed by an exit (not shown here), this is reached only when no login
// happened, and it clears any previous session state.
192 $_SESSION['session_test'] = TRUE;
194 if (isset($_SESSION['member_id'])) {
// Errors from this DELETE are suppressed with @; a failure here only leaves a
// stale users_online row.
195 $sql = "DELETE FROM ".TABLE_PREFIX."users_online WHERE member_id=$_SESSION[member_id]";
196 $result = @mysql_query($sql, $db);
199 unset($_SESSION['login']);
200 unset($_SESSION['valid_user']);
201 unset($_SESSION['member_id']);
202 unset($_SESSION['is_admin']);
203 unset($_SESSION['course_id']);
204 unset($_SESSION['is_super_admin']);
205 unset($_SESSION['dd_question_ids']);
207 // Refresh the security token
// NOTE(review): the statement that regenerates $_SESSION['token'] is not in
// this listing. The token is what L102 and L135 hash against, so it must be
// (re)generated before the form is rendered for the submitted hash to be
// bound to a single form instance — confirm it is present.
210 $_SESSION['prefs']['PREF_FORM_FOCUS'] = 1;
212 /*****************************/
213 /* template starts down here */
215 $onload = 'document.form.form_login.focus();';
// Reads $_GET['course'] without isset(); a notice when absent, value already
// an int when present (L28).
217 $savant->assign('course_id', $_GET['course']);
// An id that is not a key of $system_courses yields an undefined index and an
// empty title rather than an error.
219 if (isset($_GET['course']) && $_GET['course']) {
220 $savant->assign('title', ' '._AT('to1').' '.$system_courses[$_GET['course']]['title']);
222 $savant->assign('title', ' ');
// Compact P3P policy so browsers that gate cookies on P3P accept the session
// cookie (relevant when the login page is framed by another site).
225 header('P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"');
226 $savant->display('login.tmpl.php');