Hello there,
I have this as the login function for an application.
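/**
 * Authenticate a user with the supplied credentials and open their session.
 *
 * Looks the user up by name with a prepared statement, verifies the password
 * (unsalted MD5 hash, or the salted scheme handled by Userdata once the user
 * row carries a non-zero CSPRNG flag), records the access time and regenerates
 * the session ID.  Every failure reports the same generic message so that the
 * response does not reveal whether the username exists.
 *
 * @param string $username Login name as submitted by the user (untrusted).
 * @param string $password Plain-text password as submitted (untrusted).
 * @return bool true once the session has been populated, false on any failure.
 */
function login($username, $password)
{
    $db =& $this->db;
    Kit::ClassLoader('userdata');

    $username = (string) $username;
    $password = (string) $password;

    // Before DB version 62 the CSPRNG column does not exist, so both the lookup
    // and the check fall back to the plain MD5 scheme. That can only happen
    // part-way through an upgrade.
    $legacySchema = Config::Version('DBVersion') < 62;

    // The username is always bound as a parameter so the untrusted value never
    // becomes part of the SQL text (the old non-legacy path built the query
    // with sprintf + escape_string).
    $dbh = PDOConnect::init();
    $sth = $dbh->prepare($legacySchema
        ? 'SELECT UserID, UserName, UserPassword, UserTypeID FROM `user` WHERE UserName = :userName'
        : 'SELECT UserID, UserName, UserPassword, UserTypeID, CSPRNG FROM `user` WHERE UserName = :userName');
    $sth->execute(array('userName' => $username));
    $rows = $sth->fetchAll();

    // Exactly one matching row is required; no match and duplicates both fail.
    if (count($rows) !== 1) {
        setMessage(__('Username or Password incorrect'));
        return false;
    }
    $userInfo = $rows[0];

    $usesLegacyHash = $legacySchema || (int) $userInfo['CSPRNG'] === 0;

    if ($usesLegacyHash) {
        // Unsalted MD5. hash_equals() is a strict, constant-time comparison:
        // the previous loose `!=` treated two hex digests of the form "0e..."
        // as numerically equal, and the response timing leaked how much of
        // the stored digest matched. Requires PHP >= 5.6.
        if (!hash_equals((string) $userInfo['UserPassword'], md5($password))) {
            setMessage(__('Username or Password incorrect'));
            return false;
        }

        if (!$legacySchema) {
            // The password is now known to be correct: migrate the account to a
            // freshly salted hash so the MD5 path is not taken again.
            $userData = new Userdata($db);
            $userData->ChangePassword(Kit::ValidateParam($userInfo['UserID'], _INT), null, $password, $password, true /* Force Change */);
        }
    } else {
        // Salted hash: Userdata owns the verification algorithm.
        $userData = new Userdata($db);
        if ($userData->validate_password($password, $userInfo['UserPassword']) === false) {
            setMessage(__('Username or Password incorrect'));
            return false;
        }
    }

    // Credentials accepted: populate the session and this object.
    $_SESSION['userid'] = Kit::ValidateParam($userInfo['UserID'], _INT);
    $_SESSION['username'] = Kit::ValidateParam($userInfo['UserName'], _USERNAME);
    $_SESSION['usertype'] = Kit::ValidateParam($userInfo['UserTypeID'], _INT);

    $this->usertypeid = $_SESSION['usertype'];
    $this->userid = $_SESSION['userid'];

    // Record the access time and mark the user as logged in. Both values are
    // produced server-side (%d forces the id to an integer), so no user input
    // reaches this statement.
    $SQL = sprintf("UPDATE user SET lastaccessed = '%s', loggedin = 1 WHERE userid = %d", date('Y-m-d H:i:s'), $_SESSION['userid']);
    $db->query($SQL) or trigger_error(__('Can not write last accessed info.'), E_USER_ERROR);

    // Regenerate the session ID after authentication so that an ID handed out
    // before login cannot be reused for the authenticated session.
    global $session;
    $session->setIsExpired(0);
    $session->RegenerateSessionID(session_id());

    return true;
}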
I am trying to add an alternative authentication path for users held in LDAP, so that it is used when local authentication fails:
// alternativelly validate against Tivoli Directory server
// NOTE(review): this fragment is incomplete — the `if` on its last line has no
// body and no closing brace, so it cannot be dropped into login() as pasted.
$ldap_host = "www.zflexldap.com:389";
// NOTE(review): this replaces the $password that login() received with a fixed
// literal, so whatever the user typed is discarded before the bind below.
$password = "password";
// Tivoli Directory DN
// NOTE(review): $ldap_dn is assigned but never used here; the bind DN further
// down is a separate literal.
$ldap_dn = "ou=users,ou=guests,dc=zflexsoftware,dc=com";
// connect to active directory
// NOTE(review): die() terminates the whole request inside an auth routine; the
// surrounding login() reports failures with setMessage() and `return false`.
$ldap = ldap_connect($ldap_host)
or die("Couldn't connect to LDAP Server");
//username specified on post form is from TDS server
// $dn = "uid=".$username.",";
// NOTE(review): the DN is fixed to guest1, so every caller would bind as that
// one directory entry rather than as $username. If the commented line above is
// restored, the username must be escaped for DN context first (ldap_escape()
// with LDAP_ESCAPE_DN on PHP >= 5.6) before it is concatenated into the DN.
$dn = "uid=guest1,ou=users,ou=guests,dc=zflexsoftware,dc=com";
// NOTE(review): $ds is never assigned in this fragment — the handle returned by
// ldap_connect() is $ldap — so this call does not apply to the real connection.
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// verify user and password
// NOTE(review): reject an empty $password before binding — many directories
// treat a bind with an empty password as an anonymous bind and report success.
// The `@` hides why a bind failed; check ldap_error($ldap) on the false branch
// instead. The body of this `if` is missing from the paste.
if($bind = @ldap_bind($ldap, $dn, $password))
All my attempts so far, though, have been breaking the application.
thanks