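<?php
/**
 * This is the login form
 *
 * This file is part of the evoCore framework - {@link http://evocore.net/}
 * See also {@link http://sourceforge.net/projects/evocms/}.
 *
 * @copyright (c)2003-2007 by Francois PLANQUE - {@link http://fplanque.net/}
 *
 * {@internal License choice
 * - If you have received this file as part of a package, please find the license.txt file in
 *   the same folder or the closest folder above for complete license terms.
 * - If you have received this file individually (e-g: from http://evocms.cvs.sourceforge.net/)
 *   then you must choose one of the following licenses before using the file:
 *   - GNU General Public License 2 (GPL) - http://www.opensource.org/licenses/gpl-license.php
 *   - Mozilla Public License 1.1 (MPL) - http://www.opensource.org/licenses/mozilla1.1.php
 * }}
 *
 * {@internal Open Source relicensing agreement:
 * }}
 *
 * @package htsrv
 *
 * {@internal Below is a list of authors who have contributed to design/coding of this file: }}
 * @author fplanque: Francois PLANQUE.
 */
if( !defined('EVO_MAIN_INIT') ) die( 'Please, do not access this page directly.' );

// Do not cache this page: the JS password salt embedded in the form below must match the
// one stored in the current session, and a cached copy would carry a stale salt.
header_nocache();


// TODO: dh> the message below should also get displayed in _reg_form.
// E.g., the user might have clicked accidently on an old password change link.
if( $Session->has_User() )
{ // The user is already logged in...
	$tmp_User = & $Session->get_User();
	if( $tmp_User->validated )
	{ // Only a validated account gets the "already logged in" shortcut; an account that
	  // has been invalidated falls through and has to use the form again.
		// The "Continue" target goes through url_rel_to_same_host() exactly like the
		// "Abort login!" link at the bottom of this file, so both links agree on how
		// $redirect_to is constrained. NOTE(review): this alone does not prove an open
		// redirect is impossible -- confirm that url_rel_to_same_host() rejects foreign
		// hosts and protocol-relative targets.
		// NOTE(review): the login name is inserted into the message unescaped; this relies
		// on $Messages escaping on output or on logins being restricted at registration -- confirm.
		// TODO: prevent "endless loops" with $redirect_to here, too
		$Messages->add( sprintf( T_('Note: You are already logged in as %s!'), $tmp_User->get('login') )
			.' <a href="'.htmlspecialchars( url_rel_to_same_host($redirect_to, $ReqHost) ).'">'.T_('Continue').' »</a>', 'note' );
	}
	unset($tmp_User);
}


/**
 * Include page header (also displays Messages):
 */
$page_title = T_('Login form');
$page_icon = 'icon_login.gif';

/*
fp> The login page is small. Let's use it as a preloader for the backoffice (which is awfully slow to initialize)
fp> TODO: find a javascript way to preload more stuff (like icons) WITHOUT delaying the browser autocomplete of the login & password fields
dh> suggested loading jQuery here ( require_js( '#jquery#' ) ) and doing the preload from a
    $(function(){ ... }) ready handler. See also http://www.texotela.co.uk/code/jquery/preload/
    - might be a good opportunity to take a look at jQuery for you.. :)
*/


require_js( 'functions.js' );

// The password is hashed client-side unless that is switched off in the settings or a
// plugin reports (via the LoginAttemptNeedsRawPassword event) that it needs the raw password:
$transmit_hashed_password = (bool)$Settings->get('js_passwd_hashing')
	&& !(bool)$Plugins->trigger_event_first_true('LoginAttemptNeedsRawPassword');
if( $transmit_hashed_password )
{ // Include JS for client-side password hashing (used by the submit handler at the end of this file):
	require_js( 'md5.js' );
	require_js( 'sha1.js' );
}

/**
 * Login header
 */
require dirname(__FILE__).'/_html_header.inc.php';


// The login form has to point back to itself, in case $htsrv_url_sensitive is a "https" link and $redirect_to is not!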
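// NOTE: "= & new" is the PHP 4 reference-assignment idiom used throughout this codebase;
// it is a parse error on PHP 7+ and would have to become a plain assignment there.
$Form = & new Form( $htsrv_url_sensitive.'login.php', 'evo_login_form', 'post', 'fieldset' );

// NOTE(review): no anti-CSRF token is emitted by this file. If Form::begin_form() does not
// add one, a third-party page can submit this form on the victim's behalf (login CSRF) -- confirm.
$Form->begin_form( 'fform' );

// Pass through whatever was POSTed before the login became necessary, minus the fields that
// drive the login itself. NOTE(review): this reflects arbitrary POST keys/values into hidden
// inputs and relies on Form::hiddens_by_key() escaping both -- confirm.
$Form->hiddens_by_key( $_POST, /* exclude: */ array('login_action', 'login', 'action') );
$Form->hidden( 'redirect_to', url_rel_to_same_host($redirect_to, $htsrv_url_sensitive) );

if( isset( $action, $reqID, $sessID ) && $action == 'validatemail' )
{ // the user clicked the link from the "validate your account" email, but has not been logged in; pass on the relevant data:
	$Form->hidden( 'action', 'validatemail' );
	$Form->hidden( 'reqID', $reqID );
	$Form->hidden( 'sessID', $sessID );
}

// fp>SUSPECT
if( $transmit_hashed_password )
{ // Salt used by the JS submit handler at the end of this file.
	//
	// SECURITY NOTES(review):
	// - The salt is kept in the session for one day and is reused across reloads of this
	//   form, so a captured pwd_hashed value stays replayable for as long as that salt is
	//   accepted (whether login.php clears it after an attempt is not visible from here).
	// - The JS hashes md5(password) rather than the password itself, "because that's how
	//   the passwords are stored in the database" (see below). That implies the server only
	//   needs the stored MD5 to verify the login, i.e. whoever obtains the hashes from the
	//   database can log in without ever learning the password.
	// - None of this replaces TLS: it only keeps the cleartext password out of the request body.
	$pwd_salt = $Session->get('core.pwd_salt');
	if( empty($pwd_salt) )
	{ // Do not regenerate if already set because we want to reuse the previous salt on login screen reloads
		// fp> Question: the comment implies that the salt is reset even on failed login attemps. Why that? I would only have reset it on successful login. Do experts recommend it this way?
		// but if you kill the session you get a new salt anyway, so it's no big deal.
		// At that point, why not reset the salt at every reload? (it may be good to keep it, but I think the reason should be documented here)
		$pwd_salt = generate_random_key(64);
		$Session->set( 'core.pwd_salt', $pwd_salt, 86400 /* expire in 1 day */ );
	}
	$Form->hidden( 'pwd_salt', $pwd_salt );
	$Form->hidden( 'pwd_hashed', '' ); // gets filled by JS
}
// SUSPECT<fp

$Form->begin_fieldset();

echo '<div class="center notes">'.T_('You will have to accept cookies in order to log in.').'</div>';

$Form->text_input( 'login', $login, 16, T_('Login'), '', array( 'maxlength' => 20, 'class' => 'input_text' ) );

// "Lost password" link shown as the note of the password field. Each query parameter value
// is URL-encoded; the redirect target is constrained the same way as the hidden field above.
$pwd_note = '<a href="'.$htsrv_url_sensitive.'login.php?action=lostpassword&redirect_to='
	.rawurlencode( url_rel_to_same_host($redirect_to, $htsrv_url_sensitive) );
if( !empty($login) )
{
	$pwd_note .= '&login='.rawurlencode($login);
}
$pwd_note .= '">'.T_('Lost password ?').'</a>';

$Form->password_input( 'pwd', '', 16, T_('Password'), array( 'note'=>$pwd_note, 'maxlength' => 50, 'class' => 'input_text' ) );



// Allow a plugin to add fields/payload
$Plugins->trigger_event( 'DisplayLoginFormFieldset', array( 'Form' => & $Form ) );

echo $Form->fieldstart;
echo $Form->inputstart;

$Form->submit( array( 'login_action[login]', T_('Log in!'), 'search' ) );

if( strpos( $redirect_to, $admin_url ) !== 0
	&& strpos( $ReqHost.$redirect_to, $admin_url ) !== 0 // if $redirect_to is relative
	&& ! is_admin_page() )
{ // provide button to log straight into backoffice, if we would not go there anyway
	$Form->submit( array( 'login_action[redirect_to_backoffice]', T_('Log into backoffice!'), 'search' ) );
}
echo $Form->inputend;
echo $Form->fieldend;

$Form->end_fieldset();

$Form->end_form();

?>

<script type="text/javascript">
// Autoselect login text input or pwd input, if there's a login already:
var login = document.getElementById('login');
if( login.value.length > 0 )
{ // Focus on the password field:
	document.getElementById('pwd').focus();
}
else
{ // Focus on the login field:
	login.focus();
}


<?php
// fp>SUSPECT
if( $transmit_hashed_password )
{
?>
// Hash the password onsubmit and clear the original pwd field
// TODO: dh> it would be nice to disable the clicked/used submit button. That's how it has been when the submit was attached to the submit button(s)
addEvent( document.getElementById("evo_login_form"), "submit", function(){
	var form = document.getElementById('evo_login_form');

	// Calculate hashed password and set it in the form.
	// If any of the fields or the two hashing libraries is missing, this block is skipped
	// and the cleartext password is submitted in "pwd" instead; the server has to accept both.
	if( form.pwd_hashed && form.pwd && form.pwd_salt && typeof hex_sha1 != "undefined" && typeof hex_md5 != "undefined" )
	{
		// The inner md5() matches the way passwords are stored in the database; the outer
		// sha1() only binds that MD5 to the per-session salt. NOTE(review): the salted SHA1
		// does NOT strengthen the stored MD5 -- the stored hash is the effective credential.
		// (fp> can't we do that with md5 again, in order to load 1 less Javascript library?)
		form.pwd_hashed.value = hex_sha1( hex_md5(form.pwd.value) + form.pwd_salt.value );
		// Replace the cleartext password with a marker carrying the session ID ("to detect
		// cookie problems", per the original comment; presumably it also lets login.php tell a
		// hashed submit from a raw one). NOTE(review): this puts the session ID into the page
		// source and into the POST body, and embeds it in a JS string literal unescaped --
		// assumes $Session->ID is server-generated and limited to safe characters; confirm.
		form.pwd.value = "hashed_<?php echo $Session->ID /* to detect cookie problems */ ?>";
	}
	return true;
}, false );
<?php
}
// <fp
?>
</script>


<div class="login_actions" style="text-align:right">
<?php user_register_link( '', '', '', '#', true /*disp_when_logged_in*/ )?>


<?php
if( empty($login_required)
	&& strpos($redirect_to, $admin_url) !== 0
	&& strpos($ReqHost.$redirect_to, $admin_url ) !== 0 )
{ // No login required, allow to pass through
	// TODO: dh> validate redirect_to param?!
	echo ' · <a href="'.htmlspecialchars(url_rel_to_same_host($redirect_to, $ReqHost)).'">'
		./* Gets displayed as link to the location on the login form if no login is required */ T_('Abort login!').'</a>';
}
?>
</div>


<?php
require dirname(__FILE__).'/_html_footer.inc.php';


/*
 * $Log: _login_form.main.php,v $
 * Revision 1.2 2007/06/30 22:03:34 fplanque
 * cleanup
 *
 * Revision 1.1 2007/06/25 11:02:37 fplanque
 * MODULES (refactored MVC)
 *
 * Revision 1.45 2007/06/19 22:50:41 blueyed
 * todo
 *
 * Revision 1.44 2007/04/26 00:11:10 fplanque
 * (c) 2007
 *
 * Revision 1.43 2007/01/25 21:55:02 blueyed
 * Only display "·" if text follows with the links in the bottom right
 *
 * Revision 1.42 2007/01/20 01:44:56 blueyed
 * todo
 *
 * Revision 1.41 2007/01/19 03:06:56 fplanque
 * Changed many little thinsg in the login procedure.
 * There may be new bugs, sorry. I tested this for several hours though.
 * More refactoring to be done.
 *
 * Revision 1.40 2007/01/18 23:59:29 fplanque
 * Re: Secunia. Proper sanitization.
 *
 * Revision 1.38 2007/01/18 18:50:12 blueyed
 * Escape $redirect_to in "Bypass login..." link. Fixes http://secunia.com/cve_reference/CVE-2007-0175/
 *
 * Revision 1.37 2007/01/14 21:18:48 fplanque
 * bugfix
 *
 * Revision 1.36 2006/12/28 19:15:42 fplanque
 * bugfix: don't lose redirect_to on repeated login failures
 *
 * Revision 1.35 2006/12/28 15:44:30 fplanque
 * login refactoring / simplified
 *
 * Revision 1.34 2006/12/22 20:11:02 blueyed
 * todo, doc, cleanup
 *
 * Revision 1.33 2006/12/15 22:54:14 fplanque
 * allow disabling of password hashing
 *
 * Revision 1.32 2006/12/09 01:55:36 fplanque
 * feel free to fill in some missing notes
 * hint: "login" does not need a note! :P
 *
 * Revision 1.31 2006/12/06 23:32:35 fplanque
 * Rollback to Daniel's most reliable password hashing design. (which is not the last one)
 * This not only strengthens the login by providing less failure points, it also:
 * - Fixes the login in IE7
 * - Removes the double "do you want to memorize this password' in FF.
 *
 * Revision 1.30 2006/12/06 23:25:32 blueyed
 * Fixed bookmarklet plugins (props Danny); removed unneeded bookmarklet handling in core
 *
 * Revision 1.29 2006/12/05 01:41:22 blueyed
 * Removed markers, as requested
 *
 * Revision 1.28 2006/12/04 20:51:39 blueyed
 * Use TS_() for JS strings
 *
 * Revision 1.27 2006/12/04 00:18:52 fplanque
 * keeping the login hashing
 *
 * Revision 1.24 2006/12/03 20:11:18 fplanque
 * SUSPECT code. Not releasable. Discussion by email.
 *
 * Revision 1.23 2006/11/29 20:04:35 blueyed
 * More cleanup for login-password hashing
 *
 * Revision 1.22 2006/11/29 03:25:54 blueyed
 * Enhanced password hashing during login: get the password salt through async request + cleanup
 *
 * Revision 1.21 2006/11/28 02:52:26 fplanque
 * doc
 *
 * Revision 1.20 2006/11/24 18:27:26 blueyed
 * Fixed link to b2evo CVS browsing interface in file docblocks
 *
 * Revision 1.19 2006/11/18 02:51:47 blueyed
 * Use only one "password lost?" variant
 *
 * Revision 1.18 2006/10/23 22:19:03 blueyed
 * Fixed/unified encoding of redirect_to param. Use just rawurlencode() and no funky & replacements
 *
 * Revision 1.17 2006/10/17 19:54:39 blueyed
 * Select pwd input by JS, if theres a login already given.
 *
 * Revision 1.16 2006/10/15 21:30:46 blueyed
 * Use url_rel_to_same_host() for redirect_to params.
 *
 * Revision 1.15 2006/10/14 16:27:05 blueyed
 * Client-side password hashing in the login form.
 *
 * Revision 1.14 2006/10/12 23:48:15 blueyed
 * Fix for if redirect_to is relative
 *
 */
?>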