📄 login.php
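<?php
/*
 * ITMS ValleyData source file version 1.0 May 11, 2001
 *
 * Responsible for making sure the user is always authenticated
 *
 * Behavior: This code segment is intended to be included on a page.
 * It will check to see if the user has logged in (info stored in cookie)
 * If they are logged in, then update the exparationtime and checksum cookies.
 * If they are just pretending to be logged in, log them out, and notify the administrator.
 * If they are not logged in, then present them with the login box.
 * If they enter the right info in the box, then set the cookies.
 * If they enter the wrong info in the box, then show them the box again.
 * If they don't enter anything in the box, then send them away (to logout.php?).
 *
 * Info to store in cookie regarding login:
 *   username
 *   exparationtime
 *   isAdmin
 *   checksum = md5(password+username+exparationtime+isAdmin+"junk")?
 *
 * References:
 *   http://www.php.net/manual/en/function.header.php
 *   http://www.php.net/manual/en/features.http-auth.php
 *   http://www.php.net/manual/en/features.cookies.php
 *
 * Note: Don't forget to clean ALL user input. That includes input sent via
 * the username/password dialog box!
 *
 * Review notes (security) - what the code below actually does, as opposed to
 * the plan above:
 *   - No expiration time is stored or checked; the cookies are session cookies
 *     and the only freshness signal is a "timer" cookie set outside this file.
 *   - The "hash" cookie is md5() over user, user_id, isAdmin and pass followed
 *     by a constant that is part of this source. Every one of those inputs is
 *     supplied by the client on later requests, so a matching checksum does
 *     not prove the server issued the values. isAdmin and user_id should come
 *     from a server-side session, or the checksum should be an HMAC keyed with
 *     a secret that is kept out of the source tree.
 *   - The submitted password is written to a "pass" cookie in clear text and
 *     replayed on every request. A server-side session removes the need to
 *     keep the password client-side at all.
 *   - SQL statements and the LDAP DN are built by string interpolation; their
 *     safety rests entirely on make_clean(), which is not defined in this
 *     file. NOTE(review): confirm it escapes for SQL and for LDAP DNs, or
 *     move to bound parameters / DN escaping.
 *   - Stored passwords are verified with crypt() using a two-character salt,
 *     i.e. traditional DES crypt. Plan a migration to a modern password hash.
 *
 * Internet Task Management System: An online system used for recording
 * information about and assigning tasks and processes.
 * Copyright (C) 2001 ValleyData Programming Group
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 *
 * See file named "gpl.txt" included with source code or
 * visit http://www.gnu.org/copyleft/gpl.txt on the internet.
 */

//$user = $PHP_AUTH_USER;
//$pass = $PHP_AUTH_PW;

// NOTE(review): extract() with its default flags overwrites existing globals,
// so any request parameter (GET, POST or cookie) can replace a variable that
// was set before this file was included - presumably including configuration
// such as $ENABLE_LDAP and $SECURE_COOKIES; verify the include order. Reading
// the specific keys that are needed from $_POST / $_COOKIE is the durable fix.
extract($_REQUEST); //Added 5/16/2003 by Matt Palmerlee for ITMS Build 110 (Register Globals Fix)
// Runs second on purpose: server-provided values such as PHP_SELF replace any
// request parameter of the same name imported by the line above.
extract($_SERVER); //Added 5/16/2003 by Matt Palmerlee for ITMS Build 110 (Register Globals Fix)

/*
 * Computes the value stored in the "hash" cookie.
 *
 * Kept in one place so the login check and the cookie writer cannot drift
 * apart. The trailing constant is not a secret (it ships with the source), so
 * this is an integrity checksum only, not an authenticator.
 */
function itms_login_checksum($user, $user_id, $isAdmin, $pass)
{
    return md5($user.$user_id.$isAdmin.$pass."alk4d");
}

/*
 * Expires every login cookie this file sets.
 *
 * $SECURE_COOKIES has to be pulled in with "global": inside a function it is
 * otherwise undefined, which made the Secure flag always 0 when the cookies
 * were cleared.
 */
function itms_clear_login_cookies()
{
    global $SECURE_COOKIES;

    $SSL = ($SECURE_COOKIES == "true") ? 1 : 0;
    foreach (array("user", "pass", "isAdmin", "user_id", "hash") as $cookie_name) {
        setcookie($cookie_name, "", time()-360000, "", "", $SSL);
    }
}

/*
 * Reports whether the request carries a login this file accepts.
 *
 * Requires the "timer" cookie (set outside this file) to be "on" and the
 * "hash" global to equal the recomputed checksum. $_COOKIE replaces the
 * long-deprecated $HTTP_COOKIE_VARS, and the comparison is strict so that two
 * different digests which both look numeric (for example "0e...") are never
 * treated as equal.
 */
function itms_login_cookies_valid($user, $pass)
{
    global $isAdmin;
    global $user_id;
    global $hash;

    if (!isset($_COOKIE["timer"]) || $_COOKIE["timer"] !== "on") {
        return false;
    }
    return $hash === itms_login_checksum($user, $user_id, $isAdmin, $pass);
}

/*
 * Logs in an ITMS user through the DB alone (using the ldap table).
 *
 * Parameters: $username, $password - raw values as received from the request.
 * Returns:    true when the request is accepted as logged in, false otherwise.
 * Globals:    sets $user_id (and $isAdmin for administrators) on a fresh login.
 */
function db_login_user($username, $password)
{
    global $isAdmin;
    global $user_id;
    global $hash;

    $user = make_clean($username);
    $pass = make_clean($password);

    if(isset($user_id) || isset($isAdmin) || isset($hash)) //if they are already logged in
    {
        if(itms_login_cookies_valid($user, $pass))
        {
            return true;
        }
        // Claimed a login but the checksum or timer did not match: drop the cookies.
        itms_clear_login_cookies();
    }
    else //if we have to authenticate the user
    {
        db_open();
        db_use();
        $query = "SELECT user_id, isadmin FROM users WHERE name = '$user'";
        $result = db_query($query); //get the user's info
        $row = db_fetch_row($result);
        if($row)
        {
            $user_id = $row["USER_ID"]; //***Caps Updated***
            $query = "SELECT * FROM ldap WHERE name = '$user'";
            $result = db_query($query); //get the password from ldap table
            if($result)
            {
                $ldap_row = db_fetch_row($result);
                // No row or no stored password must fail closed rather than
                // reach the comparison with a null value.
                $cryptpass = $ldap_row ? $ldap_row["PASSWORD"] : "";
                if($cryptpass !== null && $cryptpass !== ""
                    && $cryptpass === crypt($pass, substr($cryptpass, 0, 2))) //encrypt the password
                {
                    if($row["ISADMIN"]) //***Caps Updated***
                    {
                        $isAdmin = true;
                    }
                    $query_update = "UPDATE users SET last_logged_in=sysdate WHERE user_id='$user_id'";
                    db_query($query_update);
                    return true;
                }
                else
                {
                    message_box("Incorrect Username and/or Password", "error");
                    error_out("Password didn't match for user: " . $user, "LOG_INFO");
                }
            }//end if result
            else
            {
                error_out("Couldn't Query LDAP table", "LOG_INFO");
            }
        }//end if row
        else if($user != "")
        {
            message_box("Incorrect Username and/or Password", "error");
            error_out("Password didn't match for user: " . $user, "LOG_INFO");
        }
    }//end else logging in
    return false;
} //end function db_login_user

/*
 * Logs in an ITMS user through the LDAP directory as well as the DB.
 *
 * Parameters: $username, $password - raw values as received from the request.
 * Returns:    true when the request is accepted as logged in, false otherwise.
 * Globals:    sets $user_id (and $isAdmin for administrators) on a fresh login.
 *
 * NOTE(review): this function reads $row["user_id"] / $row["isadmin"] in lower
 * case while db_login_user() was updated to upper-case keys; confirm which
 * case db_fetch_row() returns.
 * NOTE(review): the directory is read over an anonymous bind and the stored
 * "password" attribute is compared locally. Binding as the user and letting
 * the directory verify the password avoids exposing that attribute.
 */
function ldap_login_user($username, $password)
{
    global $isAdmin;
    global $user_id;
    global $hash;
    global $LDAP_SERVER_ADDRESS;
    global $LDAP_SERVER_PORT;
    global $LDAP_BASE_DN;

    $user = make_clean($username);
    $pass = make_clean($password);

    if(isset($user_id) || isset($isAdmin) || isset($hash)) //if they are already logged in
    {
        if(itms_login_cookies_valid($user, $pass))
        {
            return true;
        }
        // Claimed a login but the checksum or timer did not match: drop the cookies.
        itms_clear_login_cookies();
    }
    else //if we need to authenticate them
    {
        db_open();
        db_use();
        $query = "SELECT user_id, isadmin FROM users WHERE name = '$user'";
        $result = db_query($query); //get user info
        $row = db_fetch_row($result);
        if($row)
        {
            $user_id = $row["user_id"];

            // Stays empty unless the directory returns a password attribute, so
            // a failed connect, bind or search can never satisfy the check below.
            $cryptpass = "";
            $ds = ldap_connect($LDAP_SERVER_ADDRESS, $LDAP_SERVER_PORT); // must be a valid LDAP server!
            if ($ds)
            {
                $r = ldap_bind($ds); // this is an "anonymous" bind, typically read-only access
                // Search surname entry
                $sr = $r ? ldap_search($ds, "cn=$user, " . $LDAP_BASE_DN, "(objectclass=person)") : false;
                if ($sr)
                {
                    $info = ldap_get_entries($ds, $sr);
                    if ($info && isset($info[0]["password"][0]))
                    {
                        $cryptpass = $info[0]["password"][0];
                    }
                }
                ldap_close($ds);
            }
            else
            {
                echo "<h4>Unable to connect to LDAP server</h4>";
            }

            if($cryptpass !== "" && $cryptpass === crypt($pass, substr($cryptpass, 0, 2))) //encrypt password
            {
                if($row["isadmin"])
                {
                    $isAdmin = true;
                }
                db_open();
                db_use();
                $query_update = "UPDATE users SET last_logged_in=sysdate WHERE user_id='$user_id'";
                db_query($query_update);
                return true;
            }
            else
            {
                message_box("Incorrect Username and/or Password", "error");
                error_out("Password didn't match for user: " . $user, "LOG_INFO");
            }
        }//end if row
        else if($user != "")
        {
            message_box("Incorrect Username and/or Password", "error");
            error_out("Password didn't match for user: " . $user, "LOG_INFO");
        }
    }//end else logging in
    return false;
}//end ldap_login_user

// PHP_SELF includes any extra path information from the request URL, so it is
// HTML-escaped before being placed in an attribute. The logo dimensions get
// the same treatment because they are interpolated into attributes as well.
$LOGIN_SELF_HTML = htmlspecialchars((string) $PHP_SELF, ENT_QUOTES);
$LOGIN_LOGO_WIDTH_HTML = htmlspecialchars((string) $LOGO_WIDTH_LOGIN, ENT_QUOTES);
$LOGIN_LOGO_HEIGHT_HTML = htmlspecialchars((string) $LOGO_HEIGHT_LOGIN, ENT_QUOTES);

// The script navigates to the form's own action instead of embedding PHP_SELF
// a second time inside a JavaScript string, which would need its own escaping.
// NOTE(review): login() copies the typed password into a cookie from script,
// unencoded and without the Secure attribute; see the notes in the file header.
$LOGIN_HTML = <<<EOP
<html>
<head>
<title>ITMS Login</title>
<link rel="stylesheet" type="text/css" href="itms.css">
<SCRIPT LANGUAGE="JavaScript">
<!--
function login()
{
    document.cookie = "user=" + document.login_form.user.value;
    document.cookie = "pass=" + document.login_form.pass.value;
    document.location = document.login_form.action;
    return true;
}
//-->
</SCRIPT>
</head>
<body onload="document.login_form.user.focus()">
<form name="login_form" method="post" action="$LOGIN_SELF_HTML">
<div align=center>
<IMG src="images/itms_login.jpg" WIDTH="$LOGIN_LOGO_WIDTH_HTML" HEIGHT="$LOGIN_LOGO_HEIGHT_HTML" border=0 alt="ITMS"><br>
<IMG SRC="images/itms_login_long.jpg" WIDTH="400" HEIGHT="41" BORDER=0 ALT="">
<table>
<tr>
    <td>
        Username:<input type="text" name="user" size="45">
    </td>
</tr>
<tr>
    <td>
        Password:<input type="password" name="pass" size="45">
    </td>
</tr>
<tr>
    <td class="menu-selected">
        <input type="button" value="Login" onClick="login();">
    </td>
</tr>
<tr>
    <td class="table-separator-even">
        <div align="center">
        <font COLOR="#003399" size="1">
        ITMS version 1.0 Copyright © 2001, ValleyData Programming Group<br>
        ITMS comes with ABSOLUTELY NO WARRANTY;<br>
        This is free software, and you are welcome to redistribute it under certain conditions;<br>
        Please see the gpl.txt file for more info<br>
        </font>
        </div>
    </td>
</tr>
</table>
</div>
</form>
</body>
</html>
EOP;

// Pick the back end once; both branches previously repeated the same cookie code.
if($ENABLE_LDAP == "true")
{
    $itms_login_ok = ldap_login_user($user, $pass); //ensure the user is logged in through LDAP
}
else //LDAP disabled
{
    $itms_login_ok = db_login_user($user, $pass); //ensure the user is logged in through DB
}

if(!$itms_login_ok) //otherwise make them login
{
    print($LOGIN_HTML);
    exit;
}

// Refresh the login cookies on every accepted request (session lifetime).
// NOTE(review): the checksum here is computed from the raw $user / $pass while
// the check inside the login functions uses make_clean() output; the two only
// agree when make_clean() leaves the values unchanged.
$SSL = ($SECURE_COOKIES == "true") ? 1 : 0;
setcookie("user", $user, 0, "", "", $SSL);
setcookie("pass", $pass, 0, "", "", $SSL);
setcookie("isAdmin", $isAdmin, 0, "", "", $SSL);
setcookie("user_id", $user_id, 0, "", "", $SSL);
setcookie("hash", itms_login_checksum($user, $user_id, $isAdmin, $pass), 0, "", "", $SSL);
?>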