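<?php

// Fast-login module: signs a user in when the supplied secret key decrypts one
// of the stored `fastlogin_secret` values to that user's own credentials.

// Refuse direct invocation: WBLEGAL must already be defined when this file runs.
if (!defined('WBLEGAL')) die('Kann nicht ohne Personal WebBase ausgeführt werden.');

// NOTE(review): $secretkey is never assigned in this file; presumably the
// including script fills it from the request - confirm. Treat it as untrusted.
if (!isset($secretkey)) $secretkey = '';

if (!$konfiguration[$modul]['enabled'])
{
	// Module switched off in the configuration: show the notice, do nothing else.
	echo $header;
	echo '<h1>'.my_htmlentities($modulueberschrift).'</h1>';
	echo 'Der Administrator hat die Schnellanmeldung deaktiviert.';
	echo $footer;
}
else
{
	$erfolg = 0;

	// Candidates are all non-locked accounts that have a fast-login secret stored.
	$res = db_query("SELECT `username`, `passwort`, `fastlogin_secret`, `last_login`, `last_login_ip` FROM `".$mysql_zugangsdaten['praefix']."users` WHERE `gesperrt` = '0' AND `fastlogin_secret` != ''");
	while ($row = db_fetch($res))
	{
		// Disallow the guest account. Whether the guest account is enabled is not checked here. (see user_login)
		// The loose != is kept on purpose: compared with a strict test it can only
		// exclude more accounts from fast login, never fewer.
		if (($row['username'] != $konfiguration['main_gastzugang']['gast_username']) && ($row['passwort'] != md5($konfiguration['main_gastzugang']['gast_passwort']))) // TODO: use sha3 hash, salted and peppered
		{
			$dec = ib_decrypt($secretkey, $row['fastlogin_secret']);
			$ary = explode("\n", $dec);

			// Plaintext layout checked below:
			// username, special_hash(username), password, special_hash(password).
			if (count($ary) === 4)
			{
				// Strict string comparison. With ==, two numeric-looking strings are
				// compared as numbers, so an md5 digest of the form "0e<digits>" would
				// equal any other digest of that form and the check could be passed
				// without knowing the password.
				// NOTE(review): the users table holds an unsalted md5 of the password;
				// password_hash()/password_verify() is the usual replacement.
				if (((string)$ary[0] === (string)$row['username']) && ((string)$ary[1] === (string)special_hash($ary[0])) &&
				    (md5($ary[2]) === (string)$row['passwort']) && ((string)$ary[3] === (string)special_hash($ary[2]))) // TODO: use sha3 hash, salted and peppered
				{
					$erfolg = 1;
					break; // $row and $ary keep the matched account for the code below
				}
			}
		}
	}

	if ($erfolg)
	{
		// @session_unset();
		// @session_destroy();

		// Issue a fresh session id at the privilege change so that an id planted
		// before the login (session fixation) does not become an authenticated one.
		if (session_id() !== '')
		{
			session_regenerate_id(true);
		}

		$_SESSION['wb_user_type'] = '1';
		$_SESSION['ib_user_username'] = $ary[0];
		// NOTE(review): the clear-text password is placed in the session, so it is
		// exposed wherever session data is stored - confirm whether the rest of the
		// application needs it in this form.
		$_SESSION['ib_user_passwort'] = $ary[2];

		$rs = db_query("SELECT NOW()");
		$rw = db_fetch($rs);

		// Keep the previous login data for display before it is overwritten.
		$_SESSION['last_login'] = $row['last_login'];
		$_SESSION['last_login_ip'] = $row['last_login_ip'];

		// Every interpolated value is escaped, including the server-supplied ones,
		// so the statement stays well-formed whatever the environment provides.
		db_query("UPDATE `".$mysql_zugangsdaten['praefix']."users` SET `last_login` = '".db_escape($rw[0])."', `last_login_ip` = '".db_escape($_SERVER['REMOTE_ADDR'])."' WHERE `username` = '".db_escape($ary[0])."'");

		// NOTE(review): no exit follows the redirect; confirm that the including
		// script emits nothing further on this path.
		header('location: index.php');
	}
	else
	{
		// Same message for every failure, so the response does not reveal which
		// of the checks rejected the key.
		echo $header;
		echo '<h1>'.my_htmlentities($modulueberschrift).'</h1>';
		echo 'Authentifizierung war nicht erfolgreich! Möglichweise ist die Schnellanmelde-URL abgelaufen.';
		echo $footer;
	}
}

?>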