From: Hendrik B. <nh...@us...> - 2010-06-03 21:05:01
Update of /cvsroot/arianne/stendhal_website/content/account In directory sfp-cvsdas-4.v30.ch3.sourceforge.com:/tmp/cvs-serv14828/content/account Modified Files: loginhistory.php Added Files: remindpassword.email approve.php changepassword.php login.php login.css logout.php remind.php Log Message: use nice urls for account related pages, moved pages from /login to /content/account --- NEW FILE: login.php --- <?php require_once('scripts/account.php'); class LoginPage extends Page { public function writeHtmlHeader() { echo '<title>Login'.STENDHAL_TITLE.'</title>'; echo '<meta name="robots" content="noindex">'."\n"; } function writeContent() { /** * Checks to see if the user has submitted his * username and password through the login form, * if so, checks authenticity in database and * creates session. */ if(isset($_POST['sublogin'])){ /* Check that all fields were typed in */ if(!$_POST['user'] || !$_POST['pass']){ die('You didn\'t fill in a required field.'); } /* Spruce up username, check length */ $_POST['user'] = trim($_POST['user']); if(strlen($_POST['user']) > 30){ startBox("Login failed"); echo "Sorry, the username is longer than 30 characters, please shorten it."; endBox(); return; } /* We first check that the username is not banned. */ $result = confirmValidStatus($_POST['user']); /* Check error codes */ if($result == 2){ /* * If result==1 then username doesn't exist, so we let the password check handle it. */ startBox("Login failed"); echo "Sorry. 
Your account is blocked by multiple passwords failures or it has been banned."; endBox(); return; } /* Checks that username is in database and password is correct */ $md5pass = strtoupper(md5($_POST['pass'])); $result = confirmUser($_POST['user'], $md5pass); if ($result === 2) { /* We need to check the pre-Marauroa 2.0 passwords */ $md5pass = strtoupper(md5(md5($_POST['pass'],true))); $result = confirmUser($_POST['user'], $md5pass); } /* Here we log the login attempt, with username, IP and whether failed or successful */ logUserLogin($_POST['user'], $_SERVER['REMOTE_ADDR'], $result == 0); /* Check error codes */ if($result != 0){ startBox("Login failed"); echo "Sorry. You mispelled either username or password.<br>Make sure you have an account at Stendhal."; endBox(); return; } /* Username and password correct, register session variables */ $_POST['user'] = stripslashes($_POST['user']); $_SESSION['username'] = $_POST['user']; $_SESSION['password'] = $md5pass; /** * This is the cool part: the user has requested that we remember that * he's logged in, so we set two cookies. One to hold his username, * and one to hold his md5 encrypted password. We set them both to * expire in 100 days. Now, next time he comes to our site, we will * log him in automatically. */ if(isset($_POST['remember'])){ setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/"); setcookie("cookpass", $_SESSION['password'], time()+60*60*24*100, "/"); } $url = "/"; // TODO: find a better way to whitelist parameters without hardcoding them. 
if ($_POST['url'] == "content/account/meeting") { $url = "/index.php?id=content/account/meeting"; } echo "<meta http-equiv=\"Refresh\" content=\"1;url=".$url."\">"; startBox("Login"); echo '<h1>Login correct.</h1> Moving to main page.'; endBox(); } else { startBox("Login"); ?> <div class="bubble"> Remember not to disclose your username or password to anyone, not even friends or administrators.<br> Check that this webpage URL matchs your game server name. </div> <form action="" method="post"> <table> <tr><td>Username:</td><td><input type="text" name="user" maxlength="30"></td></tr> <tr><td>Password:</td><td><input type="password" name="pass" maxlength="30"></td></tr> <tr><td colspan="2" align="left"><input type="checkbox" name="remember"> <font size="2">Remember me next time</font></td></tr> <tr><td colspan="2" align="right"><input type="submit" name="sublogin" value="Login"></td></tr> </table> <?php // TODO: merge _GET and _POST if (isset($_GET['url'])) { echo '<input type="hidden" name="url" value="'.htmlspecialchars($_GET['url']).'">'; } if (isset($_POST['url'])) { echo '<input type="hidden" name="url" value="'.htmlspecialchars($_POST['url']).'">'; } ?> </form> <?php endBox(); } } } $page = new LoginPage(); ?> --- NEW FILE: remind.php --- <?php require_once('scripts/account.php'); class RemindPage extends Page { public function writeHtmlHeader() { echo '<title>Password Reset'.STENDHAL_TITLE.'</title>'; echo '<meta name="robots" content="noindex">'."\n"; } function writeContent() { /* It is composed of two steps: a) User click new password and we email a md5(rand()) to him IF the account is registered with stendhal. b) The user confirms the link and we effectively change the password. */ if(isset($_POST["forgotpassword"])) { if(!isset($_POST["email"]) or !isset($_POST["account"])) { die('You didn\'t fill in a required field.'); } $email=mysql_real_escape_string($_POST["email"]); if(existsUser($email)) { $signature=strtoupper(md5(rand())); /* Good, store it... 
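Review bot: The successful-login path in LoginPage::writeContent() assigns `$_SESSION['username']` and `$_SESSION['password']` without rotating the session id first, so whatever id the browser held before authentication stays valid afterwards; add `session_regenerate_id(true);` immediately before those two assignments. The remember-me cookies on the same path keep the password hash in the browser for 100 days with neither the HttpOnly nor the Secure flag, so at minimum pass the httponly argument, e.g. `setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/", "", false, true);` (same for `cookpass`, and `secure` once the site is served over HTTPS) — a random per-device token looked up server-side would be a better persistent credential than the hash itself. Both setcookie() calls run after writeHtmlHeader() has already echoed the title, which only works if Page buffers output; presumably it does, but worth confirming.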
*/ $username=getUser($email); $query='insert into remind_password values("'.$username.'","'.$signature.'",null)'; if(!mysql_query($query, getWebsiteDB())) { echo '<span class="error">There has been a problem while sending your password.</span>'; die(); } /* Remove the entry or anything 48 hours old.*/ $q = "delete from remind_password where datediff(now(),requested)>2"; $result = mysql_query($q,getWebsiteDB()); /* ...and email */ $server=$_SERVER["SERVER_NAME"]; $location=str_replace("/index.php","",$_SERVER["PHP_SELF"]); $clientip=$_SERVER['REMOTE_ADDR']; $body=file_get_contents("login/remindpassword.email"); /* Fill variables */ $body=str_replace("[SERVER]",$server.$location,$body); $body=str_replace("[SIGNATURE]",$signature,$body); $body=str_replace("[CLIENTIP]",$clientip,$body); if($body==false) { echo '<span class="error">There has been a problem while getting password email template.</span>'; die(); } $headers = 'From: no...@st...'; if(!mail($email,"Password reset request",$body,$headers)) { echo '<span class="error">There has been a problem while sending your password email.</span>'; die(); } startBox("Password reset link emailed"); ?> We have just sent you a link to reset your password.<br> Check you inbox and follow the email instructions. <p> Back to <a href="?">Main</a> <?php endBox(); } else { startBox("Unregistered account"); ?> The email that you have written is not registered in this server.<p> If you don't remind your email there is no way of reseting your password. 
<p> Back to <a href="?">Main</a> <?php endBox(); } } else { startBox("Forgot your password?"); ?> In case you have forgotten your new password or your account information we can send you it to your email account that you used to create your stendhal account.<p> <form action="" method="post"> <table> <tr><td>Email address:</td><td><input type="text" name="email" maxlength="90"></td></tr> <tr><td>Account:</td><td><input type="text" name="account" maxlength="90"></td></tr> <tr><td><input type="checkbox" name="knowaccount" checked>I do remember my account name.</td></tr> <tr><td colspan="2" align="right"><input type="submit" name="forgotpassword" value="Get new password"></td></tr> </table> </form> <?php endBox(); } } } $page = new RemindPage(); ?> --- NEW FILE: login.css --- .bubble { background-color: yellow; color: black; border: 1px solid black; font-family: arial; font-size: 10px; padding: 3px; margin: 6px; } --- NEW FILE: changepassword.php --- <?php require_once('scripts/account.php'); function validateParameters() { $username = $_SESSION['username']; if(!checkLogin()){ return "You need to login first"; } /* Check that all fields were typed in */ if(!$_SESSION['username'] || !$_POST['pass']){ return 'You didn\'t fill in a required field.'; } /* Checks that username is in database and password is correct */ $md5pass = strtoupper(md5($_POST['pass'])); $result = confirmUser($username, $md5pass); if ($result === 2) { /* We need to check the pre-Marauroa 2.0 passwords */ $md5pass = strtoupper(md5(md5($_POST['pass'],true))); $result = confirmUser($username, $md5pass); } /* Check error codes */ if($result != 0){ logUserPasswordChange($username, $_SERVER['REMOTE_ADDR'], '', 0); return 'Incorrect password, please try again.'; } if($_POST['newpass']!=$_POST['newpass_retype']) { return 'Password incorrectly typed.'; } if(strlen($_POST['newpass']) < 6) { return 'The password needs to be at least 6 characters long.'; } return ""; } function changePassword() { $username = 
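Review bot: The reset token built on the forgotpassword path, `$signature=strtoupper(md5(rand()))`, comes from rand(), which is not a cryptographic source, so the emailed signature should be drawn from a CSPRNG instead (e.g. `bin2hex(openssl_random_pseudo_bytes(16))` on the PHP of this era, `random_bytes()` on PHP 7+); approve.php's createRandomPassword() derives the replacement password from rand() in the same way and should change with it. The template is read from `"login/remindpassword.email"` although this commit adds it under content/account, and the template's link still points at `?id=login/approve` while loginhistory.php is switched to rewriteURL() paths — both look like leftovers of the move, so presumably the path and the link need updating too. The page also answers with a distinct 'Unregistered account' box, which lets anyone tell registered addresses from unregistered ones; a uniform response ('if the address is registered, an email has been sent') avoids that.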
$_SESSION['username']; /* Verify that user is in database */ $md5newpass = strtoupper(md5($_POST['newpass'])); $q = "update account set password='".mysql_real_escape_string($md5newpass)."' where username = '".mysql_real_escape_string($username)."'"; $result = mysql_query($q,getGameDB()); if(mysql_affected_rows()!=1) { die('Problem updating database'); } /* Here we log the pw change, with user id, IP and hash of the old pass */ $md5pass = strtoupper(md5($_POST['pass'])); logUserPasswordChange($username, $_SERVER['REMOTE_ADDR'], $md5pass, 1); /* Username and password correct, register session variables */ $_POST['user'] = $username; $_SESSION['username'] = $username; $_SESSION['password'] = $md5newpass; echo "<meta http-equiv=\"Refresh\" content=\"5;url=?\">"; startBox("Password Change"); echo '<h1>Your password has been changed successfully.</h1> <h4>Remember to update and re-save any login profile you may have stored.</h4> Moving to main page.'; endBox(); } function handleValidationError($error) { startBox("Password Change Failed"); echo '<p>'.htmlspecialchars($error).'</p>'; endBox(); } class ChangePasswordPage extends Page { public function writeHtmlHeader() { echo '<title>Change Password'.STENDHAL_TITLE.'</title>'; echo '<meta name="robots" content="noindex">'."\n"; } function writeContent() { /** * Checks to see if the user has submitted his * username and password through the login form, * if so, checks authenticity in database and * creates session. 
*/ if(isset($_POST['sublogin'])){ $error = validateParameters(); if ($error == '') { changePassword(); } else { handleValidationError($error); } } else { startBox("Change password"); ?> <form action="" method="post"> <table> <tr><td>Old Password:</td><td><input type="password" name="pass" maxlength="30"></td></tr> <tr><td>New Password:</td><td><input type="password" name="newpass" maxlength="30"></td></tr> <tr><td>Retype new Password:</td><td><input type="password" name="newpass_retype" maxlength="30"></td></tr> <tr><td colspan="2" align="right"><input type="submit" name="sublogin" value="Change Password"></td></tr> </table> </form> <?php endBox(); } } } $page = new ChangePasswordPage(); ?> --- NEW FILE: approve.php --- <?php include_once('scripts/mysql.php'); function createRandomPassword() { $chars = "abcdefghijkmnopqrstuvwxyz023456789"; $i = 0; $pass = '' ; $amount=strlen($chars); while ($i <= 7) { $num = rand() % $amount; $pass = $pass . $chars[$num]; $i++; } return $pass; } class ApprovePage extends Page { public function writeHtmlHeader() { echo '<title>Approve Password Reset'.STENDHAL_TITLE.'</title>'; echo '<meta name="robots" content="noindex">'."\n"; } function writeContent() { if(!isset($_GET["sign"])) { die('You didn\'t fill in a required field.'); } $signature=$_GET["sign"]; $signature=mysql_real_escape_string($signature); /* * Get the user name from the username<->hash relation */ $query='select username from remind_password where confirmhash="'.$signature.'"'; $result = mysql_query($query, getWebsiteDB()); if(mysql_numrows($result)!=1) { mysql_free_result($result); startBox("No such username"); ?> We are unable to find a valid username associated to that email account.<p> Your password can not be reset. 
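Review bot: validateParameters() reads `$_SESSION['username']` and `$_POST['pass']` before checkLogin() runs and without isset() guards, so an anonymous or partial POST raises undefined-index notices before the 'You need to login first' return; move the checkLogin() test to the top and guard the form fields, e.g. `if (!isset($_POST['pass'], $_POST['newpass'], $_POST['newpass_retype'])) { return 'You didn\'t fill in a required field.'; }`. In changePassword(), `mysql_affected_rows()!=1` treats a successful UPDATE that wrote an unchanged value as a failure, because MySQL counts rows actually changed — choosing the old password again ends in die('Problem updating database') although nothing went wrong; `$result === false` is the reliable failure signal. The truthiness test `!$_POST['pass']` also rejects the literal password '0', where `=== ''` is the intended check. The form carries no CSRF token, so a state-changing POST from another origin is accepted for a logged-in session.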
<p> Back to <a href="?">Main</a> <?php endBox(); } else { $row=mysql_fetch_assoc($result); $username=$row["username"]; mysql_free_result($result); /* Remove the entry or anything 48 hours old.*/ $q = "delete from remind_password where username = '".mysql_real_escape_string($username)."' or datediff(now(),requested)>2"; $result = mysql_query($q,getWebsiteDB()); /* * Create a random password for it and set it. */ $newpassword=createRandomPassword(); $md5newpass = strtoupper(md5($newpassword)); $q = "update account set password='".mysql_real_escape_string($md5newpass)."' where username = '".mysql_real_escape_string($username)."'"; $result = mysql_query($q,getGameDB()); /* * Show user the new password. */ startBox("New password generated"); ?> Per your request we have reset the password of your account "<b><?php echo $username; ?></b>".<br> Your new password is "<b><?php echo $newpassword; ?></b>". <p> Store it on a secure place. <?php endBox(); } } } $page = new ApprovePage(); ?> --- NEW FILE: logout.php --- <?php require_once('scripts/account.php'); class LogoutPage extends Page { public function writeHtmlHeader() { echo '<title>Logout'.STENDHAL_TITLE.'</title>'; echo '<meta name="robots" content="noindex">'."\n"; } function writeContent() { /** * Delete cookies - the time must be in the past, * so just negate what you added when creating the * cookie. */ if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){ setcookie("cookname", "", time()-60*60*24*100, "/"); setcookie("cookpass", "", time()-60*60*24*100, "/"); } ?> <html> <title>Logging Out</title> <body> <?php startBox("Logout"); if(!checkLogin()){ echo "You are not currently logged in, logout failed. Back to <a href=\"?\">main</a>"; } else{ /* Kill session variables */ unset($_SESSION['username']); unset($_SESSION['password']); $_SESSION = array(); // reset session array session_destroy(); // destroy session. 
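Review bot: The lookup `select username from remind_password where confirmhash=...` in ApprovePage::writeContent() has no age condition, so a token older than the 48 hours the email promises is still honored whenever the cleanup delete (which only runs after this lookup, or from remind.php) has not happened yet; add `and datediff(now(),requested)<=2` to the select so the lifetime is enforced at the point of use. `$username` and `$newpassword` are echoed into the page unescaped — the username comes from the database, so any markup stored in it is rendered; wrap both in `htmlspecialchars()`. `$_GET["sign"]` is escaped for SQL but never checked against the 32-hex-character shape the token has; rejecting anything else early, `if (!preg_match('/^[0-9A-F]{32}$/', $signature)) { die('Invalid request'); }`, keeps arbitrary input away from the query. The result of the password UPDATE on getGameDB() is assigned to `$result` but never inspected, so a failed write still tells the user the password was reset.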
echo "<meta http-equiv=\"Refresh\" content=\"0;url=?\">"; echo "<h1>Logged Out</h1>\n"; echo "You have successfully <b>logged out</b>.<p>Back to <a href=\"?\">main</a>"; } endBox(); } } $page = new LogoutPage(); ?> Index: loginhistory.php =================================================================== RCS file: /cvsroot/arianne/stendhal_website/content/account/loginhistory.php,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** loginhistory.php 3 Jun 2010 20:27:18 -0000 1.4 --- loginhistory.php 3 Jun 2010 21:04:53 -0000 1.5 *************** *** 44,48 **** echo '<p>This is a list of your most recent logins and password changes. ' .'If you suspect unauthorized access to your account, please ' ! . '<a href="/index.php?id=login/changepassword">change your password</a>' .' immediately and contact <code>/support</code> in game.</p>'; --- 44,48 ---- echo '<p>This is a list of your most recent logins and password changes. ' .'If you suspect unauthorized access to your account, please ' ! . '<a href="'.rewriteURL('/account/change-password.html').'">change your password</a>' .' immediately and contact <code>/support</code> in game.</p>'; --- NEW FILE: remindpassword.email --- Hi Someone has requested that the password for your account be reset. If you did not make this request, please simply disregard this e-mail; it is sent only to the address on file for your account, and will become invalid after 48 hours, so you do not have to worry about your account being taken over. To choose a new password, please go to the following URL: http://[SERVER]/?id=login/approve&sign=[SIGNATURE] This request originated from [CLIENTIP] Sincerely, The Stendhal Team |