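<?php
/******************************************************************************************
 Copyright (c) 2013 Christopher W. Olsen <cwolsen@ubixtechnologies.com>
 All rights reserved.

 Redistribution and use in source and binary forms, with or without modification, are
 permitted provided that the following conditions are met:

 Redistributions of source code must retain the above copyright notice, this list of
 conditions, the following disclaimer and the list of authors. Redistributions in binary
 form must reproduce the above copyright notice, this list of conditions, the following
 disclaimer and the list of authors in the documentation and/or other materials provided
 with the distribution. Neither the name of the uBix Cube Project nor the names of its
 contributors may be used to endorse or promote products derived from this software
 without specific prior written permission.

 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
 EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
 THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
 OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
 TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

 $Id: session.php 279 2013-05-08 18:13:26Z reddawg $
 *****************************************************************************************/

/* User Account Level Definitions.
   A lower number is a more privileged group; a session is accepted by Validate()
   only when its gid is <= the minimum gid the calling page demands. */
define("G_ADMIN", 0);
define("G_ACCOUNTING", 10);
define("G_USER", 100);

/**
 * Cookie-backed login session for the uBix Cube management portal.
 *
 * Server-side state lives in the `sessions` table (sessionid, aid, gid,
 * account_number, expire); the browser holds the session id in the `STV`
 * cookie.  Everything else — request parameters, the mysql link resources
 * 'ubixdb' / 'fboxdb', the template engine 'tpl', the page body 'bdy' — is
 * handed in through the $_data array.
 *
 * Security changes made in this revision (review):
 *  - every value interpolated into SQL is escaped with mysql_real_escape_string()
 *    against the link it is sent to, and numeric ids are cast to int.  The legacy
 *    mysql_* extension used throughout this file has no prepared statements, so this
 *    is the best that can be done without moving the whole file to PDO/mysqli.
 *  - session ids are produced by a CSPRNG (32 hex chars, same width as the old
 *    md5(rand()) value, which had only ~10^7 possible values and a time-seeded PRNG).
 *  - the STV cookie is HttpOnly, Secure when served over HTTPS, and is actually
 *    expired on logout / session expiry.
 *  - request data echoed back into HTML (hidden-field replay, username, e-mail,
 *    form action) is HTML-escaped; the submitted password is no longer replayed.
 *  - password recovery matches the e-mail exactly (not LIKE), validates it, and
 *    mails the stored address rather than the attacker-controllable input.
 *  - "no such user" and "wrong password" share one message (no username
 *    enumeration) and the compare is constant-time.
 *
 * Still open, not fixable in this file: accounts.password holds a reversible
 * (urlencoded plaintext) credential and users.pass is mailed in clear text.
 * Both need a schema migration to password_hash() and a token-based reset flow.
 */
class ubSession {
  public $aid;
  public $gid;
  public $account_number;

  /* Account Information (filled by Validate(..., 1)) */
  public $first_name;
  public $last_name;
  public $email;

  private $STV;       /* session id from the STV cookie, or '' */
  private $data;      /* request data / DB links / template engine */
  private $idletime;  /* seconds of inactivity before a session expires */
  private $minGID;    /* most permissive gid the current page accepts */

  /**
   * Set up defaults.
   *
   * @param array  $_data     request data, DB links and template engine
   * @param int    $_idletime idle timeout in seconds (default 30 min)
   * @param string $_STV      session id presented by the client ('' if none)
   *
   * NOTE(review): the assignment below copies the array; it is not a pointer to
   * the caller's data despite the original comment.  Objects inside it (the
   * template engine) are still shared.  Use "= &$_data" if callers rely on
   * write-back — TODO confirm against the callers.
   */
  public function __construct(&$_data, $_idletime = 1800, $_STV = '') {
    $this->data = $_data;
    $this->idletime = (int)$_idletime;
    $this->STV = (string)$_STV;
  }

  /**
   * Entry point: establish, continue, end or recover a session.
   *
   * Paths, in priority order: password recovery (data[recpass]=p), logout
   * (data[logout]=yes), continue an existing cookie session (STV set and no
   * login form submitted), otherwise show the login form / process a login.
   * Every path that ends without a valid session prints the login page and
   * exits; only a valid session returns to the caller.
   *
   * @param int $_minGID most permissive gid allowed on this page
   * @param int $getAD   1 to also load first_name/last_name/email
   */
  public function Validate($_minGID = G_ADMIN, $getAD = 0) {
    $this->minGID = $_minGID;
    $db = $this->data['ubixdb'];

    /* Clean Up Expired Sessions */
    mysql_query("DELETE FROM sessions WHERE expire <= " . time(), $db);

    if (isset($this->data['recpass']) && $this->data['recpass'] == 'p') {
      $this->session_recoverPassword();
    } else if (isset($this->data['logout']) && $this->data['logout'] == 'yes') {
      if ($this->STV !== '') {
        mysql_query("DELETE FROM sessions WHERE sessionid = '"
                    . $this->session_sqlString($this->STV, $db) . "'", $db);
      }
      /* drop the cookie too, not just the row, so the old id is never re-sent */
      $this->session_setCookie('');
      $this->session_new();
    } else if ($this->STV != '' && !isset($this->data['login'])) {
      $this->session_continue();
    } else {
      $this->session_new();
    }

    if ($getAD == 1) $this->session_getAccountInfo();
  } /* End Validate */

  /* Escape $value for use inside a single-quoted SQL literal sent over $link. */
  private function session_sqlString($value, $link) {
    return mysql_real_escape_string((string)$value, $link);
  }

  /* HTML-escape $value before echoing it into the page. */
  private function session_html($value) {
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
  }

  /**
   * Emit the STV cookie.  An empty $value clears it (expiry in the past).
   * HttpOnly keeps the id away from script; Secure is added when the request
   * came in over HTTPS (behind a TLS-terminating proxy $_SERVER['HTTPS'] may be
   * unset — then the cookie is simply not marked Secure, as before).
   */
  private function session_setCookie($value) {
    $cookie = "STV=" . $value . "; path=/; HttpOnly";
    if ($value === '') {
      $cookie .= "; expires=Thu, 01 Jan 1970 00:00:00 GMT";
    }
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
      $cookie .= "; Secure";
    }
    header("Set-Cookie: " . $cookie);
  }

  /**
   * Produce an unpredictable session id: 16 random bytes as 32 hex chars, the
   * same width the old md5() value had, so the sessions.sessionid column need
   * not change.  Fails closed rather than falling back to rand().
   */
  private function session_newId() {
    if (function_exists('random_bytes')) {
      return bin2hex(random_bytes(16));
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
      $strong = false;
      $bytes = openssl_random_pseudo_bytes(16, $strong);
      if ($bytes !== false && $strong) {
        return bin2hex($bytes);
      }
    }
    trigger_error("No cryptographically secure random source available for session ids", E_USER_ERROR);
    exit;
  }

  /**
   * Continue the session named by the STV cookie.
   * Loads aid/gid/account_number, enforces minGID, slides the idle expiry and
   * re-sends the cookie.  An unknown/expired id clears the cookie, prints the
   * login page and exits.
   */
  private function session_continue() {
    $db = $this->data['ubixdb'];
    $sid = $this->session_sqlString($this->STV, $db);

    $result = mysql_query("SELECT aid,gid,account_number FROM sessions WHERE sessionid = '" . $sid . "'", $db);
    if ($result !== false && mysql_num_rows($result) > 0) {
      $this->aid = (int)mysql_result($result, 0, 'aid');
      $this->gid = (int)mysql_result($result, 0, 'gid');
      $this->account_number = mysql_result($result, 0, 'account_number');

      if ($this->gid > $this->minGID) $this->session_accessDenied();  /* does not return */

      /* slide the idle timeout forward from now */
      $exp = time() + $this->idletime;
      mysql_query("UPDATE sessions SET expire = " . $exp . " WHERE sessionid = '" . $sid . "'", $db);
      $this->session_setCookie($this->STV);
    } else {
      $this->session_setCookie('');
      $this->data['bdy'] = "<p align=\"center\" class=\"error\">Your login has expired.</p>";
      $this->session_new();  /* prints the login page and exits */
      exit;
    }
  } /* End session_continue */

  /* Reject a session whose gid is above minGID: show the login page and exit. */
  private function session_accessDenied() {
    $this->data['bdy'] = "<p align=\"center\" class=\"error\">Access Denied</p>";
    $this->data['login'] = '';
    $this->session_new();  /* login is '' here, so this prints the form and exits */
  }

  /**
   * Load first_name/last_name/email for the current aid.
   * @return int 1 when the account row was found, 0 otherwise
   */
  private function session_getAccountInfo() {
    $result = mysql_query("SELECT first_name,last_name,email FROM accounts WHERE aid = " . (int)$this->aid,
                          $this->data['ubixdb']);
    /* mysql_fetch_assoc() returns false (not null) when there is no row — the
       old "!== null" test was always true and produced notices on a miss */
    $qData = ($result !== false) ? mysql_fetch_assoc($result) : false;
    if ($qData) {
      $this->first_name = $qData['first_name'];
      $this->last_name = $qData['last_name'];
      $this->email = $qData['email'];
      return 1;
    }
    return 0;
  }

  /**
   * Password Recovery.
   * Step 0 (no rstep): ask for an e-mail address.  Step 1: look the address up
   * in fboxdb.users and mail the account details to it.  Always prints the
   * login template and exits.
   *
   * SECURITY(review): this flow mails users.pass in clear text.  It should be
   * replaced by a single-use reset token; that needs a schema change and is
   * out of scope here.  What IS fixed here: the lookup is an exact, escaped
   * match (the old LIKE let "_"/"%" in the supplied address match another
   * user's row), the address is validated so it cannot carry CR/LF into the
   * mail headers, and the user-supplied string is escaped before being echoed.
   */
  private function session_recoverPassword() {
    $rstep = isset($this->data['rstep']) ? $this->data['rstep'] : "";

    if ($rstep == "") {
      $action = isset($this->data['PHP_SELF']) ? $this->data['PHP_SELF'] : '';
      $bdy  = "<form method=\"post\" action=\"" . $this->session_html($action) . "\">\n";
      $bdy .= "<input type=\"hidden\" name=\"data[rstep]\" value=\"1\">\n";
      $bdy .= "<h1>Please enter your e-mail to help recover your access</h1>\n";
      $bdy .= "E-Mail Address: <input type=\"text\" name=\"data[email]\"><br>\n";
      $bdy .= "<input type=\"submit\" value=\"Continue\">\n";
      $bdy .= "</form>\n";
      $this->data['bdy'] = $bdy;
    } else {
      $db = $this->data['fboxdb'];
      $email = isset($this->data['email']) ? trim((string)$this->data['email']) : '';
      $safeEmail = $this->session_html($email);

      $result = false;
      if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
        $result = mysql_query("select firstname,lastname,username,pass from users where email = '"
                              . $this->session_sqlString($email, $db) . "'", $db);
      }

      if ($result !== false && mysql_num_rows($result) > 0) {
        $username = mysql_result($result, 0, 'username');
        $pass = mysql_result($result, 0, 'pass');
        $message = "Here are your account details:\n\nUsername: $username\nPassword: $pass\n\nCustomer Service\n\n";

        /* display name from the DB, with any line breaks removed so it cannot
           inject additional mail headers; the address is the validated one */
        $name = mysql_result($result, 0, 'firstname') . " " . mysql_result($result, 0, 'lastname');
        $name = str_replace(array("\r", "\n"), '', $name);
        $to = $name . " <" . $email . ">";
        mail($to, "FreedomBox: Password Recovery", $message, "From: FreedomBox Support <support@freedombox.com>");

        $this->data['bdy'] = "Your login information has been sent to " . $safeEmail . "<br>";
        $this->data['bdy'] .= "Please <a href=\"/\">Click Here</a> to login.";
      } else {
        $this->data['bdy'] = "We could not locate " . $safeEmail . " in our system.<br>";
        $this->data['bdy'] .= "Please <a href=\"/?data[recpass]=p\">Click Here</a> to try again.";
      }
    }

    $this->data['tpl']->define(array('index' => "index/index_login.html"));
    $this->data['tpl']->assign('BODY', $this->data['bdy']);
    $this->data['tpl']->parse('INDEX', array("index"));
    $this->data['tpl']->FastPrint("INDEX");
    exit(0);
  } /* End session_recoverPassword */

  /**
   * Start a new session.  Without a submitted login (data[login] unset or '')
   * the login form is printed and the script exits; otherwise the submitted
   * username/password are checked and, on success, a session row and cookie
   * are created.
   */
  private function session_new() {
    if (!isset($this->data['login']) || $this->data['login'] == '') {
      $this->session_loginForm();  /* prints and exits */
    }
    $this->session_login();
  } /* End session_new() */

  /**
   * Print the login form (with any pending message in data['bdy']) and exit.
   * The original request is replayed as hidden fields so it survives the
   * login round-trip.  Non-string entries (DB links, objects), the page body
   * and the submitted password are not replayed — the password must never be
   * written back into page source, and the explicit <INPUT TYPE=PASSWORD>
   * below overrides the hidden one anyway.
   */
  private function session_loginForm() {
    $this->data['login'] = "yes";
    if (!isset($this->data['bdy'])) $this->data['bdy'] = "";

    $url = isset($this->data['url']) ? $this->data['url'] : '';
    $bdy  = "<FORM METHOD=\"POST\" ACTION=\"" . $this->session_html($url) . "\">\n";
    $bdy .= "<h1>Welcome To The uBix Cube Managmenet Portal</h1>\n";
    $bdy .= "<table border=\"0\">\n";

    $skip = array("tpl", "bdy", "pass");
    foreach ($this->data as $key => $val) {
      if ($key == "login") $val = "yes";
      if (in_array($key, $skip, true) || !is_string($val)) continue;
      $bdy .= "<input type=\"hidden\" name=\"data[" . $this->session_html($key) . "]\" value=\""
              . $this->session_html($val) . "\">\n";
    }

    $username = isset($this->data['username']) ? $this->session_html($this->data['username']) : '';
    $bdy .= "<TR><TD>Username:</TD><TD><INPUT TYPE=TEXT NAME=\"data[username]\" VALUE=\"" . $username . "\"></TD></TR>\n";
    $bdy .= "<TR><TD>Password:</TD><TD><INPUT TYPE=PASSWORD NAME=data[pass] VALUE=\"\"></TD></TR>\n";
    $bdy .= "<TR><TD> </TD><TD><INPUT TYPE=SUBMIT NAME=\"sub\" VALUE=\"Login\"></TD></TR>\n";
    $bdy .= "<tr><td colspan=\"2\"><a href=\"?data[recpass]=p\">Forgot username/password?</a></td></tr>\n";
    $bdy .= "</table>\n</FORM>\n";
    $this->data['bdy'] .= $bdy;

    $this->data['tpl']->define(array("index" => "index/index_login.html"));
    $this->data['tpl']->assign('BODY', $this->data['bdy']);
    $this->data['tpl']->parse('INDEX', array("index"));
    $this->data['tpl']->FastPrint("INDEX");
    exit;
  }

  /**
   * Check data[username]/data[pass] against the accounts table and open a
   * session.  A failed check re-displays the form (and exits) with one
   * message for both unknown user and bad password.
   *
   * SECURITY(review): accounts.password is compared directly against
   * urlencode(data[pass]), i.e. the column stores a reversible credential.
   * Migrate to password_hash()/password_verify(); only the comparison is
   * hardened (constant-time) here.
   */
  private function session_login() {
    $db = $this->data['ubixdb'];
    $username = isset($this->data['username']) ? (string)$this->data['username'] : '';
    $supplied = isset($this->data['pass']) ? urlencode((string)$this->data['pass']) : '';

    $result = mysql_query("SELECT aid,gid,account_number,password FROM accounts WHERE username = '"
                          . $this->session_sqlString($username, $db) . "'", $db);

    $ok = ($result !== false && mysql_num_rows($result) > 0)
          && hash_equals((string)mysql_result($result, 0, 'password'), $supplied);
    if (!$ok) {
      $this->data['bdy'] = "<p align=\"center\" class=\"error\">Sorry Incorrect Username or Password.</p>";
      $this->data['login'] = '';
      $this->session_new();  /* prints the form and exits */
      return;
    }

    $this->aid = (int)mysql_result($result, 0, 'aid');
    $this->gid = (int)mysql_result($result, 0, 'gid');
    $this->account_number = mysql_result($result, 0, 'account_number');
    if ($this->gid > $this->minGID) $this->session_accessDenied();  /* does not return */

    /* fresh, unpredictable id on every login (no fixation from a prior cookie) */
    $session = $this->session_newId();
    $this->STV = $session;
    $exp = time() + $this->idletime;

    mysql_query("INSERT INTO sessions (sessionid,aid,gid,account_number,expire) VALUES('" . $session . "',"
                . $this->aid . "," . $this->gid . ",'"
                . $this->session_sqlString($this->account_number, $db) . "'," . $exp . ")", $db);
    mysql_query("UPDATE accounts SET lastlogon = " . time() . " WHERE aid = " . $this->aid, $db);

    $this->session_setCookie($session);
  }
} /* End Class */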