db->select('wu.*', $modx->getFullTableName('web_users'), "wu.id='".$modx->db->escape($id)."'"); if($row = $modx->db->getRow($ds)) { $username = $row["username"]; list($newpwd,$newpwdkey) = explode("|",$row['cachepwd']); if($newpwdkey!=$pwdkey) { $output = webLoginAlert("Invalid password activation key. Your password was NOT activated."); return; } // activate new password $modx->db->update( array( 'password' => md5($newpwd), 'cachepwd' => '', ), $modx->getFullTableName('web_users'), "id='{$row['id']}'" ); // unblock user by resetting "blockeduntil" $modx->db->update( array( 'blockeduntil' => 0, ), $modx->getFullTableName('web_user_attributes'), "internalKey='{$row['id']}'" ); // invoke OnWebChangePassword event $modx->invokeEvent("OnWebChangePassword", array( "userid" => $id, "username" => $username, "userpassword" => $newpwd )); if(!$pwdActId) $output = webLoginAlert("Your new password was successfully activated."); else { // redirect to password activation notification page $url = $modx->makeURL($pwdActId); $modx->sendRedirect($url,0,'REDIRECT_REFRESH'); } } else { // error $output = webLoginAlert("Error while loading user account. Please contact the Site Administrator"); } return; } # process password reminder if ($isPWDReminder==1) { $email = $_POST['txtwebemail']; $webpwdreminder_message = $modx->config['webpwdreminder_message']; $emailsubject = $modx->config['emailsubject']; $emailsender = $modx->config['emailsender']; $site_name = $modx->config['site_name']; // lookup account $ds = $modx->db->select( 'wu.*, wua.fullname', $modx->getFullTableName('web_users')." AS wu INNER JOIN ".$modx->getFullTableName('web_user_attributes')." AS wua ON wua.internalkey=wu.id", "wua.email='".$modx->db->escape($email)."'"); if($row = $modx->db->getRow($ds)) { $newpwd = webLoginGeneratePassword(8); $newpwdkey = webLoginGeneratePassword(8); // activation key //save new password $modx->db->update( array( 'cachepwd' => "{$newpwd}|{$newpwdkey}", ), $modx->getFullTableName('web_users'), "id='{$row['id']}'" ); // built activation url $xhtmlUrlSetting = $modx->config['xhtml_urls']; $modx->config['xhtml_urls'] = false; if($_SERVER['SERVER_PORT']!='80') { $url = $modx->config['server_protocol'].'://'.$_SERVER['SERVER_NAME'].':'.$_SERVER['SERVER_PORT'].$modx->makeURL($modx->documentIdentifier,'',"webloginmode=actp&wli=".$row['id']."&wlk=".$newpwdkey); } else { $url = $modx->config['server_protocol'].'://'.$_SERVER['SERVER_NAME'].$modx->makeURL($modx->documentIdentifier,'',"webloginmode=actp&wli=".$row['id']."&wlk=".$newpwdkey); } $modx->config['xhtml_urls'] = $xhtmlUrlSetting; // replace placeholders and send email $message = str_replace("[+uid+]",$row['username'],$webpwdreminder_message); $message = str_replace("[+pwd+]",$newpwd,$message); $message = str_replace("[+ufn+]",$row['fullname'],$message); $message = str_replace("[+sname+]",$site_name,$message); $message = str_replace("[+semail+]",$emailsender,$message); $message = str_replace("[+surl+]",$url,$message); if (!ini_get('safe_mode')) $sent = mail($email, "New Password Activation for $site_name", $message, "From: ".$emailsender."\r\n"."X-Mailer: MODX Content Manager - PHP/".phpversion(), "-f {$emailsender}"); else $sent = mail($email, "New Password Activation for $site_name", $message, "From: ".$emailsender."\r\n"."X-Mailer: MODX Content Manager - PHP/".phpversion()); if(!$sent) { // error $output = webLoginAlert("Error while sending mail to $email. Please contact the Site Administrator"); return; } if(!$pwdReqId) $output = webLoginAlert("Please check your email account ($email) for login instructions."); else { // redirect to password request notification page $url = $modx->makeURL($pwdReqId); $modx->sendRedirect($url,0,'REDIRECT_REFRESH'); } } else { $output = webLoginAlert("We are sorry! We cannot locate an account using that email."); } return; } # process logout if ($isLogOut==1){ $internalKey = $_SESSION['webInternalKey']; $username = $_SESSION['webShortname']; // invoke OnBeforeWebLogout event $modx->invokeEvent("OnBeforeWebLogout", array( "userid" => $internalKey, "username" => $username )); // if we were launched from the manager // do NOT destroy session if(isset($_SESSION['mgrValidated'])) { unset($_SESSION['webShortname']); unset($_SESSION['webFullname']); unset($_SESSION['webEmail']); unset($_SESSION['webValidated']); unset($_SESSION['webInternalKey']); unset($_SESSION['webValid']); unset($_SESSION['webUser']); unset($_SESSION['webFailedlogins']); unset($_SESSION['webLastlogin']); unset($_SESSION['webnrlogins']); unset($_SESSION['webUsrConfigSet']); unset($_SESSION['webUserGroupNames']); unset($_SESSION['webDocgroups']); } else { // Unset all of the session variables. // $_SESSION = array(); // destroy session cookie if (isset($_COOKIE[session_name()])) { setcookie(session_name(), '', 0, MODX_BASE_URL); } session_destroy(); // $sessionID = md5(date('d-m-Y H:i:s')); // session_id($sessionID); // startCMSSession(); // session_destroy(); } // invoke OnWebLogout event $modx->invokeEvent("OnWebLogout", array( "userid" => $internalKey, "username" => $username )); // redirect to first authorized logout page $url = preserveUrl($loHomeId); $modx->sendRedirect($url,0,'REDIRECT_REFRESH'); return; } # process login $username = $modx->db->escape(htmlspecialchars($_POST['username'], ENT_QUOTES)); $givenPassword = $modx->db->escape($_POST['password']); $captcha_code = isset($_POST['captcha_code'])? $_POST['captcha_code']: ''; $rememberme = $_POST['rememberme']; // invoke OnBeforeWebLogin event $modx->invokeEvent("OnBeforeWebLogin", array( "username" => $username, "userpassword" => $givenPassword, "rememberme" => $rememberme )); $ds = $modx->db->select( 'wu.*, wua.fullname', $modx->getFullTableName('web_users')." AS wu, ".$modx->getFullTableName('web_user_attributes')." AS wua", "BINARY wu.username='{$username}' AND wua.internalKey=wu.id"); $row = $modx->db->getRow($ds); if(!$row) { $output = webLoginAlert("Incorrect username or password entered!"); return; } $internalKey = $row['id']; $dbasePassword = $row['password']; $failedlogins = $row['failedlogincount']; $blocked = $row['blocked']; $blockeduntildate = $row['blockeduntil']; $blockedafterdate = $row['blockedafter']; $registeredsessionid = $row['sessionid']; $role = $row['role']; $lastlogin = $row['lastlogin']; $nrlogins = $row['logincount']; $fullname = $row['fullname']; //$sessionRegistered = checkSession(); $email = $row['email']; // load user settings if($internalKey){ $result = $modx->db->select('setting_name, setting_value', $modx->getFullTableName('web_user_settings'), "webuser='{$internalKey}'"); while ($row = $modx->db->getRow($result)) { $modx->config[$row['setting_name']] = $row['setting_value']; } } if($failedlogins>=$modx->config['failed_login_attempts'] && $blockeduntildate>time()) { // blocked due to number of login errors. session_destroy(); session_unset(); $output = webLoginAlert("Due to too many failed logins, you have been blocked!"); return; } if($failedlogins>=$modx->config['failed_login_attempts'] && $blockeduntildatedb->update( array( 'failedlogincount' => 0, 'blockeduntil' => (time()-1), ), $modx->getFullTableName('web_user_attributes'), "internalKey='{$internalKey}'" ); } if($blocked=="1") { // this user has been blocked by an admin, so no way he's loggin in! session_destroy(); session_unset(); $output = webLoginAlert("You are blocked and cannot log in!"); return; } // blockuntil if($blockeduntildate>time()) { // this user has a block until date session_destroy(); session_unset(); $output = webLoginAlert("You are blocked and cannot log in! Please try again later."); return; } // blockafter if($blockedafterdate>0 && $blockedafterdateconfig['allowed_ip'])) { if (strpos($modx->config['allowed_ip'],$_SERVER['REMOTE_ADDR'])===false) { $output = webLoginAlert("You are not allowed to login from this location."); return; } } // allowed days if (isset($modx->config['allowed_days'])) { $date = getdate(); $day = $date['wday']+1; if (strpos($modx->config['allowed_days'],"$day")===false) { $output = webLoginAlert("You are not allowed to login at this time. Please try again later."); return; } } // invoke OnWebAuthentication event $rt = $modx->invokeEvent("OnWebAuthentication", array( "userid" => $internalKey, "username" => $username, "userpassword" => $givenPassword, "savedpassword" => $dbasePassword, "rememberme" => $rememberme )); // check if plugin authenticated the user if (!$rt||(is_array($rt) && !in_array(TRUE,$rt))) { // check user password - local authentication if($dbasePassword != md5($givenPassword)) { $output = webLoginAlert("Incorrect username or password entered!"); $newloginerror = 1; } } if(isset($modx->config['use_captcha']) && $modx->config['use_captcha']==1 && isset($_POST['cmdwebsignup'])) { if($_SESSION['veriword']!=$captcha_code) { $output = webLoginAlert("The security code you entered didn't validate! Please try to login again!"); $newloginerror = 1; } } if(isset($newloginerror) && $newloginerror==1) { $failedlogins += $newloginerror; if($failedlogins>=$modx->config['failed_login_attempts']) { //increment the failed login counter, and block! $modx->db->update( array( 'failedlogincount' => $failedlogins, 'blocked' => 1, 'blockeduntil' => (time()+($modx->config['blocked_minutes']*60)), ), $modx->getFullTableName('web_user_attributes'), "internalKey='{$internalKey}'" ); } else { //increment the failed login counter $modx->db->update( array( 'failedlogincount' => $failedlogins, ), $modx->getFullTableName('web_user_attributes'), "internalKey='{$internalKey}'" ); } session_destroy(); session_unset(); return; } $currentsessionid = session_id(); if(!isset($_SESSION['webValidated'])) { $modx->db->update( "failedlogincount=0, logincount=logincount+1, lastlogin=thislogin, thislogin=".time().", sessionid='{$currentsessionid}'", $modx->getFullTableName('web_user_attributes'), "internalKey='{$internalKey}'" ); } $_SESSION['webShortname']=$username; $_SESSION['webFullname']=$fullname; $_SESSION['webEmail']=$email; $_SESSION['webValidated']=1; $_SESSION['webInternalKey']=$internalKey; $_SESSION['webValid']=base64_encode($givenPassword); $_SESSION['webUser']=base64_encode($username); $_SESSION['webFailedlogins']=$failedlogins; $_SESSION['webLastlogin']=$lastlogin; $_SESSION['webnrlogins']=$nrlogins; $_SESSION['webUserGroupNames'] = ''; // reset user group names // get user's document groups $ds = $modx->db->select( 'uga.documentgroup', $modx->getFullTableName('web_groups')." AS ug INNER JOIN ".$modx->getFullTableName('webgroup_access')." AS uga ON uga.webgroup=ug.webgroup", "webuser='{$internalKey}'" ); $_SESSION['webDocgroups'] = $modx->db->getColumn('documentgroup', $ds); $ds = $modx->db->select( 'wgn.name', $modx->getFullTableName('webgroup_names')." AS wgn INNER JOIN ".$modx->getFullTableName('web_groups')." AS wg ON wg.webgroup=wgn.id AND wg.webuser='{$internalKey}'" ); $grpNames= $this->db->getColumn("name", $ds); $_SESSION['webUserGroupNames']= $grpNames; if($rememberme) { $_SESSION['modx.web.session.cookie.lifetime']= intval($modx->config['session.cookie.lifetime']); } else { $_SESSION['modx.web.session.cookie.lifetime']= 0; } $log = new logHandler; $log->initAndWriteLog("Logged in", $_SESSION['webInternalKey'], $_SESSION['webShortname'], "58", "-", "WebLogin"); // get login home page $ok=false; if(isset($modx->config['login_home']) && $id=$modx->config['login_home']) { if ($modx->getPageInfo($id)) $ok = true; } if (!$ok) { // check if a login home id page was set foreach($liHomeId as $id) { $id = trim($id); if ($modx->getPageInfo($id)) {$ok=true; break;} } } // update active users list if redirectinq to another page if($id!=$modx->documentIdentifier) { if (getenv("HTTP_CLIENT_IP")) $ip = getenv("HTTP_CLIENT_IP");else if(getenv("HTTP_X_FORWARDED_FOR")) $ip = getenv("HTTP_X_FORWARDED_FOR");else if(getenv("REMOTE_ADDR")) $ip = getenv("REMOTE_ADDR");else $ip = "UNKNOWN";$_SESSION['ip'] = $ip; $itemid = isset($_REQUEST['id']) ? $_REQUEST['id'] : 'NULL' ;$lasthittime = time();$a = 998; if($a!=1) { // web users are stored with negative id $sql = "REPLACE INTO ".$modx->getFullTableName('active_users')." (internalKey, username, lasthit, action, id, ip) values(-{$_SESSION['webInternalKey']}, '{$_SESSION['webShortname']}', '{$lasthittime}', '{$a}', {$itemid}, '{$ip}')"; $modx->db->query($sql); } } // invoke OnWebLogin event $modx->invokeEvent("OnWebLogin", array( "userid" => $internalKey, "username" => $username, "userpassword" => $givenPassword, "rememberme" => $_POST['rememberme'] )); // redirect if(isset($_REQUEST['refurl']) && !empty($_REQUEST['refurl'])) { // last accessed page $targetPageId= urldecode($_REQUEST['refurl']); if (strpos($targetPageId, 'q=') !== false) { $urlPos = strpos($targetPageId, 'q=')+2; $alias = substr($targetPageId, $urlPos); $aliasLength = (strpos($alias, '&'))? strpos($alias, '&'): strlen($alias); $alias = substr($alias, 0, $aliasLength); $url = $modx->config['base_url'] . $alias; } elseif (intval($targetPageId)) { $url = preserveUrl($targetPageId); } else { $url = urldecode($_REQUEST['refurl']); } $modx->sendRedirect($url); } else { // login home page $url = preserveUrl($id); $modx->sendRedirect($url); } return; ?>