1<?php
2/* Force https */
3/*
4if (!isset($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != "on") {
5    $name = basename($_SERVER["SCRIPT_NAME"]);
6    if ($name === 'login.php') {
7        header("Location: https://master.php.net/" . $name);
8    } else {
9        header("Location: https://master.php.net/manage/" . $name);
10    }
11    exit;
12}
13 */
14
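// Login gate: resolves credentials from the POST body or the session, checks
// them with verify_password(), and on failure renders the login form and exits.
// Code after this block therefore runs only for verified credentials.
session_start();
/* $Id$ */

// verify_password() and hsc() are not defined in this file; presumably they
// come from these includes -- confirm.
require 'cvs-auth.inc';
require 'functions.inc';

// User not logged in
$cuser = $cpw = FALSE;

if (isset($_POST["user"], $_POST["pw"])) {
    // Request fields may arrive as arrays (e.g. user[]=...). Only plain strings
    // are accepted as credentials; anything else leaves $cuser/$cpw FALSE so the
    // request is answered with the login form instead of reaching
    // verify_password() or hsc() with a non-string value.
    if (is_string($_POST['user']) && is_string($_POST['pw'])) {
        list($cuser, $cpw) = [$_POST['user'], $_POST['pw']];
    }
} elseif (isset($_SESSION["credentials"]) && count($_SESSION["credentials"]) == 2) {
    // The session entry is a [username, password] pair and is re-verified on
    // every request that reaches this file.
    list($cuser, $cpw) = $_SESSION["credentials"];
}

// Login form, if the user is not yet logged in
if (!$cuser || !$cpw || !verify_password($cuser,$cpw)) {
    // Drop any session state tied to the rejected credentials.
    $_SESSION = [];
    session_destroy();

    // IS_DEV was 1 or 0 until 22 Feb 2012. It's now a @php.net username hint.
    // Both the cookie and the POST field are client-controlled: they are used
    // only as a pre-fill value, only when they are strings, and always escaped.
    $cuser = '';
    if (isset($_COOKIE['IS_DEV']) && is_string($_COOKIE['IS_DEV']) && !is_numeric($_COOKIE['IS_DEV'])) {
        $cuser = hsc($_COOKIE['IS_DEV']);
    } elseif (!empty($_POST['user']) && is_string($_POST['user'])) {
        $cuser = hsc($_POST['user']);
    }
?>

<html>
<head>
 <title>You must log in!</title>
</head>
<body>
<?php /* SCRIPT_NAME is escaped like every other value written into an attribute. */ ?>
<form method="post" action="<?php echo hsc($_SERVER['SCRIPT_NAME']), query_string();?>">
<?php preserve_form_fields();?>
<input type="hidden" name="save" value="1" />
<table>
 <tr>
  <th align="right">Username:</th>
  <td><input type="text" name="user" value="<?php echo $cuser;?>" />@php.net</td>
 </tr>
 <tr>
  <th align="right">Password:</th>
<?php /* The rejected password is deliberately not written back into the page:
         a pre-filled value would expose it in the HTML source and in caches. */ ?>
  <td><input type="password" name="pw" value="" />
<?php if ($cpw): ?>
        <a href="/forgot.php">Forgot your password?</a>
<?php endif ?>
    </td>
 </tr>
 <tr>
  <td></td><td><input type="submit" value="Login" /></td>
 </tr>
<?php if ($cpw): ?>
<?php
    // A password was supplied and rejected: show one of the failure messages.
    // The wording does not reveal whether the username or the password was wrong.
    $msgs = [
        "Nope.. Wrong (username?) password",
        "Nope.. Thats not it",
        "This isn't going very well..",
    ];
    shuffle($msgs);
    $msg = array_pop($msgs);
?>
 <tr>
 <td colspan="2"><?php echo $msg ?></td>
 </tr>
<?php endif ?>
</table>
</form>
</body>
</html>
<?php
  // Stop here so the including script never runs for an unauthenticated request.
  exit;
}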
91
// Reached only when the credential check above did not exit, i.e. verify_password()
// accepted the credentials. This runs both for a fresh POST login and for
// credentials replayed from the session.
// NOTE(review): session_regenerate_id() is called without its delete-old-session
// argument, so the data stored under the previous session ID is not removed here.
// Consider deleting the old session when the credentials came from a fresh login.
session_regenerate_id();
// At this point, we have logged in successfully
// NOTE(review): the password is kept in the session exactly as it was supplied,
// so anything able to read session storage can read it. Storing only the
// verified username (or a server-side token) would avoid that -- confirm
// whether other scripts read $_SESSION["credentials"] before changing it.
$_SESSION["credentials"] = [$cuser, $cpw];
$_SESSION["username"] = $cuser;

// Killing magic cookie
// The cookie is expired twice: once for the .php.net domain and once as a
// host-only cookie, so either variant is removed.
// NOTE(review): $ts is not assigned anywhere in this file; presumably it is a
// timestamp set by one of the required includes -- confirm.
setcookie("MAGIC_COOKIE","",$ts-3600,'/','.php.net');
setcookie("MAGIC_COOKIE","",$ts-3600,'/');

// Set a cookie to tell various .php.net services that the user is probably logged in
// The username is saved here so we can automagically fill it in during login prompts
// Arguments: lifetime is 12 days from $ts, path '/', domain '.php.net',
// secure = false, httponly = true. The cookie is only a hint and is
// client-controlled when it comes back, so it must not be treated as proof of login.
// NOTE(review): with secure = false the username is also sent over plain HTTP,
// and the HTTPS redirect at the top of this file is commented out -- confirm
// that TLS is enforced elsewhere.
setcookie("IS_DEV", $cuser, $ts+3600*24*12, '/', '.php.net', false, true);
104
105
106
107// ----------------------------------------------------------------------------------
108
/**
 * Return the current request's query string, prefixed with "?" and passed
 * through hsc() so it can be written into an HTML attribute.
 *
 * hsc() is not defined in this file; presumably it is an HTML-escaping helper
 * from one of the includes -- confirm.
 *
 * @return string|null The escaped "?..." suffix, or null when the request has
 *                     no (or an empty) query string.
 */
function query_string()
{
    // Guard clause: nothing to append when the query string is missing or empty.
    if (empty($_SERVER['QUERY_STRING'])) {
        return null;
    }

    return hsc('?' . $_SERVER['QUERY_STRING']);
}
115
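/**
 * Echo the posted "in[...]" fields back as hidden inputs so that a form
 * submission interrupted by the login prompt is resubmitted after login.
 *
 * Keys and values are passed through hsc() before being written into the
 * markup. Entries whose value is not a string (nested arrays such as
 * in[a][b]=...) are skipped instead of being handed to hsc().
 *
 * NOTE(review): the replayed fields come from the unauthenticated request, so
 * the script that finally receives them must still validate them (and any
 * anti-CSRF token it uses) once the user is logged in.
 *
 * @return void
 */
function preserve_form_fields()
{
    if (!isset($_POST['in']) || !is_array($_POST['in'])) {
        return;
    }

    foreach ($_POST['in'] as $k => $v) {
        // Only flat string values can be represented as a single hidden input.
        if (!is_string($v)) {
            continue;
        }

        echo "<input type=\"hidden\" name=\"in[", hsc($k),
             "]\" value=\"", hsc($v), "\" />\n";
    }
}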
125