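<?php
// Login handler: checks the captcha, verifies the credentials through
// factory::isValidUser() and, on success, binds the session to the client
// (fresh session id, user-agent and IP fingerprints). Every path ends in
// die() with a short plain-text status that the calling page displays.
ob_start();
$currentCookieParams = session_get_cookie_params();
// Cookie secure: keep the configured lifetime/path/domain, but force the
// Secure and HttpOnly flags on the session cookie.
session_set_cookie_params($currentCookieParams['lifetime'], $currentCookieParams['path'], $currentCookieParams['domain'], true, true);

// session_start() emits a warning and returns false when it cannot start;
// the warning is suppressed so the redirect below is the only thing the
// client receives.
$ok = @session_start();
if ($ok === false) {
	header('Location:index.php');
	exit();
}

header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
require_once("../common.php");
require_once("../classes/class.factory.php");
require_once("../classes/constant.inc");

// All inputs must be present, and the text fields must be plain strings:
// a `login[]=...` style submission would otherwise reach trim() as an array
// and fail with a TypeError instead of the clean error message below.
if ((isset($_POST['posted'])) &&
	(isset($_POST['login'])) && is_string($_POST['login']) &&
	(isset($_POST['password'])) && is_string($_POST['password']) &&
	(isset($_SESSION['OUTcaptcha'])) &&
	(isset($_POST['captcha'])) && is_string($_POST['captcha'])) {

	// Strict comparison: the previous `!=` was a loose comparison, under which
	// numeric-looking strings such as "0100" and "100" compare equal.
	if (!hash_equals((string) $_SESSION['OUTcaptcha'], $_POST['captcha'])) {
		die("ERROR: Wrong captcha, try again.");
	}
	// NOTE(review): the solved captcha value stays in $_SESSION['OUTcaptcha']
	// after a failed login, so it is not single-use; unset() it here once the
	// front end is known to reload the captcha after every attempt.

	date_default_timezone_set('Europe/Paris');
	$login = trim(sanitizeInput($_POST["login"]));

	if (!isValidEmail($login)) die("ERROR: Invalid Email");
	$password = trim(sanitizeInput($_POST["password"]));

	// Stored below as the user's role on success; presumably falsy on failure —
	// verify against factory::isValidUser().
	$result = factory::isValidUser($login, $password);

	if ($result) {		// same test as `$result != false`: any truthy value

		session_regenerate_id(true);		// regenerate session identifier after verifying to eliminate session fixation attack
		$_SESSION['fmsuserid'] = strtolower($login);
		$_SESSION['fmsuserrole'] = $result;
		$_SESSION['fmswg'] = INSTANCE;

		// Fingerprints kept to protect against session hijacking (presumably
		// compared on later requests). HTTP_USER_AGENT is optional in a
		// request, so default it rather than raise an undefined-index notice.
		$userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
		$_SESSION["fmsuseragent"] = md5(ENCKEY . $userAgent);
		$_SESSION['fmslastactivity'] = time();
		$ipaddress = getIPaddress();
		$_SESSION['fmssignature'] = md5("Ucx327Jh%" . $ipaddress . "iPCc");

		ob_end_clean();
		die("Login successful..");
	} else {
		// Clear the in-memory session data as well as the server-side record
		// so nothing from the failed attempt lingers.
		$_SESSION = array();
		session_destroy();
		die("ERROR: Unable to login. Please contact IPCC secretariat if you are a valid user.");
	}
} else {
	die("ERROR: Problem with the website, not your login. Try refreshing the page.");
}
ob_flush(); // currently unreachable: every branch above ends in die()/exit()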