package C4::Auth;
+
+# Copyright 2000-2002 Katipo Communications
+#
+# This file is part of Koha.
+#
+# Koha is free software; you can redistribute it and/or modify it under the
+# terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+#
+# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# Koha; if not, write to the Free Software Foundation, Inc., 59 Temple Place,
+# Suite 330, Boston, MA 02111-1307 USA
+
use strict;
+use Digest::MD5 qw(md5_base64);
+
+
require Exporter;
use C4::Database;
}
my $sessionID=$query->cookie('sessionID');
my $message='';
- warn "SID: ".$sessionID;
my $dbh=C4Connect();
my $sth=$dbh->prepare("select userid,ip,lasttime from sessions where sessionid=?");
$sth->execute($sessionID);
if ($sth->rows) {
my ($userid, $ip, $lasttime) = $sth->fetchrow;
- if ($lasttime<time()-40 && $userid ne 'tonnesen') {
+ if ($lasttime<time()-45 && $userid ne 'tonnesen') {
# timed logout
- warn "$sessionID logged out due to inactivity.";
$message="You have been logged out due to inactivity.";
my $sti=$dbh->prepare("delete from sessions where sessionID=?");
$sti->execute($sessionID);
+ my $scriptname=$ENV{'SCRIPT_NAME'};
+ my $selfurl=$query->self_url();
+ $sti=$dbh->prepare("insert into sessionqueries (sessionID, userid, value) values (?, ?, ?)");
+ $sti->execute($sessionID, $userid, $selfurl);
open L, ">>/tmp/sessionlog";
my $time=localtime(time());
printf L "%20s from %16s logged out at %30s (inactivity).\n", $userid, $ip, $time;
} elsif ($ip ne $ENV{'REMOTE_ADDR'}) {
# Different ip than originally logged in from
my $newip=$ENV{'REMOTE_ADDR'};
- warn "$sessionID came from a new ip address (authenticated from $ip, this request from $newip).";
$message="ERROR ERROR ERROR ERROR<br>Attempt to re-use a cookie from a different ip address.<br>(authenticated from $ip, this request from $newip)";
} else {
my $cookie=$query->cookie(-name => 'sessionID',
-value => $sessionID,
-expires => '+1y');
- warn "$sessionID had a valid cookie.";
my $sti=$dbh->prepare("update sessions set lasttime=? where sessionID=?");
$sti->execute(time(), $sessionID);
return ($userid, $cookie, $sessionID);
- warn "$sessionID wasn't in sessions table.";
if ($authnotrequired) {
my $cookie=$query->cookie(-name => 'sessionID',
-value => '',
my $userid=$query->param('userid');
my $password=$query->param('password');
if (checkpw($dbh, $userid, $password)) {
- #if (($userid eq 'librarian' || $userid eq 'tonnesen' || $userid eq 'patron') && $password eq 'koha') {
- my $sti=$dbh->prepare("insert into sessions (sessionID, userid, ip,lasttime) values (?, ?, ?, ?)");
+ my $sti=$dbh->prepare("delete from sessions where sessionID=? and userid=?");
+ $sti->execute($sessionID, $userid);
+ $sti=$dbh->prepare("insert into sessions (sessionID, userid, ip,lasttime) values (?, ?, ?, ?)");
$sti->execute($sessionID, $userid, $ENV{'REMOTE_ADDR'}, time());
+ $sti=$dbh->prepare("select value from sessionqueries where sessionID=? and userid=?");
+ $sti->execute($sessionID, $userid);
+ if ($sti->rows) {
+ my $stj=$dbh->prepare("delete from sessionqueries where sessionID=?");
+ $stj->execute($sessionID);
+ my ($selfurl) = $sti->fetchrow;
+ print $query->redirect($selfurl);
+ exit;
+ }
open L, ">>/tmp/sessionlog";
my $time=localtime(time());
printf L "%20s from %16s logged in at %30s.\n", $userid, $ENV{'REMOTE_ADDR'}, $time;
close L;
- return ($userid, $sessionID, $sessionID);
+ my $cookie=$query->cookie(-name => 'sessionID',
+ -value => $sessionID,
+ -expires => '+1y');
+ return ($userid, $cookie, $sessionID);
} else {
if ($userid) {
$message="Invalid userid or password entered.";
inactivity for the purposes of this demo. You can navigate to the Circulation
or Acquisitions modules and you should see an indicator in the upper left of
the screen saying who you are logged in as. If you want to try it out with
- a longer timout period, log in as tonnesen/koha and the timeout period will
- be 10 minutes.
+ a longer timout period, log in as tonnesen/koha and there will be no
+ timeout period.
+ <p>
+ You can also log in using a patron cardnumber. Try V10000008 and
+ V1000002X with password koha.
</td>
</tr>
</table>
my $sth=$dbh->prepare("select password from borrowers where userid=?");
$sth->execute($userid);
if ($sth->rows) {
- my ($cryptpassword) = $sth->fetchrow;
- if (crypt($password, $cryptpassword) eq $cryptpassword) {
+ my ($md5password) = $sth->fetchrow;
+ if (md5_base64($password) eq $md5password) {
return 1;
}
}
my $sth=$dbh->prepare("select password from borrowers where cardnumber=?");
$sth->execute($userid);
if ($sth->rows) {
- my ($cryptpassword) = $sth->fetchrow;
- if (crypt($password, $cryptpassword) eq $cryptpassword) {
+ my ($md5password) = $sth->fetchrow;
+ if (md5_base64($password) eq $md5password) {
return 1;
}
}