Setting cookie domain wide instead of only yourls/admin/

[Github/YOURLS.git] / includes / functions-auth.php

<?php\r
// Check for valid user. Returns true or an error message\r
function yourls_is_valid_user() {\r
\r
        // Logout request\r
        if( isset( $_GET['mode'] ) && $_GET['mode'] == 'logout') {\r
                setcookie('yourls_username', null, time() - 3600);\r
                setcookie('yourls_password', null, time() - 3600);\r
                return 'Logged out successfully';\r
        }\r
        \r
        // Check cookies or login request. Login form has precedence.\r
        global $yourls_user_passwords;\r
        foreach($yourls_user_passwords as $valid_user => $valid_password) {\r
                if ( \r
                        // Checking against POST data\r
                        (       isset($_REQUEST['username'])\r
                                && $valid_user == $_REQUEST['username']\r
                                && isset($_REQUEST['password'])\r
                                && $valid_password == $_REQUEST['password']\r
                        )\r
                        or\r
                        // Checking against encrypted COOKIE data\r
                        (       isset($_COOKIE['yourls_username'])\r
                                && yourls_salt($valid_user) == $_COOKIE['yourls_username']\r
                                && isset($_COOKIE['yourls_password'])\r
                                && yourls_salt($valid_password) == $_COOKIE['yourls_password'] \r
                        )\r
                ) {\r
                        // (Re)store encrypted cookie and tell it's ok\r
                        if ( !defined('YOURLS_API') or YOURLS_API != true ) {\r
                                // No need to store a cookie when used in API mode.\r
                                setcookie('yourls_username', yourls_salt( $valid_user ), time() + (60*60*24*7), '/' );\r
                                setcookie('yourls_password', yourls_salt( $valid_password ), time() + (60*60*24*7), '/' );\r
                        }\r
                        define('YOURLS_USER', $valid_user);\r
                        return true;\r
                }\r
        }\r
        \r
        if ( isset($_REQUEST['username']) || isset($_REQUEST['password']) ) {\r
                return 'Invalid username or password';\r
        } else {\r
                return 'Please log in';\r
        }\r
}\r
\r
\r
// Return salted string\r
function yourls_salt( $string ) {\r
        $salt = defined('YOURLS_COOKIEKEY') ? YOURLS_COOKIEKEY : md5(__FILE__) ;\r
        return md5 ($string . YOURLS_COOKIEKEY);\r
}\r
\r
// Display the login screen. Nothing past this point.\r
function yourls_login_screen( $error_msg = '' ) {\r
        yourls_html_head( 'login' );\r
?>\r
<div id="login">\r
        <form method="post" action="?"> <?php // reset any QUERY parameters ?>\r
                <p>\r
                        <img src="<?php echo YOURLS_SITE; ?>/images/yourls-logo.png" alt="YOURLS" title="YOURLS" />\r
                </p>\r
                <?php\r
                        if(!empty($error_msg)) {\r
                                echo '<p class="error">'.$error_msg.'</p>';\r
                        }\r
                ?>\r
                <p>\r
                        <label for="username">Username</label><br />\r
                        <input type="text" id="username" name="username" size="30" class="text" />\r
                </p>\r
                <p>\r
                        <label for="password">Password</label><br />\r
                        <input type="password" id="password" name="password" size="30" class="text" />\r
                </p>\r
                <p style="text-align: right;">\r
                        <input type="submit" id="submit" name="submit" value="Login" class="button" />\r
                </p>\r
        </form>\r
        <script type="text/javascript">$('#username').focus();</script>\r
</div>\r
<?php\r
yourls_html_footer();\r
die();\r
}