pwd. Sets user if applicable, returns bool function yourls_check_username_password() { global $yourls_user_passwords; if( isset( $yourls_user_passwords[ $_REQUEST['username'] ] ) && yourls_check_password_hash( $yourls_user_passwords[ $_REQUEST['username'] ], $_REQUEST['password'] ) ) { yourls_set_user( $_REQUEST['username'] ); return true; } return false; } // Check a REQUEST password sent in plain text against stored password which can be a salted hash function yourls_check_password_hash( $stored, $plaintext ) { if ( substr( $stored, 0, 4 ) == 'md5:' and strlen( $stored ) == 42 ) { // Stored password is a salted hash: "md5:<$r = rand(10000,99999)>:" // And 42. Of course. http://www.google.com/search?q=the+answer+to+life+the+universe+and+everything list( $temp, $salt, $md5 ) = explode( ':', $stored ); return( $stored == 'md5:'.$salt.':'.md5( $salt.$plaintext ) ); } else { // Password was sent in clear $message = ''; $message .= yourls__( 'Notice: your password is stored as clear text in your config.php' ); $message .= yourls__( 'Did you know you can easily improve the security of your YOURLS install by encrypting your password?' ); $message .= yourls__( 'See UsernamePassword for details' ); yourls_add_notice( $message, 'notice' ); return( $stored == $plaintext ); } } // Check auth against encrypted COOKIE data. Sets user if applicable, returns bool function yourls_check_auth_cookie() { global $yourls_user_passwords; foreach( $yourls_user_passwords as $valid_user => $valid_password ) { if( yourls_salt( $valid_user ) == $_COOKIE['yourls_username'] && yourls_salt( $valid_password ) == $_COOKIE['yourls_password'] ) { yourls_set_user( $valid_user ); return true; } } return false; } // Check auth against signature and timestamp. Sets user if applicable, returns bool function yourls_check_signature_timestamp() { // Timestamp in PHP : time() // Timestamp in JS: parseInt(new Date().getTime() / 1000) global $yourls_user_passwords; foreach( $yourls_user_passwords as $valid_user => $valid_password ) { if ( ( md5( $_REQUEST['timestamp'].yourls_auth_signature( $valid_user ) ) == $_REQUEST['signature'] or md5( yourls_auth_signature( $valid_user ).$_REQUEST['timestamp'] ) == $_REQUEST['signature'] ) && yourls_check_timestamp( $_REQUEST['timestamp'] ) ) { yourls_set_user( $valid_user ); return true; } } return false; } // Check auth against signature. Sets user if applicable, returns bool function yourls_check_signature() { global $yourls_user_passwords; foreach( $yourls_user_passwords as $valid_user => $valid_password ) { if ( yourls_auth_signature( $valid_user ) == $_REQUEST['signature'] ) { yourls_set_user( $valid_user ); return true; } } return false; } // Generate secret signature hash function yourls_auth_signature( $username = false ) { if( !$username && defined('YOURLS_USER') ) { $username = YOURLS_USER; } return ( $username ? substr( yourls_salt( $username ), 0, 10 ) : 'Cannot generate auth signature: no username' ); } // Check if timestamp is not too old function yourls_check_timestamp( $time ) { $now = time(); // Allow timestamp to be a little in the future or the past -- see Issue 766 return yourls_apply_filter( 'check_timestamp', abs( $now - $time ) < YOURLS_NONCE_LIFE, $time ); } // Store new cookie. No $user will delete the cookie. function yourls_store_cookie( $user = null ) { if( !$user ) { $pass = null; $time = time() - 3600; } else { global $yourls_user_passwords; if( isset($yourls_user_passwords[$user]) ) { $pass = $yourls_user_passwords[$user]; } else { die( 'Stealing cookies?' ); // This should never happen } $time = time() + YOURLS_COOKIE_LIFE; } $domain = yourls_apply_filter( 'setcookie_domain', parse_url( YOURLS_SITE, 1 ) ); $secure = yourls_apply_filter( 'setcookie_secure', yourls_is_ssl() ); $httponly = yourls_apply_filter( 'setcookie_httponly', true ); if ( !headers_sent() ) { // Set httponly if the php version is >= 5.2.0 if( version_compare( phpversion(), '5.2.0', 'ge' ) ) { setcookie('yourls_username', yourls_salt( $user ), $time, '/', $domain, $secure, $httponly ); setcookie('yourls_password', yourls_salt( $pass ), $time, '/', $domain, $secure, $httponly ); } else { setcookie('yourls_username', yourls_salt( $user ), $time, '/', $domain, $secure ); setcookie('yourls_password', yourls_salt( $pass ), $time, '/', $domain, $secure ); } } } // Set user name function yourls_set_user( $user ) { if( !defined( 'YOURLS_USER' ) ) define( 'YOURLS_USER', $user ); }