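/**
 * Check the username / password pair sent with the request. Sets user if applicable.
 *
 * Reads $_REQUEST['username'] and $_REQUEST['password'] and looks the user up in
 * the global $yourls_user_passwords map (user name => stored password).
 *
 * @return bool true when the credentials match a configured user
 */
function yourls_check_username_password() {
    global $yourls_user_passwords;

    // Both fields must be present and plain strings: a missing key was an
    // undefined-index notice, and an array value (?username[]=x) would be an
    // illegal array offset when used as the map key below.
    if ( !isset( $_REQUEST['username'], $_REQUEST['password'] )
        || !is_string( $_REQUEST['username'] ) || !is_string( $_REQUEST['password'] ) ) {
        return false;
    }
    $username = $_REQUEST['username'];

    if ( !isset( $yourls_user_passwords[ $username ] ) ) {
        return false;
    }

    if ( yourls_check_password_hash( $yourls_user_passwords[ $username ], $_REQUEST['password'] ) ) {
        yourls_set_user( $username );
        return true;
    }
    return false;
}

/**
 * Check a password sent in plain text against the stored value, which is either
 * clear text or a salted hash of the form "md5:<salt>:<md5( salt . password )>".
 *
 * @param string $stored    value from config.php (clear text, or "md5:salt:hash", 42 chars)
 * @param string $plaintext password as sent by the client
 * @return bool
 */
function yourls_check_password_hash( $stored, $plaintext ) {
    // Reject non-string client input up front: md5() / hash_equals() on an array
    // would throw on PHP 8 rather than simply fail the check.
    if ( !is_scalar( $stored ) || !is_string( $plaintext ) ) {
        return false;
    }
    $stored = (string) $stored;

    if ( substr( $stored, 0, 4 ) === 'md5:' && strlen( $stored ) === 42 ) {
        // Stored password is a salted hash: "md5:<$r = rand(10000,99999)>:<md5>"
        // 4 + 5 + 1 + 32 = 42 characters. (Legacy scheme, kept for compatibility
        // with existing config.php files.)
        // explode() replaces the POSIX split() that was removed in PHP 7; the
        // limit of 3 keeps the hash part intact and lets malformed values be rejected.
        $parts = explode( ':', $stored, 3 );
        if ( count( $parts ) !== 3 ) {
            return false;
        }
        $salt = $parts[1];
        // hash_equals(): strict and constant-time. A loose == would compare two
        // "0e..."-style digests as numbers and report them equal.
        return hash_equals( $stored, 'md5:' . $salt . ':' . md5( $salt . $plaintext ) );
    }

    // Password was sent in clear
    yourls_add_notice( 'Notice: your password is stored as clear text in your config.php. Did you know you can easily improve the security of your YOURLS install by encrypting your password? See UsernamePassword for details', 'notice' );
    return hash_equals( $stored, $plaintext );
}

/**
 * Check auth against the yourls_username / yourls_password cookies, which carry
 * yourls_salt() of the user name and of the stored password. Sets user if applicable.
 *
 * @return bool
 */
function yourls_check_auth_cookie() {
    global $yourls_user_passwords;

    if ( !isset( $_COOKIE['yourls_username'], $_COOKIE['yourls_password'] )
        || !is_string( $_COOKIE['yourls_username'] ) || !is_string( $_COOKIE['yourls_password'] )
        || !is_array( $yourls_user_passwords ) ) {
        return false;
    }

    foreach ( $yourls_user_passwords as $valid_user => $valid_password ) {
        // Strict, constant-time comparison of the salted values; == would treat
        // two numeric-looking hashes as equal numbers. Numeric user names become
        // int keys, hence the (string) cast.
        if ( hash_equals( (string) yourls_salt( $valid_user ), $_COOKIE['yourls_username'] )
            && hash_equals( (string) yourls_salt( $valid_password ), $_COOKIE['yourls_password'] ) ) {
            yourls_set_user( $valid_user );
            return true;
        }
    }
    return false;
}
// Check auth against signature and timestamp.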
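/**
 * Check auth against a request signature combined with a timestamp. Sets user if applicable.
 *
 * The signature is md5( timestamp . yourls_auth_signature( user ) ) or
 * md5( yourls_auth_signature( user ) . timestamp ); both orders are accepted.
 * Timestamp in PHP : time() -- Timestamp in JS: parseInt(new Date().getTime() / 1000)
 *
 * @return bool
 */
function yourls_check_signature_timestamp() {
    global $yourls_user_passwords;

    // Missing keys used to raise undefined-index notices; array values would
    // make md5() / hash_equals() throw on PHP 8.
    if ( !isset( $_REQUEST['signature'], $_REQUEST['timestamp'] )
        || !is_string( $_REQUEST['signature'] ) || !is_string( $_REQUEST['timestamp'] )
        || !is_array( $yourls_user_passwords ) ) {
        return false;
    }
    $signature = $_REQUEST['signature'];
    $timestamp = $_REQUEST['timestamp'];

    // The time window does not depend on the user, so check it once before
    // hashing anything (the outcome is the same as checking it per match).
    if ( !yourls_check_timestamp( $timestamp ) ) {
        return false;
    }

    foreach ( $yourls_user_passwords as $valid_user => $valid_password ) {
        $secret = yourls_auth_signature( $valid_user );
        // hash_equals(): strict and constant-time, no "0e..." numeric juggling.
        if ( hash_equals( md5( $timestamp . $secret ), $signature )
            || hash_equals( md5( $secret . $timestamp ), $signature ) ) {
            yourls_set_user( $valid_user );
            return true;
        }
    }
    return false;
}

/**
 * Check auth against a bare request signature (no timestamp). Sets user if applicable.
 *
 * @return bool
 */
function yourls_check_signature() {
    global $yourls_user_passwords;

    if ( !isset( $_REQUEST['signature'] ) || !is_string( $_REQUEST['signature'] )
        || !is_array( $yourls_user_passwords ) ) {
        return false;
    }

    foreach ( $yourls_user_passwords as $valid_user => $valid_password ) {
        if ( hash_equals( (string) yourls_auth_signature( $valid_user ), $_REQUEST['signature'] ) ) {
            yourls_set_user( $valid_user );
            return true;
        }
    }
    return false;
}

/**
 * Generate the secret signature hash for a user: the first 10 characters of yourls_salt( $username ).
 *
 * @param string|false $username user name; falls back to YOURLS_USER when defined
 * @return string the signature, or an error message when no user name is available
 */
function yourls_auth_signature( $username = false ) {
    if ( !$username && defined( 'YOURLS_USER' ) ) {
        $username = YOURLS_USER;
    }
    if ( !$username ) {
        return 'Cannot generate auth signature: no username';
    }
    return substr( yourls_salt( $username ), 0, 10 );
}

/**
 * Check that a timestamp is within YOURLS_NONCE_LIFE seconds of now, in either direction.
 *
 * @param int|string $time Unix timestamp as sent by the client
 * @return bool result of the 'check_timestamp' filter applied to the window check
 */
function yourls_check_timestamp( $time ) {
    $now = time();
    // Allow timestamp to be a little in the future or the past -- see Issue 766.
    // Non-numeric input is rejected instead of letting the subtraction throw on PHP 8.
    $valid = is_numeric( $time ) && abs( $now - (int) $time ) < YOURLS_NONCE_LIFE;
    return yourls_apply_filter( 'check_timestamp', $valid, $time );
}

/**
 * Store the auth cookies. Passing no $user (or null) deletes them.
 *
 * The cookies carry yourls_salt() of the user name and of the stored password,
 * are scoped to the YOURLS_SITE host, flagged Secure when served over SSL and
 * HttpOnly by default; domain, secure and httponly are each filterable.
 *
 * @param string|null $user user name, must exist in $yourls_user_passwords
 */
function yourls_store_cookie( $user = null ) {
    global $yourls_user_passwords;

    if ( !$user ) {
        $pass = null;
        $time = time() - 3600; // expiry in the past: browser drops the cookie
    } else {
        if ( !isset( $yourls_user_passwords[ $user ] ) ) {
            die( 'Stealing cookies?' ); // This should never happen
        }
        $pass = $yourls_user_passwords[ $user ];
        $time = time() + YOURLS_COOKIE_LIFE;
    }

    $domain   = yourls_apply_filter( 'setcookie_domain', parse_url( YOURLS_SITE, PHP_URL_HOST ) );
    $secure   = yourls_apply_filter( 'setcookie_secure', yourls_is_ssl() );
    $httponly = yourls_apply_filter( 'setcookie_httponly', true );

    if ( headers_sent() ) {
        return;
    }
    // The httponly argument needs PHP >= 5.2.0; hash_equals() used by the check
    // functions in this file needs 5.6, so the pre-5.2 fallback branch is gone.
    setcookie( 'yourls_username', yourls_salt( $user ), $time, '/', $domain, $secure, $httponly );
    setcookie( 'yourls_password', yourls_salt( $pass ), $time, '/', $domain, $secure, $httponly );
}

/**
 * Record the authenticated user name in the YOURLS_USER constant (first call wins).
 *
 * @param string $user
 */
function yourls_set_user( $user ) {
    if ( !defined( 'YOURLS_USER' ) ) {
        define( 'YOURLS_USER', $user );
    }
}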