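(NOW() - INTERVAL 5 MINUTE)"));
$failed_login_count = $row['failed_login_count'];

// Login brute force check: the query above counts recent failed attempts for this IP.
// NOTE(review): the lockout is keyed on $ip only, and the '2FA Failed' rows written further down
// use a different log_action than 'Failed' — confirm the counting query above includes them,
// otherwise the TOTP step is not covered by the lockout.
// NOTE(review): $ip and $user_agent are interpolated into SQL throughout this block and are
// assigned outside this view — confirm they are escaped where they are set.
if ($failed_login_count >= 10) {
    // Logging (log_created_at added for consistency with the other log inserts below)
    mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt due to IP lockout', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");

    // Send an alert only when the count hits exactly 10 to reduce flooding alerts (using 1 as "default" company)
    if ($failed_login_count == 10) {
        // Fixed: the original statement had no comma before company_id, which is a SQL syntax error;
        // since mysqli_query's return value is not checked, the lockout notification was silently never written.
        mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Lockout', notification = '$ip was locked out for repeated failed login attempts.', notification_timestamp = NOW(), company_id = '1'");
    }

    // Inform user
    $response = '
IP Lockout - Please try again later.
';
} else {
    // Passed login brute force check
    // Default missing POST fields to '' so the escaping/verify calls below always get a string.
    $email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email'] ?? ''));
    $password = $_POST['password'] ?? '';

    // The TOTP code is only posted on the second step of an MFA login; default it so
    // TokenAuth6238::verify() below receives a defined value instead of an undefined variable.
    $current_code = '';
    if (isset($_POST['current_code'])) {
        $current_code = strip_tags(mysqli_real_escape_string($mysqli, $_POST['current_code']));
    }

    // users.user_id is re-selected last under an alias: both joined tables have a user_id column and
    // mysqli_fetch_assoc() keeps the LAST duplicate name, so with a plain SELECT * $row['user_id'] would be
    // user_settings.user_id — NULL when the user has no settings row, which would leave $_SESSION['user_id']
    // empty and make the unquoted "log_user_id = $user_id" below malformed.
    $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT *, users.user_id AS user_id FROM users LEFT JOIN user_settings ON users.user_id = user_settings.user_id WHERE user_email = '$email' AND user_archived_at IS NULL AND user_status = 1"));

    if ($row && password_verify($password, $row['user_password'])) {
        // Regenerate the session ID on successful authentication so a session ID planted before login
        // (session fixation) is not promoted to an authenticated one. Done before session_id() is read
        // below so the value stored in users.user_php_session is the post-authentication ID.
        session_regenerate_id(true);

        // User variables
        $token = $row['user_token'];
        $user_name = strip_tags(mysqli_real_escape_string($mysqli, $row['user_name']));
        $user_id = $row['user_id'];

        // Session info
        $_SESSION['user_id'] = $user_id;
        $_SESSION['user_name'] = $user_name;
        $_SESSION['user_role'] = $row['user_role'];
        $_SESSION['csrf_token'] = bin2hex(random_bytes(78));

        // Setup encryption session key.
        // NOTE(review): this whole branch runs before the MFA check below, so a correct password alone
        // (without the TOTP code) is enough to unwrap the key, create the session key material and set
        // the extension cookie — confirm that is intended.
        if (isset($row['user_specific_encryption_ciphertext']) && $row['user_role'] > 1) {
            $user_encryption_ciphertext = $row['user_specific_encryption_ciphertext'];
            // Presumably the per-user ciphertext is unwrapped with the plaintext password (helper defined elsewhere).
            $site_encryption_master_key = decryptUserSpecificKey($user_encryption_ciphertext, $password);
            generateUserSessionKey($site_encryption_master_key);

            // Setup extension
            if (isset($row['user_extension_key']) && !empty($row['user_extension_key'])) {
                // Extension cookie
                // Note: Browsers don't accept cookies with SameSite None if they are not HTTPS.
                setcookie("user_extension_key", $row['user_extension_key'], ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'None']);

                // Set PHP session in DB, so we can access the session encryption data (above)
                $user_php_session = session_id();
                mysqli_query($mysqli, "UPDATE users SET user_php_session = '$user_php_session' WHERE user_id = '$user_id'");
            }
        }

        if (empty($token)) {
            // Full Login successful (no TOTP secret configured for this user)
            $_SESSION['logged'] = TRUE;
            mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Success', log_description = '$user_name successfully logged in', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_user_id = $user_id");

            // Show start page/dashboard depending on role
            if ($row['user_role'] == 2) {
                header("Location: dashboard_technical.php");
            } else {
                header("Location: dashboard_financial.php");
            }
            // Stop here: without exit the rest of this page (the login form) would still be
            // rendered into the body of the redirect response.
            exit();
        } else {
            // Prompt for MFA
            $token_field = "
";
            require_once("rfc6238.php");
            if (TokenAuth6238::verify($token, $current_code)) {
                // Full login (with MFA) successful
                $_SESSION['logged'] = TRUE;
                mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login 2FA', log_action = 'Success', log_description = '$user_name successfully logged in using 2FA', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_user_id = $user_id");

                // Show start page/dashboard depending on role
                if ($row['user_role'] == 2) {
                    header("Location: dashboard_technical.php");
                } else {
                    header("Location: dashboard_financial.php");
                }
                // See above: do not fall through into rendering the login page after redirecting.
                exit();
            } else {
                // Wrong or missing TOTP code: log it and re-prompt (password was already verified)
                mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = '2FA Failed', log_description = '$user_name failed 2FA', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_user_id = $user_id");
                $response = "
Please Enter 2FA Key!
";
            }
        }
    } else {
        // Credentials rejected: no matching active, non-archived user, or wrong password.
        // NOTE(review): password_verify() is skipped entirely when no row matches, so the response
        // time differs between unknown and known e-mail addresses (user enumeration via timing).
        mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
        $response = "
Incorrect username or password.
";
    }
}
}
?> <?php echo $config_app_name; ?> | Login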