4 * Copyright (C) 2016-2017 Jerry Padgett <sjpadgett@gmail.com>
5 * Copyright (C) 2011 Cassian LUP <cassi.lup@gmail.com>
7 * LICENSE: This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 3
10 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
19 * @author Jerry Padgett <sjpadgett@gmail.com>
20 * @author Cassian LUP <cassi.lup@gmail.com>
21 * @author Jerry Padgett <sjpadgett@gmail.com>
22 * @link http://www.open-emr.org
25 //starting the PHP session (also regenerating the session id to avoid session fixation attacks)
27 session_regenerate_id(true);
30 //landing page definition -- where to go if something goes wrong
31 $landingpage = "index.php?site=".$_SESSION['site_id'];
34 //checking whether the request comes from index.php
35 if (!isset($_SESSION['itsme'])) {
37 header('Location: '.$landingpage.'&w');
41 require_once (dirname( __FILE__
)."/lib/appsql.class.php" );
42 $logit = new ApplicationTable();
44 if (!isset($_POST['uname']) ||
empty($_POST['uname'])) {
46 header('Location: '.$landingpage.'&w&c');
49 if (!isset($_POST['pass']) ||
empty($_POST['pass'])) {
51 header('Location: '.$landingpage.'&w&c');
57 if (!empty($_POST['languageChoice'])) {
58 $_SESSION['language_choice'] = (int)$_POST['languageChoice'];
60 else if (empty($_SESSION['language_choice'])) {
61 // just in case both are empty, then use english
62 $_SESSION['language_choice'] = 1;
65 // keep the current session language token
68 //Settings that will override globals.php
73 require_once('../interface/globals.php');
74 require_once("$srcdir/authentication/common_operations.php");
75 require_once("$srcdir/user.inc");
76 $password_update=isset($_SESSION['password_update']);
77 unset($_SESSION['password_update']);
78 $plain_code= $_POST['pass'];
80 $authorizedPortal=false; //flag
81 DEFINE("TBL_PAT_ACC_ON","patient_access_onsite");
82 DEFINE("COL_PID","pid");
83 DEFINE("COL_POR_PWD","portal_pwd");
84 DEFINE("COL_POR_USER","portal_username");
85 DEFINE("COL_POR_SALT","portal_salt");
86 DEFINE("COL_POR_PWD_STAT","portal_pwd_status");
87 $sql= "SELECT ".implode(",",array(COL_ID
,COL_PID
,COL_POR_PWD
,COL_POR_SALT
,COL_POR_PWD_STAT
))
88 ." FROM ".TBL_PAT_ACC_ON
89 ." WHERE ".COL_POR_USER
."=?";
90 $auth = privQuery($sql, array($_POST['uname']));
93 $logit->portalLog('login attempt','',($_POST['uname'].':invalid username'),'','0');
95 header('Location: '.$landingpage.'&w');
98 if(empty($auth[COL_POR_SALT
]))
100 if(SHA1($plain_code)!=$auth[COL_POR_PWD
])
102 $logit->portalLog('login attempt','',($_POST['uname'].':pass not salted'),'','0');
104 header('Location: '.$landingpage.'&w');
107 $new_salt=oemr_password_salt();
108 $new_hash=oemr_password_hash($plain_code,$new_salt);
109 $sqlUpdatePwd= " UPDATE " . TBL_PAT_ACC_ON
110 ." SET " .COL_POR_PWD
."=?, "
111 . COL_POR_SALT
. "=? "
112 ." WHERE ".COL_ID
."=?";
113 privStatement($sqlUpdatePwd,array($new_hash,$new_salt,$auth[COL_ID
]));
116 if(oemr_password_hash($plain_code,$auth[COL_POR_SALT
])!=$auth[COL_POR_PWD
])
118 $logit->portalLog('login attempt','',($_POST['uname'].':invalid password'),'','0');
120 header('Location: '.$landingpage.'&w');
126 $_SESSION['portal_username']=$_POST['uname'];
127 $sql = "SELECT * FROM `patient_data` WHERE `pid` = ?";
129 if ($userData = sqlQuery($sql, array($auth['pid']) )) { // if query gets executed
131 if (empty($userData)) {
132 $logit->portalLog('login attempt','',($_POST['uname'].':not active patient'),'','0');
134 header('Location: '.$landingpage.'&w');
137 if ($userData['email'] != $_POST['passaddon']) {
138 $logit->portalLog('login attempt','',($_POST['uname'].':invalid email'),'','0');
140 header('Location: '.$landingpage.'&w');
144 if ($userData['allow_patient_portal'] != "YES") {
145 // Patient has not authorized portal, so escape
147 header('Location: '.$landingpage.'&w');
151 if ($auth['pid'] != $userData['pid']) {
152 // Not sure if this is even possible, but should escape if this happens
154 header('Location: '.$landingpage.'&w');
158 if ( $password_update)
160 $code_new=$_POST['pass_new'];
161 $code_new_confirm=$_POST['pass_new_confirm'];
162 if(!(empty($_POST['pass_new'])) && !(empty($_POST['pass_new_confirm'])) && ($code_new == $code_new_confirm)) {
163 $new_salt=oemr_password_salt();
164 $new_hash=oemr_password_hash($code_new,$new_salt);
166 // Update the password and continue (patient is authorized)
167 privStatement("UPDATE ".TBL_PAT_ACC_ON
168 ." SET ".COL_POR_PWD
."=?,".COL_POR_SALT
."=?,".COL_POR_PWD_STAT
."=1 WHERE id=?", array($new_hash,$new_salt,$auth['id']) );
169 $authorizedPortal = true;
170 $logit->portalLog('password update',$auth['pid'],($_SESSION['portal_username'].': '.$_SESSION['ptName'].':success'));
173 if ($auth['portal_pwd_status'] == 0) {
174 if(!$authorizedPortal) {
175 // Need to enter a new password in the index.php script
176 $_SESSION['password_update'] = 1;
177 header('Location: '.$landingpage);
182 if ($auth['portal_pwd_status'] == 1) {
183 // continue (patient is authorized)
184 $authorizedPortal = true;
187 if ($authorizedPortal) {
188 // patient is authorized (prepare the session variables)
189 unset($_SESSION['password_update']); // just being safe
190 unset($_SESSION['itsme']); // just being safe
191 $_SESSION['pid'] = $auth['pid'];
192 $_SESSION['patient_portal_onsite_two'] = 1;
194 $tmp = getUserIDInfo($userData['providerID']);
195 $_SESSION['providerName'] = $tmp['fname'].' '.$tmp['lname'];
196 $_SESSION['providerUName'] = $tmp['username'];
197 $_SESSION['sessionUser'] = '-patient-'; //$_POST['uname'];
198 $_SESSION['providerId'] = $userData['providerID']?
$userData['providerID']:'undefined';
199 $_SESSION['ptName'] = $userData['fname'].' '.$userData['lname'];
201 $logit->portalLog('login',$_SESSION['pid'],($_SESSION['portal_username'].': '.$_SESSION['ptName'].':success'));
204 $logit->portalLog('login','',($_POST['uname'].':not authorized'),'','0');
206 header('Location: '.$landingpage.'&w');
211 else { //problem with query
213 header('Location: '.$landingpage.'&w');
216 //require_once('summary_pat_portal.php');
218 //require_once('home.php');
219 header('Location: ./home.php');