4 * Copyright (C) 2016-2017 Jerry Padgett <sjpadgett@gmail.com>
5 * Copyright (C) 2011 Cassian LUP <cassi.lup@gmail.com>
7 * LICENSE: This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 3
10 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
19 * @author Cassian LUP <cassi.lup@gmail.com>
20 * @author Jerry Padgett <sjpadgett@gmail.com>
21 * @link http://www.open-emr.org
24 // starting the PHP session (also regenerating the session id to avoid session fixation attacks)
26 session_regenerate_id(true);
29 // landing page definition -- where to go if something goes wrong
30 $landingpage = "index.php?site=" . urlencode($_SESSION['site_id']);
33 // checking whether the request comes from index.php
34 if (! isset($_SESSION['itsme'])) {
36 header('Location: ' . $landingpage . '&w');
41 if (! isset($_POST['uname']) ||
empty($_POST['uname'])) {
43 header('Location: ' . $landingpage . '&w&c');
47 if (! isset($_POST['pass']) ||
empty($_POST['pass'])) {
49 header('Location: ' . $landingpage . '&w&c');
54 if (! empty($_POST['languageChoice'])) {
55 $_SESSION['language_choice'] = (int) $_POST['languageChoice'];
56 } else if (empty($_SESSION['language_choice'])) {
57 // just in case both are empty, then use english
58 $_SESSION['language_choice'] = 1;
60 // keep the current session language token
63 // Settings that will override globals.php
68 require_once('../interface/globals.php');
69 require_once(dirname(__FILE__
) . "/lib/appsql.class.php");
70 $logit = new ApplicationTable();
71 require_once("$srcdir/authentication/common_operations.php");
72 require_once("$srcdir/user.inc");
73 $password_update = isset($_SESSION['password_update']);
74 unset($_SESSION['password_update']);
75 $plain_code = $_POST['pass'];
77 $authorizedPortal = false; // flag
78 DEFINE("TBL_PAT_ACC_ON", "patient_access_onsite");
79 DEFINE("COL_PID", "pid");
80 DEFINE("COL_POR_PWD", "portal_pwd");
81 DEFINE("COL_POR_USER", "portal_username");
82 DEFINE("COL_POR_SALT", "portal_salt");
83 DEFINE("COL_POR_PWD_STAT", "portal_pwd_status");
84 $sql = "SELECT " . implode(",", array(
90 )) . " FROM " . TBL_PAT_ACC_ON
. " WHERE " . COL_POR_USER
. "=?";
91 $auth = privQuery($sql, array(
94 if ($auth === false) {
95 $logit->portalLog('login attempt', '', ($_POST['uname'] . ':invalid username'), '', '0');
97 header('Location: ' . $landingpage . '&w&u');
101 if (empty($auth[COL_POR_SALT
])) {
102 if (SHA1($plain_code) != $auth[COL_POR_PWD
]) {
103 $logit->portalLog('login attempt', '', ($_POST['uname'] . ':pass not salted'), '', '0');
105 header('Location: ' . $landingpage . '&w&p');
109 $new_salt = oemr_password_salt();
110 $new_hash = oemr_password_hash($plain_code, $new_salt);
111 $sqlUpdatePwd = " UPDATE " . TBL_PAT_ACC_ON
. " SET " . COL_POR_PWD
. "=?, " . COL_POR_SALT
. "=? " . " WHERE " . COL_ID
. "=?";
112 privStatement($sqlUpdatePwd, array(
118 $tmp = oemr_password_hash($plain_code, $auth[COL_POR_SALT
]);
119 if ($tmp != $auth[COL_POR_PWD
]) {
120 $logit->portalLog('login attempt', '', ($_POST['uname'] . ':invalid password'), '', '0');
122 header('Location: ' . $landingpage . '&w&p');
127 $_SESSION['portal_username'] = $_POST['uname'];
128 $sql = "SELECT * FROM `patient_data` WHERE `pid` = ?";
130 if ($userData = sqlQuery($sql, array(
132 ))) { // if query gets executed
134 if (empty($userData)) {
135 $logit->portalLog('login attempt', '', ($_POST['uname'] . ':not active patient'), '', '0');
137 header('Location: ' . $landingpage . '&w');
141 if ($userData['email'] != $_POST['passaddon'] && $GLOBALS['enforce_signin_email']) {
142 $logit->portalLog('login attempt', '', ($_POST['uname'] . ':invalid email'), '', '0');
144 header('Location: ' . $landingpage . '&w');
148 if ($userData['allow_patient_portal'] != "YES") {
149 // Patient has not authorized portal, so escape
150 $logit->portalLog('login attempt', '', ($_POST['uname'] . ':allow portal turned off'), '', '0');
152 header('Location: ' . $landingpage . '&w');
156 if ($auth['pid'] != $userData['pid']) {
157 // Not sure if this is even possible, but should escape if this happens
159 header('Location: ' . $landingpage . '&w');
163 if ($password_update) {
164 $code_new = $_POST['pass_new'];
165 $code_new_confirm = $_POST['pass_new_confirm'];
166 if (! (empty($_POST['pass_new'])) && ! (empty($_POST['pass_new_confirm'])) && ($code_new == $code_new_confirm)) {
167 $new_salt = oemr_password_salt();
168 $new_hash = oemr_password_hash($code_new, $new_salt);
170 // Update the password and continue (patient is authorized)
172 "UPDATE " . TBL_PAT_ACC_ON
. " SET " . COL_POR_PWD
. "=?," . COL_POR_SALT
. "=?," . COL_POR_PWD_STAT
. "=1 WHERE id=?",
179 $authorizedPortal = true;
183 ($_SESSION['portal_username'] . ': ' . $_SESSION['ptName'] . ':success')
188 if ($auth['portal_pwd_status'] == 0) {
189 if (! $authorizedPortal) {
190 // Need to enter a new password in the index.php script
191 $_SESSION['password_update'] = 1;
192 header('Location: ' . $landingpage);
197 if ($auth['portal_pwd_status'] == 1) {
198 // continue (patient is authorized)
199 $authorizedPortal = true;
202 if ($authorizedPortal) {
203 // patient is authorized (prepare the session variables)
204 unset($_SESSION['password_update']); // just being safe
205 unset($_SESSION['itsme']); // just being safe
206 $_SESSION['pid'] = $auth['pid'];
207 $_SESSION['patient_portal_onsite_two'] = 1;
209 $tmp = getUserIDInfo($userData['providerID']);
210 $_SESSION['providerName'] = $tmp['fname'] . ' ' . $tmp['lname'];
211 $_SESSION['providerUName'] = $tmp['username'];
212 $_SESSION['sessionUser'] = '-patient-'; // $_POST['uname'];
213 $_SESSION['providerId'] = $userData['providerID'] ?
$userData['providerID'] : 'undefined';
214 $_SESSION['ptName'] = $userData['fname'] . ' ' . $userData['lname'];
216 $logit->portalLog('login', $_SESSION['pid'], ($_SESSION['portal_username'] . ': ' . $_SESSION['ptName'] . ':success'));
218 $logit->portalLog('login', '', ($_POST['uname'] . ':not authorized'), '', '0');
220 header('Location: ' . $landingpage . '&w');
223 } else { // problem with query
225 header('Location: ' . $landingpage . '&w');
228 header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
229 header("Cache-Control: no-cache");
230 header("Pragma: no-cache");
231 header('Location: ./home.php');