4 * Copyright (C) 2016-2017 Jerry Padgett <sjpadgett@gmail.com>
5 * Copyright (C) 2011 Cassian LUP <cassi.lup@gmail.com>
7 * LICENSE: This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 3
10 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
19 * @author Cassian LUP <cassi.lup@gmail.com>
20 * @author Jerry Padgett <sjpadgett@gmail.com>
21 * @link http://www.open-emr.org
24 // starting the PHP session (also regenerating the session id to avoid session fixation attacks)
26 session_regenerate_id(true);
29 // landing page definition -- where to go if something goes wrong
30 $landingpage = "index.php?site=" . $_SESSION['site_id'];
33 // checking whether the request comes from index.php
34 if (! isset($_SESSION['itsme'])) {
36 header('Location: ' . $landingpage . '&w');
41 if (! isset($_POST['uname']) ||
empty($_POST['uname'])) {
43 header('Location: ' . $landingpage . '&w&c');
47 if (! isset($_POST['pass']) ||
empty($_POST['pass'])) {
49 header('Location: ' . $landingpage . '&w&c');
53 require_once(dirname(__FILE__
) . "/lib/appsql.class.php");
54 $logit = new ApplicationTable();
57 if (! empty($_POST['languageChoice'])) {
58 $_SESSION['language_choice'] = (int) $_POST['languageChoice'];
59 } else if (empty($_SESSION['language_choice'])) {
60 // just in case both are empty, then use english
61 $_SESSION['language_choice'] = 1;
63 // keep the current session language token
66 // Settings that will override globals.php
71 require_once('../interface/globals.php');
72 require_once("$srcdir/authentication/common_operations.php");
73 require_once("$srcdir/user.inc");
74 $password_update = isset($_SESSION['password_update']);
75 unset($_SESSION['password_update']);
76 $plain_code = $_POST['pass'];
78 $authorizedPortal = false; // flag
79 DEFINE("TBL_PAT_ACC_ON", "patient_access_onsite");
80 DEFINE("COL_PID", "pid");
81 DEFINE("COL_POR_PWD", "portal_pwd");
82 DEFINE("COL_POR_USER", "portal_username");
83 DEFINE("COL_POR_SALT", "portal_salt");
84 DEFINE("COL_POR_PWD_STAT", "portal_pwd_status");
85 $sql = "SELECT " . implode(",", array(
91 )) . " FROM " . TBL_PAT_ACC_ON
. " WHERE " . COL_POR_USER
. "=?";
92 $auth = privQuery($sql, array(
95 if ($auth === false) {
96 $logit->portalLog('login attempt', '', ($_POST['uname'] . ':invalid username'), '', '0');
98 header('Location: ' . $landingpage . '&w&u');
102 if (empty($auth[COL_POR_SALT
])) {
103 if (SHA1($plain_code) != $auth[COL_POR_PWD
]) {
104 $logit->portalLog('login attempt', '', ($_POST['uname'] . ':pass not salted'), '', '0');
106 header('Location: ' . $landingpage . '&w&p');
110 $new_salt = oemr_password_salt();
111 $new_hash = oemr_password_hash($plain_code, $new_salt);
112 $sqlUpdatePwd = " UPDATE " . TBL_PAT_ACC_ON
. " SET " . COL_POR_PWD
. "=?, " . COL_POR_SALT
. "=? " . " WHERE " . COL_ID
. "=?";
113 privStatement($sqlUpdatePwd, array(
119 $tmp = oemr_password_hash($plain_code, $auth[COL_POR_SALT
]);
120 if ($tmp != $auth[COL_POR_PWD
]) {
121 $logit->portalLog('login attempt', '', ($_POST['uname'] . ':invalid password'), '', '0');
123 header('Location: ' . $landingpage . '&w&p');
128 $_SESSION['portal_username'] = $_POST['uname'];
129 $sql = "SELECT * FROM `patient_data` WHERE `pid` = ?";
131 if ($userData = sqlQuery($sql, array(
133 ))) { // if query gets executed
135 if (empty($userData)) {
136 $logit->portalLog('login attempt', '', ($_POST['uname'] . ':not active patient'), '', '0');
138 header('Location: ' . $landingpage . '&w');
142 if ($userData['email'] != $_POST['passaddon']) {
143 $logit->portalLog('login attempt', '', ($_POST['uname'] . ':invalid email'), '', '0');
145 header('Location: ' . $landingpage . '&w');
149 if ($userData['allow_patient_portal'] != "YES") {
150 // Patient has not authorized portal, so escape
151 $logit->portalLog('login attempt', '', ($_POST['uname'] . ':allow portal turned off'), '', '0');
153 header('Location: ' . $landingpage . '&w');
157 if ($auth['pid'] != $userData['pid']) {
158 // Not sure if this is even possible, but should escape if this happens
160 header('Location: ' . $landingpage . '&w');
164 if ($password_update) {
165 $code_new = $_POST['pass_new'];
166 $code_new_confirm = $_POST['pass_new_confirm'];
167 if (! (empty($_POST['pass_new'])) && ! (empty($_POST['pass_new_confirm'])) && ($code_new == $code_new_confirm)) {
168 $new_salt = oemr_password_salt();
169 $new_hash = oemr_password_hash($code_new, $new_salt);
171 // Update the password and continue (patient is authorized)
173 "UPDATE " . TBL_PAT_ACC_ON
. " SET " . COL_POR_PWD
. "=?," . COL_POR_SALT
. "=?," . COL_POR_PWD_STAT
. "=1 WHERE id=?",
180 $authorizedPortal = true;
184 ($_SESSION['portal_username'] . ': ' . $_SESSION['ptName'] . ':success')
189 if ($auth['portal_pwd_status'] == 0) {
190 if (! $authorizedPortal) {
191 // Need to enter a new password in the index.php script
192 $_SESSION['password_update'] = 1;
193 header('Location: ' . $landingpage);
198 if ($auth['portal_pwd_status'] == 1) {
199 // continue (patient is authorized)
200 $authorizedPortal = true;
203 if ($authorizedPortal) {
204 // patient is authorized (prepare the session variables)
205 unset($_SESSION['password_update']); // just being safe
206 unset($_SESSION['itsme']); // just being safe
207 $_SESSION['pid'] = $auth['pid'];
208 $_SESSION['patient_portal_onsite_two'] = 1;
210 $tmp = getUserIDInfo($userData['providerID']);
211 $_SESSION['providerName'] = $tmp['fname'] . ' ' . $tmp['lname'];
212 $_SESSION['providerUName'] = $tmp['username'];
213 $_SESSION['sessionUser'] = '-patient-'; // $_POST['uname'];
214 $_SESSION['providerId'] = $userData['providerID'] ?
$userData['providerID'] : 'undefined';
215 $_SESSION['ptName'] = $userData['fname'] . ' ' . $userData['lname'];
217 $logit->portalLog('login', $_SESSION['pid'], ($_SESSION['portal_username'] . ': ' . $_SESSION['ptName'] . ':success'));
219 $logit->portalLog('login', '', ($_POST['uname'] . ':not authorized'), '', '0');
221 header('Location: ' . $landingpage . '&w');
224 } else { // problem with query
226 header('Location: ' . $landingpage . '&w');
229 header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
230 header("Cache-Control: no-cache");
231 header("Pragma: no-cache");
232 header('Location: ./home.php');