

User Login Page
« on: February 02, 2020, 07:31:36 PM »
A couple of notes for the Developers.
1)  If JavaScript is disabled, users are unable to log in. There needs to be a notice that JavaScript IS required to use the page.
2)  I see the beginning of 2FA integration. However, you should not use AJAX or any JavaScript whatsoever to perform this function. A simple tweak to the JavaScript, and a user can bypass it.
3)  I would recommend ditching the JavaScript/AJAX calls; you may think they streamline things, but they are actually going to cause more headaches.

Re: User Login Page
« Reply #1 on: February 03, 2020, 04:27:04 AM »
If you insist on using jQuery to log in, at least put the JavaScript code in the index.php file and return it to eval().

Example: I have 2FA working on my own index.php page that I created, which makes callbacks to your index.php (renamed to abcdefg.php).

To get it to work, I had to add /home to the login base_dir config in /usr/local/cwpsrv/conf.d/users.conf:
fastcgi_param   PHP_ADMIN_VALUE "open_basedir = /home/:/tmp/:...

# Grant the "login" group read access on everything under /home, recursively
# (-R); "rX" adds execute only where the entry already has it (i.e. directory
# traversal), so the login script can read /home/<user>/.f2akey.
# NOTE(review): this exposes every file in every home directory to the login
# service's group, far more than the single .f2akey file it needs; a narrower
# grant (per-user, or a dedicated directory for the keys) would limit the blast
# radius if the login front end is compromised.
setfacl  -Rm g:login:rX /home
# Same grant as a default ACL (-d), so entries created later under /home inherit it.
setfacl  -dRm g:login:rX /home

Move index.php to abcdefg.php
Keep a backup copy of this script, and copy it to index.php.

Re: User Login Page
« Reply #2 on: February 03, 2020, 04:28:35 AM »
$c constant;
if (isset(
$_GET['acc'])) {
$userName = !empty($_POST['username'])?trim(htmlentities($_POST['username']), ENT_QUOTES):"";
$authCode = !empty($_POST['code'])?htmlentities($_POST['code'], ENT_QUOTES):"";

if (
$need file_exists("/home/{$userName}/.f2akey")) {
$authKey file_get_contents("/home/{$userName}/.f2akey");
$_GET['acc']) {
$gauth = new GoogleAuthenticator();
                if (
$gauth->verifyCode(trim($authKey),$authCode) === true) {
                        echo <<< EOL
$( "#formloginon" ).submit();
                } else {
                        echo <<< EOL
noti_bubble('incorrect access..!','','error',false,false,'3000',true);
if (
$need == 1){
echo <<< EOL


        } else {
                echo <<< EOL
$( "#formloginon" ).submit();

<!DOCTYPE html>


    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">

    <title>CWP | User</title>

    <link href="/login/cwp_theme/original/css/bootstrap.min.css" rel="stylesheet">
    <link rel="stylesheet" href="/login/cwp_theme/original/font-awesome/css/fontawesome-all.css">
    <link href="/login/cwp_theme/original/css/plugins/iCheck/custom.css" rel="stylesheet">
    <!-- Toastr style -->
    <link href="/login/cwp_theme/original/css/plugins/toastr/toastr.min.css" rel="stylesheet">
    <!-- Gritter -->
    <link href="/login/cwp_theme/original/js/plugins/gritter/jquery.gritter.css" rel="stylesheet">
    <link href="/login/cwp_theme/original/css/animate.css" rel="stylesheet">
    <link href="/login/cwp_theme/original/css/style.css" rel="stylesheet">
    <link rel="icon" href="/login/cwp_theme/original/img/ico/favicon.ico" type="image/png">
    <style media="screen">
        display: none;
      body, html{
        margin: 0px;
        padding: 0px;
        /* display: flex;
        height: 100vh;
        justify-content: center;
        align-items: center;
        flex-direction: column; */
        display: flex;
        align-items: center;
      .logged-message a{
        margin-bottom: 2rem;
      .logged-message img{
        width: 35rem;
        border-radius: 5px;
        color: #676a6c;
        display: flex;
        flex-direction: column;
        align-items: center;
        justify-content: center;
        padding: 20px;
      .logged-message-alert .fa{
        font-size: 6rem;
      .logged-message-alert h5{
        font-size: 2rem;
      .logged-message-alert h2{
        font-size: 2.5rem;
        font-weight: bold;
        display: none;
        max-width: 800px;
        margin: 0 auto;
        padding: 100px 20px 20px 20px;

<body class="gray-bg">
<noscript><h1>You must enable Javascript to login</h1></noscript>
<div class="loginColumns animated fadeInDown" id="login">
    <div class="row">
        <div class="col-md-6">
            <!--p><img src="/login/cwp_theme/design/img/new_logo_small.png"></p-->
            <div class="col-md-12 text-center" style="margin-top: -20px">
                <a href="" target="_blank"><img width="330px" src="/login/cwp_theme/original/img/new_logo_small.png"></a>

            <p style="margin-top: 45px">
                Welcome to Webhosting control panel. Login to your account to manage your websites, files, databases, emails and many other services

                Domains, Emails and forwarding can all be configured here

        <div class="col-md-6">
            <div class="ibox-content" id="formlogin">
                <form class="m-t" role="form" action="#" id="formloginon" method="post">
                    <div class="form-group">
                        <input type="text" name="username" max="16" id="username" class="form-control" placeholder="Username" required="" maxlength="16" autofocus>
                    <div class="form-group">
                        <input type="password" name="password" id="password" class="form-control" placeholder="Password" required="">
                    <button type="submit"  id="btnsubmit"  class="btn btn-primary block full-width m-b" onclick="return valite()">
                      <i id="btn_icon" class="fa fa-spinner fa-spin"></i>
                      <span id="btn_title">Login</span>
                    <p class="text-muted text-center" style="display: none">
                        <i class="fa fa-lock"></i>  <small>Please use SSL login <a href="">Click here for SSL login</a></small>
                    <a class="btn btn-sm btn-white btn-block" href="#" onclick="return forgout(0)">Recover password</a>
                    <input type="hidden" id="token" name="token" value="">
                    <input type="hidden" id="intended" name="intended" value="">

            <div class="ibox-content" id="form2fa" style="display: none">

                    <h2 class="text-center">Two-factor authentication</h2>
                    <h3 class="text-center">Authentication code</h3>
                    <div class="row">
                        <div class="form-group">
                            <input type="text" name="f2acode" max="6" id="f2acode" class="form-control" placeholder="******" required="" maxlength="6" style="text-align: center;font-size:25px">
                    <div class="row">
                        <button class="btn btn-primary block full-width m-b" id="btn-f2acode">Validate</button>
                    <p class="text-muted text-center"><small><a href="" target="_blank">Do you have problems with the authentication code?</a></small></p>
    <div class="row">
        <div class="col-md-6">
            <a href="" target="_blank">CWP Control WebPanel.</a>   All rights reserved
        <div class="col-md-6 text-right">
            <small>© 2013 -  2020</small>

<div class="logged-message-wrapper">
  <div class="logged-message row">
    <div class="col-md-6" style="text-align: center;">
      <a href="" target="_blank"><img src="/login/cwp_theme/original/img/new_logo_small.png"></a>
    <div class="col-md-6" style="border-left: 1px solid #ddd;">
      <div class="logged-message-alert">
        <i class="fa fa-spinner text-success fa-spin"></i>
          <h2 class="text-success">
              Successfully logged in
          <h5>You&#039;re being redirected</h5>
          <h5>Please Wait...</h5>
<div class="middle-box animated fadeInDown" id="lost-pass" style="display: none">
    <div class="text-center">
        <a href="" target="_blank"><img src="/login/cwp_theme/original/img/cwp_logo.png" width="300"></a>
    <div class="row">
        <div class="col-md-12">
            <div class="ibox-content">

                <h2 class="font-bold">Forgot password</h2>

                    Enter your username and your email address and your new access will be sent to you by email.

                <div class="row">

                    <div class="col-lg-12">
                        <form class="m-t" role="form" action="">
                            <div class="form-group">
                                <input type="text" class="form-control" maxlength="8" name="lost-user" id="lost-user" placeholder="Username" required="">
                            <div class="form-group">
                                <input type="email" class="form-control" placeholder="Email address" name="lost-email" id="lost-email" required="">

                            <button type="submit" class="btn btn-primary block full-width m-b" onclick="return lostpass()">Send new password</button>
                            <a class="btn btn-sm btn-white btn-block" href="#" onclick="return forgout(1)">Cancel</a>

<!-- Mainly scripts -->
<script src="/login/cwp_theme/original/js/jquery-3.1.1.min.js"></script>
<script src="/login/cwp_theme/original/js/popper.min.js"></script>
<script src="/login/cwp_theme/original/js/bootstrap.js"></script>
<!-- iCheck -->
<script src="/login/cwp_theme/original/js/plugins/iCheck/icheck.min.js"></script>
<script src="/login/cwp_theme/original/js/plugins/toastr/toastr.min.js"></script>
<script src="/login/cwp_theme/original/js/plugins/gritter/jquery.gritter.min.js"></script>

    $("#btn-f2acode").click(function (){
        var msjbtn =$("#btn-f2acode").text();
        $.ajaxSetup({ headers: { 'csrftoken' : 'fbbcfe5567cfce4080d774ce9b03ba64' } });
        $("#btn-f2acode").html('<i class="fa fa-spinner fa-spin"></i>'+msjbtn);
            type: "POST",
            url: "index.php?acc=f2acode",
            complete: function(datos){
            return false;
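    /**
     * Show a toastr notification of the given type.
     *
     * @param {string} title - headline text
     * @param {string} msj - body text
     * @param {string} type - 'success' | 'error' | 'info' | 'warning'; any other value shows nothing
     * @param {boolean} bar - show a progress bar
     * @param {boolean} button - show a close button
     * @param {number|string} timer - toastr timeOut in milliseconds
     * @param {*} repeat - accepted for call-site compatibility; not used here
     *
     * NOTE(review): toastr renders title/msj as markup unless its escapeHtml
     * option is set — callers on this page pass fixed literals only; keep it that way.
     */
    function noti_bubble(title, msj, type, bar, button, timer, repeat) {
        // toastr.options is global state: every call reconfigures it.
        toastr.options = {
            closeButton: button,
            progressBar: bar,
            showMethod: 'slideDown',
            timeOut: timer
        };
        if (type === 'success') { toastr.success(title, msj); }
        if (type === 'error') { toastr.error(title, msj); }
        if (type === 'info') { toastr.info(title, msj); }
        if (type === 'warning') { toastr.warning(title, msj); }
    }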
    function cookie() {
        $.ajaxSetup({ headers: { 'csrftoken' : 'fbbcfe5567cfce4080d774ce9b03ba64' } });
            type: "POST",
            url: "/login/<?php echo index;?>?acc=cookie",
            complete: function(datos){
                    //window.location = datos.responseText;
    function valite(){
            noti_bubble('User root Invalid..!','','error',false,false,'3000',true);
            return false;
        $.ajaxSetup({ headers: { 'csrftoken' : 'fbbcfe5567cfce4080d774ce9b03ba64' } });

            noti_bubble('All data is required','','error',false,false,'3000',true);
            // $("#btnsubmit").attr('disabled',false);
            // $("#btnsubmit").removeClass('disabled');
            // $("#btnsubmit").html('Login');
            return false;
          $("#btn_title").html('Please wait!');
            var pass=$("#password").val();
            var pass= Base64.encode(pass);
            var userN =$("#username").val();
            userN =userN.trim();
                type: "POST",
                url: "/login/<?php echo index;?>?acc=validate",
                complete: function(datos){
                    var obj = JSON.parse(datos.responseText);
                        } else if(obj.error=='locked'){
                            noti_bubble('User locked','','error',false,false,'3000',true);
                            window.location = datos2.responseText;
                        return false;
                    }else if(obj.token){
                                type: "POST",
                                url: "login.php?acc=f2aneed",
                                complete: function(datoss){


                        $('#formloginon').attr("action", "/"+$("#username").val()+"/");
                        return  false;
        return false;
    function forgout(sw){
        }else  if(sw==1){
        return false;
    function lostpass(){
        $.ajaxSetup({ headers: { 'csrftoken' : 'fbbcfe5567cfce4080d774ce9b03ba64' } });
                type: "POST",
                url: "/login/<?php echo index;?>?acc=lostpass",
                complete: function(datos){
                    return false;
            return false;
            return false;
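    /**
     * Minimal Base64 codec operating on JS strings.
     *
     * encode() first converts the string to a UTF-8 byte string, then maps
     * each 3-byte group to four alphabet characters, padding with "=".
     * decode() reverses both steps.
     *
     * Security note: Base64 is a reversible encoding, not encryption. The
     * login form on this page runs the password through Base64.encode()
     * before posting it; that provides no confidentiality (only TLS on the
     * connection does), and the server must treat the value as plaintext.
     *
     * Limitations (kept as-is so the server side keeps decoding it):
     *  - _utf8_encode works per UTF-16 code unit, so characters outside the
     *    BMP (surrogate pairs) become two 3-byte sequences, not one 4-byte one;
     *  - _utf8_encode normalises "\r\n" to "\n" before encoding (lossy).
     */
    var Base64 = {

        // Base64 alphabet; index 64 ("=") is the padding character.
        _keyStr : "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",

        /**
         * Encode a string to Base64.
         * @param {string} input - text to encode (converted to UTF-8 first)
         * @returns {string} Base64 text, "="-padded to a multiple of 4 characters
         */
        encode : function (input) {
            var output = "";
            var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
            var i = 0;

            input = Base64._utf8_encode(input);

            while (i < input.length) {
                chr1 = input.charCodeAt(i++);
                chr2 = input.charCodeAt(i++);   // NaN once past the end of input
                chr3 = input.charCodeAt(i++);

                // NaN behaves as 0 in the bit operations below.
                enc1 = chr1 >> 2;
                enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
                enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
                enc4 = chr3 & 63;

                // Missing trailing bytes become "=" padding.
                if (isNaN(chr2)) {
                    enc3 = enc4 = 64;
                } else if (isNaN(chr3)) {
                    enc4 = 64;
                }

                output = output +
                    Base64._keyStr.charAt(enc1) + Base64._keyStr.charAt(enc2) +
                    Base64._keyStr.charAt(enc3) + Base64._keyStr.charAt(enc4);
            }

            return output;
        },

        /**
         * Decode Base64 text to a string.
         * @param {string} input - Base64 text; characters outside the alphabet
         *   (whitespace, line breaks) are dropped first
         * @returns {string} decoded text, UTF-8 byte sequences re-assembled into characters
         */
        decode : function (input) {
            var output = "";
            var chr1, chr2, chr3;
            var enc1, enc2, enc3, enc4;
            var i = 0;

            input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");

            while (i < input.length) {
                // Past the end charAt() yields "" and indexOf("") is 0, i.e. "A".
                enc1 = Base64._keyStr.indexOf(input.charAt(i++));
                enc2 = Base64._keyStr.indexOf(input.charAt(i++));
                enc3 = Base64._keyStr.indexOf(input.charAt(i++));
                enc4 = Base64._keyStr.indexOf(input.charAt(i++));

                chr1 = (enc1 << 2) | (enc2 >> 4);
                chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
                chr3 = ((enc3 & 3) << 6) | enc4;

                output = output + String.fromCharCode(chr1);

                // 64 is the "=" index: padding, not data.
                if (enc3 !== 64) {
                    output = output + String.fromCharCode(chr2);
                }
                if (enc4 !== 64) {
                    output = output + String.fromCharCode(chr3);
                }
            }

            output = Base64._utf8_decode(output);

            return output;
        },

        /**
         * Convert a JS string to a "byte string" holding its UTF-8 encoding
         * (one char code 0..255 per byte). Works per UTF-16 code unit.
         * @param {string} string - text to encode
         * @returns {string} UTF-8 byte string
         */
        _utf8_encode : function (string) {
            string = string.replace(/\r\n/g,"\n");
            var utftext = "";

            for (var n = 0; n < string.length; n++) {
                var c = string.charCodeAt(n);

                if (c < 128) {
                    // 1 byte: 0xxxxxxx
                    utftext += String.fromCharCode(c);
                } else if((c > 127) && (c < 2048)) {
                    // 2 bytes: 110xxxxx 10xxxxxx
                    utftext += String.fromCharCode((c >> 6) | 192);
                    utftext += String.fromCharCode((c & 63) | 128);
                } else {
                    // 3 bytes: 1110xxxx 10xxxxxx 10xxxxxx (also used for surrogates)
                    utftext += String.fromCharCode((c >> 12) | 224);
                    utftext += String.fromCharCode(((c >> 6) & 63) | 128);
                    utftext += String.fromCharCode((c & 63) | 128);
                }
            }

            return utftext;
        },

        /**
         * Reverse of _utf8_encode: turn a UTF-8 byte string back into text.
         * Handles 1-, 2- and 3-byte sequences; a lead byte of 4-byte form is
         * consumed as a 3-byte sequence (no 4-byte support, matching the encoder).
         * @param {string} utftext - UTF-8 byte string
         * @returns {string} decoded text
         */
        _utf8_decode : function (utftext) {
            var string = "";
            var i = 0;
            // Declared locally: the original leaked c2/c3 as implicit globals,
            // which throws in strict mode (ES modules) on multi-byte input.
            var c = 0;
            var c2 = 0;
            var c3 = 0;

            while (i < utftext.length) {
                c = utftext.charCodeAt(i);

                if (c < 128) {
                    string += String.fromCharCode(c);
                    i++;   // without this the ASCII branch never advances
                } else if((c > 191) && (c < 224)) {
                    c2 = utftext.charCodeAt(i+1);
                    string += String.fromCharCode(((c & 31) << 6) | (c2 & 63));
                    i += 2;
                } else {
                    c2 = utftext.charCodeAt(i+1);
                    c3 = utftext.charCodeAt(i+2);
                    string += String.fromCharCode(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63));
                    i += 3;
                }
            }

            return string;
        }
    };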



« Last Edit: February 03, 2020, 04:31:21 AM by rcschaff »