nexusphp/public/takelogin.php

<?php
require_once("../include/bittorrent.php");
header("Content-Type: text/html; charset=utf-8");
if (!mkglobal("username:password"))
	die();
dbconn();
require_once(get_langfile_path("", false, get_langfolder_cookie()));
failedloginscheck ();
cur_user_check () ;
$ip = getip();
function bark($text = "")
{
  global $lang_takelogin;
  $text =  ($text == "" ? $lang_takelogin['std_login_fail_note'] : $text);
  stderr($lang_takelogin['std_login_fail'], $text,false);
}
if ($iv == "yes")
	check_code ($_POST['imagehash'], $_POST['imagestring'],'login.php',true);
$res = sql_query("SELECT id, passhash, secret, enabled, status, two_step_secret FROM users WHERE username = " . sqlesc($username));
$row = mysql_fetch_array($res);

if (!$row)
	failedlogins();
if ($row['status'] == 'pending')
	failedlogins($lang_takelogin['std_user_account_unconfirmed']);

if (!empty($row['two_step_secret'])) {
    if (empty($_POST['two_step_code'])) {
        failedlogins($lang_takelogin['std_require_two_step_code']);
    }
    $ga = new \PHPGangsta_GoogleAuthenticator();
    if (!$ga->verifyCode($row['two_step_secret'], $_POST['two_step_code'])) {
        failedlogins($lang_takelogin['std_invalid_two_step_code']);
    }
}
$log = "user: {$row['id']}, ip: $ip";
if ($row["passhash"] != md5($row["secret"] . $password . $row["secret"])) {
    login_failedlogins();
}
$locationInfo = get_ip_location_from_geoip($ip);
$thisLoginLog = \App\Models\LoginLog::query()->create([
    'ip' => $ip,
    'uid' => $row['id'],
    'country' => $locationInfo['country_en'] ?? '',
    'city' => $locationInfo['city_en'] ?? '',
    'client' => 'Web',
]);
$lastLoginLog = \App\Models\LoginLog::query()->where('uid', $row['id'])->orderBy('id', 'desc')->first();
if (
    $lastLoginLog && $lastLoginLog->country && $lastLoginLog->city
    && $locationInfo['country_en'] && $locationInfo['city_en']
    && ($lastLoginLog->country != $locationInfo['country_en'] || $lastLoginLog->city != $locationInfo['city_en'])
) {
    $command = sprintf("user:login_notify --this_id=%s --last_id=%s", $thisLoginLog->id, $lastLoginLog->id);
    do_log("[LOGIN_NOTIFY], user: {$row['id']}, $command");
    executeCommand($command, "string", true, false);
}
if ($row["enabled"] == "no")
	bark($lang_takelogin['std_account_disabled']);

if (isset($_POST["securelogin"]) && $_POST["securelogin"] == "yes")
{
	$securelogin_indentity_cookie = true;
    /**
     * Not IP related
     * @since 1.8.0
     */
//	$passh = md5($row["passhash"].$ip);
	$passh = md5($row["passhash"]);
	$log .= ", secure login == yeah, passhash: {$row['passhash']}, ip: $ip, md5: $passh";
}
else
{
	$securelogin_indentity_cookie = false;
	$passh = md5($row["passhash"]);
    $log .= ",  passhash: {$row['passhash']}, md5: $passh";
}

if ($securelogin=='yes' || (isset($_POST["ssl"]) && $_POST["ssl"] == "yes"))
{
	$pprefix = "https://";
	$ssl = true;
}
else
{
	$pprefix = "http://";
	$ssl = false;
}
if ($securetracker=='yes' || (isset($_POST["trackerssl"] ) && $_POST["trackerssl"] == "yes"))
{
	$trackerssl = true;
}
else
{
	$trackerssl = false;
}

do_log($log);

if (isset($_POST["logout"]) && $_POST["logout"] == "yes")
{
	logincookie($row["id"], $passh,1,900,$securelogin_indentity_cookie, $ssl, $trackerssl);
	//sessioncookie($row["id"], $passh,true);
}
else
{
	logincookie($row["id"], $passh,1,get_setting('system.cookie_valid_days', 365) * 86400,$securelogin_indentity_cookie, $ssl, $trackerssl);
	//sessioncookie($row["id"], $passh,false);
}

if (!empty($_POST["returnto"]))
	header("Location: " . $pprefix . "$BASEURL/{$_POST['returnto']}");
else
	header("Location: " . $pprefix . "$BASEURL/index.php");
?>