[trainer]

[QUOTE]Originally posted by Axel Foley
Hi PPN, first of all, great hack.

I needed a hack to log ALL the logins of my users, failed and successful ones. A few of my users have reported stolen passwords and I couldn't tell them WHEN during the week they logged on, but just the LAST login. So I was looking for a logging hack.

I took yours and I made some modifications:

PHP Code:

      if ($user['password']!=md5($password)) {  // check password

        // HACK: Login Log (Failed login)
        $ipaddress=iif(getenv("REMOTE_ADDR")!="",getenv("REMOTE_ADDR"),$HTTP_HOST);
        $DB_site->query("INSERT INTO loginlog (loginid, ip, username, password, userid, atime, success, reason) VALUES ('','$ipaddress', '$username', '$password', '$user[userid]', '".time()."', '0', 'WRONGPW')");
        // HACK: Login Log (Failed login)

        eval("standarderror(\"".gettemplate("error_wrongpassword")."\");");
        exit;
      }
      $userid=$user[userid];
    } else { // invalid username entered

        // HACK: Login Log (Failed login)
        $ipaddress=iif(getenv("REMOTE_ADDR")!="",getenv("REMOTE_ADDR"),$HTTP_HOST);
        $DB_site->query("INSERT INTO loginlog (loginid, ip, username, password, userid, atime, success, reason) VALUES ('','$ipaddress', '$username', '$password', '$user[userid]', '".time()."', '0', 'WRONGUSER')");
        // HACK: Login Log (Failed login)

        eval("standarderror(\"".gettemplate("error_wrongusername")."\");");
        exit;
    }

    // HACK: Login Log (Successful login)
    $ipaddress=iif(getenv("REMOTE_ADDR")!="",getenv("REMOTE_ADDR"),$HTTP_HOST);
    $DB_site->query("INSERT INTO loginlog (loginid, ip, username, password, userid, atime, success, reason) VALUES ('','$ipaddress', '$username', '$password', '$user[userid]', '".time()."', '1', 'LOGINOK')");
    // HACK: Login Log (Successful login) 


In this way I can log TWO TYPES of FAILED LOGINS, and all the successful logins too. I added two fields to the database.

It works, now I only have to modify your control panel for the hack to query all the fields etc.

The only thing that I don't like is that if users have set automatic login via cookies their successful logins aren't logged (haven't tried with unsuccessful logins via cookie). So I was thinking about DISABLING automatic login via cookies, just to have complete control over the logins. We have had a supermoderator whose pw was stolen by an admin of a 2.0.3 vB forum. I'm very angry so I want to extend the logging features of vB in order to prevent this from happening.

I hope you like these ideas, you could also make it an option WHAT TO LOG (failure, successful and both).

Could you also give me a hint on the BEST way to disable the automatic login via cookie for ALL my users, prevent them from changing that option and to delete the cookie?

Thanks man, you've made a great job and if you make these modifications your hack will be GREAT. Like an OS event logging system.