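<?php
// QR-code login proof of concept.
//
// Flow, as implemented below:
//   1. ?action=qrlogin  - an unauthenticated browser gets a one-time key, shows
//                         it as a QR code and polls ?check=KEY once a second.
//   2. ?ns=KEY          - a browser that already has the LogIn cookie (the
//                         phone scanning the QR code) stores "KEY>cookie".
//   3. ?check=KEY       - the polling browser receives the stored cookie value
//                         and the one-time record is deleted.
//
// NOTE(review): the LogIn cookie is only the entity-encoded user name from the
// login form; it is neither signed nor tied to a server-side session, so it
// carries no proof of identity. A real deployment needs an opaque, server-side
// session identifier instead.

// A secure database would be used.
// NOTE(review): a relative path is resolved against the working directory; if
// that is inside the document root, the keys and cookie values in this file can
// be downloaded directly. Keep the store outside the web root.
$db = "database.txt";

/**
 * Read a request value as a string.
 *
 * Returns '' when the key is missing or when the client sent an array
 * (e.g. ?ns[]=x), so callers never interpolate a non-string.
 */
function qr_request_string($source, $name)
{
    return (isset($source[$name]) && is_string($source[$name])) ? $source[$name] : '';
}

/**
 * True when $value has the shape of a one-time key: 32 lowercase hex digits.
 *
 * The /D modifier stops "$" from matching before a trailing newline, which
 * would otherwise let a line break into the flat-file record.
 */
function qr_is_key($value)
{
    return preg_match('/^[0-9a-f]{32}$/D', $value) === 1;
}

/**
 * Create an unpredictable one-time key (32 hex digits, the same shape the
 * previous md5(time()) key had, so stored records and URLs keep their format).
 *
 * Fails closed when no cryptographic random source is available.
 */
function qr_new_key()
{
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes(16));
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        return bin2hex(openssl_random_pseudo_bytes(16));
    }
    die("No secure random source available.");
}

$ns     = qr_request_string($_GET, 'ns');
$check  = qr_request_string($_GET, 'check');
$action = qr_request_string($_GET, 'action');
$login  = qr_request_string($_COOKIE, 'LogIn');

// Step 2: the already-logged-in device hands its cookie over under the key.
// A malformed key is treated as absent and falls through to the normal page.
if (qr_is_key($ns) && $login) {
    // PHP URL-decodes cookie values, so a line break here would append extra
    // "key>value" records to the store. Refuse it instead of writing it.
    if (strpbrk($login, "\r\n") !== false) {
        die("Invalid log-in cookie.");
    }
    // Append under an exclusive lock so concurrent writers cannot interleave.
    if (file_put_contents($db, $ns . '>' . $login . "\n", FILE_APPEND | LOCK_EX) === false) {
        die("Error - could not store the session.");
    }
    die("Success - check your other computer.");
}

// Step 3: the polling browser asks whether its key has been authorised yet.
if ($check !== '') {
    if (!qr_is_key($check) || !file_exists($db)) {
        die();
    }
    $sessions = file($db);
    if ($sessions === false) {
        die();
    }
    foreach ($sessions as $k => $value) {
        // Limit of 2 keeps a '>' inside the cookie value intact; rtrim drops
        // the line ending that file() leaves on every record.
        $d = explode(">", rtrim($value, "\r\n"), 2);
        if (count($d) !== 2) {
            continue;
        }
        // Strict comparison: with == two numeric-looking strings such as
        // "0e12..." and "0e34..." compare equal.
        if ($d[0] === $check) {
            // HttpOnly keeps the cookie out of reach of page scripts; path and
            // domain are left at their defaults.
            setcookie('LogIn', $d[1], time() + 24 * 60 * 60, '', '', false, true);
            // Delete the disposable key
            unset($sessions[$k]);
            file_put_contents($db, implode('', $sessions), LOCK_EX);
            die("Success");
        }
    }
    die();
}

switch ($action) {
    case "login":
        $username = qr_request_string($_POST, 'username');
        if ($username) {
            setcookie('LogIn', htmlentities($username), time() + 24 * 60 * 60, '', '', false, true);
            die("<script>window.location='?action='</script>");
        } else {
            echo "<form method='post'>Enter username:<input type='text' name='username'><input type='submit' value='Log in'></form>";
        }
        break;

    case "qrlogin":
        // The key is the only thing protecting the hand-over, so it must not
        // be derivable from the clock.
        $key = qr_new_key();
        echo "<body onload=\"ajax(page,'scriptoutput');\">";
        google_qr("http://mitxela.com/temp/QRlogin.php?ns=" . $key, 200);
?><script type="text/javascript">
var page = "QRlogin.php?check=<?php echo $key; ?>";

function ajax(url, target) {
  // native XMLHttpRequest object
  //document.getElementById(target).innerHTML = 'Loading...';
  if (window.XMLHttpRequest) {
    req = new XMLHttpRequest();
    req.onreadystatechange = function () { ajaxDone(target); };
    req.open("GET", url, true);
    req.send(null);
  // IE/Windows ActiveX version
  } else if (window.ActiveXObject) {
    // Microsoft.XMLHTTP is the request object; XMLDOM is a document parser.
    req = new ActiveXObject("Microsoft.XMLHTTP");
    if (req) {
      req.onreadystatechange = function () { ajaxDone(target); };
      req.open("GET", url, true);
      req.send(null);
    }
  }
  // Poll again in a second; a function avoids evaluating a string as code.
  setTimeout(function () { ajax(page, 'scriptoutput'); }, 1000);
}

function ajaxDone(target) {
  // only if req is "loaded"
  if (req.readyState == 4) {
    // only if "OK"
    if (req.status == 200 || req.status == 304) {
      results = req.responseText;
      if (results == "Success") { window.location = '?action='; }
      document.getElementById(target).innerHTML = results;
    } else {
      document.getElementById(target).innerHTML = "ajax error:\n" + req.statusText;
    }
  }
}
</script>
<div id='scriptoutput'></div>
</body><?php
        // "<?php" rather than "<?": with short_open_tag off the short form is
        // emitted as text and the switch is never closed.
        break;

    case "logout":
        setcookie('LogIn', "", -1);
        die("<script>window.location='?action='</script>");

    default:
        if ($login) {
            // The cookie is client-controlled, and via ?ns/?check it can be
            // supplied by another device, so escape it on output.
            // double_encode=false leaves the entities written at login intact.
            $shown = htmlspecialchars($login, ENT_QUOTES, 'UTF-8', false);
            echo "You are logged in as {$shown}. <br/><br/>Note the log-in cookie expires after a day - on your average social networking site, people usually tick 'keep me logged in'.<br/><br/><a href='?action=logout'>Log out</a>";
        } else {
            echo "You are not logged in.<br/><br/><a href='?action=login'>Log in via user name</a><br/><br/><a href='?action=qrlogin'>Log in via QR code</a>";
        }
}

/**
 * Echo an <img> tag that asks the Google chart endpoint for a QR code of $url.
 *
 * NOTE(review): $url carries the one-time login key, and the image is fetched
 * from a third-party host over plain HTTP, so the key is disclosed to that
 * host and to anyone able to observe the request. Render the QR code locally
 * in a real deployment.
 *
 * @param string $url      Text to encode in the QR code.
 * @param mixed  $size     Width and height in pixels.
 * @param string $EC_level Error-correction level passed as the first chld field.
 * @param mixed  $margin   Margin passed as the second chld field.
 */
function google_qr($url, $size = '150', $EC_level = 'L', $margin = '0')
{
    // Every value ends up inside an HTML attribute, so constrain each one.
    $url      = urlencode($url);
    $size     = (int) $size;
    $EC_level = urlencode($EC_level);
    $margin   = urlencode($margin);
    echo '<img src="http://chart.apis.google.com/chart?chs=' . $size . 'x' . $size . '&cht=qr&chld=' . $EC_level . '|' . $margin . '&chl=' . $url . '" alt="QR code" width="' . $size . '" height="' . $size . '"/>';
}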