<?php
session_start();
%PLEAZE_NO_CACHE%

$pdo = new PDO('mysql:host=%DB_SERVER%;dbname=%DB_NAME%', '%DB_USERNAME%', '%DB_PASSWORD%');
$statement = $pdo->prepare('SELECT id, authentication_algorithm, authentication_salt, authentication_string FROM users WHERE name = :username;');
$result = $statement->execute(array('username' => $_POST['username']));
if ($statement->rowCount() > 0) {
  //existing user name
  $dbentry = $statement->fetch();
  //chechk for correct password
  if ($dbentry['authentication_string'] == hash($dbentry['authentication_algorithm'], $_POST['password'] . $dbentry['authentication_salt'])) {
    //password correct
    $_SESSION['user_id'] = $dbentry['id'];
    // IP and user agent string are used to prevent cheap session stealing
    $_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];
    $_SESSION['user_http_user_agent'] = $_SERVER['HTTP_USER_AGENT'];
    header("Location: https://%DOMAIN_NAME%%CONTENT_DIR%/userhome/");
  } else {
    //password inorrect
    header("Location: https://%DOMAIN_NAME%%CONTENT_DIR%/login/?error=credentials");
    die();
  }
} else {
  //wrong user name
  header("Location: https://%DOMAIN_NAME%%CONTENT_DIR%/login/?error=credentials");
  die();
}
?>