diff --git a/class2.php b/class2.php
index 7bd7759f1..d905156be 100644
--- a/class2.php
+++ b/class2.php
@@ -11,8 +11,8 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/class2.php,v $
-|     $Revision: 1.59 $
-|     $Date: 2008-05-29 21:12:42 $
+|     $Revision: 1.60 $
+|     $Date: 2008-06-13 20:20:20 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -429,6 +429,15 @@ $tp->sch_load();
 if ($pref['user_tracking'] == "session")
 {
 	session_start();
+  if (!isset($_SESSION['challenge']))
+  {	// New session
+	$_SESSION['challenge'] = sha1(time().session_id());		// Create a unique challenge string for CHAP login
+  }
+  $ubrowser = md5('E107'.$_SERVER['HTTP_USER_AGENT']);
+  if (!isset($_SESSION['ubrowser'])) 
+  {
+    $_SESSION['ubrowser'] = $ubrowser;
+  }
 }
 
 define("e_SELF", ($pref['ssl_enabled'] == '1' ? "https://".$_SERVER['HTTP_HOST'] : "http://".$_SERVER['HTTP_HOST']) . ($_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_FILENAME']));
@@ -765,12 +774,14 @@ if ($pref['maintainance_flag'] && ADMIN == FALSE && strpos(e_SELF, "admin.php")
 
 $sql->db_Mark_Time('(Start: Login/logout/ban/tz)');
 
-if (isset($_POST['userlogin']) || isset($_POST['userlogin_x'])) {
+if (isset($_POST['userlogin']) || isset($_POST['userlogin_x'])) 
+{
 	e107_require_once(e_HANDLER."login.php");
-	$usr = new userlogin($_POST['username'], $_POST['userpass'], $_POST['autologin']);
+	$usr = new userlogin($_POST['username'], $_POST['userpass'], $_POST['autologin'],varset($_POST['hashchallenge'],''));
 }
 
-if (e_QUERY == 'logout') 
+if ((e_QUERY == 'logout') || (($pref['user_tracking'] == "session") && isset($_SESSION['ubrowser']) && ($_SESSION['ubrowser'] != $ubrowser)))
+//if (e_QUERY == 'logout') 
 {
   if (USER)
   {
@@ -1272,6 +1283,7 @@ function init_session() {
 	if (!isset($_COOKIE[e_COOKIE]) && !isset($_SESSION[e_COOKIE]) && !isset($_E107['cli']))
 	{
 		define("USER", FALSE);
+		define('USERID', 0);
 		define("USERTHEME", FALSE);
 		define("ADMIN", FALSE);
 		define("GUEST", TRUE);
@@ -1289,12 +1301,14 @@ function init_session() {
         	list($uid, $upw)= explode(".", $cli_log);
 		}
 
-		if (empty($uid) || empty($upw)) {
+		if (empty($uid) || empty($upw)) 
+		{
 			cookie(e_COOKIE, "", (time() - 2592000));
 			$_SESSION[e_COOKIE] = "";
 			session_destroy();
 			define("ADMIN", FALSE);
 			define("USER", FALSE);
+			define('USERID', 0);
 			define("USERCLASS", "");
 			define("LOGINMESSAGE",CORE_LAN10."<br /><br />");
 			return (FALSE);
@@ -1344,25 +1358,32 @@ function init_session() {
 
 			$user_pref = ($result['user_prefs']) ? unserialize($result['user_prefs']) : '';
 
-			if (isset($_POST['settheme'])) {
+			if (isset($_POST['settheme'])) 
+			{
 				$user_pref['sitetheme'] = ($pref['sitetheme'] == $_POST['sitetheme'] ? "" : $_POST['sitetheme']);
 				save_prefs("user");
 			}
 
 			define("USERTHEME", (isset($user_pref['sitetheme']) && file_exists(e_THEME.$user_pref['sitetheme']."/theme.php") ? $user_pref['sitetheme'] : FALSE));
 			global $ADMIN_DIRECTORY, $PLUGINS_DIRECTORY;
-			if ($result['user_admin']) {
+			if ($result['user_admin']) 
+			{
 				define("ADMIN", TRUE);
 				define("ADMINID", $result['user_id']);
 				define("ADMINNAME", $result['user_name']);
 				define("ADMINPERMS", $result['user_perms']);
 				define("ADMINEMAIL", $result['user_email']);
 				define("ADMINPWCHANGE", $result['user_pwchange']);
-			} else {
+			} 
+			else 
+			{
 				define("ADMIN", FALSE);
 			}
-		} else {
+		} 
+		else 
+		{
 			define("USER", FALSE);
+			define('USERID', 0);
 			define("USERTHEME", FALSE);
 			define("ADMIN", FALSE);
 			define("CORRUPT_COOKIE", TRUE);
@@ -1375,6 +1396,8 @@ function init_session() {
 	define('e_NOBODY_REGEXP', "(^|,)".e_UC_NOBODY."(,|$)");
 }
 
+
+
 $sql->db_Mark_Time('Start: Go online');
 if(!isset($_E107['no_online']) && varset($pref['track_online']))
 {
diff --git a/e107_admin/auth.php b/e107_admin/auth.php
index 27420026a..92fa8ec08 100644
--- a/e107_admin/auth.php
+++ b/e107_admin/auth.php
@@ -11,9 +11,9 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_admin/auth.php,v $
-|     $Revision: 1.2 $
-|     $Date: 2007-08-25 05:48:53 $
-|     $Author: e107coders $
+|     $Revision: 1.3 $
+|     $Date: 2008-06-13 20:20:20 $
+|     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
 
@@ -49,21 +49,51 @@ else
 			}
 		}
 
-		$row = $authresult = $obj->authcheck($_POST['authname'], $_POST['authpass']);
-		if ($row[0] == "authfail") {
+	require_once(e_HANDLER.'user_handler.php');
+	$row = $authresult = $obj->authcheck($_POST['authname'], $_POST['authpass'], varset($_POST['hashchallenge'],''));
+	if ($row[0] == "authfail") 
+	{
+	  $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",LAN_ROLL_LOG_11,"U: ".$tp->toDB($_POST['authname']),FALSE,LOG_TO_ROLLING);
 			echo "<script type='text/javascript'>document.location.href='../index.php'</script>\n";
 			header("location: ../index.php");
 			exit;
-		} else {
+	} 
+	else 
+	{
+	  $cookieval = $row['user_id'].".".md5($row['user_password']);
 
-			$userpass = md5($_POST['authpass']);
-			$cookieval = $row['user_id'].".".md5($userpass);
+//	  $sql->db_Select("user", "*", "user_name='".$tp -> toDB($_POST['authname'])."'");
+//	  list($user_id, $user_name, $userpass) = $sql->db_Fetch();
 
-			$sql->db_Select("user", "*", "user_name='".$tp -> toDB($_POST['authname'])."'");
-			list($user_id, $user_name, $userpass) = $sql->db_Fetch();
-			if ($pref['user_tracking'] == "session") {
+	  // Calculate class membership - needed for a couple of things
+	  // Problem is that USERCLASS_LIST just contains 'guest' and 'everyone' at this point
+	  $class_list = explode(',',$row['user_class']);
+	  if ($row['user_admin'] && strlen($row['user_perms']))
+	  {
+		$class_list[] = e_UC_ADMIN;
+		if (strpos($row['user_perms'],'0') === 0)
+		{
+		  $class_list[] = e_UC_MAINADMIN;
+		}
+	  }
+	  $class_list[] = e_UC_MEMBER;
+	  $class_list[] = e_UC_PUBLIC;
+
+	  $user_logging_opts = array_flip(explode(',',varset($pref['user_audit_opts'],'')));
+	  if (isset($user_logging_opts[USER_AUDIT_LOGIN]) && in_array(varset($pref['user_audit_class'],''),$class_list))
+	  {  // Need to note in user audit trail
+		$admin_log->user_audit(USER_AUDIT_LOGIN,'', $user_id,$user_name);
+	  }
+
+	  $edata_li = array("user_id" => $row['user_id'], "user_name" => $row['user_name'], 'class_list' => implode(',',$class_list));
+	  $e_event->trigger("login", $edata_li);
+
+	  if ($pref['user_tracking'] == "session") 
+	  {
 				$_SESSION[$pref['cookie_name']] = $cookieval;
-			} else {
+	  } 
+	  else 
+	  {
 				cookie($pref['cookie_name'], $cookieval, (time()+3600 * 24 * 30));
 			}
 			echo "<script type='text/javascript'>document.location.href='admin.php'</script>\n";
@@ -73,7 +103,8 @@ else
 	$e_sub_cat = 'logout';
 	require_once(e_ADMIN."header.php");
 
-	if (ADMIN == FALSE) {
+	if (ADMIN == FALSE) 
+	{
 		$obj = new auth;
 		$obj->authform();
 		require_once(e_ADMIN."footer.php");
@@ -84,7 +115,6 @@ else
 //------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
 class auth
 {
-
 	function authform()
 	{
 		/*
@@ -95,24 +125,32 @@ class auth
 		# - scope		public
 		*/
 
-		global $use_imagecode, $sec_img,$imode;
+		global $use_imagecode, $sec_img,$imode, $pref;
 
         $text = "<div style='padding:20px;text-align:center'>
-			<form method='post' action='".e_SELF."'>\n
+			<form method='post' action='".e_SELF."'";
+		if (varsettrue($pref['password_CHAP'],0))
+		{
+		  $text .= " onsubmit='hashLoginPassword(this)'";
+		}
+		$text .= ">\n
 			<table style='width:50%' class='fborder'>
 			<tr>
             <td rowspan='4' style='vertical-align:middle;width:65px'>".(file_exists(THEME."images/password.png") ? "<img src='".THEME_ABS."images/password.png' alt='' />\n" : "<img src='".e_IMAGE."packs/".$imode."/generic/password.png' alt='' />\n" )."</td>
 			<td style='width:35%' class='forumheader3'>".ADLAN_89."</td>
-			<td class='forumheader3' style='text-align:center'><input class='tbox' type='text' name='authname' size='30' value='$authname' maxlength='20' />\n</td>
+			<td class='forumheader3' style='text-align:center'><input class='tbox' type='text' name='authname' id='username' size='30' value='' maxlength='".varset($pref['loginname_maxlength'],30)."' />\n</td>
 
 			</tr>
 			<tr>
 			<td style='width:35%' class='forumheader3'>".ADLAN_90."</td>
-			<td class='forumheader3' style='text-align:center'><input class='tbox' type='password' name='authpass' size='30' value='' maxlength='20' />\n</td>
+			<td class='forumheader3' style='text-align:center'><input class='tbox' type='password' name='authpass' id='userpass' size='30' value='' maxlength='30' />\n";
+		if (isset($_SESSION['challenge']) && varset($pref['password_CHAP'],0)) $text .= "<input type='hidden' name='hashchallenge' id='hashchallenge' value='{$_SESSION['challenge']}' />\n\n";
+		$text .= "</td>
 			</tr>
 			";
 
-		if ($use_imagecode) {
+		if ($use_imagecode) 
+		{
 			$text .= "
 			<tr>
 			<td style='width:35%' class='forumheader3'>".ADLAN_152."</td>
@@ -139,7 +177,7 @@ class auth
 		$au->tablerender(ADLAN_92, $text);
 	}
 
-	function authcheck($authname, $authpass)
+	function authcheck($authname, $authpass, $authresponse = '')
 	{
 		/*
 		# Admin auth check
@@ -148,28 +186,50 @@ class auth
 		# - return                                boolean if fail, else result array
 		# - scope                                        public
 		*/
-		global $tp;
+		global $tp, $pref;
 		$sql_auth = new db;
-		$authname = $tp -> toDB(preg_replace("/\sOR\s|\=|\#/", "", $authname));
-		if ($sql_auth->db_Select("user", "*", "user_loginname='$authname' AND user_admin='1' "))
+		$reason = '';
+		$user_info = new UserHandler;
+
+		$authname = $tp -> toDB(preg_replace("/\sOR\s|\=|\#/", "", trim($authname)));
+		$authpass = trim($authpass);
+		if (($authpass == '') || ($authname == '')) $reason = 'np';
+		if (strlen($authname) > varset($pref['loginname_maxlength'],30))  $reason = 'lu';
+
+		if (!$reason)
+		{
+		  if ($sql_auth->db_Select("user", "*", "user_loginname='{$authname}' AND user_admin='1' "))
 		{
 			$row = $sql_auth->db_Fetch();
 		}
+		  elseif ($sql_auth->db_Select("user", "*", "user_name='{$authname}' AND user_admin='1' "))
+		  {
+			$row = $sql_auth->db_Fetch();
+			$authname = $row['user_loginname'];
+		  }
 		else
 		{
-			if ($sql_auth->db_Select("user", "*", "user_name='$authname' AND user_admin='1' "))
+			$reason = 'iu';
+		  }
+		}
+		if (!$reason && ($row['user_id']))
+		{	// Can validate password
+		  if (($authresponse && isset($_SESSION['challenge'])) && ($authresponse != $_SESSION['challenge']))
+		  {  // Verify using CHAP (can't handle login by email address - only loginname - although with this code it does still work if the password is stored unsalted)
+			if (($pass_result = $user_info->CheckCHAP($_SESSION['challenge'], $authresponse, $authname, $row['user_password'])) !== PASSWORD_INVALID)
 			{
-				$row = $sql_auth->db_Fetch();
+			  return $$row;
 			}
 		}
-		if($row['user_id'])
-		{
-			if($row['user_password'] == md5($authpass))
+		  else
+		  {	// Plaintext password
+			if (($pass_result = $user_info->CheckPassword($authpass, $authname,$row['user_password'])) !== PASSWORD_INVALID)
 			{
 				return $row;
 			}
 		}
-		return array("authfail");
+		}
+		return array("authfail", "reason" => $reason);
 	}
 }
 
diff --git a/e107_admin/prefs.php b/e107_admin/prefs.php
index 91aab5b4f..128c259e0 100644
--- a/e107_admin/prefs.php
+++ b/e107_admin/prefs.php
@@ -11,8 +11,8 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_admin/prefs.php,v $
-|     $Revision: 1.13 $
-|     $Date: 2008-03-23 21:53:34 $
+|     $Revision: 1.14 $
+|     $Date: 2008-06-13 20:20:20 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -440,36 +440,41 @@ $text .= "</table></div>";
 // =========== Registration Preferences. ==================
 
 $text .= "<div id='registration' style='display:none; text-align:center'><table style='width:100%' class='fborder'>
+	<colgroup>
+	<col style='width:50%' />
+	<col style='width:50%' />
+	</colgroup>
 	<tr>
 	<td class='fcaption' title='".PRFLAN_80."' style='text-align:left;' colspan='2'>".PRFLAN_28."</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_29."<br /><span class='smalltext'>".PRFLAN_30."</span></td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
+	<td class='forumheader3'>".PRFLAN_29."<br /><span class='smalltext'>".PRFLAN_30."</span></td>
+	<td style='text-align:right' class='forumheader3'>
 	<input type='radio' name='user_reg' value='1'".($pref['user_reg'] ? " checked='checked'" : "")." /> ".PRFLAN_112."&nbsp;&nbsp;
 	<input type='radio' name='user_reg' value='0'".(!$pref['user_reg'] ? " checked='checked'" : "")." /> ".PRFLAN_113."
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_141."<br /></td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
+	<td class='forumheader3'>".PRFLAN_141."<br /></td>
+	<td style='text-align:right' class='forumheader3'>
 	<input type='radio' name='xup_enabled' value='1'".($pref['xup_enabled'] ? " checked='checked'" : "")." /> ".PRFLAN_112."&nbsp;&nbsp;
 	<input type='radio' name='xup_enabled' value='0'".(!$pref['xup_enabled'] ? " checked='checked'" : "")." /> ".PRFLAN_113."
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_154."</td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
+	<td class='forumheader3'>".PRFLAN_154."</td>
+	<td style='text-align:right' class='forumheader3'>
 
 	<select name='user_reg_veri' class='tbox'>";
 	$veri_list[0] = PRFLAN_152;
 	$veri_list[1] = PRFLAN_31;
 	$veri_list[2] = PRFLAN_153;
 
-	foreach($veri_list as $v => $v_title){
+	foreach($veri_list as $v => $v_title)
+	{
 		$sel = ($pref['user_reg_veri'] == $v) ? "selected='selected'" : "";
     	$text .= "<option value='$v' $sel>".$v_title."</option>\n";
 	}
@@ -478,48 +483,48 @@ $text .= "<div id='registration' style='display:none; text-align:center'><table
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_160."<br /></td>
-	<td class='forumheader3' style='width:50%;text-align:right' >
+	<td class='forumheader3'>".PRFLAN_160."<br /></td>
+	<td class='forumheader3' style='text-align:right' >
 	<input type='radio' name='signup_remote_emailcheck' value='1'".($pref['signup_remote_emailcheck'] ? " checked='checked'" : "")." /> ".PRFLAN_112."&nbsp;&nbsp;
 	<input type='radio' name='signup_remote_emailcheck' value='0'".(!$pref['signup_remote_emailcheck'] ? " checked='checked'" : "")." /> ".PRFLAN_113."
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_167."<br /></td>
-	<td class='forumheader3' style='width:50%;text-align:right' >
+	<td class='forumheader3'>".PRFLAN_167."<br /></td>
+	<td class='forumheader3' style='text-align:right' >
 	<input type='radio' name='disable_emailcheck' value='1'".($pref['disable_emailcheck'] ? " checked='checked'" : "")." /> ".PRFLAN_112."&nbsp;&nbsp;
 	<input type='radio' name='disable_emailcheck' value='0'".(!$pref['disable_emailcheck'] ? " checked='checked'" : "")." /> ".PRFLAN_113."
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_32."<br /><span class='smalltext'>".PRFLAN_33."</span></td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
+	<td class='forumheader3'>".PRFLAN_32."<br /><span class='smalltext'>".PRFLAN_33."</span></td>
+	<td style='text-align:right' class='forumheader3'>
 	<input type='radio' name='anon_post' value='1'".($pref['anon_post'] ? " checked='checked'" : "")." /> ".PRFLAN_112."&nbsp;&nbsp;
 	<input type='radio' name='anon_post' value='0'".(!$pref['anon_post'] ? " checked='checked'" : "")." /> ".PRFLAN_113."
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_45."<br /><span class='smalltext'>".PRFLAN_46." <a href='http://www.cdt.org/legislation/105th/privacy/coppa.html'>".PRFLAN_94."</a></span></td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
+	<td class='forumheader3'>".PRFLAN_45."<br /><span class='smalltext'>".PRFLAN_46." <a href='http://www.cdt.org/legislation/105th/privacy/coppa.html'>".PRFLAN_94."</a></span></td>
+	<td style='text-align:right' class='forumheader3'>
 	<input type='radio' name='use_coppa' value='1'".($pref['use_coppa'] ? " checked='checked'" : "")." /> ".PRFLAN_112."&nbsp;&nbsp;
 	<input type='radio' name='use_coppa' value='0'".(!$pref['use_coppa'] ? " checked='checked'" : "")." /> ".PRFLAN_113."
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_58."<br /><span class='smalltext'>".PRFLAN_59."</span></td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
+	<td class='forumheader3'>".PRFLAN_58."<br /><span class='smalltext'>".PRFLAN_59."</span></td>
+	<td style='text-align:right' class='forumheader3'>
 	<input type='radio' name='membersonly_enabled' value='1'".($pref['membersonly_enabled'] ? " checked='checked'" : "")." /> ".PRFLAN_112."&nbsp;&nbsp;
 	<input type='radio' name='membersonly_enabled' value='0'".(!$pref['membersonly_enabled'] ? " checked='checked'" : "")." /> ".PRFLAN_113."
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".CUSTSIG_16."<br /><span class='smalltext'>".PRFLAN_78."</span></td>
-	<td class='forumheader3' style='width:50%;text-align:right' >
+	<td class='forumheader3'>".CUSTSIG_16."<br /><span class='smalltext'>".PRFLAN_78."</span></td>
+	<td class='forumheader3' style='text-align:right' >
 	<input type='text' class='tbox' size='3' name='signup_pass_len' value='".$pref['signup_pass_len']."' />
 	</td>
 	</tr>
@@ -527,37 +532,44 @@ $text .= "<div id='registration' style='display:none; text-align:center'><table
 
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_136."</td>
-	<td class='forumheader3' style='width:50%;text-align:right' >
+	<td class='forumheader3'>".PRFLAN_136."</td>
+	<td class='forumheader3' style='text-align:right' >
 	<input type='text' class='tbox' size='3' name='signup_maxip' value='".$pref['signup_maxip']."' />
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".CUSTSIG_18."<br /><span class='smalltext'>".CUSTSIG_19."</span></td>
-	<td class='forumheader3' style='width:50%;text-align:right' >
+	<td class='forumheader3'>".CUSTSIG_18."<br /><span class='smalltext'>".CUSTSIG_19."</span></td>
+	<td class='forumheader3' style='text-align:right' >
 	<textarea class='tbox' name='signup_disallow_text' cols='1' rows='3' style='width: 80%;'>".$pref['signup_disallow_text']."</textarea>
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_155.":</td>
-	<td class='forumheader3' style='width:50%;text-align:right' >
+	<td class='forumheader3'>".PRFLAN_155.":</td>
+	<td class='forumheader3' style='text-align:right' >
 	".r_userclass('displayname_class',$pref['displayname_class'],'off','nobody,public,admin,classes')."
 	<input class='button' type='submit' name='submit_resetdisplaynames' value='".PRFLAN_156."' />
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_158.":</td>
-	<td class='forumheader3' style='width:50%;text-align:right' >
+	<td class='forumheader3'>".PRFLAN_192.":<br /><span class='smalltext'>".PRFLAN_193."</span></td>
+	<td class='forumheader3' style='text-align:right' >
+	<input type='text' class='tbox' size='30' name='predefinedLoginName' value='".varset($pref['predefinedLoginName'],'')."' /><br />".PRFLAN_194."
+	</td>
+	</tr>
+
+	<tr>
+	<td class='forumheader3'>".PRFLAN_158.":</td>
+	<td class='forumheader3' style='text-align:right' >
 	<input type='text' class='tbox' size='3' name='displayname_maxlength' value='".varset($pref['displayname_maxlength'],15)."' />
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_172.":</td>
-	<td class='forumheader3' style='width:50%;text-align:right' >
+	<td class='forumheader3'>".PRFLAN_172.":</td>
+	<td class='forumheader3' style='text-align:right' >
 	<input type='text' class='tbox' size='3' name='loginname_maxlength' value='".varset($pref['loginname_maxlength'],30)."' />
 	</td>
 	</tr>
@@ -735,33 +747,48 @@ $text .= "<div id='textpost' style='display:none; text-align:center'>
 $text .= pref_submit();
 $text .= "</table></div>";
 
+
+	function multi_radio($name, $textsVals, $currentval = '')
+	{
+	  $ret = '';
+	  $gap = '';
+	  foreach ($textsVals as $v => $t)
+	  {
+	    $sel = ($v == $currentval) ? " checked='checked'" : "";
+		$ret .= $gap."<input type='radio' name='{$name}' value='{$v}'{$sel} /> ".$t."\n";
+		$gap = "&nbsp;&nbsp;";
+	  }
+	  return $ret;
+	}
+
+
 // Security Options. .
 $hasGD = extension_loaded("gd");
 
 $text .= "<div id='security' style='display:none; text-align:center'>
 	<table style='width:100%' class='fborder'>
+	<colgroup>
+	<col style='width:50%' />
+	<col style='width:50%' />
+	</colgroup>
 	<tr>
 	<td class='fcaption' title='".PRFLAN_80."' style='text-align:left;' colspan='2'>".PRFLAN_47."</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_60."<br /><span class='smalltext'>".PRFLAN_61."</span> </td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
-	<input type='radio' name='ssl_enabled' value='1'".($pref['ssl_enabled'] ? " checked='checked'" : "")." /> ".PRFLAN_112."&nbsp;&nbsp;
-	<input type='radio' name='ssl_enabled' value='0'".(!$pref['ssl_enabled'] ? " checked='checked'" : "")." /> ".PRFLAN_113."
+	<td class='forumheader3'>".PRFLAN_60."<br /><span class='smalltext'>".PRFLAN_61."</span> </td>
+	<td style='text-align:right' class='forumheader3'>".
+		multi_radio('ssl_enabled',array('1' => PRFLAN_112, '0' => PRFLAN_113),$pref['ssl_enabled'])."
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_76.": </td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
+	<td class='forumheader3'>".PRFLAN_76.": </td>
+	<td style='text-align:right' class='forumheader3'>
 	";
 	if($hasGD)
 	{
-	$text .= "
-	<input type='radio' name='signcode' value='1'".($pref['signcode'] ? " checked='checked'" : "")." /> ".PRFLAN_112."&nbsp;&nbsp;
-	<input type='radio' name='signcode' value='0'".(!$pref['signcode'] ? " checked='checked'" : "")." /> ".PRFLAN_113."
-	";
+	  $text .= multi_radio('signcode', array('1' =>PRFLAN_112,'0' => PRFLAN_113), $pref['signcode']);
 	}
 	else
 	{
@@ -772,15 +799,12 @@ $text .= "<div id='security' style='display:none; text-align:center'>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_81.": </td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
+	<td class='forumheader3'>".PRFLAN_81.": </td>
+	<td style='text-align:right' class='forumheader3'>
 	";
 	if($hasGD)
 	{
-	$text .= "
-	<input type='radio' name='logcode' value='1'".($pref['logcode'] ? " checked='checked'" : "")." /> ".PRFLAN_112."&nbsp;&nbsp;
-	<input type='radio' name='logcode' value='0'".(!$pref['logcode'] ? " checked='checked'" : "")." /> ".PRFLAN_113."
-	";
+	  $text .= multi_radio('logcode', array('1' =>PRFLAN_112,'0' => PRFLAN_113), $pref['logcode']);
 	}
 	else
 	{
@@ -791,82 +815,108 @@ $text .= "<div id='security' style='display:none; text-align:center'>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_138.": </td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
+	<td class='forumheader3'>".PRFLAN_138.": </td>
+	<td style='text-align:right' class='forumheader3'>
 	";
 	if($hasGD)
 	{
-	$text .= "
-	<input type='radio' name='fpwcode' value='1'".($pref['fpwcode'] ? " checked='checked'" : "")." /> ".PRFLAN_112."&nbsp;&nbsp;
-	<input type='radio' name='fpwcode' value='0'".(!$pref['fpwcode'] ? " checked='checked'" : "")." /> ".PRFLAN_113."
-	";
+	  $text .= multi_radio('fpwcode', array('1' =>PRFLAN_112,'0' => PRFLAN_113), $pref['fpwcode']);
 	}
 	else
 	{
 		$text .= PRFLAN_133;
 	}
+	
 	$text .= "
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_92.": </td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
-	<input type='radio' name='user_reg_secureveri' value='1'".($pref['user_reg_secureveri'] ? " checked='checked'" : "")." /> ".PRFLAN_112."&nbsp;&nbsp;
-	<input type='radio' name='user_reg_secureveri' value='0'".(!$pref['user_reg_secureveri'] ? " checked='checked'" : "")." /> ".PRFLAN_113."
+	<td class='forumheader3'>".PRFLAN_92.": </td>
+	<td style='text-align:right' class='forumheader3'>".
+	  multi_radio('user_reg_secureveri',array('1' => PRFLAN_112, '0' => PRFLAN_113),$pref['user_reg_secureveri'])."
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_129.":<br /><span class='smalltext'>".PRFLAN_130."</span> </td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
-	<input type='radio' name='disallowMultiLogin' value='1'".($pref['disallowMultiLogin'] ? " checked='checked'" : "")." /> ".PRFLAN_112."&nbsp;&nbsp;
-	<input type='radio' name='disallowMultiLogin' value='0'".(!$pref['disallowMultiLogin'] ? " checked='checked'" : "")." /> ".PRFLAN_113."
+	<td class='forumheader3'>".PRFLAN_129.":<br /><span class='smalltext'>".PRFLAN_130."</span> </td>
+	<td style='text-align:right' class='forumheader3'>".
+	multi_radio('disallowMultiLogin',array('1' => PRFLAN_112, '0' => PRFLAN_113),$pref['disallowMultiLogin'])."
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_48.": </td>
-	<td style='width:50%; text-align:right' class='forumheader3'>". ($pref['user_tracking'] == "cookie" ? "<input type='radio' name='user_tracking' value='cookie' checked='checked' /> ".PRFLAN_49 : "<input type='radio' name='user_tracking' value='cookie' /> ".PRFLAN_49). ($pref['user_tracking'] == "session" ? "<input type='radio' name='user_tracking' value='session' checked='checked' /> ".PRFLAN_50 : "<input type='radio' name='user_tracking' value='session' /> ".PRFLAN_50)."
+	<td class='forumheader3'>".PRFLAN_184.": <br /><span class='smalltext'>".PRFLAN_185."</span></td>
+	<td style='text-align:right' class='forumheader3'>".
+		multi_radio('allowEmailLogin',array('1' => PRFLAN_186, '0' => PRFLAN_187),varset($pref['allowEmailLogin'],0))."
+	</td>
+	</tr>
+	
+	<tr>
+	<td class='forumheader3'>".PRFLAN_48.": </td>
+	<td style='text-align:right' class='forumheader3'>".
+	multi_radio('user_tracking', array('cookie' => PRFLAN_49, 'session' => PRFLAN_50), $pref['user_tracking'])."
 	<br />
 	".PRFLAN_55.": <input class='tbox' type='text' name='cookie_name' size='20' value='".$pref['cookie_name']."' maxlength='20' />
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_40."<br /><span class='smalltext'>".PRFLAN_41."</span></td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
-	<input type='radio' name='profanity_filter' value='1'".($pref['profanity_filter'] ? " checked='checked'" : "")." /> ".PRFLAN_112."&nbsp;&nbsp;
-	<input type='radio' name='profanity_filter' value='0'".(!$pref['profanity_filter'] ? " checked='checked'" : "")." /> ".PRFLAN_113."
+	<td class='forumheader3'>".PRFLAN_188.": <br /><span class='smalltext'>".PRFLAN_191."</span></td>
+	<td style='text-align:right' class='forumheader3'>".
+		multi_radio('passwordEncoding',array('0' => PRFLAN_189, '1' => PRFLAN_190),varset($pref['passwordEncoding'],0))."
+	</td>
+	</tr>
+	
+	<tr>
+	<td class='forumheader3'>".PRFLAN_178."<br /><span class='smalltext'>".PRFLAN_179."</span></td>
+	<td style='text-align:right' class='forumheader3'>
+	<select name='password_CHAP' class='tbox'>";
+    $CHAP_list[0] = PRFLAN_180;
+    $CHAP_list[1] = PRFLAN_181;
+    $CHAP_list[2] = PRFLAN_182;
+
+	foreach($CHAP_list as $ab=>$ab_title){
+		$sel = ($pref['password_CHAP'] == $ab) ? "selected='selected'" : "";
+    	$text .= "<option value='$ab' $sel>".$ab_title."</option>\n";
+	}
+
+	$text .="</select>\n
+	<br /><span class='smalltext'>".PRFLAN_183."</span></td>
+	</tr>
+
+	<tr>
+	<td class='forumheader3'>".PRFLAN_40."<br /><span class='smalltext'>".PRFLAN_41."</span></td>
+	<td style='text-align:right' class='forumheader3'>".
+	multi_radio('profanity_filter', array('1' => PRFLAN_112, '0' => PRFLAN_113), $pref['profanity_filter'])."
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_42.": </td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
+	<td class='forumheader3'>".PRFLAN_42.": </td>
+	<td style='text-align:right' class='forumheader3'>
 	<input class='tbox' type='text' name='profanity_replace' size='30' value='".$pref['profanity_replace']."' maxlength='20' />
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_43.": </td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
+	<td class='forumheader3'>".PRFLAN_43.": </td>
+	<td style='text-align:right' class='forumheader3'>
 	<textarea class='tbox' name='profanity_words' cols='59' rows='2' style='width:100%'>".$pref['profanity_words']."</textarea>
 	<br />".PRFLAN_44."
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_35.": </td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
-	<input type='radio' name='antiflood1' value='1'".($pref['antiflood1'] ? " checked='checked'" : "")." /> ".PRFLAN_112."&nbsp;&nbsp;
-	<input type='radio' name='antiflood1' value='0'".(!$pref['antiflood1'] ? " checked='checked'" : "")." /> ".PRFLAN_113."
+	<td class='forumheader3'>".PRFLAN_35.": </td>
+	<td style='text-align:right' class='forumheader3'>".
+	multi_radio('antiflood1',array('1' => PRFLAN_112, '0' => PRFLAN_113),$pref['antiflood1'])."
 	</td>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_36.": </td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
+	<td class='forumheader3'>".PRFLAN_36.": </td>
+	<td style='text-align:right' class='forumheader3'>
 	<input class='tbox' type='text' name='antiflood_timeout' size='3' value='".$pref['antiflood_timeout']."' maxlength='3' />
 	<br />
 	<b class=\"smalltext\" >".PRFLAN_38."</b>
@@ -875,8 +925,8 @@ $text .= "<div id='security' style='display:none; text-align:center'>
 
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_37."<br /><span class='smalltext'>".PRFLAN_91."</span></td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
+	<td class='forumheader3'>".PRFLAN_37."<br /><span class='smalltext'>".PRFLAN_91."</span></td>
+	<td style='text-align:right' class='forumheader3'>
 	<select name='autoban' class='tbox'>";
     $autoban_list[0] = PRFLAN_113;
     $autoban_list[1] = PRFLAN_144;
@@ -892,10 +942,9 @@ $text .= "<div id='security' style='display:none; text-align:center'>
 	</tr>
 
 	<tr>
-	<td style='width:50%' class='forumheader3'>".PRFLAN_139.":</td>
-	<td style='width:50%; text-align:right' class='forumheader3'>
-	<input type='radio' name='adminpwordchange' value='1'".($pref['adminpwordchange'] ? " checked='checked'" : "")." /> ".PRFLAN_112."&nbsp;&nbsp;
-	<input type='radio' name='adminpwordchange' value='0'".(!$pref['adminpwordchange'] ? " checked='checked'" : "")." /> ".PRFLAN_113."
+	<td class='forumheader3'>".PRFLAN_139.":</td>
+	<td style='text-align:right' class='forumheader3'>".
+	multi_radio('adminpwordchange',array('1' => PRFLAN_112, '0' => PRFLAN_113),$pref['adminpwordchange'])."
 	</td>
 	</tr>
 	";
diff --git a/e107_admin/sql/core_sql.php b/e107_admin/sql/core_sql.php
index 9acc4547b..8b44daa22 100644
--- a/e107_admin/sql/core_sql.php
+++ b/e107_admin/sql/core_sql.php
@@ -11,8 +11,8 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_admin/sql/core_sql.php,v $
-|     $Revision: 1.10 $
-|     $Date: 2008-05-24 12:45:27 $
+|     $Revision: 1.11 $
+|     $Date: 2008-06-13 20:20:20 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -495,7 +495,7 @@ CREATE TABLE user (
   user_name varchar(100) NOT NULL default '',
   user_loginname varchar(100) NOT NULL default '',
   user_customtitle varchar(100) NOT NULL default '',
-  user_password varchar(32) NOT NULL default '',
+  user_password varchar(50) NOT NULL default '',
   user_sess varchar(100) NOT NULL default '',
   user_email varchar(100) NOT NULL default '',
   user_signature text NOT NULL,
@@ -522,7 +522,7 @@ CREATE TABLE user (
   user_xup varchar(100) NOT NULL default '',
   PRIMARY KEY  (user_id),
   UNIQUE KEY user_name (user_name),
-  KEY user_ban_index (user_ban)
+  KEY join_ban_index (user_join,user_ban)
 ) TYPE=MyISAM;
 # --------------------------------------------------------
 
diff --git a/e107_admin/users.php b/e107_admin/users.php
index 2b3b28ab0..0b1402c83 100644
--- a/e107_admin/users.php
+++ b/e107_admin/users.php
@@ -11,8 +11,8 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_admin/users.php,v $
-|     $Revision: 1.15 $
-|     $Date: 2008-06-06 19:14:20 $
+|     $Revision: 1.16 $
+|     $Date: 2008-06-13 20:20:20 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -52,6 +52,9 @@ require_once("auth.php");
 
 require_once(e_HANDLER."form_handler.php");
 require_once(e_HANDLER."userclass_class.php");
+require_once(e_HANDLER.'user_handler.php');
+$user_info = new UserHandler;
+$user_data = array();
 
 $rs = new form;
 
@@ -215,12 +218,19 @@ if (isset($_POST['adduser']))
 	}
 
 
+	if (isset($_POST['generateloginname']))
+	{
+	  $loginname = $user_info->generateUserLogin($pref['predefinedLoginName']);
+	}
+	else
+	{
 	$loginname = trim(preg_replace('/&nbsp;|\#|\=|\$/', "", strip_tags($_POST['loginname'])));
 	if ($loginname != $_POST['loginname'])
 	{
 	  message_handler('P_ALERT',USRLAN_152);
 	  $error = TRUE;
 	}
+	}
 	if ((strlen($loginname) > varset($pref['loginname_maxlength'],30)) || (strlen($loginname) < 3))
 	{
 	  message_handler('P_ALERT',USRLAN_154);
@@ -233,11 +243,18 @@ if (isset($_POST['adduser']))
 	}
 
 
+	if (isset($_POST['generatepassword']))
+	{
+	  $_POST['password1'] = $user_info->generateRandomString('**********');		// 10-char password should be enough
+	}
+	else
+	{
 	if ($_POST['password1'] != $_POST['password2']) 
 	{
 	  message_handler("P_ALERT", USRLAN_67);
 	  $error = TRUE;
 	}
+	}
 
 	if ($_POST['name'] == "" || $_POST['password1'] == "" || $_POST['password2'] = "") 
 	{
@@ -260,20 +277,21 @@ if (isset($_POST['adduser']))
 	  $error = TRUE;
 	}
 
-	if (!$error) 
-	{
+	// Always save some of the entered data - then we can redisplay on error
 	  $user_data['user_name'] = $displayname;
 	  $user_data['user_loginname'] = $loginname;
 	  $user_data['user_class'] = implode(",", $_POST['userclass']);
-	  $user_data['user_password'] = md5($_POST['password1']);
 	  $user_data['user_email'] = $tp->toDB($_POST['email']);
 	  $user_data['user_hideemail'] = 1;
-	  $user_data['user_join'] = time();
-	  $user_data['user_lastvisit'] = time();
-	  $user_data['user_currentvisit'] = time();
-	  $user_data['user_pwchange'] = time();
 	  $user_data['user_login'] = $tp->toDB($_POST['realname']);
 
+	if (!$error) 
+	{
+	  $user_data['user_password'] = $user_info->HashPassword($_POST['password1'],$loginname);
+	  $user_data['user_join'] = time();
+	  $user_data['user_lastvisit'] = 0;
+	  $user_data['user_currentvisit'] = 0;
+	  $user_data['user_pwchange'] = 0;
 	  if (admin_update($sql -> db_Insert("user", $user_data), 'insert', USRLAN_70))
 	  {
 		// Add to admin log
@@ -293,6 +311,8 @@ if (isset($_POST['adduser']))
 			$message = USRLAN_159;
 		  }
 		}
+		if (isset($_POST['generateloginname'])) $message .= '<br /><br />'.USRLAN_173.': '.$loginname;
+		if (isset($_POST['generatepassword'])) $message .= '<br /><br />'.USRLAN_172.': '.$_POST['password1'];
 	  }
 	}
 	if (isset($message)) $user->show_message($message);
@@ -592,7 +612,7 @@ switch ($action)
 	break;
 
   case "create" :
-	$user->add_user();
+	$user->add_user($user_data);
 	break;
 
   default :
@@ -1106,37 +1126,40 @@ class users
 
 
 
-	function add_user() 
+	// Add a new user - may be passed existing data if there was an entry error on first pass
+	function add_user($user_data) 
 	{
 		global $rs, $ns, $pref, $e_userclass;
 		if (!is_object($e_userclass)) $e_userclass = new user_class;
-		$text = "<div style='text-align:center'>". $rs->form_open("post", e_SELF, "adduserform")."
+		$text = "<div style='text-align:center'>". $rs->form_open("post", e_SELF.(e_QUERY ? '?'.e_QUERY : ''), "adduserform")."
 			<table style='".ADMIN_WIDTH."' class='fborder'>
 			<tr>
 			<td style='width:30%' class='forumheader3'>".USRLAN_61."</td>
 			<td style='width:70%' class='forumheader3'>
-			".$rs->form_text("name", 40, "", 30)."
+			".$rs->form_text("name", 40, varset($user_data['user_name'],""), 30)."
 			</td>
 			</tr>
 
 			<tr>
 			<td style='width:30%' class='forumheader3'>".USRLAN_128."</td>
 			<td style='width:70%' class='forumheader3'>
-			".$rs->form_text("loginname", 40, "", 30)."
+			".$rs->form_text("loginname", 40, varset($user_data['user_loginname'],""), 30)."&nbsp;&nbsp;
+			".$rs->form_checkbox('generateloginname',1,varset($pref['predefinedLoginName'],FALSE)).USRLAN_170."
 			</td>
 			</tr>
 
 			<tr>
 			<td style='width:30%' class='forumheader3'>".USRLAN_129."</td>
 			<td style='width:70%' class='forumheader3'>
-			".$rs->form_text("realname", 40, "", 30)."
+			".$rs->form_text("realname", 40, varset($user_data['user_login'],""), 30)."
 			</td>
 			</tr>
 
 			<tr>
 			<td style='width:30%' class='forumheader3'>".USRLAN_62."</td>
 			<td style='width:70%' class='forumheader3'>
-			".$rs->form_password("password1", 40, "", 20)."
+			".$rs->form_password("password1", 40, "", 20)."&nbsp;&nbsp;
+			".$rs->form_checkbox('generatepassword',1,FALSE).USRLAN_171."
 			</td>
 			</tr>
 			<tr>
@@ -1148,12 +1171,13 @@ class users
 			<tr>
 			<td style='width:30%' class='forumheader3'>".USRLAN_64."</td>
 			<td style='width:70%' class='forumheader3'>
-			".$rs->form_text("email", 60, "", 100)."
+			".$rs->form_text("email", 60, varset($user_data['user_email'],""), 100)."
 			</td>
 			</tr>\n";
 
 
-		$temp = $e_userclass->vetted_tree('userclass[]',array($e_userclass,'checkbox_desc'), varset($pref['initial_user_classes'],''), 'classes');
+		if (!isset($user_data['user_class'])) $user_data['user_class'] = varset($pref['initial_user_classes'],'');
+		$temp = $e_userclass->vetted_tree('userclass',array($e_userclass,'checkbox_desc'), $user_data['user_class'], 'classes');
 
 
 		if ($temp) 
diff --git a/e107_files/chap_script.js b/e107_files/chap_script.js
new file mode 100644
index 000000000..894fbcd60
--- /dev/null
+++ b/e107_files/chap_script.js
@@ -0,0 +1,408 @@
+<!--
+/*
+  JS for logon.
+*/
+
+var challenge;
+
+function getChallenge()
+{
+  temp = document.getElementById('hashchallenge');
+  if (temp)
+  {
+	challenge = temp.value;
+	temp.value = '';
+  }
+}
+
+// Called on form submit entered into password field
+// Passed current form
+function hashLoginPassword(doForm)
+{
+  if (typeof(hex_md5) == "undefined") return;
+  if (typeof(challenge) == "undefined") return;
+
+  doForm.hashchallenge.value = hex_md5(hex_md5(hex_md5(doForm.userpass.value) + doForm.username.value) + challenge);
+  doForm.userpass.value = "";		// Don't send plaintext password back 
+  return true;
+}
+
+
+/*
+ * A JavaScript implementation of the RSA Data Security, Inc. MD5 Message
+ * Digest Algorithm, as defined in RFC 1321.
+ * Version 2.2-alpha Copyright (C) Paul Johnston 1999 - 2005
+ * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
+ * Distributed under the BSD License
+ * See http://pajhome.org.uk/crypt/md5 for more info.
+ */
+
+/*
+ * Configurable variables. You may need to tweak these to be compatible with
+ * the server-side, but the defaults work in most cases.
+ */
+var hexcase = 0;   /* hex output format. 0 - lowercase; 1 - uppercase        */
+var b64pad  = ""; /* base-64 pad character. "=" for strict RFC compliance   */
+
+/*
+ * These are the functions you'll usually want to call
+ * They take string arguments and return either hex or base-64 encoded strings
+ */
+function hex_md5(s)    { return rstr2hex(rstr_md5(str2rstr_utf8(s))); }
+function b64_md5(s)    { return rstr2b64(rstr_md5(str2rstr_utf8(s))); }
+function any_md5(s, e) { return rstr2any(rstr_md5(str2rstr_utf8(s)), e); }
+function hex_hmac_md5(k, d)
+  { return rstr2hex(rstr_hmac_md5(str2rstr_utf8(k), str2rstr_utf8(d))); }
+function b64_hmac_md5(k, d)
+  { return rstr2b64(rstr_hmac_md5(str2rstr_utf8(k), str2rstr_utf8(d))); }
+function any_hmac_md5(k, d, e)
+  { return rstr2any(rstr_hmac_md5(str2rstr_utf8(k), str2rstr_utf8(d)), e); }
+
+/*
+ * Perform a simple self-test to see if the VM is working
+ */
+function md5_vm_test()
+{
+  return hex_md5("abc") == "900150983cd24fb0d6963f7d28e17f72";
+}
+
+/*
+ * Calculate the MD5 of a raw string
+ */
+function rstr_md5(s)
+{
+  return binl2rstr(binl_md5(rstr2binl(s), s.length * 8));
+}
+
+/*
+ * Calculate the HMAC-MD5, of a key and some data (raw strings)
+ */
+function rstr_hmac_md5(key, data)
+{
+  var bkey = rstr2binl(key);
+  if(bkey.length > 16) bkey = binl_md5(bkey, key.length * 8);
+
+  var ipad = Array(16), opad = Array(16);
+  for(var i = 0; i < 16; i++)
+  {
+    ipad[i] = bkey[i] ^ 0x36363636;
+    opad[i] = bkey[i] ^ 0x5C5C5C5C;
+  }
+
+  var hash = binl_md5(ipad.concat(rstr2binl(data)), 512 + data.length * 8);
+  return binl2rstr(binl_md5(opad.concat(hash), 512 + 128));
+}
+
+/*
+ * Convert a raw string to a hex string
+ */
+function rstr2hex(input)
+{
+  var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
+  var output = "";
+  var x;
+  for(var i = 0; i < input.length; i++)
+  {
+    x = input.charCodeAt(i);
+    output += hex_tab.charAt((x >>> 4) & 0x0F)
+           +  hex_tab.charAt( x        & 0x0F);
+  }
+  return output;
+}
+
+/*
+ * Convert a raw string to a base-64 string
+ */
+function rstr2b64(input)
+{
+  var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+  var output = "";
+  var len = input.length;
+  for(var i = 0; i < len; i += 3)
+  {
+    var triplet = (input.charCodeAt(i) << 16)
+                | (i + 1 < len ? input.charCodeAt(i+1) << 8 : 0)
+                | (i + 2 < len ? input.charCodeAt(i+2)      : 0);
+    for(var j = 0; j < 4; j++)
+    {
+      if(i * 8 + j * 6 > input.length * 8) output += b64pad;
+      else output += tab.charAt((triplet >>> 6*(3-j)) & 0x3F);
+    }
+  }
+  return output;
+}
+
+/*
+ * Convert a raw string to an arbitrary string encoding
+ */
+function rstr2any(input, encoding)
+{
+  var divisor = encoding.length;
+  var i, j, q, x, quotient;
+
+  /* Convert to an array of 16-bit big-endian values, forming the dividend */
+  var dividend = Array(Math.ceil(input.length / 2));
+  for(i = 0; i < dividend.length; i++)
+  {
+    dividend[i] = (input.charCodeAt(i * 2) << 8) | input.charCodeAt(i * 2 + 1);
+  }
+
+  /*
+   * Repeatedly perform a long division. The binary array forms the dividend,
+   * the length of the encoding is the divisor. Once computed, the quotient
+   * forms the dividend for the next step. All remainders are stored for later
+   * use.
+   */
+  var full_length = Math.ceil(input.length * 8 /
+                                    (Math.log(encoding.length) / Math.log(2)));
+  var remainders = Array(full_length);
+  for(j = 0; j < full_length; j++)
+  {
+    quotient = Array();
+    x = 0;
+    for(i = 0; i < dividend.length; i++)
+    {
+      x = (x << 16) + dividend[i];
+      q = Math.floor(x / divisor);
+      x -= q * divisor;
+      if(quotient.length > 0 || q > 0)
+        quotient[quotient.length] = q;
+    }
+    remainders[j] = x;
+    dividend = quotient;
+  }
+
+  /* Convert the remainders to the output string */
+  var output = "";
+  for(i = remainders.length - 1; i >= 0; i--)
+    output += encoding.charAt(remainders[i]);
+
+  return output;
+}
+
+/*
+ * Encode a string as utf-8.
+ * For efficiency, this assumes the input is valid utf-16.
+ */
+function str2rstr_utf8(input)
+{
+  var output = "";
+  var i = -1;
+  var x, y;
+
+  while(++i < input.length)
+  {
+    /* Decode utf-16 surrogate pairs */
+    x = input.charCodeAt(i);
+    y = i + 1 < input.length ? input.charCodeAt(i + 1) : 0;
+    if(0xD800 <= x && x <= 0xDBFF && 0xDC00 <= y && y <= 0xDFFF)
+    {
+      x = 0x10000 + ((x & 0x03FF) << 10) + (y & 0x03FF);
+      i++;
+    }
+
+    /* Encode output as utf-8 */
+    if(x <= 0x7F)
+      output += String.fromCharCode(x);
+    else if(x <= 0x7FF)
+      output += String.fromCharCode(0xC0 | ((x >>> 6 ) & 0x1F),
+                                    0x80 | ( x         & 0x3F));
+    else if(x <= 0xFFFF)
+      output += String.fromCharCode(0xE0 | ((x >>> 12) & 0x0F),
+                                    0x80 | ((x >>> 6 ) & 0x3F),
+                                    0x80 | ( x         & 0x3F));
+    else if(x <= 0x1FFFFF)
+      output += String.fromCharCode(0xF0 | ((x >>> 18) & 0x07),
+                                    0x80 | ((x >>> 12) & 0x3F),
+                                    0x80 | ((x >>> 6 ) & 0x3F),
+                                    0x80 | ( x         & 0x3F));
+  }
+  return output;
+}
+
+/*
+ * Encode a string as utf-16
+ */
+function str2rstr_utf16le(input)
+{
+  var output = "";
+  for(var i = 0; i < input.length; i++)
+    output += String.fromCharCode( input.charCodeAt(i)        & 0xFF,
+                                  (input.charCodeAt(i) >>> 8) & 0xFF);
+  return output;
+}
+
+function str2rstr_utf16be(input)
+{
+  var output = "";
+  for(var i = 0; i < input.length; i++)
+    output += String.fromCharCode((input.charCodeAt(i) >>> 8) & 0xFF,
+                                   input.charCodeAt(i)        & 0xFF);
+  return output;
+}
+
+/*
+ * Convert a raw string to an array of little-endian words
+ * Characters >255 have their high-byte silently ignored.
+ */
+function rstr2binl(input)
+{
+  var output = Array(input.length >> 2);
+  for(var i = 0; i < output.length; i++)
+    output[i] = 0;
+  for(var i = 0; i < input.length * 8; i += 8)
+    output[i>>5] |= (input.charCodeAt(i / 8) & 0xFF) << (i%32);
+  return output;
+}
+
+/*
+ * Convert an array of little-endian words to a string
+ */
+function binl2rstr(input)
+{
+  var output = "";
+  for(var i = 0; i < input.length * 32; i += 8)
+    output += String.fromCharCode((input[i>>5] >>> (i % 32)) & 0xFF);
+  return output;
+}
+
+/*
+ * Calculate the MD5 of an array of little-endian words, and a bit length.
+ */
+function binl_md5(x, len)
+{
+  /* append padding */
+  x[len >> 5] |= 0x80 << ((len) % 32);
+  x[(((len + 64) >>> 9) << 4) + 14] = len;
+
+  var a =  1732584193;
+  var b = -271733879;
+  var c = -1732584194;
+  var d =  271733878;
+
+  for(var i = 0; i < x.length; i += 16)
+  {
+    var olda = a;
+    var oldb = b;
+    var oldc = c;
+    var oldd = d;
+
+    a = md5_ff(a, b, c, d, x[i+ 0], 7 , -680876936);
+    d = md5_ff(d, a, b, c, x[i+ 1], 12, -389564586);
+    c = md5_ff(c, d, a, b, x[i+ 2], 17,  606105819);
+    b = md5_ff(b, c, d, a, x[i+ 3], 22, -1044525330);
+    a = md5_ff(a, b, c, d, x[i+ 4], 7 , -176418897);
+    d = md5_ff(d, a, b, c, x[i+ 5], 12,  1200080426);
+    c = md5_ff(c, d, a, b, x[i+ 6], 17, -1473231341);
+    b = md5_ff(b, c, d, a, x[i+ 7], 22, -45705983);
+    a = md5_ff(a, b, c, d, x[i+ 8], 7 ,  1770035416);
+    d = md5_ff(d, a, b, c, x[i+ 9], 12, -1958414417);
+    c = md5_ff(c, d, a, b, x[i+10], 17, -42063);
+    b = md5_ff(b, c, d, a, x[i+11], 22, -1990404162);
+    a = md5_ff(a, b, c, d, x[i+12], 7 ,  1804603682);
+    d = md5_ff(d, a, b, c, x[i+13], 12, -40341101);
+    c = md5_ff(c, d, a, b, x[i+14], 17, -1502002290);
+    b = md5_ff(b, c, d, a, x[i+15], 22,  1236535329);
+
+    a = md5_gg(a, b, c, d, x[i+ 1], 5 , -165796510);
+    d = md5_gg(d, a, b, c, x[i+ 6], 9 , -1069501632);
+    c = md5_gg(c, d, a, b, x[i+11], 14,  643717713);
+    b = md5_gg(b, c, d, a, x[i+ 0], 20, -373897302);
+    a = md5_gg(a, b, c, d, x[i+ 5], 5 , -701558691);
+    d = md5_gg(d, a, b, c, x[i+10], 9 ,  38016083);
+    c = md5_gg(c, d, a, b, x[i+15], 14, -660478335);
+    b = md5_gg(b, c, d, a, x[i+ 4], 20, -405537848);
+    a = md5_gg(a, b, c, d, x[i+ 9], 5 ,  568446438);
+    d = md5_gg(d, a, b, c, x[i+14], 9 , -1019803690);
+    c = md5_gg(c, d, a, b, x[i+ 3], 14, -187363961);
+    b = md5_gg(b, c, d, a, x[i+ 8], 20,  1163531501);
+    a = md5_gg(a, b, c, d, x[i+13], 5 , -1444681467);
+    d = md5_gg(d, a, b, c, x[i+ 2], 9 , -51403784);
+    c = md5_gg(c, d, a, b, x[i+ 7], 14,  1735328473);
+    b = md5_gg(b, c, d, a, x[i+12], 20, -1926607734);
+
+    a = md5_hh(a, b, c, d, x[i+ 5], 4 , -378558);
+    d = md5_hh(d, a, b, c, x[i+ 8], 11, -2022574463);
+    c = md5_hh(c, d, a, b, x[i+11], 16,  1839030562);
+    b = md5_hh(b, c, d, a, x[i+14], 23, -35309556);
+    a = md5_hh(a, b, c, d, x[i+ 1], 4 , -1530992060);
+    d = md5_hh(d, a, b, c, x[i+ 4], 11,  1272893353);
+    c = md5_hh(c, d, a, b, x[i+ 7], 16, -155497632);
+    b = md5_hh(b, c, d, a, x[i+10], 23, -1094730640);
+    a = md5_hh(a, b, c, d, x[i+13], 4 ,  681279174);
+    d = md5_hh(d, a, b, c, x[i+ 0], 11, -358537222);
+    c = md5_hh(c, d, a, b, x[i+ 3], 16, -722521979);
+    b = md5_hh(b, c, d, a, x[i+ 6], 23,  76029189);
+    a = md5_hh(a, b, c, d, x[i+ 9], 4 , -640364487);
+    d = md5_hh(d, a, b, c, x[i+12], 11, -421815835);
+    c = md5_hh(c, d, a, b, x[i+15], 16,  530742520);
+    b = md5_hh(b, c, d, a, x[i+ 2], 23, -995338651);
+
+    a = md5_ii(a, b, c, d, x[i+ 0], 6 , -198630844);
+    d = md5_ii(d, a, b, c, x[i+ 7], 10,  1126891415);
+    c = md5_ii(c, d, a, b, x[i+14], 15, -1416354905);
+    b = md5_ii(b, c, d, a, x[i+ 5], 21, -57434055);
+    a = md5_ii(a, b, c, d, x[i+12], 6 ,  1700485571);
+    d = md5_ii(d, a, b, c, x[i+ 3], 10, -1894986606);
+    c = md5_ii(c, d, a, b, x[i+10], 15, -1051523);
+    b = md5_ii(b, c, d, a, x[i+ 1], 21, -2054922799);
+    a = md5_ii(a, b, c, d, x[i+ 8], 6 ,  1873313359);
+    d = md5_ii(d, a, b, c, x[i+15], 10, -30611744);
+    c = md5_ii(c, d, a, b, x[i+ 6], 15, -1560198380);
+    b = md5_ii(b, c, d, a, x[i+13], 21,  1309151649);
+    a = md5_ii(a, b, c, d, x[i+ 4], 6 , -145523070);
+    d = md5_ii(d, a, b, c, x[i+11], 10, -1120210379);
+    c = md5_ii(c, d, a, b, x[i+ 2], 15,  718787259);
+    b = md5_ii(b, c, d, a, x[i+ 9], 21, -343485551);
+
+    a = safe_add(a, olda);
+    b = safe_add(b, oldb);
+    c = safe_add(c, oldc);
+    d = safe_add(d, oldd);
+  }
+  return Array(a, b, c, d);
+}
+
+/*
+ * These functions implement the four basic operations the algorithm uses.
+ */
+function md5_cmn(q, a, b, x, s, t)
+{
+  return safe_add(bit_rol(safe_add(safe_add(a, q), safe_add(x, t)), s),b);
+}
+function md5_ff(a, b, c, d, x, s, t)
+{
+  return md5_cmn((b & c) | ((~b) & d), a, b, x, s, t);
+}
+function md5_gg(a, b, c, d, x, s, t)
+{
+  return md5_cmn((b & d) | (c & (~d)), a, b, x, s, t);
+}
+function md5_hh(a, b, c, d, x, s, t)
+{
+  return md5_cmn(b ^ c ^ d, a, b, x, s, t);
+}
+function md5_ii(a, b, c, d, x, s, t)
+{
+  return md5_cmn(c ^ (b | (~d)), a, b, x, s, t);
+}
+
+/*
+ * Add integers, wrapping at 2^32. This uses 16-bit operations internally
+ * to work around bugs in some JS interpreters.
+ */
+function safe_add(x, y)
+{
+  var lsw = (x & 0xFFFF) + (y & 0xFFFF);
+  var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
+  return (msw << 16) | (lsw & 0xFFFF);
+}
+
+/*
+ * Bitwise rotate a 32-bit number to the left.
+ */
+function bit_rol(num, cnt)
+{
+  return (num << cnt) | (num >>> (32 - cnt));
+}
+//-->
\ No newline at end of file
diff --git a/e107_files/def_e107_prefs.php b/e107_files/def_e107_prefs.php
index 363bbc117..9e1e32d49 100644
--- a/e107_files/def_e107_prefs.php
+++ b/e107_files/def_e107_prefs.php
@@ -11,8 +11,8 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_files/def_e107_prefs.php,v $
-|     $Revision: 1.10 $
-|     $Date: 2008-03-17 20:48:48 $
+|     $Revision: 1.11 $
+|     $Date: 2008-06-13 20:20:20 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -41,10 +41,12 @@ City, State, Country
   'adminstyle' => 'classis',
   'sitedisclaimer' => LAN_PREF_3,
   'newsposts' => '10',
+
   'flood_protect' => '1',
   'flood_timeout' => '5',
   'flood_time' => '30',
   'flood_hits' => '100',
+
   'anon_post' => '0',
   'user_reg' => '1',
   'use_coppa' => '1',
@@ -68,8 +70,6 @@ City, State, Country
   'meta_tag' => '',
   'user_reg_veri' => '1',
   'email_notify' => '0',
-  'user_tracking' => 'cookie',
-  'cookie_name' => 'e107cookie',
   'resize_method' => 'gd2',
   'im_path' => '/usr/X11R6/bin/',
   'im_width' => '120',
@@ -156,10 +156,18 @@ City, State, Country
   'comments_disabled' => '0',
   'memberlist_access' => '253',
   'check_updates' => '0',
+
   'enable_rdns' => '0',
   'enable_rdns_on_ban' => '0',
   'ban_max_online_access' => '100,200',
-  'ban_retrigger' => '0'
+  'ban_retrigger' => '0',
+
+  'user_tracking' => 'cookie',
+  'cookie_name' => 'e107cookie',
+  'passwordEncoding' => 0,			// Legacy encoding
+  'allowEmailLogin' => 0,			// Disabled by default
+  'password_CHAP' => '0',			// Disabled by default
+  'predefinedLoginName' => ''		// Allow user to define own login name by default
 
 );
 
diff --git a/e107_files/shortcode/batch/signup_shortcodes.php b/e107_files/shortcode/batch/signup_shortcodes.php
index 3e0a8d401..ebf8cc786 100755
--- a/e107_files/shortcode/batch/signup_shortcodes.php
+++ b/e107_files/shortcode/batch/signup_shortcodes.php
@@ -11,8 +11,8 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_files/shortcode/batch/signup_shortcodes.php,v $
-|     $Revision: 1.10 $
-|     $Date: 2008-01-15 21:57:31 $
+|     $Revision: 1.11 $
+|     $Date: 2008-06-13 20:20:21 $
 |     $Author: e107steved $
 |
 | Mods to show extended field categories
@@ -90,7 +90,11 @@ SC_END
 
 
 SC_BEGIN SIGNUP_LOGINNAME
-global $rs;
+global $rs, $pref;
+if (varsettrue($pref['predefinedLoginName']))
+{
+  return LAN_SIGNUP_67;
+}
 $log_name_length = varset($pref['loginname_maxlength'],30);
 return $rs->form_text("loginname", $log_name_length+5,  ($_POST['loginname'] ? $_POST['loginname'] : $loginname), $log_name_length);
 SC_END
diff --git a/e107_files/utilities/passcalc.php b/e107_files/utilities/passcalc.php
new file mode 100644
index 000000000..f3484dfd9
--- /dev/null
+++ b/e107_files/utilities/passcalc.php
@@ -0,0 +1,126 @@
+<?php
+
+require('..\..\class2.php');
+require_once(e_HANDLER.'user_handler.php');
+$user_info = new userHandler;
+
+define('LAN_PCALC_01','E107 Password Calculation Utility');
+define('LAN_PCALC_02','Login Name');
+define('LAN_PCALC_03','Desired password');
+define('LAN_PCALC_04','Calculate');
+define('LAN_PCALC_05','Invalid login name');
+define('LAN_PCALC_06','Errors Found!!!');
+define('LAN_PCALC_07','Calculated hash:');
+define('LAN_PCALC_08','Password invalid');
+define('LAN_PCALC_09','Confirm password');
+define('LAN_PCALC_10','Passwords don\'t match!');
+define('LAN_PCALC_11', 'Password Calculation');
+
+
+$loginName = varset($_POST['calc_loginname'],'');
+
+require(HEADERF);
+$text = 
+	"<div style='text-align:center'>
+	<form method='post' action='".e_SELF."'>
+	<table style='width:95%' class='fborder'>
+	<colgroup>
+	<col style='width:60%' />
+	<col style='width:40%' />
+	</colgroup>
+
+	<tr>
+	  <td colspan='2' class='forumheader3' style='text-align:center'>".LAN_PCALC_01."
+	  </td>
+	</tr>
+
+	<tr>
+	  <td class='forumheader3'>".LAN_PCALC_02."</td>
+	  <td class='forumheader3'>
+	    <input class='tbox' type='text' size='60' maxlength='100' name='calc_loginname' value='{$loginName}' />
+	  </td>
+	</tr>
+
+	<tr>
+	  <td class='forumheader3'>".LAN_PCALC_03."</td>
+	  <td class='forumheader3'>
+	    <input class='tbox' type='password' size='60' maxlength='100' name='calc_password' value='' />
+	  </td>
+	</tr>
+
+	<tr>
+	  <td class='forumheader3'>".LAN_PCALC_09."</td>
+	  <td class='forumheader3'>
+	    <input class='tbox' type='password' size='60' maxlength='100' name='calc_password1' value='' />
+	  </td>
+	</tr>";
+
+
+$errorString = '';
+if (isset($_POST['show_password']))
+{
+  if ($_POST['calc_password'] != $_POST['calc_password1'])
+  {
+    $errorString = LAN_PCALC_10;
+  }
+
+  if (!$errorString)
+  {
+	$loginResult = $user_info->validateField('user_loginname',$loginName,FALSE);
+	$passwordResult = $user_info->validateField('user_password',trim($_POST['calc_password']),FALSE);
+
+	if ($passwordResult !== TRUE)
+	{
+	  $errorString = LAN_PCALC_08;
+	}
+	elseif ($loginResult === TRUE)
+	{
+	  $passwordHash = $user_info->HashPassword($_POST['calc_password'],$loginName);
+	}
+	else
+	{
+	  $errorString = LAN_PCALC_05;
+	}
+  }
+  
+  if (!$errorString)
+  {
+	$text .= "
+	  <tr>
+	    <td class='forumheader3'>".LAN_PCALC_07."</td>
+	    <td class='forumheader3'>".$passwordHash."</td>
+	</tr>";
+  }
+  
+
+  if ($errorString)
+  {
+	$text .= "
+	  <tr>
+	    <td class='forumheader3'>".LAN_PCALC_06."</td>
+	    <td class='forumheader3'>".$errorString."</td>
+	</tr>";
+  }
+}
+
+
+  $text .= "
+	<tr>
+	  <td class='forumheader3' colspan='3' style='text-align:center'>
+		<input class='button' type='submit' name='show_password' value='".LAN_PCALC_04."' />
+	  </td>
+	</tr>";
+
+
+
+
+$text .= "
+	</table>\n
+	</form>
+	</div><br />";
+	$ns->tablerender(LAN_PCALC_11, $text);
+
+require(FOOTERF);
+
+
+?>
diff --git a/e107_files/utilities/passconv.php b/e107_files/utilities/passconv.php
new file mode 100644
index 000000000..f9a537b90
--- /dev/null
+++ b/e107_files/utilities/passconv.php
@@ -0,0 +1,296 @@
+<?php
+
+require('..\..\class2.php');
+require_once(e_HANDLER.'user_handler.php');
+if (!check_class(e_UC_MAINADMIN))
+{
+  exit;
+}
+
+$user_info = new userHandler;
+
+define('LAN_PCONV_01','E107 Password Conversion Utility');
+define('LAN_PCONV_02','This utility converts all the passwords in your user database to current formats');
+define('LAN_PCONV_03','Caution!!!! Back up your database first!!!!!');
+define('LAN_PCONV_04','Proceed');
+define('LAN_PCONV_05','Convert md5 passwords to salted passwords');
+define('LAN_PCONV_06','Passwords for email address login');
+define('LAN_PCONV_07','Create');
+define('LAN_PCONV_08','Delete');
+define('LAN_PCONV_09','Do nothing');
+define('LAN_PCONV_10','Back up user database');
+define('LAN_PCONV_11', 'Yes');
+define('LAN_PCONV_12', 'Have you backed up your database?');
+define('LAN_PCONV_13', 'Backing up database');
+define('LAN_PCONV_14', 'Done');
+define('LAN_PCONV_15', 'Creating email passwords');
+define('LAN_PCONV_16', 'Deleting email passwords');
+define('LAN_PCONV_17', 'Scanning database...');
+define('LAN_PCONV_18', 'Cannot open user table');
+define('LAN_PCONV_19', 'Creates a table called \'user_backup\' with the information about to be changed. If the table already exists, it is emptied first');
+define('LAN_PCONV_20', 'Error creating backup table');
+define('LAN_PCONV_21', 'Error copying to backup table');
+define('LAN_PCONV_22', 'Total --TOTAL-- users checked');
+define('LAN_PCONV_23', 'Total --TOTAL-- email passwords calculated');
+define('LAN_PCONV_24', 'Total --TOTAL-- user passwords updated');
+define('LAN_PCONV_25', 'Total --TOTAL-- users could not be updated');
+define('LAN_PCONV_26', 'Create Backup');
+define('LAN_PCONV_27', 'Restore backup');
+define('LAN_PCONV_28', 'Restoring from backup....');
+define('LAN_PCONV_29', 'Backup database table not found!');
+define('LAN_PCONV_30', 'Cannot access backup table');
+define('LAN_PCONV_31', '');
+define('LAN_PCONV_32', '');
+define('LAN_PCONV_33', '');
+define('LAN_PCONV_34', '');
+define('LAN_PCONV_35', '');
+
+
+	function multi_radio($name, $textsVals, $currentval = '')
+	{
+	  $ret = '';
+	  $gap = '';
+	  foreach ($textsVals as $v => $t)
+	  {
+	    $sel = ($v == $currentval) ? " checked='checked'" : "";
+		$ret .= $gap."<input type='radio' name='{$name}' value='{$v}'{$sel} /> ".$t."\n";
+//		$gap = "&nbsp;&nbsp;";
+		$gap = "<br />";
+	  }
+	  return $ret;
+	}
+
+
+$recordCount = 0;
+$emailProcess = 0;
+$saltProcess = 0;
+$cantProcess = 0;
+$cookieChange = '';
+
+require(HEADERF);
+$pc_db = new db;
+if (isset($_POST['GetOnWithIt']))
+{
+  $doBackup = varset($_POST['doDBBackup'],0);
+  $saltConvert = varset($_POST['convertToSalt'],0);
+  $emailGen = varset($_POST['EmailPasswords'],0);
+  if ($doBackup == 2)
+  {
+    $saltConvert = 0;		// Don't do conversions if restoring database
+	$emailGen = 0;
+  }
+
+  $error = '';
+  if ($emailGen == 1)
+  {  // Scan DB for salted passwords
+  }
+
+
+//-----------------------------------------
+//		Backup user DB (selected fields)
+//-----------------------------------------
+  if (!$error && ($doBackup == 1))
+  {
+    echo LAN_PCONV_13;
+	if ($pc_db->db_Table_exists('user_backup'))
+	{  // Completely delete table - avoids problems with incorrect structure
+	  $pc_db->db_Select_gen('DROP TABLE `#user_backup` ');
+	}
+
+	$qry = "CREATE TABLE `#user_backup` (
+  user_id int(10) unsigned NOT NULL,
+  user_name varchar(100) NOT NULL default '',
+  user_loginname varchar(100) NOT NULL default '',
+  user_password varchar(50) NOT NULL default '',
+  user_email varchar(100) NOT NULL default '',
+  user_prefs text NOT NULL,
+  PRIMARY KEY  (user_id),
+  UNIQUE KEY user_name (user_name)
+) TYPE=MyISAM;";			// If not exists, of course
+
+	if (!$pc_db->db_Select_gen($qry))
+	{
+	  $error = LAN_PCONV_20;
+	}
+
+	if (!$error)
+	{
+	  $qry = "INSERT INTO `#user_backup` SELECT user_id, user_name, user_loginname, user_password, user_email, user_prefs FROM `#user` ";
+	  if ($pc_db->db_Select_gen($qry) === FALSE)
+	  {
+		$error = LAN_PCONV_21;
+	  }
+	}
+    if (!$error) echo '...'.LAN_PCONV_14.'<br /><br />';
+  }
+
+
+
+//--------------------------------------
+//		Restore from backup
+//--------------------------------------
+  if (!$error && ($doBackup == 2))
+  {
+	echo LAN_PCONV_28;
+	if (!$pc_db->db_Table_exists('user_backup'))
+	{  
+	  $error = LAN_PCONV_28;
+	}
+	if (!$error && $pc_db->db_Select('user_backup','*'))
+	{
+	  while ($row = $pc_db->db_Fetch(MYSQL_ASSOC))
+	  {
+		$uid = $row['user_id'];
+		unset($row['user_id']);
+		$sql->db_UpdateArray('user',$row," WHERE `user_id`={$uid}");	// Intentionally use $sql here
+		if (USERID == $uid)
+		{
+		  $cookieChange = $row['user_password'];
+		}
+	  }
+	}
+	else
+	{
+	  $error = LAN_PCONV_30;
+	}
+
+    if (!$error) echo '...'.LAN_PCONV_14.'<br /><br />';
+  }
+
+
+
+
+//--------------------------------------
+//		Change passwords
+//--------------------------------------
+  if (!$error && $emailGen || $saltConvert)
+  {  // Run through the DB doing conversions.
+	echo LAN_PCONV_17;
+    if ($pc_db->db_Select('user', 'user_id, user_name, user_loginname, user_password, user_email, user_prefs', '') === FALSE)
+	{
+	  $error = LAN_PCONV_18;
+	}
+	if (!$error)
+	{
+	  while ($row = $pc_db->db_Fetch())
+	  {  // Do conversions
+	    $recordCount++;
+	    $newData = array();
+		$newPrefs = '';
+		$user_prefs = unserialize($row['user_prefs']);
+		if ($saltConvert)
+		{
+		  if ($user_info->canConvert($row['user_password']))
+		  {
+			$newData['user_password'] = $user_info->ConvertPassword($row['user_password'], $row['user_loginname']);
+			$saltProcess++;
+			if (USERID == $row['user_id'])
+			{
+			  $cookieChange = $newData['user_password'];
+			}
+		  }
+		  else
+		  {
+			$cantProcess++;
+		  }
+		}
+		if (($emailGen == 1) && $user_info->canConvert($row['user_password']))
+		{
+		  $user_prefs['email_password'] = $user_info->ConvertPassword($row['user_password'], $row['user_email']);
+		  $emailProcess++;
+		}
+		elseif ($emailGen == 2)
+		{
+		  unset($user_prefs['email_password']);
+		  $emailProcess++;
+		}
+		if (count($user_prefs)) $newPrefs = serialize($user_prefs); else $newPrefs = '';
+		if($newPrefs != $user_prefs)
+		{
+		  $newData['user_prefs'] = $newPrefs;
+		}
+		
+		if (count($newData)) $sql->db_UpdateArray('user',$newData, " WHERE `user_id`={$row['user_id']}");
+	  }
+	}
+	echo str_replace('--TOTAL--',$recordCount, LAN_PCONV_22).'<br />';
+	echo str_replace('--TOTAL--',$saltProcess, LAN_PCONV_24).'<br />';
+	echo str_replace('--TOTAL--',$emailProcess, LAN_PCONV_23).'<br />';
+	echo str_replace('--TOTAL--',$cantProcess, LAN_PCONV_25).'<br />';
+	echo '<br />';
+  }
+
+  if ($error)
+  {
+    echo '<br />'.$error.'<br /><br />';
+	require_once(FOOTERF);
+	exit;
+  }
+  
+ 
+  if ($cookieChange)
+  { 
+//    echo "Cookie Updated.<br /><br />";
+	$cookieval = USERID.".".md5($cookieChange);		// Just changed admin password, and hence cookie
+	cookie($pref['cookie_name'], $cookieval);
+  }
+}
+
+
+$text = 
+	"<div style='text-align:center'>
+	<form method='post' action='".e_SELF."' onsubmit=\"return jsconfirm('".LAN_PCONV_12."')\">
+	<table style='width:95%' class='fborder'>
+	<colgroup>
+	<col style='width:60%' />
+	<col style='width:40%' />
+	</colgroup>
+
+	<tr>
+	  <td colspan='2' class='forumheader3' style='text-align:center'>".LAN_PCONV_01."
+	  </td>
+	</tr>
+	<tr>
+	  <td colspan='2' class='forumheader3' style='text-align:center'>".LAN_PCONV_02."<br />".LAN_PCONV_03."
+	  </td>
+	</tr>
+
+	<tr>
+	  <td class='forumheader3'>".LAN_PCONV_10."<br /><span class='smalltext'>".LAN_PCONV_19."</span></td>
+	  <td class='forumheader3'>".multi_radio('doDBBackup',array('0' => LAN_PCONV_09, '1' => LAN_PCONV_26, '2' => LAN_PCONV_27),'')."
+	  </td>
+	</tr>
+
+	<tr>
+	  <td class='forumheader3'>".LAN_PCONV_05."</td>
+	  <td class='forumheader3'>".multi_radio('convertToSalt',array('0' => LAN_PCONV_09, '1' => LAN_PCONV_11),'')."
+	  </td>
+	</tr>
+
+	<tr>
+	  <td class='forumheader3'>".LAN_PCONV_06."</td>
+	  <td class='forumheader3'>".multi_radio('EmailPasswords',array('0' => LAN_PCONV_09, '1' => LAN_PCONV_07, '2' => LAN_PCONV_08),'')."
+	  </td>
+	</tr>";
+
+  $text .= "
+	<tr>
+	  <td class='forumheader3' colspan='3' style='text-align:center'>
+		<input class='button' type='submit' name='GetOnWithIt' value='".LAN_PCONV_04."' />
+	  </td>
+	</tr>";
+
+
+
+
+$text .= "
+	</table>\n
+	</form>
+	</div><br />";
+	$ns->tablerender(LAN_PCONV_01, $text);
+
+require_once(FOOTERF);
+
+
+
+?>
diff --git a/e107_handlers/admin_log_class.php b/e107_handlers/admin_log_class.php
index 92052e170..a8fcf48d5 100644
--- a/e107_handlers/admin_log_class.php
+++ b/e107_handlers/admin_log_class.php
@@ -12,8 +12,8 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_handlers/admin_log_class.php,v $
-|     $Revision: 1.10 $
-|     $Date: 2008-04-07 21:35:38 $
+|     $Revision: 1.11 $
+|     $Date: 2008-06-13 20:20:21 $
 |     $Author: e107steved $
 
 To do:
@@ -76,7 +76,7 @@ class e_admin_log {
 	  define('USER_AUDIT_NEW_DN',15);				// User changed display name
 	  define('USER_AUDIT_NEW_PW',16);				// User changed password
 	  define('USER_AUDIT_NEW_EML',17);				// User changed email
-	  define('USER_AUDIT_PW_RES',18);				// Password reset
+	  define('USER_AUDIT_PW_RES',18);				// Password reset/resent activation email
 	  define('USER_AUDIT_NEW_SET',19);				// User changed other settings
 	  define('USER_AUDIT_ADD_ADMIN',20);			// User added by admin
 	}
diff --git a/e107_handlers/login.php b/e107_handlers/login.php
index c012058b1..4237bf5cf 100644
--- a/e107_handlers/login.php
+++ b/e107_handlers/login.php
@@ -12,19 +12,38 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_handlers/login.php,v $
-|     $Revision: 1.17 $
-|     $Date: 2008-01-22 01:41:36 $
-|     $Author: e107coders $
+|     $Revision: 1.18 $
+|     $Date: 2008-06-13 20:20:21 $
+|     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
 
+
 if (!defined('e107_INIT')) { exit; }
 
-include_lan(e_LANGUAGEDIR.e_LANGUAGE."/lan_login.php");
+error_reporting(E_ALL);
+
+
+require_once(e_HANDLER.'user_handler.php');
+include_lan(e_LANGUAGEDIR.e_LANGUAGE.'/lan_login.php');
+
+define ('LOGIN_CONTINUE',1);		// Not rejected (which is not exactly the same as 'accepted') by alt_auth
+define ('LOGIN_ABORT',-1);			// Rejected by alt_auth
+define ('LOGIN_BAD_PW', -2);		// Password wrong
+define ('LOGIN_BAD_USER', -3);		// User not in DB
+define ('LOGIN_BAD_USERNAME', -4);	// Username format unacceptable (e.g. too long)
+define ('LOGIN_BAD_CODE', -5);		// Wrong image code entered
+define ('LOGIN_MULTIPLE', -6); 		// Error if multiple logins not allowed
+define ('LOGIN_NOT_ACTIVATED', -7);	// User in DB, not activated
+define ('LOGIN_BLANK_FIELD', -8);	// Username or password blank
+define ('LOGIN_BAD_TRIGGER', -9);	// Rejected by trigger event
+define ('LOGIN_BANNED', -10);		// Banned user attempting login
+define ('LOGIN_CHAP_FAIL', -11);	// CHAP login failed
+
 
 class userlogin 
 {
-	function userlogin($username, $userpass, $autologin) 
+	function userlogin($username, $userpass, $autologin, $response = '') 
 	{
 		/* Constructor
 		# Class called when user attempts to log in
@@ -42,22 +61,19 @@ class userlogin
 
 		if($_E107['cli'] && ($username == ""))
 		{
-        	return;
+          return FALSE;
 		}
 
-		if($username == "" || $userpass == "")
+		$fip = $e107->getip();
+		if($username == "" || (($userpass == "") && ($response == '')))
 		{	// Required fields blank
-		  define("LOGINMESSAGE", LAN_LOGIN_20."<br /><br />");
-		  $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",'LAN_ROLL_LOG_01',$username,FALSE,LOG_TO_ROLLING);
-		  return FALSE;
+		  return $this->invalidLogin($username,LOGIN_BLANK_FIELD,$fip);
 		}
 
 	 	if(!is_object($sql)) { $sql = new db; }
 
-		$fip = $e107->getip();
 //	    $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","User login",'IP: '.$fip,FALSE,LOG_TO_ROLLING);
 		$e107->check_ban("banlist_ip='{$fip}' ",FALSE);			// This will exit if a ban is in force
-//		if($sql -> db_Select("banlist", "*", "banlist_ip='{$fip}' ")) {	exit;}
 
 		$autologin = intval($autologin);
 
@@ -68,224 +84,347 @@ class userlogin
 		  {
 			require_once(e_PLUGIN."alt_auth/alt_auth_login_class.php");
 			$result = new alt_login($pref['auth_method'], $username, $userpass);
+			if ($result == LOGIN_ABORT)
+			{	// Invalid user
+			  return $this->invalidLogin($username,LOGIN_ABORT,$fip);
+			}
 		  }
 		}
 
+		$username = preg_replace("/\sOR\s|\=|\#/", "", $username);
+
+		// Check secure image
 		if ($pref['logcode'] && extension_loaded("gd")) 
 		{
 		  require_once(e_HANDLER."secure_img_handler.php");
 		  $sec_img = new secure_image;
 		  if (!$sec_img->verify_code($_POST['rand_num'], $_POST['code_verify'])) 
 		  {	// Invalid code
-			define("LOGINMESSAGE", LAN_LOGIN_23."<br /><br />");
-			$admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",'LAN_ROLL_LOG_02','',FALSE,LOG_TO_ROLLING);
-			return FALSE;
+			return $this->invalidLogin($username,LOGIN_BAD_CODE,$fip);
 		  }
 		}
-		$username = preg_replace("/\sOR\s|\=|\#/", "", $username);
+
+		// Check username general format
 		if (strlen($username) > varset($pref['loginname_maxlength'],30))
 		{  // Error - invalid username
-		  define("LOGINMESSAGE", LAN_LOGIN_21."<br /><br />");
-		  $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",'LAN_ROLL_LOG_08',$username,FALSE,LOG_TO_ROLLING);
-		  return FALSE;
+		  return $this->invalidLogin($username,LOGIN_BAD_USERNAME,$fip);
 		}
-		$ouserpass = $userpass;
-		$userpass = md5($ouserpass);
 
-		if (!$sql->db_Select("user", "*", "user_loginname = '".$tp -> toDB($username)."'")) 
+		$lookemail = varset($pref['allowEmailLogin'],0) && (strpos($username,'@') !== FALSE);		// See if we look up against email or user name
+		// Look up user in DB - even if email addresses allowed, still look up by user name as well - user could have specified email address for their login name
+		if ($sql->db_Select("user", "*", "`user_loginname`= '".$tp -> toDB($username)."'".($lookemail ? " OR `user_email` = '".$tp -> toDB($username)."'" : '') ) !== 1) 	// Handle duplicate emails as well
 		{	// Invalid user
-			define("LOGINMESSAGE", LAN_LOGIN_21."<br /><br />");
-			$sql -> db_Insert("generic", "0, 'failed_login', '".time()."', 0, '{$fip}', 0, '".LAN_LOGIN_14." ::: ".LAN_LOGIN_1.": ".$tp -> toDB($username)."'");
-			$admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",'LAN_ROLL_LOG_04',$username,FALSE,LOG_TO_ROLLING);
-			$this -> checkibr($fip);
-			return FALSE;
+		  return $this->invalidLogin($username,LOGIN_BAD_USER,$fip);
 		}
-		else if(!$sql->db_Select("user", "*", "user_loginname = '".$tp -> toDB($username)."' AND user_password = '{$userpass}'")) 
-		{	// Invalid user/password combination
-			define("LOGINMESSAGE", LAN_LOGIN_21."<br /><br />");
-			$admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",'LAN_ROLL_LOG_03',$username,FALSE,LOG_TO_ROLLING);
-			return FALSE;
+
+		// User is in DB here
+		$lode = $sql -> db_Fetch();		// Get user info
+		$lode['user_perms'] = trim($lode['user_perms']);
+		$lookemail = $lookemail && ($tp -> toDB($username) == $lode['user_email']);		// Know whether login name or email address used now
+		if ($lookemail && varsettrue($pref['passwordEncoding']))
+		{
+		  $tmp = unserialize($lode['user_prefs']);
+		  $requiredPassword = varset($tmp['email_password'],$lode['user_password']);	// Use email-specific password if set. Otherwise, 'normal' one might work
+		  unset($tmp);
 		}
-		else if(!$sql->db_Select("user", "*", "user_loginname = '".$tp -> toDB($username)."' AND user_password = '{$userpass}' AND user_ban!=2 ")) 
-		{	// User not fully signed up - hasn't activated account
-		  define("LOGINMESSAGE", LAN_LOGIN_22."<br /><br />");
-		  $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",'LAN_ROLL_LOG_05',$username,FALSE,LOG_TO_ROLLING);
-		  $sql -> db_Insert("generic", "0, 'failed_login', '".time()."', 0, '{$fip}', 0, '".LAN_LOGIN_15." ::: ".LAN_LOGIN_1.": ".$tp -> toDB($username)."'");
-		  $this -> checkibr($fip);
-		  return FALSE;
+		else
+		{
+		  $requiredPassword = $lode['user_password'];
+		}
+
+		// Now check password
+		$user_info = new UserHandler();
+		if ((($pref['password_CHAP'] > 0) && ($response && isset($_SESSION['challenge'])) && ($response != $_SESSION['challenge'])) || ($pref['password_CHAP'] == 2))
+		{  // Verify using CHAP
+//		  $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","CHAP login","U: {$username}, P: {$userpass}, C: {$_SESSION['challenge']} R:{$response} S: {$lode['user_password']}",FALSE,LOG_TO_ROLLING);
+		  if (($pass_result = $user_info->CheckCHAP($_SESSION['challenge'], $response, $username, $requiredPassword)) === PASSWORD_INVALID)
+		  {
+			return $this->invalidLogin($username,LOGIN_CHAP_FAIL,$fip);
+		  }
+		}
+		else
+		{	// Plaintext password
+//		  $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Plaintext login","U: {$username}, P: {$userpass}, C: {$_SESSION['challenge']} R:{$response} S: {$lode['user_password']}",FALSE,LOG_TO_ROLLING);
+		  if (($pass_result = $user_info->CheckPassword($userpass,($lookemail ? $lode['user_loginname'] : $username),$requiredPassword)) === PASSWORD_INVALID)
+		  {
+			return $this->invalidLogin($username,LOGIN_BAD_PW,$fip);
+		  }
+		}
+
+		// Check user status
+		switch ($lode['user_ban'])
+		{
+		  case USER_REGISTERED_NOT_VALIDATED : // User not fully signed up - hasn't activated account. 
+			return $this->invalidLogin($username,LOGIN_NOT_ACTIVATED,$fip);
+		  case USER_BANNED :		// User banned
+			return $this->invalidLogin($username,LOGIN_BANNED,$fip,$lode['user_id']);
+		  case USER_VALIDATED :		// Valid user
+		    break;			// Nothing to do ATM
+		  default :			// May want to pick this up
+		}
+
+
+		// User is OK as far as core is concerned
+//	    $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","User login",'User passed basics',FALSE,LOG_TO_ROLLING);
+		if ($pass_result !== PASSWORD_VALID)
+		{  // May want to rewrite password using salted hash (or whatever the preferred method is) - $pass_result has the value to write
+			// If login by email address also allowed, will have to write that value too
+//		  $sql->db_Update('user',"`user_password` = '{$pass_result}' WHERE `user_id`=".intval($lode['user_id']));
+		}
+
+
+		$userpass = '';								// Finished with any plaintext password - can get rid of it
+	
+
+		$ret = $e_event->trigger("preuserlogin", $username);
+		if ($ret != '') 
+		{
+		  return $this->invalidLogin($username,LOGIN_BAD_TRIGGER,$fip,$ret);
+		} 
+
+
+		// Trigger events happy as well
+		$user_id = $lode['user_id'];
+		$user_name = $lode['user_name'];
+		$user_xup = $lode['user_xup'];
+
+		/* restrict more than one person logging in using same us/pw */
+		if($pref['disallowMultiLogin']) 
+		{
+		  if($sql -> db_Select("online", "online_ip", "online_user_id='".$user_id.".".$user_name."'")) 
+		  {
+			return $this->invalidLogin($username,LOGIN_MULTIPLE,$fip,$user_id);
+		  }
+		}
+
+		if($user_xup) 
+		{
+		  $this->update_xup($user_id, $user_xup);
+		}
+
+
+		$cookieval = $user_id.".".md5($lode['user_password']);		// (Use extra md5 on cookie value to obscure hashed value for password)
+		if ($pref['user_tracking'] == "session")
+		{
+		  $_SESSION[$pref['cookie_name']] = $cookieval;
 		} 
 		else 
-		{	// User is OK as far as core is concerned
-//	    $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","User login",'User passed basics',FALSE,LOG_TO_ROLLING);
-		  $ret = $e_event->trigger("preuserlogin", $username);
-		  if ($ret!='') 
-		  {
-			define("LOGINMESSAGE", $ret."<br /><br />");
-			$admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",'LAN_ROLL_LOG_06',$username,FALSE,LOG_TO_ROLLING);
-			return FALSE;
+		{
+		  if ($autologin == 1) 
+		  {	// Cookie valid for up to 30 days
+			cookie($pref['cookie_name'], $cookieval, (time() + 3600 * 24 * 30));
 		  } 
 		  else 
-		  {	// Trigger events happy as well
-			$lode = $sql -> db_Fetch();		// Get user info
-			$lode['user_perms'] = trim($lode['user_perms']);
-			$user_id = $lode['user_id'];
-			$user_name = $lode['user_name'];
-			$user_xup = $lode['user_xup'];
+		  {
+			cookie($pref['cookie_name'], $cookieval);
+		  }
+		}
 
-			/* restrict more than one person logging in using same us/pw */
-			if($pref['disallowMultiLogin']) 
-			{
-			  if($sql -> db_Select("online", "online_ip", "online_user_id='".$user_id.".".$user_name."'")) 
+		// User login definitely accepted here
+
+
+		// Calculate class membership - needed for a couple of things
+		// Problem is that USERCLASS_LIST just contains 'guest' and 'everyone' at this point
+		$class_list = explode(',',$lode['user_class']);
+		if ($lode['user_admin'] && strlen($lode['user_perms']))
+		{
+		  $class_list[] = e_UC_ADMIN;
+		  if (strpos($lode['user_perms'],'0') === 0)
+		  {
+			$class_list[] = e_UC_MAINADMIN;
+		  }
+		}
+		$class_list[] = e_UC_MEMBER;
+		$class_list[] = e_UC_PUBLIC;
+
+		$user_logging_opts = array_flip(explode(',',varset($pref['user_audit_opts'],'')));
+		if (isset($user_logging_opts[USER_AUDIT_LOGIN]) && in_array(varset($pref['user_audit_class'],''),$class_list))
+		{  // Need to note in user audit trail
+		  $admin_log->user_audit(USER_AUDIT_LOGIN,'', $user_id,$user_name);
+		}
+
+		$edata_li = array("user_id" => $user_id, "user_name" => $username, 'class_list' => implode(',',$class_list), 'remember_me' => $autologin);
+		$e_event->trigger("login", $edata_li);
+
+		if($_E107['cli'])
+		{
+          return $cookieval;
+		}
+
+		$redir = e_SELF;
+		if (e_QUERY) $redir .= '?'.str_replace('&amp;','&',e_QUERY);
+		if (isset($pref['frontpage_force']) && is_array($pref['frontpage_force'])) 
+		{	// See if we're to force a page immediately following login - assumes $pref['frontpage_force'] is an ordered list of rules
+//		  $log_info = "New user: ".$lode['user_name']."  Class: ".$lode['user_class']."  Admin: ".$lode['user_admin']."  Perms: ".$lode['user_perms'];
+//		  $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Login Start",$log_info,FALSE,FALSE);
+		  foreach ($pref['frontpage_force'] as $fk=>$fp)
+		  {
+			if (in_array($fk,$class_list))
+			{  // We've found the entry of interest
+			  if (strlen($fp))
 			  {
-				define("LOGINMESSAGE", LAN_LOGIN_24."<br /><br />");
-				$admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",'LAN_ROLL_LOG_07',"U: {$username} IP: {$fip}",FALSE,LOG_TO_ROLLING);
-				$sql -> db_Insert("generic", "0, 'failed_login', '".time()."', 0, '{$fip}', '{$user_id}', '".LAN_LOGIN_16." ::: ".LAN_LOGIN_1.": ".$tp -> toDB($username).", ".LAN_LOGIN_17.": ".md5($ouserpass)."' ");
-				$this -> checkibr($fip);
-				return FALSE;
+				$redir = ((strpos($fp, 'http') === FALSE) ? e_BASE : '').$tp -> replaceConstants($fp, TRUE, FALSE);
+//				$admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Redirect active",$redir,FALSE,FALSE);
 			  }
+			  break;
 			}
-
-			  $cookieval = $user_id.".".md5($userpass);
-			  if($user_xup) 
-			  {
-				$this->update_xup($user_id, $user_xup);
-			  }
-
-			  if ($pref['user_tracking'] == "session")
-			  {
-				$_SESSION[$pref['cookie_name']] = $cookieval;
-			  } 
-			  else 
-			  {
-				if ($autologin == 1) 
-				{	// Cookie valid for up to 30 days
-				  cookie($pref['cookie_name'], $cookieval, (time() + 3600 * 24 * 30));
-				} 
-				else 
-				{
-				  cookie($pref['cookie_name'], $cookieval);
-				}
-			  }
-			  
-			  // User login definitely accepted here
-
-
-			  // Calculate class membership - needed for a couple of things
-			  // Problem is that USERCLASS_LIST just contains 'guest' and 'everyone' at this point
-			  $class_list = explode(',',$lode['user_class']);
-			  if ($lode['user_admin'] && strlen($lode['user_perms']))
-			  {
-			    $class_list[] = e_UC_ADMIN;
-				if (strpos($lode['user_perms'],'0') === 0)
-				{
-				  $class_list[] = e_UC_MAINADMIN;
-				}
-			  }
-			  $class_list[] = e_UC_MEMBER;
-			  $class_list[] = e_UC_PUBLIC;
-
-			  $user_logging_opts = array_flip(explode(',',varset($pref['user_audit_opts'],'')));
-			  if (isset($user_logging_opts[USER_AUDIT_LOGIN]) && in_array(varset($pref['user_audit_class'],''),$class_list))
-			  {  // Need to note in user audit trail
-			    $admin_log->user_audit(USER_AUDIT_LOGIN,'', $user_id,$user_name);
-			  }
-
-			  $edata_li = array("user_id" => $user_id, "user_name" => $username, 'class_list' => implode(',',$class_list), 'remember_me' => $autologin);
-			  $e_event->trigger("login", $edata_li);
-			  $redir = (e_QUERY ? e_SELF."?".e_QUERY : e_SELF);
-
-				if($_E107['cli'])
-				{
-                	return $cookieval;
-				}
-
-				if (isset($pref['frontpage_force']) && is_array($pref['frontpage_force'])) 
-				{	// See if we're to force a page immediately following login - assumes $pref['frontpage_force'] is an ordered list of rules
-//				  $log_info = "New user: ".$lode['user_name']."  Class: ".$lode['user_class']."  Admin: ".$lode['user_admin']."  Perms: ".$lode['user_perms'];
-//				  $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Login Start",$log_info,FALSE,FALSE);
-//				  $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","New User class",implode(',',$class_list),FALSE,FALSE);
-				  foreach ($pref['frontpage_force'] as $fk=>$fp)
-				  {
-					if (in_array($fk,$class_list))
-					{  // We've found the entry of interest
-					  if (strlen($fp))
-					  {
-						$redir = ((strpos($fp, 'http') === FALSE) ? e_BASE : '').$tp -> replaceConstants($fp, TRUE, FALSE);
-//						$admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Redirect active",$redir,FALSE,FALSE);
-					  }
-					  break;
-					}
-				  }
-				}
+		  }
+		}
 
 
 
-				if (strstr($_SERVER['SERVER_SOFTWARE'], "Apache")) {
-				  	header("Location: ".$redir);
-				  	exit;
-				} else {
-				  	echo "<script type='text/javascript'>document.location.href='{$redir}'</script>\n";
-				}
-			}
+		if (strstr($_SERVER['SERVER_SOFTWARE'], "Apache")) 
+		{
+		  header("Location: ".$redir);
+		  exit;
+		} 
+		else 
+		{
+		  echo "<script type='text/javascript'>document.location.href='{$redir}'</script>\n";
 		}
 	}
 
-	function checkibr($fip) 
+
+	// Function called to log the reason for a failed login. Currently always returns false - could return some other value
+	function invalidLogin($username,$reason, $fip = '?', $extra_text = '')
 	{
 	  global $sql, $pref, $tp, $e107;
-	  if($pref['autoban'] == 1 || $pref['autoban'] == 3)
-	  { // Flood + Login or Login Only.
-		$fails = $sql -> db_Count("generic", "(*)", "WHERE gen_ip='{$fip}' AND gen_type='failed_login' ");
-		if($fails > 10) 
-		{
-		  $e107->add_ban(4,LAN_LOGIN_18,$fip,1);
-//				$sql -> db_Insert("banlist", "'$fip', '1', '".LAN_LOGIN_18."' ");
-		  $sql -> db_Insert("generic", "0, 'auto_banned', '".time()."', 0, '{$fip}', '{$user_id}', '".LAN_LOGIN_20.": ".$tp -> toDB($username).", ".LAN_LOGIN_17.": ".md5($ouserpass)."' ");
+	  
+	  $doCheck = FALSE;			// Flag set if need to ban check
+	  switch ($reason)
+	  {
+		case LOGIN_ABORT :		// alt_auth reject
+		  define("LOGINMESSAGE", LAN_LOGIN_21."<br /><br />");
+		  $this->genNote($fip,$username,'Alt_auth: '.LAN_LOGIN_14);
+		  $this->logNote('LAN_ROLL_LOG_04','Alt_Auth: '.$username);
+		  $doCheck = TRUE;
+		  break;
+		case LOGIN_BAD_PW :
+		  define("LOGINMESSAGE", LAN_LOGIN_21."<br /><br />");
+		  $this->logNote('LAN_ROLL_LOG_03',$username);
+		  break;
+		case LOGIN_CHAP_FAIL :
+		  define("LOGINMESSAGE", LAN_LOGIN_21."<br /><br />");
+		  $this->logNote('LAN_ROLL_LOG_03','CHAP: '.$username);
+		  break;
+		case LOGIN_BAD_USER :
+		  define("LOGINMESSAGE", LAN_LOGIN_21."<br /><br />");
+		  $this->genNote($fip,$username,LAN_LOGIN_14);
+		  $this->logNote('LAN_ROLL_LOG_04',$username);
+		  $doCheck = TRUE;
+		  break;
+		case LOGIN_BAD_USERNAME :
+		  define("LOGINMESSAGE", LAN_LOGIN_21."<br /><br />");
+		  $this->logNote('LAN_ROLL_LOG_08',$username);
+		  break;
+		case LOGIN_MULTIPLE :
+		  define("LOGINMESSAGE", LAN_LOGIN_24."<br /><br />");
+		  $this->logNote('LAN_ROLL_LOG_07',"U: {$username} IP: {$fip}");
+		  $this->genNote($fip,$username,LAN_LOGIN_16);
+		  $doCheck = TRUE;
+		  break;
+		case LOGIN_BAD_CODE :
+		  define("LOGINMESSAGE", LAN_LOGIN_23."<br /><br />");
+		  $this->logNote('LAN_ROLL_LOG_02',$username);
+		  break;
+		case LOGIN_NOT_ACTIVATED :
+		  define("LOGINMESSAGE", LAN_LOGIN_22."<br /><br />");
+		  $this->logNote('LAN_ROLL_LOG_05',$username);
+		  $this->genNote($fip,$username,LAN_LOGIN_27);
+		  $doCheck = TRUE;
+		  break;
+		case LOGIN_BLANK_FIELD :
+		  define("LOGINMESSAGE", LAN_LOGIN_20."<br /><br />");
+		  $this->logNote('LAN_ROLL_LOG_01',$username);
+		  break;
+		case LOGIN_BAD_TRIGGER :
+		  define("LOGINMESSAGE", $extra_text."<br /><br />");
+		  $this->logNote('LAN_ROLL_LOG_06',$username);
+		  break;
+		case LOGIN_BANNED :
+		  define("LOGINMESSAGE", LAN_LOGIN_21."<br /><br />");		// Just give 'incorrect login' message
+		  $this->genNote($fip,$username,LAN_LOGIN_25);
+		  $this->logNote('LAN_ROLL_LOG_09',$username);
+		  break;
+		default :		// Something's gone wrong!
+		  define("LOGINMESSAGE", LAN_LOGIN_21."<br /><br />");		// Just give 'incorrect login' message
+		  $this->genNote($fip,$username,LAN_LOGIN_26);
+		  $this->logNote('LAN_ROLL_LOG_10',$username);
+	  }
+
+	  if ($doCheck)
+	  {		// See if ban required (formerly the checkibr() function)
+		if($pref['autoban'] == 1 || $pref['autoban'] == 3)
+		{ // Flood + Login or Login Only.
+		  $fails = $sql -> db_Count("generic", "(*)", "WHERE gen_ip='{$fip}' AND gen_type='failed_login' ");
+		  if($fails > 10) 
+		  {
+			$e107->add_ban(4,LAN_LOGIN_18,$fip,1);
+			$sql -> db_Insert("generic", "0, 'auto_banned', '".time()."', 0, '{$fip}', '{$extra_text}', '".LAN_LOGIN_20.": ".$tp -> toDB($username).", ".LAN_LOGIN_17.": ".md5($ouserpass)."' ");
+		  }
 		}
 	  }
+	  return FALSE;		// Passed back to signal failed login
 	}
 
+
+	// Make a note of an event in the rolling log
+	function logNote($title,$text)
+	{
+	  global $admin_log;
+	  $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"LOGIN",$title,$text,FALSE,LOG_TO_ROLLING);
+	}
+
+
+	// Make a note of an event in the 'generic' table
+	function genNote($fip,$username,$msg1)
+	{
+	  global $sql, $tp;
+	  $sql -> db_Insert("generic", "0, 'failed_login', '".time()."', 0, '{$fip}', 0, '".$msg1." ::: ".LAN_LOGIN_1.": ".$tp -> toDB($username)."'");
+	}
+
+
 	// This is called to update user settings from a XUP file - usually because the file name has changed.
 	// $user_xup has the new file name
 	function update_xup($user_id, $user_xup = "") 
 	{
-		global $sql, $tp;
-		if($user_xup) 
+	  global $sql, $tp;
+	  if($user_xup) 
+	  {
+		require_once(e_HANDLER."xml_class.php");
+		$xml = new xmlClass;
+		if($rawData = $xml -> getRemoteFile($user_xup)) 
 		{
-			require_once(e_HANDLER."xml_class.php");
-			$xml = new parseXml;
-			if($rawData = $xml -> getRemoteXmlFile($user_xup)) 
-			{
-				preg_match_all("#\<meta name=\"(.*?)\" content=\"(.*?)\" \/\>#si", $rawData, $match);
-				$count = 0;
-				foreach($match[1] as $value) 
-				{
-					$$value = $tp -> toDB($match[2][$count]);
-					$count++;
-				}
+		  preg_match_all("#\<meta name=\"(.*?)\" content=\"(.*?)\" \/\>#si", $rawData, $match);
+		  $count = 0;
+		  foreach($match[1] as $value) 
+		  {
+			$$value = $tp -> toDB($match[2][$count]);
+			$count++;
+		  }
 
-				// List of fields in main user record, and their corresponding XUP fields
-				$main_fields = array('user_realname' => 'FN',
+		  // List of fields in main user record, and their corresponding XUP fields
+		  $main_fields = array('user_realname' => 'FN',
 							'user_hideemail'=>'EMAILHIDE', 
 							'user_signature'=>'SIG', 
 							'user_sess'=>'PHOTO', 
 							'user_image'=>'AV');
 				
-				$new_values = array();
-				foreach ($main_fields as $f => $v)
-				{
-				  if (isset($$v) && $$v)
-				  {
-				    $new_values[$f] = $$v;
-				  }
-				}
+		  $new_values = array();
+		  foreach ($main_fields as $f => $v)
+		  {
+			if (isset($$v) && $$v)
+			{
+			  $new_values[$f] = $$v;
+			}
+		  }
 
-				// Use of db_updateArray() ensures only non-empty fields are changed
-				$sql -> db_UpdateArray("user", $new_values, "WHERE user_id='".intval($user_id)."'");
+		  // Use of db_updateArray() ensures only non-empty fields are changed
+		  $sql -> db_UpdateArray("user", $new_values, "WHERE user_id='".intval($user_id)."'");
 //				$sql -> db_Update("user", "user_realname='{$FN}', user_hideemail='{$EMAILHIDE}', user_signature='{$SIG}', user_sess='{$PHOTO}', user_image='{$AV}', user_timezone='{$TZ}' WHERE user_id='".intval($user_id)."'");
 
-				$ue_fields = "";
-				$fields = array("URL" => "homepage",
+		  $ue_fields = "";
+		  $fields = array("URL" => "homepage",
 					"ICQ" => "icq",
 					"AIM" => "aim",
 					"MSN" => "msn",
@@ -293,29 +432,29 @@ class userlogin
 					"GEO" => "location",
 					"TZ" => 'timezone',
 					"BDAY" => "birthday");
-					include_once(e_HANDLER."user_extended_class.php");
-					$usere = new e107_user_extended;
-					$extList = $usere->user_extended_get_fieldList();
-					$extName = array();
-					foreach($extList as $ext)
-					{
-						$extName[] = $ext['user_extended_struct_name'];
-					}
-					foreach($fields as $keyxup => $keydb)
-					{
-						if (in_array($keydb, $extName))
-						{
-							$key = "user_".$keydb;
-							$key = $tp->toDB($key);
-							$val = $tp->toDB($$keyxup);
-							$ue_fields .= ($ue_fields) ? ", " : "";
-							$ue_fields .= $key."='".$val."'";
-						}
-					}
-					$sql -> db_Select_gen("INSERT INTO #user_extended (user_extended_id) values ('".intval($user_id)."')");
-					$sql -> db_Update("user_extended", $ue_fields." WHERE user_extended_id = '".intval($user_id)."'");
+		  include_once(e_HANDLER."user_extended_class.php");
+		  $usere = new e107_user_extended;
+		  $extList = $usere->user_extended_get_fieldList();
+		  $extName = array();
+		  foreach($extList as $ext)
+		  {
+			$extName[] = $ext['user_extended_struct_name'];
+		  }
+		  foreach($fields as $keyxup => $keydb)
+		  {
+			if (in_array($keydb, $extName))
+			{
+			  $key = "user_".$keydb;
+			  $key = $tp->toDB($key);
+			  $val = $tp->toDB($$keyxup);
+			  $ue_fields .= ($ue_fields) ? ", " : "";
+			  $ue_fields .= $key."='".$val."'";
 			}
+		  }
+		  $sql -> db_Select_gen("INSERT INTO #user_extended (user_extended_id) values ('".intval($user_id)."')");
+		  $sql -> db_Update("user_extended", $ue_fields." WHERE user_extended_id = '".intval($user_id)."'");
 		}
+	  }
 	}
 }
 
diff --git a/e107_handlers/user_extended_class.php b/e107_handlers/user_extended_class.php
index 5937642a1..6ccd5f224 100755
--- a/e107_handlers/user_extended_class.php
+++ b/e107_handlers/user_extended_class.php
@@ -11,8 +11,8 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_handlers/user_extended_class.php,v $
-|     $Revision: 1.12 $
-|     $Date: 2008-05-25 15:31:58 $
+|     $Revision: 1.13 $
+|     $Date: 2008-06-13 20:20:21 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -94,6 +94,33 @@ class e107_user_extended
 	}
 
 
+	// $val is whatever the user entered.
+	// $params is the field definition
+	// Return FALSE if acceptable, TRUE if fail , error message on regex fail if the message is defined
+	function user_extended_validate_entry($val, $params)
+	{
+	  global $tp;
+	  $parms = explode("^,^", $params['user_extended_struct_parms']);
+	  $requiredField = $params['user_extended_struct_required'] == 1;
+	  $regex = $tp->toText($parms[1]);
+	  $regexfail = $tp->toText($parms[2]);
+      if (defined($regexfail)) { $regexfail = constant($regexfail); }
+	  if($val == '' && $requiredField) return TRUE;
+	  switch ($type)
+	  {
+		case EUF_DATE :
+		  if ($requiredField && ($val == '0000-00-00')) return TRUE;
+		  break;
+	  }
+	  if($regex != "" && $val != "")
+	  {
+		if(!preg_match($regex, $val)) return $regexfail ? $regexfail : TRUE;
+	  }
+	  return FALSE;			// Pass by default here
+	}
+
+
+
 	function user_extended_get_categories($byID = TRUE)
 	{
 	   	$ret = array();
diff --git a/e107_handlers/user_handler.php b/e107_handlers/user_handler.php
new file mode 100644
index 000000000..93a061996
--- /dev/null
+++ b/e107_handlers/user_handler.php
@@ -0,0 +1,362 @@
+<?php
+/*
++ ----------------------------------------------------------------------------+
+|     e107 website system
+|
+|     ©Steve Dunstan 2001-2002
+|     http://e107.org
+|     jalist@e107.org
+|
+|     Released under the terms and conditions of the
+|     GNU General Public License (http://gnu.org).
+|
+|     $Source: /cvs_backup/e107_0.8/e107_handlers/user_handler.php,v $
+|     $Revision: 1.1 $
+|     $Date: 2008-06-13 20:20:21 $
+|     $Author: e107steved $
++----------------------------------------------------------------------------+
+*/
+
+
+/*
+USER HANDLER CLASS - manages login and various user functions
+
+*/
+
+
+if (!defined('e107_INIT')) { exit; }
+
+
+define('USER_VALIDATED',0);
+define('USER_BANNED',1);
+define('USER_REGISTERED_NOT_VALIDATED',2);
+define('USER_EMAIL_BOUNCED', 3);
+define('USER_BOUNCED_RESET', 4);
+define('USER_TEMPORARY_ACCOUNT', 5);
+
+
+define('PASSWORD_E107_MD5',0);
+define('PASSWORD_E107_SALT',1);
+
+define('PASSWORD_E107_ID','$E$');			// E107 salted
+
+
+define('PASSWORD_INVALID', FALSE);
+define('PASSWORD_VALID',TRUE);
+define ('PASSWORD_DEFAULT_TYPE',PASSWORD_E107_MD5);
+//define ('PASSWORD_DEFAULT_TYPE',PASSWORD_E107_SALT);
+
+
+class UserHandler
+{
+	var $preferred = PASSWORD_DEFAULT_TYPE;			// Preferred password format
+	var $passwordOpts = 0;							// Copy of pref
+	var $passwordEmail = FALSE;						// True if can use email address to log in
+
+	// Constructor
+	function UserHandler()
+	{
+	  global $pref;
+	  $this->passwordOpts = varset($pref['passwordEncoding'],0);
+	  $this->passwordEmail = varset($pref['allowEmailLogin'],FALSE);
+	  switch ($this->passwordOpts)
+	  {
+	    case 1 :
+		case 2 :
+		  $this->preferred = PASSWORD_E107_SALT;
+		  break;
+		case 0 :
+		default :
+		  $this->preferred = PASSWORD_E107_MD5;
+		  $this->passwordOpts = 0;		// In case it got set to some stupid value
+		  break;
+	  }
+	  return FALSE;
+	}
+
+
+	// Given plaintext password and login name, generate password string to store in DB
+	function HashPassword($password, $login_name, $force='')
+	{
+	  if ($force == '') $force = $this->preferred;
+	  switch ($force)
+	  {
+		case PASSWORD_E107_MD5 :
+		  return md5($password);
+		  
+		case PASSWORD_E107_SALT :
+		  return PASSWORD_E107_ID.md5(md5($password).$login_name);
+		  break;
+	  }
+	  return FALSE;
+	}
+
+
+	// Verify existing plaintext password against a stored hash value (which defines the encoding format and any 'salt')
+	// Return PASSWORD_INVALID if invalid password
+	// Return PASSWORD_VALID if valid password
+	// Return a new hash to store if valid password but non-preferred encoding
+	function CheckPassword($password, $login_name, $stored_hash)
+	{
+	  if (strlen(trim($password)) == 0) return PASSWORD_INVALID;
+	  if (($this->passwordOpts <= 1) && (strlen($stored_hash) == 32))
+	  {	// Its simple md5 encoding
+		if (md5($password) !== $stored_hash) return PASSWORD_INVALID;
+		if ($this->preferred == PASSWORD_E107_MD5) return PASSWORD_VALID;
+		return $this->HashPassword($password);		// Valid password, but non-preferred encoding; return the new hash
+	  }
+
+	  // Allow the salted password even if disabled - for those that do try to go back!
+//  	  if (($this->passwordOpts >= 1) && (strlen($stored_hash) == 35) && (substr($stored_hash,0,3) == PASSWORD_E107_ID))
+  	  if ((strlen($stored_hash) == 35) && (substr($stored_hash,0,3) == PASSWORD_E107_ID))
+	  {	// Its the standard E107 salted hash
+		$hash = $this->HashPassword($password, $login_name, PASSWORD_E107_SALT);
+		if ($hash === FALSE) return PASSWORD_INVALID;
+		return ($hash == $stored_hash) ? PASSWORD_VALID : PASSWORD_INVALID;
+	  }
+
+	  return PASSWORD_INVALID;
+	}
+
+
+	// Verifies a standard response to a CHAP challenge
+	function CheckCHAP($challenge, $response, $login_name, $stored_hash )
+	{
+	  if (strlen($challenge) != 40) return PASSWORD_INVALID;
+	  if (strlen($response) != 32) return PASSWORD_INVALID;
+	  $valid_ret = PASSWORD_VALID;
+	  if (strlen($stored_hash) == 32)
+	  {	// Its simple md5 password storage
+		$stored_hash = PASSWORD_E107_ID.md5($stored_hash.$login_name);			// Convert to the salted format always used by CHAP
+		if ($this->passwordOpts != PASSWORD_E107_MD5) $valid_ret = $stored_response;
+	  }
+	  $testval = md5(substr($stored_hash,strlen(PASSWORD_E107_ID)).$challenge);
+	  if ($testval == $response) return $valid_ret;
+	  return PASSWORD_INVALID;
+	}
+
+
+
+	// Checks whether the user has to validate a user setting change by entering password (basically, if that field affects the
+	// stored password value)
+	// Returns TRUE if change required, FALSE otherwise
+	function isPasswordRequired($fieldName)
+	{
+	  if ($this->preferred == PASSWORD_E107_MD5) return FALSE;
+	  switch ($fieldName)
+	  {
+		case 'user_email' :
+		  return $this->passwordEmail;
+		case 'user_loginname' :
+		  return TRUE;
+	  }
+	  return FALSE;
+	}
+	
+	
+	// Checks whether the password value can be converted to the current default
+	// Returns TRUE if conversion possible.
+	// Returns FALSE if conversion not possible, or not needed
+	function canConvert($password)
+	{
+	  if ($this->preferred == PASSWORD_E107_MD5) return FALSE;
+	  if (strlen($password) == 32) return TRUE;		// Can convert from md5 to salted
+	  return FALSE;
+	}
+
+
+	// Given md5-encoded password and login name, generate password string to store in DB
+	function ConvertPassword($password, $login_name)
+	{
+	  if ($this->canConvert($password) === FALSE) return $password;
+	  return PASSWORD_E107_ID.md5($password.$login_name);
+	}
+
+
+
+	// Generates a random user login name according to some pattern.
+	// Checked for uniqueness.
+	function generateUserLogin($pattern, $seed='')
+	{
+	  $ul_sql = new db;
+	  if (strlen($pattern) < 6) $pattern = '##....';
+	  do
+	  {
+		$newname = $this->generateRandomString($pattern, $seed);
+	  } while ($ul_sql->db_Select('user','user_id',"`user_loginname`='{$newname}'"));
+	  return $newname;
+	}
+
+
+
+	// Generates a random string - for user login name, password etc, according to some pattern.
+	// Checked for uniqueness.
+	// Pattern format:
+	//		# - an alpha character
+	//		. - a numeric character
+	//		* - an alphanumeric character
+	//		^ - next character from seed
+	//		alphanumerics are included 'as is'
+	function generateRandomString($pattern, $seed='')
+	{
+	  if (strlen($pattern) < 6) $pattern = '##....';
+	  $newname = '';
+	  $seed_ptr = 0;			// Next character of seed (if used)
+	  for ($i = 0; $i < strlen($pattern); $i++)
+	  {
+		$c = $pattern[$i];
+		switch ($c)
+		{
+		  case '#' :		// Alpha only (upper and lower case)
+			do
+			{
+			  $t = chr(rand(65,122));
+			} while (!ctype_alpha($t));
+			$newname .= $t;
+			break;
+		  case '.' :		// Numeric only
+			do
+			{
+			  $t = chr(rand(48,57));
+			} while (!ctype_digit($t));
+			$newname .= $t;
+			break;
+		  case '*' :		// Alphanumeric
+			do
+			{
+			  $t = chr(rand(48,122));
+			} while (!ctype_alnum($t));
+			$newname .= $t;
+			break;
+		  case '^' :		// Next character from seed
+			if ($seed_ptr < strlen($seed))
+			{
+			  $newname .= $seed[$seed_ptr];
+			  $seed_ptr++;
+			}
+			break;
+		  default :
+			if (ctype_alnum($c)) $newname .= $c;
+			// (else just ignore other characters in pattern)
+		}
+	  }
+	  return $newname;
+	}
+
+
+
+	// Split up an email address to check for banned domains.
+	// Return false if invalid address. Otherwise returns a set of values to check
+	function make_email_query($email, $fieldname = 'banlist_ip')
+	{
+	  global $tp;
+	  $tmp = strtolower($tp -> toDB(trim(substr($email, strrpos($email, "@")+1))));
+	  if ($tmp == '') return FALSE;
+	  if (strpos($tmp,'.') === FALSE) return FALSE;
+	  $em = array_reverse(explode('.',$tmp));
+	  $line = '';
+	  $out = array();
+	  foreach ($em as $e)
+	  {
+		$line = '.'.$e.$line;
+		$out[] = $fieldname."='*{$line}'";
+	  }
+	  return implode(' OR ',$out);
+	}
+
+
+
+	// Validate a standard user field (for length, acceptable characters etc).
+	// Returns TRUE if totally acceptable
+	// If $justStrip is FALSE, returns FALSE for an unacceptable value
+	// If $justStrip is TRUE, usually returns a new value (based on that passed) which does validate - usually characters stripped, length trimmed etc
+	//		Note: will return FALSE for some input values regardless of the setting of $justStrip
+	// Currently coded to always return TRUE if field name not recognised
+	function validateField($fieldName,$fieldValue, $justStrip = FALSE)
+	{
+	  global $pref;
+	  $newValue = $fieldValue;
+	  switch ($fieldName)
+	  {
+	    case 'user_loginname' :
+		  $newValue = trim(preg_replace('/&nbsp;|\#|\=|\$/', "", strip_tags($fieldValue)));
+		  $newValue = substr($newValue,0,varset($pref['loginname_maxlength'],30));
+		  if (strlen($newValue) < 2) return FALSE;			// Always an error if a short string 
+		  break;
+		case 'user_password' :
+		  if (strlen($fieldValue) < $pref['signup_pass_len']) return FALSE;
+		  break;
+	  }
+	  if ($justStrip)
+	  {
+		return $newValue;
+	  }
+	  else
+	  {
+	    return ($newValue == $fieldValue);
+	  }
+	}
+	
+	
+	// Takes an array of $_POST fields whose first characters match $prefix, and passes them through the validateField routine
+	// Returns three arrays - one of validated results, one of failed fields and one of errors corresponding to the failed fields
+	function validatePostList($prefix = '', $doToDB = TRUE, $justStrip = FALSE)
+	{
+	  global $tp;
+	  $ret = array('validate' => array(), 'failed' => array(), 'errors' => array());
+	  foreach ($_POST as $k => $v)
+	  {
+		if (($prefix == '') || (strpos($k,$prefix) === 0))
+		{  // Field to validate
+		  $result = $this->validateField($k,$v,$justStrip);
+		  if ($result === FALSE)
+		  {  // error
+			$ret['failed'][$k] = $v;
+			$ret['errors'][$k] = TRUE;
+		  }
+		  else
+		  {
+			if ($doToTB) $result = $tp->toDB($result);
+			$ret['validate'][$k] = $result;
+		  }
+		}
+	  }
+	  return $ret;
+	}
+
+	// Takes an array of $_POST field names specified in comma-separated form in $fieldlist (blank = 'all'), and passes them through the validateField routine
+	// Returns three arrays - one of validated results, one of failed fields and one of errors corresponding to the failed fields
+	function validatePostFields($fieldList = '', $doToDB = TRUE, $justStrip = FALSE)
+	{
+	  global $tp;
+	  $ret = array('validate' => array(), 'failed' => array(), 'errors' => array());
+	  if ($fieldList == '')
+	  {
+	    $fieldArray = array_keys($_POST);
+	  }
+	  else
+	  {
+		$fieldArray = explode(',',$fieldList);
+	  }
+	  foreach ($fieldArray as $k)
+	  {
+		$k = trim($k);
+		$result = $this->validateField($k,$_POST[$k],$justStrip);
+		if ($result === FALSE)
+		{  // error
+		  $ret['failed'][$k] = $_POST[$k];
+		  $ret['errors'][$k] = TRUE;
+		}
+		else
+		{
+		  if ($doToTB) $result = $tp->toDB($result);
+		  $ret['validate'][$k] = $result;
+		}
+	  }
+	  return $ret;
+	}
+
+
+}
+
+?>
diff --git a/e107_languages/English/admin/lan_prefs.php b/e107_languages/English/admin/lan_prefs.php
index e5fb33109..f4b3e364d 100644
--- a/e107_languages/English/admin/lan_prefs.php
+++ b/e107_languages/English/admin/lan_prefs.php
@@ -12,8 +12,8 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_languages/English/admin/lan_prefs.php,v $
-|     $Revision: 1.11 $
-|     $Date: 2008-01-13 10:51:42 $
+|     $Revision: 1.12 $
+|     $Date: 2008-06-13 20:20:21 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -72,11 +72,11 @@ define("PRFLAN_58", "Restrict website to members only");
 define("PRFLAN_59", "ticking will restrict all areas apart from the front page and signup page to members only");
 define("PRFLAN_60", "Enable SSL");
 define("PRFLAN_61", "Only enable SSL if <b>you are sure you know what you are doing!</b>");
-define("PRFLAN_76", "Enable Image-code verification during signup.");
+define("PRFLAN_76", "Enable Image-code verification during signup");
 define("PRFLAN_77", "Admin Display Options ");
 define("PRFLAN_78", "Leave blank to disable");
 define("PRFLAN_80", "Click here to view");
-define("PRFLAN_81", "Enable Image-code verification during login.");
+define("PRFLAN_81", "Enable Image-code verification during login");
 define("PRFLAN_83", "example");
 define("PRFLAN_87", "Comments");
 define("PRFLAN_88", "Turn on nested comments");
@@ -163,36 +163,47 @@ define("PRFLAN_31", "Email Verification");
 define("PRFLAN_152", "No Verification");
 define("PRFLAN_153", "Admin Approval");
 define("PRFLAN_154", "New user verification method <br />If 'Admin Approval' is selected, it is recommended that you enable email notification on user signup <a href='".e_ADMIN."notify.php'>here</a>.");
-
 define("PRFLAN_155", "Display name and login name may be different for");
 define("PRFLAN_156", "Reset ALL Display Names");
 define("PRFLAN_157", "All Display Names have been reset to the Username");
 define("PRFLAN_158", "Display Name maximum length (5..30)");
 define("PRFLAN_159", "viewing this page with");
-
 define("PRFLAN_160", "Check remote servers when validating email addresses.");
 define("PRFLAN_161", "Disable all comments on the site");
-
 define("PRFLAN_162", "Site Contact Information");
 define("PRFLAN_163", "e.g. Company Name, Address, Phone, etc.");
-
 define("PRFLAN_164", "Allow users to email copy of contact email to self");
 define("PRFLAN_165", "Possible opening for allowing spam, use with caution");
 define("PRFLAN_166", "Show emoticon images on comment form?");
-
 define("PRFLAN_167", "Make entering an email address optional"); // subject to change.
 define("PRFLAN_168", "Site Contact Person(s)");
 define("PRFLAN_169", "If the chosen group contains more than one person, the user will be asked to select a person from the group.");
-
 //define("PRFLAN_170", "Use reverse DNS to allow host banning");
 //define("PRFLAN_171", "Turning this option on will allow you to ban users by hostname, rather then just IP or email address.  <br />NOTE: This may affect pageload times on some hosts");
 define("PRFLAN_172", "Login Name maximum length (10..100)");
 define("PRFLAN_173", "Check at SourceForge for E107 updates once/day");
-
 define("PRFLAN_174", "Name for responses to emails from site");
 define("PRFLAN_175", "This will appear in the 'From' field of registration and other emails from this site");
 define("PRFLAN_176", "Email address for emails from site");
 define("PRFLAN_177", "Address specified for replies to emails from this site.");
+define("PRFLAN_178", "Password transmission method");
+define("PRFLAN_179", "(Only supported if using sessions for user tracking.)");
+define("PRFLAN_180", "Plaintext");
+define("PRFLAN_181", "CHAP, plaintext fallback");
+define("PRFLAN_182", "CHAP only");
+define("PRFLAN_183", " CHAP requires JS enabled in user's browser");
+define('PRFLAN_184', 'Allow login by email address');
+define('PRFLAN_185', '(as well as login name)');
+define('PRFLAN_186', 'Yes');
+define('PRFLAN_187', 'No');
+define('PRFLAN_188', 'Password encoding');
+define('PRFLAN_189', 'md5 (Legacy)');
+define('PRFLAN_190', 'Salted');
+define('PRFLAN_191', '(md5 is usually adequate for an Intranet, and often for other sites)');
+define('PRFLAN_192', 'Generate random predefined login names according to a pattern');
+define('PRFLAN_193', 'To allow users to set their own login names, leave blank');
+define('PRFLAN_194', '# - alpha<br />. - numeric<br />* - alphanumeric<br />Other chars used as entered');
+define('PRFLAN_195', '');
 
 
 ?>
\ No newline at end of file
diff --git a/e107_languages/English/admin/lan_users.php b/e107_languages/English/admin/lan_users.php
index c1022e25f..a2310bd84 100644
--- a/e107_languages/English/admin/lan_users.php
+++ b/e107_languages/English/admin/lan_users.php
@@ -4,8 +4,8 @@
 |     e107 website system - Language File.
 |
 |     $Source: /cvs_backup/e107_0.8/e107_languages/English/admin/lan_users.php,v $
-|     $Revision: 1.9 $
-|     $Date: 2008-01-01 12:38:05 $
+|     $Revision: 1.10 $
+|     $Date: 2008-06-13 20:20:21 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -169,6 +169,12 @@ define('USRLAN_166', 'User ID --UID-- name --NAME-- approved');
 define('USRLAN_167', 'Validation email ID --ID-- resent to --NAME-- at --EMAIL--');
 define('USRLAN_168', 'Re-send --COUNT-- validation emails');
 define('USRLAN_169', 'Total --COUNT-- bounced emails deleted');
+define('USRLAN_170', 'Random user name');
+define('USRLAN_171', 'Random password');
+define('USRLAN_172', 'Password set');
+define('USRLAN_173', 'Login name set');
+define('USRLAN_174', '');
+define('USRLAN_175', '');
 
 define("LAN_MAINADMIN","Main Admin");
 define("LAN_ADMIN","Admin");
diff --git a/e107_languages/English/lan_login.php b/e107_languages/English/lan_login.php
index 8cd4ff6b7..d7afedf37 100644
--- a/e107_languages/English/lan_login.php
+++ b/e107_languages/English/lan_login.php
@@ -4,8 +4,8 @@
 |     e107 website system - Language File.
 |
 |     $Source: /cvs_backup/e107_0.8/e107_languages/English/lan_login.php,v $
-|     $Revision: 1.2 $
-|     $Date: 2008-01-01 21:26:23 $
+|     $Revision: 1.3 $
+|     $Date: 2008-06-13 20:20:22 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -33,5 +33,8 @@ define("LAN_LOGIN_21", "Incorrect login. The entered data doesn't match to a reg
 define("LAN_LOGIN_22", "You have not activated your account. You should have received an email with instructions on how to confirm your account. If not, please click <a href='".e_BASE."signup.php?resend'>here</a>.");
 define("LAN_LOGIN_23", "Incorrect code entered.");
 define("LAN_LOGIN_24", "That username/password combination is already in use.");
+define("LAN_LOGIN_25", "Banned user attempted to login");
+define("LAN_LOGIN_26", "Login fail - reason unknown");
+define('LAN_LOGIN_27', 'User attempted to log in before responding to confirmation email');
 
 ?>
\ No newline at end of file
diff --git a/e107_languages/English/lan_signup.php b/e107_languages/English/lan_signup.php
index 1d431bb97..243ca0e88 100644
--- a/e107_languages/English/lan_signup.php
+++ b/e107_languages/English/lan_signup.php
@@ -4,8 +4,8 @@
 |     e107 website system - Language File.
 |
 |     $Source: /cvs_backup/e107_0.8/e107_languages/English/lan_signup.php,v $
-|     $Revision: 1.10 $
-|     $Date: 2007-12-15 15:06:40 $
+|     $Revision: 1.11 $
+|     $Date: 2008-06-13 20:20:22 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -103,7 +103,7 @@ define("LAN_SIGNUP_44", "Activation email sent to:");
 define("LAN_SIGNUP_45", "Please check your inbox.");
 define("LAN_SIGNUP_47", "Resend Activation Email");
 define("LAN_SIGNUP_48", "Username or Email");
-define("LAN_SIGNUP_49", "If you registered with the wrong email address, type a new one and your password here:");
+define("LAN_SIGNUP_49", "If you registered with the wrong email address, as well as filling in the box above, type a new email address and your password here:");
 define("LAN_SIGNUP_50", "New Email");
 define("LAN_SIGNUP_51", "Old Password");
 define("LAN_SIGNUP_52", "Incorrect Password");
@@ -118,10 +118,10 @@ define('LAN_SIGNUP_60','Signup email resend requested');
 define('LAN_SIGNUP_61','Send succeeded');
 define('LAN_SIGNUP_62','Send failed');
 define('LAN_SIGNUP_63','Password reset email resent requested');
-define('LAN_SIGNUP_64','');
-define('LAN_SIGNUP_65','');
-define('LAN_SIGNUP_66','');
-define('LAN_SIGNUP_67','');
+define('LAN_SIGNUP_64','That doesn\'t appear to be valid user information');
+define('LAN_SIGNUP_65','You have been assigned the following login name');
+define('LAN_SIGNUP_66','Please make a note of it.');
+define('LAN_SIGNUP_67','This will be assigned by the system after signup');
 define('LAN_SIGNUP_68','');
 define('LAN_SIGNUP_69','');
 define('LAN_SIGNUP_70','');
diff --git a/e107_languages/English/lan_usersettings.php b/e107_languages/English/lan_usersettings.php
index 564e29de1..1c566a3f1 100644
--- a/e107_languages/English/lan_usersettings.php
+++ b/e107_languages/English/lan_usersettings.php
@@ -4,8 +4,8 @@
 |     e107 website system - Language File.
 |
 |     $Source: /cvs_backup/e107_0.8/e107_languages/English/lan_usersettings.php,v $
-|     $Revision: 1.12 $
-|     $Date: 2008-01-15 21:57:47 $
+|     $Revision: 1.13 $
+|     $Date: 2008-06-13 20:20:22 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -23,14 +23,9 @@ define("LAN_106", "That doesn't appear to be a valid email address");
 define("LAN_112", "Email Address: ");
 define("LAN_113", "Hide email address?: ");
 define("LAN_114", "This will prevent your email address from being displayed on site");
-//define("LAN_115", "ICQ Number: ");
-//define("LAN_116", "AIM Address: ");
-//define("LAN_117", "MSN Messenger: ");
-//define("LAN_118", "Birthday: ");
 define("LAN_119", "Location: ");
 define("LAN_120", "Signature: ");
 define("LAN_121", "Avatar: ");
-//define("LAN_122", "Timezone:");
 define("LAN_144", "Website URL: ");
 define("LAN_150", "Settings updated and saved into database.");
 define("LAN_151", "OK");
@@ -114,6 +109,13 @@ define("LAN_USET_16", "Tick box to delete existing photo without uploading anoth
 define("LAN_USET_17", "Display name already used. Please choose another");
 define('LAN_USET_18', 'User data changed by admin: --ID--, login name: --LOGNAME--');
 define('LAN_USET_19', 'Custom Title');
-define('LAN_USET_20', '');
+define('LAN_USET_20', 'You must also change the user\'s password if you are changing their login name or email address');
+define('LAN_USET_21', 'Please validate the changes by re-entering your password: ');
+define('LAN_USET_22', 'Invalid password!');
+define('LAN_USET_23', '');
+define('LAN_USET_24', '');
+define('LAN_USET_25', '');
+
+define('LAN_ENTER', 'Enter');
 
 ?>
\ No newline at end of file
diff --git a/e107_plugins/login_menu/login_menu.php b/e107_plugins/login_menu/login_menu.php
index 4485ae5ea..1c60c47cf 100644
--- a/e107_plugins/login_menu/login_menu.php
+++ b/e107_plugins/login_menu/login_menu.php
@@ -11,9 +11,9 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_plugins/login_menu/login_menu.php,v $
-|     $Revision: 1.9 $
-|     $Date: 2008-03-13 19:15:56 $
-|     $Author: lisa_ $
+|     $Revision: 1.10 $
+|     $Date: 2008-06-13 20:20:22 $
+|     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
 
@@ -24,7 +24,7 @@ if(defined("FPW_ACTIVE"))
 	return;      // prevent failed login attempts when fpw.php is loaded before this menu.
 }
 
-global $eMenuActive, $e107, $tp, $use_imagecode, $ADMIN_DIRECTORY, $LOGIN_MENU_MESSAGE, $LOGIN_MENU_STATITEM, $LM_STATITEM_SEPARATOR,
+global $eMenuActive, $pref, $e107, $tp, $use_imagecode, $ADMIN_DIRECTORY, $LOGIN_MENU_MESSAGE, $LOGIN_MENU_STATITEM, $LM_STATITEM_SEPARATOR,
        $login_menu_shortcodes, $LOGIN_MENU_FORM, $LOGIN_MENU_LOGGED, $LOGIN_MENU_STATS, $LOGIN_MENU_EXTERNAL_LINK;
 $ip = $e107->getip();
 
@@ -167,8 +167,12 @@ else
     	require(e_PLUGIN."login_menu/login_menu_template.php");
 	}
 
-	$text = '<form method="post" action="'.e_SELF.(e_QUERY ? '?'.e_QUERY : '').'">';
-	$text .= $tp->parseTemplate($LOGIN_MENU_FORM, true, $login_menu_shortcodes);
+	$text = '<form method="post" action="'.e_SELF.(e_QUERY ? '?'.e_QUERY : '');
+	if (varsettrue($pref['password_CHAP'],0))
+	{
+	  $text .= '" onsubmit="hashLoginPassword(this)';
+	}
+	$text .= '">'.$tp->parseTemplate($LOGIN_MENU_FORM, true, $login_menu_shortcodes);
 	$text .= '</form>';
 
 	if (file_exists(THEME.'images/login_menu.png')) {
diff --git a/e107_plugins/login_menu/login_menu_shortcodes.php b/e107_plugins/login_menu/login_menu_shortcodes.php
index 0054adf34..bf9f8159a 100755
--- a/e107_plugins/login_menu/login_menu_shortcodes.php
+++ b/e107_plugins/login_menu/login_menu_shortcodes.php
@@ -11,9 +11,9 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_plugins/login_menu/login_menu_shortcodes.php,v $
-|     $Revision: 1.5 $
-|     $Date: 2008-02-06 00:23:28 $
-|     $Author: secretr $
+|     $Revision: 1.6 $
+|     $Date: 2008-06-13 20:20:22 $
+|     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
 if (!defined('e107_INIT')) { exit; }
@@ -21,11 +21,15 @@ global $tp;
 $login_menu_shortcodes = $tp -> e_sc -> parse_scbatch(__FILE__);
 /*
 SC_BEGIN LM_USERNAME_INPUT
-return "<input class='tbox login user' type='text' name='username' id='username' size='15' value='' maxlength='30' />\n";
+global $pref;
+return "<input class='tbox login user' type='text' name='username' id='username' size='15' value='' maxlength='".varset($pref['loginname_maxlength'],30)."' />\n";
 SC_END
 
 SC_BEGIN LM_PASSWORD_INPUT
-return "<input class='tbox login pass' type='password' name='userpass' id='userpass' size='15' value='' maxlength='20' />\n\n";
+global $pref;
+$t_password = "<input class='tbox login pass' type='password' name='userpass' id='userpass' size='15' value='' maxlength='30' />\n";
+if (!USER && isset($_SESSION['challenge']) && varset($pref['password_CHAP'],0)) $t_password .= "<input type='hidden' name='hashchallenge' id='hashchallenge' value='{$_SESSION['challenge']}' />\n\n";
+return $t_password;
 SC_END
 
 SC_BEGIN LM_IMAGECODE
@@ -100,7 +104,7 @@ if ($pref['user_reg'])
 	if(isset($pref['user_reg_veri']) && $pref['user_reg_veri'] == 1){
 		if (!$pref['auth_method'] || $pref['auth_method'] == 'e107' )
 		{
-			return $parm == 'href' ? e_SIGNUP.'?resend' : "<a class='login_menu_link resend' id=login_menu_link_resend' href='".e_SIGNUP."?resend' title=\"".LOGIN_MENU_L40."\">".LOGIN_MENU_L40."</a>";
+			return $parm == 'href' ? e_SIGNUP.'?resend' : "<a class='login_menu_link resend' id='login_menu_link_resend' href='".e_SIGNUP."?resend' title=\"".LOGIN_MENU_L40."\">".LOGIN_MENU_L40."</a>";
 		}
 	}
 }
diff --git a/e107_plugins/login_menu/login_menu_template.php b/e107_plugins/login_menu/login_menu_template.php
index 2ea617369..edca3aee2 100644
--- a/e107_plugins/login_menu/login_menu_template.php
+++ b/e107_plugins/login_menu/login_menu_template.php
@@ -11,9 +11,9 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_plugins/login_menu/login_menu_template.php,v $
-|     $Revision: 1.4 $
-|     $Date: 2008-02-06 00:23:28 $
-|     $Author: secretr $
+|     $Revision: 1.5 $
+|     $Date: 2008-06-13 20:20:22 $
+|     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
 
@@ -56,9 +56,22 @@ if (!isset($LOGIN_MENU_FORM)){
     $sc_style['LM_IMAGECODE_BOX']['pre'] = "";
     $sc_style['LM_IMAGECODE_BOX']['post'] = "<br />";
     
-	$LOGIN_MENU_FORM = "
-    	{LM_MESSAGE}
-    	<div style='text-align: center'>
+	$LOGIN_MENU_FORM = "{LM_MESSAGE}";
+
+	if ((varset($pref['password_CHAP'],0) == 2) && ($pref['user_tracking'] == "session"))
+	{
+	  $LOGIN_MENU_FORM .= "
+    	<div style='text-align: center' id='nologinmenuchap'>"."Javascript must be enabled in your browser if you wish to log into this site"."
+		</div>
+    	<div style='text-align: center; display:none' id='loginmenuchap'>";
+	}
+	else
+	{
+	  $LOGIN_MENU_FORM .= "
+    	<div style='text-align: center'>";
+	}
+
+	$LOGIN_MENU_FORM .= "
             ".LOGIN_MENU_L1."<br />   
             {LM_USERNAME_INPUT}<br />
             ".LOGIN_MENU_L2."<br />
diff --git a/e107_themes/templates/header_default.php b/e107_themes/templates/header_default.php
index 4aa558da7..0d03cda25 100644
--- a/e107_themes/templates/header_default.php
+++ b/e107_themes/templates/header_default.php
@@ -6,9 +6,9 @@
 |     Released under the terms and conditions of the GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_themes/templates/header_default.php,v $
-|     $Revision: 1.20 $
-|     $Date: 2008-03-13 19:15:56 $
-|     $Author: lisa_ $
+|     $Revision: 1.21 $
+|     $Date: 2008-06-13 20:20:22 $
+|     $Author: e107steved $
 +-----------------------------------------------------------------------------------------------+
 */
 
@@ -93,11 +93,16 @@ echo "<html xmlns='http://www.w3.org/1999/xhtml'".(defined("TEXTDIRECTION") ? "
 //
 
 // Wysiwyg JS support on or off.
-if (varset($pref['wysiwyg'],FALSE) && check_class($pref['post_html']) && varset($e_wysiwyg) != "") {
+if (varset($pref['wysiwyg'],FALSE) && check_class($pref['post_html']) && varset($e_wysiwyg) != "") 
+{
 	define("e_WYSIWYG",TRUE);
-}else{
+}
+else
+{
 	define("e_WYSIWYG",FALSE);
 }
+
+
 // Load Plugin Header Files
 if (varset($pref['e_header_list']) && is_array($pref['e_header_list']))
 {
@@ -110,9 +115,13 @@ if (varset($pref['e_header_list']) && is_array($pref['e_header_list']))
 	}
 }
 
-if (isset($theme_js_php) && $theme_js_php) {
+
+if (isset($theme_js_php) && $theme_js_php) 
+{
 	echo "<link rel='stylesheet' href='".THEME_ABS."theme-js.php' type='text/css' />";
-} else {
+} 
+else 
+{
 	if (!isset($no_core_js) || !$no_core_js)
 	{
 		echo "<script type='text/javascript' src='".e_FILE_ABS."e_js.php'></script>\n";
@@ -120,11 +129,12 @@ if (isset($theme_js_php) && $theme_js_php) {
 	if (file_exists(THEME.'theme.js')) { echo "<script type='text/javascript' src='".THEME_ABS."theme.js'></script>\n"; }
 	if (is_readable(e_FILE.'user.js') && filesize(e_FILE.'user.js')) { echo "<script type='text/javascript' src='".e_FILE_ABS."user.js'></script>\n"; }
 	if (file_exists(THEME.'theme.vbs')) { echo "<script type='text/vbscript' src='".THEME_ABS."theme.vbs'></script>\n"; }
-	if (filesize(e_FILE.'user.vbs')) { echo "<script type='text/vbscript' src='".e_FILE_ABS."user.vbs'></script>\n"; }
-	
+  if (is_readable(e_FILE.'user.vbs') && filesize(e_FILE.'user.vbs')) { echo "<script type='text/vbscript' src='".e_FILE_ABS."user.vbs'></script>\n"; }
 }
+	
 
-if (isset($eplug_js) && $eplug_js) {
+if (isset($eplug_js) && $eplug_js) 
+{
 	echo "\n<!-- eplug_js -->\n";
 	if(is_array($eplug_js))
 	{
@@ -138,14 +148,29 @@ if (isset($eplug_js) && $eplug_js) {
 	{
     	echo "<script type='text/javascript' src='{$eplug_js}'></script>\n";
 	}
-
 }
 
-if((isset($pref['enable_png_image_fix']) && $pref['enable_png_image_fix'] == true) || (isset($sleight) && $sleight == true)) {
+
+if (!USER && ($pref['user_tracking'] == "session") && varset($pref['password_CHAP'],0))
+{
+  if ($pref['password_CHAP'] == 2)
+  {
+		// *** Add in the code to swap the display tags
+	$js_body_onload[] = "expandit('loginmenuchap','nologinmenuchap');";
+  }
+  echo "<script type='text/javascript' src='".e_FILE_ABS."chap_script.js'></script>\n";
+  $js_body_onload[] = "getChallenge();";
+}
+
+
+if((isset($pref['enable_png_image_fix']) && $pref['enable_png_image_fix'] == true) || (isset($sleight) && $sleight == true)) 
+{
 	echo "<script type='text/javascript' src='".e_FILE_ABS."sleight_js.php'></script>\n\n";
 }
 
-if (function_exists('headerjs')){echo headerjs();  }
+if (function_exists('headerjs')) {echo headerjs();  }
+
+
 
 //
 // E: Send CSS
diff --git a/e107_themes/templates/login_template.php b/e107_themes/templates/login_template.php
index 2b954c0ea..54b5a7f55 100644
--- a/e107_themes/templates/login_template.php
+++ b/e107_themes/templates/login_template.php
@@ -1,5 +1,5 @@
 <?php
-// $Id: login_template.php,v 1.4 2007-12-06 21:35:55 e107steved Exp $
+// $Id: login_template.php,v 1.5 2008-06-13 20:20:23 e107steved Exp $
 
 if (!defined('e107_INIT')) { exit; }
 
@@ -16,13 +16,44 @@ if(!isset($LOGIN_TABLE_HEADER))
 if(!isset($LOGIN_TABLE))
 {
 		$LOGIN_TABLE = "";
-		if($LOGIN_TABLE_LOGINMESSAGE != ""){
+  if($LOGIN_TABLE_LOGINMESSAGE != "")
+  {
 				$LOGIN_TABLE .= "<div style='text-align:center'>{LOGIN_TABLE_LOGINMESSAGE}</div>";
 		}
+  
+  if (($pref['user_tracking'] == "session") && varset($pref['password_CHAP'],0))
+  {
+	if ($pref['password_CHAP'] == 2)
+	{
 		$LOGIN_TABLE .= "
-		<div style='text-align:center'>
-		".$rs -> form_open("post", e_SELF)."<table class='fborder' style='width:60%' >\n<tr>\n<td class='forumheader' style='text-align:center;' colspan='3'>".LAN_LOGIN_4."</td>\n</tr>\n<tr>\n<td class='forumheader3' width='40%'>".LAN_LOGIN_1."</td>\n<td class='forumheader3' width='40%'>{LOGIN_TABLE_USERNAME}</td>\n<td class='forumheader3' width='20%' rowspan='".($LOGIN_TABLE_SECIMG_SECIMG ? 3 : 2)."' style='vertical-align: middle; margin-left: auto; margin-right: auto; text-align: center;'>".(file_exists(THEME."images/password.png") ? "<img src='".THEME_ABS."images/password.png' alt='' />\n" : "<img src='".e_IMAGE."packs/".$imode."/generic/password.png' alt='' />\n" )."</td>\n</tr>\n<tr>\n<td class='forumheader3'>".LAN_LOGIN_2."</td>\n<td class='forumheader3'>{LOGIN_TABLE_PASSWORD}</td>\n</tr>\n";
-	if($LOGIN_TABLE_SECIMG_SECIMG){
+    	<div style='text-align: center' id='nologinmenuchap'>"."Javascript must be enabled in your browser if you wish to log into this site"."
+		</div>
+    	<div style='text-align: center; display:none' id='loginmenuchap'>";
+	}
+	else
+	{
+	  $LOGIN_TABLE .= "<div style='text-align:center'>";
+	}
+	$LOGIN_TABLE .= $rs -> form_open("post", e_SELF,'','','',' onsubmit="hashLoginPassword(this)"');
+  }
+  else
+  {
+	$LOGIN_TABLE .= "<div style='text-align:center'>".$rs -> form_open("post", e_SELF);
+  }
+  
+  $LOGIN_TABLE .= 
+		"<table class='fborder' style='width:60%' >\n
+		<tr>\n
+		  <td class='forumheader' style='text-align:center;' colspan='3'>".LAN_LOGIN_4."</td>\n
+		</tr>\n
+		<tr>\n
+		  <td class='forumheader3' style='width:40%'>".LAN_LOGIN_1."</td>\n
+		  <td class='forumheader3' style='width:40%'>{LOGIN_TABLE_USERNAME}</td>\n
+		  <td class='forumheader3' rowspan='".($LOGIN_TABLE_SECIMG_SECIMG ? 3 : 2)."' style='width:20%; vertical-align: middle; margin-left: auto; margin-right: auto; text-align: center;'>".(file_exists(THEME."images/password.png") ? "<img src='".THEME_ABS."images/password.png' alt='' />\n" : "<img src='".e_IMAGE."packs/".$imode."/generic/password.png' alt='' />\n" )."</td>\n</tr>\n
+		  <tr>\n<td class='forumheader3'>".LAN_LOGIN_2."</td>\n<td class='forumheader3'>{LOGIN_TABLE_PASSWORD}
+		  </td>\n</tr>\n";
+	if($LOGIN_TABLE_SECIMG_SECIMG)
+	{
 		$LOGIN_TABLE .= "<tr><td class='forumheader3'>{LOGIN_TABLE_SECIMG_LAN}</td>\n<td class='forumheader3'>{LOGIN_TABLE_SECIMG_HIDDEN} {LOGIN_TABLE_SECIMG_SECIMG} {LOGIN_TABLE_SECIMG_TEXTBOC}</td>\n</tr>\n";
 	}
 
diff --git a/fpw.php b/fpw.php
index 72674367e..e89f8d4e3 100644
--- a/fpw.php
+++ b/fpw.php
@@ -11,31 +11,34 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/fpw.php,v $
-|     $Revision: 1.5 $
-|     $Date: 2008-02-18 02:12:06 $
-|     $Author: mcfly_e107 $
+|     $Revision: 1.6 $
+|     $Date: 2008-06-13 20:20:20 $
+|     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
 require_once("class2.php");
 
-if(USER){
+if(USER)
+{
 	header("location:".e_BASE."index.php");
 	exit;
 }
 
-if($pref['fpwcode'] && extension_loaded("gd")){
+if($pref['fpwcode'] && extension_loaded("gd"))
+{
 	define("USE_IMAGECODE",TRUE);
-}else{
+  require_once(e_HANDLER."secure_img_handler.php");
+  $sec_img = new secure_image;
+}
+else
+{
 	define("USE_IMAGECODE",FALSE);
 }
 
 
-if (USE_IMAGECODE) {
-	require_once(e_HANDLER."secure_img_handler.php");
-	$sec_img = new secure_image;
-}
 
-if ($pref['membersonly_enabled']) {
+if ($pref['membersonly_enabled']) 
+{
 	if (!$FPW_TABLE_HEADER) {
 		if (file_exists(THEME."fpw_template.php")) {
 			require_once(THEME."fpw_template.php");
@@ -47,6 +50,9 @@ if ($pref['membersonly_enabled']) {
 	$FOOTER = preg_replace("/\{(.*?)\}/e", '$\1', $FPW_TABLE_FOOTER);
 }
 
+require_once(e_HANDLER.'user_handler.php');
+$user_info = new UserHandler;
+
 require_once(HEADERF);
 
 function fpw_error($txt)
@@ -77,7 +83,9 @@ if (e_QUERY)
 		for($a = 0; $a <= $pwlen; $a++) {
 			$newpw .= chr(rand(97, 122));
 		}
-		$mdnewpw = md5($newpw);
+		list($username, $md5) = explode($fpw_sep, $tmp_info);
+//		$mdnewpw = md5($newpw);
+		$mdnewpw = $user_info->HashPassword($newpw,$username);
 
 		// Details for admin log
 		$do_log['password_action'] = LAN_FPW21;
@@ -86,8 +94,7 @@ if (e_QUERY)
 		$do_log['user_password'] = $mdnewpw;
 		$admin_log->user_audit(USER_AUDIT_PW_RES,$do_log,0,$do_log['user_name']);
 
-		list($username, $md5) = explode($fpw_sep, $tmp_info);
-		$sql->db_Update("user", "user_password='{$mdnewpw}', user_viewed='' WHERE user_name='".$tp -> toDB($username, true)."' ");
+		$sql->db_Update("user", "user_password='{$mdnewpw}', user_viewed='' WHERE user_loginname='".$tp -> toDB($username, true)."' ");
 		cookie($pref['cookie_name'], "", (time()-2592000));
 		$_SESSION[$pref['cookie_name']] = "";
 
@@ -99,7 +106,9 @@ if (e_QUERY)
 		<br /><br />".LAN_FPW10." <a href='".e_LOGIN."'>".LAN_FPW11."</a> ".LAN_FPW12."</div>";
 		fpw_error($txt);
 
-	} else {
+	} 
+	else 
+	{
 		fpw_error(LAN_FPW7);
 	}
 }
@@ -155,7 +164,7 @@ if (isset($_POST['pwsubmit']))
 
 		$deltime = time()+86400 * 2;
 		//Set timestamp two days ahead so it doesn't get auto-deleted
-		$sql->db_Insert("tmp", "'pwreset',{$deltime},'{$user_name}{$fpw_sep}{$rcode}'");
+		$sql->db_Insert("tmp", "'pwreset',{$deltime},'{$row['user_loginname']}{$fpw_sep}{$rcode}'");
 
 		$do_log['password_action'] = LAN_FPW18;
 		$do_log['user_id'] = $row['user_id'];
diff --git a/login.php b/login.php
index 255b7b4c5..90bfb1b9c 100644
--- a/login.php
+++ b/login.php
@@ -11,8 +11,8 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/login.php,v $
-|     $Revision: 1.3 $
-|     $Date: 2007-03-05 21:35:12 $
+|     $Revision: 1.4 $
+|     $Date: 2008-06-13 20:20:20 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -21,19 +21,25 @@ require_once("class2.php");
 $HEADER = "";
 require_once(HEADERF);
 $use_imagecode = ($pref['logcode'] && extension_loaded("gd"));
-if ($use_imagecode) {
+if ($use_imagecode) 
+{
 	require_once(e_HANDLER."secure_img_handler.php");
 	$sec_img = new secure_image;
 }
 
-if (!USER) {
+if (!USER) 
+{
 	require_once(e_HANDLER."form_handler.php");
 	$rs = new form;
 	$text = "";
 
 	$LOGIN_TABLE_LOGINMESSAGE = LOGINMESSAGE;
-	$LOGIN_TABLE_USERNAME = "<input class='tbox' type='text' name='username' size='40' maxlength='100' />";
-	$LOGIN_TABLE_PASSWORD = "<input class='tbox' type='password' name='userpass' size='40' maxlength='100' />";
+	$LOGIN_TABLE_USERNAME = "<input class='tbox' type='text' name='username' id='username' size='40' maxlength='100' />";
+	$LOGIN_TABLE_PASSWORD = "<input class='tbox' type='password' name='userpass' id='userpass' size='40' maxlength='100' />";
+	if (!USER && isset($_SESSION['challenge']) && varset($pref['password_CHAP'],0)) 
+	{
+	  $LOGIN_TABLE_PASSWORD .= "<input type='hidden' name='hashchallenge' id='hashchallenge' value='{$_SESSION['challenge']}' />\n\n";
+	}
 	if ($use_imagecode)
 	{
 		$LOGIN_TABLE_SECIMG_LAN = LAN_LOGIN_13;
diff --git a/signup.php b/signup.php
index 32f7b90e1..4418a2e07 100644
--- a/signup.php
+++ b/signup.php
@@ -11,15 +11,16 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/signup.php,v $
-|     $Revision: 1.17 $
-|     $Date: 2008-03-23 21:43:47 $
+|     $Revision: 1.18 $
+|     $Date: 2008-06-13 20:20:20 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
 
 require_once("class2.php");
 $qs = explode(".", e_QUERY);
-if($qs[0] != "activate"){   // multi-language fix.
+if($qs[0] != "activate")
+{   // multi-language fix.
 	e107_include_once(e_LANGUAGEDIR.e_LANGUAGE."/lan_signup.php");
 	e107_include_once(e_LANGUAGEDIR."English/lan_signup.php");
 	e107_include_once(e_LANGUAGEDIR.e_LANGUAGE."/lan_usersettings.php");
@@ -35,16 +36,22 @@ include_once(e_HANDLER."user_extended_class.php");
 $usere = new e107_user_extended;
 require_once(e_HANDLER."calendar/calendar_class.php");
 $cal = new DHTML_Calendar(true);
+require_once(e_HANDLER.'user_handler.php');
+$user_info = new UserHandler;
 
-if (is_readable(THEME."signup_template.php")) {
+if (is_readable(THEME."signup_template.php")) 
+{
 	require_once(THEME."signup_template.php");
-} else {
+} 
+else 
+{
 	require_once(e_THEME."templates/signup_template.php");
 }
 
 include_once(e_FILE."shortcode/batch/signup_shortcodes.php");
 
 $signup_imagecode = ($pref['signcode'] && extension_loaded("gd"));
+$text = '';
 
 
 //-------------------------------
@@ -67,36 +74,47 @@ if(e_QUERY == "resend" && !USER && ($pref['user_reg_veri'] == 1))
 	}
 
 	if($_POST['submit_resend'])
-	{
+  {  // Action user's submitted information
+	// 'resend_email' - user name or email address actually used to sign up
+	// 'resend_newemail' - corrected email address
+	// 'resend_password' - password (required if changing email address)
+
 		if($_POST['resend_email'] && !$new_email && $sql->db_Select_gen("SELECT * FROM #user WHERE user_ban=0 AND user_sess='' AND (user_loginname= \"".$tp->toDB($_POST['resend_email'])."\" OR user_name = \"".$tp->toDB($_POST['resend_email'])."\" OR user_email = \"".$clean_email."\" ) "))
-		{
+	{	// Account already activated
 			$ns -> tablerender(LAN_SIGNUP_40,LAN_SIGNUP_41."<br />");
 			require_once(FOOTERF);
 			exit;
 		}
 
+
+	// Start by looking up the user
+	if(!$sql->db_Select("user", "*", "(user_loginname = \"".$tp->toDB($_POST['resend_email'])."\" OR user_name = \"".$tp->toDB($_POST['resend_email'])."\" OR user_email = \"".$clean_email."\" ) AND user_ban=".USER_REGISTERED_NOT_VALIDATED." AND user_sess !='' LIMIT 1"))
+	{
+	  require_once(e_HANDLER."message_handler.php");
+	  message_handler("ALERT",LAN_SIGNUP_64); // email (or other info) not valid.
+	  exit;
+	}
+	$row = $sql -> db_Fetch();
+	// We should have a user record here
+
 		if(trim($_POST['resend_password']) !="" && $new_email)
+	{  // Need to change the email address - check password to make sure
+	  if ($user_info->CheckPassword($_POST['resend_password'], $row['user_loginname'], $row['user_password']) === TRUE)
 		{
-        	if($sql->db_Select("user", "user_id", "user_password = \"".md5($_POST['resend_password'])."\" AND user_ban=2 AND user_sess !='' LIMIT 1"))
-			{
-				$row = $sql -> db_Fetch();
             	if($sql->db_Update("user", "user_email='".$new_email."' WHERE user_id = '".$row['user_id']."' LIMIT 1 "))
 				{
-                	$clean_email = $new_email;
+		  $row['user_email'] = $new_email;
 				}
 			}
 			else
 			{
 			   	require_once(e_HANDLER."message_handler.php");
 			   	message_handler("ALERT",LAN_SIGNUP_52); // Incorrect Password.
+		exit;
 			}
 		}
 
-
-		if($sql->db_Select("user", "*", "(user_loginname = \"".$tp->toDB($_POST['resend_email'])."\" OR user_name = \"".$tp->toDB($_POST['resend_email'])."\" OR user_email = \"".$clean_email."\" ) AND user_ban=2 AND user_sess !='' LIMIT 1"))
-		{
-			$row = $sql -> db_Fetch();
-
+	// Now send the email - got some valid info
 			$_POST['password1'] = "xxxxxxxxx";
 			$_POST['loginname'] = $row['user_loginname'];
 			$_POST['name'] = $row['user_name'];
@@ -124,14 +142,8 @@ if(e_QUERY == "resend" && !USER && ($pref['user_reg_veri'] == 1))
             require_once(FOOTERF);
             exit;
          }
-
-		require_once(e_HANDLER."message_handler.php");
-		message_handler("ALERT",LAN_106); // email not valid.
-		exit;
-	}
 	elseif(!$_POST['submit_resend'])
-	{
-
+  {	// Display form to get info from user
 		$text .= "<div style='text-align:center'>
 		<form method='post' action='".e_SELF."?resend' name='resend_form'>
 		<table style='".USER_WIDTH."' class='fborder'>
@@ -171,7 +183,6 @@ if(e_QUERY == "resend" && !USER && ($pref['user_reg_veri'] == 1))
 		require_once(FOOTERF);
 		exit;
 	}
-
     exit;
 }
 
@@ -402,6 +413,11 @@ if (isset($_POST['register']))
 	if($_POST['password1xup']) $_POST['password1'] = $_POST['password1xup'];
 	if($_POST['password2xup']) $_POST['password2'] = $_POST['password2xup'];
 
+	if (varsettrue($pref['predefinedLoginName']))
+	{
+	  $_POST['loginname'] = $user_info->generateUserLogin($pref['predefinedLoginName']);
+//	  if (empty($username)) $username = $loginname;
+	}
 //	Strip most invalid characters now
 	$temp_name = trim(preg_replace('/&nbsp;|\#|\=|\$/', "", strip_tags($_POST['loginname'])));
 	if ($temp_name != $_POST['loginname'])
@@ -409,7 +425,6 @@ if (isset($_POST['register']))
 		$error_message .= LAN_409."\\n";
 		$error = TRUE;
 	}
-	$_POST['loginname'] = $temp_name;
 
 	if (strcasecmp($_POST['loginname'],"Anonymous") == 0)
 	{
@@ -418,8 +433,8 @@ if (isset($_POST['register']))
 	}
 
 
-	// Use LoginName for DisplayName if restricted   **** MOVED FORWARD ****
-	if (!check_class($pref['displayname_class']))
+	// Use LoginName for DisplayName if restricted
+	if (!check_class($pref['displayname_class'],e_UC_PUBLIC.','.e_UC_MEMBER))
 	{
 		$_POST['name'] = $_POST['loginname'];
 	}
@@ -518,7 +533,7 @@ global $db_debug;
 
 
 	// Password length check.
-	if (trim(strlen($_POST['password1'])) < $pref['signup_pass_len'])
+	if (strlen(trim($_POST['password1'])) < $pref['signup_pass_len'])
 	{
 		$error_message .= LAN_SIGNUP_4.$pref['signup_pass_len'].LAN_SIGNUP_5."\\n";
 		$error = TRUE;
@@ -628,7 +643,7 @@ global $db_debug;
 		if(isset($_POST['ue']['user_'.$ext['user_extended_struct_name']]))
 		{
 			$newval = trim($_POST['ue']['user_'.$ext['user_extended_struct_name']]);
-			if($ext['user_extended_struct_required'] == 1 && $newval == "" )
+			if($ext['user_extended_struct_required'] == 1 && (($newval == "") || (($ext['user_extended_struct_type'] == 7) && ($newval == '0000-00-00')) ))
 			{
 				$_ftext = (defined($ext['user_extended_struct_text']) ? constant($ext['user_extended_struct_text']) : $ext['user_extended_struct_text']);
 				$error_message .= LAN_SIGNUP_6.$_ftext.LAN_SIGNUP_7."\\n";
@@ -674,7 +689,7 @@ global $db_debug;
 			exit;
 		}
 
-		if ($_POST['email'] && $sql->db_Select("user", "*", "user_email='".$_POST['email']."' AND user_ban='1'")) 
+	if ($_POST['email'] && $sql->db_Select("user", "*", "user_email='".$_POST['email']."' AND user_ban='".USER_BANNED."'")) 
 		{
 			exit;
 		}
@@ -693,12 +708,9 @@ global $db_debug;
 			$ue_fields .= $key."='".$val."'";
 		}
 
-		$u_key = md5(uniqid(rand(), 1));
+	$u_key = md5(uniqid(rand(), 1));				// Key for signup completion
 		// ************* Possible class insert
 		
-		require_once(e_HANDLER.'password_handler.php');
-		$passhandler = new PasswordHandler();
-
 		// Following array will be logged to both admin log and user's entry
 		$signup_data = array(
 		  'user_name' => $username,
@@ -708,20 +720,23 @@ global $db_debug;
 
 		// Following array is logged to user's entry only
 		$new_data = array(
-			'user_password' 	=> $sql->escape($passhandler->HashPassword($_POST['password1']), FALSE),
+			'user_password' 	=> $sql->escape($user_info->HashPassword($_POST['password1'], $loginname), FALSE),
 			'user_sess'			=> $u_key,
 			'user_signature'	=> $tp -> toDB($_POST['signature']),
 			'user_image'		=> $tp -> toDB($_POST['image']),
 			'user_hideemail'	=> $tp -> toDB($_POST['hideemail']),
 			'user_join'			=> time(),
 			'user_currentvisit'	=> time(),
-			'user_ban'			=> 2,
+			'user_ban'			=> USER_REGISTERED_NOT_VALIDATED,
 			'user_login'		=> $tp -> toDB($_POST['realname']),
 			'user_xup'			=> $tp -> toDB($_POST['xupexist'])
 			);
+	if (varsettrue($pref['allowEmailLogin']))
+	{  // Need to create separate password for email login
+	  $new_data['user_prefs'] = serialize(array('email_password' => $user_info->HashPassword($_POST['password1'], $new_data['user_email'])));
+	}
 
 		$nid = $sql->db_Insert("user", array_merge($signup_data,$new_data));
-//		$nid = $sql->db_Insert("user", "0, '{$username}', '{$loginname}', '', '".md5($_POST['password1'])."', '{$u_key}', '".$tp -> toDB($_POST['email'])."', '".$tp -> toDB($_POST['signature'])."', '".$tp -> toDB($_POST['image'])."', '".$tp -> toDB($_POST['hideemail'])."', '".$time."', '0', '".$time."', '0', '0', '0', '0', '".$ip."', '2', '0', '', '', '0', '0', '".$tp -> toDB($_POST['realname'])."', '', '', '', '0', '".$tp -> toDB($_POST['xupexist'])."' ");
 
 		// Log to user audit log if enabled
 		$signup_data['user_id'] = $nid;
@@ -738,6 +753,13 @@ global $db_debug;
 		}
 
 
+	$adviseLoginName = '';
+	if (varsettrue($pref['predefinedLoginName']))
+	{
+	  $adviseLoginName = LAN_SIGNUP_65.': '.$loginname.'<br />'.LAN_SIGNUP_66.'<br />';
+	}
+
+
 		if ($pref['user_reg_veri'])
 		{	// Verification required (may be by email or by admin)
 
@@ -778,19 +800,19 @@ global $db_debug;
 			$e_event->trigger("usersup", $_POST);  // send everything in the template, including extended fields.
 
 			require_once(HEADERF);
-			if($pref['signup_text_after'])
+		if (isset($pref['signup_text_after']) && (strlen($pref['signup_text_after']) > 2))
 			{
-				$text = $tp->toHTML($pref['signup_text_after'], TRUE, 'parse_sc,defs')."<br />";
+		  $text = $tp->toHTML(str_replace('{NEWLOGINNAME}', $loginname, $pref['signup_text_after']), TRUE, 'parse_sc,defs')."<br />";
 			}
 			else
 			{
 				if ($pref['user_reg_veri'] == 2)
 				{
-					$text = LAN_SIGNUP_37;
+			$text = LAN_SIGNUP_37.'<br /><br />'.$adviseLoginName;
 				}
 				else
 				{
-					$text = LAN_405;
+			$text = LAN_405.'<br /><br />'.$adviseLoginName;
 				}
 			}
 			if(isset($error_message))
@@ -806,7 +828,7 @@ global $db_debug;
 			require_once(HEADERF);
 
 			if(!$sql -> db_Select("user", "user_id", "user_name='{$username}' AND user_password='".$new_data['user_password']."'"))
-			{
+	  {	// Error looking up newly created user
 				$ns->tablerender("", LAN_SIGNUP_36);
 				require_once(FOOTERF);
 				exit;
@@ -818,7 +840,7 @@ global $db_debug;
 		  if (isset($_POST['class'])) $init_classes = array_unique(array_merge($init_classes, $_POST['class']));
 
 		  // Set member as registered, update classes
-		  $sql->db_Update("user", "user_ban = '0', user_class='".$tp -> toDB(implode(',',$init_classes))."' WHERE user_id = '{$nid}'");
+	  $sql->db_Update("user", "user_ban = '".USER_VALIDATED."', user_class='".$tp -> toDB(implode(',',$init_classes))."' WHERE user_id = '{$nid}'");
 
 
 			// ======== save extended fields to DB table.
@@ -828,14 +850,13 @@ global $db_debug;
 				$sql->db_Update("user_extended", $ue_fields." WHERE user_extended_id = '{$nid}'");
 			}
 
-			// ==========================================================
             $_POST['ip'] = $ip;
-			$_POST['user_id'] = $nid;
+	  $_POST['user_id'] = $nid;			// ID for the user
 			$e_event->trigger("usersup", $_POST);  // send everything in the template, including extended fields.
 
-			if($pref['signup_text_after'])
+	  if (isset($pref['signup_text_after']) && (strlen($pref['signup_text_after']) > 2))
 			{
-				$text = $tp->toHTML($pref['signup_text_after'], TRUE, 'parse_sc,defs')."<br />";
+		$text = $tp->toHTML(str_replace('{NEWLOGINNAME}', $loginname, $pref['signup_text_after']), TRUE, 'parse_sc,defs')."<br />";
 			}
 			else
 			{
@@ -846,8 +867,9 @@ global $db_debug;
 			exit;
 		}
 	}
-
 }
+
+// Disable the signup form - if either there was an error, or starting from scratch
 require_once(HEADERF);
 
 $qs = ($error ? "stage" : e_QUERY);
@@ -898,13 +920,14 @@ $ns->tablerender(LAN_123, $text);
 
 require_once(FOOTERF);
 
-//------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
 
+//----------------------------------
+// Function returns an image if a fild is required.
 function req($field)
 {
 	return ($field == 2 ? REQUIRED_FIELD_MARKER : "");
 }
-//------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
+//----------------------------------
 
 function headerjs()
 {
diff --git a/usersettings.php b/usersettings.php
index a9be75c3e..c55d53a8c 100644
--- a/usersettings.php
+++ b/usersettings.php
@@ -11,8 +11,8 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/usersettings.php,v $
-|     $Revision: 1.24 $
-|     $Date: 2008-03-17 20:45:29 $
+|     $Revision: 1.25 $
+|     $Date: 2008-06-13 20:20:20 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 
@@ -27,7 +27,9 @@ Admin log events:
 require_once("class2.php");
 require_once(e_HANDLER."ren_help.php");
 require_once(e_HANDLER."user_extended_class.php");
+require_once(e_HANDLER."user_handler.php");
 $ue = new e107_user_extended;
+$user_info = new UserHandler;
 
 //define("US_DEBUG",TRUE);
 define("US_DEBUG",FALSE);
@@ -64,6 +66,8 @@ $sesschange = '';						// Notice removal
 $photo_to_delete = '';
 $avatar_to_delete = '';
 $changed_user_data = array();
+$ue_fields = '';
+$promptPassword = FALSE;
 
 require_once(HEADERF);
 
@@ -92,20 +96,9 @@ function addCommonClasses($udata)
 //-----------------------------------
 $error = "";
 
-if (isset($_POST['updatesettings']))
+if (isset($_POST['updatesettings']) || isset($_POST['SaveValidatedInfo']))
 {
-	if(!varsettrue($pref['auth_method']) || $pref['auth_method'] == '>e107')
-	{
-	  $pref['auth_method'] = 'e107';
-	}
-
-	if($pref['auth_method'] != 'e107')
-	{
-	  $_POST['password1'] = '';
-	  $_POST['password2'] = '';
-	}
-
-
+// Get the required user info
 	if ($_uid && ADMIN)
 	{	// Admin logged in and editing another user's settings - so editing a different ID
 	  $inp = $_uid;
@@ -120,14 +113,23 @@ if (isset($_POST['updatesettings']))
 	$udata = get_user_data($inp);				// Get all the existing user data, including any extended fields
 	$udata['user_classlist'] = addCommonClasses($udata);
 
-	$peer = ($inp == USERID ? false : true);
-/*
-	echo "<pre>";
-	var_dump($udata);
-	echo "</pre>";
-*/
+	$peer = ($inp == USERID ? false : true);	// FALSE if editing own data
+}
 
 
+if (isset($_POST['updatesettings']))
+{
+	if(!varsettrue($pref['auth_method']) || $pref['auth_method'] == '>e107')
+	{
+	  $pref['auth_method'] = 'e107';
+	}
+
+	if($pref['auth_method'] != 'e107')
+	{
+	  $_POST['password1'] = '';
+	  $_POST['password2'] = '';
+	}
+
 	// Check external avatar
 	if ($_POST['image'])
 	{
@@ -266,6 +268,7 @@ if (isset($_POST['updatesettings']))
 
 
 // Password checks
+	$new_pass = '';
 	if ($_POST['password1'] != $_POST['password2']) 
 	{
 	  $error .= LAN_105."\\n";
@@ -278,7 +281,7 @@ if (isset($_POST['updatesettings']))
 		{
 		  $error .= LAN_SIGNUP_4.$pref['signup_pass_len'].LAN_SIGNUP_5."\\n";
 		}
-	    $changed_user_data['user_password'] = md5(trim($_POST['password1']));
+		$new_pass = $_POST['password1'];		// Don't hash it yet
 	  }
 	}
 
@@ -301,7 +304,7 @@ if (isset($_POST['updatesettings']))
 		
 		
 // Uploaded avatar and/or photo
-	if (isset($_FILES['file_userfile']['error']))
+	if ($file_userfile['error'] != 4)
 	{
 	  require_once(e_HANDLER."upload_handler.php");
 	  require_once(e_HANDLER."resize_handler.php");
@@ -374,37 +377,31 @@ if (isset($_POST['updatesettings']))
 		}
 	  }
 
-	  $ue_fields = "";
 	  foreach($_POST['ue'] as $key => $val)
 	  {
-			$err = false;
-			$parms = explode("^,^", $extList[$key]['user_extended_struct_parms']);
-			$regex = $tp->toText($parms[1]);
-			$regexfail = $tp->toText($parms[2]);
-    		if(defined($regexfail)) {$regexfail = constant($regexfail);}
-	  		if($val == '' && $extList[$key]['user_extended_struct_required'] == 1 && !$_uid)
-			{
-         		$error .= LAN_SIGNUP_6.($tp->toHtml($extList[$key]['user_extended_struct_text'],FALSE,"defs"))." ".LAN_SIGNUP_7."\\n";
-	    		$err = TRUE;
+			$err = $ue->user_extended_validate_entry($val,$extList[$key]);
+	  		if($err === TRUE && !$_uid)
+			{  // General error - usually empty field; could be unacceptable value, or regex fail and no error message defined
+         	  $error .= LAN_SIGNUP_6.($tp->toHtml($extList[$key]['user_extended_struct_text'],FALSE,"defs"))." ".LAN_SIGNUP_7."\\n";
 			}
-			if($regex != "" && $val != "")
-			{
-				if(!preg_match($regex, $val))
-				{
-               		$error .= $regexfail."\\n";
-         			$err = TRUE;
-	         	}
+			elseif ($err)
+			{	// Specific error message returned - usually regex fail
+			  $error .= $err."\\n";
+			  $err = TRUE;
 			}
 			if(!$err)
 			{
 				$val = $tp->toDB($val);
 				$ue_fields .= ($ue_fields) ? ", " : "";
 				$ue_fields .= $key."='".$val."'";
-				}
+			}
 	  }
     }
 
 
+	unset($_POST['password1']);		// Always clear the password fields - value noted if required
+	unset($_POST['password2']);
+
 
 // All key fields validated here
 // -----------------------------
@@ -412,10 +409,6 @@ if (isset($_POST['updatesettings']))
 // $inp - UID of user whose data is being changed (may not be the currently logged in user)
 	if (!$error)
 	{
-	  unset($_POST['password1']);
-	  unset($_POST['password2']);
-	  
-	  
       $_POST['user_id'] = intval($inp);
 
 
@@ -423,9 +416,7 @@ if (isset($_POST['updatesettings']))
 
 	  if ($ret == '')
 	  {
-		// Either delete this block, or delete user_customtitle from the later loop for non-vetted fields
-		$new_customtitle = "";
-		if(isset($_POST['customtitle']) && ($pref['signup_option_customtitle'] || ADMIN))
+		if(isset($_POST['customtitle']) && ($pref['signup_option_customtitle']))
 		{
 		  $new_customtitle = $tp->toDB($_POST['customtitle']);
 		  if ($new_customtitle != $udata['user_customtitle']) $changed_user_data['user_customtitle'] = $new_customtitle;
@@ -511,8 +502,88 @@ if (isset($_POST['updatesettings']))
 		{
 		  unset($changed_user_data['user_loginname']);
 		}
+	  }
+	  else 
+	  {	// Invalid data - from hooked in trigger event
+		$message = "<div style='text-align:center'>".$ret."</div>";
+		$caption = LAN_151;
+	  }
+	}
+}  // End - update setttings
+elseif (isset($_POST['SaveValidatedInfo']))
+{	// Next bit only valid if user editing their own data
+  if (!$peer && !empty($_POST['updated_data']) && !empty($_POST['currentpassword']) && !empty($_POST['updated_key']))
+  {	// Got some data confirmed with password entry
+	$new_data = base64_decode($_POST['updated_data']);
+	if (md5($new_data) != $_POST['updated_key']) 
+	{  // Should only happen if someone's fooling around
+	  echo "Mismatch on validation key<br />";
+	  exit;
+	}
+
+	if (isset($_POST['updated_extended']))
+	{
+	  $new_extended = base64_decode($_POST['updated_extended']);
+	  if (md5($new_extended) != $_POST['extended_key']) 
+	  {  // Should only happen if someone's fooling around
+		echo "Mismatch on validity key<br />";
+		exit;
+	  }
+	}
+
+	if ($user_info->CheckPassword($_POST['currentpassword'],$udata['user_loginname'], $udata['user_password']) === FALSE)		// Use old data to validate
+	{  // Invalid password
+	  echo "<br />".LAN_USET_22."<br />";
+	  require_once(FOOTERF);
+	  exit;
+	}
+	$changed_user_data = unserialize($new_data);
+	$new_pass = $_POST['currentpassword'];
+	if (!empty($new_extended)) $ue_fields = unserialize($new_extended);
+	unset($new_data);
+	unset($new_extended);
+  }
+}
+unset($_POST['updatesettings']);
+unset($_POST['SaveValidatedInfo']);
 
 
+// At this point we know the error status.
+// $changed_user_data has an array of core changed data, except password, which is in $new_pass if changed (or entered as confirmation).
+if (!$error && (count($changed_user_data) || $new_pass))
+{
+		// Sort out password hashes
+		if ($new_pass)
+		{
+		  if (empty($loginname)) $loginname = $udata['user_loginname'];
+		  $email = $changed_user_data['user_email'] ? $changed_user_data['user_email'] : $udata['user_email'];
+		  $changed_user_data['user_password'] = $sql->escape($user_info->HashPassword($new_pass, $loginname), FALSE);
+		  if (varsettrue($pref['allowEmailLogin']))
+		  {
+			$user_prefs = unserialize($udata['user_prefs']);
+			$user_prefs['email_password'] = $user_info->HashPassword($new_pass, $email);
+			$changed_user_data['user_prefs'] = serialize($user_prefs);
+		  }
+		}
+		else
+		{
+		  if ((isset($changed_user_data['user_loginname']) && $user_info->isPasswordRequired('user_loginname')) 
+		    || (isset($changed_user_data['user_email']) && $user_info->isPasswordRequired('user_email')))
+		  {
+			if ($_uid)
+			{	// Admin is changing it
+			  $error = LAN_USET_20;
+			}
+			else
+			{	// User is changing their own info
+			  $promptPassword = TRUE;
+			}
+		  }
+		}
+}
+
+if ((!$error && !$promptPassword) && (count($changed_user_data) || $ue_fields))
+{
 		// We can update the basic user record now - can just update fields from $changed_user_data
 		if (US_DEBUG) $admin_log->e_log_event(10,debug_backtrace(),"DEBUG","Usersettings test","Changed data:<br> ".var_export($changed_user_data,TRUE),FALSE,LOG_TO_ROLLING);
 		$sql->db_UpdateArray("user",$changed_user_data," WHERE user_id='".intval($inp)."' ");
@@ -551,7 +622,7 @@ if (isset($_POST['updatesettings']))
 			if (isset($changed_user_data['user_password']))
 			{
 			  if (isset($user_logging_opts[USER_AUDIT_NEW_PW]))
-			  {	// Password has already been changed to an md5(), so OK to leave the data
+			  {	// Password has already been changed to a hashed value, so OK to leave the data
 				$do_log['user_password'] = $changed_user_data['user_password'];
 				$log_action = USER_AUDIT_NEW_PW;
 			  }
@@ -636,23 +707,24 @@ if (isset($_POST['updatesettings']))
 		}
 		$message = "<div style='text-align:center'>".LAN_150."</div>";
 		$caption = LAN_151;
-	  } 
-	  else 
-	  {	// Invalid data
-		$message = "<div style='text-align:center'>".$ret."</div>";
-		$caption = LAN_151;
-	  }
-	  unset($_POST);
-	}
-}
+}	// End - if (!$error)...
+
+
+if (!$error && !$promptPassword) unset($_POST);
+
+
+
 
 if ($error)
 {
-	require_once(e_HANDLER."message_handler.php");
-	message_handler("P_ALERT", $error);
-	$adref = $_POST['adminreturn'];
+  require_once(e_HANDLER."message_handler.php");
+  message_handler("P_ALERT", $error);
+  $adref = $_POST['adminreturn'];
 }
 
+
+
+
 // --- User data has been updated here if appropriate ---
 
 if(isset($message))
@@ -661,12 +733,55 @@ if(isset($message))
 }
 
 
-//-----------------------------------------------------
-// Re-read the user data into curVal (ready for display)
-//-----------------------------------------------------
+
 
 $uuid = ($_uid) ? $_uid : USERID;			// If $_uid is set, its an admin changing another user's data
 
+
+
+if ($promptPassword)
+{	// User has to enter password to validate data
+  $updated_data = serialize($changed_user_data);
+  $validation_key = md5($updated_data);
+  $updated_data = base64_encode($updated_data);
+  $updated_extended = serialize($ue_fields);
+  $extended_key = md5($updated_extended);
+  $updated_extended = base64_encode($updated_extended);
+  $text = "<form method='post' action='".e_SELF.(e_QUERY ? "?".e_QUERY : '')."'>
+  <table><tr><td style='text-align:center'>";
+  foreach ($_POST as $k => $v)
+  {
+    if (is_array($v))
+	{
+	  foreach ($v as $sk => $sv)
+	  {
+		$text .= "<input type='hidden' name='{$k}[{$sk}]' value='{$sv}' />\n";
+	  }
+	}
+	else
+	{
+	  $text .= "<input type='hidden' name='{$k}' value='{$v}' />\n";
+	}
+  }
+  $text .= LAN_USET_21."</td></tr><tr><td>&nbsp;</td></tr>
+  <tr><td style='text-align:center'><input type='password' name='currentpassword' value='' size='30' />";
+  $text .= "<input type='hidden' name='updated_data' value='{$updated_data}' /><input type='hidden' name='updated_key' value='{$validation_key}' />
+  <input type='hidden' name='updated_extended' value='{$updated_extended}' /><input type='hidden' name='extended_key' value='{$extended_key}' />
+  </td></tr>
+  <tr><td>&nbsp;</td></tr>
+  <tr><td style='text-align:center'><input type='submit' name='SaveValidatedInfo' value='".LAN_ENTER."' /></td></tr>
+  </table>
+  </form>";
+  $ns->tablerender(LAN_155, $text);
+  require_once(FOOTERF);
+}
+
+
+
+//--------------------------------------------------------
+// Re-read the user data into curVal (ready for display)
+//--------------------------------------------------------
+
 $qry = "
 SELECT u.*, ue.* FROM #user AS u
 LEFT JOIN #user_extended AS ue ON ue.user_extended_id = u.user_id