is this a Auto Auth API security flaw or am i missing something?

[stoogle1]

So i setup auto auth between my current system and whmcs.

 

I wanted to test the security on this and the what ifs as you should always do.

 

It logs in fine when a user on my program has a matching email on whmcs side also. As it should.

 

So i thought what if the session didnt pass the email address and it was blank.

So I put a stop in place in case the email address in the session on my side was blank to echo out to contact support and then kill. That works fine.

 

BUT

 

If a email address IS in the session but DOESNT match one in WHMCS users, it will login as another user. Am i missing another check in the autoauth to make sure the email address matches?

 

Below is what im using:

 

<?php include(BASE_URL . 'includes/globals.php'); ?>
<?php
$username = ($_SESSION["Username"]);
$password = ($_SESSION["password"]);
$email = ($_SESSION["EmailAddress"]);
/*
WHMCS AutoAuth script
*/

# Define WHMCS URL & AutoAuth Key
$whmcsurl = "http://*********/support/clientarea.php";
$autoauthkey = "**********";

$timestamp = time(); # Get current timestamp
$goto = "clientarea.php";

$hash = sha1($email.$timestamp.$autoauthkey); # Generate Hash
if(!isset($email))
{
echo "Error, Please contact I.T. Department to get access to this area $email</p>";
echo "Call ****** or email ******";
exit;
}
else{
# Generate AutoAuth URL & Redirect
$url = $whmcsurl."?email=$email&timestamp=$timestamp&hash=$hash&goto=".urlencode($goto);
echo "<meta http-equiv='refresh' content='0;$url' />";
exit;
}
?>