Diffstat (limited to 'engine/lib/sessions.php')
-rw-r--r-- | engine/lib/sessions.php | 384 |
1 files changed, 192 insertions, 192 deletions
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php
index fd569a0e1..18fb9e73c 100644
--- a/engine/lib/sessions.php
+++ b/engine/lib/sessions.php
@@ -1,19 +1,19 @@
-<?php
-
- /**
- * Elgg session management
- * Functions to manage logins
- *
- * @package Elgg
- * @subpackage Core
+<?php - * @author Curverider Ltd
+ /** + * Elgg session management + * Functions to manage logins + * + * @package Elgg + * @subpackage Core + + * @author Curverider Ltd - * @link http://elgg.org/
+ * @link http://elgg.org/ */ /** Elgg magic session */ - global $SESSION;
+ global $SESSION; /** * Magic session class. @@ -99,9 +99,9 @@ { global $SESSION; - if (isset($SESSION))
- return $SESSION['user'];
-
+ if (isset($SESSION)) + return $SESSION['user']; + return false; } @@ -119,24 +119,24 @@ return 0; } -
- /**
- * Returns whether or not the user is currently logged in
- *
- * @return true|false
- */
- function isloggedin() {
-
+ + /** + * Returns whether or not the user is currently logged in + * + * @return true|false + */ + function isloggedin() { + if (!is_installed()) return false; $user = get_loggedin_user(); -
- if ((isset($user)) && ($user instanceof ElggUser) && ($user->guid > 0))
+ + if ((isset($user)) && ($user instanceof ElggUser) && ($user->guid > 0)) return true; -
- return false;
-
- }
+ + return false; + + } /** * Returns whether or not the user is currently logged in and that they are an admin user. @@ -155,24 +155,24 @@ return false; } -
- /**
- * Perform standard authentication with a given username and password.
- * Returns an ElggUser object for use with login.
- *
- * @see login
- * @param string $username The username, optionally (for standard logins)
- * @param string $password The password, optionally (for standard logins)
- * @return ElggUser|false The authenticated user object, or false on failure.
- */
-
- function authenticate($username, $password) {
+ + /** + * Perform standard authentication with a given username and password. + * Returns an ElggUser object for use with login. + * + * @see login + * @param string $username The username, optionally (for standard logins) + * @param string $password The password, optionally (for standard logins) + * @return ElggUser|false The authenticated user object, or false on failure. + */ + + function authenticate($username, $password) { if (pam_authenticate(array('username' => $username, 'password' => $password))) - return get_user_by_username($username);
-
- return false;
-
+ return get_user_by_username($username); + + return false; + } /** @@ -198,9 +198,9 @@ // Let admins log in without validating their email, but normal users must have validated their email or been admin created if ((!$user->admin) && (!$user->validated) && (!$user->admin_created)) return false; -
- // User has been banned, so bin them.
- if ($user->isBanned()) return false;
+ + // User has been banned, so bin them. + if ($user->isBanned()) return false; if ($user->password == generate_user_password($user, $credentials['password'])) @@ -274,52 +274,52 @@ } return false; - }
-
- /**
- * Logs in a specified ElggUser. For standard registration, use in conjunction
- * with authenticate.
- *
- * @see authenticate
- * @param ElggUser $user A valid Elgg user object
- * @param boolean $persistent Should this be a persistent login?
- * @return true|false Whether login was successful
- */
- function login(ElggUser $user, $persistent = false) {
-
+ } + + /** + * Logs in a specified ElggUser. For standard registration, use in conjunction + * with authenticate. + * + * @see authenticate + * @param ElggUser $user A valid Elgg user object + * @param boolean $persistent Should this be a persistent login? + * @return true|false Whether login was successful + */ + function login(ElggUser $user, $persistent = false) { + global $CONFIG; if ($user->isBanned()) return false; // User is banned, return false. if (check_rate_limit_exceeded($user->guid)) return false; // Check rate limit -
- $_SESSION['user'] = $user;
- $_SESSION['guid'] = $user->getGUID();
- $_SESSION['id'] = $_SESSION['guid'];
- $_SESSION['username'] = $user->username;
- $_SESSION['name'] = $user->name;
-
- $code = (md5($user->name . $user->username . time() . rand()));
-
- $user->code = md5($code);
-
- $_SESSION['code'] = $code;
-
- if (($persistent))
- setcookie("elggperm", $code, (time()+(86400 * 30)),"/");
-
- if (!$user->save() || !trigger_elgg_event('login','user',$user)) {
- unset($_SESSION['username']);
- unset($_SESSION['name']);
- unset($_SESSION['code']);
- unset($_SESSION['guid']);
- unset($_SESSION['id']);
- unset($_SESSION['user']);
- setcookie("elggperm", "", (time()-(86400 * 30)),"/");
- return false;
+ + $_SESSION['user'] = $user; + $_SESSION['guid'] = $user->getGUID(); + $_SESSION['id'] = $_SESSION['guid']; + $_SESSION['username'] = $user->username; + $_SESSION['name'] = $user->name; + + $code = (md5($user->name . $user->username . time() . rand())); + + $user->code = md5($code); + + $_SESSION['code'] = $code; + + if (($persistent)) + setcookie("elggperm", $code, (time()+(86400 * 30)),"/"); + + if (!$user->save() || !trigger_elgg_event('login','user',$user)) { + unset($_SESSION['username']); + unset($_SESSION['name']); + unset($_SESSION['code']); + unset($_SESSION['guid']); + unset($_SESSION['id']); + unset($_SESSION['user']); + setcookie("elggperm", "", (time()-(86400 * 30)),"/"); + return false; } // Users privilege has been elevated, so change the session id (help prevent session hijacking) - session_regenerate_id();
+ session_regenerate_id(); // Update statistics set_last_login($_SESSION['guid']); @@ -330,37 +330,37 @@ global $is_admin; $is_admin = true; } -
- return true;
-
- }
-
- /**
- * Log the current user out
- *
- * @return true|false
- */
- function logout() {
- global $CONFIG;
-
- if (isset($_SESSION['user'])) {
- if (!trigger_elgg_event('logout','user',$_SESSION['user'])) return false;
- $_SESSION['user']->code = "";
- $_SESSION['user']->save();
+ + return true; + + } + + /** + * Log the current user out + * + * @return true|false + */ + function logout() { + global $CONFIG; + + if (isset($_SESSION['user'])) { + if (!trigger_elgg_event('logout','user',$_SESSION['user'])) return false; + $_SESSION['user']->code = ""; + $_SESSION['user']->save(); } -
- unset($_SESSION['username']);
- unset($_SESSION['name']);
- unset($_SESSION['code']);
- unset($_SESSION['guid']);
- unset($_SESSION['id']);
- unset($_SESSION['user']);
-
+ + unset($_SESSION['username']); + unset($_SESSION['name']); + unset($_SESSION['code']); + unset($_SESSION['guid']); + unset($_SESSION['id']); + unset($_SESSION['user']); + setcookie("elggperm", "", (time()-(86400 * 30)),"/"); - session_destroy();
-
- return true;
+ session_destroy(); + + return true; } function get_session_fingerprint() @@ -368,33 +368,33 @@ global $CONFIG; return md5($_SERVER['HTTP_USER_AGENT'] . get_site_secret()); - }
-
- /**
- * Initialises the system session and potentially logs the user in
- *
- * This function looks for:
- *
- * 1. $_SESSION['id'] - if not present, we're logged out, and this is set to 0
- * 2. The cookie 'elggperm' - if present, checks it for an authentication token, validates it, and potentially logs the user in
- *
- * @uses $_SESSION
- * @param unknown_type $event
- * @param unknown_type $object_type
- * @param unknown_type $object
- */
- function session_init($event, $object_type, $object) {
+ } + + /** + * Initialises the system session and potentially logs the user in + * + * This function looks for: + * + * 1. $_SESSION['id'] - if not present, we're logged out, and this is set to 0 + * 2. The cookie 'elggperm' - if present, checks it for an authentication token, validates it, and potentially logs the user in + * + * @uses $_SESSION + * @param unknown_type $event + * @param unknown_type $object_type + * @param unknown_type $object + */ + function session_init($event, $object_type, $object) { global $DB_PREFIX, $CONFIG; -
+ if (!is_db_installed()) return false; // Use database for sessions $DB_PREFIX = $CONFIG->dbprefix; // HACK to allow access to prefix after object distruction if ((!isset($CONFIG->use_file_sessions))) session_set_save_handler("__elgg_session_open", "__elgg_session_close", "__elgg_session_read", "__elgg_session_write", "__elgg_session_destroy", "__elgg_session_gc"); -
- session_name('Elgg');
+ + session_name('Elgg'); session_start(); // Do some sanity checking by generating a fingerprint (makes some XSS attacks harder) @@ -413,50 +413,50 @@ // Generate a simple token (private from potentially public session id) if (!isset($_SESSION['__elgg_session'])) $_SESSION['__elgg_session'] = md5(microtime().rand()); -
- if (empty($_SESSION['guid'])) {
- if (isset($_COOKIE['elggperm'])) {
- $code = $_COOKIE['elggperm'];
- $code = md5($code);
- unset($_SESSION['guid']);//$_SESSION['guid'] = 0;
- unset($_SESSION['id']);//$_SESSION['id'] = 0;
- if ($user = get_user_by_code($code)) {
- $_SESSION['user'] = $user;
- $_SESSION['id'] = $user->getGUID();
- $_SESSION['guid'] = $_SESSION['id'];
- $_SESSION['code'] = $_COOKIE['elggperm'];
- }
+ + if (empty($_SESSION['guid'])) { + if (isset($_COOKIE['elggperm'])) { + $code = $_COOKIE['elggperm']; + $code = md5($code); + unset($_SESSION['guid']);//$_SESSION['guid'] = 0; + unset($_SESSION['id']);//$_SESSION['id'] = 0; + if ($user = get_user_by_code($code)) { + $_SESSION['user'] = $user; + $_SESSION['id'] = $user->getGUID(); + $_SESSION['guid'] = $_SESSION['id']; + $_SESSION['code'] = $_COOKIE['elggperm']; + } } else { - unset($_SESSION['id']); //$_SESSION['id'] = 0;
+ unset($_SESSION['id']); //$_SESSION['id'] = 0; unset($_SESSION['guid']);//$_SESSION['guid'] = 0; - unset($_SESSION['code']);//$_SESSION['code'] = "";
- }
- } else {
- if (!empty($_SESSION['code'])) {
- $code = md5($_SESSION['code']);
- if ($user = get_user_by_code($code)) {
+ unset($_SESSION['code']);//$_SESSION['code'] = ""; + } + } else { + if (!empty($_SESSION['code'])) { + $code = md5($_SESSION['code']); + if ($user = get_user_by_code($code)) { $_SESSION['user'] = $user; $_SESSION['id'] = $user->getGUID(); - $_SESSION['guid'] = $_SESSION['id'];
- } else {
- unset($_SESSION['user']);
+ $_SESSION['guid'] = $_SESSION['id']; + } else { + unset($_SESSION['user']); unset($_SESSION['id']); //$_SESSION['id'] = 0; unset($_SESSION['guid']);//$_SESSION['guid'] = 0; - unset($_SESSION['code']);//$_SESSION['code'] = "";
- }
+ unset($_SESSION['code']);//$_SESSION['code'] = ""; + } } else { - //$_SESSION['user'] = new ElggDummy();
+ //$_SESSION['user'] = new ElggDummy(); unset($_SESSION['id']); //$_SESSION['id'] = 0; unset($_SESSION['guid']);//$_SESSION['guid'] = 0; - unset($_SESSION['code']);//$_SESSION['code'] = "";
- }
- }
- if ($_SESSION['id'] > 0) {
- set_last_action($_SESSION['id']);
- }
-
- register_action("login",true);
- register_action("logout");
+ unset($_SESSION['code']);//$_SESSION['code'] = ""; + } + } + if ($_SESSION['id'] > 0) { + set_last_action($_SESSION['id']); + } + + register_action("login",true); + register_action("logout"); // Register a default PAM handler register_pam_handler('pam_auth_userpass'); @@ -470,24 +470,24 @@ { session_destroy(); return false; - }
-
- // Since we have loaded a new user, this user may have different language preferences
+ } + + // Since we have loaded a new user, this user may have different language preferences register_translations(dirname(dirname(dirname(__FILE__))) . "/languages/"); -
- return true;
-
+ + return true; + } -
- /**
- * Used at the top of a page to mark it as logged in users only.
- *
- */
- function gatekeeper() {
- if (!isloggedin()) {
- $_SESSION['last_forward_from'] = current_page_url();
- forward();
- }
+ + /** + * Used at the top of a page to mark it as logged in users only. + * + */ + function gatekeeper() { + if (!isloggedin()) { + $_SESSION['last_forward_from'] = current_page_url(); + forward(); + } } /** @@ -497,11 +497,11 @@ function admin_gatekeeper() { gatekeeper(); - if (!isadminloggedin()) {
- $_SESSION['last_forward_from'] = current_page_url();
- forward();
+ if (!isadminloggedin()) { + $_SESSION['last_forward_from'] = current_page_url(); + forward(); } - }
+ } /** * DB Based session handling code. @@ -627,8 +627,8 @@ return true; } -
- register_elgg_event_handler("boot","system","session_init",20);
-
-
+ + register_elgg_event_handler("boot","system","session_init",20); + + ?>
\ No newline at end of file |