diff options
author | Paolo Tacconi <p.tacconi@giunti.it> | 2016-04-15 09:20:58 +0200 |
---|---|---|
committer | Paolo Tacconi <p.tacconi@giunti.it> | 2016-04-15 09:20:58 +0200 |
commit | 45a854762b451dafb882bc56efce054b64420627 (patch) | |
tree | 958fcd22f04546f40b6ac68bb58cfe1a1b1fb7f6 /include/auth.php | |
parent | 1806da0851dd5cf5978b19d12783ae3101a11257 (diff) | |
parent | a29c0371f1f3cceb9a9af3a62e5ed67886869c40 (diff) | |
download | volse-hubzilla-45a854762b451dafb882bc56efce054b64420627.tar.gz volse-hubzilla-45a854762b451dafb882bc56efce054b64420627.tar.bz2 volse-hubzilla-45a854762b451dafb882bc56efce054b64420627.zip |
Resolved conflict in view/it/hstrings.php
Diffstat (limited to 'include/auth.php')
-rw-r--r-- | include/auth.php | 97 |
1 files changed, 19 insertions, 78 deletions
diff --git a/include/auth.php b/include/auth.php index 4f0c4c928..9643da8eb 100644 --- a/include/auth.php +++ b/include/auth.php @@ -12,33 +12,6 @@ require_once('include/api_auth.php'); require_once('include/security.php'); -/** - * @brief Resets the current session. - * - * @return void - */ -function nuke_session() { - new_cookie(0); // 0 means delete on browser exit - - unset($_SESSION['authenticated']); - unset($_SESSION['account_id']); - unset($_SESSION['uid']); - unset($_SESSION['visitor_id']); - unset($_SESSION['administrator']); - unset($_SESSION['cid']); - unset($_SESSION['theme']); - unset($_SESSION['mobile_theme']); - unset($_SESSION['show_mobile']); - unset($_SESSION['page_flags']); - unset($_SESSION['delegate']); - unset($_SESSION['delegate_channel']); - unset($_SESSION['my_url']); - unset($_SESSION['my_address']); - unset($_SESSION['addr']); - unset($_SESSION['return_url']); - unset($_SESSION['remote_service_class']); - unset($_SESSION['remote_hub']); -} /** * @brief Verify login credentials. @@ -124,11 +97,11 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) && // process a logout request - if(((x($_POST, 'auth-params')) && ($_POST['auth-params'] === 'logout')) || ($a->module === 'logout')) { + if(((x($_POST, 'auth-params')) && ($_POST['auth-params'] === 'logout')) || (App::$module === 'logout')) { // process logout request $args = array('channel_id' => local_channel()); call_hooks('logging_out', $args); - nuke_session(); + \Zotlabs\Web\Session::nuke(); info( t('Logged out.') . EOL); goaway(z_root()); } @@ -144,7 +117,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) && intval(ACCOUNT_ROLE_ADMIN) ); if($x) { - new_cookie(60 * 60 * 24); // one day + \Zotlabs\Web\Session::new_cookie(60 * 60 * 24); // one day $_SESSION['last_login_date'] = datetime_convert(); unset($_SESSION['visitor_id']); // no longer a visitor authenticate_success($x[0], true, true); @@ -155,75 +128,41 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) && dbesc($_SESSION['visitor_id']) ); if($r) { - get_app()->set_observer($r[0]); + App::set_observer($r[0]); } else { unset($_SESSION['visitor_id']); unset($_SESSION['authenticated']); } - $a->set_groups(init_groups_visitor($_SESSION['visitor_id'])); + App::set_groups(init_groups_visitor($_SESSION['visitor_id'])); } // already logged in user returning if(x($_SESSION, 'uid') || x($_SESSION, 'account_id')) { - // first check if we're enforcing that sessions can't change IP address - // @todo what to do with IPv6 addresses - if($_SESSION['addr'] && $_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) { - logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']); - - $partial1 = substr($_SESSION['addr'], 0, strrpos($_SESSION['addr'], '.')); - $partial2 = substr($_SERVER['REMOTE_ADDR'], 0, strrpos($_SERVER['REMOTE_ADDR'], '.')); - - $paranoia = intval(get_pconfig($_SESSION['uid'], 'system', 'paranoia')); - if(! $paranoia) - $paranoia = intval(get_config('system', 'paranoia')); - - switch($paranoia) { - case 0: - // no IP checking - break; - case 2: - // check 2 octets - $partial1 = substr($partial1, 0, strrpos($partial1, '.')); - $partial2 = substr($partial2, 0, strrpos($partial2, '.')); - if($partial1 == $partial2) - break; - case 1: - // check 3 octets - if($partial1 == $partial2) - break; - case 3: - default: - // check any difference at all - logger('Session address changed. Paranoid setting in effect, blocking session. ' - . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']); - nuke_session(); - goaway(z_root()); - break; - } - } + Zotlabs\Web\Session::return_check(); $r = q("select * from account where account_id = %d limit 1", intval($_SESSION['account_id']) ); if(($r) && (($r[0]['account_flags'] == ACCOUNT_OK) || ($r[0]['account_flags'] == ACCOUNT_UNVERIFIED))) { - get_app()->account = $r[0]; + App::$account = $r[0]; $login_refresh = false; if(! x($_SESSION,'last_login_date')) { $_SESSION['last_login_date'] = datetime_convert('UTC','UTC'); } if(strcmp(datetime_convert('UTC','UTC','now - 12 hours'), $_SESSION['last_login_date']) > 0 ) { $_SESSION['last_login_date'] = datetime_convert(); + Zotlabs\Web\Session::extend_cookie(); $login_refresh = true; } authenticate_success($r[0], false, false, false, $login_refresh); } else { $_SESSION['account_id'] = 0; - nuke_session(); + \Zotlabs\Web\Session::nuke(); goaway(z_root()); } } // end logged in user returning @@ -231,7 +170,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) && else { if(isset($_SESSION)) { - nuke_session(); + \Zotlabs\Web\Session::nuke(); } // handle a fresh login request @@ -264,16 +203,16 @@ else { $record = $addon_auth['user_record']; } else { - $record = get_app()->account = account_verify_password($_POST['username'], $_POST['password']); + $record = App::$account = account_verify_password($_POST['username'], $_POST['password']); - if(get_app()->account) { - $_SESSION['account_id'] = get_app()->account['account_id']; + if(App::$account) { + $_SESSION['account_id'] = App::$account['account_id']; } else { notice( t('Failed authentication') . EOL); } - logger('authenticate: ' . print_r(get_app()->account, true), LOGGER_DEBUG); + logger('authenticate: ' . print_r(App::$account, true), LOGGER_ALL); } if((! $record) || (! count($record))) { @@ -301,11 +240,13 @@ else { // (i.e. expire when the browser is closed), even when there's a time expiration // on the cookie - if($_POST['remember']) { - new_cookie(31449600); // one year + if($_POST['remember_me']) { + $_SESSION['remember_me'] = 1; + \Zotlabs\Web\Session::new_cookie(31449600); // one year } else { - new_cookie(0); // 0 means delete on browser exit + $_SESSION['remember_me'] = 0; + \Zotlabs\Web\Session::new_cookie(0); // 0 means delete on browser exit } // if we haven't failed up this point, log them in. |