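/**
 * Initialises the system session and potentially logs the user in
 *
 * Bootstraps PHP's session (database-backed unless $CONFIG->use_file_sessions
 * is set), checks a per-session fingerprint, and then resolves the logged-in
 * user from one of two places:
 *
 * 1. $_SESSION['guid'] together with $_SESSION['code'] - an existing session is
 *    re-validated by looking the stored code up again with get_user_by_code();
 *    if that fails, or no code is stored, the user keys are unset
 * 2. The cookie 'elggperm' - if no session user exists and the cookie is
 *    present, its value is md5-hashed and looked up with get_user_by_code();
 *    a hit logs the user in
 *
 * When logged out the keys 'user', 'id', 'guid' and 'code' are *unset* rather
 * than set to 0 / "", so readers must use isset()/empty().
 *
 * @uses $_SESSION
 * @uses $_COOKIE
 *
 * @param string $event       Event name
 * @param string $object_type Object type
 * @param mixed  $object      Object
 *
 * @return bool false when the DB is not installed, the fingerprint does not
 *              match, or the session user is banned (the session is destroyed
 *              in the last two cases); true otherwise
 */
function session_init($event, $object_type, $object)
{
    global $DB_PREFIX, $CONFIG;

    if (!is_db_installed()) {
        return false;
    }

    // HACK to allow access to prefix after object destruction
    $DB_PREFIX = $CONFIG->dbprefix;

    // Use database for sessions unless file sessions were requested
    if (!isset($CONFIG->use_file_sessions)) {
        session_set_save_handler("__elgg_session_open", "__elgg_session_close", "__elgg_session_read", "__elgg_session_write", "__elgg_session_destroy", "__elgg_session_gc");
    }

    session_name('Elgg');
    session_start();

    // Do some sanity checking by generating a fingerprint (makes some XSS attacks harder).
    // Strict comparison: a loose != would treat numeric-looking strings as equal.
    if (isset($_SESSION['__elgg_fingerprint'])) {
        if ($_SESSION['__elgg_fingerprint'] !== get_session_fingerprint()) {
            session_destroy();
            return false;
        }
    } else {
        $_SESSION['__elgg_fingerprint'] = get_session_fingerprint();
    }

    // Generate a simple token (private from potentially public session id)
    // NOTE(review): md5(microtime() . rand()) is low-entropy and rand() is not a CSPRNG;
    // if this token is used for anything security-relevant it should come from a
    // cryptographic source instead.
    if (!isset($_SESSION['__elgg_session'])) {
        $_SESSION['__elgg_session'] = md5(microtime() . rand());
    }

    if (empty($_SESSION['guid'])) {
        // No session user: clear any stale user keys (a code without a guid is
        // useless, so it goes too), then try the remember-me cookie.
        unset($_SESSION['user']);
        unset($_SESSION['id']);
        unset($_SESSION['guid']);
        unset($_SESSION['code']);

        if (isset($_COOKIE['elggperm'])) {
            // the stored code is the md5 of the raw cookie value
            $code = md5($_COOKIE['elggperm']);
            if ($user = get_user_by_code($code)) {
                $_SESSION['user'] = $user;
                $_SESSION['id'] = $user->getGUID();
                $_SESSION['guid'] = $_SESSION['id'];
                $_SESSION['code'] = $_COOKIE['elggperm'];
            }
        }
    } else {
        // Existing session: re-validate the stored persistent code so that a
        // revoked code logs the user out. A session without a code is treated
        // as logged out; 'user' is cleared as well so no key claims a login.
        if (!empty($_SESSION['code'])) {
            $code = md5($_SESSION['code']);
            if ($user = get_user_by_code($code)) {
                $_SESSION['user'] = $user;
                $_SESSION['id'] = $user->getGUID();
                $_SESSION['guid'] = $_SESSION['id'];
            } else {
                unset($_SESSION['user']);
                unset($_SESSION['id']);
                unset($_SESSION['guid']);
                unset($_SESSION['code']);
            }
        } else {
            unset($_SESSION['user']);
            unset($_SESSION['id']);
            unset($_SESSION['guid']);
            unset($_SESSION['code']);
        }
    }

    // 'id' is unset (not 0) when logged out, so guard before comparing
    if (isset($_SESSION['id']) && $_SESSION['id'] > 0) {
        set_last_action($_SESSION['id']);
    }

    register_action("login", true);
    register_action("logout");

    // Register a default PAM handler
    register_pam_handler('pam_auth_userpass');

    // Initialise the magic session
    global $SESSION;
    $SESSION = new ElggSession();

    // Finally we ensure that a user who has been banned with an open session is kicked.
    if (isset($_SESSION['user']) && $_SESSION['user']->isBanned()) {
        session_destroy();
        return false;
    }

    // Since we have loaded a new user, this user may have different language preferences
    register_translations(dirname(dirname(dirname(__FILE__))) . "/languages/");

    return true;
}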
/**
 * Initializes the session and checks for the remember me cookie
 *
 * Registers the login/logout actions and the default PAM handler, starts the
 * service session, and then resolves the logged-in user: an existing 'guid'
 * in the session is reloaded with get_user(); otherwise the 'elggperm'
 * cookie, if present, is md5-hashed and looked up with get_user_by_code().
 * A banned user holding an open session is logged out.
 *
 * @return bool false when the session user is banned, true otherwise
 * @access private
 */
function _elgg_session_boot()
{
    elgg_register_action('login', '', 'public');
    elgg_register_action('logout');
    register_pam_handler('pam_auth_userpass');

    $session = _elgg_services()->session;
    $session->start();

    if ($session->has('guid')) {
        // existing session: reload the user object from storage
        // NOTE(review): get_user() is used elsewhere as returning a falsy value for a
        // missing user; confirm setLoggedInUser() tolerates that before relying on it
        $session->setLoggedInUser(get_user($session->get('guid')));
    } elseif (isset($_COOKIE['elggperm'])) {
        // no session user but a remember-me cookie: the stored code is the md5 of the cookie value
        $code_hash = md5($_COOKIE['elggperm']);
        $cookie_user = get_user_by_code($code_hash);
        if ($cookie_user) {
            $session->setLoggedInUser($cookie_user);
            $session->set('code', $code_hash);
        }
    }

    if ($session->has('guid')) {
        set_last_action($session->get('guid'));
    }

    // initialize the deprecated global session wrapper
    global $SESSION;
    $SESSION = new Elgg_DeprecationWrapper(_elgg_services()->session, "\$SESSION is deprecated", 1.9);

    // logout a user with open session who has been banned
    $current = $session->getLoggedInUser();
    if ($current && $current->isBanned()) {
        logout();
        return false;
    }

    return true;
}
 *
 * Sets a flag in the session to let us know who the originally logged in user is.
 */
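// The user performing the switch. Its guid is read unguarded, so this action
// must only be reachable by a logged-in user.
// NOTE(review): confirm elsewhere that the action is gated on a login; nothing
// here handles a missing logged-in user.
$user_guid = get_input('user_guid', 0);
$original_user = elgg_get_logged_in_user_entity();
$original_user_guid = $original_user->guid;

// NOTE(review): get_entity() is not restricted to users; confirm login() rejects
// other entity types, or add an explicit user check here so the intent is visible.
if (!($user = get_entity($user_guid))) {
    register_error(elgg_echo('login_as:unknown_user'));
    forward(REFERER);
}

// store the original persistent login state to restore on logout_as.
// The 'elggperm' cookie is a persistent-login token; it only counts as the
// original user's state if it resolves to the user who is currently logged in.
$persistent = false;
if (isset($_COOKIE['elggperm'])) {
    $code = md5($_COOKIE['elggperm']);
    $original_perm_user = get_user_by_code($code);
    // compare as integers so the result does not depend on whether the guids
    // arrive as int or numeric string, instead of relying on loose ==
    if ($original_perm_user && (int) $original_user->guid === (int) $original_perm_user->guid) {
        $persistent = true;
    }
}

$session = elgg_get_session();
$session->set('login_as_original_user_guid', $original_user_guid);
$session->set('login_as_original_persistent', $persistent);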
try {
    login($user);
    system_message(elgg_echo('login_as:logged_in_as_user', array($user->username)));
} catch (Exception $exc) {
    $session->remove('login_as_original_user_guid');
    $session->remove('login_as_original_persistent');
    register_error(elgg_echo('login_as:could_not_login_as_user', array($user->username)));
    try {
        login($original_user);
/**
 * Initialises the system session and potentially logs the user in
 *
 * Starts the PHP session (database-backed unless $CONFIG->use_file_sessions
 * is set) and then resolves the logged-in user:
 *
 * 1. $_SESSION['guid'] - if present, the user is reloaded with get_user() so
 *    changes made during the session are seen; if the user no longer exists
 *    the keys 'user', 'id', 'guid' and 'code' are unset
 * 2. The cookie 'elggperm' - if no session user exists and the cookie is
 *    present, its value is md5-hashed and looked up with get_user_by_code();
 *    a hit logs the user in
 *
 * When logged out the user keys are unset, not set to 0, so readers must use
 * isset()/empty().
 *
 * @uses $_SESSION
 * @uses $_COOKIE
 *
 * @param string $event       Event name
 * @param string $object_type Object type
 * @param mixed  $object      Object
 *
 * @return bool false when the session user is banned (the session is destroyed),
 *              true otherwise
 */
function session_init($event, $object_type, $object)
{
    global $DB_PREFIX, $CONFIG;

    // HACK to allow access to prefix after object destruction
    $DB_PREFIX = $CONFIG->dbprefix;

    // Use database for sessions unless file sessions are configured
    if (!isset($CONFIG->use_file_sessions)) {
        session_set_save_handler("_elgg_session_open", "_elgg_session_close", "_elgg_session_read", "_elgg_session_write", "_elgg_session_destroy", "_elgg_session_gc");
    }

    session_name('Elgg');
    session_start();

    // Generate a simple token (private from potentially public session id)
    if (!isset($_SESSION['__elgg_session'])) {
        $_SESSION['__elgg_session'] = md5(microtime() . rand());
    }

    // the keys that together describe a logged-in user
    $user_keys = array('user', 'id', 'guid', 'code');

    if (empty($_SESSION['guid'])) {
        // no user session: clear stale keys, then consult the remember-me cookie
        foreach ($user_keys as $key) {
            unset($_SESSION[$key]);
        }

        if (isset($_COOKIE['elggperm'])) {
            // the stored code is the md5 of the raw cookie value
            $cookie_hash = md5($_COOKIE['elggperm']);
            $account = get_user_by_code($cookie_hash);
            if ($account) {
                $_SESSION['user'] = $account;
                $_SESSION['id'] = $account->getGUID();
                $_SESSION['guid'] = $_SESSION['id'];
                $_SESSION['code'] = $_COOKIE['elggperm'];
            }
        }
    } else {
        // existing session: reload the user from the database in case it changed
        $account = get_user($_SESSION['guid']);
        if ($account) {
            $_SESSION['user'] = $account;
            $_SESSION['id'] = $account->getGUID();
            $_SESSION['guid'] = $_SESSION['id'];
        } else {
            // user must have been deleted with a session active
            foreach ($user_keys as $key) {
                unset($_SESSION[$key]);
            }
        }
    }

    if (isset($_SESSION['guid'])) {
        set_last_action($_SESSION['guid']);
    }

    elgg_register_action("login", '', 'public');
    elgg_register_action("logout");

    // Register a default PAM handler
    register_pam_handler('pam_auth_userpass');

    // Initialise the magic session
    global $SESSION;
    $SESSION = new ElggSession();

    // a banned user with an open session is kicked
    if (isset($_SESSION['user']) && $_SESSION['user']->isBanned()) {
        session_destroy();
        return false;
    }

    // the loaded user may have different language preferences
    register_translations(dirname(dirname(dirname(__FILE__))) . "/languages/");

    return true;
}
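/**
 * Initialises the system session and potentially logs the user in
 *
 * Starts the PHP session (database-backed unless $CONFIG->use_file_sessions
 * is set) and then resolves the logged-in user:
 *
 * 1. $_SESSION['guid'] - if present, the user is reloaded with get_user(); if
 *    the user no longer exists the keys 'user', 'id', 'guid' and 'code' are unset
 * 2. The cookie 'elggperm' - if no session user exists and the cookie is
 *    non-empty, it is md5-hashed and looked up with get_user_by_code(); a hit
 *    logs the user in, a miss expires the cookie (after a one second delay when
 *    the value looks like a legacy low-entropy token)
 *
 * A session user whose own remember-me cookie is a legacy token gets a fresh
 * token issued. When logged out the user keys are unset, not set to 0, so
 * readers must use isset()/empty().
 *
 * @uses $_SESSION
 * @uses $_COOKIE
 *
 * @return bool false when the session user is banned (the session is destroyed),
 *              true otherwise
 * @access private
 */
function _elgg_session_boot()
{
    global $DB_PREFIX, $CONFIG;

    // HACK to allow access to prefix after object destruction
    $DB_PREFIX = $CONFIG->dbprefix;

    // Use database for sessions unless file sessions are configured
    if (!isset($CONFIG->use_file_sessions)) {
        session_set_save_handler("_elgg_session_open", "_elgg_session_close", "_elgg_session_read", "_elgg_session_write", "_elgg_session_destroy", "_elgg_session_gc");
    }

    session_name('Elgg');
    session_start();

    // Generate a simple token (private from potentially public session id)
    if (!isset($_SESSION['__elgg_session'])) {
        $_SESSION['__elgg_session'] = ElggCrypto::getRandomString(32, ElggCrypto::CHARS_HEX);
    }

    // test whether we have a user session
    if (empty($_SESSION['guid'])) {
        // clear session variables before checking cookie
        unset($_SESSION['user']);
        unset($_SESSION['id']);
        unset($_SESSION['guid']);
        unset($_SESSION['code']);

        // is there a remember me cookie
        if (!empty($_COOKIE['elggperm'])) {
            // we have a cookie, so try to log the user in; the stored code is the md5 of the raw value
            $code = md5($_COOKIE['elggperm']);
            if ($user = get_user_by_code($code)) {
                // we have a user, log him in
                $_SESSION['user'] = $user;
                $_SESSION['id'] = $user->getGUID();
                $_SESSION['guid'] = $_SESSION['id'];
                $_SESSION['code'] = $_COOKIE['elggperm'];
            } else {
                if (_elgg_is_legacy_remember_me_token($_COOKIE['elggperm'])) {
                    // may be attempt to brute force legacy low-entropy codes
                    sleep(1);
                }
                // the cookie did not resolve to a user, so expire it
                setcookie("elggperm", "", time() - 86400 * 30, "/");
            }
        }
    } else {
        // we have a session and we have already checked the fingerprint
        // reload the user object from database in case it has changed during the session
        if ($user = get_user($_SESSION['guid'])) {
            $_SESSION['user'] = $user;
            $_SESSION['id'] = $user->getGUID();
            $_SESSION['guid'] = $_SESSION['id'];

            // Replace the user's old weaker-entropy code with a new one. This must run
            // here, with a live $user (in the deleted-user branch below get_user() has
            // returned false and $user->save() would fault), and only for a cookie that
            // actually belongs to this user: rotating on a stale cookie left by another
            // account would silently enable persistent login for the current user.
            if (!empty($_COOKIE['elggperm']) && _elgg_is_legacy_remember_me_token($_COOKIE['elggperm'])) {
                $cookie_user = get_user_by_code(md5($_COOKIE['elggperm']));
                if ($cookie_user && (int) $cookie_user->getGUID() === (int) $user->getGUID()) {
                    $code = _elgg_generate_remember_me_token();
                    $_SESSION['code'] = $code;
                    $user->code = md5($code);
                    $user->save();
                    setcookie("elggperm", $code, time() + 86400 * 30, "/");
                }
            }
        } else {
            // user must have been deleted with a session active
            unset($_SESSION['user']);
            unset($_SESSION['id']);
            unset($_SESSION['guid']);
            unset($_SESSION['code']);
        }
    }

    if (isset($_SESSION['guid'])) {
        set_last_action($_SESSION['guid']);
    }

    elgg_register_action('login', '', 'public');
    elgg_register_action('logout');

    // Register a default PAM handler
    register_pam_handler('pam_auth_userpass');

    // Initialise the magic session
    global $SESSION;
    $SESSION = new ElggSession();

    // Finally we ensure that a user who has been banned with an open session is kicked.
    if (isset($_SESSION['user']) && $_SESSION['user']->isBanned()) {
        session_destroy();
        return false;
    }

    return true;
}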