 /**
  * Authenticate user.
  *
  * Takes the current user from the container; if nobody is authenticated
  * yet, resolves a username from the form (falling back to the remember-me
  * login when none was posted), loads that user and checks the posted
  * password. On success the user is stored in the session and container
  * and the remember-me cookie is created or cleared as requested. The
  * final answer is additionally gated by the 'site.login' ACL permission.
  *
  * @param  array $form Form fields.
  *
  * @return bool
  */
 protected function authenticate($form)
 {
     /** @var User $user */
     $user = $this->grav['user'];

     if (!$user->authenticated) {
         // No posted username: let the remember-me cookie supply one.
         $username = $form['username'] ?? $this->rememberMe->login();

         // Normal login process
         $user = User::load($username);

         // A login attempt needs an existing account plus both credentials
         // (empty() also rejects the literal '0', as before).
         $canAttemptLogin = $user->exists()
             && !empty($form['username'])
             && !empty($form['password']);

         if ($canAttemptLogin) {
             // Authenticate user
             $user->authenticated = $user->authenticate($form['password']);

             if ($user->authenticated) {
                 $this->grav['session']->user = $user;
                 // Replace the container's user entry with the authenticated instance.
                 unset($this->grav['user']);
                 $this->grav['user'] = $user;
                 // NOTE(review): no session id rotation is visible here; confirm the
                 // session layer regenerates the id on login.

                 // If the user wants to be remembered, create Rememberme cookie;
                 // otherwise drop the cookie and every stored triplet for the account.
                 if (!empty($form['rememberme'])) {
                     $this->rememberMe->createCookie($form['username']);
                 } else {
                     $this->rememberMe->clearCookie();
                     $this->rememberMe->getStorage()->cleanAllTriplets($user->get('username'));
                 }
             }
         }
     }

     // Authorize against user ACL
     $authorized = $user->authorize('site.login');
     $user->authenticated = $user->authenticated && $authorized;

     return $user->authenticated;
 }
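 /**
  * Tell whether the current request belongs to a logged-in user.
  *
  * A session that carries a user id and has not passed its expiry is
  * accepted and its expiry is pushed forward. Otherwise a present and
  * valid remember-me cookie may re-establish the session; that login is
  * flagged in $_SESSION['rememberedByCookie'] so callers can tell a cookie
  * login from a form login.
  *
  * Fix: the cookie-login success path previously fell off the end of the
  * method (returning null, which is falsy) even though the user had just
  * been loaded into the session; it now returns true. The remaining
  * failure paths return false explicitly.
  *
  * @return bool true when a user is (now) logged in, false otherwise.
  *
  * @throws \Exception when a remember-me cookie is present but its login
  *                    token is invalid (Resource::STATUS_BAD_REQUEST).
  */
 public function loggedIn()
 {
     $rememberMeStorage = new RemembermeMongoStorage($this->getDocumentManager());
     $rememberMe = new Rememberme\Authenticator($rememberMeStorage);

     // Sessions are kept alive for one hour past the last activity.
     $sessionLifetime = 3600;

     $hasLiveSession = isset($_SESSION['userId'], $_SESSION['expiresAt'])
         && $_SESSION['expiresAt'] > time();
     if ($hasLiveSession) {
         // Renew session on every activity
         $_SESSION['expiresAt'] = time() + $sessionLifetime;
         return true;
     }

     // Without a usable remember-me cookie there is nothing more to try.
     if (empty($_COOKIE[$rememberMe->getCookieName()]) || !$rememberMe->cookieIsValid()) {
         return false;
     }

     // Remember me cookie
     $loginresult = $rememberMe->login();
     if (!$loginresult) {
         if ($rememberMe->loginTokenWasInvalid()) {
             throw new \Exception('Remember me cookie invalid!', Resource::STATUS_BAD_REQUEST);
         }
         // Cookie did not yield a login and was not flagged invalid: not logged in.
         return false;
     }

     // Load user into session and return true
     $_SESSION['userId'] = $loginresult;
     $_SESSION['expiresAt'] = time() + $sessionLifetime;
     // Record that this login came from a cookie rather than a form, so callers
     // may treat it as less trusted.
     $_SESSION['rememberedByCookie'] = true;
     // NOTE(review): no session id rotation is visible here; confirm the session
     // layer regenerates the id when a cookie login establishes a session.

     return true;
 }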
        redirect(true);
    }
    if (!empty($_GET['completelogout'])) {
        $storage->cleanAllTriplets($_SESSION['username']);
        redirect(true);
    }
    // Check, if the Rememberme cookie exists and is still valid.
    // If not, we log out the current session
    if (!empty($_COOKIE[$rememberMe->getCookieName()]) && !$rememberMe->cookieIsValid()) {
        redirect(true);
    }
    // User is still logged in - show content
    $content = tpl("user_is_logged_in");
} else {
    // If we can present the correct tokens from the cookie, we are logged in
    $loginresult = $rememberMe->login();
    if ($loginresult) {
        $_SESSION['username'] = $loginresult;
        // There is a chance that an attacker has stolen the login token, so we store
        // the fact that the user was logged in via RememberMe (instead of login form)
        $_SESSION['remembered_by_cookie'] = true;
        redirect();
    } else {
        // If $rememberMe returned false, check if the token was invalid
        if ($rememberMe->loginTokenWasInvalid()) {
            $content = tpl("cookie_was_stolen");
        } else {
            if (!empty($_POST)) {
                if ($username == $_POST['username'] && $password == $_POST['password']) {
                    session_regenerate_id();
                    $_SESSION['username'] = $username;