private function showLoginForm($sLogin, $sUrlRedirect, $bRememberMe, $sError = false)
{
//display login form
$sFormAction = AnwUtils::alink("login");
$this->out .= $this->tpl()->loginForm($sFormAction, $sLogin, $sUrlRedirect, $bRememberMe, AnwSessions::isResumeEnabled(), $sError);
$this->headJsOnload($this->tpl()->loginFormJs());
}
private function saveSession($oSession, $bCreateSessionIfNotExists = false)
{
$sSessionId = $oSession->getId();
if ($oSession->isLoggedIn()) {
//purge the old sessions from database (needed for the update/insert test)
$this->purgeExpiredSessionsFromDatabase();
//try to update session in database (if it already exists)
$sSessionIdentifier = AnwEnv::calculateSessionIdentifier();
$sSessionCode = self::generateSessionCode();
//a new code is generated (even if session already exists) to prevent session stealing
$nSessionUser = $oSession->getUser()->getId();
$sSessionResume = $oSession->isResume() ? 1 : 0;
$nSessionTimeSeen = time();
$asData = array("SessionIdentifier" => $this->db()->strtosql($sSessionIdentifier), "SessionCode" => $this->db()->strtosql($sSessionCode), "SessionUser" => $this->db()->inttosql($nSessionUser), "SessionResume" => $this->db()->strtosql($sSessionResume), "SessionTimeSeen" => $this->db()->inttosql($nSessionTimeSeen));
$this->db()->do_update($asData, "session", "WHERE SessionId=" . $this->db()->strtosql($sSessionId));
//otherwise, we may need to INSERT this new session or to kill it
if ($this->db()->affected_rows() != 1) {
if ($bCreateSessionIfNotExists) {
//user is logging in, it's normal that the session doesn't exist in database.
$asData["SessionId"] = $this->db()->strtosql($sSessionId);
$asData["SessionTimeStart"] = $this->db()->inttosql(time());
$asData["SessionTimeAuth"] = $this->db()->inttosql(time());
$this->db()->do_insert($asData, "session");
} else {
//here, the session is supposed to exist in database, but isn't found.
//this can happend in the following situations:
// - The session has expired (DurationIdle or DurationMax)
// - An user was using a session, when someone tried to steal it. The session was killed for security reasons.
// - An administrator has killed the session.
// - The session has expired.
//In both situations, the current session is no longer safe and must be closed.
self::debug("WARNING: Session doesn't exist in database, but session creation is NOT expected. Logging out.");
AnwCurrentSession::logout();
return;
}
}
//remember current session in cookies
$nCookieExpires = AnwSessions::isResumeEnabled() && $oSession->isResume() ? time() + $this->cfgResumeDelayMax() : 0;
AnwEnv::putCookie(self::COOKIE_SESSION_ID, $sSessionId, $nCookieExpires);
AnwEnv::putCookie(self::COOKIE_SESSION_CODE, $sSessionCode, $nCookieExpires);
AnwEnv::putSession(self::SESSION_CODE, $sSessionCode);
} else {
//unset cookies
AnwEnv::unsetCookie(self::COOKIE_SESSION_ID);
AnwEnv::unsetCookie(self::COOKIE_SESSION_CODE);
}
}
