getRandomString() public method

Uses the supplied character list to generate the new string. If no character list is provided, the Base64 URL character set is used.
See also: https://github.com/zendframework/zf2/blob/master/library/Zend/Math/Rand.php#L179
public getRandomString ( integer $length, string | null $chars = null ) : string
$length integer Desired length of the string
$chars string | null Characters to be chosen from randomly. If not given, the Base64 URL charset will be used.
return string The random string
Ejemplo n.º 1
/**
 * Create and persist the site secret.
 *
 * The secret is 32 characters long: a leading "z" marks the encoding format,
 * followed by 31 Base64 URL characters (186 bits) from ElggCrypto::getRandomString().
 * It is written through datalist_set() under the key '__site_secret__'
 * (used during installation).
 *
 * Note: older secrets were hex encoded and carry no "z" prefix.
 *
 * @return string|false The newly generated secret, or false if datalist_set() failed
 * @access private
 * @todo Move to better file.
 */
function init_site_secret()
{
    $secret = 'z' . ElggCrypto::getRandomString(31);
    // Only report the secret back to the caller once it has been stored.
    return datalist_set('__site_secret__', $secret) ? $secret : false;
}
Ejemplo n.º 2
/**
 * Produce a fresh 8-character salt for password hashing.
 *
 * Characters come from ElggCrypto::getRandomString()'s default alphabet
 * (Base64 URL), so the salt is safe to store and transport verbatim.
 *
 * @return string
 * @access private
 */
function _elgg_generate_password_salt()
{
    $saltLength = 8;
    return ElggCrypto::getRandomString($saltLength);
}
Ejemplo n.º 3
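/**
 * Initialises the system session and potentially logs the user in
 *
 * This function looks for:
 *
 * 1. $_SESSION['guid'] - if empty, every user-related session key is cleared
 *    and the visitor is treated as logged out
 * 2. The cookie 'elggperm' - if present, its value is hashed and looked up as
 *    a remember-me token; a match logs the user in, a miss expires the cookie
 *
 * Side effects: installs the database session handler unless
 * $CONFIG->use_file_sessions is set, starts the PHP session, registers the
 * 'login'/'logout' actions and the 'pam_auth_userpass' PAM handler, and
 * creates the global $SESSION object.
 *
 * @uses $_SESSION
 *
 * @return bool false when the session belongs to a banned user (the session is
 *              destroyed first), true otherwise
 * @access private
 */
function _elgg_session_boot()
{
    global $DB_PREFIX, $CONFIG;
    // Use database for sessions
    // HACK to allow access to prefix after object destruction
    $DB_PREFIX = $CONFIG->dbprefix;
    if (!isset($CONFIG->use_file_sessions)) {
        session_set_save_handler("_elgg_session_open", "_elgg_session_close", "_elgg_session_read", "_elgg_session_write", "_elgg_session_destroy", "_elgg_session_gc");
    }
    session_name('Elgg');
    session_start();
    // Generate a simple token (private from potentially public session id)
    if (!isset($_SESSION['__elgg_session'])) {
        $_SESSION['__elgg_session'] = ElggCrypto::getRandomString(32, ElggCrypto::CHARS_HEX);
    }
    // test whether we have a user session
    if (empty($_SESSION['guid'])) {
        // clear session variables before checking cookie
        unset($_SESSION['user'], $_SESSION['id'], $_SESSION['guid'], $_SESSION['code']);
        // is there a remember me cookie
        if (!empty($_COOKIE['elggperm'])) {
            // we have a cookie, so try to log the user in.
            // Only the md5() of the token is stored, so the lookup is by hash and
            // the raw cookie value never reaches the database.
            $code = md5($_COOKIE['elggperm']);
            if ($user = get_user_by_code($code)) {
                // we have a user, log him in
                // NOTE(review): the session id is not regenerated on this
                // privilege change - confirm whether session_regenerate_id()
                // is expected here.
                $_SESSION['user'] = $user;
                $_SESSION['id'] = $user->getGUID();
                $_SESSION['guid'] = $_SESSION['id'];
                $_SESSION['code'] = $_COOKIE['elggperm'];
            } else {
                if (_elgg_is_legacy_remember_me_token($_COOKIE['elggperm'])) {
                    // may be attempt to brute force legacy low-entropy codes
                    sleep(1);
                }
                // expire the unusable cookie so it is not retried on every request
                setcookie("elggperm", "", time() - 86400 * 30, "/");
            }
        }
    } else {
        // we have a session and we have already checked the fingerprint
        // reload the user object from database in case it has changed during the session
        if ($user = get_user($_SESSION['guid'])) {
            $_SESSION['user'] = $user;
            $_SESSION['id'] = $user->getGUID();
            $_SESSION['guid'] = $_SESSION['id'];
            // replace user's old weaker-entropy code with new one.
            // This needs the loaded ElggUser ($user->save()), so it runs only
            // on the branch where get_user() succeeded.
            if (!empty($_COOKIE['elggperm']) && _elgg_is_legacy_remember_me_token($_COOKIE['elggperm'])) {
                $code = _elgg_generate_remember_me_token();
                $_SESSION['code'] = $code;
                $user->code = md5($code);
                $user->save();
                setcookie("elggperm", $code, time() + 86400 * 30, "/");
            }
        } else {
            // user must have been deleted with a session active
            unset($_SESSION['user'], $_SESSION['id'], $_SESSION['guid'], $_SESSION['code']);
        }
    }
    if (isset($_SESSION['guid'])) {
        set_last_action($_SESSION['guid']);
    }
    elgg_register_action('login', '', 'public');
    elgg_register_action('logout');
    // Register a default PAM handler
    register_pam_handler('pam_auth_userpass');
    // Initialise the magic session
    global $SESSION;
    $SESSION = new ElggSession();
    // Finally we ensure that a user who has been banned with an open session is kicked.
    if (isset($_SESSION['user']) && $_SESSION['user']->isBanned()) {
        session_destroy();
        return false;
    }
    return true;
}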