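/**
 * SSO login based on an SSL client certificate.
 *
 * With a client certificate there is no password to verify; the login is
 * accepted when:
 *   1. the request was served over SSL (mod_ssl exported SSL_PROTOCOL), and
 *   2. the login read from the configured certificate field
 *      ($authCfg['SSO_uid_field']) exists in the DB and the user is active.
 *
 * On success the security cookie is set and the user is stored in $_SESSION,
 * unless a session is already open in this browser (then only a message is
 * returned and the status stays tl::ERROR).
 *
 * @param mixed      $dbHandler           open database handler (by reference, as the callers pass it)
 * @param array      $apache_mod_ssl_env  environment exported by Apache mod_ssl (SSL_* variables)
 * @param array|null $authCfg             authentication config; config_get('authentication') when null
 *
 * @return array map with keys 'status' (tl::OK / tl::ERROR) and 'msg' (string|null)
 */
function doSSOClientCertificate(&$dbHandler, $apache_mod_ssl_env, $authCfg = null)
{
    global $g_tlLogger;
    $result = array('status' => tl::ERROR, 'msg' => null);

    // Only trust the certificate-derived identity when mod_ssl actually
    // handled this request over SSL.
    if (!isset($apache_mod_ssl_env['SSL_PROTOCOL'])) {
        return $result;
    }
    // NOTE(review): SSL_PROTOCOL only proves the transport was TLS; whether
    // the client certificate was verified against the CA chain depends on the
    // web server's SSLVerifyClient setting, which this code does not check.
    // The server config must require a verified certificate for the SSO
    // field to be trustworthy — TODO confirm with the deployment docs.

    if (is_null($authCfg)) {
        $authCfg = config_get('authentication');
    }

    // isset() avoids an undefined-index notice when the configured field is
    // absent from the environment; a null value counts as "no login" as before.
    $uidField = $authCfg['SSO_uid_field'];
    $login = isset($apache_mod_ssl_env[$uidField]) ? $apache_mod_ssl_env[$uidField] : null;
    if (is_null($login)) {
        return $result;
    }

    $user = new tlUser();
    $user->login = $login;
    $loginExists = $user->readFromDB($dbHandler, tlUser::USER_O_SEARCH_BYLOGIN) >= tl::OK;

    if (!$loginExists || !$user->isActive) {
        // Unknown or inactive login: record the attempt and stay in ERROR state.
        logAuditEvent(TLS("audit_login_failed", $login, $_SERVER['REMOTE_ADDR']), "LOGIN_FAILED", $user->dbID, "users");
        return $result;
    }

    // Set the auth cookie following the Mantis model.
    // expire = 0: session cookie, dropped when the browser closes (same as the
    //   previous `false` argument).
    // secure = true: we already know this request came over SSL, so never let
    //   the browser send the auth cookie in clear text.
    // httponly = true: keeps the cookie out of reach of page script (XSS);
    //   assumes no client-side code reads it — TODO confirm.
    $auth_cookie_name = config_get('auth_cookie');
    setcookie($auth_cookie_name, $user->getSecurityCookie(), 0, '/', '', true, true);

    // Disallow two sessions within one browser.
    if (isset($_SESSION['currentUser']) && !is_null($_SESSION['currentUser'])) {
        $result['msg'] = lang_get('login_msg_session_exists1') . ' <a style="color:white;" href="logout.php">' . lang_get('logout_link') . '</a>' . lang_get('login_msg_session_exists2');
        return $result;
    }

    // Store the user's session information.
    $_SESSION['currentUser'] = $user;
    $_SESSION['lastActivity'] = time();
    $g_tlLogger->endTransaction();
    $g_tlLogger->startTransaction();
    setUserSession($dbHandler, $user->login, $user->dbID, $user->globalRoleID, $user->emailAddress, $user->locale, null);
    $result['status'] = tl::OK;

    return $result;
}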
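list($args, $gui) = initEnv();

// Verify the session during work (Mantisbt approach): the session is only
// kept when the browser's security cookie matches the one recomputed from
// fresh DB data; anything else sends the user back to login.
$redir2login = true;
if (isset($_SESSION['currentUser'])) {
    $securityCookie = tlUser::auth_get_current_user_cookie();
    if (!is_null($securityCookie)) {
        // Reload the user from the DB before asking for the security cookie,
        // so the comparison uses current data rather than the session copy.
        doDBConnect($db, database::ONERROREXIT);
        $user = new tlUser();
        $user->dbID = $_SESSION['currentUser']->dbID;
        $user->readFromDB($db);
        $dbSecurityCookie = $user->getSecurityCookie();
        // The browser-supplied cookie is untrusted input: compare it strictly
        // and in constant time. PHP's loose != would type-juggle numeric-looking
        // strings (e.g. "0e..." values) into a false match.
        $redir2login = !hash_equals((string) $dbSecurityCookie, (string) $securityCookie);
    }
}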
if ($redir2login) {
    // destroy user in session as security measure
    unset($_SESSION['currentUser']);
    // If no session exists it is better, in order to support other
    // authentication methods/schemas, to treat this as a sort of FIRST access.
    //
    // When TL understands that a session exists but has expired,
    // it is OK to call login with the expired indication, but that is not this case.
    //
    // Dev Notes:
    // may be we are going to login.php and it will call us again!