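/**
 * Initialises the system session and potentially logs the user in
 *
 * This function looks for:
 *
 * 1. $_SESSION['id'] - if not present, we're logged out (the key is left unset)
 * 2. The cookie 'elggperm' - if present, checks it for an authentication
 *    token, validates it, and potentially logs the user in
 *
 * @uses $_SESSION
 *
 * @param string $event       Event name
 * @param string $object_type Object type
 * @param mixed  $object      Object
 *
 * @return bool false when the DB is not installed, the session fingerprint
 *              does not match, or the logged-in user is banned; true otherwise
 */
function session_init($event, $object_type, $object) {
	global $DB_PREFIX, $CONFIG;

	if (!is_db_installed()) {
		return false;
	}

	// Use database for sessions
	$DB_PREFIX = $CONFIG->dbprefix; // HACK to allow access to prefix after object destruction

	if (!isset($CONFIG->use_file_sessions)) {
		session_set_save_handler("__elgg_session_open", "__elgg_session_close",
			"__elgg_session_read", "__elgg_session_write",
			"__elgg_session_destroy", "__elgg_session_gc");
	}

	session_name('Elgg');
	session_start();

	// Do some sanity checking by generating a fingerprint (makes some XSS attacks harder).
	// Strict comparison: a loose != would compare two numeric-looking strings as numbers.
	if (isset($_SESSION['__elgg_fingerprint'])) {
		if ($_SESSION['__elgg_fingerprint'] !== get_session_fingerprint()) {
			session_destroy();
			return false;
		}
	} else {
		$_SESSION['__elgg_fingerprint'] = get_session_fingerprint();
	}

	// Generate a simple token (private from potentially public session id)
	// NOTE: microtime() . rand() is not a cryptographically strong source; a later
	// revision of this function draws the token from ElggCrypto::getRandomString() instead.
	if (!isset($_SESSION['__elgg_session'])) {
		$_SESSION['__elgg_session'] = md5(microtime() . rand());
	}

	if (empty($_SESSION['guid'])) {
		// No user in this session: drop every piece of stale identity first, so a
		// failed cookie lookup cannot leave 'user'/'code' behind without 'id'/'guid'.
		unset($_SESSION['user']);
		unset($_SESSION['id']);
		unset($_SESSION['guid']);
		unset($_SESSION['code']);

		// Is there a remember-me cookie?
		if (isset($_COOKIE['elggperm'])) {
			$code = md5($_COOKIE['elggperm']);
			if ($user = get_user_by_code($code)) {
				$_SESSION['user'] = $user;
				$_SESSION['id'] = $user->getGUID();
				$_SESSION['guid'] = $_SESSION['id'];
				$_SESSION['code'] = $_COOKIE['elggperm'];
			}
		}
	} else {
		if (!empty($_SESSION['code'])) {
			// Re-validate the stored code against the database on every request
			$code = md5($_SESSION['code']);
			if ($user = get_user_by_code($code)) {
				$_SESSION['user'] = $user;
				$_SESSION['id'] = $user->getGUID();
				$_SESSION['guid'] = $_SESSION['id'];
			} else {
				unset($_SESSION['user']);
				unset($_SESSION['id']);
				unset($_SESSION['guid']);
				unset($_SESSION['code']);
			}
		} else {
			// A guid without a code is treated as logged out. The cached user object
			// is dropped too, so nothing downstream sees a user with no id/guid.
			unset($_SESSION['user']);
			unset($_SESSION['id']);
			unset($_SESSION['guid']);
			unset($_SESSION['code']);
		}
	}

	// !empty() rather than `> 0`: 'id' is unset in the logged-out paths above and
	// reading it directly raised an undefined-index notice.
	if (!empty($_SESSION['id'])) {
		set_last_action($_SESSION['id']);
	}

	register_action("login", true);
	register_action("logout");

	// Register a default PAM handler
	register_pam_handler('pam_auth_userpass');

	// Initialise the magic session
	global $SESSION;
	$SESSION = new ElggSession();

	// Finally we ensure that a user who has been banned with an open session is kicked.
	if (isset($_SESSION['user']) && $_SESSION['user']->isBanned()) {
		session_destroy();
		return false;
	}

	// Since we have loaded a new user, this user may have different language preferences
	register_translations(dirname(dirname(dirname(__FILE__))) . "/languages/");

	return true;
}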
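/**
 * Initializes the session and checks for the remember me cookie
 *
 * @return bool false when the logged-in user is banned (and has been logged out),
 *              true otherwise
 * @access private
 */
function _elgg_session_boot() {
	elgg_register_action('login', '', 'public');
	elgg_register_action('logout');
	register_pam_handler('pam_auth_userpass');

	$session = _elgg_services()->session;
	$session->start();

	// test whether we have a user session
	if ($session->has('guid')) {
		$user = get_user($session->get('guid'));
		if ($user) {
			$session->setLoggedInUser($user);
		} else {
			// The user was deleted while the session was open. The original passed
			// the failed lookup straight to setLoggedInUser(); drop the session instead.
			$session->invalidate();
		}
	} else {
		// is there a remember me cookie? An empty value is not a token.
		if (!empty($_COOKIE['elggperm'])) {
			// we have a cookie, so try to log the user in
			$code = md5($_COOKIE['elggperm']);
			$user = get_user_by_code($code);
			if ($user) {
				$session->setLoggedInUser($user);
				$session->set('code', $code);
			}
		}
	}

	if ($session->has('guid')) {
		set_last_action($session->get('guid'));
	}

	// initialize the deprecated global session wrapper
	global $SESSION;
	$SESSION = new Elgg_DeprecationWrapper(_elgg_services()->session, "\$SESSION is deprecated", 1.9);

	// logout a user with open session who has been banned
	$user = $session->getLoggedInUser();
	if ($user && $user->isBanned()) {
		logout();
		return false;
	}

	return true;
}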
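/**
 * Initialises the system session and potentially logs the user in
 *
 * This function looks for:
 *
 * 1. $_SESSION['id'] - if not present, we're logged out (the key is left unset)
 * 2. The cookie 'elggperm' - if present, checks it for an authentication
 *    token, validates it, and potentially logs the user in
 *
 * @uses $_SESSION
 *
 * @param string $event       Event name
 * @param string $object_type Object type
 * @param mixed  $object      Object
 *
 * @return bool false when the logged-in user is banned (the session is destroyed),
 *              true otherwise
 */
function session_init($event, $object_type, $object) {
	global $DB_PREFIX, $CONFIG;

	// Use database for sessions
	// HACK to allow access to prefix after object destruction
	$DB_PREFIX = $CONFIG->dbprefix;

	if (!isset($CONFIG->use_file_sessions)) {
		session_set_save_handler("_elgg_session_open", "_elgg_session_close",
			"_elgg_session_read", "_elgg_session_write",
			"_elgg_session_destroy", "_elgg_session_gc");
	}

	session_name('Elgg');
	session_start();

	// Generate a simple token (private from potentially public session id)
	// NOTE: microtime() . rand() is not a cryptographically strong source; a later
	// revision of this function draws the token from ElggCrypto::getRandomString() instead.
	if (!isset($_SESSION['__elgg_session'])) {
		$_SESSION['__elgg_session'] = md5(microtime() . rand());
	}

	// test whether we have a user session
	if (empty($_SESSION['guid'])) {
		// clear session variables before checking cookie
		unset($_SESSION['user']);
		unset($_SESSION['id']);
		unset($_SESSION['guid']);
		unset($_SESSION['code']);

		// is there a remember me cookie? An empty value is not a token and must not
		// be hashed and looked up (the original used isset(), which accepted "").
		if (!empty($_COOKIE['elggperm'])) {
			// we have a cookie, so try to log the user in
			$code = md5($_COOKIE['elggperm']);
			if ($user = get_user_by_code($code)) {
				// we have a user, log him in
				$_SESSION['user'] = $user;
				$_SESSION['id'] = $user->getGUID();
				$_SESSION['guid'] = $_SESSION['id'];
				$_SESSION['code'] = $_COOKIE['elggperm'];
			}
		}
	} else {
		// we have a session; reload the user object from the database in case it
		// has changed during the session (this revision performs no fingerprint check)
		if ($user = get_user($_SESSION['guid'])) {
			$_SESSION['user'] = $user;
			$_SESSION['id'] = $user->getGUID();
			$_SESSION['guid'] = $_SESSION['id'];
		} else {
			// user must have been deleted with a session active
			unset($_SESSION['user']);
			unset($_SESSION['id']);
			unset($_SESSION['guid']);
			unset($_SESSION['code']);
		}
	}

	if (isset($_SESSION['guid'])) {
		set_last_action($_SESSION['guid']);
	}

	elgg_register_action("login", '', 'public');
	elgg_register_action("logout");

	// Register a default PAM handler
	register_pam_handler('pam_auth_userpass');

	// Initialise the magic session
	global $SESSION;
	$SESSION = new ElggSession();

	// Finally we ensure that a user who has been banned with an open session is kicked.
	if (isset($_SESSION['user']) && $_SESSION['user']->isBanned()) {
		session_destroy();
		return false;
	}

	// Since we have loaded a new user, this user may have different language preferences
	register_translations(dirname(dirname(dirname(__FILE__))) . "/languages/");

	return true;
}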
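/**
 * Initializes the session and checks for the remember me cookie
 *
 * @return bool false when the session user no longer exists or is banned,
 *              true otherwise
 * @access private
 */
function _elgg_session_boot() {
	elgg_register_action('login', '', 'public');
	elgg_register_action('logout');
	register_pam_handler('pam_auth_userpass');

	$session = _elgg_services()->session;
	$session->start();

	// test whether we have a user session
	if ($session->has('guid')) {
		$user = get_user($session->get('guid'));
		if (!$user) {
			// OMG user has been deleted.
			$session->invalidate();
			forward('');
			// forward() is expected to end the request; return explicitly so that a
			// failed lookup is never handed to setLoggedInUser() should it come back.
			return false;
		}
		$session->setLoggedInUser($user);
		_elgg_services()->persistentLogin->replaceLegacyToken($user);
	} else {
		// no session user: let the persistent-login service consult the cookie
		$user = _elgg_services()->persistentLogin->bootSession();
		if ($user) {
			$session->setLoggedInUser($user);
		}
	}

	if ($session->has('guid')) {
		set_last_action($session->get('guid'));
	}

	// initialize the deprecated global session wrapper
	global $SESSION;
	$SESSION = new \Elgg\DeprecationWrapper($session, "\$SESSION is deprecated", 1.9);

	// logout a user with open session who has been banned
	$user = $session->getLoggedInUser();
	if ($user && $user->isBanned()) {
		logout();
		return false;
	}

	return true;
}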
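/**
 * Initializes the session and checks for the remember me cookie
 *
 * @return bool false when the session user no longer exists or is banned,
 *              true otherwise
 * @access private
 */
function _elgg_session_boot() {
	$timer = _elgg_services()->timer;
	$timer->begin([__FUNCTION__]);

	elgg_register_action('login', '', 'public');
	elgg_register_action('logout');
	register_pam_handler('pam_auth_userpass');

	$session = _elgg_services()->session;
	$session->start();

	// test whether we have a user session
	if ($session->has('guid')) {
		$user = _elgg_services()->entityTable->get($session->get('guid'), 'user');
		if (!$user) {
			// OMG user has been deleted.
			$session->invalidate();
			forward('');
			// forward() is expected to end the request; close the timer and return
			// explicitly so a failed lookup never reaches setLoggedInUser().
			$timer->end([__FUNCTION__]);
			return false;
		}
		$session->setLoggedInUser($user);
		_elgg_services()->persistentLogin->replaceLegacyToken($user);
	} else {
		// no session user: let the persistent-login service consult the cookie
		$user = _elgg_services()->persistentLogin->bootSession();
		if ($user) {
			$session->setLoggedInUser($user);
		}
	}

	if ($session->has('guid')) {
		set_last_action($session->get('guid'));
	}

	// logout a user with open session who has been banned
	$user = $session->getLoggedInUser();
	if ($user && $user->isBanned()) {
		logout();
		// the original returned here without ending the timer it began
		$timer->end([__FUNCTION__]);
		return false;
	}

	$timer->end([__FUNCTION__]);
	return true;
}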
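/**
 * Initialises the system session and potentially logs the user in
 *
 * This function looks for:
 *
 * 1. $_SESSION['id'] - if not present, we're logged out (the key is left unset)
 * 2. The cookie 'elggperm' - if present, checks it for an authentication
 *    token, validates it, and potentially logs the user in
 *
 * @uses $_SESSION
 *
 * @return bool false when the logged-in user is banned (the session is destroyed),
 *              true otherwise
 * @access private
 */
function _elgg_session_boot() {
	global $DB_PREFIX, $CONFIG;

	// Use database for sessions
	// HACK to allow access to prefix after object destruction
	$DB_PREFIX = $CONFIG->dbprefix;

	if (!isset($CONFIG->use_file_sessions)) {
		session_set_save_handler("_elgg_session_open", "_elgg_session_close",
			"_elgg_session_read", "_elgg_session_write",
			"_elgg_session_destroy", "_elgg_session_gc");
	}

	session_name('Elgg');
	session_start();

	// Generate a simple token (private from potentially public session id)
	if (!isset($_SESSION['__elgg_session'])) {
		$_SESSION['__elgg_session'] = ElggCrypto::getRandomString(32, ElggCrypto::CHARS_HEX);
	}

	// test whether we have a user session
	if (empty($_SESSION['guid'])) {
		// clear session variables before checking cookie
		unset($_SESSION['user']);
		unset($_SESSION['id']);
		unset($_SESSION['guid']);
		unset($_SESSION['code']);

		// is there a remember me cookie
		if (!empty($_COOKIE['elggperm'])) {
			// we have a cookie, so try to log the user in
			$code = md5($_COOKIE['elggperm']);
			if ($user = get_user_by_code($code)) {
				// we have a user, log him in
				$_SESSION['user'] = $user;
				$_SESSION['id'] = $user->getGUID();
				$_SESSION['guid'] = $_SESSION['id'];
				$_SESSION['code'] = $_COOKIE['elggperm'];
			} else {
				if (_elgg_is_legacy_remember_me_token($_COOKIE['elggperm'])) {
					// may be attempt to brute force legacy low-entropy codes
					sleep(1);
				}
				// NOTE(review): cookies are set without the secure/httponly flags; confirm
				// whether site cookie settings are expected to be applied here.
				setcookie("elggperm", "", time() - 86400 * 30, "/");
			}
		}
	} else {
		// we have a session; reload the user object from the database in case it
		// has changed during the session
		if ($user = get_user($_SESSION['guid'])) {
			$_SESSION['user'] = $user;
			$_SESSION['id'] = $user->getGUID();
			$_SESSION['guid'] = $_SESSION['id'];

			// Rotate a legacy remember-me token for this (valid) user. The original
			// placed this in the "user deleted" branch below, where $user is false
			// and $user->code / $user->save() cannot succeed.
			if (!empty($_COOKIE['elggperm']) && _elgg_is_legacy_remember_me_token($_COOKIE['elggperm'])) {
				// replace user's old weaker-entropy code with new one
				$code = _elgg_generate_remember_me_token();
				$_SESSION['code'] = $code;
				$user->code = md5($code);
				$user->save();
				setcookie("elggperm", $code, time() + 86400 * 30, "/");
			}
		} else {
			// user must have been deleted with a session active
			unset($_SESSION['user']);
			unset($_SESSION['id']);
			unset($_SESSION['guid']);
			unset($_SESSION['code']);
		}
	}

	if (isset($_SESSION['guid'])) {
		set_last_action($_SESSION['guid']);
	}

	elgg_register_action('login', '', 'public');
	elgg_register_action('logout');

	// Register a default PAM handler
	register_pam_handler('pam_auth_userpass');

	// Initialise the magic session
	global $SESSION;
	$SESSION = new ElggSession();

	// Finally we ensure that a user who has been banned with an open session is kicked.
	if (isset($_SESSION['user']) && $_SESSION['user']->isBanned()) {
		session_destroy();
		return false;
	}

	return true;
}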