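/**
 * Checks if there is a session with valid auth information.
 *
 * The checks run in this order; the first one that fails records its reason
 * in $this->status, logs the user out and returns false:
 *   1. absolute session lifetime ($this->expire, against session 'timestamp')
 *   2. maximum idle time ($this->idle, against session 'idle')
 *   3. a registered, non-empty user name in the session
 *   4. with $this->advancedsecurity: client IP, X-Forwarded-For, user agent
 *      and the rotating challenge cookie must all still match the session
 *   5. the optional $this->checkAuthCallback must not return a falsy value
 *
 * @access public
 * @return boolean Whether or not the user is authenticated.
 */
function checkAuth()
{
    $this->log('Auth::checkAuth() called.', AUTH_LOG_DEBUG);
    $this->authChecks++;

    if (!isset($this->session)) {
        $this->log('Unable to locate session storage.', AUTH_LOG_DEBUG);
        return false;
    }

    // 1. Absolute session lifetime.
    if ($this->expire > 0
        && isset($this->session['timestamp'])
        && $this->session['timestamp'] + $this->expire < time()
    ) {
        $this->log('Session Expired', AUTH_LOG_INFO);
        $this->expired = true;
        $this->status  = AUTH_EXPIRED;
        $this->logout();
        return false;
    }

    // 2. Maximum idle time.
    if ($this->idle > 0
        && isset($this->session['idle'])
        && $this->session['idle'] + $this->idle < time()
    ) {
        $this->log('Session Idle Time Reached', AUTH_LOG_INFO);
        $this->idled  = true;
        $this->status = AUTH_IDLED;
        $this->logout();
        return false;
    }

    // 3. Registered user with a name. empty() covers the unset and "== true"
    //    cases in one call; the string cast keeps "0" as a valid name on
    //    every PHP version instead of relying on loose != ''.
    if (empty($this->session['registered'])
        || !isset($this->session['username'])
        || (string) $this->session['username'] === ''
    ) {
        // Same outcome as a missing session: nothing usable is stored in it.
        $this->log('Unable to locate session storage.', AUTH_LOG_DEBUG);
        return false;
    }

    $this->updateIdle();

    // 4. Advanced security: bind the session to the client's request fingerprint.
    if ($this->advancedsecurity) {
        $this->log('Advanced Security Mode Enabled.', AUTH_LOG_DEBUG);

        // Rotate the challenge only on the first check of this request; later
        // checkAuth() calls in the same request must still see the same pair.
        if ($this->authChecks == 1) {
            $this->log('Generating new Challenge Cookie.', AUTH_LOG_DEBUG);
            // On the very first request there is no previous challenge, which
            // leaves challengecookieold null and skips the mismatch check below.
            $this->session['challengecookieold'] = isset($this->session['challengecookie'])
                ? $this->session['challengecookie']
                : null;
            if (function_exists('random_bytes')) {
                // Unpredictable token; md5(key . microtime()) is kept only as
                // the fallback for PHP versions without a CSPRNG.
                $challenge = bin2hex(random_bytes(16));
            } else {
                $key = isset($this->session['challengekey']) ? $this->session['challengekey'] : '';
                $challenge = md5($key . microtime());
            }
            $this->session['challengecookie'] = $challenge;
            // httponly: the challenge is only ever read back server-side from
            // $this->cookie, so script access to it is never needed.
            setcookie('authchallenge', $challenge, 0, '', '', false, true);
        }

        // Request properties that must not change for the lifetime of the
        // session: server key => (session key, label used in the breach log).
        $bindings = array(
            'REMOTE_ADDR'          => array('sessionip', 'Remote IP Address'),
            'HTTP_X_FORWARDED_FOR' => array('sessionforwardedfor', 'Forwarded For IP Address'),
            'HTTP_USER_AGENT'      => array('sessionuseragent', 'User Agent'),
        );
        foreach ($bindings as $serverKey => $binding) {
            list($sessionKey, $label) = $binding;
            if (!isset($this->server[$serverKey])) {
                continue;
            }
            // A session that never recorded the value counts as changed, which
            // is what the previous loose "null != value" comparison did too.
            if (!isset($this->session[$sessionKey])
                || (string) $this->session[$sessionKey] !== (string) $this->server[$serverKey]
            ) {
                $this->log('Security Breach. ' . $label . ' changed.', AUTH_LOG_INFO);
                $this->expired = true;
                $this->status  = AUTH_SECURITY_BREACH;
                $this->logout();
                return false;
            }
        }

        // The client must present the challenge handed out on the previous
        // request. challengecookieold is null on the first request, so the
        // check is skipped then. A missing cookie counts as a mismatch.
        // TODO: two requests in flight at once (new window, new tab) race on
        // the rotation and trip this check; no workaround is known yet.
        if (isset($this->session['challengecookieold'])) {
            $expected  = (string) $this->session['challengecookieold'];
            $presented = isset($this->cookie['authchallenge'])
                ? (string) $this->cookie['authchallenge']
                : '';
            // Constant-time comparison where the runtime offers it.
            $matches = function_exists('hash_equals')
                ? hash_equals($expected, $presented)
                : $expected === $presented;
            if (!$matches) {
                $this->log('Security Breach. Challenge Cookie mismatch.', AUTH_LOG_INFO);
                $this->expired = true;
                $this->status  = AUTH_SECURITY_BREACH;
                $this->logout();
                $this->login();
                return false;
            }
        }
    }

    // 5. Application-supplied veto.
    if (is_callable($this->checkAuthCallback)) {
        $callback = $this->checkAuthCallback;
        if (is_array($callback)) {
            // An array callable cannot be concatenated into the log line
            // directly (array-to-string conversion), so spell it out.
            $callbackName = (is_object($callback[0]) ? get_class($callback[0]) : $callback[0])
                . '::' . $callback[1];
        } elseif (is_object($callback)) {
            $callbackName = get_class($callback);
        } else {
            $callbackName = (string) $callback;
        }
        $this->log('Calling checkAuthCallback (' . $callbackName . ').', AUTH_LOG_DEBUG);
        // The callback receives ($username, &$auth). Handing over a local that
        // holds the object satisfies by-reference callback signatures without
        // taking a reference to $this itself, which newer PHP versions restrict.
        $auth = $this;
        $checkCallback = call_user_func_array($callback, array($this->username, &$auth));
        if (!$checkCallback) {
            $this->log('checkAuthCallback failed.', AUTH_LOG_INFO);
            $this->expired = true;
            $this->status  = AUTH_CALLBACK_ABORT;
            $this->logout();
            return false;
        }
    }

    $this->log('Session OK.', AUTH_LOG_INFO);
    return true;
}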
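/**
 * Checks if there is a session with valid auth information.
 *
 * The checks run in this order; the first one that fails records its reason
 * in $this->status, logs the user out and returns false:
 *   1. absolute session lifetime ($this->expire, against session 'timestamp')
 *   2. maximum idle time ($this->idle, against session 'idle')
 *   3. a registered, non-empty user name in the session
 *   4. with $this->advancedsecurity: client IP, user agent and the rotating
 *      challenge cookie must still match what the session recorded
 *
 * @access private
 * @return boolean Whether or not the user is authenticated.
 */
function checkAuth()
{
    $this->authChecks++;

    if (!isset($this->session)) {
        return false;
    }

    // 1. Absolute session lifetime.
    if ($this->expire > 0
        && isset($this->session['timestamp'])
        && $this->session['timestamp'] + $this->expire < time()
    ) {
        $this->expired = true;
        $this->status  = AUTH_EXPIRED;
        $this->logout();
        return false;
    }

    // 2. Maximum idle time.
    if ($this->idle > 0
        && isset($this->session['idle'])
        && $this->session['idle'] + $this->idle < time()
    ) {
        $this->idled  = true;
        $this->status = AUTH_IDLED;
        $this->logout();
        return false;
    }

    // 3. Registered user with a name. empty() covers the unset and "== true"
    //    cases in one call; the string cast keeps "0" as a valid name on
    //    every PHP version instead of relying on loose != ''.
    if (empty($this->session['registered'])
        || !isset($this->session['username'])
        || (string) $this->session['username'] === ''
    ) {
        return false;
    }

    $this->updateIdle();

    // 4. Advanced security: bind the session to the client's request fingerprint.
    if ($this->advancedsecurity) {
        // Rotate the challenge only on the first check of this request; later
        // checkAuth() calls in the same request must still see the same pair.
        if ($this->authChecks == 1) {
            // On the very first request there is no previous challenge, which
            // leaves challengecookieold null and skips the mismatch check below.
            $this->session['challengecookieold'] = isset($this->session['challengecookie'])
                ? $this->session['challengecookie']
                : null;
            if (function_exists('random_bytes')) {
                // Unpredictable token; md5(key . microtime()) is kept only as
                // the fallback for PHP versions without a CSPRNG.
                $challenge = bin2hex(random_bytes(16));
            } else {
                $key = isset($this->session['challengekey']) ? $this->session['challengekey'] : '';
                $challenge = md5($key . microtime());
            }
            $this->session['challengecookie'] = $challenge;
            // httponly: the challenge is only ever read back server-side from
            // $this->cookie, so script access to it is never needed.
            setcookie('authchallenge', $challenge, 0, '', '', false, true);
        }

        // Request properties that must not change for the lifetime of the
        // session: server key => session key holding the value seen at login.
        $bindings = array(
            'REMOTE_ADDR'     => 'sessionip',
            'HTTP_USER_AGENT' => 'sessionuseragent',
        );
        foreach ($bindings as $serverKey => $sessionKey) {
            if (!isset($this->server[$serverKey])) {
                continue;
            }
            // A session that never recorded the value counts as changed, which
            // is what the previous loose "null != value" comparison did too.
            if (!isset($this->session[$sessionKey])
                || (string) $this->session[$sessionKey] !== (string) $this->server[$serverKey]
            ) {
                $this->expired = true;
                $this->status  = AUTH_SECURITY_BREACH;
                $this->logout();
                return false;
            }
        }

        // The client must present the challenge handed out on the previous
        // request. challengecookieold is null on the first request, so the
        // check is skipped then. A missing cookie counts as a mismatch.
        // TODO: two requests in flight at once (new window, new tab) race on
        // the rotation and trip this check; no workaround is known yet.
        if (isset($this->session['challengecookieold'])) {
            $expected  = (string) $this->session['challengecookieold'];
            $presented = isset($this->cookie['authchallenge'])
                ? (string) $this->cookie['authchallenge']
                : '';
            // Constant-time comparison where the runtime offers it.
            $matches = function_exists('hash_equals')
                ? hash_equals($expected, $presented)
                : $expected === $presented;
            if (!$matches) {
                $this->expired = true;
                $this->status  = AUTH_SECURITY_BREACH;
                $this->logout();
                $this->login();
                return false;
            }
        }
    }

    return true;
}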
/**
 * Checks if there is a session with valid auth information.
 *
 * Looks at the 'auth' entry of the imported session and rejects it when the
 * absolute lifetime ($this->expire, measured from 'timestamp') or the idle
 * limit ($this->idle, measured from 'idle') has run out, or when no
 * registered, non-empty user name is stored. A session that passes is handed
 * to Auth::updateIdle() before true is returned.
 *
 * @access private
 * @return boolean Whether or not the user is authenticated.
 */
function checkAuth()
{
    $session =& $this->_importGlobalVariable("session");
    if (!isset($session['auth'])) {
        return false;
    }
    $auth = $session['auth'];

    /** Absolute lifetime: 'timestamp' plus $this->expire must still lie ahead */
    $lifetime = $this->expire;
    if ($lifetime > 0 && isset($auth['timestamp']) && $auth['timestamp'] + $lifetime < time()) {
        $this->logout();
        $this->expired = true;
        $this->status = AUTH_EXPIRED;
        return false;
    }

    /** Idle limit: 'idle' plus $this->idle must still lie ahead */
    $idleLimit = $this->idle;
    if ($idleLimit > 0 && isset($auth['idle']) && $auth['idle'] + $idleLimit < time()) {
        $this->logout();
        $this->idled = true;
        $this->status = AUTH_IDLED;
        return false;
    }

    /** !empty() is the same test as isset() && == true */
    $registered = !empty($auth['registered']);
    $named = isset($auth['username']) && $auth['username'] != "";
    if (!($registered && $named)) {
        return false;
    }

    Auth::updateIdle();
    return true;
}