Example #1
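 /**
  * Process a login or logout request and send the matching response.
  *
  * The action comes from the "action" query parameter. A login is attempted only
  * when the posted token equals the token stored in the session under
  * "_im_login_token". JSON clients get a {"status", "token"} object; other clients
  * are handed to Router::request("/") when logged in, or shown the login form again.
  *
  * @return void
  */
 private function handleAuthRequest()
 {
     $status = false;
     /*
      * Are we logging in or out?
      */
     if (Runtime::$GET["action"] == "login") {
         /*
          * If not already logged-in, let's log the user in
          */
         if (!Auth::isLoggedIn()) {
             $user = Runtime::$POST["username"];
             $passwd = Runtime::$POST["password"];
             $token = Runtime::$POST["token"];
             /*
              * Compare the anti-forgery token in constant time. hash_equals() does not
              * leak how many leading bytes matched, unlike strcmp(). Both sides must be
              * strings: a request can deliver an array here (token[]=x), which must be
              * rejected rather than passed to a string function.
              */
             $expected = !empty($token) ? Runtime::$SESSION["_im_login_token"] : null;
             $tokenOk = !empty($token)
                 && is_string($token)
                 && is_string($expected)
                 && hash_equals($expected, $token);
             if ($tokenOk) {
                 if (!empty($user) && !empty($passwd)) {
                     /*
                      * NOTE(review): confirm Auth::login() rotates the session id on
                      * success; nothing in this method does.
                      */
                     Auth::login($user, $passwd);
                 }
                 $status = Auth::isLoggedIn();
                 /*
                  * The token is single-use. A failed JSON login gets a fresh one so the
                  * client can retry without reloading; in every other case it is dropped.
                  */
                 if (!$status && Runtime::$SYSTEM["REQUEST_CONTENT"] == "json") {
                     Runtime::$SESSION["_im_login_token"] = Crypt::encode(Crypt::password());
                 } else {
                     Runtime::$SESSION->remove("_im_login_token");
                 }
             }
         }
     } elseif (Runtime::$GET["action"] == "logout") {
         /*
          * If not already logged-out, let's log the user out
          */
         if (Auth::isLoggedIn()) {
             Auth::logout();
         }
         $status = !Auth::isLoggedIn();
     }
     /*
      * If the client is asking for JSON content, we provide a JSON object
      * with the status of the request.
      */
     if (Runtime::$SYSTEM["REQUEST_CONTENT"] == "json") {
         /*
          * NOTE(review): the current login token is returned on every JSON request,
          * including ones whose token did not match. That is only safe while this
          * endpoint is not readable cross-origin; confirm the CORS policy.
          */
         echo json_encode(["status" => $status, "token" => Runtime::$SESSION["_im_login_token"]]);
         /*
          * If the client is asking for html content,
          * e.g. the request is a regular post/load request and not an ajax request.
          */
     } elseif (Auth::isLoggedIn()) {
         Router::request("/");
         /*
          * Regular post/load request, user is not logged-in.
          * Either wrong password/username was supplied, or this was a
          * logout request. Either way, show the login form again.
          */
     } else {
         $this->buildLoginForm();
     }
 }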
Example #2
 /**
  * Set up the session object: shut down PHP's auto-started native session if there
  * is one, register the shutdown write-back, and take the session id from the
  * session cookie, issuing a new id and cookie when none can be read.
  *
  * @param Traversable|null $data Not referenced anywhere in this constructor body.
  */
 public function __construct(Traversable $data = null)
 {
     $this->mData = [];
     /*
      * We don't need/want PHP's session system. We do however need the $_SESSION variable,
      * and we don't need PHP saving its content where it should not be saved. So we close it
      * if it is set to autostart.
      */
     if (in_array(strtolower(ini_get("session.auto_start")), ["on", "true", "1"])) {
         trigger_error("You should disable Session Auto Start while running this library", E_USER_NOTICE);
         /*
          * When $_SESSION already points at this object, swap in a plain array while the
          * native session is torn down, then put the object back.
          * NOTE(review): this is a loose == between $_SESSION and $this; identity (===)
          * is probably what is meant - confirm.
          */
         if ($_SESSION == $this) {
             $_SESSION = [];
             session_unset();
             session_destroy();
             $_SESSION = $this;
         } else {
             session_unset();
             session_destroy();
         }
         /*
          * Drop the cookie that session auto start has queued.
          * header_remove() with a name removes every pending header of that name, so any
          * other Set-Cookie header queued before this point is discarded as well, not
          * only the auto-start session cookie.
          */
         header_remove("Set-Cookie");
     }
     /*
      * Register a receiver used to write data back to session storage
      */
     Runtime::addShutdownReceiver([$this, "writeBack"]);
     /*
      * The "_SSL" cookie name is used only when SSL is enabled in the settings and the
      * current connection is reported as SSL; both values default to false.
      */
     $useSSL = Runtime::$SETTINGS->getBoolean("SECURITY_SSL", false);
     $isSSL = Runtime::$SYSTEM->getBoolean("CONNECTION_SSL", false);
     $cookieName = $useSSL && $isSSL ? "IMPHP_SESSID_SSL" : "IMPHP_SESSID";
     /*
      * With SESSION_ENCRYPT_COOKIE on, the SECURITY_PASSWD setting is passed as the key
      * for reading and writing the cookie; otherwise no key is passed.
      */
     $cryptKey = null;
     if (Runtime::$SETTINGS->getBoolean("SESSION_ENCRYPT_COOKIE")) {
         $cryptKey = Runtime::$SETTINGS->getString("SECURITY_PASSWD");
     }
     /*
      * NOTE(review): the id read from the cookie is used as-is. Confirm the storage
      * layer only honours ids this library issued, so a client cannot choose its own.
      */
     try {
         $this->mSessId = Runtime::$COOKIE->get($cookieName, null, $cryptKey);
     } catch (Exception $e) {
         /*
          * Deliberately ignored: if anything is wrong with the cookie, mSessId is not
          * assigned here and the check below starts a new session.
          */
     }
     if ($this->mSessId == null) {
         /*
          * NOTE(review): time() adds nothing an attacker cannot guess, so the new id is
          * only as unpredictable as Crypt::password(); confirm that draws from a CSPRNG.
          */
         $this->mSessId = Crypt::hash(Crypt::password() . time());
         /*
          * NOTE(review): the 4th argument is presumably the cookie's Secure flag, set
          * only on SSL connections; confirm set() also marks the cookie HttpOnly.
          */
         Runtime::$COOKIE->set($cookieName, $this->mSessId, 0, $useSSL && $isSSL, null, null, $cryptKey);
     }
 }