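/**
 * Load the session named by the current request, or create one.
 *
 * The session key comes from the client request (see
 * loadRequestSessionKey()), so it is untrusted input. It is matched with an
 * exact-equality criterion rather than LIKE: a LIKE criterion would let a
 * submitted key containing the `%` or `_` wildcards match a different
 * session row than the one the key actually names.
 *
 * @param boolean $create_session
 *   Whether to create a new session when the request carries no session key.
 *
 * @return Session|null
 *   The current session, or null when no session key was sent and
 *   $create_session is false.
 */
public static function createInstance($create_session = true) {
    $session_key = static::loadRequestSessionKey();
    if (!$session_key) {
        // No session key on the request: create one only if asked to.
        return $create_session ? static::create() : null;
    }

    // Plain scalar criteria are presumably treated as equality by
    // Database::selectRow (the session_ip criterion below already relies on
    // that) — confirm against the Database class if in doubt.
    $session_criteria = ['session_key' => $session_key];
    // Optionally pin the session to the client IP it was created from.
    if (Configuration::get('session.single_ip')) {
        $session_criteria['session_ip'] = LightningRequest::server('ip_int');
    }

    $session_details = Database::getInstance()->selectRow('session', $session_criteria);
    if (!$session_details) {
        // A key was presented but no matching session exists. Log it, and
        // clear the stale cookie so the client stops re-sending it, in case
        // this is really just a minor error rather than tampering.
        Logger::security('Bad session', Logger::SEVERITY_MED);
        static::clearCookie();
        return static::create();
    }

    $session = new static($session_details);
    if (!$session->validateState()) {
        // The stored session is no longer valid; drop it and start fresh.
        $session->destroy();
        return static::create();
    }
    $session->ping();
    return $session;
}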
/**
 * Ensure a session exists and authenticate a user by email and password.
 *
 * Any user already logged in is destroyed first. On success the matched
 * user is registered to the session (becoming the global user). Failed
 * attempts are recorded through Logger::security; the caller only sees
 * false, whether the email or the password was the wrong part.
 *
 * @param $email
 * @param $password
 * @param bool $remember
 *   If true, the cookie is permanent, while the password and pin state
 *   still expire on their own timeout.
 * @param boolean $auth_only
 *   If true, the user is authenticated without the password state being
 *   set; this also forces $remember to true.
 *
 * @return bool
 *   Whether the login succeeded.
 */
public static function login($email, $password, $remember = FALSE, $auth_only = FALSE) {
    // An auth-only login is always a remembered one.
    $remember = $auth_only ? true : $remember;

    // Whoever is currently logged in gets replaced.
    $current = ClientUser::getInstance();
    if ($current->id > 0) {
        $current->destroy();
    }

    $candidate = static::loadByEmail($email);
    if (!$candidate) {
        Logger::security('Bad Username', Logger::SEVERITY_MED);
        return false;
    }

    if (!$candidate->checkPass($password)) {
        Logger::security('Bad Password', Logger::SEVERITY_HIGH);
        return false;
    }

    // NOTE(review): when $auth_only is set, $auth_only itself (true) is the
    // state handed to registerToSession(); otherwise the password state.
    // Preserved as written — confirm the intended value with registerToSession().
    $state = $auth_only ?: Session::STATE_PASSWORD;
    $candidate->registerToSession($remember, $state);
    return true;
}