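/**
 * Tell whether the current request belongs to an authenticated user.
 *
 * Order of checks:
 *  1. An existing session with a non-expired `expiresAt` wins; its lifetime is
 *     renewed on every call.
 *  2. Otherwise the "remember me" cookie is validated and, if it resolves to a
 *     user id, a fresh session is populated from it.
 *
 * The original fell through after a successful cookie login (and after a failed
 * login whose token was not flagged invalid), so callers received null instead of
 * a bool; both paths now return explicitly.
 *
 * @return bool true when a user is authenticated (by session or cookie), false otherwise
 * @throws \Exception with code Resource::STATUS_BAD_REQUEST when a remember-me cookie
 *                    is present but its login token is invalid
 */
public function loggedIn()
{
    $sessionLifetime = 3600; // seconds; extended on every authenticated request

    // 1. Valid, non-expired session: renew it and stop here. Checking this first
    //    also avoids constructing the Mongo-backed storage when it is not needed.
    if (isset($_SESSION['userId'], $_SESSION['expiresAt']) && $_SESSION['expiresAt'] > time()) {
        $_SESSION['expiresAt'] = time() + $sessionLifetime;
        return true;
    }

    // 2. No usable session: fall back to the remember-me cookie.
    $rememberMeStorage = new RemembermeMongoStorage($this->getDocumentManager());
    $rememberMe = new Rememberme\Authenticator($rememberMeStorage);

    if (empty($_COOKIE[$rememberMe->getCookieName()]) || !$rememberMe->cookieIsValid()) {
        return false;
    }

    $loginresult = $rememberMe->login();
    if ($loginresult) {
        // The user was authenticated by a cookie, not by a credential check. Drop
        // the pre-login session id so the authenticated session cannot be tied to
        // an id that existed before login (guarded: regenerate needs an active session).
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        $_SESSION['userId'] = $loginresult;
        $_SESSION['expiresAt'] = time() + $sessionLifetime;
        // Recorded so callers can demand a real login before sensitive actions:
        // a remember-me token may have been stolen rather than presented by its owner.
        $_SESSION['rememberedByCookie'] = true;
        return true;
    }

    // Login failed: an invalid token (as opposed to a merely expired/absent one) is
    // reported to the caller as a bad request.
    if ($rememberMe->loginTokenWasInvalid()) {
        throw new \Exception('Remember me cookie invalid!', Resource::STATUS_BAD_REQUEST);
    }

    return false;
}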
$storage = new Rememberme\Storage\File($storagePath); $rememberMe = new Rememberme\Authenticator($storage); // First, we initialize the session, to see if we are already logged in session_start(); if (!empty($_SESSION['username'])) { if (!empty($_GET['logout'])) { $rememberMe->clearCookie($_SESSION['username']); redirect(true); } if (!empty($_GET['completelogout'])) { $storage->cleanAllTriplets($_SESSION['username']); redirect(true); } // Check, if the Rememberme cookie exists and is still valid. // If not, we log out the current session if (!empty($_COOKIE[$rememberMe->getCookieName()]) && !$rememberMe->cookieIsValid()) { redirect(true); } // User is still logged in - show content $content = tpl("user_is_logged_in"); } else { // If we can present the correct tokens from the cookie, we are logged in $loginresult = $rememberMe->login(); if ($loginresult) { $_SESSION['username'] = $loginresult; // There is a chance that an attacker has stolen the login token, so we store // the fact that the user was logged in via RememberMe (instead of login form) $_SESSION['remembered_by_cookie'] = true; redirect(); } else { // If $rememberMe returned false, check if the token was invalid