/**
* Function to test if DOB is stored correctly.
*/
public function testSetDOB()
{
$dob = time() - 10000;
$this->xobj->setDOB($dob);
$result = SQL("SELECT `DOB` FROM XUSER WHERE USERID = ?", array($this->obj->getUserID()));
$this->assertTrue($result[0]['DOB'] == $dob);
}
/**
* Constructor of this class.
* @param \phpsec\User $userObj The object of class \phpsec\User
*/
public function __construct($userObj)
{
$this->userID = $userObj->getUserID();
if (!XUser::isXUserExists($this->userID)) {
//If user's records are not present in the DB, then insert them
SQL("INSERT INTO XUSER (`USERID`) VALUES (?)", array($this->userID));
}
}
/**
* Function for user to Log-out.
* @param \phpsec\User $userObj The user object of the user that needs to log out
*/
public static function logOut($userObj)
{
if ($userObj->checkRememberMe() === $userObj->getUserID()) {
User::deleteAuthenticationToken();
//delete the authentication token from the server and the user's browser
}
if (file_exists(__DIR__ . "/../session/session.php")) {
require_once __DIR__ . "/../session/session.php";
//If session library is present, then delete session from the server as well as user's browser
$tempSession = new Session();
$tempSession->existingSession();
$tempSession->destroySession();
}
}
function Handle($Request)
{
try {
$userSession = new phpsec\Session();
$sessionID = $userSession->existingSession();
if ($sessionID != FALSE) {
if (isset($_POST['submit'])) {
$userID = \phpsec\Session::getUserIDFromSessionID($sessionID);
if (isset($_POST['_x_oldpass']) && $_POST['_x_oldpass'] != "" && isset($_POST['pass']) && $_POST['pass'] != "" && isset($_POST['repass']) && $_POST['repass'] != "") {
$config = (require_once __DIR__ . "/../../config/config.php");
if (phpsec\BasicPasswordManagement::$passwordStrength > phpsec\BasicPasswordManagement::strength($_POST['pass'])) {
$this->error .= "ERROR: This password is too weak. Please choose a different password. A good password contains a-z, A-Z, 0-9, & special characters." . "<BR>";
if ($config['PASSWORD_SUGGESTION'] === "ON") {
$this->info .= "This password is strong: " . substr(\phpsec\BasicPasswordManagement::generate(1), 0, 8) . "<BR>";
}
return require_once __DIR__ . "/../../view/default/user/passwordreset.php";
}
if ($_POST['pass'] !== $_POST['repass']) {
$this->error .= "Your Password and Re-Type Password fields do not match. Please enter the same password twice." . "<BR>";
return require_once __DIR__ . "/../../view/default/user/passwordreset.php";
}
try {
$userObj = phpsec\UserManagement::logIn($userID, $_POST['_x_oldpass']);
$userObj->resetPassword($_POST['_x_oldpass'], $_POST['pass']);
$this->info .= "Your password have been changed successfully." . "<BR>";
} catch (phpsec\WrongPasswordException $e) {
if ($config['BRUTE_FORCE_DETECTION'] === "ON") {
try {
new phpsec\AdvancedPasswordManagement($userID, $_POST['pass'], TRUE);
} catch (phpsec\BruteForceAttackDetectedException $ex) {
\phpsec\User::lockAccount($userID);
$this->error .= "Brute Force Attack detected on this account. This account has now been locked. If its not your fault, then please contact the administrator." . "<BR>";
}
}
$this->error .= "Your old password does not seems correct. Please enter your old password for verification." . "<BR>";
}
} else {
$this->error .= "ERROR: Empty fields are not allowed." . "<BR>";
}
}
} else {
$this->error .= "You are not logged-in. Please login to complete the operation." . "<BR>";
$newLocation = \phpsec\HttpRequest::Protocol() . "://" . \phpsec\HttpRequest::Host() . \phpsec\HttpRequest::PortReadable() . "/rnj/framework/login";
header("Location: {$newLocation}");
}
} catch (Exception $e) {
$this->error .= $e->getMessage() . "<BR>";
}
return require_once __DIR__ . "/../../view/default/user/passwordreset.php";
}
/**
* Function to test if brute force is detected when failed attempts are done in intervals. e.g. a bot guesses password after every 2 seconds in attempt to fool the system that this is a legit attempt
*/
public function testBruteForceForSlowPasswordGuessing()
{
try {
//repeatedly provide wrong password.
for ($i = 0; $i < 7; $i++) {
sleep(2);
//Sleep for some time so that the mechanism can be fooled.
$this->obj = new AdvancedPasswordManagement($this->user->getUserID(), "resting", true);
//wrong password provided.
}
} catch (BruteForceAttackDetectedException $e) {
$this->assertTrue(TRUE);
//True since BruteForceAttackDetectedException was thrown
}
}
function Handle($Request)
{
try {
if (isset($_GET['user']) && $_GET['user'] != "" && isset($_GET['verification']) && $_GET['verification'] != "" && ($_GET['mode'] === 'temppass' || $_GET['mode'] === 'activation')) {
if (phpsec\AdvancedPasswordManagement::tempPassword($_GET['user'], $_GET['verification'])) {
if ($_GET['mode'] === 'temppass') {
$userSession = new phpsec\Session();
$userSessionID = $userSession->newSession($_GET['user']);
$nextLocation = \phpsec\HttpRequest::Protocol() . "://" . \phpsec\HttpRequest::Host() . \phpsec\HttpRequest::PortReadable() . "/rnj/framework/requestnewpassword";
header("Location: {$nextLocation}");
} else {
if ($_GET['mode'] === 'activation') {
\phpsec\User::activateAccount($_GET['user']);
$this->info .= "Your account <b>" . $_GET['user'] . "</b> is now activated." . "<BR>";
require_once __DIR__ . "/../../view/default/user/temppass.php";
}
}
} else {
$this->error .= "ERROR: This validation token does not match our records!!!" . "<BR>";
return require_once __DIR__ . "/../../view/default/user/temppass.php";
}
} else {
if (isset($_GET['user']) && $_GET['user'] != "" && isset($_GET['email']) && $_GET['email'] != "" && ($_GET['mode'] === 'temppass' || $_GET['mode'] === 'activation')) {
$tempPass = phpsec\AdvancedPasswordManagement::tempPassword($_GET['user']);
$message = "Please open the following link in order to complete the process:\n";
$message .= \phpsec\HttpRequest::Protocol() . "://" . \phpsec\HttpRequest::Host() . \phpsec\HttpRequest::PortReadable() . "/rnj/framework/temppass?user="******"&mode=" . $_GET['mode'] . "&verification=" . $tempPass . "\n\n\n";
$message .= "Sometimes the email ends up in the Spam folder. So also please check your spam folder in case you didn't receive the email.\n\n";
$message .= "If you did nothing to get this email, just ignore it.\n";
$message = wordwrap($message, 70, "\r\n");
$send = \mail($_GET['email'], "Authentication Email", $message, "FROM: " . "*****@*****.**");
if (!$send) {
$this->error .= "ERROR: Mail was not send!" . "<BR>";
}
return require_once __DIR__ . "/../../view/default/user/temppass.php";
} else {
return require_once __DIR__ . "/../../view/default/404.php";
}
}
} catch (Exception $e) {
$this->error .= $e->getMessage() . "<BR>";
return require_once __DIR__ . "/../../view/default/user/temppass.php";
}
}
function Handle($Request)
{
try {
$config = (require_once __DIR__ . "/../../config/config.php");
$userID = \phpsec\User::checkRememberMe();
if (!$userID) {
if (isset($_POST['submit'])) {
if (isset($_POST['user']) && $_POST['user'] != "" && isset($_POST['pass']) && $_POST['pass'] != "") {
try {
$userID = $_POST['user'];
$userObj = phpsec\UserManagement::logIn($_POST['user'], $_POST['pass']);
} catch (phpsec\WrongPasswordException $e) {
if ($config['BRUTE_FORCE_DETECTION'] === "ON") {
try {
new phpsec\AdvancedPasswordManagement($_POST['user'], $_POST['pass'], TRUE);
} catch (phpsec\BruteForceAttackDetectedException $ex) {
\phpsec\User::lockAccount($_POST['user']);
$this->error .= "Brute Force Attack detected on this account. This account has now been locked. If its not your fault, then please contact the administrator." . "<BR>";
}
}
$this->error .= "Incorrect Username/Password combination!" . "<BR>";
return require_once __DIR__ . "/../../view/default/user/login.php";
} catch (phpsec\UserAccountInactive $e) {
$userEmail = phpsec\User::getPrimaryEmail($_POST['user']);
$activationLink = \phpsec\HttpRequest::Protocol() . "://" . \phpsec\HttpRequest::Host() . \phpsec\HttpRequest::PortReadable() . "/rnj/framework/temppass?user="******"&mode=activation" . "&email=" . $userEmail;
$this->error .= "ERROR: The account is inactive. Please activate your account by clicking <a href=\"{$activationLink}\">here</a>." . "<BR>";
return require_once __DIR__ . "/../../view/default/user/login.php";
}
if (isset($_POST['remember-me']) && $_POST['remember-me'] == "on") {
if (phpsec\HttpRequest::isHTTPS()) {
phpsec\User::enableRememberMe($_POST['user']);
} else {
phpsec\User::enableRememberMe($_POST['user'], FALSE, TRUE);
}
}
} else {
$this->error .= "Empty fields are not allowed. Please fill the required areas." . "<BR>";
}
} else {
return require_once __DIR__ . "/../../view/default/user/login.php";
}
}
$userSession = new phpsec\Session();
try {
$sessionID = $userSession->existingSession();
if ($sessionID) {
$userSessionID = $userSession->rollSession();
} else {
$userSessionID = $userSession->newSession($userID);
}
$userObj = phpsec\UserManagement::forceLogIn($userID);
if ($userObj->isPasswordExpired()) {
$this->info .= "Its been too long since you have changed your password. For security reasons, please change your password." . "<BR>";
}
$url_to_redirect = \phpsec\HttpRequest::Protocol() . "://" . \phpsec\HttpRequest::Host() . \phpsec\HttpRequest::PortReadable() . "/rnj/framework/user/index";
header("HTTP/1.1 302 Found");
header('Location: ' . $url_to_redirect);
} catch (\phpsec\SessionExpired $e) {
$this->error .= $e->getMessage() . "<BR>";
phpsec\User::deleteAuthenticationToken();
}
} catch (Exception $e) {
$this->error .= $e->getMessage() . "<BR>";
}
return require_once __DIR__ . "/../../view/default/user/login.php";
}
