/** * Initialise the site secret (32 bytes: "z" to indicate format + 186-bit key in Base64 URL). * * Used during installation and saves as a datalist. * * Note: Old secrets were hex encoded. * * @return mixed The site secret hash or false * @access private * @todo Move to better file. */ function init_site_secret() { $secret = 'z' . ElggCrypto::getRandomString(31); if (datalist_set('__site_secret__', $secret)) { return $secret; } return FALSE; }
/** * Generate an 8 character Base64 URL salt for the password * * @return string * @access private */ function _elgg_generate_password_salt() { return ElggCrypto::getRandomString(8); }
/** * Initialises the system session and potentially logs the user in * * This function looks for: * * 1. $_SESSION['id'] - if not present, we're logged out, and this is set to 0 * 2. The cookie 'elggperm' - if present, checks it for an authentication * token, validates it, and potentially logs the user in * * @uses $_SESSION * * @return bool * @access private */ function _elgg_session_boot() { global $DB_PREFIX, $CONFIG; // Use database for sessions // HACK to allow access to prefix after object destruction $DB_PREFIX = $CONFIG->dbprefix; if (!isset($CONFIG->use_file_sessions)) { session_set_save_handler("_elgg_session_open", "_elgg_session_close", "_elgg_session_read", "_elgg_session_write", "_elgg_session_destroy", "_elgg_session_gc"); } session_name('Elgg'); session_start(); // Generate a simple token (private from potentially public session id) if (!isset($_SESSION['__elgg_session'])) { $_SESSION['__elgg_session'] = ElggCrypto::getRandomString(32, ElggCrypto::CHARS_HEX); } // test whether we have a user session if (empty($_SESSION['guid'])) { // clear session variables before checking cookie unset($_SESSION['user']); unset($_SESSION['id']); unset($_SESSION['guid']); unset($_SESSION['code']); // is there a remember me cookie if (!empty($_COOKIE['elggperm'])) { // we have a cookie, so try to log the user in $code = $_COOKIE['elggperm']; $code = md5($code); if ($user = get_user_by_code($code)) { // we have a user, log him in $_SESSION['user'] = $user; $_SESSION['id'] = $user->getGUID(); $_SESSION['guid'] = $_SESSION['id']; $_SESSION['code'] = $_COOKIE['elggperm']; } else { if (_elgg_is_legacy_remember_me_token($_COOKIE['elggperm'])) { // may be attempt to brute force legacy low-entropy codes sleep(1); } setcookie("elggperm", "", time() - 86400 * 30, "/"); } } } else { // we have a session and we have already checked the fingerprint // reload the user object from database in case it has changed during the session if ($user = get_user($_SESSION['guid'])) { $_SESSION['user'] = $user; $_SESSION['id'] = $user->getGUID(); $_SESSION['guid'] = $_SESSION['id']; } else { // user must have been deleted with a session active unset($_SESSION['user']); unset($_SESSION['id']); unset($_SESSION['guid']); unset($_SESSION['code']); if (!empty($_COOKIE['elggperm']) && _elgg_is_legacy_remember_me_token($_COOKIE['elggperm'])) { // replace user's old weaker-entropy code with new one $code = _elgg_generate_remember_me_token(); $_SESSION['code'] = $code; $user->code = md5($code); $user->save(); setcookie("elggperm", $code, time() + 86400 * 30, "/"); } } } if (isset($_SESSION['guid'])) { set_last_action($_SESSION['guid']); } elgg_register_action('login', '', 'public'); elgg_register_action('logout'); // Register a default PAM handler register_pam_handler('pam_auth_userpass'); // Initialise the magic session global $SESSION; $SESSION = new ElggSession(); // Finally we ensure that a user who has been banned with an open session is kicked. if (isset($_SESSION['user']) && $_SESSION['user']->isBanned()) { session_destroy(); return false; } return true; }