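private function DuoAuth() {
    // Second-factor step for Duo Web: the browser posts back the signed
    // response from the Duo iframe together with the login nonce we issued.
    // Returns true on success (AuthResult then holds the verified username),
    // ulLoginBackend::ERROR when the request is malformed or the nonce does
    // not verify, and ulLoginBackend::BAD_CREDENTIALS when Duo rejects the
    // signed response.
    $this->AuthResult = false;

    // Verify the nonce first, so only responses to a login page we actually
    // served are accepted.
    if (!isset($_POST['ulDuoSecLoginNonce'])) {
        return ulLoginBackend::ERROR;
    }
    if (!ulNonce::Verify('ulDuoSecLogin', $_POST['ulDuoSecLoginNonce'])) {
        return ulLoginBackend::ERROR;
    }

    // The signed response is mandatory. Reading a missing index would only
    // raise a notice and hand Duo an empty value; an array (sig_response[])
    // would break inside verifyResponse.
    if (!isset($_POST['sig_response']) || !is_string($_POST['sig_response'])) {
        return ulLoginBackend::ERROR;
    }

    // verifyResponse returns the username when the signature checks out and
    // NULL otherwise. The caller can then set any cookies/session data for
    // that username and complete the login process.
    $resp = Duo::verifyResponse(UL_DUOSEC_IKEY, UL_DUOSEC_SKEY, UL_DUOSEC_AKEY, $_POST['sig_response']);

    // Accept only a non-empty string. The previous loose `!= NULL` test
    // already rejected '' (it compares equal to NULL); a strict null check
    // on its own would have started accepting it.
    if (!is_string($resp) || $resp === '') {
        return ulLoginBackend::BAD_CREDENTIALS;
    }

    $this->AuthResult = $resp;
    return true;
}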
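public function Autologin() {
    // Attempts a "remember me" login from the AutoLogin cookie.
    // Returns the user id on success and false otherwise. Every failure path
    // that has a username to act on calls SetAutologin($username, false);
    // what that does to the cookie is defined elsewhere in this class.
    if (!$this->Backend->IsAutoLoginAllowed()) {
        return false;
    }

    // Cookie-name
    $autologin_name = 'AutoLogin';

    // Read the cookie. It is client-controlled input until the HMAC check
    // below passes, so nothing in it is trusted before that point.
    if (!isset($_COOKIE[$autologin_name]) || !is_string($_COOKIE[$autologin_name])) {
        return false;
    }
    $data = $_COOKIE[$autologin_name];

    // Expected layout: username:::nonce:::hmac. Anything else is malformed
    // and offers no trustworthy username to act on, so just refuse.
    $parts = explode(':::', $data);
    if (count($parts) !== 3) {
        return false;
    }
    list($username, $nonce, $hmac) = $parts;

    // Check if nonce in cookie is valid
    if (!ulNonce::Verify("{$username}-autologin", $nonce)) {
        $this->SetAutologin($username, false);
        return false;
    }

    // Check if cookie was set by us. hash_equals() compares in constant time
    // and sidesteps PHP's loose string comparison: with `!=`, two all-digit
    // hex digests that both start with "0e" compare equal as numbers.
    $expected = hash_hmac(UL_HMAC_FUNC, "{$username}:::{$nonce}", UL_SITE_KEY);
    if (!hash_equals($expected, $hmac)) {
        $this->SetAutologin($username, false);
        $this->AuthFail(NULL, $username);
        return false;
    }

    // Get Uid and see if user exists. See if user is still valid.
    $uid = $this->Uid($username);
    if ($uid === false) {
        $this->SetAutologin($username, false);
        $this->AuthFail(NULL, $username);
        return false;
    }

    // Check if there is a block that applies to us
    if ($this->BlockCheck($uid) !== true) {
        $this->SetAutologin($username, false);
        $this->AuthFail($uid, $username);
        return false;
    }

    // Everything seems alright. Log user in and set new autologin cookie.
    $this->AuthSuccess($uid, $username);
    $this->SetAutologin($username, true);
    return $uid;
}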
if ($action == 'logout') { // We've been requested to log out // Logout appLogout(); $msg = 'logged out'; } } } else { // We've been requested to log in if ($action == 'login') { // Here we verify the nonce, so that only users can try to log in // to whom we've actually shown a login page. The first parameter // of Nonce::Verify needs to correspond to the parameter that we // used to create the nonce, but otherwise it can be anything // as long as they match. if (isset($_POST['nonce']) && ulNonce::Verify('login', $_POST['nonce'])) { // We store it in the session if the user wants to be remembered. This is because // some auth backends redirect the user and we will need it after the user // arrives back. if (isset($_POST['autologin'])) { $_SESSION['appRememberMeRequested'] = true; } else { unset($_SESSION['appRememberMeRequested']); } // This is the line where we actually try to authenticate against some kind // of user database. Note that depending on the auth backend, this function might // redirect the user to a different page, in which case it does not return. $ulogin->Authenticate($_POST['user'], $_POST['pwd']); if ($ulogin->IsAuthSuccess()) { // Since we have specified callback functions to uLogin, // we don't have to do anything here.
private static function verifyTokenCookie() {
    // Checks the per-session replay token carried in the SSESTOKEN cookie.
    // Returns true when replay prevention is switched off or the token
    // verifies, false when the cookie is absent or the token does not verify.
    if (!UL_PREVENT_REPLAY) {
        return true;
    }

    $tokenCookie = 'SSESTOKEN';
    $token = isset($_COOKIE[$tokenCookie]) ? $_COOKIE[$tokenCookie] : null;

    // Without the cookie there is nothing to verify against.
    if ($token === null) {
        return false;
    }

    return ulNonce::Verify('ulSessionToken', $token);
}