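/**
 * Completes the Duo Security second-factor step of a login.
 *
 * The form nonce posted with the Duo response is verified first; only then is
 * the signed response handed to Duo::verifyResponse(). When Duo accepts the
 * response, the value it returns (the username, per the Duo integration) is
 * stored in $this->AuthResult so the caller can finish the login for that user.
 *
 * @return mixed true on success, ulLoginBackend::ERROR when the nonce is
 *               missing or invalid, ulLoginBackend::BAD_CREDENTIALS when the
 *               Duo response is missing, malformed or rejected.
 */
private function DuoAuth()
{
    $this->AuthResult = false;

    // Verify the nonce first, so only a form we actually served can reach
    // the Duo verification below.
    if (!isset($_POST['ulDuoSecLoginNonce'])
        || !ulNonce::Verify('ulDuoSecLogin', $_POST['ulDuoSecLoginNonce'])) {
        return ulLoginBackend::ERROR;
    }

    // sig_response is request data: it may be absent, or an array if the
    // client posts sig_response[]=... Reject both before handing it to Duo,
    // instead of relying on how verifyResponse() treats a non-string.
    if (!isset($_POST['sig_response']) || !is_string($_POST['sig_response'])) {
        return ulLoginBackend::BAD_CREDENTIALS;
    }

    // verifyResponse() returns NULL when the signed response is invalid and
    // the username otherwise. Cookies/session data may only be set for that
    // username once this check has passed.
    $resp = Duo::verifyResponse(UL_DUOSEC_IKEY, UL_DUOSEC_SKEY, UL_DUOSEC_AKEY, $_POST['sig_response']);

    // The loose comparison is kept on purpose: besides NULL it also rejects
    // an empty string, so an empty username is never treated as a login.
    if ($resp == NULL) {
        return ulLoginBackend::BAD_CREDENTIALS;
    }

    $this->AuthResult = $resp;
    return true;
}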
예제 #2
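 /**
  * Attempts to log a user in from the "remember me" cookie.
  *
  * The cookie has the form "username:::nonce:::hmac". The nonce must be valid
  * for "<username>-autologin" and the HMAC must match the one computed over
  * "username:::nonce" with UL_SITE_KEY. The user must also exist and must not
  * be blocked. On success a fresh autologin cookie is issued.
  *
  * @return mixed the user's uid on success, false otherwise.
  */
 public function Autologin()
 {
     if (!$this->Backend->IsAutoLoginAllowed()) {
         return false;
     }
     // Cookie-name
     $autologin_name = 'AutoLogin';
     // The cookie is attacker-controlled input: it may be missing, or an
     // array (AutoLogin[]=...), which explode() cannot handle.
     if (!isset($_COOKIE[$autologin_name]) || !is_string($_COOKIE[$autologin_name])) {
         return false;
     }
     // Split the cookie into its three fields. A cookie with fewer fields was
     // not produced by us; stop before reading undefined offsets.
     $parts = explode(':::', $_COOKIE[$autologin_name]);
     if (count($parts) < 3) {
         return false;
     }
     $username = $parts[0];
     $nonce = $parts[1];
     $hmac = $parts[2];
     // Check if nonce in cookie is valid.
     // NOTE(review): this check and the SetAutologin() call below act on a
     // username that has not been authenticated by the HMAC yet - confirm
     // that SetAutologin($username, false) cannot disturb another user's state.
     if (!ulNonce::Verify("{$username}-autologin", $nonce)) {
         $this->SetAutologin($username, false);
         return false;
     }
     // Check if cookie was set by us. hash_equals() compares in constant time
     // and byte-for-byte; the previous "!=" compared loosely, so two different
     // numeric-looking strings (e.g. "0e12" and "0e34") were treated as equal.
     $expected = hash_hmac(UL_HMAC_FUNC, "{$username}:::{$nonce}", UL_SITE_KEY);
     if (!is_string($expected) || !hash_equals($expected, $hmac)) {
         $this->SetAutologin($username, false);
         $this->AuthFail(NULL, $username);
         return false;
     }
     // Get Uid and see if user exists. See if user is still valid.
     $uid = $this->Uid($username);
     if ($uid === false) {
         $this->SetAutologin($username, false);
         $this->AuthFail(NULL, $username);
         return false;
     }
     // Check if there is a block that applies to us
     if ($this->BlockCheck($uid) !== true) {
         $this->SetAutologin($username, false);
         $this->AuthFail($uid, $username);
         return false;
     }
     // Everything seems alright. Log user in and set new autologin cookie.
     $this->AuthSuccess($uid, $username);
     $this->SetAutologin($username, true);
     return $uid;
 }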
예제 #3
        if ($action == 'logout') {
            // We've been requested to log out
            // Logout
            appLogout();
            $msg = 'logged out';
        }
    }
} else {
    // We've been requested to log in
    if ($action == 'login') {
        // Here we verify the nonce, so that only users can try to log in
        // to whom we've actually shown a login page. The first parameter
        // of Nonce::Verify needs to correspond to the parameter that we
        // used to create the nonce, but otherwise it can be anything
        // as long as they match.
        if (isset($_POST['nonce']) && ulNonce::Verify('login', $_POST['nonce'])) {
            // We store it in the session if the user wants to be remembered. This is because
            // some auth backends redirect the user and we will need it after the user
            // arrives back.
            if (isset($_POST['autologin'])) {
                $_SESSION['appRememberMeRequested'] = true;
            } else {
                unset($_SESSION['appRememberMeRequested']);
            }
            // This is the line where we actually try to authenticate against some kind
            // of user database. Note that depending on the auth backend, this function might
            // redirect the user to a different page, in which case it does not return.
            $ulogin->Authenticate($_POST['user'], $_POST['pwd']);
            if ($ulogin->IsAuthSuccess()) {
                // Since we have specified callback functions to uLogin,
                // we don't have to do anything here.
예제 #4
 /**
  * Checks the session-token cookie used for replay prevention.
  *
  * With UL_PREVENT_REPLAY switched off the check always passes. Otherwise the
  * 'SSESTOKEN' cookie must be present, and its value is verified as a nonce
  * for the 'ulSessionToken' action.
  *
  * @return mixed true when replay prevention is disabled, false when the
  *               cookie is absent, else the result of ulNonce::Verify().
  */
 private static function verifyTokenCookie()
 {
     if (UL_PREVENT_REPLAY) {
         // The token arrives in a cookie, i.e. it is client-supplied data;
         // its validity is decided solely by the nonce check.
         $token = isset($_COOKIE['SSESTOKEN']) ? $_COOKIE['SSESTOKEN'] : null;
         if ($token === null) {
             return false;
         }

         return ulNonce::Verify('ulSessionToken', $token);
     }

     // Replay prevention is disabled: nothing to verify.
     return true;
 }