/**
 * Authenticate the current request's user, from the login form or the Rememberme cookie.
 *
 * $form is request data, so its fields are untrusted: they are only ever passed to
 * User::load() / User::authenticate() and never stored here. A successful form login
 * replaces the user in the Grav container and in the session, then either issues a
 * Rememberme cookie or clears any existing one together with its stored triplets.
 * Whatever the login path, the returned result is additionally gated on the
 * 'site.login' ACL permission.
 *
 * @param array $form Form fields (username, password, rememberme).
 *
 * @return bool true only when the user is authenticated AND authorized for site.login.
 */
protected function authenticate($form)
{
    /** @var User $user */
    $user = $this->grav['user'];

    if (!$user->authenticated) {
        // A submitted username wins; otherwise ask the Rememberme cookie for one.
        // NOTE(review): the cookie path only loads the user here — nothing in this
        // method sets $user->authenticated for it, so a cookie-only request returns
        // false unless that is handled elsewhere; verify against the remember-me flow.
        $username = $form['username'] ?? $this->rememberMe->login();
        $user = User::load($username);

        $canTryPassword = $user->exists() && !empty($form['username']) && !empty($form['password']);
        if ($canTryPassword) {
            $user->authenticated = $user->authenticate($form['password']);
        }

        if ($canTryPassword && $user->authenticated) {
            // Persist the user in the session and swap it into the container.
            $this->grav['session']->user = $user;
            unset($this->grav['user']);
            $this->grav['user'] = $user;

            if (empty($form['rememberme'])) {
                // No persistent login requested: drop the cookie and any stored triplets.
                $this->rememberMe->clearCookie();
                $this->rememberMe->getStorage()->cleanAllTriplets($user->get('username'));
            } else {
                $this->rememberMe->createCookie($form['username']);
            }
        }
    }

    // Authorize against user ACL: being authenticated alone is not enough to log in.
    $authorized = $user->authorize('site.login');
    $user->authenticated = $user->authenticated && $authorized;

    return $user->authenticated;
}
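/**
 * Report whether the current request belongs to a logged-in user.
 *
 * A live session (userId present, expiresAt still in the future) is renewed by one
 * hour and counts as logged in. Otherwise a present and valid Rememberme cookie may
 * re-establish the session; the session is then flagged with rememberedByCookie so
 * callers can distinguish a cookie login from a form login.
 *
 * @return bool true when a session exists or was re-established from the Rememberme
 *              cookie, false otherwise (every path now returns an explicit bool).
 * @throws \Exception with Resource::STATUS_BAD_REQUEST when the cookie carried a
 *                    known but invalid token (possible stolen cookie).
 */
public function loggedIn()
{
    $sessionTtl = 3600; // seconds; the session lifetime is extended by this on every activity

    // Fast path: an unexpired session is renewed and accepted.
    if (isset($_SESSION['userId'], $_SESSION['expiresAt']) && $_SESSION['expiresAt'] > time()) {
        $_SESSION['expiresAt'] = time() + $sessionTtl;
        return true;
    }

    // Only build the Rememberme machinery when the session cannot answer on its own.
    $rememberMeStorage = new RemembermeMongoStorage($this->getDocumentManager());
    $rememberMe = new Rememberme\Authenticator($rememberMeStorage);

    // No Rememberme cookie, or one that fails validation: not logged in.
    if (empty($_COOKIE[$rememberMe->getCookieName()]) || !$rememberMe->cookieIsValid()) {
        return false;
    }

    $loginresult = $rememberMe->login();
    if ($loginresult) {
        // Load user into session.
        $_SESSION['userId'] = $loginresult;
        $_SESSION['expiresAt'] = time() + $sessionTtl;
        // Mark the cookie-based login so sensitive actions can demand a fresh password.
        $_SESSION['rememberedByCookie'] = true;
        // NOTE(review): the session is upgraded from anonymous to authenticated here;
        // consider regenerating the session id at this point as well.
        return true; // the original fell through and returned null here
    }

    if ($rememberMe->loginTokenWasInvalid()) {
        throw new \Exception('Remember me cookie invalid!', Resource::STATUS_BAD_REQUEST);
    }

    // Cookie present and well-formed, but the token lookup did not log anyone in.
    return false;
}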
redirect(true); } if (!empty($_GET['completelogout'])) { $storage->cleanAllTriplets($_SESSION['username']); redirect(true); } // Check, if the Rememberme cookie exists and is still valid. // If not, we log out the current session if (!empty($_COOKIE[$rememberMe->getCookieName()]) && !$rememberMe->cookieIsValid()) { redirect(true); } // User is still logged in - show content $content = tpl("user_is_logged_in"); } else { // If we can present the correct tokens from the cookie, we are logged in $loginresult = $rememberMe->login(); if ($loginresult) { $_SESSION['username'] = $loginresult; // There is a chance that an attacker has stolen the login token, so we store // the fact that the user was logged in via RememberMe (instead of login form) $_SESSION['remembered_by_cookie'] = true; redirect(); } else { // If $rememberMe returned false, check if the token was invalid if ($rememberMe->loginTokenWasInvalid()) { $content = tpl("cookie_was_stolen"); } else { if (!empty($_POST)) { if ($username == $_POST['username'] && $password == $_POST['password']) { session_regenerate_id(); $_SESSION['username'] = $username;