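 /**
  * Sets up the session for the currently logged-in user, trying to re-establish a session for "remember-me" users who have been logged out,
  * or creates a guest user object if no one is logged in.
  *
  * Resolution order:
  *  1. A user id already present in $_SESSION["userfrosting"]["user_id"] is loaded. The row must
  *     still exist, and if a remember-me cookie is also presented it must still validate.
  *  2. Otherwise the remember-me cookie is tried. On success the PHP session id is regenerated
  *     before the user id is written to the session, so a session id fixed on the browser before
  *     this privilege change cannot be replayed by whoever fixed it.
  *  3. Otherwise $this->app->user becomes a guest User object.
  *
  * @throws AccountInvalidException  the user id from the session or cookie no longer maps to a user
  * @throws AuthExpiredException     a remember-me cookie is present alongside the session but is no longer valid
  * @throws AuthCompromisedException the remember-me library reports the presented token as invalid (possible theft)
  */
 public function setup()
 {
     try {
         // Initialize RememberMe, backed by the PDO connection Capsule already holds
         $storage = new \Birke\Rememberme\Storage\PDO($this->app->remember_me_table);
         $storage->setConnection(\Illuminate\Database\Capsule\Manager::connection()->getPdo());
         $this->app->remember_me = new \Birke\Rememberme\Authenticator($storage);
         // Change cookie path so the cookie is sent for every route, not only the one that set it
         $cookie = $this->app->remember_me->getCookie();
         $cookie->setPath("/");
         $this->app->remember_me->setCookie($cookie);
         // Determine if we are already logged in (user exists in the session variable).
         // The loose != is kept on purpose: it also rejects "", 0 and false as "not logged in".
         if (isset($_SESSION["userfrosting"]["user_id"]) && $_SESSION["userfrosting"]["user_id"] != null) {
             // Load the user.  If they don't exist any more, throw an exception.
             if (!($this->app->user = User::find($_SESSION["userfrosting"]["user_id"]))) {
                 throw new AccountInvalidException();
             }
             // Check, if the Rememberme cookie exists and is still valid.
             // If not, we log out the current session
             if (!empty($_COOKIE[$this->app->remember_me->getCookieName()]) && !$this->app->remember_me->cookieIsValid()) {
                 $this->app->remember_me->clearCookie();
                 throw new AuthExpiredException();
             }
         } else {
             // Not in the session: if the cookie presents the correct tokens, log the user in
             $user_id = $this->app->remember_me->login();
             if ($user_id) {
                 // Load the user
                 $this->app->user = \UserFrosting\UserLoader::fetch($user_id);
                 // The account behind a valid token may have been deleted since the token was
                 // issued; treat that like a stale session id instead of continuing with no user.
                 if (!$this->app->user) {
                     $this->app->remember_me->clearCookie();
                     throw new AccountInvalidException();
                 }
                 // Guest -> authenticated is a privilege change: regenerate the session id so a
                 // session fixed by an attacker before this point does not carry the new identity.
                 if (session_status() === PHP_SESSION_ACTIVE) {
                     session_regenerate_id(true);
                 }
                 // Update in session
                 $_SESSION["userfrosting"]["user_id"] = $user_id;
                 // There is a chance that an attacker has stolen the login token, so we store
                 // the fact that the user was logged in via RememberMe (instead of login form)
                 $_SESSION['remembered_by_cookie'] = true;
             } elseif ($this->app->remember_me->loginTokenWasInvalid()) {
                 // login() returned false and the library flags the token itself as invalid:
                 // the original code treats this as a stolen cookie
                 throw new AuthCompromisedException();
             } else {
                 // login() returned false because of an invalid/missing Rememberme cookie - create a dummy "guest" user
                 $this->app->user = new User([], $this->app->config('user_id_guest'));
             }
         }
         // Now we have an authenticated user, setup their environment
         $this->app->setupAuthenticatedEnvironment();
     } catch (\PDOException $e) {
         // If we can't connect to the DB, then we can't create an authenticated user.  That's ok if we're in installation mode.
         // NOTE(review): despite the log message, no guest user is assigned here; $this->app->user
         // stays unset and callers must tolerate that when the database is unreachable.
         error_log("Unable to authenticate user, falling back to guest user.");
         error_log($e->getTraceAsString());
     }
 }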
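 /**
  * Log this user out.
  *
  * Destroys the PHP session as well.
  * @param bool $complete If set to true, will also clear out any persistent sessions.
  *                       With the default false, remember-me triplets this user holds on
  *                       other devices stay usable; only the cookie presented by this
  *                       browser is cleared.
  */
 public function logout($complete = false)
 {
     if ($complete) {
         // Invalidate every remember-me triplet stored for this user id, across all devices
         $storage = new \Birke\Rememberme\Storage\PDO(static::$app->remember_me_table);
         $storage->setConnection(\Illuminate\Database\Capsule\Manager::connection()->getPdo());
         $storage->cleanAllTriplets($this->id);
     }
     // Change cookie path so the clearing cookie matches the path used when it was set
     $cookie = static::$app->remember_me->getCookie();
     $cookie->setPath("/");
     static::$app->remember_me->setCookie($cookie);
     if (static::$app->remember_me->clearCookie()) {
         error_log("Cleared cookie");
     }
     // session_destroy() does not touch the $_SESSION superglobal, so clear it explicitly;
     // otherwise the user id remains visible to code running later in this same request.
     $_SESSION = [];
     // Only regenerate/destroy when a session is actually active (both calls warn otherwise)
     if (session_status() === PHP_SESSION_ACTIVE) {
         session_regenerate_id(true);
         session_destroy();
     }
 }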