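 /**
  * Validates "stay logged in" tokens and refreshes them.
  *
  * The cookie carries (member id, series token, auth token). The series
  * token selects a row in members_sessions for this member; the auth token
  * must match that row and is rotated on every successful refresh. A cookie
  * whose series token matches but whose auth token does not is treated as a
  * replayed/stolen cookie and the whole series is removed.
  *
  * @param boolean   $newsession: flag for a new session (no validation)
  *
  * @return boolean true if cookie refreshed, false if cookie removed
  */
 public function refreshMemoryCookie($newsession = false)
 {
     // Set once the cookie has been matched against an existing row, so the
     // write below UPDATEs that row instead of INSERTing a duplicate series.
     // (The original keyed this on the row's `modified` column, which silently
     // produced duplicate rows whenever that column was 0/NULL.)
     $seriesExists = false;
     if ($newsession === false) {
         $memoryCookie = $this->getMemoryCookie();
         if ($memoryCookie === false) {
             // no usable cookie: just clean up token records in the database
             $this->removeSessionMemory();
             return false;
         }
         // NOTE(review): $id from the cookie is not cross-checked against
         // $this->id here; presumably the caller set $this->id from it — confirm
         list($id, $seriesToken, $authToken) = $memoryCookie;
         $seriesTokenEsc = $this->dao->escape($seriesToken);
         // existing session -> validate first
         $s = $this->dao->query('
                                 SELECT
                                     AuthToken, SeriesToken
                                 FROM
                                     members_sessions
                                 WHERE
                                     IdMember = ' . (int) $this->id . '
                                     AND
                                     SeriesToken = \'' . $seriesTokenEsc . '\'');
         $tokens = $s->fetch(PDB::FETCH_OBJ);
         if (!$tokens) {
             // both tokens (or just series token) incorrect
             $this->removeSessionMemory($seriesToken);
             return false;
         }
         // from here on use the database copy of the series token
         $seriesToken = $tokens->SeriesToken;
         // Constant-time comparison: an early-exit string compare leaks how
         // many leading bytes of the guessed auth token were correct.
         // hash_equals() requires strings, so reject anything else first.
         if (!is_string($authToken)
             || !hash_equals((string) $tokens->AuthToken, $authToken)) {
             // auth token incorrect but series token correct -> hijacked
             $this->removeSessionMemory($seriesToken, true);
             return false;
         }
         $seriesExists = true;
         // both tokens correct -> log in user
         $loginModel = new LoginModel();
         $tb_user = $loginModel->getTBUserForBWMember($this);
         $loginModel->setupBWSession($this);
         $loginModel->setTBUserAsLoggedIn($tb_user);
     } else {
         // create series token
         $seriesToken = $this->generateMemoryToken();
     }
     // rotate the auth token on every refresh
     $authToken = $this->generateMemoryToken();
     // Tokens are locally generated hex, but escape them anyway so the SQL
     // does not depend on that invariant holding forever.
     $authTokenEsc = $this->dao->escape($authToken);
     $seriesTokenEsc = $this->dao->escape($seriesToken);
     if ($seriesExists) {
         // update token from existing series
         $this->dao->query('
                             UPDATE
                                 members_sessions
                             SET
                                 AuthToken = \'' . $authTokenEsc . '\'
                             WHERE
                                 IdMember = ' . (int) $this->id . ' AND SeriesToken = \'' . $seriesTokenEsc . '\'');
     } else {
         // create new token series
         $this->dao->query('
                             INSERT INTO
                                 members_sessions
                                 (IdMember, AuthToken, SeriesToken)
                             VALUES
                                 (' . (int) $this->id . ', \'' . $authTokenEsc . '\', \'' . $seriesTokenEsc . '\')');
     }
     // create cookie
     $this->setMemoryCookie($this->id, $seriesToken, $authToken);
     return true;
 }

 /**
  * Generates an unguessable token for the "stay logged in" cookie.
  *
  * Replaces md5(rand() + time()): rand() is not a CSPRNG and time() is
  * public, so those tokens were predictable. 16 random bytes rendered as
  * hex give the same 32-character width md5() produced, so existing
  * AuthToken/SeriesToken columns keep fitting.
  *
  * Requires PHP >= 7.0 (or the random_compat polyfill) for random_bytes().
  *
  * @return string 32 lowercase hex characters
  */
 private function generateMemoryToken()
 {
     return bin2hex(random_bytes(16));
 }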