/** * Function to test if DOB is stored correctly. */ public function testSetDOB() { $dob = time() - 10000; $this->xobj->setDOB($dob); $result = SQL("SELECT `DOB` FROM XUSER WHERE USERID = ?", array($this->obj->getUserID())); $this->assertTrue($result[0]['DOB'] == $dob); }
/** * Constructor of this class. * @param \phpsec\User $userObj The object of class \phpsec\User */ public function __construct($userObj) { $this->userID = $userObj->getUserID(); if (!XUser::isXUserExists($this->userID)) { //If user's records are not present in the DB, then insert them SQL("INSERT INTO XUSER (`USERID`) VALUES (?)", array($this->userID)); } }
/** * Function for user to Log-out. * @param \phpsec\User $userObj The user object of the user that needs to log out */ public static function logOut($userObj) { if ($userObj->checkRememberMe() === $userObj->getUserID()) { User::deleteAuthenticationToken(); //delete the authentication token from the server and the user's browser } if (file_exists(__DIR__ . "/../session/session.php")) { require_once __DIR__ . "/../session/session.php"; //If session library is present, then delete session from the server as well as user's browser $tempSession = new Session(); $tempSession->existingSession(); $tempSession->destroySession(); } }
function Handle($Request) { try { $userSession = new phpsec\Session(); $sessionID = $userSession->existingSession(); if ($sessionID != FALSE) { if (isset($_POST['submit'])) { $userID = \phpsec\Session::getUserIDFromSessionID($sessionID); if (isset($_POST['_x_oldpass']) && $_POST['_x_oldpass'] != "" && isset($_POST['pass']) && $_POST['pass'] != "" && isset($_POST['repass']) && $_POST['repass'] != "") { $config = (require_once __DIR__ . "/../../config/config.php"); if (phpsec\BasicPasswordManagement::$passwordStrength > phpsec\BasicPasswordManagement::strength($_POST['pass'])) { $this->error .= "ERROR: This password is too weak. Please choose a different password. A good password contains a-z, A-Z, 0-9, & special characters." . "<BR>"; if ($config['PASSWORD_SUGGESTION'] === "ON") { $this->info .= "This password is strong: " . substr(\phpsec\BasicPasswordManagement::generate(1), 0, 8) . "<BR>"; } return require_once __DIR__ . "/../../view/default/user/passwordreset.php"; } if ($_POST['pass'] !== $_POST['repass']) { $this->error .= "Your Password and Re-Type Password fields do not match. Please enter the same password twice." . "<BR>"; return require_once __DIR__ . "/../../view/default/user/passwordreset.php"; } try { $userObj = phpsec\UserManagement::logIn($userID, $_POST['_x_oldpass']); $userObj->resetPassword($_POST['_x_oldpass'], $_POST['pass']); $this->info .= "Your password have been changed successfully." . "<BR>"; } catch (phpsec\WrongPasswordException $e) { if ($config['BRUTE_FORCE_DETECTION'] === "ON") { try { new phpsec\AdvancedPasswordManagement($userID, $_POST['pass'], TRUE); } catch (phpsec\BruteForceAttackDetectedException $ex) { \phpsec\User::lockAccount($userID); $this->error .= "Brute Force Attack detected on this account. This account has now been locked. If its not your fault, then please contact the administrator." . "<BR>"; } } $this->error .= "Your old password does not seems correct. Please enter your old password for verification." . "<BR>"; } } else { $this->error .= "ERROR: Empty fields are not allowed." . "<BR>"; } } } else { $this->error .= "You are not logged-in. Please login to complete the operation." . "<BR>"; $newLocation = \phpsec\HttpRequest::Protocol() . "://" . \phpsec\HttpRequest::Host() . \phpsec\HttpRequest::PortReadable() . "/rnj/framework/login"; header("Location: {$newLocation}"); } } catch (Exception $e) { $this->error .= $e->getMessage() . "<BR>"; } return require_once __DIR__ . "/../../view/default/user/passwordreset.php"; }
/** * Function to test if brute force is detected when failed attempts are done in intervals. e.g. a bot guesses password after every 2 seconds in attempt to fool the system that this is a legit attempt */ public function testBruteForceForSlowPasswordGuessing() { try { //repeatedly provide wrong password. for ($i = 0; $i < 7; $i++) { sleep(2); //Sleep for some time so that the mechanism can be fooled. $this->obj = new AdvancedPasswordManagement($this->user->getUserID(), "resting", true); //wrong password provided. } } catch (BruteForceAttackDetectedException $e) { $this->assertTrue(TRUE); //True since BruteForceAttackDetectedException was thrown } }
function Handle($Request) { try { if (isset($_GET['user']) && $_GET['user'] != "" && isset($_GET['verification']) && $_GET['verification'] != "" && ($_GET['mode'] === 'temppass' || $_GET['mode'] === 'activation')) { if (phpsec\AdvancedPasswordManagement::tempPassword($_GET['user'], $_GET['verification'])) { if ($_GET['mode'] === 'temppass') { $userSession = new phpsec\Session(); $userSessionID = $userSession->newSession($_GET['user']); $nextLocation = \phpsec\HttpRequest::Protocol() . "://" . \phpsec\HttpRequest::Host() . \phpsec\HttpRequest::PortReadable() . "/rnj/framework/requestnewpassword"; header("Location: {$nextLocation}"); } else { if ($_GET['mode'] === 'activation') { \phpsec\User::activateAccount($_GET['user']); $this->info .= "Your account <b>" . $_GET['user'] . "</b> is now activated." . "<BR>"; require_once __DIR__ . "/../../view/default/user/temppass.php"; } } } else { $this->error .= "ERROR: This validation token does not match our records!!!" . "<BR>"; return require_once __DIR__ . "/../../view/default/user/temppass.php"; } } else { if (isset($_GET['user']) && $_GET['user'] != "" && isset($_GET['email']) && $_GET['email'] != "" && ($_GET['mode'] === 'temppass' || $_GET['mode'] === 'activation')) { $tempPass = phpsec\AdvancedPasswordManagement::tempPassword($_GET['user']); $message = "Please open the following link in order to complete the process:\n"; $message .= \phpsec\HttpRequest::Protocol() . "://" . \phpsec\HttpRequest::Host() . \phpsec\HttpRequest::PortReadable() . "/rnj/framework/temppass?user="******"&mode=" . $_GET['mode'] . "&verification=" . $tempPass . "\n\n\n"; $message .= "Sometimes the email ends up in the Spam folder. So also please check your spam folder in case you didn't receive the email.\n\n"; $message .= "If you did nothing to get this email, just ignore it.\n"; $message = wordwrap($message, 70, "\r\n"); $send = \mail($_GET['email'], "Authentication Email", $message, "FROM: " . "*****@*****.**"); if (!$send) { $this->error .= "ERROR: Mail was not send!" . "<BR>"; } return require_once __DIR__ . "/../../view/default/user/temppass.php"; } else { return require_once __DIR__ . "/../../view/default/404.php"; } } } catch (Exception $e) { $this->error .= $e->getMessage() . "<BR>"; return require_once __DIR__ . "/../../view/default/user/temppass.php"; } }
function Handle($Request) { try { $config = (require_once __DIR__ . "/../../config/config.php"); $userID = \phpsec\User::checkRememberMe(); if (!$userID) { if (isset($_POST['submit'])) { if (isset($_POST['user']) && $_POST['user'] != "" && isset($_POST['pass']) && $_POST['pass'] != "") { try { $userID = $_POST['user']; $userObj = phpsec\UserManagement::logIn($_POST['user'], $_POST['pass']); } catch (phpsec\WrongPasswordException $e) { if ($config['BRUTE_FORCE_DETECTION'] === "ON") { try { new phpsec\AdvancedPasswordManagement($_POST['user'], $_POST['pass'], TRUE); } catch (phpsec\BruteForceAttackDetectedException $ex) { \phpsec\User::lockAccount($_POST['user']); $this->error .= "Brute Force Attack detected on this account. This account has now been locked. If its not your fault, then please contact the administrator." . "<BR>"; } } $this->error .= "Incorrect Username/Password combination!" . "<BR>"; return require_once __DIR__ . "/../../view/default/user/login.php"; } catch (phpsec\UserAccountInactive $e) { $userEmail = phpsec\User::getPrimaryEmail($_POST['user']); $activationLink = \phpsec\HttpRequest::Protocol() . "://" . \phpsec\HttpRequest::Host() . \phpsec\HttpRequest::PortReadable() . "/rnj/framework/temppass?user="******"&mode=activation" . "&email=" . $userEmail; $this->error .= "ERROR: The account is inactive. Please activate your account by clicking <a href=\"{$activationLink}\">here</a>." . "<BR>"; return require_once __DIR__ . "/../../view/default/user/login.php"; } if (isset($_POST['remember-me']) && $_POST['remember-me'] == "on") { if (phpsec\HttpRequest::isHTTPS()) { phpsec\User::enableRememberMe($_POST['user']); } else { phpsec\User::enableRememberMe($_POST['user'], FALSE, TRUE); } } } else { $this->error .= "Empty fields are not allowed. Please fill the required areas." . "<BR>"; } } else { return require_once __DIR__ . "/../../view/default/user/login.php"; } } $userSession = new phpsec\Session(); try { $sessionID = $userSession->existingSession(); if ($sessionID) { $userSessionID = $userSession->rollSession(); } else { $userSessionID = $userSession->newSession($userID); } $userObj = phpsec\UserManagement::forceLogIn($userID); if ($userObj->isPasswordExpired()) { $this->info .= "Its been too long since you have changed your password. For security reasons, please change your password." . "<BR>"; } $url_to_redirect = \phpsec\HttpRequest::Protocol() . "://" . \phpsec\HttpRequest::Host() . \phpsec\HttpRequest::PortReadable() . "/rnj/framework/user/index"; header("HTTP/1.1 302 Found"); header('Location: ' . $url_to_redirect); } catch (\phpsec\SessionExpired $e) { $this->error .= $e->getMessage() . "<BR>"; phpsec\User::deleteAuthenticationToken(); } } catch (Exception $e) { $this->error .= $e->getMessage() . "<BR>"; } return require_once __DIR__ . "/../../view/default/user/login.php"; }