$group = $perm_req->fetch(PDO::FETCH_ASSOC);
$_SESSION['is_admin'] = $group['is_admin'];
$_SESSION['is_sysadmin'] = $group['is_sysadmin'];
// PREFS
$_SESSION['prefs'] = array('display' => $users['display'], 'order' => $users['order_by'], 'sort' => $users['sort_by'], 'limit' => $users['limit_nb'], 'close_warning' => intval($users['close_warning']), 'shortcuts' => array('create' => $users['sc_create'], 'edit' => $users['sc_edit'], 'submit' => $users['sc_submit'], 'todo' => $users['sc_todo']), 'lang' => $users['lang']);
session_write_close();
} else {
// no token found in database
header("location: login.php");
exit;
}
} else {
// no cookie
// maybe we clicked an email link and we want to be redirected to the page upon successful login
// so we store the url in a cookie expiring in 5 minutes to redirect to it after login
if (using_ssl()) {
$protocol = 'https';
} else {
$protocol = 'http';
}
$host = $_SERVER['HTTP_HOST'];
$script = $_SERVER['SCRIPT_NAME'];
$params = $_SERVER['QUERY_STRING'];
$url = $protocol . '://' . $host . $script . '?' . $params;
setcookie('redirect', $url, time() + 300, null, null, false, true);
header('location: login.php');
exit;
}
}
if (isset($_SESSION['auth'])) {
// check that the token in session is the same as in SQL
$perm_sql = "SELECT * FROM groups WHERE group_id = :group_id LIMIT 1";
$perm_req = $pdo->prepare($perm_sql);
$perm_req->bindParam(':group_id', $data['usergroup']);
$perm_req->execute();
$group = $perm_req->fetch(PDO::FETCH_ASSOC);
$_SESSION['is_admin'] = $group['is_admin'];
$_SESSION['is_sysadmin'] = $group['is_sysadmin'];
// PREFS
$_SESSION['prefs'] = array('display' => $data['display'], 'order' => $data['order_by'], 'sort' => $data['sort_by'], 'limit' => $data['limit_nb'], 'shortcuts' => array('create' => $data['sc_create'], 'edit' => $data['sc_edit'], 'submit' => $data['sc_submit'], 'todo' => $data['sc_todo']), 'lang' => $data['lang'], 'close_warning' => intval($data['close_warning']));
// Make a unique token and store it in sql AND cookie
$token = md5(uniqid(rand(), true));
// and SESSION
$_SESSION['token'] = $token;
session_write_close();
// Cookie validity = 1 month, works only in https
if (!using_ssl()) {
die("eLabFTW works only in HTTPS. Please enable HTTPS on your server (<a href='https://github.com/elabftw/elabftw/wiki/Troubleshooting#wiki-switch-to-https'>see documentation</a>). Or retry with https:// in front of the address.");
}
// Set token cookie
// setcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )
// expiration = 1 month = 60*60*24*30 = 2592000
// TODO can we set true for $secure in setcookie() ?
// because it might not work if we are in http but using https from haproxy, dunno.
// so it's left to false, it's ok for now.
setcookie('token', $token, time() + 2592000, null, null, false, true);
// Update the token in SQL
$sql = "UPDATE users SET token = :token WHERE userid = :userid";
$req = $pdo->prepare($sql);
$req->execute(array('token' => $token, 'userid' => $data['userid']));
if (isset($_COOKIE['redirect'])) {
$location = $_COOKIE['redirect'];
/**
* @abstract Forces the request to use an SSL connection by redirecting the page to https:://host/request if it is not.
*
* @see SSL::isActive()
*/
public static function force()
{
if (!using_ssl()) {
Utils::location('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
}
}