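/**
 * Sets up the session for the currently logged-in user, trying to re-establish a session for "remember-me" users
 * who have been logged out, or creates a guest user object if no one is logged in.
 *
 * Outcomes, in order of evaluation:
 *  - a user id is already present in `$_SESSION["userfrosting"]["user_id"]`: that user is loaded from the database.
 *    If a remember-me cookie is also present but no longer validates, the cookie is cleared and the session is
 *    reported as expired;
 *  - no session user, but the remember-me cookie logs a user in: the user is loaded, the session id is regenerated
 *    (authentication state changes here, so a pre-login session id must not become an authenticated one), and the
 *    session is marked as established from a cookie rather than the login form;
 *  - no session user and the remember-me library reports an invalid token: the cookie is treated as compromised;
 *  - otherwise a guest user object is created.
 *
 * On a database failure the error is logged and `$this->app->user` is left as it was (see the catch block).
 *
 * @throws AccountInvalidException  the session refers to a user id that no longer exists.
 * @throws AuthExpiredException     a remember-me cookie is present but no longer valid.
 * @throws AuthCompromisedException the remember-me login token was rejected as invalid (possible token theft).
 */
public function setup()
{
    try {
        // Initialize RememberMe, backed by the application's existing PDO connection.
        $storage = new \Birke\Rememberme\Storage\PDO($this->app->remember_me_table);
        $storage->setConnection(\Illuminate\Database\Capsule\Manager::connection()->getPdo());
        $this->app->remember_me = new \Birke\Rememberme\Authenticator($storage);

        // Scope the remember-me cookie to the whole site.
        // NOTE(review): Secure/HttpOnly attributes are not set here; confirm the library's cookie defaults.
        $cookie = $this->app->remember_me->getCookie();
        $cookie->setPath("/");
        $this->app->remember_me->setCookie($cookie);

        $cookieName = $this->app->remember_me->getCookieName();
        $sessionUserId = isset($_SESSION["userfrosting"]["user_id"]) ? $_SESSION["userfrosting"]["user_id"] : null;

        // Loose comparison is deliberate here and matches the original check: an empty/falsy id counts as "not logged in".
        if ($sessionUserId != null) {
            // The session may refer to an account that has since been removed.
            $this->app->user = User::find($sessionUserId);
            if (!$this->app->user) {
                throw new AccountInvalidException();
            }

            // A remember-me cookie that is present but no longer validates means this session should be ended.
            if (!empty($_COOKIE[$cookieName]) && !$this->app->remember_me->cookieIsValid()) {
                $this->app->remember_me->clearCookie();
                throw new AuthExpiredException();
            }
        } else {
            // No session user: try to log in from the remember-me cookie.
            $user_id = $this->app->remember_me->login();

            if ($user_id) {
                $this->app->user = \UserFrosting\UserLoader::fetch($user_id);

                // Privilege change: rotate the session id so a session id fixed by an attacker before
                // authentication cannot be reused as an authenticated session.
                if (session_status() === PHP_SESSION_ACTIVE) {
                    session_regenerate_id(true);
                }

                $_SESSION["userfrosting"]["user_id"] = $user_id;

                // The login token could have been stolen, so record that this session came from the
                // RememberMe cookie rather than the login form; sensitive actions can then demand re-authentication.
                $_SESSION['remembered_by_cookie'] = true;
            } elseif ($this->app->remember_me->loginTokenWasInvalid()) {
                // The library rejected the presented token as invalid (as opposed to merely absent);
                // the original code treats this as a stolen cookie.
                throw new AuthCompromisedException();
            } else {
                // No usable remember-me cookie: continue as a "guest" user.
                $this->app->user = new User([], $this->app->config('user_id_guest'));
            }
        }

        // Now we have an authenticated (or guest) user: set up their environment.
        $this->app->setupAuthenticatedEnvironment();
    } catch (\PDOException $e) {
        // If we can't connect to the DB, then we can't create an authenticated user. That's ok if we're in
        // installation mode.
        // NOTE(review): despite the message, no guest user is assigned here, so $this->app->user may remain
        // unset; callers presumably tolerate that in installation mode -- confirm.
        error_log("Unable to authenticate user, falling back to guest user.");
        error_log($e->getTraceAsString());
    }
}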
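/**
 * Log this user out.
 *
 * Clears the remember-me cookie, then rotates and destroys the PHP session.
 * `session_destroy()` does not empty the `$_SESSION` superglobal for the remainder of the current request,
 * so it is cleared explicitly here so that nothing running after logout still sees this user's id.
 *
 * @param bool $complete If set to true, will also clear out any persistent sessions: every remember-me
 *                       triplet stored for this user (all remembered devices), not just the one in this browser.
 */
public function logout($complete = false)
{
    if ($complete) {
        // Revoke every remember-me token for this user, not only the one presented by this browser.
        $storage = new \Birke\Rememberme\Storage\PDO(static::$app->remember_me_table);
        $storage->setConnection(\Illuminate\Database\Capsule\Manager::connection()->getPdo());
        $storage->cleanAllTriplets($this->id);
    }

    // The cookie path must match the one used when the cookie was set, or the browser will not clear it.
    $cookie = static::$app->remember_me->getCookie();
    $cookie->setPath("/");
    static::$app->remember_me->setCookie($cookie);

    if (static::$app->remember_me->clearCookie()) {
        error_log("Cleared cookie");
    }

    // Drop the in-memory session data for this request, then rotate and destroy the server-side session.
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}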