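/**
 * Validates "stay logged in" tokens and refreshes them.
 *
 * Series/auth token scheme: the cookie carries a member id, a long-lived
 * series token and a one-use auth token. Every successful validation rotates
 * the auth token. A correct series token paired with a wrong auth token is
 * treated as a stolen cookie and the whole series is removed.
 *
 * @param bool $newsession flag for a new session (no validation of an
 *                         existing cookie; a fresh token series is created)
 *
 * @return bool true if the cookie was (re)written, false if it was removed
 */
public function refreshMemoryCookie($newsession = false)
{
    // True only when the cookie matched a stored series; decides UPDATE vs INSERT
    // below. (Keying this on the `modified` column, as before, would INSERT a
    // duplicate series row whenever that column came back NULL/0.)
    $existingSeries = false;

    if ($newsession === false) {
        $memoryCookie = $this->getMemoryCookie();
        if ($memoryCookie === false) {
            // no cookie present -> just clean up token records in the database
            $this->removeSessionMemory();
            return false;
        }

        // the member id inside the cookie is not used for the lookup; the
        // authenticated $this->id is authoritative
        list($cookieMemberId, $seriesToken, $authToken) = $memoryCookie;
        $seriesTokenEsc = $this->dao->escape($seriesToken);

        // existing session -> validate first
        $s = $this->dao->query('
            SELECT AuthToken, SeriesToken
            FROM members_sessions
            WHERE IdMember = ' . (int) $this->id . '
                AND SeriesToken = \'' . $seriesTokenEsc . '\'');
        $tokens = $s->fetch(PDB::FETCH_OBJ);

        if (!$tokens) {
            // both tokens (or just the series token) incorrect
            $this->removeSessionMemory($seriesToken);
            return false;
        }

        // constant-time comparison: a plain !== leaks the position of the
        // first mismatching byte through timing
        if (!hash_equals((string) $tokens->AuthToken, (string) $authToken)) {
            // auth token incorrect but series token correct -> hijacked
            $this->removeSessionMemory($tokens->SeriesToken, true);
            return false;
        }

        // both tokens correct -> continue with the series as stored in the database
        $seriesToken = $tokens->SeriesToken;
        $existingSeries = true;

        // log in user
        $loginModel = new LoginModel();
        $tb_user = $loginModel->getTBUserForBWMember($this);
        $loginModel->setupBWSession($this);
        $loginModel->setTBUserAsLoggedIn($tb_user);
    } else {
        // create series token from a CSPRNG (md5(rand() + time()) was
        // predictable); 32 hex chars keeps the former md5 column width
        $seriesToken = bin2hex(random_bytes(16));
    }

    // create auth token (rotated on every call)
    $authToken = bin2hex(random_bytes(16));

    // write tokens to database; escape even though the values are hex-only
    // here, so the statements stay safe if the token format ever changes
    $authTokenEsc = $this->dao->escape($authToken);
    $seriesTokenEsc = $this->dao->escape($seriesToken);
    if ($existingSeries) {
        // update token from existing series
        $this->dao->query('
            UPDATE members_sessions
            SET AuthToken = \'' . $authTokenEsc . '\'
            WHERE IdMember = ' . (int) $this->id . '
                AND SeriesToken = \'' . $seriesTokenEsc . '\'');
    } else {
        // create new token series
        $this->dao->query('
            INSERT INTO members_sessions (IdMember, AuthToken, SeriesToken)
            VALUES (' . (int) $this->id . ', \'' . $authTokenEsc . '\', \'' . $seriesTokenEsc . '\')');
    }

    // create cookie
    $this->setMemoryCookie($this->id, $seriesToken, $authToken);

    return true;
}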