/**
 * Return the CSRF token value for the given ID, creating and storing it in the session on first use
 *
 * The value comes from Password::randomBase64String(32); once stored, the same value is handed
 * back on every later call for the same $id within the session. (An earlier md5()/mt_rand()
 * construction of the token was retired in favor of the Password helper.)
 *
 * @param int|string|null $id Optional unique ID for this token (passed through to getTokenName())
 * @return string
 *
 */
public function getTokenValue($id = '') {
	$name = $this->getTokenName($id);
	$existing = $this->session->get($this, $name);
	if (!empty($existing)) {
		return $existing;
	}
	// No token stored under this name yet: generate one and persist it for the session
	$generator = new Password();
	$fresh = $generator->randomBase64String(32);
	$this->session->set($this, $name, $fresh);
	return $fresh;
}
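/**
 * Login a user with the given name and password
 *
 * Also sets them to the current user. Every failure path records a reason via loginFailure()
 * (using the sanitized page-name form of $name) and returns null.
 *
 * @param string $name
 * @param string $pass Raw, non-hashed password
 * @return User|null Return the $user if the login was successful or null if not.
 *
 */
public function ___login($name, $pass) {
	$name = $this->wire('sanitizer')->pageName($name);

	if (!$this->allowLogin($name)) {
		$this->loginFailure($name, "User is not allowed to login");
		return null;
	}

	// An empty name after sanitization can never match a user, so skip the lookup entirely
	$user = strlen($name) ? $this->wire('users')->get("name={$name}") : null;
	if (!$user || !$user->id) {
		$this->loginFailure($name, "Unknown user: {$name}");
		return null;
	}

	// The guest account is rejected before the password is even checked
	if ($user->id == $this->wire('config')->guestUserPageID) {
		$this->loginFailure($name, "Guest user may not login");
		return null;
	}

	if (!$this->authenticate($user, $pass)) {
		$this->loginFailure($name, "Invalid password");
		return null;
	}

	$this->trackChange('login', $this->wire('user'), $user);

	// Rotate the session ID (and delete the old one) now that the session gains a logged-in user
	session_regenerate_id(true);
	$this->set('_user', 'id', $user->id);
	$this->set('_user', 'ts', time());

	if ($this->config->sessionChallenge) {
		// create new challenge; a separate variable so the $pass parameter is not clobbered
		$generator = new Password();
		$challenge = $generator->randomBase64String(32);
		$this->set('_user', 'challenge', $challenge);
		// set challenge cookie to last 30 days (should be longer than any session would feasibly last)
		// Domain is '' rather than null: null for this argument is deprecated since PHP 8.1 and coerced to '' anyway.
		// NOTE(review): the Secure flag is hard-coded false, so the challenge cookie is also sent over plain HTTP —
		// consider tying it to the site's HTTPS setting; confirm against the config.
		setcookie(session_name() . '_challenge', $challenge, time() + 60 * 60 * 24 * 30, '/', '', false, true);
	}

	if ($this->config->sessionFingerprint) {
		// remember a fingerprint that tracks the user's IP and user agent
		$this->set('_user', 'fingerprint', $this->getFingerprint());
	}

	$this->setFuel('user', $user);
	$this->get('CSRF')->resetAll();
	$this->loginSuccess($user);

	return $user;
}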
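/**
 * Login a user with the given name and password
 *
 * Also sets them to the current user. All failure paths (login not allowed, no matching user,
 * password rejected) return null without recording a reason.
 *
 * @param string $name
 * @param string $pass Raw, non-hashed password
 * @return User|null Return the $user if the login was successful or null if not.
 *
 */
public function ___login($name, $pass) {
	// NOTE(review): allowLogin() is given the raw name while the lookup below uses the
	// sanitized form — confirm that is intended.
	if (!$this->allowLogin($name)) {
		return null;
	}

	$name = $this->wire('sanitizer')->username($name);
	$user = $this->wire('users')->get("name={$name}");

	// authenticate() is only consulted once a user with a non-zero id was found
	if (!$user->id || !$this->authenticate($user, $pass)) {
		return null;
	}

	$this->trackChange('login', $this->wire('user'), $user);

	// Rotate the session ID (and delete the old one) now that the session gains a logged-in user
	session_regenerate_id(true);
	$this->set('_user', 'id', $user->id);
	$this->set('_user', 'ts', time());

	if ($this->config->sessionChallenge) {
		// create new challenge; a separate variable so the $pass parameter is not clobbered
		$generator = new Password();
		$challenge = $generator->randomBase64String(32);
		$this->set('_user', 'challenge', $challenge);
		// set challenge cookie to last 30 days (should be longer than any session would feasibly last)
		// Domain is '' rather than null: null for this argument is deprecated since PHP 8.1 and coerced to '' anyway.
		// NOTE(review): the Secure flag is hard-coded false, so the challenge cookie is also sent over plain HTTP —
		// consider tying it to the site's HTTPS setting; confirm against the config.
		setcookie(session_name() . '_challenge', $challenge, time() + 60 * 60 * 24 * 30, '/', '', false, true);
	}

	if ($this->config->sessionFingerprint) {
		// remember a fingerprint that tracks the user's IP and user agent.
		// A request without a User-Agent header contributes '' (same hash input as before)
		// instead of raising an undefined-index notice.
		$userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
		$this->set('_user', 'fingerprint', md5($this->getIP(true) . $userAgent));
	}

	$this->setFuel('user', $user);
	$this->get('CSRF')->resetAll();
	$this->loginSuccess($user);

	return $user;
}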