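/**
 * Handles the login/logout request selected by the "action" query parameter.
 *
 * A login is only attempted when the token posted back from the login form
 * matches the one stored in the session ("_im_login_token"); that comparison
 * is done with hash_equals() so it is constant-time and a missing session
 * token can never match. The reply is a JSON status object when the client
 * asked for JSON, otherwise a redirect to "/" when logged in or the login
 * form again.
 */
private function handleAuthRequest()
{
    $status = false;
    $action = Runtime::$GET["action"];

    if ($action === "login") {
        /*
         * Only attempt a login when there is no active session.
         */
        if (!Auth::isLoggedIn()) {
            $user = Runtime::$POST["username"];
            $passwd = Runtime::$POST["password"];
            $token = Runtime::$POST["token"];
            $sessionToken = Runtime::$SESSION["_im_login_token"];

            /*
             * hash_equals() replaces strcmp() so the token check does not leak
             * timing information. Both sides must be strings: an absent session
             * token (null) therefore never matches, and we avoid passing null to
             * a string parameter (deprecated on PHP 8.1+).
             */
            $tokenMatches = !empty($token)
                && is_string($token)
                && is_string($sessionToken)
                && hash_equals($sessionToken, $token);

            if ($tokenMatches) {
                if (!empty($user) && !empty($passwd)) {
                    Auth::login($user, $passwd);
                }

                $status = Auth::isLoggedIn();

                /*
                 * A failed ajax (JSON) login gets a fresh token so the client can
                 * retry; in every other case the token is spent and removed.
                 */
                if (!$status && Runtime::$SYSTEM["REQUEST_CONTENT"] === "json") {
                    Runtime::$SESSION["_im_login_token"] = Crypt::encode(Crypt::password());
                } else {
                    Runtime::$SESSION->remove("_im_login_token");
                }
            }
        }
    } elseif ($action === "logout") {
        /*
         * Log the user out unless already logged out.
         *
         * NOTE(review): logout is triggered by the "action" query parameter alone,
         * without the login token; if forced-logout via a crafted link matters for
         * this deployment, the same token check as for login could be applied here.
         */
        if (Auth::isLoggedIn()) {
            Auth::logout();
        }

        $status = !Auth::isLoggedIn();
    }

    /*
     * JSON clients get the request status plus the (possibly renewed) token.
     */
    if (Runtime::$SYSTEM["REQUEST_CONTENT"] === "json") {
        echo json_encode([
            "status" => $status,
            "token" => Runtime::$SESSION["_im_login_token"],
        ]);

    /*
     * Regular post/load request (not ajax) with a logged-in user: go to the front page.
     */
    } elseif (Auth::isLoggedIn()) {
        Router::request("/");

    /*
     * Regular post/load request, user is not logged in. Either the credentials
     * were wrong or this was a logout; either way, show the login form again.
     */
    } else {
        $this->buildLoginForm();
    }
}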
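/**
 * Creates the session container and resolves the session id.
 *
 * PHP's own session handling is not used. If session.auto_start is enabled,
 * the auto-started session is torn down again and its Set-Cookie header
 * dropped. The session id is then read from the IMPHP_SESSID (or
 * IMPHP_SESSID_SSL when both SECURITY_SSL and the connection are SSL) cookie,
 * optionally decrypted with SECURITY_PASSWD; when no usable id is available a
 * fresh one is generated and sent as a cookie.
 *
 * @param Traversable|null $data Not read by this constructor; kept for signature compatibility.
 */
public function __construct(?Traversable $data = null)
{
    $this->mData = [];

    /*
     * We don't need/want PHP's session system. We do however need the $_SESSION
     * variable, and we don't want PHP persisting its content. So if the session
     * was auto-started, close it again. ini_get() returns false for an unknown
     * option, hence the string cast before lowercasing.
     */
    $autoStart = strtolower((string) ini_get("session.auto_start"));

    if (in_array($autoStart, ["on", "true", "1"], true)) {
        trigger_error("You should disable Session Auto Start while running this library", E_USER_NOTICE);

        /*
         * Identity check: if $_SESSION already is this very object, detach it
         * while PHP tears its session down and re-attach it afterwards.
         */
        if ($_SESSION === $this) {
            $_SESSION = [];
            session_unset();
            session_destroy();
            $_SESSION = $this;
        } else {
            session_unset();
            session_destroy();
        }

        /*
         * Drop the Set-Cookie header(s) queued so far; as session auto-start runs
         * before anything else, that is its session cookie. Note that
         * header_remove() drops every header of that name, which is why this
         * happens before our own cookie is set below.
         */
        header_remove("Set-Cookie");
    }

    /*
     * Register a receiver used to write data back to session storage.
     */
    Runtime::addShutdownReceiver([$this, "writeBack"]);

    $useSSL = Runtime::$SETTINGS->getBoolean("SECURITY_SSL", false);
    $isSSL = Runtime::$SYSTEM->getBoolean("CONNECTION_SSL", false);
    $secureCookie = $useSSL && $isSSL;
    $cookieName = $secureCookie ? "IMPHP_SESSID_SSL" : "IMPHP_SESSID";

    $cryptKey = null;
    if (Runtime::$SETTINGS->getBoolean("SESSION_ENCRYPT_COOKIE")) {
        $cryptKey = Runtime::$SETTINGS->getString("SECURITY_PASSWD");
    }

    /*
     * Best effort: any problem reading (or decrypting) the cookie simply means
     * we start a new session below.
     */
    $sessId = null;
    try {
        $sessId = Runtime::$COOKIE->get($cookieName, null, $cryptKey);
    } catch (Exception $e) {
    }

    /*
     * Strict check instead of "== null" so that a cookie value like "0" is kept
     * while null and the empty string still trigger a new session.
     */
    if ($sessId === null || $sessId === "") {
        $sessId = Crypt::hash(Crypt::password() . time());

        /*
         * NOTE(review): the two null arguments are presumed to be path/domain;
         * confirm the cookie helper also marks the cookie HttpOnly where supported.
         */
        Runtime::$COOKIE->set($cookieName, $sessId, 0, $secureCookie, null, null, $cryptKey);
    }

    $this->mSessId = $sessId;
}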