Elgg  Version 1.12
sessions.php
Go to the documentation of this file.
1 <?php
2 
15 global $SESSION;
16 
23 function elgg_get_session() {
24  return _elgg_services()->session;
25 }
26 
32 function elgg_get_logged_in_user_entity() {
33  return _elgg_services()->session->getLoggedInUser();
34 }
35 
42 function elgg_get_logged_in_user_guid() {
43  return _elgg_services()->session->getLoggedInUserGuid();
44 }
45 
51 function elgg_is_logged_in() {
52  return _elgg_services()->session->isLoggedIn();
53 }
54 
60 function elgg_is_admin_logged_in() {
61  return _elgg_services()->session->isAdminLoggedIn();
62 }
63 
74 function elgg_is_admin_user($user_guid) {
75  global $CONFIG;
76 
77  $user_guid = (int)$user_guid;
78 
79  $current_user = elgg_get_logged_in_user_entity();
80  if ($current_user && $current_user->guid == $user_guid) {
81  return $current_user->isAdmin();
82  }
83 
84  // cannot use magic metadata here because of recursion
85 
86  // must support the old way of getting admin from metadata
87  // in order to run the upgrade to move it into the users table.
88  $version = (int) datalist_get('version');
89 
90  if ($version < 2010040201) {
91  $admin = elgg_get_metastring_id('admin');
92  $yes = elgg_get_metastring_id('yes');
93  $one = elgg_get_metastring_id('1');
94 
95  $query = "SELECT 1 FROM {$CONFIG->dbprefix}users_entity as e,
96  {$CONFIG->dbprefix}metadata as md
97  WHERE (
98  md.name_id = '$admin'
99  AND md.value_id IN ('$yes', '$one')
100  AND e.guid = md.entity_guid
101  AND e.guid = {$user_guid}
102  AND e.banned = 'no'
103  )";
104  } else {
105  $query = "SELECT 1 FROM {$CONFIG->dbprefix}users_entity as e
106  WHERE (
107  e.guid = {$user_guid}
108  AND e.admin = 'yes'
109  )";
110  }
111 
112  // normalizing the results from get_data()
113  // See #1242
114  $info = get_data($query);
115  if (!((is_array($info) && count($info) < 1) || $info === false)) {
116  return true;
117  }
118  return false;
119 }
120 
136 function elgg_authenticate($username, $password) {
137  $pam = new \ElggPAM('user');
138  $credentials = array('username' => $username, 'password' => $password);
139  $result = $pam->authenticate($credentials);
140  if (!$result) {
141  return $pam->getFailureMessage();
142  }
143  return true;
144 }
145 
158 function pam_auth_userpass(array $credentials = array()) {
159 
160  if (!isset($credentials['username']) || !isset($credentials['password'])) {
161  return false;
162  }
163 
164  $user = get_user_by_username($credentials['username']);
165  if (!$user) {
166  throw new \LoginException(_elgg_services()->translator->translate('LoginException:UsernameFailure'));
167  }
168 
169  if (check_rate_limit_exceeded($user->guid)) {
170  throw new \LoginException(_elgg_services()->translator->translate('LoginException:AccountLocked'));
171  }
172 
173  $password_svc = _elgg_services()->passwords;
174  $password = $credentials['password'];
175  $hash = $user->password_hash;
176 
177  if (!$hash) {
178  // try legacy hash
179  $legacy_hash = $password_svc->generateLegacyHash($user, $password);
180  if ($user->password !== $legacy_hash) {
181  log_login_failure($user->guid);
182  throw new \LoginException(_elgg_services()->translator->translate('LoginException:PasswordFailure'));
183  }
184 
185  // migrate password
186  $password_svc->forcePasswordReset($user, $password);
187  return true;
188  }
189 
190  if (!$password_svc->verify($password, $hash)) {
191  log_login_failure($user->guid);
192  throw new \LoginException(_elgg_services()->translator->translate('LoginException:PasswordFailure'));
193  }
194 
195  if ($password_svc->needsRehash($hash)) {
196  $password_svc->forcePasswordReset($user, $password);
197  }
198 
199  return true;
200 }
201 
209 function log_login_failure($user_guid) {
210  $user_guid = (int)$user_guid;
211  $user = get_entity($user_guid);
212 
213  if (($user_guid) && ($user) && ($user instanceof \ElggUser)) {
214  $fails = (int)$user->getPrivateSetting("login_failures");
215  $fails++;
216 
217  $user->setPrivateSetting("login_failures", $fails);
218  $user->setPrivateSetting("login_failure_$fails", time());
219  return true;
220  }
221 
222  return false;
223 }
224 
232 function reset_login_failure_count($user_guid) {
233  $user_guid = (int)$user_guid;
234  $user = get_entity($user_guid);
235 
236  if (($user_guid) && ($user) && ($user instanceof \ElggUser)) {
237  $fails = (int)$user->getPrivateSetting("login_failures");
238 
239  if ($fails) {
240  for ($n = 1; $n <= $fails; $n++) {
241  $user->removePrivateSetting("login_failure_$n");
242  }
243 
244  $user->removePrivateSetting("login_failures");
245 
246  return true;
247  }
248 
249  // nothing to reset
250  return true;
251  }
252 
253  return false;
254 }
255 
263 function check_rate_limit_exceeded($user_guid) {
264  // 5 failures in 5 minutes causes temporary block on logins
265  $limit = 5;
266  $user_guid = (int)$user_guid;
267  $user = get_entity($user_guid);
268 
269  if (($user_guid) && ($user) && ($user instanceof \ElggUser)) {
270  $fails = (int)$user->getPrivateSetting("login_failures");
271  if ($fails >= $limit) {
272  $cnt = 0;
273  $time = time();
274  for ($n = $fails; $n > 0; $n--) {
275  $f = $user->getPrivateSetting("login_failure_$n");
276  if ($f > $time - (60 * 5)) {
277  $cnt++;
278  }
279 
280  if ($cnt == $limit) {
281  // Limit reached
282  return true;
283  }
284  }
285  }
286  }
287 
288  return false;
289 }
290 
300 function elgg_set_cookie(\ElggCookie $cookie) {
301  if (elgg_trigger_event('init:cookie', $cookie->name, $cookie)) {
302  return setcookie($cookie->name, $cookie->value, $cookie->expire, $cookie->path,
303  $cookie->domain, $cookie->secure, $cookie->httpOnly);
304  }
305  return false;
306 }
307 
320 function login(\ElggUser $user, $persistent = false) {
321  if ($user->isBanned()) {
322  throw new \LoginException(elgg_echo('LoginException:BannedUser'));
323  }
324 
325  $session = _elgg_services()->session;
326 
327  // give plugins a chance to reject the login of this user (no user in session!)
328  if (!elgg_trigger_before_event('login', 'user', $user)) {
329  throw new \LoginException(elgg_echo('LoginException:Unknown'));
330  }
331 
332  // #5933: set logged in user early so code in login event will be able to
333  // use elgg_get_logged_in_user_entity().
334  $session->setLoggedInUser($user);
335 
336  // deprecate event
337  $message = "The 'login' event was deprecated. Register for 'login:before' or 'login:after'";
338  $version = "1.9";
339  if (!elgg_trigger_deprecated_event('login', 'user', $user, $message, $version)) {
340  $session->removeLoggedInUser();
341  throw new \LoginException(elgg_echo('LoginException:Unknown'));
342  }
343 
344  // if remember me checked, set cookie with token and store hash(token) for user
345  if ($persistent) {
346  _elgg_services()->persistentLogin->makeLoginPersistent($user);
347  }
348 
349  // User's privilege has been elevated, so change the session id (prevents session fixation)
350  $session->migrate();
351 
352  set_last_login($user->guid);
353  reset_login_failure_count($user->guid);
354 
355  elgg_trigger_after_event('login', 'user', $user);
356 
357  // if memcache is enabled, invalidate the user in memcache @see https://github.com/Elgg/Elgg/issues/3143
358  if (is_memcache_available()) {
359  $guid = $user->getGUID();
360  // this needs to happen with a shutdown function because of the timing with set_last_login()
361  register_shutdown_function("_elgg_invalidate_memcache_for_entity", $guid);
362  }
363 
364  return true;
365 }
366 
372 function logout() {
373  $session = _elgg_services()->session;
374  $user = $session->getLoggedInUser();
375  if (!$user) {
376  return false;
377  }
378 
379  if (!elgg_trigger_before_event('logout', 'user', $user)) {
380  return false;
381  }
382 
383  // deprecate event
384  $message = "The 'logout' event was deprecated. Register for 'logout:before' or 'logout:after'";
385  $version = "1.9";
386  if (!elgg_trigger_deprecated_event('logout', 'user', $user, $message, $version)) {
387  return false;
388  }
389 
390  _elgg_services()->persistentLogin->removePersistentLogin();
391 
392  // pass along any messages into new session
393  $old_msg = $session->get('msg');
394  $session->invalidate();
395  $session->set('msg', $old_msg);
396 
397  elgg_trigger_after_event('logout', 'user', $user);
398 
399  return true;
400 }
401 
408 function _elgg_session_boot() {
409 
410  elgg_register_action('login', '', 'public');
411  elgg_register_action('logout');
412  register_pam_handler('pam_auth_userpass');
413 
414  $session = _elgg_services()->session;
415  $session->start();
416 
417  // test whether we have a user session
418  if ($session->has('guid')) {
419  $user = _elgg_services()->entityTable->get($session->get('guid'), 'user');
420  if (!$user) {
421  // OMG user has been deleted.
422  $session->invalidate();
423  forward('');
424  }
425 
426  $session->setLoggedInUser($user);
427 
428  _elgg_services()->persistentLogin->replaceLegacyToken($user);
429  } else {
430  $user = _elgg_services()->persistentLogin->bootSession();
431  if ($user) {
432  $session->setLoggedInUser($user);
433  }
434  }
435 
436  if ($session->has('guid')) {
437  set_last_action($session->get('guid'));
438  }
439 
440  // initialize the deprecated global session wrapper
441  global $SESSION;
442  $SESSION = new \Elgg\DeprecationWrapper($session, "\$SESSION is deprecated", 1.9);
443 
444  // logout a user with open session who has been banned
445  $user = $session->getLoggedInUser();
446  if ($user && $user->isBanned()) {
447  logout();
448  return false;
449  }
450 
451  return true;
452 }
$result
$result
Definition: set_maintenance_mode.php:11
$message
$message
Definition: set_maintenance_mode.php:7
$password
$password
Definition: login.php:25
$persistent
$persistent
Definition: login.php:26
$session
$session
Definition: login.php:9
$admin
$admin
Definition: useradd.php:22
elgg_register_action
elgg_register_action($action, $filename="", $access='logged_in')
Registers an action.
Definition: actions.php:85
$username
$username
Definition: delete.php:22
_elgg_services
_elgg_services()
Definition: autoloader.php:14
$user_guid
$user_guid
Avatar remove action.
Definition: remove.php:6
$user
$user
Definition: ban.php:13
datalist_get
datalist_get($name)
Get the value of a datalist element.
Definition: configuration.php:117
$n
$n
Profile fields.
Definition: list.php:9
$guid
$guid
Removes an admin notice.
Definition: delete_admin_notice.php:6
elgg_trigger_event
elgg_trigger_event($event, $object_type, $object=null)
Definition: elgglib.php:584
elgg_trigger_after_event
elgg_trigger_after_event($event, $object_type, $object=null)
Trigger an "After event" indicating a process has finished.
Definition: elgglib.php:624
elgg_trigger_deprecated_event
elgg_trigger_deprecated_event($event, $object_type, $object=null, $message, $version)
Trigger an event normally, but send a notice about deprecated use if any handlers are registered.
Definition: elgglib.php:644
elgg_trigger_before_event
elgg_trigger_before_event($event, $object_type, $object=null)
Trigger a "Before event" indicating a process is about to begin.
Definition: elgglib.php:605
forward
forward($location="", $reason='system')
Forward to $location.
Definition: elgglib.php:80
get_data
get_data($query, $callback="")
Retrieve rows from the database.
Definition: database.php:50
elgg_echo
elgg_echo($message_key, $args=array(), $language="")
Given a message key, returns an appropriately translated full-text string.
Definition: languages.php:21
get_entity
get_entity($guid)
Loads and returns an entity object from a guid.
Definition: entities.php:382
is_memcache_available
is_memcache_available()
Return true if memcache is available and configured.
Definition: memcache.php:16
elgg_get_metastring_id
elgg_get_metastring_id($string, $case_sensitive=true)
Gets the metastring identifier for a value.
Definition: metastrings.php:25
register_pam_handler
register_pam_handler($handler, $importance="sufficient", $policy="user")
Register a PAM handler.
Definition: pam.php:42
elgg_get_session
elgg_get_session()
Gets Elgg's session object.
Definition: sessions.php:23
login
login(\ElggUser $user, $persistent=false)
Logs in a specified \ElggUser.
Definition: sessions.php:320
logout
logout()
Log the current user out.
Definition: sessions.php:372
pam_auth_userpass
pam_auth_userpass(array $credentials=array())
Hook into the PAM system which accepts a username and password and attempts to authenticate it agains...
Definition: sessions.php:158
elgg_authenticate
elgg_authenticate($username, $password)
Perform user authentication with a given username and password.
Definition: sessions.php:136
elgg_is_admin_logged_in
elgg_is_admin_logged_in()
Returns whether or not the viewer is currently logged in and an admin user.
Definition: sessions.php:60
elgg_set_cookie
elgg_set_cookie(\ElggCookie $cookie)
Set a cookie, but allow plugins to customize it first.
Definition: sessions.php:300
$SESSION
global $SESSION
Elgg magic session.
Definition: sessions.php:15
_elgg_session_boot
_elgg_session_boot()
Initializes the session and checks for the remember me cookie.
Definition: sessions.php:408
elgg_get_logged_in_user_guid
elgg_get_logged_in_user_guid()
Return the current logged in user by guid.
Definition: sessions.php:42
reset_login_failure_count
reset_login_failure_count($user_guid)
Resets the fail login count for $user_guid.
Definition: sessions.php:232
elgg_is_admin_user
elgg_is_admin_user($user_guid)
Check if the given user has full access.
Definition: sessions.php:74
elgg_get_logged_in_user_entity
elgg_get_logged_in_user_entity()
Return the current logged in user, or null if no user is logged in.
Definition: sessions.php:32
elgg_is_logged_in
elgg_is_logged_in()
Returns whether or not the user is currently logged in.
Definition: sessions.php:51
log_login_failure
log_login_failure($user_guid)
Log a failed login for $user_guid.
Definition: sessions.php:209
check_rate_limit_exceeded
check_rate_limit_exceeded($user_guid)
Checks if the rate limit of failed logins has been exceeded for $user_guid.
Definition: sessions.php:263
$CONFIG
global $CONFIG
Definition: settings.example.php:17
$limit
$limit
Definition: userpicker.php:38
set_last_action
set_last_action($user_guid)
Sets the last action time of the given user to right now.
Definition: users.php:408
set_last_login
set_last_login($user_guid)
Sets the last logon time of the given user to right now.
Definition: users.php:419
get_user_by_username
get_user_by_username($username)
Get user by username.
Definition: users.php:98
$version
$version
Definition: version.php:14
Generated on Mon Nov 3 2025 00:00:37 for Elgg by doxygen 1.9.1