Elgg  Version 1.9
sessions.php
Go to the documentation of this file.
1 <?php
2 
15 global $SESSION;
16 
23 function elgg_get_session() {
24  return _elgg_services()->session;
25 }
26 
32 function elgg_get_logged_in_user_entity() {
33  return _elgg_services()->session->getLoggedInUser();
34 }
35 
42 function elgg_get_logged_in_user_guid() {
43  $user = _elgg_services()->session->getLoggedInUser();
44  if ($user) {
45  return $user->guid;
46  }
47 
48  return 0;
49 }
50 
56 function elgg_is_logged_in() {
57  return (bool)_elgg_services()->session->getLoggedInUser();
58 }
59 
65 function elgg_is_admin_logged_in() {
66  $user = elgg_get_logged_in_user_entity();
67 
68  if ($user && $user->isAdmin()) {
69  return true;
70  }
71 
72  return false;
73 }
74 
85 function elgg_is_admin_user($user_guid) {
86  global $CONFIG;
87 
88  $user_guid = (int)$user_guid;
89 
90  // cannot use magic metadata here because of recursion
91 
92  // must support the old way of getting admin from metadata
93  // in order to run the upgrade to move it into the users table.
94  $version = (int) datalist_get('version');
95 
96  if ($version < 2010040201) {
97  $admin = elgg_get_metastring_id('admin');
98  $yes = elgg_get_metastring_id('yes');
99  $one = elgg_get_metastring_id('1');
100 
101  $query = "SELECT * FROM {$CONFIG->dbprefix}users_entity as e,
102  {$CONFIG->dbprefix}metadata as md
103  WHERE (
104  md.name_id = '$admin'
105  AND md.value_id IN ('$yes', '$one')
106  AND e.guid = md.entity_guid
107  AND e.guid = {$user_guid}
108  AND e.banned = 'no'
109  )";
110  } else {
111  $query = "SELECT * FROM {$CONFIG->dbprefix}users_entity as e
112  WHERE (
113  e.guid = {$user_guid}
114  AND e.admin = 'yes'
115  )";
116  }
117 
118  // normalizing the results from get_data()
119  // See #1242
120  $info = get_data($query);
121  if (!((is_array($info) && count($info) < 1) || $info === false)) {
122  return true;
123  }
124  return false;
125 }
126 
142 function elgg_authenticate($username, $password) {
143  $pam = new ElggPAM('user');
144  $credentials = array('username' => $username, 'password' => $password);
145  $result = $pam->authenticate($credentials);
146  if (!$result) {
147  return $pam->getFailureMessage();
148  }
149  return true;
150 }
151 
164 function pam_auth_userpass(array $credentials = array()) {
165 
166  if (!isset($credentials['username']) || !isset($credentials['password'])) {
167  return false;
168  }
169 
170  $user = get_user_by_username($credentials['username']);
171  if (!$user) {
172  throw new LoginException(elgg_echo('LoginException:UsernameFailure'));
173  }
174 
175  if (check_rate_limit_exceeded($user->guid)) {
176  throw new LoginException(elgg_echo('LoginException:AccountLocked'));
177  }
178 
179  if ($user->password !== generate_user_password($user, $credentials['password'])) {
180  log_login_failure($user->guid);
181  throw new LoginException(elgg_echo('LoginException:PasswordFailure'));
182  }
183 
184  return true;
185 }
186 
194 function log_login_failure($user_guid) {
195  $user_guid = (int)$user_guid;
196  $user = get_entity($user_guid);
197 
198  if (($user_guid) && ($user) && ($user instanceof ElggUser)) {
199  $fails = (int)$user->getPrivateSetting("login_failures");
200  $fails++;
201 
202  $user->setPrivateSetting("login_failures", $fails);
203  $user->setPrivateSetting("login_failure_$fails", time());
204  return true;
205  }
206 
207  return false;
208 }
209 
217 function reset_login_failure_count($user_guid) {
218  $user_guid = (int)$user_guid;
219  $user = get_entity($user_guid);
220 
221  if (($user_guid) && ($user) && ($user instanceof ElggUser)) {
222  $fails = (int)$user->getPrivateSetting("login_failures");
223 
224  if ($fails) {
225  for ($n = 1; $n <= $fails; $n++) {
226  $user->removePrivateSetting("login_failure_$n");
227  }
228 
229  $user->removePrivateSetting("login_failures");
230 
231  return true;
232  }
233 
234  // nothing to reset
235  return true;
236  }
237 
238  return false;
239 }
240 
248 function check_rate_limit_exceeded($user_guid) {
249  // 5 failures in 5 minutes causes temporary block on logins
250  $limit = 5;
251  $user_guid = (int)$user_guid;
252  $user = get_entity($user_guid);
253 
254  if (($user_guid) && ($user) && ($user instanceof ElggUser)) {
255  $fails = (int)$user->getPrivateSetting("login_failures");
256  if ($fails >= $limit) {
257  $cnt = 0;
258  $time = time();
259  for ($n = $fails; $n > 0; $n--) {
260  $f = $user->getPrivateSetting("login_failure_$n");
261  if ($f > $time - (60 * 5)) {
262  $cnt++;
263  }
264 
265  if ($cnt == $limit) {
266  // Limit reached
267  return true;
268  }
269  }
270  }
271  }
272 
273  return false;
274 }
275 
285 function elgg_set_cookie(ElggCookie $cookie) {
286  if (elgg_trigger_event('init:cookie', $cookie->name, $cookie)) {
287  return setcookie($cookie->name, $cookie->value, $cookie->expire, $cookie->path,
288  $cookie->domain, $cookie->secure, $cookie->httpOnly);
289  }
290  return false;
291 }
292 
305 function login(ElggUser $user, $persistent = false) {
306  if ($user->isBanned()) {
307  throw new LoginException(elgg_echo('LoginException:BannedUser'));
308  }
309 
310  $session = _elgg_services()->session;
311 
312  // give plugins a chance to reject the login of this user (no user in session!)
313  if (!elgg_trigger_before_event('login', 'user', $user)) {
314  throw new LoginException(elgg_echo('LoginException:Unknown'));
315  }
316 
317  // #5933: set logged in user early so code in login event will be able to
318  // use elgg_get_logged_in_user_entity().
319  $session->setLoggedInUser($user);
320 
321  // deprecate event
322  $message = "The 'login' event was deprecated. Register for 'login:before' or 'login:after'";
323  $version = "1.9";
324  if (!elgg_trigger_deprecated_event('login', 'user', $user, $message, $version)) {
325  $session->removeLoggedInUser();
326  throw new LoginException(elgg_echo('LoginException:Unknown'));
327  }
328 
329  // if remember me checked, set cookie with token and store hash(token) for user
330  if ($persistent) {
331  _elgg_services()->persistentLogin->makeLoginPersistent($user);
332  }
333 
334  // User's privilege has been elevated, so change the session id (prevents session fixation)
335  $session->migrate();
336 
337  set_last_login($user->guid);
338  reset_login_failure_count($user->guid);
339 
340  elgg_trigger_after_event('login', 'user', $user);
341 
342  // if memcache is enabled, invalidate the user in memcache @see https://github.com/Elgg/Elgg/issues/3143
343  if (is_memcache_available()) {
344  $guid = $user->getGUID();
345  // this needs to happen with a shutdown function because of the timing with set_last_login()
346  register_shutdown_function("_elgg_invalidate_memcache_for_entity", $guid);
347  }
348 
349  return true;
350 }
351 
357 function logout() {
358  $session = _elgg_services()->session;
359  $user = $session->getLoggedInUser();
360  if (!$user) {
361  return false;
362  }
363 
364  if (!elgg_trigger_before_event('logout', 'user', $user)) {
365  return false;
366  }
367 
368  // deprecate event
369  $message = "The 'logout' event was deprecated. Register for 'logout:before' or 'logout:after'";
370  $version = "1.9";
371  if (!elgg_trigger_deprecated_event('logout', 'user', $user, $message, $version)) {
372  return false;
373  }
374 
375  _elgg_services()->persistentLogin->removePersistentLogin();
376 
377  // pass along any messages into new session
378  $old_msg = $session->get('msg');
379  $session->invalidate();
380  $session->set('msg', $old_msg);
381 
382  elgg_trigger_after_event('logout', 'user', $user);
383 
384  return true;
385 }
386 
393 function _elgg_session_boot() {
394 
395  elgg_register_action('login', '', 'public');
396  elgg_register_action('logout');
397  register_pam_handler('pam_auth_userpass');
398 
399  $session = _elgg_services()->session;
400  $session->start();
401 
402  // test whether we have a user session
403  if ($session->has('guid')) {
404  $user = get_user($session->get('guid'));
405  if (!$user) {
406  // OMG user has been deleted.
407  $session->invalidate();
408  forward('');
409  }
410 
411  $session->setLoggedInUser($user);
412 
413  _elgg_services()->persistentLogin->replaceLegacyToken($user);
414  } else {
415  $user = _elgg_services()->persistentLogin->bootSession();
416  if ($user) {
417  $session->setLoggedInUser($user);
418  }
419  }
420 
421  if ($session->has('guid')) {
422  set_last_action($session->get('guid'));
423  }
424 
425  // initialize the deprecated global session wrapper
426  global $SESSION;
427  $SESSION = new Elgg_DeprecationWrapper($session, "\$SESSION is deprecated", 1.9);
428 
429  // logout a user with open session who has been banned
430  $user = $session->getLoggedInUser();
431  if ($user && $user->isBanned()) {
432  logout();
433  return false;
434  }
435 
436  return true;
437 }
$n
$n
Profile fields.
Definition: list.php:9
elgg_is_logged_in
elgg_is_logged_in()
Returns whether or not the user is currently logged in.
Definition: sessions.php:56
$username
$username
Definition: delete.php:22
elgg_get_metastring_id
elgg_get_metastring_id($string, $case_sensitive=true)
Gets the metastring identifier for a value.
Definition: metastrings.php:34
$result
$result
Definition: set_maintenance_mode.php:11
elgg_is_admin_logged_in
elgg_is_admin_logged_in()
Returns whether or not the viewer is currently logged in and an admin user.
Definition: sessions.php:65
elgg_set_cookie
elgg_set_cookie(ElggCookie $cookie)
Set a cookie, but allow plugins to customize it first.
Definition: sessions.php:285
register_pam_handler
register_pam_handler($handler, $importance="sufficient", $policy="user")
Register a PAM handler.
Definition: pam.php:42
$admin
$admin
Definition: useradd.php:18
elgg_get_session
elgg_get_session()
Gets Elgg&#39;s session object.
Definition: sessions.php:23
$message
$message
Definition: set_maintenance_mode.php:7
$session
$session
Definition: login.php:9
ElggEntity\getGUID
getGUID()
Returns the guid.
Definition: ElggEntity.php:1199
$guid
$guid
Removes an admin notice.
Definition: delete_admin_notice.php:6
reset_login_failure_count
reset_login_failure_count($user_guid)
Resets the fail login count for $user_guid.
Definition: sessions.php:217
set_last_login
set_last_login($user_guid)
Sets the last logon time of the given user to right now.
Definition: users.php:826
forward
elgg forward
Meant to mimic the php forward() function by simply redirecting the user to another page...
Definition: elgglib.js:419
elgg_trigger_before_event
elgg_trigger_before_event($event, $object_type, $object=null)
Trigger a "Before event" indicating a process is about to begin.
Definition: elgglib.php:741
pam_auth_userpass
pam_auth_userpass(array $credentials=array())
Hook into the PAM system which accepts a username and password and attempts to authenticate it agains...
Definition: sessions.php:164
Elgg_DeprecationWrapper
Definition: DeprecationWrapper.php:23
get_user_by_username
get_user_by_username($username)
Get user by username.
Definition: users.php:246
check_rate_limit_exceeded
check_rate_limit_exceeded($user_guid)
Checks if the rate limit of failed logins has been exceeded for $user_guid.
Definition: sessions.php:248
$persistent
$persistent
Definition: login.php:26
$limit
$limit
Definition: userpicker.php:33
elgg_echo
elgg_echo($message_key, $args=array(), $language="")
Given a message key, returns an appropriately translated full-text string.
Definition: languages.php:21
get_user
get_user($guid)
Get a user object from a GUID.
Definition: users.php:222
elgg_trigger_deprecated_event
elgg_trigger_deprecated_event($event, $object_type, $object=null, $message, $version)
Trigger an event normally, but send a notice about deprecated use if any handlers are registered...
Definition: elgglib.php:780
datalist_get
datalist_get($name)
Get the value of a datalist element.
Definition: configuration.php:206
elgg_is_admin_user
elgg_is_admin_user($user_guid)
Check if the given user has full access.
Definition: sessions.php:85
_elgg_services
_elgg_services()
Definition: autoloader.php:14
$CONFIG
global $CONFIG
Definition: settings.example.php:17
set_last_action
set_last_action($user_guid)
Sets the last action time of the given user to right now.
Definition: users.php:807
$user
$user
Definition: ban.php:13
global
elgg global
Pointer to the global context.
Definition: elgglib.js:12
login
login(ElggUser $user, $persistent=false)
Logs in a specified ElggUser.
Definition: sessions.php:305
generate_user_password
generate_user_password(ElggUser $user, $password)
Hash a password for storage.
Definition: users.php:531
$password
$password
Definition: login.php:25
logout
logout()
Log the current user out.
Definition: sessions.php:357
get_data
get_data($query, $callback="")
Retrieve rows from the database.
Definition: database.php:50
elgg_authenticate
elgg_authenticate($username, $password)
Perform user authentication with a given username and password.
Definition: sessions.php:142
elgg_trigger_after_event
elgg_trigger_after_event($event, $object_type, $object=null)
Trigger an "After event" indicating a process has finished.
Definition: elgglib.php:760
elgg_get_logged_in_user_entity
elgg_get_logged_in_user_entity()
Return the current logged in user, or null if no user is logged in.
Definition: sessions.php:32
ElggUser\isBanned
isBanned()
Is this user banned or not?
Definition: ElggUser.php:267
is_memcache_available
is_memcache_available()
Return true if memcache is available and configured.
Definition: memcache.php:16
elgg_register_action
elgg_register_action($action, $filename="", $access= 'logged_in')
Registers an action.
Definition: actions.php:85
$SESSION
global $SESSION
Elgg magic session.
Definition: sessions.php:15
_elgg_session_boot
_elgg_session_boot()
Initializes the session and checks for the remember me cookie.
Definition: sessions.php:393
$user_guid
$user_guid
Avatar remove action.
Definition: remove.php:6
elgg_trigger_event
elgg_trigger_event($event, $object_type, $object=null)
Trigger an Elgg Event and attempt to run all handler callbacks registered to that event...
Definition: elgglib.php:720
$version
$version
Definition: version.php:14
log_login_failure
log_login_failure($user_guid)
Log a failed login for $user_guid.
Definition: sessions.php:194
elgg_get_logged_in_user_guid
elgg_get_logged_in_user_guid()
Return the current logged in user by guid.
Definition: sessions.php:42
get_entity
get_entity($guid)
Loads and returns an entity object from a guid.
Definition: entities.php:604
Generated on Wed Apr 24 2024 00:00:49 for Elgg by   doxygen 1.8.11