friendica/include/auth.php

<?php
require_once('include/security.php');
require_once('include/datetime.php');

// When the "Friendica" cookie is set, take the value to authenticate and renew the cookie.
if (isset($_COOKIE["Friendica"])) {
	$data = json_decode($_COOKIE["Friendica"]);
	if (isset($data->uid)) {
		$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
		FROM `user` WHERE `uid` = %d AND NOT `blocked` AND NOT `account_expired` AND NOT `account_removed` AND `verified` LIMIT 1",
			intval($data->uid)
		);

		if ($r) {
			if ($data->hash != cookie_hash($r[0])) {
				logger("Hash for user ".$data->uid." doesn't fit.");
				nuke_session();
				goaway(z_root());
			}

			// Renew the cookie
			new_cookie(604800, $r[0]);

			// Do the authentification if not done by now
			if (!isset($_SESSION) OR !isset($_SESSION['authenticated'])) {
				authenticate_success($r[0]);

				if (get_config('system','paranoia'))
					$_SESSION['addr'] = $data->ip;
			}
		}
	}
}


// login/logout

if (isset($_SESSION) && x($_SESSION,'authenticated') && (!x($_POST,'auth-params') || ($_POST['auth-params'] !== 'login'))) {

	if ((x($_POST,'auth-params') && ($_POST['auth-params'] === 'logout')) || ($a->module === 'logout')) {

		// process logout request
		call_hooks("logging_out");
		nuke_session();
		info(t('Logged out.').EOL);
		goaway(z_root());
	}

	if (x($_SESSION,'visitor_id') && !x($_SESSION,'uid')) {
		$r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
			intval($_SESSION['visitor_id'])
		);
		if (dbm::is_result($r)) {
			$a->contact = $r[0];
		}
	}

	if (x($_SESSION,'uid')) {

		// already logged in user returning

		$check = get_config('system','paranoia');
		// extra paranoia - if the IP changed, log them out
		if ($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {
			logger('Session address changed. Paranoid setting in effect, blocking session. '.
				$_SESSION['addr'].' != '.$_SERVER['REMOTE_ADDR']);
			nuke_session();
			goaway(z_root());
		}

		$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
		FROM `user` WHERE `uid` = %d AND NOT `blocked` AND NOT `account_expired` AND NOT `account_removed` AND `verified` LIMIT 1",
			intval($_SESSION['uid'])
		);

		if (!dbm::is_result($r)) {
			nuke_session();
			goaway(z_root());
		}

		// Make sure to refresh the last login time for the user if the user
		// stays logged in for a long time, e.g. with "Remember Me"
		$login_refresh = false;
		if (!x($_SESSION['last_login_date'])) {
			$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');
		}
		if (strcmp(datetime_convert('UTC','UTC','now - 12 hours'), $_SESSION['last_login_date']) > 0) {

			$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');
			$login_refresh = true;
		}
		authenticate_success($r[0], false, false, $login_refresh);
	}
} else {

	session_unset();

	if (x($_POST,'password') && strlen($_POST['password']))
		$encrypted = hash('whirlpool',trim($_POST['password']));
	else {
		if ((x($_POST,'openid_url')) && strlen($_POST['openid_url']) ||
		   (x($_POST,'username')) && strlen($_POST['username'])) {

			$noid = get_config('system','no_openid');

			$openid_url = trim((strlen($_POST['openid_url'])?$_POST['openid_url']:$_POST['username']));

			// validate_url alters the calling parameter

			$temp_string = $openid_url;

			// if it's an email address or doesn't resolve to a URL, fail.

			if ($noid || strpos($temp_string,'@') || !validate_url($temp_string)) {
				$a = get_app();
				notice(t('Login failed.').EOL);
				goaway(z_root());
				// NOTREACHED
			}

			// Otherwise it's probably an openid.

			try {
				require_once('library/openid.php');
				$openid = new LightOpenID;
				$openid->identity = $openid_url;
				$_SESSION['openid'] = $openid_url;
				$openid->returnUrl = App::get_baseurl(true).'/openid';
				goaway($openid->authUrl());
			} catch (Exception $e) {
				notice(t('We encountered a problem while logging in with the OpenID you provided. Please check the correct spelling of the ID.').'<br /><br >'.t('The error message was:').' '.$e->getMessage());
			}
			// NOTREACHED
		}
	}

	if (x($_POST,'auth-params') && $_POST['auth-params'] === 'login') {

		$record = null;

		$addon_auth = array(
			'username' => trim($_POST['username']),
			'password' => trim($_POST['password']),
			'authenticated' => 0,
			'user_record' => null
		);

		/**
		 *
		 * A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
		 * Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
		 * and later plugins should not interfere with an earlier one that succeeded.
		 *
		 */

		call_hooks('authenticate', $addon_auth);

		if ($addon_auth['authenticated'] && count($addon_auth['user_record']))
			$record = $addon_auth['user_record'];
		else {

			// process normal login request

			$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
				FROM `user` WHERE (`email` = '%s' OR `nickname` = '%s')
				AND `password` = '%s' AND NOT `blocked` AND NOT `account_expired` AND NOT `account_removed` AND `verified` LIMIT 1",
				dbesc(trim($_POST['username'])),
				dbesc(trim($_POST['username'])),
				dbesc($encrypted)
			);
			if (dbm::is_result($r))
				$record = $r[0];
		}

		if (!$record || !count($record)) {
			logger('authenticate: failed login attempt: '.notags(trim($_POST['username'])).' from IP '.$_SERVER['REMOTE_ADDR']);
			notice(t('Login failed.').EOL);
			goaway(z_root());
		}

		// If the user specified to remember the authentication, then set a cookie
		// that expires after one week (the default is when the browser is closed).
		// The cookie will be renewed automatically.
		// The week ensures that sessions will expire after some inactivity.
		if ($_POST['remember'])
			new_cookie(604800, $r[0]);
		else
			new_cookie(0); // 0 means delete on browser exit

		// if we haven't failed up this point, log them in.

		$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');
		authenticate_success($record, true, true);
	}
}

/**
 * @brief Kills the "Friendica" cookie and all session data
 */
function nuke_session() {

	new_cookie(-3600); // make sure cookie is deleted on browser close, as a security measure
	session_unset();
	session_destroy();
}

/**
 * @brief Calculate the hash that is needed for the "Friendica" cookie
 *
 * @param array $user Record from "user" table
 *
 * @return string Hashed data
 */
function cookie_hash($user) {
	return(hash("sha256", get_config("system", "site_prvkey").
				$user["uprvkey"].
				$user["password"]));
}

/**
 * @brief Set the "Friendica" cookie
 *
 * @param int $time
 * @param array $user Record from "user" table
 */
function new_cookie($time, $user = array()) {

	if ($time != 0)
		$time = $time + time();

	if ($user)
		$value = json_encode(array("uid" => $user["uid"],
					"hash" => cookie_hash($user),
					"ip" => $_SERVER['REMOTE_ADDR']));
	else
		$value = "";

	setcookie("Friendica", $value, $time, "/", "",
		(get_config('system', 'ssl_policy') == SSL_POLICY_FULL), true);

}
some changes 2010-07-04 23:45:56 -04:00			`<?php`
modularise successful authentication 2012-01-12 18:46:39 -05:00			`require_once('include/security.php');`
refresh login time every 12 hours for 'Remember me' 2012-11-08 19:00:37 -05:00			`require_once('include/datetime.php');`
modularise successful authentication 2012-01-12 18:46:39 -05:00
Improved "remember me" functionality 2016-04-24 18:02:43 -04:00			`// When the "Friendica" cookie is set, take the value to authenticate and renew the cookie.`
Code redesign and comments 2016-04-25 16:10:45 -04:00			`if (isset($_COOKIE["Friendica"])) {`
Improved "remember me" functionality 2016-04-24 18:02:43 -04:00			`$data = json_decode($_COOKIE["Friendica"]);`
			`if (isset($data->uid)) {`
			$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
Code redesign and comments 2016-04-25 16:10:45 -04:00			FROM `user` WHERE `uid` = %d AND NOT `blocked` AND NOT `account_expired` AND NOT `account_removed` AND `verified` LIMIT 1",
Improved "remember me" functionality 2016-04-24 18:02:43 -04:00			`intval($data->uid)`
			`);`

			`if ($r) {`
We now work with a hash to avoid cookie manipulation 2016-04-25 05:19:42 -04:00			`if ($data->hash != cookie_hash($r[0])) {`
			`logger("Hash for user ".$data->uid." doesn't fit.");`
			`nuke_session();`
			`goaway(z_root());`
			`}`

Improved "remember me" functionality 2016-04-24 18:02:43 -04:00			`// Renew the cookie`
We now work with a hash to avoid cookie manipulation 2016-04-25 05:19:42 -04:00			`new_cookie(604800, $r[0]);`
Improved "remember me" functionality 2016-04-24 18:02:43 -04:00
			`// Do the authentification if not done by now`
Code redesign and comments 2016-04-25 16:10:45 -04:00			`if (!isset($_SESSION) OR !isset($_SESSION['authenticated'])) {`
"Remember Me" should work now but needs more fine tuning 2016-04-25 01:10:40 -04:00			`authenticate_success($r[0]);`
Improved "remember me" functionality 2016-04-24 18:02:43 -04:00
"Remember Me" should work now but needs more fine tuning 2016-04-25 01:10:40 -04:00			`if (get_config('system','paranoia'))`
			`$_SESSION['addr'] = $data->ip;`
Improved "remember me" functionality 2016-04-24 18:02:43 -04:00			`}`
			`}`
			`}`
			`}`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 02:16:14 -05:00
"Remember Me" should work now but needs more fine tuning 2016-04-25 01:10:40 -04:00
Merge remote-tracking branch 'upstream/develop' into 1512-ostatus-comment Conflicts: include/ostatus.php 2015-12-22 05:25:37 -05:00			`// login/logout`
some changes 2010-07-04 23:45:56 -04:00
Code redesign and comments 2016-04-25 16:10:45 -04:00			`if (isset($_SESSION) && x($_SESSION,'authenticated') && (!x($_POST,'auth-params') \|\| ($_POST['auth-params'] !== 'login'))) {`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 19:16:29 -04:00
Code redesign and comments 2016-04-25 16:10:45 -04:00			`if ((x($_POST,'auth-params') && ($_POST['auth-params'] === 'logout')) \|\| ($a->module === 'logout')) {`
Merge remote-tracking branch 'upstream/develop' into 1512-ostatus-comment Conflicts: include/ostatus.php 2015-12-22 05:25:37 -05:00
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 19:16:29 -04:00			`// process logout request`
add 'loggin_out' hook 2012-03-12 10:58:59 -04:00			`call_hooks("logging_out");`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 02:16:14 -05:00			`nuke_session();`
"Remember Me" should work now but needs more fine tuning 2016-04-25 01:10:40 -04:00			`info(t('Logged out.').EOL);`
some more zot changes migrating back to f9a mainline 2011-08-02 00:02:25 -04:00			`goaway(z_root());`
some changes 2010-07-04 23:45:56 -04:00			`}`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 19:16:29 -04:00
Code redesign and comments 2016-04-25 16:10:45 -04:00			`if (x($_SESSION,'visitor_id') && !x($_SESSION,'uid')) {`
missing self photo on remote site comment boxes 2011-05-10 01:15:19 -04:00			$r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
			`intval($_SESSION['visitor_id'])`
			`);`
More usage of dbm::is_result($r) instead of count($r): - count() returns very different results and never a boolean (not even false on error condition). - therefore you should NOT use it in boolean expressions. This still can be done in PHP because of its lazyness. But it is discouraged if it comes to more clean code. Signed-off-by: Roland Häder <roland@mxchange.org> 2016-12-13 04:44:13 -05:00			`if (dbm::is_result($r)) {`
missing self photo on remote site comment boxes 2011-05-10 01:15:19 -04:00			`$a->contact = $r[0];`
			`}`
			`}`

Code redesign and comments 2016-04-25 16:10:45 -04:00			`if (x($_SESSION,'uid')) {`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 19:16:29 -04:00
			`// already logged in user returning`

paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 02:16:14 -05:00			`$check = get_config('system','paranoia');`
			`// extra paranoia - if the IP changed, log them out`
Code redesign and comments 2016-04-25 16:10:45 -04:00			`if ($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {`
			`logger('Session address changed. Paranoid setting in effect, blocking session. '.`
			`$_SESSION['addr'].' != '.$_SERVER['REMOTE_ADDR']);`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 02:16:14 -05:00			`nuke_session();`
some more zot changes migrating back to f9a mainline 2011-08-02 00:02:25 -04:00			`goaway(z_root());`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 02:16:14 -05:00			`}`

There is now a config value for the session management to not use the database 2015-12-22 16:11:08 -05:00			$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
Code redesign and comments 2016-04-25 16:10:45 -04:00			FROM `user` WHERE `uid` = %d AND NOT `blocked` AND NOT `account_expired` AND NOT `account_removed` AND `verified` LIMIT 1",
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 19:16:29 -04:00			`intval($_SESSION['uid'])`
			`);`

More usage of dbm::is_result($r) instead of count($r): - count() returns very different results and never a boolean (not even false on error condition). - therefore you should NOT use it in boolean expressions. This still can be done in PHP because of its lazyness. But it is discouraged if it comes to more clean code. Signed-off-by: Roland Häder <roland@mxchange.org> 2016-12-13 04:44:13 -05:00			`if (!dbm::is_result($r)) {`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 02:16:14 -05:00			`nuke_session();`
some more zot changes migrating back to f9a mainline 2011-08-02 00:02:25 -04:00			`goaway(z_root());`
some changes 2010-07-04 23:45:56 -04:00			`}`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 19:16:29 -04:00
refresh login time every 12 hours for 'Remember me' 2012-11-08 19:00:37 -05:00			`// Make sure to refresh the last login time for the user if the user`
			`// stays logged in for a long time, e.g. with "Remember Me"`
			`$login_refresh = false;`
Code redesign and comments 2016-04-25 16:10:45 -04:00			`if (!x($_SESSION['last_login_date'])) {`
refresh login time every 12 hours for 'Remember me' 2012-11-08 19:00:37 -05:00			`$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');`
			`}`
Code redesign and comments 2016-04-25 16:10:45 -04:00			`if (strcmp(datetime_convert('UTC','UTC','now - 12 hours'), $_SESSION['last_login_date']) > 0) {`
refresh login time every 12 hours for 'Remember me' 2012-11-08 19:00:37 -05:00
			`$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');`
			`$login_refresh = true;`
			`}`
			`authenticate_success($r[0], false, false, $login_refresh);`
some changes 2010-07-04 23:45:56 -04:00			`}`
"remember me" in session does work now 2016-04-05 17:28:33 -04:00			`} else {`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 19:16:29 -04:00
"Remember Me" should work now but needs more fine tuning 2016-04-25 01:10:40 -04:00			`session_unset();`
theme cleanup 2010-09-19 00:11:18 -04:00
Code redesign and comments 2016-04-25 16:10:45 -04:00			`if (x($_POST,'password') && strlen($_POST['password']))`
-Wall cleanup 2010-10-30 16:25:37 -04:00			`$encrypted = hash('whirlpool',trim($_POST['password']));`
pull some template strings 2010-11-17 02:26:14 -05:00			`else {`
Code redesign and comments 2016-04-25 16:10:45 -04:00			`if ((x($_POST,'openid_url')) && strlen($_POST['openid_url']) \|\|`
works on login form 2011-10-17 10:53:59 -04:00			`(x($_POST,'username')) && strlen($_POST['username'])) {`
smooth a few rough edges of openid 2010-11-18 18:06:33 -05:00
localise login template, allow openid to be disabled 2010-11-28 23:58:23 -05:00			`$noid = get_config('system','no_openid');`

"Remember Me" should work now but needs more fine tuning 2016-04-25 01:10:40 -04:00			`$openid_url = trim((strlen($_POST['openid_url'])?$_POST['openid_url']:$_POST['username']));`
smooth a few rough edges of openid 2010-11-18 18:06:33 -05:00
			`// validate_url alters the calling parameter`

			`$temp_string = $openid_url;`

			`// if it's an email address or doesn't resolve to a URL, fail.`

Code redesign and comments 2016-04-25 16:10:45 -04:00			`if ($noid \|\| strpos($temp_string,'@') \|\| !validate_url($temp_string)) {`
smooth a few rough edges of openid 2010-11-18 18:06:33 -05:00			`$a = get_app();`
"Remember Me" should work now but needs more fine tuning 2016-04-25 01:10:40 -04:00			`notice(t('Login failed.').EOL);`
some more zot changes migrating back to f9a mainline 2011-08-02 00:02:25 -04:00			`goaway(z_root());`
smooth a few rough edges of openid 2010-11-18 18:06:33 -05:00			`// NOTREACHED`
			`}`

			`// Otherwise it's probably an openid.`

"Remember Me" should work now but needs more fine tuning 2016-04-25 01:10:40 -04:00			`try {`
			`require_once('library/openid.php');`
			`$openid = new LightOpenID;`
			`$openid->identity = $openid_url;`
			`$_SESSION['openid'] = $openid_url;`
much more usage of App::get_baseurl() instead of $a->get_baseurl() (coding convention applied) Signed-off-by: Roland Häder <roland@mxchange.org> 2016-12-19 08:26:13 -05:00			`$openid->returnUrl = App::get_baseurl(true).'/openid';`
"Remember Me" should work now but needs more fine tuning 2016-04-25 01:10:40 -04:00			`goaway($openid->authUrl());`
			`} catch (Exception $e) {`
Code redesign and comments 2016-04-25 16:10:45 -04:00			`notice(t('We encountered a problem while logging in with the OpenID you provided. Please check the correct spelling of the ID.').'<br /><br >'.t('The error message was:').' '.$e->getMessage());`
"Remember Me" should work now but needs more fine tuning 2016-04-25 01:10:40 -04:00			`}`
refactor openid logins/registrations 2012-03-19 18:03:09 -04:00			`// NOTREACHED`
pull some template strings 2010-11-17 02:26:14 -05:00			`}`
			`}`
add IP address to failed login log message 2012-03-20 00:58:21 -04:00
Code redesign and comments 2016-04-25 16:10:45 -04:00			`if (x($_POST,'auth-params') && $_POST['auth-params'] === 'login') {`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 19:16:29 -04:00
Add sample external authentication plugin (ldap) 2010-12-27 17:59:26 -05:00			`$record = null;`
add authentication plugin hooks 2010-12-24 18:59:12 -05:00
			`$addon_auth = array(`
Improved "remember me" functionality 2016-04-24 18:02:43 -04:00			`'username' => trim($_POST['username']),`
add authentication plugin hooks 2010-12-24 18:59:12 -05:00			`'password' => trim($_POST['password']),`
Add sample external authentication plugin (ldap) 2010-12-27 17:59:26 -05:00			`'authenticated' => 0,`
			`'user_record' => null`
add authentication plugin hooks 2010-12-24 18:59:12 -05:00			`);`

			`/**`
			`*`
Add sample external authentication plugin (ldap) 2010-12-27 17:59:26 -05:00			`* A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record`
add authentication plugin hooks 2010-12-24 18:59:12 -05:00			`* Plugins should never set 'authenticated' except to indicate success - as hooks may be chained`
			`* and later plugins should not interfere with an earlier one that succeeded.`
			`*`
			`*/`

			`call_hooks('authenticate', $addon_auth);`

Code redesign and comments 2016-04-25 16:10:45 -04:00			`if ($addon_auth['authenticated'] && count($addon_auth['user_record']))`
Add sample external authentication plugin (ldap) 2010-12-27 17:59:26 -05:00			`$record = $addon_auth['user_record'];`
Code redesign and comments 2016-04-25 16:10:45 -04:00			`else {`
Add sample external authentication plugin (ldap) 2010-12-27 17:59:26 -05:00
			`// process normal login request`
add authentication plugin hooks 2010-12-24 18:59:12 -05:00
There is now a config value for the session management to not use the database 2015-12-22 16:11:08 -05:00			$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
"Remember Me" should work now but needs more fine tuning 2016-04-25 01:10:40 -04:00			FROM `user` WHERE (`email` = '%s' OR `nickname` = '%s')
Code redesign and comments 2016-04-25 16:10:45 -04:00			AND `password` = '%s' AND NOT `blocked` AND NOT `account_expired` AND NOT `account_removed` AND `verified` LIMIT 1",
works on login form 2011-10-17 10:53:59 -04:00			`dbesc(trim($_POST['username'])),`
			`dbesc(trim($_POST['username'])),`
add authentication plugin hooks 2010-12-24 18:59:12 -05:00			`dbesc($encrypted)`
			`);`
More usage of dbm::is_result($r) instead of count($r): - count() returns very different results and never a boolean (not even false on error condition). - therefore you should NOT use it in boolean expressions. This still can be done in PHP because of its lazyness. But it is discouraged if it comes to more clean code. Signed-off-by: Roland Häder <roland@mxchange.org> 2016-12-13 04:44:13 -05:00			`if (dbm::is_result($r))`
Add sample external authentication plugin (ldap) 2010-12-27 17:59:26 -05:00			`$record = $r[0];`
add authentication plugin hooks 2010-12-24 18:59:12 -05:00			`}`

Improved "remember me" functionality 2016-04-24 18:02:43 -04:00			`if (!$record \|\| !count($record)) {`
"Remember Me" should work now but needs more fine tuning 2016-04-25 01:10:40 -04:00			`logger('authenticate: failed login attempt: '.notags(trim($_POST['username'])).' from IP '.$_SERVER['REMOTE_ADDR']);`
			`notice(t('Login failed.').EOL);`
some more zot changes migrating back to f9a mainline 2011-08-02 00:02:25 -04:00			`goaway(z_root());`
"Remember Me" should work now but needs more fine tuning 2016-04-25 01:10:40 -04:00			`}`
Add sample external authentication plugin (ldap) 2010-12-27 17:59:26 -05:00
Improved "remember me" functionality 2016-04-24 18:02:43 -04:00			`// If the user specified to remember the authentication, then set a cookie`
			`// that expires after one week (the default is when the browser is closed).`
			`// The cookie will be renewed automatically.`
			`// The week ensures that sessions will expire after some inactivity.`
Code redesign and comments 2016-04-25 16:10:45 -04:00			`if ($_POST['remember'])`
We now work with a hash to avoid cookie manipulation 2016-04-25 05:19:42 -04:00			`new_cookie(604800, $r[0]);`
Improved "remember me" functionality 2016-04-24 18:02:43 -04:00			`else`
delete cookie on browser close after logout 2012-12-24 14:52:49 -05:00			`new_cookie(0); // 0 means delete on browser exit`
add ability to remember logged in user after browser closes 2012-11-07 20:59:30 -05:00
modularise successful authentication 2012-01-12 18:46:39 -05:00			`// if we haven't failed up this point, log them in.`
add authentication plugin hooks 2010-12-24 18:59:12 -05:00
refresh login time every 12 hours for 'Remember me' 2012-11-08 19:00:37 -05:00			`$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');`
modularise successful authentication 2012-01-12 18:46:39 -05:00			`authenticate_success($record, true, true);`
some changes 2010-07-04 23:45:56 -04:00			`}`
			`}`

Code redesign and comments 2016-04-25 16:10:45 -04:00			`/**`
			`* @brief Kills the "Friendica" cookie and all session data`
			`*/`
			`function nuke_session() {`

			`new_cookie(-3600); // make sure cookie is deleted on browser close, as a security measure`
			`session_unset();`
			`session_destroy();`
			`}`

			`/**`
			`* @brief Calculate the hash that is needed for the "Friendica" cookie`
			`*`
			`* @param array $user Record from "user" table`
			`*`
			`* @return string Hashed data`
			`*/`
We now work with a hash to avoid cookie manipulation 2016-04-25 05:19:42 -04:00			`function cookie_hash($user) {`
			`return(hash("sha256", get_config("system", "site_prvkey").`
			`$user["uprvkey"].`
			`$user["password"]));`
			`}`

Code redesign and comments 2016-04-25 16:10:45 -04:00			`/**`
			`* @brief Set the "Friendica" cookie`
			`*`
			`* @param int $time`
			`* @param array $user Record from "user" table`
			`*/`
We now work with a hash to avoid cookie manipulation 2016-04-25 05:19:42 -04:00			`function new_cookie($time, $user = array()) {`
Merge remote-tracking branch 'upstream/develop' into 1512-ostatus-comment Conflicts: include/ostatus.php 2015-12-22 05:25:37 -05:00
"remember me" in session does work now 2016-04-05 17:28:33 -04:00			`if ($time != 0)`
			`$time = $time + time();`
some changes 2010-07-04 23:45:56 -04:00
We now work with a hash to avoid cookie manipulation 2016-04-25 05:19:42 -04:00			`if ($user)`
			`$value = json_encode(array("uid" => $user["uid"],`
			`"hash" => cookie_hash($user),`
			`"ip" => $_SERVER['REMOTE_ADDR']));`
			`else`
			`$value = "";`

"Remember Me" should work now but needs more fine tuning 2016-04-25 01:10:40 -04:00			`setcookie("Friendica", $value, $time, "/", "",`
			`(get_config('system', 'ssl_policy') == SSL_POLICY_FULL), true);`
Improved "remember me" functionality 2016-04-24 18:02:43 -04:00
delete cookie on browser close after logout 2012-12-24 14:52:49 -05:00			`}`