<?php

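/**
 *  Home-cooked auth libraries - because PEAR is fat.
 *
 *  A login is tracked in two places: the PHP session (cookie named
 *  self::SESSION_NAME) and the mirror_sessions table. A session is only
 *  treated as valid while its id still has a row in that table, so deleting
 *  the row (logout, one-per-user gc) revokes the cookie server-side.
 *
 *  @package mirror
 *  @subpackage lib
 *  @todo re-enforce one-per-user session limit
 */
class Auth {

    /** Name of the PHP session / cookie used by the admin area. */
    const SESSION_NAME = 'mozilla-mirror-admin';

    /**
     *  Start the admin session if no session is active yet (idempotent).
     */
    private static function ensure_session_started()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_name(self::SESSION_NAME);
            session_start();
        }
    }

    /**
     *  Check admin session against sessions table in database.
     *
     *  Requires both a 'user' entry in $_SESSION and a mirror_sessions row for
     *  the current session id. As a side effect every other mirror_sessions
     *  row for the same username is deleted (one session per user).
     *  @return bool
     */
    public static function is_valid_session()
    {
        self::ensure_session_started();
        if (empty($_SESSION['user'])) {  // no login payload in the session
            return false;
        }
        // The cookie alone is not trusted: the id must still be in the DB.
        $res = DB::query("SELECT * FROM mirror_sessions WHERE session_id = ?", [session_id()]);
        if (!$res || DB::numrows($res) <= 0) {
            return false;
        }
        $buf = DB::fetch($res, PDO::FETCH_ASSOC);
        // Garbage collection: drop every other session for this username.
        // Comment the line below to allow multiple sessions per username.
        DB::query("DELETE FROM mirror_sessions WHERE username=? AND session_id != ?", [$buf['username'], session_id()]);
        // (A second SELECT on mirror_users used to run here; its result was
        // never used, so it was dropped.)
        return true;
    }

    /**
     *  Authenticate a user.
     *
     *  Accepts password_hash() hashes, and legacy unsalted md5 hashes which
     *  are upgraded to password_hash() on first successful login. Hashes made
     *  with an outdated algorithm/cost are re-hashed transparently.
     *  @param string $username
     *  @param string $password
     *  @return array|bool array containing user data or false on failure
     */
    public static function query($username,$password)
    {
        if (empty($username)||empty($password)) {
            return false;
        }
        // NOTE: strip_tags()/trim() also run on the password, so a password
        // containing '<' is silently mangled before hashing. Kept as-is:
        // password_upgrade() below stores hashes of this mangled value, so
        // changing it would lock existing users out.
        $username = trim(strip_tags($username));
        $password = trim(strip_tags($password));
        $res = DB::query("SELECT * FROM mirror_users WHERE username=?", [$username]);
        if (!$res || DB::numrows($res) <= 0) {
            return false;
        }
        $userrow = DB::fetch($res,PDO::FETCH_ASSOC);
        if (password_verify($password, $userrow['password'])) {
            // Only a verified modern hash is a candidate for a cost/algorithm
            // rehash. Checking this after an md5 upgrade (as before) always
            // reported "needs rehash" and wrote the user row a second time.
            if (password_needs_rehash($userrow['password'], PASSWORD_DEFAULT)) {
                static::password_upgrade($userrow, $username, $password);
            }
        } else {
            // Legacy path: constant-time compare against an unsalted md5, then
            // upgrade. The (string) cast keeps hash_equals() from throwing on a
            // NULL password column.
            if (!hash_equals((string) $userrow['password'], md5($password))) {
                return false;
            }
            static::password_upgrade($userrow, $username, $password);
        }
        // NOTE(review): the returned row still carries the stored password hash
        // and create_session() puts the whole row into $_SESSION['user'];
        // consider unsetting it if no caller needs it.
        return $userrow;
    }

    /**
     *  Re-store the user's password through Mirror::update_user so it is
     *  hashed with password_hash(). $password is passed twice, presumably as
     *  password and confirmation (verify against Mirror::update_user).
     *  @param array  $userrow  mirror_users row of the user
     *  @param string $username
     *  @param string $password plaintext (already trimmed/strip_tagged)
     */
    private static function password_upgrade($userrow, $username, $password) {
        require_once(LIB.'/mirror.php'); //Upgrade password security
        Mirror::update_user($userrow['user_id'],$username,$password,$password,$userrow['user_firstname'],$userrow['user_lastname'],$userrow['user_email']);
    }

    /**
     *  Start a valid session.
     *
     *  Regenerates the session id before recording it, so an id planted in
     *  the browser before login (session fixation) never becomes an
     *  authenticated one.
     *  @param array $user   array containing user information.
     *  @param int   $secure pass a truthy value to set the cookie's Secure flag.
     */
    public static function create_session($user,$secure=0)
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_name(self::SESSION_NAME);
            // NOTE(review): the cookie domain comes from the Host header, which
            // the client controls — confirm the front end pins HTTP_HOST.
            $domain = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
            // httponly=true keeps the session cookie out of reach of script.
            session_set_cookie_params(0,'/',$domain,$secure,true);
            session_start();
        }
        session_regenerate_id(true);  // fresh id; old session data is deleted
        DB::query("INSERT IGNORE INTO mirror_sessions(session_id,username) VALUES(?,?)", [session_id(), $user['username']]);
        $_SESSION['user']=$user;
    }

    /**
     *  Logout.
     *
     *  Deletes this session's mirror_sessions row (and, via the OR clause,
     *  every other row for the same username), then destroys the server-side
     *  session. The cookie itself is not expired here; the missing DB row is
     *  what makes it invalid.
     */
    public static function logout()
    {
        self::ensure_session_started();
        // A logout on an already-empty session must not raise an undefined
        // index notice; NULL simply matches no username.
        $username = isset($_SESSION['user']['username']) ? $_SESSION['user']['username'] : null;
        // Drop the "OR username=?" clause to keep other sessions of this user alive.
        DB::query("DELETE FROM mirror_sessions WHERE session_id=? OR username=?", [session_id(), $username]);
        $_COOKIE = array();
        $_SESSION = array();
        // Clearing the superglobals alone leaves the session file until gc.
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_destroy();
        }
    }

}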