sessions.php 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453
  1. <?php
  2. /**
  3. * Elgg session management
  4. * Functions to manage logins
  5. *
  6. * @package Elgg.Core
  7. * @subpackage Session
  8. */
  9. /**
  10. * Elgg magic session
  11. * @deprecated 1.9
  12. */
  13. global $SESSION;
  14. /**
  15. * Gets Elgg's session object
  16. *
  17. * @return \ElggSession
  18. * @since 1.9
  19. */
  20. function elgg_get_session() {
  21. return _elgg_services()->session;
  22. }
  23. /**
  24. * Return the current logged in user, or null if no user is logged in.
  25. *
  26. * @return \ElggUser
  27. */
  28. function elgg_get_logged_in_user_entity() {
  29. return _elgg_services()->session->getLoggedInUser();
  30. }
  31. /**
  32. * Return the current logged in user by guid.
  33. *
  34. * @see elgg_get_logged_in_user_entity()
  35. * @return int
  36. */
  37. function elgg_get_logged_in_user_guid() {
  38. return _elgg_services()->session->getLoggedInUserGuid();
  39. }
  40. /**
  41. * Returns whether or not the user is currently logged in
  42. *
  43. * @return bool
  44. */
  45. function elgg_is_logged_in() {
  46. return _elgg_services()->session->isLoggedIn();
  47. }
  48. /**
  49. * Returns whether or not the viewer is currently logged in and an admin user.
  50. *
  51. * @return bool
  52. */
  53. function elgg_is_admin_logged_in() {
  54. return _elgg_services()->session->isAdminLoggedIn();
  55. }
  56. /**
  57. * Check if the given user has full access.
  58. *
  59. * @todo: Will always return full access if the user is an admin.
  60. *
  61. * @param int $user_guid The user to check
  62. *
  63. * @return bool
  64. * @since 1.7.1
  65. */
  66. function elgg_is_admin_user($user_guid) {
  67. global $CONFIG;
  68. $user_guid = (int)$user_guid;
  69. $current_user = elgg_get_logged_in_user_entity();
  70. if ($current_user && $current_user->guid == $user_guid) {
  71. return $current_user->isAdmin();
  72. }
  73. // cannot use magic metadata here because of recursion
  74. // must support the old way of getting admin from metadata
  75. // in order to run the upgrade to move it into the users table.
  76. $version = (int) datalist_get('version');
  77. if ($version < 2010040201) {
  78. $admin = elgg_get_metastring_id('admin');
  79. $yes = elgg_get_metastring_id('yes');
  80. $one = elgg_get_metastring_id('1');
  81. $query = "SELECT 1 FROM {$CONFIG->dbprefix}users_entity as e,
  82. {$CONFIG->dbprefix}metadata as md
  83. WHERE (
  84. md.name_id = '$admin'
  85. AND md.value_id IN ('$yes', '$one')
  86. AND e.guid = md.entity_guid
  87. AND e.guid = {$user_guid}
  88. AND e.banned = 'no'
  89. )";
  90. } else {
  91. $query = "SELECT 1 FROM {$CONFIG->dbprefix}users_entity as e
  92. WHERE (
  93. e.guid = {$user_guid}
  94. AND e.admin = 'yes'
  95. )";
  96. }
  97. // normalizing the results from get_data()
  98. // See #1242
  99. $info = get_data($query);
  100. if (!((is_array($info) && count($info) < 1) || $info === false)) {
  101. return true;
  102. }
  103. return false;
  104. }
  105. /**
  106. * Perform user authentication with a given username and password.
  107. *
  108. * @warning This returns an error message on failure. Use the identical operator to check
  109. * for access: if (true === elgg_authenticate()) { ... }.
  110. *
  111. *
  112. * @see login
  113. *
  114. * @param string $username The username
  115. * @param string $password The password
  116. *
  117. * @return true|string True or an error message on failure
  118. * @access private
  119. */
  120. function elgg_authenticate($username, $password) {
  121. $pam = new \ElggPAM('user');
  122. $credentials = array('username' => $username, 'password' => $password);
  123. $result = $pam->authenticate($credentials);
  124. if (!$result) {
  125. return $pam->getFailureMessage();
  126. }
  127. return true;
  128. }
  129. /**
  130. * Hook into the PAM system which accepts a username and password and attempts to authenticate
  131. * it against a known user.
  132. *
  133. * @param array $credentials Associated array of credentials passed to
  134. * Elgg's PAM system. This function expects
  135. * 'username' and 'password' (cleartext).
  136. *
  137. * @return bool
  138. * @throws LoginException
  139. * @access private
  140. */
  141. function pam_auth_userpass(array $credentials = array()) {
  142. if (!isset($credentials['username']) || !isset($credentials['password'])) {
  143. return false;
  144. }
  145. $user = get_user_by_username($credentials['username']);
  146. if (!$user) {
  147. throw new \LoginException(_elgg_services()->translator->translate('LoginException:UsernameFailure'));
  148. }
  149. if (check_rate_limit_exceeded($user->guid)) {
  150. throw new \LoginException(_elgg_services()->translator->translate('LoginException:AccountLocked'));
  151. }
  152. $password_svc = _elgg_services()->passwords;
  153. $password = $credentials['password'];
  154. $hash = $user->password_hash;
  155. if (!$hash) {
  156. // try legacy hash
  157. $legacy_hash = $password_svc->generateLegacyHash($user, $password);
  158. if ($user->password !== $legacy_hash) {
  159. log_login_failure($user->guid);
  160. throw new \LoginException(_elgg_services()->translator->translate('LoginException:PasswordFailure'));
  161. }
  162. // migrate password
  163. $password_svc->forcePasswordReset($user, $password);
  164. return true;
  165. }
  166. if (!$password_svc->verify($password, $hash)) {
  167. log_login_failure($user->guid);
  168. throw new \LoginException(_elgg_services()->translator->translate('LoginException:PasswordFailure'));
  169. }
  170. if ($password_svc->needsRehash($hash)) {
  171. $password_svc->forcePasswordReset($user, $password);
  172. }
  173. return true;
  174. }
  175. /**
  176. * Log a failed login for $user_guid
  177. *
  178. * @param int $user_guid User GUID
  179. *
  180. * @return bool
  181. */
  182. function log_login_failure($user_guid) {
  183. $user_guid = (int)$user_guid;
  184. $user = get_entity($user_guid);
  185. if (($user_guid) && ($user) && ($user instanceof \ElggUser)) {
  186. $fails = (int)$user->getPrivateSetting("login_failures");
  187. $fails++;
  188. $user->setPrivateSetting("login_failures", $fails);
  189. $user->setPrivateSetting("login_failure_$fails", time());
  190. return true;
  191. }
  192. return false;
  193. }
  194. /**
  195. * Resets the fail login count for $user_guid
  196. *
  197. * @param int $user_guid User GUID
  198. *
  199. * @return bool true on success (success = user has no logged failed attempts)
  200. */
  201. function reset_login_failure_count($user_guid) {
  202. $user_guid = (int)$user_guid;
  203. $user = get_entity($user_guid);
  204. if (($user_guid) && ($user) && ($user instanceof \ElggUser)) {
  205. $fails = (int)$user->getPrivateSetting("login_failures");
  206. if ($fails) {
  207. for ($n = 1; $n <= $fails; $n++) {
  208. $user->removePrivateSetting("login_failure_$n");
  209. }
  210. $user->removePrivateSetting("login_failures");
  211. return true;
  212. }
  213. // nothing to reset
  214. return true;
  215. }
  216. return false;
  217. }
  218. /**
  219. * Checks if the rate limit of failed logins has been exceeded for $user_guid.
  220. *
  221. * @param int $user_guid User GUID
  222. *
  223. * @return bool on exceeded limit.
  224. */
  225. function check_rate_limit_exceeded($user_guid) {
  226. // 5 failures in 5 minutes causes temporary block on logins
  227. $limit = 5;
  228. $user_guid = (int)$user_guid;
  229. $user = get_entity($user_guid);
  230. if (($user_guid) && ($user) && ($user instanceof \ElggUser)) {
  231. $fails = (int)$user->getPrivateSetting("login_failures");
  232. if ($fails >= $limit) {
  233. $cnt = 0;
  234. $time = time();
  235. for ($n = $fails; $n > 0; $n--) {
  236. $f = $user->getPrivateSetting("login_failure_$n");
  237. if ($f > $time - (60 * 5)) {
  238. $cnt++;
  239. }
  240. if ($cnt == $limit) {
  241. // Limit reached
  242. return true;
  243. }
  244. }
  245. }
  246. }
  247. return false;
  248. }
  249. /**
  250. * Set a cookie, but allow plugins to customize it first.
  251. *
  252. * To customize all cookies, register for the 'init:cookie', 'all' event.
  253. *
  254. * @param \ElggCookie $cookie The cookie that is being set
  255. * @return bool
  256. * @since 1.9
  257. */
  258. function elgg_set_cookie(\ElggCookie $cookie) {
  259. if (elgg_trigger_event('init:cookie', $cookie->name, $cookie)) {
  260. return setcookie($cookie->name, $cookie->value, $cookie->expire, $cookie->path,
  261. $cookie->domain, $cookie->secure, $cookie->httpOnly);
  262. }
  263. return false;
  264. }
  265. /**
  266. * Logs in a specified \ElggUser. For standard registration, use in conjunction
  267. * with elgg_authenticate.
  268. *
  269. * @see elgg_authenticate
  270. *
  271. * @param \ElggUser $user A valid Elgg user object
  272. * @param boolean $persistent Should this be a persistent login?
  273. *
  274. * @return true or throws exception
  275. * @throws LoginException
  276. */
  277. function login(\ElggUser $user, $persistent = false) {
  278. if ($user->isBanned()) {
  279. throw new \LoginException(elgg_echo('LoginException:BannedUser'));
  280. }
  281. $session = _elgg_services()->session;
  282. // give plugins a chance to reject the login of this user (no user in session!)
  283. if (!elgg_trigger_before_event('login', 'user', $user)) {
  284. throw new \LoginException(elgg_echo('LoginException:Unknown'));
  285. }
  286. // #5933: set logged in user early so code in login event will be able to
  287. // use elgg_get_logged_in_user_entity().
  288. $session->setLoggedInUser($user);
  289. // deprecate event
  290. $message = "The 'login' event was deprecated. Register for 'login:before' or 'login:after'";
  291. $version = "1.9";
  292. if (!elgg_trigger_deprecated_event('login', 'user', $user, $message, $version)) {
  293. $session->removeLoggedInUser();
  294. throw new \LoginException(elgg_echo('LoginException:Unknown'));
  295. }
  296. // if remember me checked, set cookie with token and store hash(token) for user
  297. if ($persistent) {
  298. _elgg_services()->persistentLogin->makeLoginPersistent($user);
  299. }
  300. // User's privilege has been elevated, so change the session id (prevents session fixation)
  301. $session->migrate();
  302. set_last_login($user->guid);
  303. reset_login_failure_count($user->guid);
  304. elgg_trigger_after_event('login', 'user', $user);
  305. // if memcache is enabled, invalidate the user in memcache @see https://github.com/Elgg/Elgg/issues/3143
  306. if (is_memcache_available()) {
  307. $guid = $user->getGUID();
  308. // this needs to happen with a shutdown function because of the timing with set_last_login()
  309. register_shutdown_function("_elgg_invalidate_memcache_for_entity", $guid);
  310. }
  311. return true;
  312. }
  313. /**
  314. * Log the current user out
  315. *
  316. * @return bool
  317. */
  318. function logout() {
  319. $session = _elgg_services()->session;
  320. $user = $session->getLoggedInUser();
  321. if (!$user) {
  322. return false;
  323. }
  324. if (!elgg_trigger_before_event('logout', 'user', $user)) {
  325. return false;
  326. }
  327. // deprecate event
  328. $message = "The 'logout' event was deprecated. Register for 'logout:before' or 'logout:after'";
  329. $version = "1.9";
  330. if (!elgg_trigger_deprecated_event('logout', 'user', $user, $message, $version)) {
  331. return false;
  332. }
  333. _elgg_services()->persistentLogin->removePersistentLogin();
  334. // pass along any messages into new session
  335. $old_msg = $session->get('msg');
  336. $session->invalidate();
  337. $session->set('msg', $old_msg);
  338. elgg_trigger_after_event('logout', 'user', $user);
  339. return true;
  340. }
  341. /**
  342. * Initializes the session and checks for the remember me cookie
  343. *
  344. * @return bool
  345. * @access private
  346. */
  347. function _elgg_session_boot() {
  348. elgg_register_action('login', '', 'public');
  349. elgg_register_action('logout');
  350. register_pam_handler('pam_auth_userpass');
  351. $session = _elgg_services()->session;
  352. $session->start();
  353. // test whether we have a user session
  354. if ($session->has('guid')) {
  355. $user = _elgg_services()->entityTable->get($session->get('guid'), 'user');
  356. if (!$user) {
  357. // OMG user has been deleted.
  358. $session->invalidate();
  359. forward('');
  360. }
  361. $session->setLoggedInUser($user);
  362. _elgg_services()->persistentLogin->replaceLegacyToken($user);
  363. } else {
  364. $user = _elgg_services()->persistentLogin->bootSession();
  365. if ($user) {
  366. $session->setLoggedInUser($user);
  367. }
  368. }
  369. if ($session->has('guid')) {
  370. set_last_action($session->get('guid'));
  371. }
  372. // initialize the deprecated global session wrapper
  373. global $SESSION;
  374. $SESSION = new \Elgg\DeprecationWrapper($session, "\$SESSION is deprecated", 1.9);
  375. // logout a user with open session who has been banned
  376. $user = $session->getLoggedInUser();
  377. if ($user && $user->isBanned()) {
  378. logout();
  379. return false;
  380. }
  381. return true;
  382. }