friendica/include/auth.php

<?php

use Friendica\App;
use Friendica\Core\Config;

require_once('include/security.php');
require_once('include/datetime.php');

// When the "Friendica" cookie is set, take the value to authenticate and renew the cookie.
if (isset($_COOKIE["Friendica"])) {
	$data = json_decode($_COOKIE["Friendica"]);
	if (isset($data->uid)) {
		$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
		FROM `user` WHERE `uid` = %d AND NOT `blocked` AND NOT `account_expired` AND NOT `account_removed` AND `verified` LIMIT 1",
			intval($data->uid)
		);

		if ($r) {
			if ($data->hash != cookie_hash($r[0])) {
				logger("Hash for user ".$data->uid." doesn't fit.");
				nuke_session();
				goaway(z_root());
			}

			// Renew the cookie
			// Expires after 7 days by default,
			// can be set via system.auth_cookie_lifetime
			$authcookiedays = Config::get('system', 'auth_cookie_lifetime', 7);
			new_cookie($authcookiedays*24*60*60, $r[0]);

			// Do the authentification if not done by now
			if (!isset($_SESSION) OR !isset($_SESSION['authenticated'])) {
				authenticate_success($r[0]);

				if (get_config('system','paranoia'))
					$_SESSION['addr'] = $data->ip;
			}
		}
	}
}


// login/logout

if (isset($_SESSION) && x($_SESSION,'authenticated') && (!x($_POST,'auth-params') || ($_POST['auth-params'] !== 'login'))) {

	if ((x($_POST,'auth-params') && ($_POST['auth-params'] === 'logout')) || ($a->module === 'logout')) {

		// process logout request
		call_hooks("logging_out");
		nuke_session();
		info(t('Logged out.').EOL);
		goaway(z_root());
	}

	if (x($_SESSION,'visitor_id') && !x($_SESSION,'uid')) {
		$r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
			intval($_SESSION['visitor_id'])
		);
		if (dbm::is_result($r)) {
			$a->contact = $r[0];
		}
	}

	if (x($_SESSION,'uid')) {

		// already logged in user returning

		$check = get_config('system','paranoia');
		// extra paranoia - if the IP changed, log them out
		if ($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {
			logger('Session address changed. Paranoid setting in effect, blocking session. '.
				$_SESSION['addr'].' != '.$_SERVER['REMOTE_ADDR']);
			nuke_session();
			goaway(z_root());
		}

		$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
		FROM `user` WHERE `uid` = %d AND NOT `blocked` AND NOT `account_expired` AND NOT `account_removed` AND `verified` LIMIT 1",
			intval($_SESSION['uid'])
		);

		if (!dbm::is_result($r)) {
			nuke_session();
			goaway(z_root());
		}

		// Make sure to refresh the last login time for the user if the user
		// stays logged in for a long time, e.g. with "Remember Me"
		$login_refresh = false;
		if (!x($_SESSION['last_login_date'])) {
			$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');
		}
		if (strcmp(datetime_convert('UTC','UTC','now - 12 hours'), $_SESSION['last_login_date']) > 0) {

			$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');
			$login_refresh = true;
		}
		authenticate_success($r[0], false, false, $login_refresh);
	}
} else {

	session_unset();

	if (x($_POST,'password') && strlen($_POST['password']))
		$encrypted = hash('whirlpool',trim($_POST['password']));
	else {
		if ((x($_POST,'openid_url')) && strlen($_POST['openid_url']) ||
		   (x($_POST,'username')) && strlen($_POST['username'])) {

			$noid = get_config('system','no_openid');

			$openid_url = trim((strlen($_POST['openid_url'])?$_POST['openid_url']:$_POST['username']));

			// validate_url alters the calling parameter

			$temp_string = $openid_url;

			// if it's an email address or doesn't resolve to a URL, fail.

			if ($noid || strpos($temp_string,'@') || !validate_url($temp_string)) {
				$a = get_app();
				notice(t('Login failed.').EOL);
				goaway(z_root());
				// NOTREACHED
			}

			// Otherwise it's probably an openid.

			try {
				require_once('library/openid.php');
				$openid = new LightOpenID;
				$openid->identity = $openid_url;
				$_SESSION['openid'] = $openid_url;
				$_SESSION['remember'] = $_POST['remember'];
				$openid->returnUrl = App::get_baseurl(true).'/openid';
				goaway($openid->authUrl());
			} catch (Exception $e) {
				notice(t('We encountered a problem while logging in with the OpenID you provided. Please check the correct spelling of the ID.').'<br /><br >'.t('The error message was:').' '.$e->getMessage());
			}
			// NOTREACHED
		}
	}

	if (x($_POST,'auth-params') && $_POST['auth-params'] === 'login') {

		$record = null;

		$addon_auth = array(
			'username' => trim($_POST['username']),
			'password' => trim($_POST['password']),
			'authenticated' => 0,
			'user_record' => null
		);

		/**
		 *
		 * A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
		 * Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
		 * and later plugins should not interfere with an earlier one that succeeded.
		 *
		 */

		call_hooks('authenticate', $addon_auth);

		if ($addon_auth['authenticated'] && count($addon_auth['user_record']))
			$record = $addon_auth['user_record'];
		else {

			// process normal login request

			$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
				FROM `user` WHERE (`email` = '%s' OR `nickname` = '%s')
				AND `password` = '%s' AND NOT `blocked` AND NOT `account_expired` AND NOT `account_removed` AND `verified` LIMIT 1",
				dbesc(trim($_POST['username'])),
				dbesc(trim($_POST['username'])),
				dbesc($encrypted)
			);
			if (dbm::is_result($r))
				$record = $r[0];
		}

		if (!$record || !count($record)) {
			logger('authenticate: failed login attempt: '.notags(trim($_POST['username'])).' from IP '.$_SERVER['REMOTE_ADDR']);
			notice(t('Login failed.').EOL);
			goaway(z_root());
		}

		if (! $_POST['remember']) {
			new_cookie(0); // 0 means delete on browser exit
		}

		// if we haven't failed up this point, log them in.
		$_SESSION['remember'] = $_POST['remember'];
		$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');
		authenticate_success($record, true, true);
	}
}

/**
 * @brief Kills the "Friendica" cookie and all session data
 */
function nuke_session() {

	new_cookie(-3600); // make sure cookie is deleted on browser close, as a security measure
	session_unset();
	session_destroy();
}
some changes 2010-07-05 05:45:56 +02:00			`<?php`
Use Config::get 2017-04-21 17:09:06 +02:00
Move App to src - Add `use Friendica\App;` wherever needed 2017-04-30 06:07:00 +02:00			`use Friendica\App;`
Cleanup /format pre-move 2017-04-30 06:01:26 +02:00			`use Friendica\Core\Config;`
Use Config::get 2017-04-21 17:09:06 +02:00
modularise successful authentication 2012-01-13 00:46:39 +01:00			`require_once('include/security.php');`
refresh login time every 12 hours for 'Remember me' 2012-11-09 01:00:37 +01:00			`require_once('include/datetime.php');`
modularise successful authentication 2012-01-13 00:46:39 +01:00
Improved "remember me" functionality 2016-04-25 00:02:43 +02:00			`// When the "Friendica" cookie is set, take the value to authenticate and renew the cookie.`
Code redesign and comments 2016-04-25 22:10:45 +02:00			`if (isset($_COOKIE["Friendica"])) {`
Improved "remember me" functionality 2016-04-25 00:02:43 +02:00			`$data = json_decode($_COOKIE["Friendica"]);`
			`if (isset($data->uid)) {`
			$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
Code redesign and comments 2016-04-25 22:10:45 +02:00			FROM `user` WHERE `uid` = %d AND NOT `blocked` AND NOT `account_expired` AND NOT `account_removed` AND `verified` LIMIT 1",
Improved "remember me" functionality 2016-04-25 00:02:43 +02:00			`intval($data->uid)`
			`);`

			`if ($r) {`
We now work with a hash to avoid cookie manipulation 2016-04-25 11:19:42 +02:00			`if ($data->hash != cookie_hash($r[0])) {`
			`logger("Hash for user ".$data->uid." doesn't fit.");`
			`nuke_session();`
			`goaway(z_root());`
			`}`

Improved "remember me" functionality 2016-04-25 00:02:43 +02:00			`// Renew the cookie`
Allow specifying cookie lifetime via config variable Tweak $a->config['system']['auth_cookie_lifetime'] 2017-04-21 16:15:39 +02:00			`// Expires after 7 days by default,`
			`// can be set via system.auth_cookie_lifetime`
Fix Config::get call 2017-04-21 17:36:45 +02:00			`$authcookiedays = Config::get('system', 'auth_cookie_lifetime', 7);`
Allow specifying cookie lifetime via config variable Tweak $a->config['system']['auth_cookie_lifetime'] 2017-04-21 16:15:39 +02:00			`new_cookie($authcookiedays2460*60, $r[0]);`
Improved "remember me" functionality 2016-04-25 00:02:43 +02:00
			`// Do the authentification if not done by now`
Code redesign and comments 2016-04-25 22:10:45 +02:00			`if (!isset($_SESSION) OR !isset($_SESSION['authenticated'])) {`
"Remember Me" should work now but needs more fine tuning 2016-04-25 07:10:40 +02:00			`authenticate_success($r[0]);`
Improved "remember me" functionality 2016-04-25 00:02:43 +02:00
"Remember Me" should work now but needs more fine tuning 2016-04-25 07:10:40 +02:00			`if (get_config('system','paranoia'))`
			`$_SESSION['addr'] = $data->ip;`
Improved "remember me" functionality 2016-04-25 00:02:43 +02:00			`}`
			`}`
			`}`
			`}`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 08:16:14 +01:00
"Remember Me" should work now but needs more fine tuning 2016-04-25 07:10:40 +02:00
Merge remote-tracking branch 'upstream/develop' into 1512-ostatus-comment Conflicts: include/ostatus.php 2015-12-22 11:25:37 +01:00			`// login/logout`
some changes 2010-07-05 05:45:56 +02:00
Code redesign and comments 2016-04-25 22:10:45 +02:00			`if (isset($_SESSION) && x($_SESSION,'authenticated') && (!x($_POST,'auth-params') \|\| ($_POST['auth-params'] !== 'login'))) {`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-11 01:16:29 +02:00
Code redesign and comments 2016-04-25 22:10:45 +02:00			`if ((x($_POST,'auth-params') && ($_POST['auth-params'] === 'logout')) \|\| ($a->module === 'logout')) {`
Merge remote-tracking branch 'upstream/develop' into 1512-ostatus-comment Conflicts: include/ostatus.php 2015-12-22 11:25:37 +01:00
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-11 01:16:29 +02:00			`// process logout request`
add 'loggin_out' hook 2012-03-12 15:58:59 +01:00			`call_hooks("logging_out");`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 08:16:14 +01:00			`nuke_session();`
"Remember Me" should work now but needs more fine tuning 2016-04-25 07:10:40 +02:00			`info(t('Logged out.').EOL);`
some more zot changes migrating back to f9a mainline 2011-08-02 06:02:25 +02:00			`goaway(z_root());`
some changes 2010-07-05 05:45:56 +02:00			`}`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-11 01:16:29 +02:00
Code redesign and comments 2016-04-25 22:10:45 +02:00			`if (x($_SESSION,'visitor_id') && !x($_SESSION,'uid')) {`
missing self photo on remote site comment boxes 2011-05-10 07:15:19 +02:00			$r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
			`intval($_SESSION['visitor_id'])`
			`);`
More usage of dbm::is_result($r) instead of count($r): - count() returns very different results and never a boolean (not even false on error condition). - therefore you should NOT use it in boolean expressions. This still can be done in PHP because of its lazyness. But it is discouraged if it comes to more clean code. Signed-off-by: Roland Häder <roland@mxchange.org> 2016-12-13 10:44:13 +01:00			`if (dbm::is_result($r)) {`
missing self photo on remote site comment boxes 2011-05-10 07:15:19 +02:00			`$a->contact = $r[0];`
			`}`
			`}`

Code redesign and comments 2016-04-25 22:10:45 +02:00			`if (x($_SESSION,'uid')) {`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-11 01:16:29 +02:00
			`// already logged in user returning`

paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 08:16:14 +01:00			`$check = get_config('system','paranoia');`
			`// extra paranoia - if the IP changed, log them out`
Code redesign and comments 2016-04-25 22:10:45 +02:00			`if ($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {`
			`logger('Session address changed. Paranoid setting in effect, blocking session. '.`
			`$_SESSION['addr'].' != '.$_SERVER['REMOTE_ADDR']);`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 08:16:14 +01:00			`nuke_session();`
some more zot changes migrating back to f9a mainline 2011-08-02 06:02:25 +02:00			`goaway(z_root());`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 08:16:14 +01:00			`}`

There is now a config value for the session management to not use the database 2015-12-22 22:11:08 +01:00			$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
Code redesign and comments 2016-04-25 22:10:45 +02:00			FROM `user` WHERE `uid` = %d AND NOT `blocked` AND NOT `account_expired` AND NOT `account_removed` AND `verified` LIMIT 1",
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-11 01:16:29 +02:00			`intval($_SESSION['uid'])`
			`);`

More usage of dbm::is_result($r) instead of count($r): - count() returns very different results and never a boolean (not even false on error condition). - therefore you should NOT use it in boolean expressions. This still can be done in PHP because of its lazyness. But it is discouraged if it comes to more clean code. Signed-off-by: Roland Häder <roland@mxchange.org> 2016-12-13 10:44:13 +01:00			`if (!dbm::is_result($r)) {`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 08:16:14 +01:00			`nuke_session();`
some more zot changes migrating back to f9a mainline 2011-08-02 06:02:25 +02:00			`goaway(z_root());`
some changes 2010-07-05 05:45:56 +02:00			`}`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-11 01:16:29 +02:00
refresh login time every 12 hours for 'Remember me' 2012-11-09 01:00:37 +01:00			`// Make sure to refresh the last login time for the user if the user`
			`// stays logged in for a long time, e.g. with "Remember Me"`
			`$login_refresh = false;`
Code redesign and comments 2016-04-25 22:10:45 +02:00			`if (!x($_SESSION['last_login_date'])) {`
refresh login time every 12 hours for 'Remember me' 2012-11-09 01:00:37 +01:00			`$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');`
			`}`
Code redesign and comments 2016-04-25 22:10:45 +02:00			`if (strcmp(datetime_convert('UTC','UTC','now - 12 hours'), $_SESSION['last_login_date']) > 0) {`
refresh login time every 12 hours for 'Remember me' 2012-11-09 01:00:37 +01:00
			`$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');`
			`$login_refresh = true;`
			`}`
			`authenticate_success($r[0], false, false, $login_refresh);`
some changes 2010-07-05 05:45:56 +02:00			`}`
"remember me" in session does work now 2016-04-05 23:28:33 +02:00			`} else {`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-11 01:16:29 +02:00
"Remember Me" should work now but needs more fine tuning 2016-04-25 07:10:40 +02:00			`session_unset();`
theme cleanup 2010-09-19 06:11:18 +02:00
Code redesign and comments 2016-04-25 22:10:45 +02:00			`if (x($_POST,'password') && strlen($_POST['password']))`
-Wall cleanup 2010-10-30 22:25:37 +02:00			`$encrypted = hash('whirlpool',trim($_POST['password']));`
pull some template strings 2010-11-17 08:26:14 +01:00			`else {`
Code redesign and comments 2016-04-25 22:10:45 +02:00			`if ((x($_POST,'openid_url')) && strlen($_POST['openid_url']) \|\|`
works on login form 2011-10-17 16:53:59 +02:00			`(x($_POST,'username')) && strlen($_POST['username'])) {`
smooth a few rough edges of openid 2010-11-19 00:06:33 +01:00
localise login template, allow openid to be disabled 2010-11-29 05:58:23 +01:00			`$noid = get_config('system','no_openid');`

"Remember Me" should work now but needs more fine tuning 2016-04-25 07:10:40 +02:00			`$openid_url = trim((strlen($_POST['openid_url'])?$_POST['openid_url']:$_POST['username']));`
smooth a few rough edges of openid 2010-11-19 00:06:33 +01:00
			`// validate_url alters the calling parameter`

			`$temp_string = $openid_url;`

			`// if it's an email address or doesn't resolve to a URL, fail.`

Code redesign and comments 2016-04-25 22:10:45 +02:00			`if ($noid \|\| strpos($temp_string,'@') \|\| !validate_url($temp_string)) {`
smooth a few rough edges of openid 2010-11-19 00:06:33 +01:00			`$a = get_app();`
"Remember Me" should work now but needs more fine tuning 2016-04-25 07:10:40 +02:00			`notice(t('Login failed.').EOL);`
some more zot changes migrating back to f9a mainline 2011-08-02 06:02:25 +02:00			`goaway(z_root());`
smooth a few rough edges of openid 2010-11-19 00:06:33 +01:00			`// NOTREACHED`
			`}`

			`// Otherwise it's probably an openid.`

"Remember Me" should work now but needs more fine tuning 2016-04-25 07:10:40 +02:00			`try {`
			`require_once('library/openid.php');`
			`$openid = new LightOpenID;`
			`$openid->identity = $openid_url;`
			`$_SESSION['openid'] = $openid_url;`
Fix "remember me" cookie for OpenID logins Closes #2432 NOTE: in order to obtain the same "cookie hash" it was required to include unneeded fields in the user record structure, this would be good to change in the future... 2017-03-12 01:11:35 +01:00			`$_SESSION['remember'] = $_POST['remember'];`
much more usage of App::get_baseurl() instead of $a->get_baseurl() (coding convention applied) Signed-off-by: Roland Häder <roland@mxchange.org> 2016-12-19 14:26:13 +01:00			`$openid->returnUrl = App::get_baseurl(true).'/openid';`
"Remember Me" should work now but needs more fine tuning 2016-04-25 07:10:40 +02:00			`goaway($openid->authUrl());`
			`} catch (Exception $e) {`
Code redesign and comments 2016-04-25 22:10:45 +02:00			`notice(t('We encountered a problem while logging in with the OpenID you provided. Please check the correct spelling of the ID.').'<br /><br >'.t('The error message was:').' '.$e->getMessage());`
"Remember Me" should work now but needs more fine tuning 2016-04-25 07:10:40 +02:00			`}`
refactor openid logins/registrations 2012-03-19 23:03:09 +01:00			`// NOTREACHED`
pull some template strings 2010-11-17 08:26:14 +01:00			`}`
			`}`
add IP address to failed login log message 2012-03-20 05:58:21 +01:00
Code redesign and comments 2016-04-25 22:10:45 +02:00			`if (x($_POST,'auth-params') && $_POST['auth-params'] === 'login') {`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-11 01:16:29 +02:00
Add sample external authentication plugin (ldap) 2010-12-27 23:59:26 +01:00			`$record = null;`
add authentication plugin hooks 2010-12-25 00:59:12 +01:00
			`$addon_auth = array(`
Improved "remember me" functionality 2016-04-25 00:02:43 +02:00			`'username' => trim($_POST['username']),`
add authentication plugin hooks 2010-12-25 00:59:12 +01:00			`'password' => trim($_POST['password']),`
Add sample external authentication plugin (ldap) 2010-12-27 23:59:26 +01:00			`'authenticated' => 0,`
			`'user_record' => null`
add authentication plugin hooks 2010-12-25 00:59:12 +01:00			`);`

			`/**`
			`*`
Add sample external authentication plugin (ldap) 2010-12-27 23:59:26 +01:00			`* A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record`
add authentication plugin hooks 2010-12-25 00:59:12 +01:00			`* Plugins should never set 'authenticated' except to indicate success - as hooks may be chained`
			`* and later plugins should not interfere with an earlier one that succeeded.`
			`*`
			`*/`

			`call_hooks('authenticate', $addon_auth);`

Code redesign and comments 2016-04-25 22:10:45 +02:00			`if ($addon_auth['authenticated'] && count($addon_auth['user_record']))`
Add sample external authentication plugin (ldap) 2010-12-27 23:59:26 +01:00			`$record = $addon_auth['user_record'];`
Code redesign and comments 2016-04-25 22:10:45 +02:00			`else {`
Add sample external authentication plugin (ldap) 2010-12-27 23:59:26 +01:00
			`// process normal login request`
add authentication plugin hooks 2010-12-25 00:59:12 +01:00
There is now a config value for the session management to not use the database 2015-12-22 22:11:08 +01:00			$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
"Remember Me" should work now but needs more fine tuning 2016-04-25 07:10:40 +02:00			FROM `user` WHERE (`email` = '%s' OR `nickname` = '%s')
Code redesign and comments 2016-04-25 22:10:45 +02:00			AND `password` = '%s' AND NOT `blocked` AND NOT `account_expired` AND NOT `account_removed` AND `verified` LIMIT 1",
works on login form 2011-10-17 16:53:59 +02:00			`dbesc(trim($_POST['username'])),`
			`dbesc(trim($_POST['username'])),`
add authentication plugin hooks 2010-12-25 00:59:12 +01:00			`dbesc($encrypted)`
			`);`
More usage of dbm::is_result($r) instead of count($r): - count() returns very different results and never a boolean (not even false on error condition). - therefore you should NOT use it in boolean expressions. This still can be done in PHP because of its lazyness. But it is discouraged if it comes to more clean code. Signed-off-by: Roland Häder <roland@mxchange.org> 2016-12-13 10:44:13 +01:00			`if (dbm::is_result($r))`
Add sample external authentication plugin (ldap) 2010-12-27 23:59:26 +01:00			`$record = $r[0];`
add authentication plugin hooks 2010-12-25 00:59:12 +01:00			`}`

Improved "remember me" functionality 2016-04-25 00:02:43 +02:00			`if (!$record \|\| !count($record)) {`
"Remember Me" should work now but needs more fine tuning 2016-04-25 07:10:40 +02:00			`logger('authenticate: failed login attempt: '.notags(trim($_POST['username'])).' from IP '.$_SERVER['REMOTE_ADDR']);`
			`notice(t('Login failed.').EOL);`
some more zot changes migrating back to f9a mainline 2011-08-02 06:02:25 +02:00			`goaway(z_root());`
"Remember Me" should work now but needs more fine tuning 2016-04-25 07:10:40 +02:00			`}`
Add sample external authentication plugin (ldap) 2010-12-27 23:59:26 +01:00
Remove extra space after open parentheses 2017-03-13 23:08:03 +01:00			`if (! $_POST['remember']) {`
Only remove the "remember me" cookie at submitting the auth form Fixes loss of remember (Friendica) cookie on switching Managed accounts 2017-03-13 11:57:10 +01:00			`new_cookie(0); // 0 means delete on browser exit`
			`}`

modularise successful authentication 2012-01-13 00:46:39 +01:00			`// if we haven't failed up this point, log them in.`
Fix "remember me" cookie for OpenID logins Closes #2432 NOTE: in order to obtain the same "cookie hash" it was required to include unneeded fields in the user record structure, this would be good to change in the future... 2017-03-12 01:11:35 +01:00			`$_SESSION['remember'] = $_POST['remember'];`
refresh login time every 12 hours for 'Remember me' 2012-11-09 01:00:37 +01:00			`$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');`
modularise successful authentication 2012-01-13 00:46:39 +01:00			`authenticate_success($record, true, true);`
some changes 2010-07-05 05:45:56 +02:00			`}`
			`}`

Code redesign and comments 2016-04-25 22:10:45 +02:00			`/**`
			`* @brief Kills the "Friendica" cookie and all session data`
			`*/`
			`function nuke_session() {`

			`new_cookie(-3600); // make sure cookie is deleted on browser close, as a security measure`
			`session_unset();`
			`session_destroy();`
			`}`