Back to index

awl  0.53
Session.php
Go to the documentation of this file.
00001 <?php
00025 require_once('AWLUtilities.php');
00026 require_once('AwlQuery.php');
00027 require_once('EMail.php');
00028 
00029 
00036 function check_temporary_passwords( $they_sent, $user_no ) {
00037   $sql = 'SELECT 1 AS ok FROM tmp_password WHERE user_no = ? AND password = ? AND valid_until > current_timestamp';
00038   $qry = new AwlQuery( $sql, $user_no, $they_sent );
00039   if ( $qry->Exec('Session::check_temporary_passwords') ) {
00040     dbg_error_log( "Login", " check_temporary_passwords: Rows = ".$qry->rows());
00041     if ( $row = $qry->Fetch() ) {
00042       dbg_error_log( "Login", " check_temporary_passwords: OK = $row->ok");
00043       // Remove all the temporary passwords for that user...
00044       $sql = 'DELETE FROM tmp_password WHERE user_no = ? ';
00045       $qry = new AwlQuery( $sql, $user_no );
00046       $qry->Exec('Login',__LINE__,__FILE__);
00047       return true;
00048     }
00049   }
00050   return false;
00051 }
00052 
00058 class Session
00059 {
00063   var $roles;
00064   var $cause = '';
00075   var $user_no;
00076 
00081   var $session_id = 0;
00082 
00087   var $username = 'guest';
00088 
00093   var $fullname = 'Guest';
00094 
00099   var $email = '';
00100 
00105   var $logged_in = false;
00106 
00113   var $just_logged_in = false;
00114 
00119   var $last_session_start;
00120 
00126   var $last_session_end;
00145   function Session( $sid="" )
00146   {
00147     global $sid, $sysname;
00148 
00149     $this->roles = array();
00150     $this->logged_in = false;
00151     $this->just_logged_in = false;
00152     $this->login_failed = false;
00153 
00154     if ( $sid == "" ) {
00155       if ( ! isset($_COOKIE['sid']) ) return;
00156       $sid = $_COOKIE['sid'];
00157     }
00158 
00159     list( $session_id, $session_key ) = explode( ';', $sid, 2 );
00160 
00170     if ( function_exists('local_session_sql') ) {
00171       $sql = local_session_sql();
00172     }
00173     else {
00174       $sql = "SELECT session.*, usr.* FROM session JOIN usr USING ( user_no )";
00175     }
00176     $sql .= " WHERE session.session_id = ? AND (md5(session.session_start::text) = ? OR session.session_key = ?) ORDER BY session.session_start DESC LIMIT 2";
00177 
00178     $qry = new AwlQuery($sql, $session_id, $session_key, $session_key);
00179     if ( $qry->Exec('Session') && 1 == $qry->rows() ) {
00180       $this->AssignSessionDetails( $qry->Fetch() );
00181       $qry = new AwlQuery('UPDATE session SET session_end = current_timestamp WHERE session_id=?', $session_id);
00182       $qry->Exec('Session');
00183     }
00184     else {
00185       //  Kill the existing cookie, which appears to be bogus
00186       setcookie('sid', '', 0,'/');
00187       $this->cause = 'ERR: Other than one session record matches. ' . $qry->rows();
00188       $this->Log( "WARN: Login $this->cause" );
00189     }
00190   }
00191 
00192 
00202   function Log( $whatever )
00203   {
00204     global $c;
00205 
00206     $argc = func_num_args();
00207     $format = func_get_arg(0);
00208     if ( $argc == 1 || ($argc == 2 && func_get_arg(1) == "0" ) ) {
00209       error_log( "$c->sysabbr: $format" );
00210     }
00211     else {
00212       $args = array();
00213       for( $i=1; $i < $argc; $i++ ) {
00214         $args[] = func_get_arg($i);
00215       }
00216       error_log( "$c->sysabbr: " . vsprintf($format,$args) );
00217     }
00218   }
00219 
00230   function Dbg( $whatever )
00231   {
00232     global $debuggroups, $c;
00233 
00234     $argc = func_num_args();
00235     $dgroup = func_get_arg(0);
00236 
00237     if ( ! (isset($debuggroups[$dgroup]) && $debuggroups[$dgroup]) ) return;
00238 
00239     $format = func_get_arg(1);
00240     if ( $argc == 2 || ($argc == 3 && func_get_arg(2) == "0" ) ) {
00241       error_log( "$c->sysabbr: DBG: $dgroup: $format" );
00242     }
00243     else {
00244       $args = array();
00245       for( $i=2; $i < $argc; $i++ ) {
00246         $args[] = func_get_arg($i);
00247       }
00248       error_log( "$c->sysabbr: DBG: $dgroup: " . vsprintf($format,$args) );
00249     }
00250   }
00251 
00260   function AllowedTo ( $whatever ) {
00261     return ( $this->logged_in && isset($this->roles[$whatever]) && $this->roles[$whatever] );
00262   }
00263 
00264 
00268   function GetRoles () {
00269     $this->roles = array();
00270     $qry = new AwlQuery( 'SELECT role_name FROM role_member m join roles r ON r.role_no = m.role_no WHERE user_no = ? ', $this->user_no );
00271     if ( $qry->Exec('Session::GetRoles') && $qry->rows() > 0 ) {
00272       while( $role = $qry->Fetch() ) {
00273         $this->roles[$role->role_name] = true;
00274       }
00275     }
00276   }
00277 
00278 
00283   function AssignSessionDetails( $u ) {
00284     // Assign each field in the selected record to the object
00285     foreach( $u AS $k => $v ) {
00286       $this->{$k} = $v;
00287     }
00288 
00289     $qry = new AwlQuery( "SET DATESTYLE TO ?", ($this->date_format_type == 'E' ? 'European,ISO' : ($this->date_format_type == 'U' ? 'US,ISO' : 'ISO')) );
00290     $qry->Exec();
00291 
00292     $this->GetRoles();
00293     $this->logged_in = true;
00294   }
00295 
00296 
00311   function Login( $username, $password, $authenticated = false ) {
00312     global $c;
00313     $rc = false;
00314     dbg_error_log( "Login", " Login: Attempting login for $username" );
00315     if ( isset($usr) ) unset($usr);  
00323     if ( !$authenticated && isset($c->authenticate_hook) && isset($c->authenticate_hook['call']) && function_exists($c->authenticate_hook['call']) ) {
00334       $usr = call_user_func( $c->authenticate_hook['call'], $username, $password );
00335       if ( $usr === false ) unset($usr); else $authenticated = true;
00336     }
00337 
00338     $sql = "SELECT * FROM usr WHERE lower(username) = text(?) AND active";
00339     $qry = new AwlQuery( $sql, strtolower($username) );
00340     if ( isset($usr) || ($qry->Exec('Login',__LINE__,__FILE__) && $qry->rows() == 1 && $usr = $qry->Fetch() ) ) {
00341       $user_no = ( method_exists( $usr, 'user_no' ) ? $usr->user_no() : $usr->user_no );
00342       if ( $authenticated || session_validate_password( $password, $usr->password ) || check_temporary_passwords( $password, $user_no ) ) {
00343         // Now get the next session ID to create one from...
00344         $qry = new AwlQuery( "SELECT nextval('session_session_id_seq')" );
00345         if ( $qry->Exec('Login') && $qry->rows() == 1 ) {
00346           $seq = $qry->Fetch();
00347           $session_id = $seq->nextval;
00348           $session_key = md5( rand(1010101,1999999999) . microtime() );  // just some random shite
00349           dbg_error_log( "Login", " Login: Valid username/password for $username ($user_no)" );
00350 
00351           // Set the last_used timestamp to match the previous login.
00352           $qry = new AwlQuery('UPDATE usr SET last_used = (SELECT session_start FROM session WHERE session.user_no = ? ORDER BY session_id DESC LIMIT 1) WHERE user_no = ?;', $usr->user_no, $usr->user_no);
00353           $qry->Exec('Session');
00354 
00355           // And create a session
00356           $sql = "INSERT INTO session (session_id, user_no, session_key) VALUES( ?, ?, ? )";
00357           $qry = new AwlQuery( $sql, $session_id, $user_no, $session_key );
00358           if ( $qry->Exec('Login') ) {
00359             // Assign our session ID variable
00360             $sid = "$session_id;$session_key";
00361 
00362             //  Create a cookie for the sesssion
00363             setcookie('sid',$sid, 0,'/');
00364             // Recognise that we have started a session now too...
00365             $this->Session($sid);
00366             dbg_error_log( "Login", " Login: New session $session_id started for $username ($user_no)" );
00367             if ( isset($_POST['remember']) && intval($_POST['remember']) > 0 ) {
00368               $cookie = md5( $user_no ) . ";";
00369               $cookie .= session_salted_md5($user_no . $usr->username . $usr->password);
00370               $GLOBALS['lsid'] = $cookie;
00371               setcookie( "lsid", $cookie, time() + (86400 * 3600), "/" );   // will expire in ten or so years
00372             }
00373             $this->just_logged_in = true;
00374 
00375             // Unset all of the submitted values, so we don't accidentally submit an unexpected form.
00376             unset($_POST['username']);
00377             unset($_POST['password']);
00378             unset($_POST['submit']);
00379             unset($_GET['submit']);
00380             unset($GLOBALS['submit']);
00381 
00382             if ( function_exists('local_session_sql') ) {
00383               $sql = local_session_sql();
00384             }
00385             else {
00386               $sql = "SELECT session.*, usr.* FROM session JOIN usr USING ( user_no )";
00387             }
00388             $sql .= " WHERE session.session_id = ? AND (md5(session.session_start::text) = ? OR session.session_key = ?) ORDER BY session.session_start DESC LIMIT 2";
00389 
00390             $qry = new AwlQuery($sql, $session_id, $session_key, $session_key);
00391             if ( $qry->Exec('Session') && 1 == $qry->rows() ) {
00392               $this->AssignSessionDetails( $qry->Fetch() );
00393             }
00394 
00395             $rc = true;
00396             return $rc;
00397           }
00398    // else ...
00399           $this->cause = 'ERR: Could not create new session.';
00400         }
00401         else {
00402           $this->cause = 'ERR: Could not increment session sequence.';
00403         }
00404       }
00405       else {
00406         $c->messages[] = i18n('Invalid username or password.');
00407         if ( isset($c->dbg['Login']) || isset($c->dbg['ALL']) )
00408           $this->cause = 'WARN: Invalid password.';
00409         else
00410           $this->cause = 'WARN: Invalid username or password.';
00411       }
00412     }
00413     else {
00414     $c->messages[] = i18n('Invalid username or password.');
00415     if ( isset($c->dbg['Login']) || isset($c->dbg['ALL']) )
00416       $this->cause = 'WARN: Invalid username.';
00417     else
00418       $this->cause = 'WARN: Invalid username or password.';
00419     }
00420 
00421     $this->Log( "Login failure: $this->cause" );
00422     $this->login_failed = true;
00423     $rc = false;
00424     return $rc;
00425   }
00426 
00427 
00428 
00437   function LSIDLogin( $lsid ) {
00438     global $c;
00439     dbg_error_log( "Login", " LSIDLogin: Attempting login for $lsid" );
00440 
00441     list($md5_user_no,$validation_string) = explode( ';', $lsid );
00442     $qry = new AwlQuery( "SELECT * FROM usr WHERE md5(user_no::text)=? AND active", $md5_user_no );
00443     if ( $qry->Exec('Login') && $qry->rows() == 1 ) {
00444       $usr = $qry->Fetch();
00445       list( $x, $salt, $y) = explode('*', $validation_string);
00446       $my_validation = session_salted_md5($usr->user_no . $usr->username . $usr->password, $salt);
00447       if ( $validation_string == $my_validation ) {
00448         // Now get the next session ID to create one from...
00449         $qry = new AwlQuery( "SELECT nextval('session_session_id_seq')" );
00450         if ( $qry->Exec('Login') && $qry->rows() == 1 ) {
00451           $seq = $qry->Fetch();
00452           $session_id = $seq->nextval;
00453           $session_key = md5( rand(1010101,1999999999) . microtime() );  // just some random shite
00454           dbg_error_log( "Login", " LSIDLogin: Valid username/password for $username ($usr->user_no)" );
00455 
00456           // And create a session
00457           $sql = "INSERT INTO session (session_id, user_no, session_key) VALUES( ?, ?, ? )";
00458           $qry = new AwlQuery( $sql, $session_id, $usr->user_no, $session_key );
00459           if ( $qry->Exec('Login') ) {
00460             // Assign our session ID variable
00461             $sid = "$session_id;$session_key";
00462 
00463             //  Create a cookie for the sesssion
00464             setcookie('sid',$sid, 0,'/');
00465             // Recognise that we have started a session now too...
00466             $this->Session($sid);
00467             dbg_error_log( "Login", " LSIDLogin: New session $session_id started for $this->username ($usr->user_no)" );
00468 
00469             $this->just_logged_in = true;
00470 
00471             // Unset all of the submitted values, so we don't accidentally submit an unexpected form.
00472             unset($_POST['username']);
00473             unset($_POST['password']);
00474             unset($_POST['submit']);
00475             unset($_GET['submit']);
00476             unset($GLOBALS['submit']);
00477 
00478             if ( function_exists('local_session_sql') ) {
00479               $sql = local_session_sql();
00480             }
00481             else {
00482               $sql = "SELECT session.*, usr.* FROM session JOIN usr USING ( user_no )";
00483             }
00484             $sql .= " WHERE session.session_id = ? AND (md5(session.session_start::text) = ? OR session.session_key = ?) ORDER BY session.session_start DESC LIMIT 2";
00485 
00486             $qry = new AwlQuery($sql, $session_id, $session_key, $session_key);
00487             if ( $qry->Exec('Session') && 1 == $qry->rows() ) {
00488               $this->AssignSessionDetails( $qry->Fetch() );
00489             }
00490 
00491             $rc = true;
00492             return $rc;
00493           }
00494    // else ...
00495           $this->cause = 'ERR: Could not create new session.';
00496         }
00497         else {
00498           $this->cause = 'ERR: Could not increment session sequence.';
00499         }
00500       }
00501       else {
00502         dbg_error_log( "Login", " LSIDLogin: $validation_string != $my_validation ($salt - $usr->user_no, $usr->username, $usr->password)");
00503         $client_messages[] = i18n('Invalid username or password.');
00504         if ( isset($c->dbg['Login']) || isset($c->dbg['ALL']) )
00505           $this->cause = 'WARN: Invalid password.';
00506         else
00507           $this->cause = 'WARN: Invalid username or password.';
00508       }
00509     }
00510     else {
00511     $client_messages[] = i18n('Invalid username or password.');
00512     if ( isset($c->dbg['Login']) || isset($c->dbg['ALL']) )
00513       $this->cause = 'WARN: Invalid username.';
00514     else
00515       $this->cause = 'WARN: Invalid username or password.';
00516     }
00517 
00518     dbg_error_log( "Login", " LSIDLogin: $this->cause" );
00519     return false;
00520   }
00521 
00522 
00528   function RenderLoginPanel() {
00529     $action_target = htmlspecialchars(preg_replace('/\?logout.*$/','',$_SERVER['REQUEST_URI']));
00530     dbg_error_log( "Login", " RenderLoginPanel: action_target='%s'", $action_target );
00531     $userprompt = translate("User Name");
00532     $pwprompt = translate("Password");
00533     $rememberprompt = str_replace( ' ', '&nbsp;', translate("forget me not"));
00534     $gobutton = htmlspecialchars(translate("GO!"));
00535     $gotitle = htmlspecialchars(translate("Enter your username and password then click here to log in."));
00536     $temppwprompt = translate("If you have forgotten your password then");
00537     $temppwbutton = htmlspecialchars(translate("Help! I've forgotten my password!"));
00538     $temppwtitle = htmlspecialchars(translate("Enter a username, if you know it, and click here, to be e-mailed a temporary password."));
00539     $html = <<<EOTEXT
00540 <div id="logon">
00541 <form action="$action_target" method="post">
00542 <table>
00543 <tr>
00544 <th class="prompt">$userprompt:</th>
00545 <td class="entry">
00546 <input class="text" type="text" name="username" size="12" /></td>
00547 </tr>
00548 <tr>
00549 <th class="prompt">$pwprompt:</th>
00550 <td class="entry">
00551 <input class="password" type="password" name="password" size="12" />
00552  &nbsp;<label>$rememberprompt: <input class="checkbox" type="checkbox" name="remember" value="1" /></label>
00553 </td>
00554 </tr>
00555 <tr>
00556 <th class="prompt">&nbsp;</th>
00557 <td class="entry">
00558 <input type="submit" value="$gobutton" title="$gotitle" name="submit" class="submit" />
00559 </td>
00560 </tr>
00561 </table>
00562 <p>
00563 $temppwprompt: <input type="submit" value="$temppwbutton" title="$temppwtitle" name="lostpass" class="submit" />
00564 </p>
00565 </form>
00566 </div>
00567 
00568 EOTEXT;
00569     return $html;
00570   }
00571 
00572 
00582   function LoginRequired( $groups = "" ) {
00583     global $c, $session;
00584 
00585     if ( $this->logged_in && $groups == "" ) return;
00586     if ( ! $this->logged_in ) {
00587       $c->messages[] = i18n("You must log in to use this system.");
00588       if ( function_exists("local_index_not_logged_in") ) {
00589         local_index_not_logged_in();
00590       }
00591       else {
00592         $login_html = translate( "<h1>Log On Please</h1><p>For access to the %s you should log on withthe username and password that have been issued to you.</p><p>If you would like to request access, please e-mail %s.</p>");
00593         $page_content = sprintf( $login_html, $c->system_name, $c->admin_email );
00594         $page_content .= $this->RenderLoginPanel();
00595         if ( isset($page_elements) && gettype($page_elements) == 'array' ) {
00596           $page_elements[] = $page_content;
00597           @include("page-renderer.php");
00598           exit(0);
00599         }
00600         @include("page-header.php");
00601         echo $page_content;
00602         @include("page-footer.php");
00603       }
00604     }
00605     else {
00606       $valid_groups = explode(",", $groups);
00607       foreach( $valid_groups AS $k => $v ) {
00608         if ( $this->AllowedTo($v) ) return;
00609       }
00610       $c->messages[] = i18n("You are not authorised to use this function.");
00611       if ( isset($page_elements) && gettype($page_elements) == 'array' ) {
00612         @include("page-renderer.php");
00613         exit(0);
00614       }
00615       @include("page-header.php");
00616       @include("page-footer.php");
00617     }
00618 
00619     exit;
00620   }
00621 
00622 
00623 
00632   function EmailTemporaryPassword( $username, $email_address, $body_template="" ) {
00633     global $c;
00634 
00635     $password_sent = false;
00636     $where = "";
00637     $params = array();
00638     if ( isset($username) && $username != "" ) {
00639       $where = 'WHERE active AND lower(usr.username) = :lcusername';
00640       $params[':lcusername'] = strtolower($username);
00641     }
00642     else if ( isset($email_address) && $email_address != "" ) {
00643       $where = 'WHERE active AND lower(usr.email) = :lcemail';
00644       $params[':lcemail'] = strtolower($email_address);
00645     }
00646 
00647     if ( $where != '' ) {
00648       if ( !isset($body_template) || $body_template == "" ) {
00649         $body_template = <<<EOTEXT
00650 
00651 @@debugging@@A temporary password has been requested for @@system_name@@.
00652 
00653 Temporary Password: @@password@@
00654 
00655 This has been applied to the following usernames:
00656 
00657 @@usernames@@
00658 and will be valid for 24 hours.
00659 
00660 If you have any problems, please contact the system administrator.
00661 
00662 EOTEXT;
00663       }
00664 
00665       $qry = new AwlQuery( 'SELECT * FROM usr '.$where, $params );
00666       $qry->Exec('Session::EmailTemporaryPassword');
00667       if ( $qry->rows() > 0 ) {
00668         $q2 = new AwlQuery();
00669         $q2->Begin();
00670 
00671         while ( $row = $qry->Fetch() ) {
00672           $mail = new EMail( "Access to $c->system_name" );
00673           $mail->SetFrom($c->admin_email );
00674           $usernames = "";
00675           $debug_to = "";
00676           if ( isset($c->debug_email) ) {
00677             $debug_to = "This e-mail would normally be sent to:\n ";
00678             $mail->AddTo( "Tester <$c->debug_email>" );
00679           }
00680 
00681           $tmp_passwd = '';
00682           for ( $i=0; $i < 8; $i++ ) {
00683             $tmp_passwd .= substr( 'ABCDEFGHIJKLMNOPQRSTUVWXYZ+#.-=*%@0123456789abcdefghijklmnopqrstuvwxyz', rand(0,69), 1);
00684           }
00685 
00686           $q2->QDo('INSERT INTO tmp_password (user_no, password) VALUES(?,?)', array($row->user_no, $tmp_passwd));
00687           if ( isset($c->debug_email) ) {
00688             $debug_to .= "$row->fullname <$row->email> ";
00689           }
00690           else {
00691             $mail->AddTo( "$row->fullname <$row->email>" );
00692           }
00693           $usernames .= "        $row->username\n";
00694 
00695           if ( $mail->To != "" ) {
00696             if ( isset($c->debug_email) ) {
00697               $debug_to .= "\n============================================================\n";
00698             }
00699             $sql .= "COMMIT;";
00700             $qry = new AwlQuery( $sql );
00701             $qry->Exec("Session::SendTemporaryPassword");
00702             $body = str_replace( '@@system_name@@', $c->system_name, $body_template);
00703             $body = str_replace( '@@password@@', $tmp_passwd, $body);
00704             $body = str_replace( '@@usernames@@', $usernames, $body);
00705             $body = str_replace( '@@debugging@@', $debug_to, $body);
00706             $mail->SetBody($body);
00707             $mail->Send();
00708             $password_sent = true;
00709           }
00710         }
00711       }
00712     }
00713     return $password_sent;
00714   }
00715 
00716 
00724   function SendTemporaryPassword( ) {
00725     global $c, $page_elements;
00726 
00727     $password_sent = $this->EmailTemporaryPassword( (isset($_POST['username'])?$_POST['username']:null), (isset($_POST['email_address'])?$_POST['email_address']:null) );
00728 
00729     if ( ! $password_sent && ((isset($_POST['username']) && $_POST['username'] != "" )
00730                               || (isset($_POST['email_address']) && $_POST['email_address'] != "" )) ) {
00731       // Username or EMail were non-null, but we didn't find that user.
00732 
00733       $page_content = <<<EOTEXT
00734 <div id="logon">
00735 <h1>Unable to Reset Password</h1>
00736 <p>We were unable to reset your password at this time.  Please contact
00737 <a href="mailto:$c->admin_email">$c->admin_email</a>
00738 to arrange for an administrator to reset your password.</p>
00739 <p>Thank you.</p>
00740 </div>
00741 EOTEXT;
00742     }
00743 
00744     if ( $password_sent ) {
00745       $page_content = <<<EOTEXT
00746 <div id="logon">
00747 <h1>Temporary Password Sent</h1>
00748 <p>A temporary password has been e-mailed to you.  This password
00749 will be valid for 24 hours and you will be required to change
00750 your password after logging in.</p>
00751 <p><a href="/">Click here to return to the login page.</a></p>
00752 </div>
00753 EOTEXT;
00754     }
00755     else {
00756       $page_content = <<<EOTEXT
00757 <div id="logon">
00758 <h1>Temporary Password</h1>
00759 <form action="$action_target" method="post">
00760 <table>
00761 <tr>
00762 <th class="prompt" style="white-space: nowrap;">Enter your User Name:</th>
00763 <td class="entry"><input class="text" type="text" name="username" size="12" /></td>
00764 </tr>
00765 <tr>
00766 <th class="prompt" style="white-space: nowrap;">Or your EMail Address:</th>
00767 <td class="entry"><input class="text" type="text" name="email_address" size="50" /></td>
00768 </tr>
00769 <tr>
00770 <th class="prompt" style="white-space: nowrap;">and click on -></th>
00771 <td class="entry">
00772 <input class="submit" type="submit" value="Send me a temporary password" alt="Enter a username, or e-mail address, and click here." name="lostpass" />
00773 </td>
00774 </tr>
00775 </table>
00776 <p>Note: If you have multiple accounts with the same e-mail address, they will <em>all</em>
00777 be assigned a new temporary password, but only the one(s) that you use that temporary password
00778 on will have the existing password invalidated.</p>
00779 <h2>The temporary password will only be valid for 24 hours.</h2>
00780 <p>You will need to log on and change your password during this time.</p>
00781 </form>
00782 </div>
00783 EOTEXT;
00784     }
00785     if ( isset($page_elements) && gettype($page_elements) == 'array' ) {
00786       $page_elements[] = $page_content;
00787       @include("page-renderer.php");
00788       exit(0);
00789     }
00790     @include("page-header.php");
00791     echo $page_content;
00792     @include("page-footer.php");
00793     exit(0);
00794   }
00795 
00796   static function _CheckLogout() {
00797     if ( isset($_GET['logout']) ) {
00798       dbg_error_log( "Login", ":_CheckLogout: Logging out");
00799       setcookie( 'sid', '', 0,'/');
00800       unset($_COOKIE['sid']);
00801       unset($GLOBALS['sid']);
00802       unset($_COOKIE['lsid']); // Allow a cookied person to be un-logged-in for one page view.
00803       unset($GLOBALS['lsid']);
00804 
00805       if ( isset($_GET['forget']) ) setcookie( 'lsid', '', 0,'/');
00806     }
00807   }
00808 
00809   function _CheckLogin() {
00810     global $c;
00811     if ( isset($_POST['lostpass']) ) {
00812       dbg_error_log( "Login", ":_CheckLogin: User '$_POST[username]' has lost the password." );
00813       $this->SendTemporaryPassword();
00814     }
00815     else if ( isset($_POST['username']) && isset($_POST['password']) ) {
00816       // Try and log in if we have a username and password
00817       $this->Login( $_POST['username'], $_POST['password'] );
00818       @dbg_error_log( "Login", ":_CheckLogin: User %s(%s) - %s (%d) login status is %d", $_POST['username'], $this->fullname, $this->user_no, $this->logged_in );
00819     }
00820     else if ( !isset($_COOKIE['sid']) && isset($_COOKIE['lsid']) && $_COOKIE['lsid'] != "" ) {
00821       // Validate long-term session details
00822       $this->LSIDLogin( $_COOKIE['lsid'] );
00823       dbg_error_log( "Login", ":_CheckLogin: User $this->username - $this->fullname ($this->user_no) login status is $this->logged_in" );
00824     }
00825     else if ( !isset($_COOKIE['sid']) && isset($c->authenticate_hook['server_auth_type']) ) {
00829       if ( is_array($c->authenticate_hook['server_auth_type']) ) {
00830         if ( in_array($_SERVER['AUTH_TYPE'], $c->authenticate_hook['server_auth_type'])) {
00831           $this->Login($_SERVER['REMOTE_USER'], "", true);  // Password will not be checked.
00832         }
00833       }
00834       else if ( $c->authenticate_hook['server_auth_type'] == $_SERVER['AUTH_TYPE'] ) {
00839         list($username) = explode('@', $_SERVER['REMOTE_USER']);
00840         $this->Login($username, "", true);  // Password will not be checked.
00841       }
00842     }
00843   }
00844 
00845 
00852   function FormattedDate( $indate, $type='date' ) {
00853     $out = "";
00854     if ( preg_match( '#^\s*$#', $indate ) ) {
00855       // Looks like it's empty - just return empty
00856       return $indate;
00857     }
00858     if ( preg_match( '#^\d{1,2}[/-]\d{1,2}[/-]\d{2,4}#', $indate ) ) {
00859       // Looks like it's nice already - don't screw with it!
00860       return $indate;
00861     }
00862     $yr = substr($indate,0,4);
00863     $mo = substr($indate,5,2);
00864     $dy = substr($indate,8,2);
00865     switch ( $this->date_format_type ) {
00866       case 'U':
00867         $out = sprintf( "%d/%d/%d", $mo, $dy, $yr );
00868         break;
00869       case 'E':
00870         $out = sprintf( "%d/%d/%d", $dy, $mo, $yr );
00871         break;
00872       default:
00873         $out = sprintf( "%d-%02d-%02d", $yr, $mo, $dy );
00874         break;
00875     }
00876     if ( $type == 'timestamp' ) {
00877       $out .= substr($indate,10,6);
00878     }
00879     return $out;
00880   }
00881 
00882 
00892   function BuildConfirmationHash( $method, $varname ) {
00897     $confirmation_hash = session_salted_md5( $this->session_start.$varname.$this->session_key, "" );
00898     if ( $method == 'GET' ) {
00899       $confirm = $varname .'='. urlencode($confirmation_hash);
00900     }
00901     else {
00902       $confirm = sprintf( '<input type="hidden" name="%s" value="%s">', $varname, htmlspecialchars($confirmation_hash) );
00903     }
00904     return $confirm;
00905   }
00906 
00907 
00915   function CheckConfirmationHash( $method, $varname ) {
00916     if ( $method == 'GET' && isset($_GET[$varname])) {
00917       $hashwegot = $_GET[$varname];
00918       dbg_error_log('Session',':CheckConfirmationHash: We got "%s" from GET', $hashwegot );
00919     }
00920     else if ( isset($_POST[$varname]) ) {
00921       $hashwegot = $_POST[$varname];
00922       dbg_error_log('Session',':CheckConfirmationHash: We got "%s" from POST', $hashwegot );
00923     }
00924     else {
00925       return false;
00926     }
00927 
00928     if ( preg_match('{^\*(.+)\*.+$}i', $hashwegot, $regs ) ) {
00929       // A nicely salted md5sum like "*<salt>*<salted_md5>"
00930       $salt = $regs[1];
00931       dbg_error_log('Session',':CheckConfirmationHash: Salt "%s"', $salt );
00932       $test_against = session_salted_md5( $this->session_start.$varname.$this->session_key, $salt ) ;
00933       dbg_error_log('Session',':CheckConfirmationHash: Testing against "%s"', $test_against );
00934       
00935       return ($hashwegot == $test_against);
00936     }
00937     return false;
00938   }
00939 
00940 }
00941 
00942 
00949 if ( !isset($session) ) {
00950   Session::_CheckLogout();
00951   $session = new Session();
00952   $session->_CheckLogin();
00953 }
00954