Source for file Auth.php
Documentation is available at Auth.php
/* vim: set expandtab tabstop=4 shiftwidth=4: */ // +----------------------------------------------------------------------+ // +----------------------------------------------------------------------+ // | Copyright (c) 1997-2003 The PHP Group | // +----------------------------------------------------------------------+ // | This source file is subject to version 2.02 of the PHP license, | // | that is bundled with this package in the file LICENSE, and is | // | available at through the world-wide-web at | // | http://www.php.net/license/2_02.txt. | // | If you did not receive a copy of the PHP license and are unable to | // | obtain it through the world-wide-web, please send a note to | // | license@php.net so we can mail you a copy immediately. | // +----------------------------------------------------------------------+ // | Authors: Martin Jansen <mj@php.net> | // +----------------------------------------------------------------------+ // $Id: Auth.php,v 1.99 2006/02/28 02:19:22 aashley Exp $ define('AUTH_WRONG_LOGIN', -3 ); define('AUTH_METHOD_NOT_SUPPORTED', -4 ); define('AUTH_SECURITY_BREACH', -5 ); * The PEAR::Auth class provides methods for creating an * authentication system using PHP. * @author Martin Jansen <mj@php.net> * @author Adam Ashley <aashley@php.net> * @version $Revision: 1.99 $ * Auth lifetime in seconds * If this variable is set to 0, auth never expires * @see setExpire(), checkAuth() * Has the auth session expired? * Maximum idletime in seconds * The difference to $expire is, that the idletime gets * refreshed each time checkAuth() is called. If this * variable is set to 0, idletime is never checked. * @see setIdle(), checkAuth() * Is the maximum idletime over? * @see Auth(), validateLogin() * User-defined function that creates the login screen * Should the login form be displayed * Is Login Allowed from this page * Current authentication status * Login callback function name * @see setLoginCallback() * Failed Login callback function name * @see setLoginFailedCallback() * Logout callback function name * @see setLogoutCallback() * Auth session-array name var $_sessionName = '_authsession'; * Flag to use advanced security * When set extra checks will be made to see if the * user's IP or useragent have changed across requests. * Turned off by default to preserve BC. * Username key in POST array var $_postUsername = 'username'; * Password key in POST array var $_postPassword = 'password'; * Holds a reference to the session auth variable * Holds a reference to the global server variable * Holds a reference to the global post variable * Holds a reference to the global cookie variable * A hash to hold various superglobals as reference * How many times has checkAuth been called // {{{ Auth() [constructor] * Set up the storage driver. * @param string Type of the storage driver * @param mixed Additional options for the storage driver * (example: if you are using DB as the storage * driver, you have to pass the dsn string here) * @param string Name of the function that creates the login form * @param boolean Should the login form be displayed if neccessary? function Auth($storageDriver, $options = '', $loginFunction = '', $showLogin = true ) $this->applyAuthOptions ($options); // Start the session suppress error if already started PEAR ::throwError ('Session could not be started by Auth, ' . 'possibly headers are already sent, try putting ' . 'ob_start in the begninig of your script'); // Make Sure Auth session variable is there if( !isset ($_SESSION[$this->_sessionName]) && !isset ($GLOBALS['HTTP_SESSION_VARS'][$this->_sessionName])) { session_register ($this->_sessionName); // Assign Some globals to internal references, this will replace _importGlobalVariable ? $this->session = & $_SESSION[$this->_sessionName] : $this->session = & $GLOBALS['HTTP_SESSION_VARS'][$this->_sessionName] ; : $this->server = & $GLOBALS['HTTP_SERVER_VARS']; : $this->post = & $GLOBALS['HTTP_POST_VARS']; : $this->cookie = & $GLOBALS['HTTP_COOKIE_VARS']; //isset($_GET) ? $var = &$_GET : $var = &$GLOBALS['HTTP_GET_VARS']; if ($loginFunction != '' && is_callable($loginFunction)) { // Pass a reference to auth to the container, ugly but works // this is used by the DB container to use method setAuthData not staticaly. $this->storage->_auth_obj = & $this; // $this->storage = $this->_factory($storageDriver, $options); $this->storage_driver = $storageDriver; $this->storage_options = & $options; // {{{ applyAuthOptions() * Some options which are Auth specific will be applied * the rest will be left for usage by the container * @param array An array of Auth options * @return array The options which were not applied function &applyAuthOptions (&$options) if (!empty ($options['sessionName'])) { $this->_sessionName = $options['sessionName']; unset ($options['sessionName']); if (!empty ($options['allowLogin'])) { unset ($options['allowLogin']); if (!empty ($options['postUsername'])) { $this->_postUsername = $options['postUsername']; unset ($options['postUsername']); if (!empty ($options['postPassword'])) { $this->_postPassword = $options['postPassword']; unset ($options['postPassword']); if (!empty ($options['advancedsecurity'])) { unset ($options['advancedsecurity']); * Load Storage Driver if not already loaded * Suspend storage instantiation to make Auth lighter to use * for calls which do not require login * @return bool True if the conainer is loaded, false if the container $this->storage = & $this->_factory ($this->storage_driver, $this->storage->_auth_obj = & $this; * Return a storage driver based on $driver and $options * @param string $driver Type of storage class to return * @param string $options Optional parameters for the storage class * @return object Object Storage object function &_factory ($driver, $options = '') $storage_class = 'Auth_Container_' . $driver; include_once 'Auth/Container/' . $driver . '.php'; $obj = & new $storage_class($options); * Assign data from login form to internal values * This function takes the values for username and password * from $HTTP_POST_VARS/$_POST and assigns them to internal variables. * If you wish to use another source apart from $HTTP_POST_VARS/$_POST, * you have to derive this function. * @global $HTTP_POST_VARS, $_POST if ( isset ($this->post[$this->_postUsername]) && $this->post[$this->_postUsername] != '') { : $this->post[$this->_postUsername]); if ( isset ($this->post[$this->_postPassword]) && $this->post[$this->_postPassword] != '') { : $this->post[$this->_postPassword] ); // Check if using challenge response (isset ($this->post['authsecret']) && $this->post['authsecret'] == 1 ) // When the user has already entered a username, we have to validate it. if (!empty ($this->username) && $login_ok) { // If the login failed or the user entered no username, // output the login screen again. if (!empty ($this->username) && !$login_ok) { // BC fix Auth used to use drawLogin for this // call is sub classes implement this return $this->drawLogin ($this->username, $this); include_once 'Auth/Frontend/Html.php'; * Set the maximum expire time * @param integer time in seconds * @param bool add time to current expire time or not * Set the maximum idle time * @param integer time in seconds * @param bool add time to current maximum idle time or not function setIdle($time, $add = false ) $add ? $this->idle += $time : $this->idle = $time; * Set name of the session to a customized value. * If you are using multiple instances of PEAR::Auth * on the same domain, you can change the name of * session per application via this function. * This will chnage the name of the session variable * auth uses to store it's data in the session * @param string New name for the session $this->_sessionName = '_auth_'. $name; ? $this->session = & $_SESSION[$this->_sessionName] : $this->session = & $GLOBALS['HTTP_SESSION_VARS'][$this->_sessionName] ; * Should the login form be displayed if neccessary? * @param bool show login form or not * Should the login form be displayed if neccessary? * @param bool show login form or not // {{{ setLoginCallback() * Register a callback function to be called on user login. * The function will receive two parameters, the username and a reference to the auth object. * @param string callback function name * @see setLogoutCallback() // {{{ setFailedLoginCallback() * Register a callback function to be called on failed user login. * The function will receive a single parameter, the username and a reference to the auth object. * @param string callback function name // {{{ setLogoutCallback() * Register a callback function to be called on user logout. * The function will receive three parameters, the username and a reference to the auth object. * @param string callback function name * @see setLoginCallback() * Register additional information that is to be stored * @param string Name of the data field * @param mixed Value of the data field * @param boolean Should existing data be overwritten? (default if (!empty ($this->session['data'][$name]) && $overwrite == false ) { $this->session['data'][$name] = $value; * Get additional information that is stored in the session. * If no value for the first parameter is passed, the method will * return all data that is currently stored. * @param string Name of the data field * @return mixed Value of the data field. if (!isset ($this->session['data'])) { if (isset ($name) && isset ($this->session['data'][$name])) { return $this->session['data'][$name]; * Register variable in a session telling that the user * has logged in successfully // #2021 - Change the session id to avoid session fixation attacks php 4.3.3 > if (!isset ($this->session['data'])) { $this->session['sessionip'] = isset ($this->server['REMOTE_ADDR']) ? $this->server['REMOTE_ADDR'] $this->session['sessionuseragent'] = isset ($this->server['HTTP_USER_AGENT']) ? $this->server['HTTP_USER_AGENT'] // This should be set by the container to something more safe // Like md5(passwd.microtime) if(empty ($this->session['challengekey'])) { $this->session['registered'] = true; $this->session['username'] = $username; // {{{ setAdvancedSecurity() * Enables advanced security checks * Currently only ip change and useragent change * @todo Add challenge cookies - Create a cookie which changes every time * and contains some challenge key which the server can verify with * a session var cookie might need to be crypted (user pass) * @param bool Enable or disable * Checks if there is a session with valid auth information. * @return boolean Whether or not the user is authenticated. // Check if authentication session is expired && isset ($this->session['timestamp']) // Check if maximum idle time is reached if ( isset ($this->session['registered']) && isset ($this->session['username']) && $this->session['registered'] == true && $this->session['username'] != '') { // Only Generate the challenge once $this->session['challengecookieold'] = $this->session['challengecookie']; if ( isset ($this->server['REMOTE_ADDR']) && $this->session['sessionip'] != $this->server['REMOTE_ADDR']) { // Check if the IP of the user has changed, if so we // assume a man in the middle attack and log him out // Check for useragent change if ( isset ($this->server['HTTP_USER_AGENT']) && $this->session['sessionuseragent'] != $this->server['HTTP_USER_AGENT']) { // Check if the User-Agent of the user has changed, if // so we assume a man in the middle attack and log him out // Check challenge cookie here, if challengecookieold is not set // this is the first time and check is skipped // TODO when user open two pages similtaneuly (open in new window,open // in tab) auth breach is caused find out a way around that if possible if ( isset ($this->session['challengecookieold']) && $this->session['challengecookieold'] != $this->cookie['authchallenge']) { // {{{ staticCheckAuth() [static] * Statically checks if there is a session with valid auth information. * @return boolean Whether or not the user is authenticated. if(!isset ($staticAuth)) { $staticAuth = new Auth('null', $options); return $staticAuth->checkAuth (); * Has the user been authenticated? * @return bool True if the user is logged in, otherwise false. * This function clears any auth tokens in the currently * active session and executes the logout callback function, if (isset ($this->session['username'])) { return($this->session['username']); // {{{ getPostUsernameField() * Gets the post varible used for the username return($this->_postUsername); // {{{ getPostPasswordField() * Gets the post varible used for the username return($this->_postPassword); // {{{ sessionValidThru() * Returns the time up to the session is valid if (!isset ($this->session['idle'])) { * List all users that are currently available in the storage return $this->storage->listUsers (); * Add user to the storage container * @param mixed Additional parameters * @return mixed True on success, PEAR error object on error * and AUTH_METHOD_NOT_SUPPORTED otherwise. function addUser($username, $password, $additional = '') return $this->storage->addUser ($username, $password, $additional); * Remove user from the storage container * @return mixed True on success, PEAR error object on error * and AUTH_METHOD_NOT_SUPPORTED otherwise. return $this->storage->removeUser ($username); * Change password for user in the storage container * @param string The new password * @return mixed True on success, PEAR error object on error * and AUTH_METHOD_NOT_SUPPORTED otherwise. return $this->storage->changePassword ($username, $password);
Documentation generated on Mon, 11 Mar 2019 14:37:15 -0400 by phpDocumentor 1.4.4. PEAR Logo Copyright © PHP Group 2004.
|
