
  1. <?php
  2. /**
  3.  * @package     Joomla.Plugin
  4.  * @subpackage  System.remember
  5.  *
  6.  * @copyright   Copyright (C) 2005 - 2013 Open Source Matters, Inc. All rights reserved.
  7.  * @license     GNU General Public License version 2 or later; see LICENSE.txt
  8.  */
  9.  
  10. defined('_JEXEC'or die;
  11.  
  12. /**
  13.  * Joomla! System Remember Me Plugin
  14.  *
  15.  * @package     Joomla.Plugin
  16.  * @subpackage  System.remember
  17.  * @since       1.5
  18.  * @note        Code improvements inspired by http://jaspan.com/improved_persistent_login_cookie_best_practice
  19.  *               and http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/
  20.  */
  21. class PlgSystemRemember extends JPlugin
  22. {
  23.     /**
  24.      * Application object
  25.      *
  26.      * @var    JApplicationCms 
  27.      * @since  3.2
  28.      */
  29.     protected $app;
  30.  
  31.     /**
  32.      * Database object
  33.      *
  34.      * @var    JDatabaseDriver 
  35.      * @since  3.2
  36.      */
  37.     protected $db;
  38.  
  39.     /**
  40.      * Domain for the cookie.
  41.      *
  42.      * @var    string 
  43.      * @since  3.2
  44.      */
  45.     protected $cookie_domain;
  46.  
  47.     /**
  48.      * Path for the cookie.
  49.      *
  50.      * @var    string 
  51.      * @since  3.2
  52.      */
  53.     protected $cookie_path;
  54.  
  55.     /**
  56.      * Whether to set as secure or not.
  57.      *
  58.      * @var    boolean 
  59.      * @since  3.2
  60.      */
  61.     protected $secure = false;
  62.  
  63.     /**
  64.      * Cookie lifetime in days.
  65.      *
  66.      * @var    integer 
  67.      * @since  3.2
  68.      */
  69.     protected $lifetime;
  70.  
  71.     /**
  72.      * Length of random string.
  73.      *
  74.      * @var    integer 
  75.      * @since  3.2
  76.      */
  77.     protected $length;
  78.  
  79.     /**
  80.      * Constructor. We use it to set the app and db properties.
  81.      *
  82.      * @param   object  &$subject  The object to observe
  83.      * @param   array   $config    An optional associative array of configuration settings.
  84.      *                              Recognized key values include 'name', 'group', 'params', 'language'
  85.      *                              (this list is not meant to be comprehensive).
  86.      *
  87.      * @since   3.2
  88.      */
  89.     public function __construct(&$subject$config array())
  90.     {
  91.         parent::__construct($subject$config);
  92.  
  93.         // Use domain and path set in config for cookie if it exists.
  94.         $this->cookie_domain = $this->app->get('cookie_domain''');
  95.         $this->cookie_path = $this->app->get('cookie_path''/');
  96.         $this->lifetime = time(($this->params->get('cookie_lifetime''60'24 60 60);
  97.         $this->secure = $this->app->isSSLConnection();
  98.         $this->length = $this->params->get('key_length''16');
  99.     }
  100.  
  101.     /**
  102.      * Remember me method to run onAfterInitialise
  103.      *
  104.      * @return  boolean 
  105.      *
  106.      * @since   1.5
  107.      * @throws  InvalidArgumentException
  108.      */
  109.     public function onAfterInitialise()
  110.     {
  111.         // No remember me for admin
  112.         if ($this->app->isAdmin())
  113.         {
  114.             return false;
  115.         }
  116.  
  117.         $user JFactory::getUser();
  118.  
  119.         $this->app->rememberCookieLifetime $this->lifetime;
  120.         $this->app->rememberCookieSecure   $this->secure;
  121.         $this->app->rememberCookieLength   $this->length;
  122.  
  123.         // Check for a cookie
  124.         if ($user->get('guest'== 1)
  125.         {
  126.             // Create the cookie name and data
  127.             $rememberArray JUserHelper::getRememberCookieData();
  128.  
  129.             if ($rememberArray !== false)
  130.             {
  131.                 if (count($rememberArray!= 3)
  132.                 {
  133.                     // Destroy the cookie in the browser.
  134.                     $this->app->input->cookie->set(end($rememberArray)falsetime(42000$this->app->get('cookie_path')$this->app->get('cookie_domain'));
  135.                     JLog::add('Invalid cookie detected.'JLog::WARNING'error');
  136.  
  137.                     return false;
  138.                 }
  139.  
  140.                 list($privateKey$series$uastring$rememberArray;
  141.  
  142.                 if (!JUserHelper::clearExpiredTokens($this))
  143.                 {
  144.                     JLog::add('Error in deleting expired cookie tokens.'JLog::WARNING'error');
  145.                 }
  146.  
  147.                 // Find the matching record if it exists
  148.                 $query $this->db->getQuery(true)
  149.                     ->select($this->db->quoteName(array('user_id''token''series''time''invalid')))
  150.                     ->from($this->db->quoteName('#__user_keys'))
  151.                     ->where($this->db->quoteName('series'' = ' $this->db->quote(base64_encode($series)))
  152.                     ->where($this->db->quoteName('uastring'' = ' $this->db->quote($uastring))
  153.                     ->order($this->db->quoteName('time'' DESC');
  154.  
  155.                 $results $this->db->setQuery($query)->loadObjectList();
  156.  
  157.                 $countResults count($results);
  158.  
  159.                 // We have a user but a cookie that is not in the database, or it is invalid. This is a possible attack, so invalidate everything.
  160.                 if (($countResults === || $results[0]->invalid != 0&& !empty($results[0]->user_id))
  161.                 {
  162.                     JUserHelper::invalidateCookie($results[0]->user_id$uastring);
  163.                     JLog::add(JText::sprintf('PLG_SYSTEM_REMEMBER_ERROR_LOG_INVALIDATED_COOKIES'$user->username)JLog::WARNING'security');
  164.  
  165.                     // Possibly e-mail user and admin here.
  166.                     return false;
  167.                 }
  168.  
  169.                 // We have a user with one cookie with a valid series and a corresponding record in the database.
  170.                 if ($countResults === 1)
  171.                 {
  172.                     if (substr($results[0]->token04=== '$2y$')
  173.                     {
  174.                         if (JCrypt::hasStrongPasswordSupport())
  175.                         {
  176.                             $match password_verify($privateKey$results[0]->token);
  177.                         }
  178.                     }
  179.                     else
  180.                     {
  181.                         if (JCrypt::timingSafeCompare($results[0]->token$privateKey))
  182.                         {
  183.                             $match true;
  184.                         }
  185.                     }
  186.  
  187.                     if (empty($match))
  188.                     {
  189.                         JUserHelper::invalidateCookie($results[0]->user_id$uastring);
  190.                         JLog::add(JText::sprintf('PLG_SYSTEM_REMEMBER_ERROR_LOG_LOGIN_FAILED'$user->username)JLog::WARNING'security');
  191.  
  192.                         return false;
  193.                     }
  194.  
  195.                     // Set up the credentials array to pass to onUserAuthenticate
  196.                     $credentials array(
  197.                         'username' => $results[0]->user_id,
  198.                     );
  199.  
  200.                     return $this->app->login($credentialsarray('silent' => true'lifetime' => $this->lifetime'secure' => $this->secure'length' => $this->length));
  201.                 }
  202.             }
  203.         }
  204.  
  205.         return false;
  206.     }
  207. }
