Commit d8e06626 authored by Peter Rotich's avatar Peter Rotich

Abstract nested multi-dimensional session array access.

parent 820ca75c
...@@ -265,9 +265,11 @@ abstract class StaffAuthenticationBackend extends AuthenticationBackend { ...@@ -265,9 +265,11 @@ abstract class StaffAuthenticationBackend extends AuthenticationBackend {
$authkey = $bk::$id.':'.$authkey; $authkey = $bk::$id.':'.$authkey;
//Now set session crap and lets roll baby! //Now set session crap and lets roll baby!
$_SESSION['_auth']['staff'] = array(); //clear. $authsession = &$_SESSION['_auth']['staff'];
$_SESSION['_auth']['staff']['id'] = $staff->getId();
$_SESSION['_auth']['staff']['key'] = $authkey; $authsession = array(); //clear.
$authsession['id'] = $staff->getId();
$authsession['key'] = $authkey;
$staff->setAuthKey($authkey); $staff->setAuthKey($authkey);
$staff->refreshSession(); //set the hash. $staff->refreshSession(); //set the hash.
...@@ -360,10 +362,13 @@ abstract class UserAuthenticationBackend extends AuthenticationBackend { ...@@ -360,10 +362,13 @@ abstract class UserAuthenticationBackend extends AuthenticationBackend {
//Tag the authkey. //Tag the authkey.
$authkey = $bk::$id.':'.$authkey; $authkey = $bk::$id.':'.$authkey;
//Set the session goodies //Set the session goodies
$_SESSION['_auth']['user'] = array(); //clear. $authsession = &$_SESSION['_auth']['user'];
$_SESSION['_auth']['user']['id'] = $user->getId();
$_SESSION['_auth']['user']['key'] = $authkey; $authsession = array(); //clear.
$authsession['id'] = $user->getId();
$authsession['key'] = $authkey;
$_SESSION['TZ_OFFSET'] = $ost->getConfig()->getTZoffset(); $_SESSION['TZ_OFFSET'] = $ost->getConfig()->getTZoffset();
$_SESSION['TZ_DST'] = $ost->getConfig()->observeDaylightSaving(); $_SESSION['TZ_DST'] = $ost->getConfig()->observeDaylightSaving();
...@@ -489,35 +494,37 @@ class StaffAuthStrikeBackend extends AuthStrikeBackend { ...@@ -489,35 +494,37 @@ class StaffAuthStrikeBackend extends AuthStrikeBackend {
$cfg = $ost->getConfig(); $cfg = $ost->getConfig();
if($_SESSION['_auth']['staff']['laststrike']) { $authsession = &$_SESSION['_auth']['staff'];
if((time()-$_SESSION['_auth']['staff']['laststrike'])<$cfg->getStaffLoginTimeout()) {
$_SESSION['_auth']['staff']['laststrike'] = time(); //reset timer. if($authsession['laststrike']) {
if((time()-$authsession['laststrike'])<$cfg->getStaffLoginTimeout()) {
$authsession['laststrike'] = time(); //reset timer.
return new AccessDenied('Max. failed login attempts reached'); return new AccessDenied('Max. failed login attempts reached');
} else { //Timeout is over. } else { //Timeout is over.
//Reset the counter for next round of attempts after the timeout. //Reset the counter for next round of attempts after the timeout.
$_SESSION['_auth']['staff']['laststrike']=null; $authsession['laststrike']=null;
$_SESSION['_auth']['staff']['strikes']=0; $authsession['strikes']=0;
} }
} }
$_SESSION['_auth']['staff']['strikes']+=1; $authsession['strikes']+=1;
if($_SESSION['_auth']['staff']['strikes']>$cfg->getStaffMaxLogins()) { if($authsession['strikes']>$cfg->getStaffMaxLogins()) {
$_SESSION['_auth']['staff']['laststrike']=time(); $authsession['laststrike']=time();
$alert='Excessive login attempts by a staff member?'."\n". $alert='Excessive login attempts by a staff member?'."\n".
'Username: '.$username."\n" 'Username: '.$username."\n"
.'IP: '.$_SERVER['REMOTE_ADDR']."\n" .'IP: '.$_SERVER['REMOTE_ADDR']."\n"
.'TIME: '.date('M j, Y, g:i a T')."\n\n" .'TIME: '.date('M j, Y, g:i a T')."\n\n"
.'Attempts #'.$_SESSION['_auth']['staff']['strikes']."\n" .'Attempts #'.$authsession['strikes']."\n"
.'Timeout: '.($cfg->getStaffLoginTimeout()/60)." minutes \n\n"; .'Timeout: '.($cfg->getStaffLoginTimeout()/60)." minutes \n\n";
$ost->logWarning('Excessive login attempts ('.$username.')', $alert, $ost->logWarning('Excessive login attempts ('.$username.')', $alert,
$cfg->alertONLoginError()); $cfg->alertONLoginError());
return new AccessDenied('Forgot your login info? Contact Admin.'); return new AccessDenied('Forgot your login info? Contact Admin.');
//Log every other failed login attempt as a warning. //Log every other failed login attempt as a warning.
} elseif($_SESSION['_auth']['staff']['strikes']%2==0) { } elseif($authsession['strikes']%2==0) {
$alert='Username: '.$username."\n" $alert='Username: '.$username."\n"
.'IP: '.$_SERVER['REMOTE_ADDR']."\n" .'IP: '.$_SERVER['REMOTE_ADDR']."\n"
.'TIME: '.date('M j, Y, g:i a T')."\n\n" .'TIME: '.date('M j, Y, g:i a T')."\n\n"
.'Attempts #'.$_SESSION['_auth']['staff']['strikes']; .'Attempts #'.$authsession['strikes'];
$ost->logWarning('Failed staff login attempt ('.$username.')', $alert, false); $ost->logWarning('Failed staff login attempt ('.$username.')', $alert, false);
} }
} }
...@@ -534,31 +541,32 @@ class UserAuthStrikeBackend extends AuthStrikeBackend { ...@@ -534,31 +541,32 @@ class UserAuthStrikeBackend extends AuthStrikeBackend {
$cfg = $ost->getConfig(); $cfg = $ost->getConfig();
$_SESSION['_auth']['user'] = array(); $authsession = &$_SESSION['_auth']['user'];
//Check time for last max failed login attempt strike. //Check time for last max failed login attempt strike.
if($_SESSION['_auth']['user']['laststrike']) { if($authsession['laststrike']) {
if((time()-$_SESSION['_auth']['user']['laststrike'])<$cfg->getClientLoginTimeout()) { if((time()-$authsession['laststrike'])<$cfg->getClientLoginTimeout()) {
$_SESSION['_auth']['user']['laststrike'] = time(); //renew the strike. $authsession['laststrike'] = time(); //renew the strike.
return new AccessDenied('You\'ve reached maximum failed login attempts allowed.'); return new AccessDenied('You\'ve reached maximum failed login attempts allowed.');
} else { //Timeout is over. } else { //Timeout is over.
//Reset the counter for next round of attempts after the timeout. //Reset the counter for next round of attempts after the timeout.
$_SESSION['_auth']['user']['laststrike'] = null; $authsession['laststrike'] = null;
$_SESSION['_auth']['user']['strikes'] = 0; $authsession['strikes'] = 0;
} }
} }
$_SESSION['_auth']['user']['strikes']+=1; $authsession['strikes']+=1;
if($_SESSION['_auth']['user']['strikes']>$cfg->getClientMaxLogins()) { if($authsession['strikes']>$cfg->getClientMaxLogins()) {
$_SESSION['_auth']['user']['laststrike'] = time(); $authsession['laststrike'] = time();
$alert='Excessive login attempts by a user.'."\n". $alert='Excessive login attempts by a user.'."\n".
'Login: '.$username.': '.$password."\n". 'Login: '.$username.': '.$password."\n".
'IP: '.$_SERVER['REMOTE_ADDR']."\n".'Time:'.date('M j, Y, g:i a T')."\n\n". 'IP: '.$_SERVER['REMOTE_ADDR']."\n".'Time:'.date('M j, Y, g:i a T')."\n\n".
'Attempts #'.$_SESSION['_auth']['user']['strikes']; 'Attempts #'.$authsession['strikes'];
$ost->logError('Excessive login attempts (user)', $alert, ($cfg->alertONLoginError())); $ost->logError('Excessive login attempts (user)', $alert, ($cfg->alertONLoginError()));
return new AccessDenied('Access Denied'); return new AccessDenied('Access Denied');
} elseif($_SESSION['_auth']['user']['strikes']%2==0) { //Log every other failed login attempt as a warning. } elseif($authsession['strikes']%2==0) { //Log every other failed login attempt as a warning.
$alert='Login: '.$username.': '.$password."\n".'IP: '.$_SERVER['REMOTE_ADDR']. $alert='Login: '.$username.': '.$password."\n".'IP: '.$_SERVER['REMOTE_ADDR'].
"\n".'TIME: '.date('M j, Y, g:i a T')."\n\n".'Attempts #'.$_SESSION['_auth']['user']['strikes']; "\n".'TIME: '.date('M j, Y, g:i a T')."\n\n".'Attempts #'.$authsession['strikes'];
$ost->logWarning('Failed login attempt (user)', $alert); $ost->logWarning('Failed login attempt (user)', $alert);
} }
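Review bot: The alert text built at `'Login: '.$username.': '.$password."\n".` (and again at `$alert='Login: '.$username.': '.$password."\n".'IP: '.$_SERVER['REMOTE_ADDR'].` in the elseif branch) writes the submitted password in cleartext into the log, and since `logError` is passed `$cfg->alertONLoginError()` presumably into an alert e-mail as well; a failed attempt is frequently a near-miss of the real credential, so this leaks secrets into log storage and mail. Both lines should drop the password, e.g. `'Login: '.$username."\n".`, keeping only username, IP and attempt count as the staff variant in the previous hunk already does. Separately, `$authsession['laststrike']` is read at `if($authsession['laststrike']) {` before anything has set it, and the reference taken on the line above creates `$_SESSION['_auth']['user']` as null when it is absent, so `if(isset($authsession['laststrike'])) {` would avoid the undefined-index notice (the same applies to the staff hunk above). The enclosing method's signature and its remainder lie outside the hunk.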