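$value) { $_SESSION[$key] = $value; } return true; } self::banLoginFailed(); } return false; }

    /**
     * Forget the logged-in user.
     *
     * Only the keys that isLogged() checks are removed ('uid', 'ip',
     * 'expires_on'); 'tokens' and 'longlastingsession' are left in place.
     * NOTE(review): consider also dropping those two and rotating the session
     * id (session_regenerate_id) here, unless login() already resets them —
     * login() starts before this page, so that cannot be confirmed from here.
     */
    public static function logout()
    {
        unset($_SESSION['uid'], $_SESSION['ip'], $_SESSION['expires_on']);
    }

    /**
     * Tell whether the current session is an authenticated, still-valid one.
     *
     * A session is valid when it carries a 'uid', its recorded 'ip' still
     * equals self::_allIPs() (skipped when self::$disableSessionProtection is
     * true) and its 'expires_on' timestamp lies in the future. Any failure
     * calls logout() so a stale session cannot be re-used.
     *
     * Every successful check pushes 'expires_on' forward by
     * self::$inactivityTimeout seconds, plus $_SESSION['longlastingsession']
     * (seconds) when that key is set and non-empty.
     *
     * @return bool true if the user is logged in, false otherwise
     */
    public static function isLogged()
    {
        // A session without a deadline is treated as expired instead of
        // raising an undefined-index notice and comparing time() with null.
        if (!isset($_SESSION['uid'], $_SESSION['expires_on'])) {
            self::logout();
            return false;
        }

        $ipMismatch = false;
        if (self::$disableSessionProtection === false) {
            // A missing 'ip' is a mismatch too (the original compared null).
            $ipMismatch = !isset($_SESSION['ip'])
                || $_SESSION['ip'] !== self::_allIPs();
        }

        if ($ipMismatch || time() >= $_SESSION['expires_on']) {
            self::logout();
            return false;
        }

        // User accessed a page: slide the inactivity deadline forward.
        $_SESSION['expires_on'] = time() + self::$inactivityTimeout;
        if (!empty($_SESSION['longlastingsession'])) {
            $_SESSION['expires_on'] += $_SESSION['longlastingsession'];
        }
        return true;
    }

    /**
     * Create an anti-CSRF token, register it in the session and return it.
     *
     * Tokens are 40 hex characters from the CSPRNG (random_bytes, PHP >= 7.0).
     * The previous derivation, sha1(uniqid().'_'.mt_rand().$salt), was
     * predictable: neither uniqid() nor mt_rand() is cryptographically secure.
     *
     * @param string $salt Kept for backward compatibility with callers; no
     *                     longer mixed in, since the token is not derived from
     *                     anything the caller supplies.
     *
     * @return string Token created
     */
    public static function getToken($salt = '')
    {
        if (!isset($_SESSION['tokens']) || !is_array($_SESSION['tokens'])) {
            $_SESSION['tokens'] = array();
        }
        // Random value generated and remembered server side; same 40-char
        // shape as the former sha1 hex digest.
        $rnd = bin2hex(random_bytes(20));
        $_SESSION['tokens'][$rnd] = 1;
        return $rnd;
    }

    /**
     * Check a token and consume it: a token is accepted exactly once.
     *
     * @param string $token Token to test. Anything that is not a string is
     *                      rejected, so an array-valued form field cannot
     *                      trigger an illegal-offset error in isset().
     *
     * @return bool true if the token was issued by getToken() and not yet
     *              used, false otherwise
     */
    public static function isToken($token)
    {
        if (!is_string($token) || !isset($_SESSION['tokens'][$token])) {
            return false; // Wrong token, or already used.
        }
        unset($_SESSION['tokens'][$token]); // Token is used: destroy it.
        return true;
    }

    /**
     * Signal a failed login.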
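Will ban the IP if too many failures.
     *
     * Failures are counted per $_SERVER['REMOTE_ADDR']; once the count reaches
     * self::$banAfter the address is banned for self::$banDuration seconds.
     * Behind a reverse proxy REMOTE_ADDR is the proxy's address, so every
     * client would then share one counter — TODO confirm the deployment.
     * No-op when self::$banFile is '' (banning disabled).
     */
    public static function banLoginFailed()
    {
        if (self::$banFile === '') {
            return;
        }
        $ip = $_SERVER['REMOTE_ADDR'];
        $gb = self::_banState();
        if (!isset($gb['FAILURES'][$ip])) {
            $gb['FAILURES'][$ip] = 0;
        }
        $gb['FAILURES'][$ip]++;
        // Same threshold as the original "> (banAfter - 1)": the banAfter-th
        // consecutive failure triggers the ban.
        if ($gb['FAILURES'][$ip] >= self::$banAfter) {
            $gb['BANS'][$ip] = time() + self::$banDuration;
        }
        self::_banSave($gb);
    }

    /**
     * Signal a successful login: clear the failure counter and any ban for
     * the current address. No-op when self::$banFile is ''.
     */
    public static function banLoginOk()
    {
        if (self::$banFile === '') {
            return;
        }
        $ip = $_SERVER['REMOTE_ADDR'];
        $gb = self::_banState();
        unset($gb['FAILURES'][$ip], $gb['BANS'][$ip]);
        self::_banSave($gb);
    }

    /**
     * Load the ban state from self::$banFile into $GLOBALS['IPBANS'],
     * creating an empty state file first if there is none.
     *
     * The ban file is PHP source that is include()d, so it must be writable
     * only by the PHP process and should live outside the web root.
     * No-op when self::$banFile is ''.
     */
    public static function banInit()
    {
        if (self::$banFile === '') {
            return;
        }
        if (!is_file(self::$banFile)) {
            self::_banSave(array('FAILURES' => array(), 'BANS' => array()));
        }
        include self::$banFile;
        // A truncated or hand-edited file must not leave the state unusable.
        if (!isset($GLOBALS['IPBANS']['FAILURES'], $GLOBALS['IPBANS']['BANS'])) {
            $GLOBALS['IPBANS'] = array('FAILURES' => array(), 'BANS' => array());
        }
    }

    /**
     * Check whether the current address is allowed to attempt a login.
     *
     * An expired ban is cleared (counter and ban) both on disk and in
     * $GLOBALS['IPBANS']. The original updated only the file, so within the
     * same request banLoginFailed() still read the old counter from
     * $GLOBALS and re-banned the address on its very next failure.
     *
     * @return bool true if the user may try to log in, false if banned
     */
    public static function banCanLogin()
    {
        if (self::$banFile === '') {
            return true;
        }
        $ip = $_SERVER['REMOTE_ADDR'];
        $gb = self::_banState();
        if (!isset($gb['BANS'][$ip])) {
            return true; // Not banned.
        }
        if ($gb['BANS'][$ip] > time()) {
            return false; // Ban still active.
        }
        // Ban expired: forget it and let the user try again.
        unset($gb['FAILURES'][$ip], $gb['BANS'][$ip]);
        self::_banSave($gb);
        return true;
    }

    /**
     * Current ban state, or an empty one if banInit() was never called
     * (the original dereferenced $GLOBALS['IPBANS'] unconditionally).
     *
     * @return array with 'FAILURES' and 'BANS' maps keyed by IP
     */
    private static function _banState()
    {
        if (isset($GLOBALS['IPBANS']) && is_array($GLOBALS['IPBANS'])) {
            return $GLOBALS['IPBANS'];
        }
        return array('FAILURES' => array(), 'BANS' => array());
    }

    /**
     * Persist the ban state to self::$banFile and to $GLOBALS['IPBANS'].
     *
     * The file is written as PHP ("$GLOBALS['IPBANS'] = <var_export>;") so
     * that banInit() can simply include it. var_export() quotes the IP keys,
     * so a REMOTE_ADDR value cannot inject code into the generated file.
     * NOTE(review): the literal written by the original was mangled on this
     * page (only the trailing `, true).";` of the var_export() call survived);
     * this reproduces what that fragment and the include in banInit() imply —
     * verify against the real source.
     * LOCK_EX prevents two requests from interleaving their writes; the
     * read-modify-write across _banState()/_banSave() is still unlocked, so
     * concurrent failures can lose a count.
     *
     * @param array $gb state with 'FAILURES' and 'BANS' maps
     */
    private static function _banSave(array $gb)
    {
        $GLOBALS['IPBANS'] = $gb;
        $php = "<?php\n\$GLOBALS['IPBANS'] = " . var_export($gb, true) . ";\n";
        file_put_contents(self::$banFile, $php, LOCK_EX);
    }
}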