WebSVN – Applications.papyrus – Diff – /trunk/api/pear/Auth.php

  * @package    Auth
  * @author     Martin Jansen <mj@php.net>
  * @author     Adam Ashley <aashley@php.net>
  * @copyright  2001-2006 The PHP Group
  * @license    http://www.php.net/license/3_01.txt  PHP License 3.01
- * @version    CVS: $Id: Auth.php,v 1.2 2006-12-14 15:04:29 jp_milcent Exp $
+ * @version    CVS: $Id: Auth.php,v 1.3 2007-11-19 15:10:59 jp_milcent Exp $
  * @link       http://pear.php.net/package/Auth
  */
 /**
  * Returned if checkAuthCallback says session should not continue.
  */
 define('AUTH_CALLBACK_ABORT',           -6);
+/**
+ * Auth Log level - INFO
+ */
+define('AUTH_LOG_INFO',     6);
+/**
+ * Auth Log level - DEBUG
+ */
+define('AUTH_LOG_DEBUG',    7);
 /**
  * PEAR::Auth
+ *
  * The PEAR::Auth class provides methods for creating an
  * authentication system using PHP.
  * @package    Auth
  * @author     Martin Jansen <mj@php.net>
  * @author     Adam Ashley <aashley@php.net>
  * @copyright  2001-2006 The PHP Group
  * @license    http://www.php.net/license/3_01.txt  PHP License 3.01
- * @version    Release: 1.4.3  File: $Revision: 1.2 $
+ * @version    Release: 1.5.4  File: $Revision: 1.3 $
  * @link       http://pear.php.net/package/Auth
  */
 class Auth {
      */
     var $authdata;
     /**
       * How many times has checkAuth been called
-      * var int
+      * @var int
       */
+    var $authChecks = 0;
+    /**
+     * PEAR::Log object
+     *
+     * @var object Log
+     */
+    var $logger = null;
+    /**
+     * Whether to enable logging of behaviour
+     *
+     * @var boolean
+     */
+    var $enableLogging = false;
+    /**
+     * Whether to regenerate session id everytime start is called
+     *
+     * @var boolean
+     */
-    var $authChecks = 0;
+    var $regenerateSessionId = false;
     // }}}
     // {{{ Auth() [constructor]
+            }
             if (isset($options['advancedsecurity'])) {
                 $this->advancedsecurity = $options['advancedsecurity'];
                 unset($options['advancedsecurity']);
+            }
+            if (isset($options['enableLogging'])) {
+                $this->enableLogging = $options['enableLogging'];
+                unset($options['enableLogging']);
+            }
+            if (isset($options['regenerateSessionId']) && is_bool($options['regenerateSessionId'])) {
+                $this->regenerateSessionId = $options['regenerateSessionId'];
+            }
+        }
         return($options);
+    }
+    {
         if(!is_object($this->storage)) {
             $this->storage =& $this->_factory($this->storage_driver,
                     $this->storage_options);
             $this->storage->_auth_obj =& $this;
+            $this->log('Loaded storage container ('.$this->storage_driver.')', AUTH_LOG_DEBUG);
             return(true);
+        }
         return(false);
+    }
      * @return void
      * @access private
      */
     function assignData()
+    {
+        $this->log('Auth::assignData() called.', AUTH_LOG_DEBUG);
         if (   isset($this->post[$this->_postUsername])
             && $this->post[$this->_postUsername] != '') {
             $this->username = (get_magic_quotes_gpc() == 1
                     ? stripslashes($this->post[$this->_postUsername])
                     : $this->post[$this->_postUsername]);
      * @return void
      * @access public
      */
     function start()
+    {
+        $this->log('Auth::start() called.', AUTH_LOG_DEBUG);
+        // #10729 - Regenerate session id here if we are generating it on every
+        //          page load.
+        if ($this->regenerateSessionId) {
+            session_regenerate_id(true);
+        }
         $this->assignData();
         if (!$this->checkAuth() && $this->allowLogin) {
             $this->login();
+        }
+    }
      * @return void
      * @access private
      */
     function login()
+    {
+        $this->log('Auth::login() called.', AUTH_LOG_DEBUG);
         $login_ok = false;
         $this->_loadStorage();
         // Check if using challenge response
         // When the user has already entered a username, we have to validate it.
         if (!empty($this->username)) {
             if (true === $this->storage->fetchData($this->username, $this->password, $usingChap)) {
                 $this->session['challengekey'] = md5($this->username.$this->password);
                 $login_ok = true;
+                $this->log('Successful login.', AUTH_LOG_INFO);
+            }
+        }
         if (!empty($this->username) && $login_ok) {
             $this->setAuth($this->username);
+            if (is_callable($this->loginCallback)) {
-            if (is_callable($this->loginCallback)) {
+                $this->log('Calling loginCallback ('.$this->loginCallback.').', AUTH_LOG_DEBUG);
                 call_user_func_array($this->loginCallback, array($this->username, &$this));
+            }
+        }
         // If the login failed or the user entered no username,
+        // output the login screen again.
-        // output the login screen again.
+        if (!empty($this->username) && !$login_ok) {
-        if (!empty($this->username) && !$login_ok) {
+            $this->log('Incorrect login.', AUTH_LOG_INFO);
+            $this->status = AUTH_WRONG_LOGIN;
-            $this->status = AUTH_WRONG_LOGIN;
+            if (is_callable($this->loginFailedCallback)) {
-            if (is_callable($this->loginFailedCallback)) {
+                $this->log('Calling loginFailedCallback ('.$this->loginFailedCallback.').', AUTH_LOG_DEBUG);
                 call_user_func_array($this->loginFailedCallback, array($this->username, &$this));
+            }
+        }
+        if ((empty($this->username) || !$login_ok) && $this->showLogin) {
             $this->log('Rendering Login Form.', AUTH_LOG_INFO);
-        if ((empty($this->username) || !$login_ok) && $this->showLogin) {
+            if (is_callable($this->loginFunction)) {
-            if (is_callable($this->loginFunction)) {
+                $this->log('Calling loginFunction ('.$this->loginFunction.').', AUTH_LOG_DEBUG);
                 call_user_func_array($this->loginFunction, array($this->username, $this->status, &$this));
             } else {
+                // BC fix Auth used to use drawLogin for this
-                // BC fix Auth used to use drawLogin for this
+                // call is sub classes implement this
-                // call is sub classes implement this
+                if (is_callable(array($this, 'drawLogin'))) {
+                    $this->log('Calling Auth::drawLogin()', AUTH_LOG_DEBUG);
+                    return $this->drawLogin($this->username, $this);
                 if (is_callable(array($this, 'drawLogin'))) {
                     return $this->drawLogin($this->username, $this);
                 $this->log('Using default Auth_Frontend_Html', AUTH_LOG_DEBUG);
                 // New Login form
      * @access public
      */
     function setSessionName($name = 'session')
+    {
         $this->_sessionName = '_auth_'.$name;
+        // Make Sure Auth session variable is there
+        if(!isset($_SESSION[$this->_sessionName])) {
+            $_SESSION[$this->_sessionName] = array();
+        }
         $this->session =& $_SESSION[$this->_sessionName];
+    }
     // }}}
      * @return void
      * @access public
      */
     function setAuth($username)
+    {
+        $this->log('Auth::setAuth() called.', AUTH_LOG_DEBUG);
+        // #10729 - Regenerate session id here only if generating at login only
+        //          Don't do it if we are regenerating on every request so we don't
+        //          regenerate it twice in one request.
         if (!$this->regenerateSessionId) {
-        // #2021 - Change the session id to avoid session fixation attacks php 4.3.3 >
+            // #2021 - Change the session id to avoid session fixation attacks php 4.3.3 >
+            session_regenerate_id(true);
         session_regenerate_id(true);
         if (!isset($this->session) || !is_array($this->session)) {
             ? $this->server['REMOTE_ADDR']
             : '';
         $this->session['sessionuseragent'] = isset($this->server['HTTP_USER_AGENT'])
             ? $this->server['HTTP_USER_AGENT']
             : '';
+        $this->session['sessionforwardedfor'] = isset($this->server['HTTP_X_FORWARDED_FOR'])
+            ? $this->server['HTTP_X_FORWARDED_FOR']
+            : '';
         // This should be set by the container to something more safe
         // Like md5(passwd.microtime)
         if(empty($this->session['challengekey'])) {
      * @access public
      * @return boolean  Whether or not the user is authenticated.
      */
     function checkAuth()
+    {
+        $this->log('Auth::checkAuth() called.', AUTH_LOG_DEBUG);
         $this->authChecks++;
         if (isset($this->session)) {
             // Check if authentication session is expired
             if (   $this->expire > 0
                 && isset($this->session['timestamp'])
                 && ($this->session['timestamp'] + $this->expire) < time()) {
+                $this->log('Session Expired', AUTH_LOG_INFO);
                 $this->expired = true;
                 $this->status = AUTH_EXPIRED;
                 $this->logout();
                 return false;
+            }
             // Check if maximum idle time is reached
             if (   $this->idle > 0
                 && isset($this->session['idle'])
+                && ($this->session['idle'] + $this->idle) < time()) {
-                && ($this->session['idle'] + $this->idle) < time()) {
+                $this->log('Session Idle Time Reached', AUTH_LOG_INFO);
                 $this->idled = true;
                 $this->status = AUTH_IDLED;
                 $this->logout();
                 return false;
                 && $this->session['registered'] == true
                 && $this->session['username'] != '') {
                 Auth::updateIdle();
+                if ($this->advancedsecurity) {
-                if ($this->advancedsecurity) {
+                    $this->log('Advanced Security Mode Enabled.', AUTH_LOG_DEBUG);
+                    // Only Generate the challenge once
-                    // Only Generate the challenge once
+                    if($this->authChecks == 1) {
-                    if($this->authChecks == 1) {
+                        $this->log('Generating new Challenge Cookie.', AUTH_LOG_DEBUG);
                         $this->session['challengecookieold'] = $this->session['challengecookie'];
                         $this->session['challengecookie'] = md5($this->session['challengekey'].microtime());
                         setcookie('authchallenge', $this->session['challengecookie']);
+                    }
+                    // Check for ip change
-                    // Check for ip change
+                    if (   isset($this->server['REMOTE_ADDR'])
-                    if (   isset($this->server['REMOTE_ADDR'])
+                        && $this->session['sessionip'] != $this->server['REMOTE_ADDR']) {
-                        && $this->session['sessionip'] != $this->server['REMOTE_ADDR']) {
+                        $this->log('Security Breach. Remote IP Address changed.', AUTH_LOG_INFO);
                         // Check if the IP of the user has changed, if so we
                         // assume a man in the middle attack and log him out
                         $this->expired = true;
                         $this->status = AUTH_SECURITY_BREACH;
+                        $this->logout();
+                        return false;
+                    }
+                    // Check for ip change (if connected via proxy)
+                    if (   isset($this->server['HTTP_X_FORWARDED_FOR'])
+                        && $this->session['sessionforwardedfor'] != $this->server['HTTP_X_FORWARDED_FOR']) {
+                        $this->log('Security Breach. Forwarded For IP Address changed.', AUTH_LOG_INFO);
+                        // Check if the IP of the user connecting via proxy has
+                        // changed, if so we assume a man in the middle attack
+                        // and log him out.
+                        $this->expired = true;
+                        $this->status = AUTH_SECURITY_BREACH;
                         $this->logout();
                         return false;
+                    }
                     // Check for useragent change
-                    // Check for useragent change
+                    if (   isset($this->server['HTTP_USER_AGENT'])
-                    if (   isset($this->server['HTTP_USER_AGENT'])
+                        && $this->session['sessionuseragent'] != $this->server['HTTP_USER_AGENT']) {
-                        && $this->session['sessionuseragent'] != $this->server['HTTP_USER_AGENT']) {
+                        $this->log('Security Breach. User Agent changed.', AUTH_LOG_INFO);
                         // Check if the User-Agent of the user has changed, if
                     // this is the first time and check is skipped
                     // TODO when user open two pages similtaneuly (open in new window,open
                     // in tab) auth breach is caused find out a way around that if possible
                     if (   isset($this->session['challengecookieold'])
                         && $this->session['challengecookieold'] != $this->cookie['authchallenge']) {
+                        $this->log('Security Breach. Challenge Cookie mismatch.', AUTH_LOG_INFO);
                         $this->expired = true;
                         $this->status = AUTH_SECURITY_BREACH;
                         $this->logout();
                         $this->login();
                         return false;
+                    }
+                }
+                if (is_callable($this->checkAuthCallback)) {
-                if (is_callable($this->checkAuthCallback)) {
+                    $this->log('Calling checkAuthCallback ('.$this->checkAuthCallback.').', AUTH_LOG_DEBUG);
                     $checkCallback = call_user_func_array($this->checkAuthCallback, array($this->username, &$this));
+                    if ($checkCallback == false) {
-                    if ($checkCallback == false) {
+                        $this->log('checkAuthCallback failed.', AUTH_LOG_INFO);
                         $this->expired = true;
                         $this->status = AUTH_CALLBACK_ABORT;
                         $this->logout();
                         return false;
+                    }
+                }
                 $this->log('Session OK.', AUTH_LOG_INFO);
                 return true;
+            }
+        }
         $this->log('Unable to locate session storage.', AUTH_LOG_DEBUG);
         return false;
+    }
+    {
         static $staticAuth;
         if(!isset($staticAuth)) {
             $staticAuth = new Auth('null', $options);
+        }
+        $staticAuth->log('Auth::staticCheckAuth() called', AUTH_LOG_DEBUG);
         return $staticAuth->checkAuth();
+    }
     // }}}
      * @access public
      * @return bool  True if the user is logged in, otherwise false.
      */
     function getAuth()
+    {
+        $this->log('Auth::getAuth() called.', AUTH_LOG_DEBUG);
         return $this->checkAuth();
+    }
     // }}}
      * @access public
      * @return void
      */
     function logout()
+    {
+        $this->log('Auth::logout() called.', AUTH_LOG_DEBUG);
-        if (is_callable($this->logoutCallback)) {
+        if (is_callable($this->logoutCallback) && isset($this->session['username'])) {
+            $this->log('Calling logoutCallback ('.$this->logoutCallback.').', AUTH_LOG_DEBUG);
             call_user_func_array($this->logoutCallback, array($this->session['username'], &$this));
+        }
         $this->username = '';
      * @access public
      * @return array
      */
     function listUsers()
+    {
+        $this->log('Auth::listUsers() called.', AUTH_LOG_DEBUG);
         $this->_loadStorage();
         return $this->storage->listUsers();
+    }
      * @return mixed  True on success, PEAR error object on error
      *                and AUTH_METHOD_NOT_SUPPORTED otherwise.
      */
     function addUser($username, $password, $additional = '')
+    {
+        $this->log('Auth::addUser() called.', AUTH_LOG_DEBUG);
         $this->_loadStorage();
         return $this->storage->addUser($username, $password, $additional);
+    }
      * @return mixed  True on success, PEAR error object on error
      *                and AUTH_METHOD_NOT_SUPPORTED otherwise.
      */
     function removeUser($username)
+    {
+        $this->log('Auth::removeUser() called.', AUTH_LOG_DEBUG);
         $this->_loadStorage();
         return $this->storage->removeUser($username);
+    }
      * @return mixed True on success, PEAR error object on error
      *               and AUTH_METHOD_NOT_SUPPORTED otherwise.
      */
     function changePassword($username, $password)
+    {
+        $this->log('Auth::changePassword() called', AUTH_LOG_DEBUG);
         $this->_loadStorage();
         return $this->storage->changePassword($username, $password);
+    }
+    // }}}
+    // {{{ log()
+    /**
+     * Log a message from the Auth system
+     *
+     * @access public
+     * @param string The message to log
+     * @param string The log level to log the message under. See the Log documentation for more info.
+     * @return boolean
+     */
+    function log($message, $level = AUTH_LOG_DEBUG)
+    {
+        if (!$this->enableLogging) return false;
+        $this->_loadLogger();
+        $this->logger->log('AUTH: '.$message, $level);
+    }
+    // }}}
+    // {{{ _loadLogger()
+    /**
+      * Load Log object if not already loaded
+      *
+      * Suspend logger instantiation to make Auth lighter to use
+      * for calls which do not require logging
+      *
+      * @return bool    True if the logger is loaded, false if the logger
+      *                 is already loaded
+      * @access private
+      */
+    function _loadLogger()
+    {
+        if(is_null($this->logger)) {
+            if (!class_exists('Log')) {
+                include_once 'Log.php';
+            }
+            $this->logger =& Log::singleton('null',
+                    null,
+                    'auth['.getmypid().']',
+                    array(),
+                    AUTH_LOG_DEBUG);
+            return(true);
+        }
+        return(false);
+    }
+    // }}}
+    // {{{ attachLogObserver()
+    /**
+     * Attach an Observer to the Auth Log Source
+     *
+     * @param object Log_Observer A Log Observer instance
+     * @return boolean
+     */
+    function attachLogObserver(&$observer) {
+        $this->_loadLogger();
+        return $this->logger->attach($observer);
+    }
     // }}}

Subversion Repositories Applications.papyrus

(root)/trunk/api/pear/Auth.php – Rev 1173 → 1713