You are here

function _persistent_login_check in Persistent Login 5

Same name and namespace in other branches
  1. 6 persistent_login.module \_persistent_login_check()
  2. 7 persistent_login.module \_persistent_login_check()

_persistent_login_check(). Do the real work. Note that we may be in BOOTSTRAP_PAGE_CACHE mode with few modules loaded.

If a non-logged in user has a valid Persistent Login cookie, log her in, disable the old cookie, and issue a new one for next time. Then reload the current page so the user is logged in from the beginning.

If a non-logged in user has an invalid PL cookie that indicates an attack has occurred, panic.

If a user logged in by Persistent Login tries to access a protected page, redirect them to the login page. Their remembered login is preserved, though, so they can skip the login and keep browsing non-protected pages.

1 call to _persistent_login_check()
persistent_login_init in ./persistent_login.module
Implementation of hook_init(). Persistent Login must operate during init because if page caching is enabled, other hooks are never invoked until the user is already logged in.

File

./persistent_login.module, line 250

Code

function _persistent_login_check() {
  global $user;
  $path = isset($_GET['q']) ? $_GET['q'] : '';

  // Do not interfere with login/logout pages.
  if ($path === 'user/login' || $path === 'logout') {
    return;
  }
  $now = time();
  if ($user->uid == 0 && isset($_COOKIE[PERSISTENT_LOGIN_COOKIE]) && !isset($_SESSION['persistent_login_check'])) {

    // For efficiency, only check once per session unless something changes.
    $_SESSION['persistent_login_check'] = TRUE;
    list($uid, $series, $token) = explode(':', $_COOKIE[PERSISTENT_LOGIN_COOKIE]);
    $res = db_query("SELECT u.name, pl.uid, pl.series as pl_series, pl.token as pl_token, pl.expires as pl_expires FROM {persistent_login} pl INNER JOIN {users} u USING (uid) WHERE u.status = 1 AND pl.uid = %d AND pl.series = '%s'", $uid, $series);
    $r = db_fetch_array($res);
    if (!is_array($r) || count($r) == 0) {

      // $uid:$series is invalid
      return;
    }
    else {
      if ($r['pl_expires'] > 0 && $r['pl_expires'] < time()) {

        // $uid:$series has expired
        return;
      }
    }

    // now, any outcome requires this
    require_once './includes/common.inc';
    require_once './includes/path.inc';
    require_once './includes/theme.inc';
    if ($r['pl_token'] === $token) {

      // The Persistent Login cookie is valid.  $r is a 'user form'
      // that contains only name, uid, pl_series, pl_token, and
      // pl_expires.  Add persistent_login so we and other modules can
      // tell what is going on.
      //
      $r['persistent_login'] = 1;

      // Delete the one-time use persistent login cookie.
      _persistent_login_invalidate('used', 'uid=%d AND series=\'%s\'', $uid, $series);

      // Log in the user.  Use user_login_submit here so
      // hook_user('login') is invoked, login is watchdogged, and db
      // is updated.  Be sure to override persistent_login_login to
      // TRUE (it is set to FALSE in our hook_user).
      //
      drupal_load('module', 'user');
      $user = user_load(array(
        'uid' => $r['uid'],
      ));
      user_login_submit('persistent_login', $r);
      $_SESSION['persistent_login_login'] = TRUE;

      // Only welcome the user back once per session.
      if (empty($_SESSION['persistent_login_welcomed']) && variable_get('persistent_login_welcome', TRUE)) {
        drupal_set_message(t('Welcome back, %name.', array(
          '%name' => $r['name'],
        )));
      }
      $_SESSION['persistent_login_welcomed'] = TRUE;

      // Reload this page as the user.  If page caching is enabled,
      // the user was not logged in until now and so the page may have
      // come from the cache.  Also, some other init hook may care.
      //
      $_REQUEST['destination'] = substr(drupal_get_destination(), 12);
      drupal_goto();

      // not reached
      return;
    }
    else {

      // The Persistent Login cookie is NOT valid, but $uid:$series
      // was right.  This means two browsers are sharing the cookie,
      // so someone is cheating.  Panic.
      // Reset PL state in $_SESSION.
      $d = array();
      _persistent_login_invalidate('stolen', 'uid=%d', $uid);
      persistent_login_user('logout', $d, $user);

      // Delete all open sessions for this user.  Use $uid from the
      // PL cookie, not $user->uid which is still 0.  No need to
      // regenerate the session, user will be anonymous on next visit.
      sess_destroy_uid($uid);

      // Log the event, warn the user.
      watchdog('security', t('Stolen Persistent Login session for user %user detected.', array(
        '%user' => $r['name'],
      )));
      drupal_set_message(t('<p><b>SECURITY ALERT!</b></p><p>You previously logged in to this site and checked the <em>Remember me</em> box.  At that time, this site stored a "login cookie" on your web browser that it uses to identify you each time you return.  However, the login cookie that your browser just provided is incorrect.  One possible cause of this error is that your web browser cookies have been stolen and used by someone else to impersonate you at this site.</p><p>As a precaution, we logged out all of your current sessions and deactivated all your remembered logins to this site.  You can log in again now.</p>'), 'error');
      drupal_goto();
      return;
    }
  }
  else {
    if (isset($_SESSION['persistent_login_login'])) {
      require_once './includes/common.inc';

      // User is logged in only via Persistent Login.  Don't let her
      // visit restricted pages.
      //
      $path = $_GET['q'];
      $page_match = _persistent_login_match($path);
      if ($page_match) {
        $_SESSION['persistent_login_default_user'] = $user->name;
        $user = user_load(array(
          'uid' => 0,
        ));
        unset($_SESSION['persistent_login_check']);
        unset($_SESSION['persistent_login_login']);
        $_SESSION['persistent_login_reauth'] = TRUE;
        unset($_REQUEST['destination']);
        drupal_set_message(t('Please verify your username and password to access this page.'), 'error');
        drupal_goto('user/login', drupal_get_destination());
      }
    }
  }
}