Normally, you should not have to work with this class unless you are either writing an authentication front or back end, or a component which includes online status notifications and the like.
The single instance of this class can be accessed as midcom::get('auth')->sessionmgr.
Checking whether a user is online
The is-user-online check requires the current user to have the privilege midcom:isonline set on the user whose status is being checked.
package | midcom.services |
---|
It will synchronize all active login sessions of that user to the new password.
Access to this function is restricted to midcom_core_account.
\midcom_core_user
A reference to the user object which has been updated.
string
The new password (plain text).

It will synchronize all active login sessions of that user to the new username.
Access to this function is restricted to midcom_core_account.
\midcom_core_user
A reference to the user object which has been updated.
string
The new username.

On success, the Auth service main object will automatically be resynced to the authenticated user.
If authentication fails, an invalid session is assumed, which will be invalidated and deleted immediately.
string
The session identifier to authenticate against.
boolean
Indicating success.

Returns a session identifier. The call will validate the passed credentials and thus authenticate for the given user at the same time, so there is no need to call authenticate_session() after creating it. A failed password check will of course not create a login session.
string
The name of the user to store with the session.
string
The clear text password to store with the session.
string
The client IP to which this session is assigned. This defaults to the client IP reported by Apache.
Array
An array holding the session identifier in the 'session_id' key and the associated user in the 'user' key (take this by reference!). Failure returns false.

Returns a session identifier. The call will validate the passed credentials and thus authenticate for the given user at the same time, so there is no need to call authenticate_session() after creating it.
string
The name of the user to store with the session.
string
The client IP to which this session is assigned. This defaults to the client IP reported by Apache.
Array
An array holding the session identifier in the 'session_id' key and the associated user in the 'user' key (take this by reference!). Failure returns false.

Usually, you will use this during logouts.
string
The id of the session to invalidate.
boolean
Indicating success.

Returns an array of guid=>midcom_core_user pairs of the users which are currently online. This takes privileges into account and will thus only list users which the current user has the privilege to observe.
So the difference between get_online_users_count and the size of this result set is the number of invisible users.
todo | Move this to a SELECT DISTINCT for performance reasons ASAP. |
---|
Array
List of visible users that are online.

This does not adhere to the isonline check, as there is no information about which users are online.
The test is, as usual, heuristic, as it will count users who forgot to log off as long as their session has not expired.
todo | Move this to a SELECT DISTINCT for performance reasons ASAP. |
---|
int
The count of users online.

You require the privilege midcom:isonline for the user you are going to check. The privilege is not granted by default, to allow users full control over their privacy.
'unknown' is returned in cases where you have insufficient permissions.
\midcom_core_user
The user object which has been updated.
string
One of 'online', 'offline' or 'unknown', indicating the current online state.

It validates the client's IP, the user ID and the session timeout. If a valid session is found, its ID is returned again; from then on you can use it as a token for authentication.
This code will implicitly clean up stale sessions for the current user.
string
The Session ID to check for.
\midcom_core_user
The user for which we should look up the login session.
string
The client IP to check against, this defaults to the client IP reported by Apache.
string
The token you can use for authentication or false, in case there is no valid session.

string
The name of the user to authenticate.
string
The password of the user to authenticate.
boolean
Indicating success.

string
The name of the user to authenticate.
boolean
Indicating success.

This is not intended to prevent intrusion, only to prevent somebody who is viewing the logs or debugging the system from simply reading somebody else's passwords (especially given that many users share their passwords across multiple systems).
_unobfuscate_password() is used to restore the password into its original form.
see | \_unobfuscate_password() |
---|
string
The password to obfuscate.
string
The obfuscated password.

see | \_unobfuscate_password() |
---|
string
The password to obfuscate.
string
The obfuscated password.

Care should be taken when using this variable, as quite sensitive information can be obtained with this session id.
This is used for authentication purposes.
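
The session lookup documented above checks the client IP, the user ID and the session timeout, and cleans up stale sessions of the same user along the way. The following is an added, self-contained illustration of that sequence of checks; it is not MidCOM code, and the function name, the array-based store, the field names and the timeout value are all hypothetical.

```php
<?php
// Added illustration, not MidCOM code. All names and values are hypothetical.
const SESSION_TIMEOUT = 3600; // seconds; assumed value

/**
 * Returns the session id when it is valid for this user and client IP,
 * false otherwise. Expired sessions of the same user are removed first.
 */
function load_login_session(array &$store, string $sessionId, string $userId,
                            string $clientIp, int $now)
{
    // Implicit cleanup: drop every expired session belonging to this user.
    foreach ($store as $id => $row) {
        if ($row['user'] === $userId && $now - $row['last_seen'] > SESSION_TIMEOUT) {
            unset($store[$id]);
        }
    }
    if (!isset($store[$sessionId])) {
        return false; // unknown id, or the session was just removed as stale
    }
    $row = $store[$sessionId];
    // The session must belong to this user and come from the IP it is bound to.
    if (!hash_equals($row['user'], $userId) || !hash_equals($row['ip'], $clientIp)) {
        return false;
    }
    return $sessionId; // usable as the authentication token from here on
}

// Constructed sample data (documentation-range IP addresses).
$now = 1700000000;
$store = [
    'sid-live'  => ['user' => 'u1', 'ip' => '192.0.2.10', 'last_seen' => $now - 60],
    'sid-stale' => ['user' => 'u1', 'ip' => '192.0.2.10', 'last_seen' => $now - 7200],
    'sid-other' => ['user' => 'u2', 'ip' => '192.0.2.20', 'last_seen' => $now - 7200],
];

// Case 1: matching user and IP, session within the timeout.
var_dump(load_login_session($store, 'sid-live', 'u1', '192.0.2.10', $now));
// Case 2: same session presented from a different client IP.
var_dump(load_login_session($store, 'sid-live', 'u1', '198.51.100.7', $now));
// Case 3: session older than the timeout (removed by the cleanup pass).
var_dump(load_login_session($store, 'sid-stale', 'u1', '192.0.2.10', $now));
// Sessions left in the store; cleanup only touched the user being checked.
var_dump(array_keys($store));
```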