This class is responsible for managing login sessions, mainly concentrating on DB I/O.

Normally, you should not have to work with this class unless you are either writing an authentication front or back end, or a component which includes online status notifications and the like.

The single instance of this class can be accessed as midcom::get('auth')->sessionmgr.

Checking whether a user is online

The is-user-online check requires the current user to hold the privilege midcom:isonline on the user whose status is being checked.

package midcom.services

 Methods

__construct ($auth)

Simple, currently empty default constructor.

Parameters

$auth

_delete_user_sessions (\midcom_core_user $user)

Parameters

$user

_update_user_password (\midcom_core_user $user, string $new)

This function is called by the framework whenever a user's password is updated.

It will synchronize all active login sessions of that user to the new password.

Access to this function is restricted to midcom_core_account.

Parameters

$user

\midcom_core_user: A reference to the user object which has been updated.

$new

string: The new password (plain text).

_update_user_username (\midcom_core_user $user, string $new)

This function is called by the framework whenever a user's username is updated.

It will synchronize all active login sessions of that user to the new username.

Access to this function is restricted to midcom_core_account.

Parameters

$user

\midcom_core_user: A reference to the user object which has been updated.

$new

string: The new username.

authenticate_session (string $sessionid)

This function authenticates a given session, which must have been loaded previously with load_login_session (this is mandatory).

On success, the Auth service main object will automatically be resynced to the authenticated user.

If authentication fails, an invalid session is assumed, which will be invalidated and deleted immediately.

Parameters

$sessionid

string: The session identifier to authenticate against.

Returns

boolean: Indicating success.

delete_session (string $sessionid)

Call this function to drop a session which has been previously loaded successfully.

Usually, you will use this during logouts.

Parameters

$sessionid

string: The id of the session to invalidate.

Returns

boolean: Indicating success.

get_online_users ()

Extended check for online users.

Returns an array of guid=>midcom_core_user pairs of the users which are currently online. This takes privileges into account and will thus only list users which the current user has the privilege to observe.

So the difference between get_online_users_count and the size of this result set is the number of invisible users.

todo Move this to a SELECT DISTINCT for performance reasons ASAP.

Returns

Array: List of visible users that are online.

get_online_users_count ()

Returns the total number of users online.

This does not adhere to the isonline check, as there is no information about which users are online.

The test is, as usual, heuristic, as it will count users which forgot to log off as long as their session did not expire.

todo Move this to a SELECT DISTINCT for performance reasons ASAP.

Returns

int: The count of users online.

is_user_online (\midcom_core_user $user)

Checks the online state of a given user.

You require the privilege midcom:isonline for the user you are going to check. The privilege is not granted by default, to allow users full control over their privacy.

'unknown' is returned in cases where you have insufficient permissions.

Parameters

$user

\midcom_core_user: The user object which has been updated.

Returns

string: One of 'online', 'offline' or 'unknown', indicating the current online state.

_do_midgard_auth (string $username, string $password)

Internal helper, which does the actual Midgard authentication.

Parameters

$username

string: The name of the user to authenticate.

$password

string: The password of the user to authenticate.

Returns

boolean: Indicating success.

_do_trusted_midgard_auth (string $username)

Internal helper, which does the actual trusted Midgard authentication.

Parameters

$username

string: The name of the user to authenticate.

Returns

boolean: Indicating success.

_load_person ($username)

Parameters

$username

_obfuscate_password (string $password)

This function obfuscates a password in some way so that accidental "views" of a password in the database or a log are not immediately a problem.

This is not intended to prevent intrusion, only to prevent somebody who is viewing the logs or debugging the system from simply reading somebody else's passwords (especially given that many users share their passwords across multiple systems).

_unobfuscate_password() is used to restore the password into its original form.

see \_unobfuscate_password()

Parameters

$password

string: The password to obfuscate.

Returns

string: The obfuscated password.

_unobfuscate_password (string $password)

Reverses password obfuscation.

see \_unobfuscate_password()

Parameters

$password

string: The password to obfuscate.

Returns

string: The obfuscated password.
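
The limit stated for _obfuscate_password() above, shown as an added example (not MidCOM's code): a keyless, reversible encoding gives anyone who can read the stored value the password, while a keyed seal stays reversible for the session manager only where the key is available. The page does not specify the actual obfuscation scheme, so base64 is an assumed stand-in; all example_* function names are hypothetical, and ext-sodium is assumed to be installed.

```php
<?php
// Constructed illustration. NOT MidCOM's actual scheme, which the page leaves unspecified.

// Hypothetical keyless obfuscation: hides the password from a casual glance only.
function example_obfuscate(string $password): string
{
    return 'b64:' . base64_encode($password);
}

function example_unobfuscate(string $stored): string
{
    return base64_decode(substr($stored, 4));
}

// Keyed alternative: still reversible, but only with a key that is kept
// outside the database and the logs (assumption: ext-sodium is available).
function example_seal(string $password, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($password, $nonce, $key));
}

// Returns the plaintext, or null when the value is malformed or the key is wrong.
function example_open(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

$password = 'constructed-sample-password';   // constructed sample value
$key = sodium_crypto_secretbox_keygen();     // in practice loaded from outside the DB

$row_obfuscated = example_obfuscate($password);
$row_sealed = example_seal($password, $key);

// Reading the stored row is enough to recover the obfuscated password.
var_dump(example_unobfuscate($row_obfuscated) === $password);
// The sealed value opens with the right key and fails closed with any other key.
var_dump(example_open($row_sealed, $key) === $password);
var_dump(example_open($row_sealed, sodium_crypto_secretbox_keygen()));
```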

 Properties

 

mixed $auth

 

string $current_session_id

Once a session has been authenticated, this variable holds the ID of the current login session.

Care should be taken when using this variable, as quite sensitive information can be obtained with this session id.

 

\midgard_person $person

Currently authenticated midgard_person object
 

\midgard_user $user

Currently authenticated midgard_user object
 

Array $_loaded_sessions

A list of loaded login sessions, indexed by their session identifier.

This is used for authentication purposes.