<?php
// This is an example that shows how to incorporate uLogin into a webpage.
// It showcases nonces, login authentication, account creation, deletion and
// remember-me functionality, all at the same time in a single page.
// Because of the number of functions shown and all the comments,
// it seems a little bit longish, but fear not.
// This is the one and only public include file for uLogin.
// Include it once on every authentication and for every protected page.
require_once('ulogin/config/all.inc.php');
require_once('ulogin/main.inc.php');

// Make sure the uLogin-managed secure session is up before anything
// below touches $_SESSION.
if (!sses_running()) {
    sses_start();
}
// We define some functions to log in and log out,
// as well as to determine if the user is logged in.
// This is needed because uLogin does not handle access control
// itself.
function isAppLoggedIn(){
    // The application counts a session as logged in only when all three
    // markers set by appLogin() are present and the flag is strictly true.
    if (!isset($_SESSION['uid'], $_SESSION['username'], $_SESSION['loggedIn'])) {
        return false;
    }
    return $_SESSION['loggedIn'] === true;
}
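function appLogin($uid, $username, $ulogin){
    // uLogin success callback: mark the session as logged in and bring the
    // remember-me ("autologin") state in line with what the user asked for.
    //
    // Status text is appended to the global $msg instead of being echoed.
    // This callback runs before header() is sent further down (and some auth
    // backends redirect from inside Authenticate()), so any output here would
    // break header manipulation ("headers already sent").
    global $msg;

    $_SESSION['uid'] = $uid;
    $_SESSION['username'] = $username;
    $_SESSION['loggedIn'] = true;

    // NOTE(review): no session-id regeneration is visible at this privilege
    // change; confirm that sses_start()/uLogin takes care of it.

    $rememberMe = isset($_SESSION['appRememberMeRequested'])
        && ($_SESSION['appRememberMeRequested'] === true);

    if ($rememberMe) {
        // Enable remember-me; the request flag is one-shot, so clear it.
        if (!$ulogin->SetAutologin($username, true)) {
            $msg .= 'cannot enable autologin<br>';
        }
        unset($_SESSION['appRememberMeRequested']);
    } else {
        // Disable remember-me.
        if (!$ulogin->SetAutologin($username, false)) {
            $msg .= 'cannot disable autologin<br>';
        }
    }
}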
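function appLoginFail($uid, $username, $ulogin){
    // uLogin failure callback. $uid, $username or both may be NULL here.
    // The message is recorded in the global $msg rather than echoed, so that
    // no output precedes the header() call further down (or a backend
    // redirect). It is deliberately generic: it does not say whether the
    // username exists.
    global $msg;
    $msg .= 'login failed<br>';
}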
function appLogout(){
    // Drop the application-level login markers from the session.
    // The autologin ("remember me") state is intentionally left untouched in
    // this example so the feature stays easy to test; a real application
    // should disable it here first with
    //   $ulogin->SetAutologin($_SESSION['username'], false);
    unset($_SESSION['uid'], $_SESSION['username'], $_SESSION['loggedIn']);
}
// Store the messages in a variable to prevent interfering with headers manipulation.
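$msg = '';

// The action requested by the user. A plain isset() replaces the '@'
// operator: '@' hides every notice raised while evaluating the expression,
// not only the missing-index one, and masks real errors.
$action = isset($_POST['action']) ? $_POST['action'] : null;

// First uLogin-specific line: construct an instance and hand it the names
// of the two callbacks defined above ('appLogin', 'appLoginFail').
$ulogin = new uLogin('appLogin', 'appLoginFail');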
// First we handle application logic. We make two cases,
// one for logged in users and one for anonymous users.
// We will handle presentation after our logic because what we present is
// also based on the logon state, but the application logic might change whether
// we are logged in or not.
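if (isAppLoggedIn()) {
    // NOTE(review): the logout and delete forms further down carry no nonce,
    // so these two branches accept any cross-site POST (CSRF). A real
    // application should guard them with the same ulNonce check used for
    // 'login' below.
    if ($action === 'delete') {
        if (!$ulogin->DeleteUser($_SESSION['uid'])) {
            $msg = 'account deletion failure';
        } else {
            $msg = 'account deleted ok';
        }
        appLogout();
    } elseif ($action === 'logout') {
        appLogout();
        $msg = 'logged out';
    }
} else {
    // Credentials are only forwarded to uLogin when both fields are present
    // and are plain strings (PHP turns 'user[]=...' style input into arrays).
    $haveCredentials = isset($_POST['user'], $_POST['pwd'])
        && is_string($_POST['user']) && is_string($_POST['pwd']);

    if ($action === 'login') {
        // Verify the nonce first, so only a client that was actually shown
        // our login form can attempt a login. The first argument of
        // ulNonce::Verify must match the one used in ulNonce::Create; beyond
        // that it is arbitrary.
        if (isset($_POST['nonce']) && is_string($_POST['nonce'])
                && ulNonce::Verify('login', $_POST['nonce'])) {
            // Remember the remember-me wish in the session: some auth
            // backends redirect the user away and we need it when they
            // arrive back.
            if (isset($_POST['autologin'])) {
                $_SESSION['appRememberMeRequested'] = true;
            } else {
                unset($_SESSION['appRememberMeRequested']);
            }
            if ($haveCredentials) {
                // Authenticate against the configured backend. Depending on
                // the backend this may redirect and not return. The outcome
                // is reported through the appLogin/appLoginFail callbacks,
                // so nothing more to do here.
                $ulogin->Authenticate($_POST['user'], $_POST['pwd']);
            } else {
                $msg = 'missing username or password';
            }
        } else {
            $msg = 'invalid nonce';
        }
    } elseif ($action === 'autologin') {
        // Remember-me login: no username or password involved.
        $ulogin->Autologin();
        $msg = $ulogin->IsAuthSuccess() ? 'autologin ok' : 'autologin failure';
    } elseif ($action === 'create') {
        // NOTE(review): account creation is not nonce-protected here, so it
        // can be triggered by a cross-site POST as well.
        if (!$haveCredentials) {
            $msg = 'missing username or password';
        } elseif (!$ulogin->CreateUser($_POST['user'], $_POST['pwd'])) {
            $msg = 'account creation failure';
        } else {
            $msg = 'account created';
        }
    }
}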
// Now we handle the presentation, based on whether we are logged in or not.
// Nothing fancy, except where we create the 'login'-nonce towards the end
// while generating the login form.
header('Content-Type: text/html; charset=UTF-8');
// Nothing may have been sent to the client before this line, otherwise
// header() fails with "headers already sent" -- which is why status text is
// collected in $msg and printed below rather than echoed as it happens.
// This inserts a few lines of javascript so that we can debug session problems.
// Very useful if you experience sudden session drops, but it is debugging
// output handed to the browser: keep it out of a live website.
ulLog::ShowDebugConsole();
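if (isAppLoggedIn()) {
    // $msg only ever holds the literal status strings assigned in this file
    // (some contain '<br>'), so it is printed as-is. The username, however,
    // is user-supplied and must be escaped for the HTML context.
    $safeUser = htmlspecialchars((string) $_SESSION['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
?>
<?php echo ($msg);?>
<h3>This is a protected page. You are logged in, <?php echo($safeUser);?>.</h3>
<form action="example.php" method="POST"><input type="hidden" name="action" value="refresh"><input type="submit" value="Refresh page"></form>
<form action="example.php" method="POST"><input type="hidden" name="action" value="logout"><input type="submit" value="Logout"></form>
<form action="example.php" method="POST"><input type="hidden" name="action" value="delete"><input type="submit" value="Delete account"></form>
<?php
} else {
    // The 'login' nonce is created here while rendering the form and checked
    // by ulNonce::Verify('login', ...) when the form comes back. It is placed
    // inside an attribute value, so escape it like any other output.
    $safeNonce = htmlspecialchars((string) ulNonce::Create('login'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
?>
<?php echo ($msg);?>
<h3>uLogin authentication example</h3>
<form action="example.php" method="POST">
<table>
<tr>
<td>
Username:
</td>
<td>
<input type="text" name="user">
</td>
</tr>
<tr>
<td>
Password:
</td>
<td>
<input type="password" name="pwd">
</td>
</tr>
<tr>
<td>
Remember me:
</td>
<td>
<input type="checkbox" name="autologin" value="1">
</td>
</tr>
<tr>
<td>
Action:
</td>
<td>
<select name="action">
<option>login</option>
<option>autologin</option>
<option>create</option>
</select>
</td>
</tr>
<tr>
<td>
Nonce:
</td>
<td>
<input type="text" id="nonce" name="nonce" value="<?php echo($safeNonce);?>">
</td>
</tr>
<tr>
<td>
<input type="submit">
</td>
</tr>
</table>
</form>
<?php
}
?>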