friendica/include/auth.php

<?php


require_once('include/security.php');
require_once('include/datetime.php');

function nuke_session() {
	if (get_config('system', 'disable_database_session')) {
		session_unset();
		return;
	}

	new_cookie(0); // make sure cookie is deleted on browser close, as a security measure

	unset($_SESSION['authenticated']);
	unset($_SESSION['uid']);
	unset($_SESSION['visitor_id']);
	unset($_SESSION['administrator']);
	unset($_SESSION['cid']);
	unset($_SESSION['theme']);
	unset($_SESSION['mobile-theme']);
	unset($_SESSION['page_flags']);
	unset($_SESSION['submanage']);
	unset($_SESSION['my_url']);
	unset($_SESSION['my_address']);
	unset($_SESSION['addr']);
	unset($_SESSION['return_url']);

}


// login/logout


if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-params'))) || ($_POST['auth-params'] !== 'login'))) {

	if(((x($_POST,'auth-params')) && ($_POST['auth-params'] === 'logout')) || ($a->module === 'logout')) {

		// process logout request
		call_hooks("logging_out");
		nuke_session();
		info( t('Logged out.') . EOL);
		goaway(z_root());
	}

	if(x($_SESSION,'visitor_id') && (! x($_SESSION,'uid'))) {
		$r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
			intval($_SESSION['visitor_id'])
		);
		if(count($r)) {
			$a->contact = $r[0];
		}
	}

	if(x($_SESSION,'uid')) {

		// already logged in user returning

		$check = get_config('system','paranoia');
		// extra paranoia - if the IP changed, log them out
		if($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {
			logger('Session address changed. Paranoid setting in effect, blocking session. '
				. $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
			nuke_session();
			goaway(z_root());
		}

		$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
		FROM `user` WHERE `uid` = %d AND `blocked` = 0 AND `account_expired` = 0 AND `account_removed` = 0 AND `verified` = 1 LIMIT 1",
			intval($_SESSION['uid'])
		);

		if(! count($r)) {
			nuke_session();
			goaway(z_root());
		}

		// Make sure to refresh the last login time for the user if the user
		// stays logged in for a long time, e.g. with "Remember Me"
		$login_refresh = false;
		if(! x($_SESSION['last_login_date'])) {
			$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');
		}
		if( strcmp(datetime_convert('UTC','UTC','now - 12 hours'), $_SESSION['last_login_date']) > 0 ) {

			$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');
			$login_refresh = true;
		}
		authenticate_success($r[0], false, false, $login_refresh);
	}
}
else {

	if(isset($_SESSION)) {
		nuke_session();
	}

	if((x($_POST,'password')) && strlen($_POST['password']))
		$encrypted = hash('whirlpool',trim($_POST['password']));
	else {
		if((x($_POST,'openid_url')) && strlen($_POST['openid_url']) ||
		   (x($_POST,'username')) && strlen($_POST['username'])) {

			$noid = get_config('system','no_openid');

			$openid_url = trim((strlen($_POST['openid_url'])?$_POST['openid_url']:$_POST['username']) );

			// validate_url alters the calling parameter

			$temp_string = $openid_url;

			// if it's an email address or doesn't resolve to a URL, fail.

			if(($noid) || (strpos($temp_string,'@')) || (! validate_url($temp_string))) {
				$a = get_app();
				notice( t('Login failed.') . EOL);
				goaway(z_root());
				// NOTREACHED
			}

			// Otherwise it's probably an openid.

                        try {
			require_once('library/openid.php');
			$openid = new LightOpenID;
			$openid->identity = $openid_url;
			$_SESSION['openid'] = $openid_url;
			$a = get_app();
			$openid->returnUrl = $a->get_baseurl(true) . '/openid';
                        goaway($openid->authUrl());
                        } catch (Exception $e) {
                            notice( t('We encountered a problem while logging in with the OpenID you provided. Please check the correct spelling of the ID.').'<br /><br >'. t('The error message was:').' '.$e->getMessage());
                        }
			// NOTREACHED
		}
	}

	if((x($_POST,'auth-params')) && $_POST['auth-params'] === 'login') {

		$record = null;

		$addon_auth = array(
			'username' => trim($_POST['username']), 
			'password' => trim($_POST['password']),
			'authenticated' => 0,
			'user_record' => null
		);

		/**
		 *
		 * A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
		 * Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
		 * and later plugins should not interfere with an earlier one that succeeded.
		 *
		 */

		call_hooks('authenticate', $addon_auth);

		if(($addon_auth['authenticated']) && (count($addon_auth['user_record']))) {
			$record = $addon_auth['user_record'];
		}
		else {

			// process normal login request

			$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
				FROM `user` WHERE ( `email` = '%s' OR `nickname` = '%s' )
				AND `password` = '%s' AND `blocked` = 0 AND `account_expired` = 0 AND `account_removed` = 0 AND `verified` = 1 LIMIT 1",
				dbesc(trim($_POST['username'])),
				dbesc(trim($_POST['username'])),
				dbesc($encrypted)
			);
			if(count($r))
				$record = $r[0];
		}

		if((! $record) || (! count($record))) {
			logger('authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR']);
			notice( t('Login failed.') . EOL );
			goaway(z_root());
  		}

		// If the user specified to remember the authentication, then change the cookie
		// to expire after one year (the default is when the browser is closed).
		// If the user did not specify to remember, change the cookie to expire when the
		// browser is closed. The reason this is necessary is because if the user
		// specifies to remember, then logs out and logs back in without specifying to
		// remember, the old "remember" cookie may remain and prevent the session from
		// expiring when the browser is closed.
		//
		// It seems like I should be able to test for the old cookie, but for some reason when
		// I read the lifetime value from session_get_cookie_params(), I always get '0'
		// (i.e. expire when the browser is closed), even when there's a time expiration
		// on the cookie
		if($_POST['remember']) {
			new_cookie(31449600); // one year
		}
		else {
			new_cookie(0); // 0 means delete on browser exit
		}

		// if we haven't failed up this point, log them in.

		$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');
		authenticate_success($record, true, true);
	}
}

function new_cookie($time) {
	if (!get_config('system', 'disable_database_session'))
		$old_sid = session_id();

	session_set_cookie_params($time);

	if (!get_config('system', 'disable_database_session')) {
		session_regenerate_id(false);
		q("UPDATE session SET sid = '%s' WHERE sid = '%s'", dbesc(session_id()), dbesc($old_sid));
	}
}
some changes 2010-07-05 03:45:56 +00:00			`<?php`

paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 07:16:14 +00:00
modularise successful authentication 2012-01-12 23:46:39 +00:00			`require_once('include/security.php');`
refresh login time every 12 hours for 'Remember me' 2012-11-09 00:00:37 +00:00			`require_once('include/datetime.php');`
modularise successful authentication 2012-01-12 23:46:39 +00:00
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 07:16:14 +00:00			`function nuke_session() {`
There is now a config value for the session management to not use the database 2015-12-22 21:11:08 +00:00			`if (get_config('system', 'disable_database_session')) {`
			`session_unset();`
			`return;`
			`}`

delete cookie on browser close after logout 2012-12-24 19:52:49 +00:00			`new_cookie(0); // make sure cookie is deleted on browser close, as a security measure`

paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 07:16:14 +00:00			`unset($_SESSION['authenticated']);`
			`unset($_SESSION['uid']);`
			`unset($_SESSION['visitor_id']);`
			`unset($_SESSION['administrator']);`
			`unset($_SESSION['cid']);`
			`unset($_SESSION['theme']);`
allow individual choice of mobile themes 2012-09-06 23:24:34 +00:00			`unset($_SESSION['mobile-theme']);`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 07:16:14 +00:00			`unset($_SESSION['page_flags']);`
clear submanage, etc from session on logout 2012-05-23 01:05:58 +00:00			`unset($_SESSION['submanage']);`
			`unset($_SESSION['my_url']);`
			`unset($_SESSION['my_address']);`
			`unset($_SESSION['addr']);`
			`unset($_SESSION['return_url']);`
There is now a config value for the session management to not use the database 2015-12-22 21:11:08 +00:00
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 07:16:14 +00:00			`}`


Merge remote-tracking branch 'upstream/develop' into 1512-ostatus-comment Conflicts: include/ostatus.php 2015-12-22 10:25:37 +00:00			`// login/logout`
some changes 2010-07-05 03:45:56 +00:00
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 07:16:14 +00:00


more lint 2010-10-31 23:38:22 +00:00			`if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-params'))) \|\| ($_POST['auth-params'] !== 'login'))) {`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 23:16:29 +00:00
more lint 2010-10-31 23:38:22 +00:00			`if(((x($_POST,'auth-params')) && ($_POST['auth-params'] === 'logout')) \|\| ($a->module === 'logout')) {`
Merge remote-tracking branch 'upstream/develop' into 1512-ostatus-comment Conflicts: include/ostatus.php 2015-12-22 10:25:37 +00:00
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 23:16:29 +00:00			`// process logout request`
add 'loggin_out' hook 2012-03-12 14:58:59 +00:00			`call_hooks("logging_out");`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 07:16:14 +00:00			`nuke_session();`
add info() function. Works like notice() but show messages in a div with class info-message. update code to use info() instead of notice() when appropriate (non-error message) add info-message class style in themes 2011-05-23 09:39:57 +00:00			`info( t('Logged out.') . EOL);`
some more zot changes migrating back to f9a mainline 2011-08-02 04:02:25 +00:00			`goaway(z_root());`
some changes 2010-07-05 03:45:56 +00:00			`}`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 23:16:29 +00:00
bug #70 - error messages on group deletion, warning cleanup 2011-05-15 23:36:49 +00:00			`if(x($_SESSION,'visitor_id') && (! x($_SESSION,'uid'))) {`
missing self photo on remote site comment boxes 2011-05-10 05:15:19 +00:00			$r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
			`intval($_SESSION['visitor_id'])`
			`);`
			`if(count($r)) {`
			`$a->contact = $r[0];`
			`}`
			`}`

some changes 2010-07-05 03:45:56 +00:00			`if(x($_SESSION,'uid')) {`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 23:16:29 +00:00
			`// already logged in user returning`

paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 07:16:14 +00:00			`$check = get_config('system','paranoia');`
			`// extra paranoia - if the IP changed, log them out`
			`if($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {`
There is now a config value for the session management to not use the database 2015-12-22 21:11:08 +00:00			`logger('Session address changed. Paranoid setting in effect, blocking session. '`
handle multiple underscores in D* links 2012-05-27 06:46:42 +00:00			`. $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 07:16:14 +00:00			`nuke_session();`
some more zot changes migrating back to f9a mainline 2011-08-02 04:02:25 +00:00			`goaway(z_root());`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 07:16:14 +00:00			`}`

There is now a config value for the session management to not use the database 2015-12-22 21:11:08 +00:00			$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
Changes to make contacts delete all content from the user when a user is deleted. NOTE: I didn't add "AND account_removed = 0" to facebook.php because I don't have a clone of the addons repository. Please someone do that for me. Thanks. Please check carefully. I tested locally on my server, but not with other servers. 2012-11-02 20:43:47 +00:00			FROM `user` WHERE `uid` = %d AND `blocked` = 0 AND `account_expired` = 0 AND `account_removed` = 0 AND `verified` = 1 LIMIT 1",
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 23:16:29 +00:00			`intval($_SESSION['uid'])`
			`);`

			`if(! count($r)) {`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 07:16:14 +00:00			`nuke_session();`
some more zot changes migrating back to f9a mainline 2011-08-02 04:02:25 +00:00			`goaway(z_root());`
some changes 2010-07-05 03:45:56 +00:00			`}`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 23:16:29 +00:00
refresh login time every 12 hours for 'Remember me' 2012-11-09 00:00:37 +00:00			`// Make sure to refresh the last login time for the user if the user`
			`// stays logged in for a long time, e.g. with "Remember Me"`
			`$login_refresh = false;`
			`if(! x($_SESSION['last_login_date'])) {`
			`$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');`
			`}`
			`if( strcmp(datetime_convert('UTC','UTC','now - 12 hours'), $_SESSION['last_login_date']) > 0 ) {`

			`$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');`
			`$login_refresh = true;`
			`}`
			`authenticate_success($r[0], false, false, $login_refresh);`
some changes 2010-07-05 03:45:56 +00:00			`}`
			`}`
			`else {`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 23:16:29 +00:00
-Wall cleanup 2010-10-30 20:25:37 +00:00			`if(isset($_SESSION)) {`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 07:16:14 +00:00			`nuke_session();`
-Wall cleanup 2010-10-30 20:25:37 +00:00			`}`
theme cleanup 2010-09-19 04:11:18 +00:00
openid logins working 2010-11-18 01:03:27 +00:00			`if((x($_POST,'password')) && strlen($_POST['password']))`
-Wall cleanup 2010-10-30 20:25:37 +00:00			`$encrypted = hash('whirlpool',trim($_POST['password']));`
pull some template strings 2010-11-17 07:26:14 +00:00			`else {`
works on login form 2011-10-17 14:53:59 +00:00			`if((x($_POST,'openid_url')) && strlen($_POST['openid_url']) \|\|`
			`(x($_POST,'username')) && strlen($_POST['username'])) {`
smooth a few rough edges of openid 2010-11-18 23:06:33 +00:00
localise login template, allow openid to be disabled 2010-11-29 04:58:23 +00:00			`$noid = get_config('system','no_openid');`

refactor openid logins/registrations 2012-03-19 22:03:09 +00:00			`$openid_url = trim((strlen($_POST['openid_url'])?$_POST['openid_url']:$_POST['username']) );`
smooth a few rough edges of openid 2010-11-18 23:06:33 +00:00
			`// validate_url alters the calling parameter`

			`$temp_string = $openid_url;`

			`// if it's an email address or doesn't resolve to a URL, fail.`

localise login template, allow openid to be disabled 2010-11-29 04:58:23 +00:00			`if(($noid) \|\| (strpos($temp_string,'@')) \|\| (! validate_url($temp_string))) {`
smooth a few rough edges of openid 2010-11-18 23:06:33 +00:00			`$a = get_app();`
			`notice( t('Login failed.') . EOL);`
some more zot changes migrating back to f9a mainline 2011-08-02 04:02:25 +00:00			`goaway(z_root());`
smooth a few rough edges of openid 2010-11-18 23:06:33 +00:00			`// NOTREACHED`
			`}`

			`// Otherwise it's probably an openid.`

catch OpenID login errors in cases when the OpenID server does not answers 2012-03-30 13:19:17 +00:00			`try {`
smooth a few rough edges of openid 2010-11-18 23:06:33 +00:00			`require_once('library/openid.php');`
			`$openid = new LightOpenID;`
			`$openid->identity = $openid_url;`
			`$_SESSION['openid'] = $openid_url;`
			`$a = get_app();`
There is now a config value for the session management to not use the database 2015-12-22 21:11:08 +00:00			`$openid->returnUrl = $a->get_baseurl(true) . '/openid';`
catch OpenID login errors in cases when the OpenID server does not answers 2012-03-30 13:19:17 +00:00			`goaway($openid->authUrl());`
			`} catch (Exception $e) {`
			`notice( t('We encountered a problem while logging in with the OpenID you provided. Please check the correct spelling of the ID.').'<br /><br >'. t('The error message was:').' '.$e->getMessage());`
			`}`
refactor openid logins/registrations 2012-03-19 22:03:09 +00:00			`// NOTREACHED`
pull some template strings 2010-11-17 07:26:14 +00:00			`}`
			`}`
add IP address to failed login log message 2012-03-20 04:58:21 +00:00
stronger type checking on comparisons 2010-09-27 00:24:20 +00:00			`if((x($_POST,'auth-params')) && $_POST['auth-params'] === 'login') {`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 23:16:29 +00:00
Add sample external authentication plugin (ldap) 2010-12-27 22:59:26 +00:00			`$record = null;`
add authentication plugin hooks 2010-12-24 23:59:12 +00:00
			`$addon_auth = array(`
works on login form 2011-10-17 14:53:59 +00:00			`'username' => trim($_POST['username']),`
add authentication plugin hooks 2010-12-24 23:59:12 +00:00			`'password' => trim($_POST['password']),`
Add sample external authentication plugin (ldap) 2010-12-27 22:59:26 +00:00			`'authenticated' => 0,`
			`'user_record' => null`
add authentication plugin hooks 2010-12-24 23:59:12 +00:00			`);`

			`/**`
			`*`
Add sample external authentication plugin (ldap) 2010-12-27 22:59:26 +00:00			`* A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record`
add authentication plugin hooks 2010-12-24 23:59:12 +00:00			`* Plugins should never set 'authenticated' except to indicate success - as hooks may be chained`
			`* and later plugins should not interfere with an earlier one that succeeded.`
			`*`
			`*/`

			`call_hooks('authenticate', $addon_auth);`

Add sample external authentication plugin (ldap) 2010-12-27 22:59:26 +00:00			`if(($addon_auth['authenticated']) && (count($addon_auth['user_record']))) {`
			`$record = $addon_auth['user_record'];`
			`}`
			`else {`

			`// process normal login request`
add authentication plugin hooks 2010-12-24 23:59:12 +00:00
There is now a config value for the session management to not use the database 2015-12-22 21:11:08 +00:00			$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
			FROM `user` WHERE ( `email` = '%s' OR `nickname` = '%s' )
Changes to make contacts delete all content from the user when a user is deleted. NOTE: I didn't add "AND account_removed = 0" to facebook.php because I don't have a clone of the addons repository. Please someone do that for me. Thanks. Please check carefully. I tested locally on my server, but not with other servers. 2012-11-02 20:43:47 +00:00			AND `password` = '%s' AND `blocked` = 0 AND `account_expired` = 0 AND `account_removed` = 0 AND `verified` = 1 LIMIT 1",
works on login form 2011-10-17 14:53:59 +00:00			`dbesc(trim($_POST['username'])),`
			`dbesc(trim($_POST['username'])),`
add authentication plugin hooks 2010-12-24 23:59:12 +00:00			`dbesc($encrypted)`
			`);`
Add sample external authentication plugin (ldap) 2010-12-27 22:59:26 +00:00			`if(count($r))`
			`$record = $r[0];`
add authentication plugin hooks 2010-12-24 23:59:12 +00:00			`}`

Add sample external authentication plugin (ldap) 2010-12-27 22:59:26 +00:00			`if((! $record) \|\| (! count($record))) {`
There is now a config value for the session management to not use the database 2015-12-22 21:11:08 +00:00			`logger('authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR']);`
Add sample external authentication plugin (ldap) 2010-12-27 22:59:26 +00:00			`notice( t('Login failed.') . EOL );`
some more zot changes migrating back to f9a mainline 2011-08-02 04:02:25 +00:00			`goaway(z_root());`
Add sample external authentication plugin (ldap) 2010-12-27 22:59:26 +00:00			`}`

add ability to remember logged in user after browser closes 2012-11-08 01:59:30 +00:00			`// If the user specified to remember the authentication, then change the cookie`
			`// to expire after one year (the default is when the browser is closed).`
			`// If the user did not specify to remember, change the cookie to expire when the`
			`// browser is closed. The reason this is necessary is because if the user`
			`// specifies to remember, then logs out and logs back in without specifying to`
			`// remember, the old "remember" cookie may remain and prevent the session from`
			`// expiring when the browser is closed.`
			`//`
			`// It seems like I should be able to test for the old cookie, but for some reason when`
			`// I read the lifetime value from session_get_cookie_params(), I always get '0'`
			`// (i.e. expire when the browser is closed), even when there's a time expiration`
			`// on the cookie`
			`if($_POST['remember']) {`
delete cookie on browser close after logout 2012-12-24 19:52:49 +00:00			`new_cookie(31449600); // one year`
add ability to remember logged in user after browser closes 2012-11-08 01:59:30 +00:00			`}`
			`else {`
delete cookie on browser close after logout 2012-12-24 19:52:49 +00:00			`new_cookie(0); // 0 means delete on browser exit`
add ability to remember logged in user after browser closes 2012-11-08 01:59:30 +00:00			`}`

modularise successful authentication 2012-01-12 23:46:39 +00:00			`// if we haven't failed up this point, log them in.`
add authentication plugin hooks 2010-12-24 23:59:12 +00:00
refresh login time every 12 hours for 'Remember me' 2012-11-09 00:00:37 +00:00			`$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');`
modularise successful authentication 2012-01-12 23:46:39 +00:00			`authenticate_success($record, true, true);`
some changes 2010-07-05 03:45:56 +00:00			`}`
			`}`

delete cookie on browser close after logout 2012-12-24 19:52:49 +00:00			`function new_cookie($time) {`
Yes is no and no is yes ... 2015-12-25 18:57:38 +00:00			`if (!get_config('system', 'disable_database_session'))`
There is now a config value for the session management to not use the database 2015-12-22 21:11:08 +00:00			`$old_sid = session_id();`
Merge remote-tracking branch 'upstream/develop' into 1512-ostatus-comment Conflicts: include/ostatus.php 2015-12-22 10:25:37 +00:00
			`session_set_cookie_params($time);`
some changes 2010-07-05 03:45:56 +00:00
Yes is no and no is yes ... 2015-12-25 18:57:38 +00:00			`if (!get_config('system', 'disable_database_session')) {`
There is now a config value for the session management to not use the database 2015-12-22 21:11:08 +00:00			`session_regenerate_id(false);`
			`q("UPDATE session SET sid = '%s' WHERE sid = '%s'", dbesc(session_id()), dbesc($old_sid));`
			`}`
delete cookie on browser close after logout 2012-12-24 19:52:49 +00:00			`}`