loader.web.auth.php ➔ ldGenerateSessionKeyCheck() - Code Metrics - Ariadne-CMS/ariadne - Measure and Improve Code Quality continuously with Scrutinizer

loader.web.auth.php ➔ ldGenerateSessionKeyCheck() A
last analyzed 2018-12-19 18:24 UTC

↳ Parent: Project

Complexity

Conditions	1
Paths	1

Size

Total Lines

Duplication

Lines	7
Ratio	100 %

Code Coverage

Tests	0
CRAP Score	2

Importance

Changes

Metric	Value
cc	1
nc	1
nop	0
dl	7
loc	7
rs	10
c	0
b	0
f	0
ccs	0
cts	6
cp	0
crap	2

<?php

	function ldGetCurrentTemplate( $function ) {
		if ( isset($function) ) {
			return $function;
		} else {
			$me = ar_ariadneContext::getObject();
			if ($me) {
				$context = $me->getContext();
				return $context['arCallFunction'];
			}
		}
		return null;
	}

	function ldSetCredentials($login, $ARUserDir="/system/users/") {
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
		global $ARCurrent, $AR;
		if (!$ARUserDir || $ARUserDir == "") {
			$ARUserDir = "/system/users/";
		}

		// Make sure the login is lower case. Because of the
		// numerous checks on "admin".
		$login = strtolower( $login );

		debug("ldSetCredentials($login)","object");

		if (!$ARCurrent->session) {
			ldStartSession();
		} else {
			/* use the same sessionid if the user didn't login before */
			ldStartSession($ARCurrent->session->id);
		}
		$ARCurrent->session->put("ARLogin", $login);
		$ARCurrent->session->put("ARUserDir", $ARUserDir, true);

		/* create the session key */
		$session_key = bin2hex(random_bytes(16));

		$ARCurrent->session->put("ARSessionKey", $session_key, true);
		$ARCurrent->session->put("ARSessionTimedout", 0, 1);

		/* now save our session */
		$ARCurrent->session->save();

		$cookies = (array)$_COOKIE["ARSessionCookie"];
		$https = ($_SERVER['HTTPS']=='on');

		$currentCookies = array();

		foreach($cookies as $sessionid => $cookie){
			if(!$AR->hideSessionIDfromURL){
				if (!$ARCurrent->session->sessionstore->exists("/$sessionid/")) {
					$data = ldDecodeCookie($cookie);
					if(is_array($data)) {
						// don't just kill it, it may be from another ariadne installation
						if ($data['timestamp']<(time()-86400)) {
							// but do kill it if it's older than one day
							unset($cookies[$sessionid]);
							setcookie("ARSessionCookie[".$sessionid."]",false);
						} else {
							$currentCookies[$sessionid] = $data['timestamp'];
						}
					}
				}
			}
		}

		// Keep a maximum of 15 session cookies for one client
		if (sizeof($currentCookies) > 15) {
			sort($currentCookies);
			$removed = array_slice(array_keys($input), 15); // grab the session ids for all the older sessions

			foreach ($removed as $sessionid) {
				// and kill those sessions
				unset($cookies[$sessionid]);
				setcookie("ARSessionCookie[".$sessionid."]",false);
			}
		}

		if( $ARCurrent->session->id !== 0) {
			$data = array();

			$data['login']=$login;
			$data['timestamp']=time();
			$data['check']=ldGenerateSessionKeyCheck();

			$cookie=ldEncodeCookie($data);
			$cookiename = "ARSessionCookie[".$ARCurrent->session->id."]";

			header('P3P: CP="NOI CUR OUR"');
			setcookie('ARCurrentSession', $ARCurrent->session->id, 0, '/', false, $https, true);
			setcookie($cookiename,$cookie, 0, '/', false, $https, true);
		}
	}

	function ldAccessTimeout($path, $message, $args = null, $function = null) {

	global $ARCurrent, $store;
		/*
			since there is no 'peek' function, we need to pop and push
			the arCallArgs variable.
		*/

		if( isset( $args ) ) {
			$arCallArgs = $args;
		} else {
			$arCallArgs = @array_pop($ARCurrent->arCallStack);
			@array_push($ARCurrent->arCallStack, $arCallArgs);
		}

		$eventData = new baseObject();
		$eventData->arCallPath = $path;

		$eventData->arCallFunction = ldGetCurrentTemplate( $function );

		$eventData->arCallArgs = $arCallArgs;

		$eventData->arLoginMessage = $message;

		$eventData->arReason = 'access timeout';

		$eventData = ar_events::fire( 'onaccessdenied', $eventData );
		if ( $eventData ) {

			$arCallArgs = $eventData->arCallArgs;
			$arCallArgs["arLoginMessage"] = $eventData->message;

			if (!$ARCurrent->arLoginSilent) {
				$ARCurrent->arLoginSilent = true;
				$store->call("user.session.timeout.html",
					$arCallArgs,
					$store->get($path) );
			}

		}
	}

	function ldAccessDenied($path, $message, $args = null, $function = null) {
/**
 * @ignore
 */
function getUser() {

}

function getUser($id, $realm) {

}
	global $ARCurrent, $store;
		/*
			since there is no 'peek' function, we need to pop and push
			the arCallArgs variable.
		*/

		if( isset( $args ) ) {
			$arCallArgs = $args;
		} else {
			$arCallArgs = @array_pop($ARCurrent->arCallStack);
			@array_push($ARCurrent->arCallStack, $arCallArgs);
		}

		$eventData = new baseObject();
		$eventData->arCallPath = $path;

		$eventData->arCallFunction = ldGetCurrentTemplate( $function );

		$eventData->arCallArgs = $arCallArgs;

		$eventData->arLoginMessage = $message;

		$eventData->arReason = 'access denied';


		$eventData = ar_events::fire( 'onaccessdenied', $eventData );

		if ( $eventData ) {

			$arCallArgs = $eventData->arCallArgs;
			$arCallArgs["arLoginMessage"] = $eventData->message;

			if (!$ARCurrent->arLoginSilent) {
				$ARCurrent->arLoginSilent = true;
				$store->call("user.login.html",
					$arCallArgs,
					$store->get($path) );
			}
		}
	}

	function ldAccessPasswordExpired($path, $message, $args=null, $function = null) {

	global $ARCurrent, $store;
		/*
			since there is no 'peek' function, we need to pop and push
			the arCallArgs variable.
		*/

		if( isset( $args ) ) {
			$arCallArgs = $args;
		} else {
			$arCallArgs = @array_pop($ARCurrent->arCallStack);
			@array_push($ARCurrent->arCallStack, $arCallArgs);
		}

		$eventData = new baseObject();
		$eventData->arCallPath = $path;

		$eventData->arCallFunction = ldGetCurrentTemplate( $function );

		$eventData->arLoginMessage = $message;

		$eventData->arReason = 'password expired';

		$eventData->arCallArgs = $arCallArgs;

		$eventData = ar_events::fire( 'onaccessdenied', $eventData );
		if ( $eventData ) {

			$arCallArgs = $eventData->arCallArgs;
			$arCallArgs["arLoginMessage"] = $eventData->arLoginMessage;

			if (!$ARCurrent->arLoginSilent) {
				$ARCurrent->arLoginSilent = true;
				$store->call("user.password.expired.html",
					$arCallArgs,
					$store->get($path) );
			}
		}

	}

	function ldGenerateSessionKeyCheck() {

	global $ARCurrent;
		$session_key = $ARCurrent->session->get('ARSessionKey', true);
		$ARUserDir   = $ARCurrent->session->get('ARUserDir', true);
		$login       = $ARCurrent->session->get('ARLogin');
		return "{".md5($login.$ARUserDir.$session_key)."}";
	}

	function ldGetCredentials() {
/**
 * @ignore
 */
function getUser() {

}

function getUser($id, $realm) {

}
		debug("ldGetCredentials()","object");
		$ARSessionCookie = $_COOKIE["ARSessionCookie"];
		return $ARSessionCookie;
	}

	function ldCheckCredentials($login) {
/**
 * @ignore
 */
function getUser() {

}

function getUser($id, $realm) {

}
	global $ARCurrent, $AR;
		debug("ldCheckCredentials($login)","object");
		$result=false;
		$cookie=ldGetCredentials();
		$data = ldDecodeCookie($cookie[$ARCurrent->session->id]);
		if ($login === $data['login']
			&& ($saved=$data['check'])) {
			$check=ldGenerateSessionKeyCheck();
			if ($check === $saved && !$ARCurrent->session->get('ARSessionTimedout', 1)) {
				$result=true;
			} else {
				debug("login check failed","all");
			}
		} else {
			$ARSessionKeyCheck = $_GET['ARSessionKeyCheck'];
			if (!$ARSessionKeyCheck) {
				$ARSessionKeyCheck = $_POST['ARSessionKeyCheck'];
			}
			if ($ARSessionKeyCheck) {
				debug("ldCheckCredentials: trying ARSessionKeyCheck ($ARSessionKeyCheck)");
				if ($ARSessionKeyCheck == ldGenerateSessionKeyCheck()) {
					$result = true;
				}
			} else {
				debug("wrong login or corrupted cookie","all");
			}
		}
		return $result;
	}

	function ldDecodeCookie($cookie) {

		global $AR;
		$data = json_decode($cookie,true);
		if(is_null($data)){
			if(isset($AR->sessionCryptoKey) && function_exists('mcrypt_encrypt') ) {
				$key = base64_decode($AR->sessionCryptoKey);
				$crypto = new ar_crypt($key,MCRYPT_RIJNDAEL_256,1);
				$data = json_decode($crypto->decrypt($cookie),true);
			}
		}

		return $data;
	}

	function ldEncodeCookie($cookie) {

		global $AR;
		$data = json_encode($cookie);
		if(isset($AR->sessionCryptoKey) && function_exists('mcrypt_encrypt') ) {
			$key = base64_decode($AR->sessionCryptoKey);
			$crypto = new ar_crypt($key,MCRYPT_RIJNDAEL_256,1);
			$encdata = $crypto->crypt($data);
			if($encdata !== false) {
				$data = $encdata;
			}
		}
		return $data;
	}


1			<?php
2
3			function ldGetCurrentTemplate( $function ) {
4			if ( isset($function) ) {
5			return $function;
6			} else {
7			$me = ar_ariadneContext::getObject();
8			if ($me) {
9			$context = $me->getContext();
10			return $context['arCallFunction'];
11			}
12			}
13			return null;
14			}
15
16			function ldSetCredentials($login, $ARUserDir="/system/users/") {
			0 ignored issues – show Coding Style introduced 2015-11-26 08:52 UTC by Report Bug Copy Issue Report `ldSetCredentials` uses the super-global variable `$_COOKIE` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history... Coding Style introduced 2015-11-26 08:52 UTC by Report Bug Copy Issue Report `ldSetCredentials` uses the super-global variable `$_SERVER` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history... Best Practice introduced 2016-02-15 09:55 UTC by Report Bug Copy Issue Report The function `ldSetCredentials()` has been defined more than once; this definition is ignored, only the first definition in `lib/includes/loader.cmd.php` (L127-128) is considered. This check looks for functions that have already been defined in other files. Some Codebases, like WordPress, make a practice of defining functions multiple times. This may lead to problems with the detection of function parameters and types. If you really need to do this, you can mark the duplicate definition with the `@ignore` annotation. /** * @ignore */ function getUser() { } function getUser($id, $realm) { } See also the PhpDoc documentation for @ignore. Loading history...
17			global $ARCurrent, $AR;
18			if (!$ARUserDir \|\| $ARUserDir == "") {
19			$ARUserDir = "/system/users/";
20			}
21
22			// Make sure the login is lower case. Because of the
23			// numerous checks on "admin".
24			$login = strtolower( $login );
25
26			debug("ldSetCredentials($login)","object");
27
28			if (!$ARCurrent->session) {
29			ldStartSession();
30			} else {
31			/* use the same sessionid if the user didn't login before */
32			ldStartSession($ARCurrent->session->id);
33			}
34			$ARCurrent->session->put("ARLogin", $login);
35			$ARCurrent->session->put("ARUserDir", $ARUserDir, true);
36
37			/* create the session key */
38			$session_key = bin2hex(random_bytes(16));
39

Ariadne-CMS / ariadne

loader.web.auth.php ➔ ldGenerateSessionKeyCheck() A last analyzed 2018-12-19 18:24 UTC

Complexity

Size

Duplication

Code Coverage

Importance

Duplication Side-by-Side

Filter issues like

loader.web.auth.php ➔ ldGenerateSessionKeyCheck() A
last analyzed 2018-12-19 18:24 UTC