public static destroy( )
Unset session variables and destroy the session.
public static boolean isAdmin( )
Shorthand admin privileges check.
For added security this could retrieve an encrypted token, preferably the SSL session ID,
although its availability seems to depend on server configuration.
Returns
boolean True if admin, false if not.
public static boolean isExpired( TfishPreference $tfish_preference )
Checks if a session has expired and sets the last-seen activity flag.
Parameters
- $tfish_preference: TfishPreference object.
Returns
boolean True if session has expired, false if not.
public static boolean isClean( )
Checks if client IP address or user agent has changed.
These tests can indicate session hijacking but are by no means definitive; however, they do
indicate elevated risk, and the session should be regenerated as a countermeasure.
Returns
boolean True if IP/user agent are unchanged, false otherwise.
public static login( string $email, string $password )
Authenticate the user and establish a session.
The number of failed login attempts is tracked. Subsequent login attempts will sleep for
an equivalent number of seconds before processing, in order to frustrate brute force attacks.
A successful login will reset the counter to zero. Note that the password field is
unrestricted content.
Parameters
- $email: Input email.
- $password: Input password.
public static twoFactorLogin( string $dirty_password, string $dirty_otp, object $yubikey )
Authenticate the user with two factors and establish a session.
Requires a Yubikey hardware token as the second factor. Note that the authenticator type
is not declared, as the desired response is to log out and redirect, rather than to throw
an error.
Parameters
- $dirty_password: Input password.
- $dirty_otp: Input Yubikey one-time password.
- $yubikey: Instance of the TfishYubikeyAuthenticator class.
public static string loginLink( )
Returns a login or logout link for insertion in the template.
Returns
string HTML login or logout link.
public static logout( string $url_redirect = '' )
Destroys the current session on logout.
Parameters
- $url_redirect: The URL to redirect the user to on logging out.
public static reset( )
Reset session data after a session hijacking check fails. This will force logout.
public static regenerate( )
Regenerates the session ID.
Called whenever there is a privilege escalation (login) or at random intervals to reduce the
risk of session hijacking. Note that the cross-site request forgery validation token remains
the same unless the session is destroyed; this prevents the random session ID regeneration
events from creating false-positive CSRF check failures.
Note that it allows the new and old sessions to co-exist for a short period. This is to
avoid headaches with flaky network connections and asynchronous (AJAX) requests, as explained
in the PHP Manual warning: http://php.net/manual/en/function.session-regenerate-id.php
public static setToken( )
Sets a token for use in cross-site request forgery checks on form submissions.
A random token is generated and stored in the current session (if not already set). The value
of this token is included as a hidden field in forms when they are loaded by the user. This
allows forms to be validated via validateFormToken().
public static start( TfishPreference $tfish_preference )
Initialises a session and sets session cookie parameters to security-conscious values.
Parameters
- $tfish_preference: TfishPreference object.
public static boolean validateToken( string $token )
Validate a cross-site request forgery token from a form submission.
Forms contain a hidden field with a random token taken from the user's session. This token
is used to validate that a form submission did indeed originate from the user, by comparing
the value against that stored in the user's session. If they do not match then the request
could be a forgery and the form submission should be rejected.
Parameters
- $token: A form token to validate against the user's session.
Returns
boolean True if token is valid, otherwise false.
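The CSRF token handling described for setToken()/validateToken() and the session ID rotation described for regenerate(), as an added PHP example that is not Tuskfish's own code. It assumes session_start() has already run; the function names and the 'token' and 'destroyed' session keys are illustrative, not the project's API.

```php
<?php
// Added example, not Tuskfish's own code: a CSRF token pair in the style of
// setToken()/validateToken(), plus a session ID rotation that keeps the token
// and lets the old ID linger briefly, following the PHP manual pattern linked
// from regenerate(). Function and session key names are assumptions.
declare(strict_types=1);

// Generate a token once per session; later calls return the existing value,
// so a rotated session ID does not invalidate forms already open in the browser.
function csrfSetToken(): string
{
    if (empty($_SESSION['token'])) {
        // CSPRNG output, 32 bytes -> 64 hex characters. Never mt_rand()/uniqid().
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

// Compare a submitted token with the session copy in constant time.
function csrfValidateToken(string $token): bool
{
    if ($token === '' || empty($_SESSION['token'])) {
        return false; // nothing issued yet, or nothing submitted: reject
    }
    return hash_equals($_SESSION['token'], $token); // not ===, avoids timing leaks
}

// Rotate the session ID (e.g. after login). delete_old_session = false keeps the
// old record on disk so a late AJAX request with the old cookie still resolves;
// the 'destroyed' timestamp marks that old record as superseded.
function rotateSessionId(): void
{
    $_SESSION['destroyed'] = time();   // written into the OLD record
    session_regenerate_id(false);      // copy data under a fresh ID
    unset($_SESSION['destroyed']);     // new record is not marked superseded
    // $_SESSION['token'] was copied along, so csrfValidateToken() keeps working.
}

// Call right after session_start(): an old ID is tolerated only for the grace
// window; beyond it, treat the request as a hijack signal and force logout.
function sessionIsStale(int $graceSeconds = 60): bool
{
    return isset($_SESSION['destroyed'])
        && $_SESSION['destroyed'] < time() - $graceSeconds;
}
```

In a form handler, emit csrfSetToken() in a hidden field (HTML-escaped) and reject any POST for which csrfValidateToken() returns false; call sessionIsStale() right after session_start() and handle a stale session the way a failed isClean() check is handled, by resetting it.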