[Summary view] [Print] [Text view]

   1  <?php
   2  /**
   3  * @version        $Id: remember.php 22244 2011-10-16 15:50:00Z dextercowley $
   4  * @package        Joomla
   5  * @copyright    Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
   6  * @license        GNU/GPL, see LICENSE.php
   7  * Joomla! is free software. This version may have been modified pursuant
   8  * to the GNU General Public License, and as distributed it includes or
   9  * is derivative of works licensed under the GNU General Public License or
  10  * other free or open source software licenses.
  11  * See COPYRIGHT.php for copyright notices and details.
  12  */
  13  
  14  // no direct access
  15  defined( '_JEXEC' ) or die( 'Restricted access' );
  16  
  17  jimport( 'joomla.plugin.plugin' );
  18  
  19  /**
  20   * Joomla! System Remember Me Plugin
  21   *
  22   * @package        Joomla
  23   * @subpackage    System
  24   */
  25  class plgSystemRemember extends JPlugin
  26  {
  27      /**
  28       * Constructor
  29       *
  30       * For php4 compatability we must not use the __constructor as a constructor for plugins
  31       * because func_get_args ( void ) returns a copy of all passed arguments NOT references.
  32       * This causes problems with cross-referencing necessary for the observer design pattern.
  33       *
  34       * @access    protected
  35       * @param    object    $subject The object to observe
  36       * @param     array   $config  An array that holds the plugin configuration
  37       * @since    1.0
  38       */
  39  	function plgSystemRemember(& $subject, $config) {
  40          parent::__construct($subject, $config);
  41      }
  42  
  43  	function onAfterInitialise()
  44      {
  45          global $mainframe;
  46  
  47          // No remember me for admin
  48          if ($mainframe->isAdmin()) {
  49              return;
  50          }
  51  
  52          $user = &JFactory::getUser();
  53          if (!$user->get('gid'))
  54          {
  55              jimport('joomla.utilities.utility');
  56              $hash = JUtility::getHash('JLOGIN_REMEMBER');
  57  
  58              if ($str = JRequest::getString($hash, '', 'cookie', JREQUEST_ALLOWRAW | JREQUEST_NOTRIM))
  59              {
  60                  jimport('joomla.utilities.simplecrypt');
  61  
  62                  // Create the encryption key, apply extra hardening using the user agent string
  63                  // Since we're decoding, no UA validity check is required.
  64                  $key = JUtility::getHash(@$_SERVER['HTTP_USER_AGENT']);
  65  
  66                  $crypt = new JSimpleCrypt($key);
  67                  $str = $crypt->decrypt($str);
  68                  $cookieData = @unserialize($str);
  69                  // Deserialized cookie could be any object structure, so make sure the 
  70                  // credentials are well structured and only have user and password.
  71                  $credentials = array();
  72                  if (!is_array($credentials)) {
  73                      return;
  74                  }
  75                  if (!isset($cookieData['username']) || !is_string($cookieData['username'])) {
  76                      return;
  77                  }
  78                  $credentials['username'] = JFilterInput::clean($cookieData['username'], 'username');
  79                  if (!isset($cookieData['password']) || !is_string($cookieData['password'])) {
  80                      return;
  81                  }
  82                  $credentials['password'] = JFilterInput::clean($cookieData['password'], 'string');
  83  
  84                  if (!$mainframe->login($credentials, array('silent' => true))) {
  85                      // Clear the remember me cookie
  86                      setcookie( JUtility::getHash('JLOGIN_REMEMBER'), false, time() - 86400, '/' );
  87                  }
  88              }
  89          }
  90      }
  91  }