Commit 17385697 authored by Taylor Otwell's avatar Taylor Otwell

continuing to work on the remember me authentication.

parent 6178a968
...@@ -91,4 +91,15 @@ return array( ...@@ -91,4 +91,15 @@ return array(
'domain' => null, 'domain' => null,
/*
|--------------------------------------------------------------------------
| HTTPS Only Session Cookie
|--------------------------------------------------------------------------
|
| Determines if the cookie should only be sent over HTTPS.
|
*/
'secure' => false,
); );
\ No newline at end of file
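Review bot: The new `'secure' => false` default leaves the session cookie without the Secure attribute unless the application overrides it, and the same applies to the year-long "remember me" cookie, which `Auth::remember()` configures from the same array. The option comment should say so, for example `| Set this to true when the application is served over HTTPS; the "remember me" cookie uses the same setting.` A default of false is understandable for plain-HTTP development, but the consequence for the long-lived cookie is not obvious from this file alone.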
...@@ -26,7 +26,7 @@ class Cookie { ...@@ -26,7 +26,7 @@ class Cookie {
} }
/** /**
* Set a "permanent" cookie. The cookie will last 5 years. * Set a "permanent" cookie. The cookie will last for one year.
* *
* @param string $name * @param string $name
* @param string $value * @param string $value
...@@ -38,7 +38,7 @@ class Cookie { ...@@ -38,7 +38,7 @@ class Cookie {
*/ */
public static function forever($name, $value, $path = '/', $domain = null, $secure = false, $http_only = false) public static function forever($name, $value, $path = '/', $domain = null, $secure = false, $http_only = false)
{ {
return static::put($name, $value, 2628000, $path, $domain, $secure, $http_only); return static::put($name, $value, 525600, $path, $domain, $secure, $http_only);
} }
/** /**
......
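Review bot: The lifetime passed to `put()` in `forever()` is a bare `525600` with no unit, so the reader has to work out that it is apparently minutes (365 × 24 × 60). A short comment above the return, `// 525600 minutes = one year`, or a named constant would keep the docblock and the value from drifting apart again. The method's docblock is only partly visible in these hunks.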
...@@ -2,6 +2,7 @@ ...@@ -2,6 +2,7 @@
use Laravel\IoC; use Laravel\IoC;
use Laravel\Config; use Laravel\Config;
use Laravel\Cookie;
use Laravel\Session\Payload; use Laravel\Session\Payload;
class Auth { class Auth {
...@@ -20,6 +21,13 @@ class Auth { ...@@ -20,6 +21,13 @@ class Auth {
*/ */
const user_key = 'laravel_user_id'; const user_key = 'laravel_user_id';
/**
* The key used when setting the "remember me" cookie.
*
* @var string
*/
const remember_key = 'laravel_remember';
/** /**
* Determine if the current user of the application is authenticated. * Determine if the current user of the application is authenticated.
* *
...@@ -50,18 +58,20 @@ class Auth { ...@@ -50,18 +58,20 @@ class Auth {
{ {
if ( ! is_null(static::$user)) return static::$user; if ( ! is_null(static::$user)) return static::$user;
$id = IoC::container()->core('session')->get(Auth::user_key); static::$user = call_user_func(Config::get('auth.user'), IoC::container()->core('session')->get(Auth::user_key));
static::$user = call_user_func(Config::get('auth.user'), $id);
if (is_null(static::$user) AND ! is_null($cookie = Crypter::decrypt(\Cookie::get('remember')))) // If no user was returned by the closure, and a "remember me" cookie exists,
// we will attempt to login the user using the ID that is encrypted into the
// cookie value by the "remember" method.
if (is_null(static::$user) and ! is_null($cookie = Cookie::get(Auth::remember_key)))
{ {
$cookie = explode('|', $cookie); // The decrypted value of the remember cookie should look like {id}|{random}.
if ($cookie[2] == md5(\Request::server('HTTP_USER_AGENT')) // We will extract out the ID and pass it to the "user" closure to attempt
AND ! is_null(static::$user = call_user_func(Config::get('auth.user'), $cookie[0]))) // to login the user. If a user is returned, their ID will be stored in
{ // the session like normal and they will be considered logged in.
static::login(static::$user); $id = substr(Crypter::decrypt($cookie), 0, strpos($cookie, '|'));
}
if ( ! is_null($user = call_user_func(Config::get('auth.user'), $id))) static::login($user);
} }
return static::$user; return static::$user;
...@@ -70,22 +80,24 @@ class Auth { ...@@ -70,22 +80,24 @@ class Auth {
/** /**
* Attempt to log a user into the application. * Attempt to log a user into the application.
* *
* If the given credentials are valid, the user will be considered logged into * If the given credentials are valid, the user will be logged into the application
* the application and their user ID will be stored in the session data. * and their user ID will be stored in the session data.
*
* The user may also be "remembered". When this option is set, the user will be
* automatically logged into the application for one year via an encrypted cookie
* containing their ID. Of course, if the user logs out of the application,
* they will no longer be remembered.
* *
* @param string $username * @param string $username
* @param string $password * @param string $password
* @param bool $remember * @param bool $remember
* @param int $ttl - Default is one week.
* @return bool * @return bool
*/ */
public static function attempt($username, $password = null, $remember = false, $ttl = 10080) public static function attempt($username, $password = null, $remember = false)
{ {
if ( ! is_null($user = call_user_func(Config::get('auth.attempt'), $username, $password))) if ( ! is_null($user = call_user_func(Config::get('auth.attempt'), $username, $password)))
{ {
static::login($user); static::login($user, $remember);
if ($remember) static::remember($user);
return true; return true;
} }
...@@ -99,15 +111,36 @@ class Auth { ...@@ -99,15 +111,36 @@ class Auth {
* The user ID will be stored in the session so it is available on subsequent requests. * The user ID will be stored in the session so it is available on subsequent requests.
* *
* @param object $user * @param object $user
* @param bool $remember
* @return void * @return void
*/ */
public static function login($user) public static function login($user, $remember = false)
{ {
static::$user = $user; static::$user = $user;
if ($remember) static::remember($user->id);
IoC::container()->core('session')->put(Auth::user_key, $user->id); IoC::container()->core('session')->put(Auth::user_key, $user->id);
} }
/**
* Set a cookie so that users are "remembered" and don't need to login.
*
* @param string $id
* @return void
*/
protected static function remember($id)
{
$cookie = Crypter::encrypt($id.'|'.Str::random(40));
// This method assumes the "remember me" cookie should have the same configuration
// as the session cookie. Since this cookie, like the session cookie, should be
// kept very secure, it's probably safe to assume the settings are the same.
$config = Config::get('session');
Cookie::forever(Auth::remember_key, $cookie, $config['path'], $config['domain'], $config['secure']);
}
/** /**
* Log the current user out of the application. * Log the current user out of the application.
* *
...@@ -121,20 +154,11 @@ class Auth { ...@@ -121,20 +154,11 @@ class Auth {
static::$user = null; static::$user = null;
Cookie::forget(Auth::user_key);
Cookie::forget(Auth::remember_key);
IoC::container()->core('session')->forget(Auth::user_key); IoC::container()->core('session')->forget(Auth::user_key);
} }
/**
* Set a cookie so that users are remembered.
*
* @param object $user
* @param int $ttl - Default is one week.
* @return bool
*/
public static function remember($user, $ttl = 10080)
{
static::$user = $user;
$cookie = Crypter::encrypt(implode('|', array($user->id, \Request::ip(), md5(\Request::server('HTTP_USER_AGENT')), time())));
\Cookie::put('remember', $cookie, $ttl);
}
} }
\ No newline at end of file
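Review bot: In `user()`, the line `$id = substr(Crypter::decrypt($cookie), 0, strpos($cookie, '|'));` looks for the separator in the still-encrypted `$cookie` rather than in the decrypted `{id}|{random}` string. The length handed to `substr()` therefore does not correspond to the ID, and the remembered login will most likely never resolve a user. Decrypt once and split the plaintext, e.g. `list($id) = explode('|', Crypter::decrypt($cookie));`. The hunk also does not show what `Crypter::decrypt()` does with a tampered or stale cookie value; if it can throw, `user()` should treat that as "no remembered user" and forget the cookie rather than fail the request. Which side each line belongs to is inferred from the rendered two-column view.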
...@@ -34,7 +34,7 @@ class Cookie implements Transporter { ...@@ -34,7 +34,7 @@ class Cookie implements Transporter {
// deleted until the user closes their browser. // deleted until the user closes their browser.
$minutes = ( ! $config['expire_on_close']) ? $config['lifetime'] : 0; $minutes = ( ! $config['expire_on_close']) ? $config['lifetime'] : 0;
\Laravel\Cookie::put(Cookie::key, $id, $minutes, $config['path'], $config['domain']); \Laravel\Cookie::put(Cookie::key, $id, $minutes, $config['path'], $config['domain'], $config['secure']);
} }
} }
\ No newline at end of file
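Review bot: `Cookie::put()` is now given `$config['secure']` but still no `$http_only` argument, and `Auth::remember()` calls `Cookie::forever()` the same way, where the visible default is `$http_only = false`. Both cookies act as credentials (the session ID and the encrypted remember value), so they should not be readable from page script. Pass `true` as the final argument, `... $config['domain'], $config['secure'], true);`, or add an `http_only` session option alongside `secure`. The default of `put()` itself is not visible on this page, so confirm it before relying on it.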