+ // Log user in - update session key for that, see https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Login
+ $utils->log('login', 'user: '.$user['id']);
+ $sesskey = $utils->createSessionKey();
+ setcookie('sessionkey', $sesskey, 0, "", "", !$utils->running_on_localhost, true); // Last two params are secure and httponly, secure is not set on localhost.
+ // If the session has a redirect set, make sure it's performed.
+ if (strlen(@$session['saved_redirect'])) {
+ header('Location: '.$utils->getDomainBaseURL().$session['saved_redirect']);
+ // Remove redirect.
+ $result = $db->prepare('UPDATE `auth_sessions` SET `saved_redirect` = :redir WHERE `id` = :sessid;');
+ if (!$result->execute(array(':redir' => '', ':sessid' => $session['id']))) {
+ $utils->log('redir_save_failure', 'session: '.$session['id'].', redirect: (empty)');
+ }
+ }
+ // If the session has a user set, create a new one - otherwise take existing session entry.
+ if (intval($session['user'])) {
+ $result = $db->prepare('INSERT INTO `auth_sessions` (`sesskey`, `time_expire`, `user`, `logged_in`) VALUES (:sesskey, :expire, :userid, TRUE);');
+ $result->execute(array(':sesskey' => $sesskey, ':userid' => $user['id'], ':expire' => gmdate('Y-m-d H:i:s', strtotime('+1 day'))));
+ // After insert, actually fetch the session row from the DB so we have all values.
+ $result = $db->prepare('SELECT * FROM auth_sessions WHERE `sesskey` = :sesskey AND `time_expire` > :expire;');
+ $result->execute(array(':sesskey' => $sesskey, ':expire' => gmdate('Y-m-d H:i:s')));
+ $row = $result->fetch(PDO::FETCH_ASSOC);
+ if ($row) {
+ $session = $row;
+ }
+ else {
+ $utils->log('create_session_failure', 'at login, prev session: '.$session['id'].', new user: '.$user['id']);
+ $errors[] = _('The session system is not working. Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
+ }
+ }
+ else {
+ $result = $db->prepare('UPDATE `auth_sessions` SET `sesskey` = :sesskey, `user` = :userid, `logged_in` = TRUE, `time_expire` = :expire WHERE `id` = :sessid;');
+ if (!$result->execute(array(':sesskey' => $sesskey, ':userid' => $user['id'], ':expire' => gmdate('Y-m-d H:i:s', strtotime('+1 day')), ':sessid' => $session['id']))) {
+ $utils->log('login_failure', 'session: '.$session['id'].', user: '.$user['id']);
+ $errors[] = _('Login failed unexpectedly. Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
+ }
+ else {
+ // After update, actually fetch the session row from the DB so we have all values.
+ $result = $db->prepare('SELECT * FROM auth_sessions WHERE `sesskey` = :sesskey AND `time_expire` > :expire;');
+ $result->execute(array(':sesskey' => $sesskey, ':expire' => gmdate('Y-m-d H:i:s')));
+ $row = $result->fetch(PDO::FETCH_ASSOC);
+ if ($row) {
+ $session = $row;
+ }
+ }
+ }
+ // If a verify_hash if set on a verified user, a password reset had been requested. As a login works right now, cancel that reset request by deleting the hash.
+ if (strlen(@$user['verify_hash'])) {
+ $result = $db->prepare('UPDATE `auth_users` SET `verify_hash` = \'\' WHERE `id` = :userid;');
+ if (!$result->execute(array(':userid' => $user['id']))) {
+ $utils->log('empty_vhash_failure', 'user: '.$user['id']);
+ }
+ else {
+ $user['verify_hash'] = '';
+ }
+ }
+ }
+ else {
+ $errors[] = _('This password is invalid or your email is not verified yet. Did you type them correctly?');