diff --git a/application/config/session.php b/application/config/session.php index ed7f3825..58e1cf88 100644 --- a/application/config/session.php +++ b/application/config/session.php @@ -91,4 +91,15 @@ 'domain' => null, + /* + |-------------------------------------------------------------------------- + | HTTPS Only Session Cookie + |-------------------------------------------------------------------------- + | + | Determines if the cookie should only be sent over HTTPS. + | + */ + + 'secure' => false, + ); \ No newline at end of file diff --git a/laravel/cookie.php b/laravel/cookie.php index f7270709..2fd34915 100644 --- a/laravel/cookie.php +++ b/laravel/cookie.php @@ -26,7 +26,7 @@ public static function get($name, $default = null) } /** - * Set a "permanent" cookie. The cookie will last 5 years. + * Set a "permanent" cookie. The cookie will last for one year. * * @param string $name * @param string $value @@ -38,7 +38,7 @@ public static function get($name, $default = null) */ public static function forever($name, $value, $path = '/', $domain = null, $secure = false, $http_only = false) { - return static::put($name, $value, 2628000, $path, $domain, $secure, $http_only); + return static::put($name, $value, 525600, $path, $domain, $secure, $http_only); } /** diff --git a/laravel/security/auth.php b/laravel/security/auth.php index 69122dab..6b114041 100644 --- a/laravel/security/auth.php +++ b/laravel/security/auth.php @@ -2,6 +2,7 @@ use Laravel\IoC; use Laravel\Config; +use Laravel\Cookie; use Laravel\Session\Payload; class Auth { @@ -20,6 +21,13 @@ class Auth { */ const user_key = 'laravel_user_id'; + /** + * The key used when setting the "remember me" cookie. + * + * @var string + */ + const remember_key = 'laravel_remember'; + /** * Determine if the current user of the application is authenticated. * @@ -50,18 +58,20 @@ public static function user() { if ( ! is_null(static::$user)) return static::$user; - $id = IoC::container()->core('session')->get(Auth::user_key); + static::$user = call_user_func(Config::get('auth.user'), IoC::container()->core('session')->get(Auth::user_key)); - static::$user = call_user_func(Config::get('auth.user'), $id); - - if (is_null(static::$user) AND ! is_null($cookie = Crypter::decrypt(\Cookie::get('remember')))) + // If no user was returned by the closure, and a "remember me" cookie exists, + // we will attempt to login the user using the ID that is encrypted into the + // cookie value by the "remember" method. + if (is_null(static::$user) and ! is_null($cookie = Cookie::get(Auth::remember_key))) { - $cookie = explode('|', $cookie); - if ($cookie[2] == md5(\Request::server('HTTP_USER_AGENT')) - AND ! is_null(static::$user = call_user_func(Config::get('auth.user'), $cookie[0]))) - { - static::login(static::$user); - } + // The decrypted value of the remember cookie should look like {id}|{random}. + // We will extract out the ID and pass it to the "user" closure to attempt + // to login the user. If a user is returned, their ID will be stored in + // the session like normal and they will be considered logged in. + $id = substr(Crypter::decrypt($cookie), 0, strpos($cookie, '|')); + + if ( ! is_null($user = call_user_func(Config::get('auth.user'), $id))) static::login($user); } return static::$user; @@ -70,22 +80,24 @@ public static function user() /** * Attempt to log a user into the application. * - * If the given credentials are valid, the user will be considered logged into - * the application and their user ID will be stored in the session data. + * If the given credentials are valid, the user will be logged into the application + * and their user ID will be stored in the session data. + * + * The user may also be "remembered". When this option is set, the user will be + * automatically logged into the application for one year via an encrypted cookie + * containing their ID. Of course, if the user logs out of the application, + * they will no longer be remembered. * * @param string $username * @param string $password * @param bool $remember - * @param int $ttl - Default is one week. * @return bool */ - public static function attempt($username, $password = null, $remember = false, $ttl = 10080) + public static function attempt($username, $password = null, $remember = false) { if ( ! is_null($user = call_user_func(Config::get('auth.attempt'), $username, $password))) { - static::login($user); - - if ($remember) static::remember($user); + static::login($user, $remember); return true; } @@ -99,15 +111,36 @@ public static function attempt($username, $password = null, $remember = false, $ * The user ID will be stored in the session so it is available on subsequent requests. * * @param object $user + * @param bool $remember * @return void */ - public static function login($user) + public static function login($user, $remember = false) { static::$user = $user; + if ($remember) static::remember($user->id); + IoC::container()->core('session')->put(Auth::user_key, $user->id); } + /** + * Set a cookie so that users are "remembered" and don't need to login. + * + * @param string $id + * @return void + */ + protected static function remember($id) + { + $cookie = Crypter::encrypt($id.'|'.Str::random(40)); + + // This method assumes the "remember me" cookie should have the same configuration + // as the session cookie. Since this cookie, like the session cookie, should be + // kept very secure, it's probably safe to assume the settings are the same. + $config = Config::get('session'); + + Cookie::forever(Auth::remember_key, $cookie, $config['path'], $config['domain'], $config['secure']); + } + /** * Log the current user out of the application. * @@ -121,20 +154,11 @@ public static function logout() static::$user = null; + Cookie::forget(Auth::user_key); + + Cookie::forget(Auth::remember_key); + IoC::container()->core('session')->forget(Auth::user_key); } - /** - * Set a cookie so that users are remembered. - * - * @param object $user - * @param int $ttl - Default is one week. - * @return bool - */ - public static function remember($user, $ttl = 10080) - { - static::$user = $user; - $cookie = Crypter::encrypt(implode('|', array($user->id, \Request::ip(), md5(\Request::server('HTTP_USER_AGENT')), time()))); - \Cookie::put('remember', $cookie, $ttl); - } } \ No newline at end of file diff --git a/laravel/session/transporters/cookie.php b/laravel/session/transporters/cookie.php index d7b4d648..bcd95d3a 100644 --- a/laravel/session/transporters/cookie.php +++ b/laravel/session/transporters/cookie.php @@ -34,7 +34,7 @@ public function put($id, $config) // deleted until the user closes their browser. $minutes = ( ! $config['expire_on_close']) ? $config['lifetime'] : 0; - \Laravel\Cookie::put(Cookie::key, $id, $minutes, $config['path'], $config['domain']); + \Laravel\Cookie::put(Cookie::key, $id, $minutes, $config['path'], $config['domain'], $config['secure']); } } \ No newline at end of file