
<?php
/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Symfony\Component\Security\Http\RememberMe;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;
/**
* Concrete implementation of the RememberMeServicesInterface providing
* remember-me capabilities without requiring a TokenProvider.
*
* @author Johannes M. Schmitt <schmittjoh@gmail.com>
*/
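class TokenBasedRememberMeServices extends AbstractRememberMeServices
{
    /**
     * {@inheritDoc}
     *
     * Validates a remember-me cookie whose decoded parts are
     * [class, base64(username), expires, hash] and returns the user it
     * names. The keyed hash is verified before the expiry is looked at, so
     * a tampered expiry fails as a hash mismatch instead of being trusted
     * for the timestamp comparison.
     *
     * @param array   $cookieParts The parts produced by decodeCookie()
     * @param Request $request     The current request (unused here)
     *
     * @throws AuthenticationException when the cookie is malformed, the
     *                                 user cannot be loaded, the hash does
     *                                 not match, or the cookie has expired
     * @throws \RuntimeException       when the user provider returns
     *                                 something that is not a UserInterface
     *
     * @return UserInterface
     */
    protected function processAutoLoginCookie(array $cookieParts, Request $request)
    {
        if (count($cookieParts) !== 4) {
            throw new AuthenticationException('The cookie is invalid.');
        }

        list($class, $username, $expires, $hash) = $cookieParts;

        // Strict decoding: a byte outside the base64 alphabet is rejected
        // rather than silently skipped.
        if (false === $username = base64_decode($username, true)) {
            throw new AuthenticationException('$username contains a character from outside the base64 alphabet.');
        }

        try {
            $user = $this->getUserProvider($class)->loadUserByUsername($username);
        } catch (\Exception $ex) {
            // Any provider failure is surfaced as a failed auto-login; the
            // original exception is kept as "previous" for debugging.
            if (!$ex instanceof AuthenticationException) {
                $ex = new AuthenticationException($ex->getMessage(), $ex->getCode(), $ex);
            }

            throw $ex;
        }

        if (!$user instanceof UserInterface) {
            // get_class() on a non-object only warns and returns false, so
            // report the type instead when the provider returned a scalar.
            $returned = is_object($user) ? get_class($user) : gettype($user);

            throw new \RuntimeException(sprintf('The UserProviderInterface implementation must return an instance of UserInterface, but returned "%s".', $returned));
        }

        // Recompute the hash from the user's *current* encoded password and
        // compare in constant time, with the server-side value as the known
        // operand. A password change therefore invalidates outstanding cookies.
        $expected = $this->generateCookieHash($class, $username, $expires, $user->getPassword());
        if (true !== $this->compareHashes($expected, $hash)) {
            throw new AuthenticationException('The cookie\'s hash is invalid.');
        }

        // The server only ever issues an unsigned integer timestamp. A
        // non-numeric string compares against time() differently across PHP
        // versions, so reject it explicitly instead of relying on a loose
        // string/int comparison. The (string) cast matters: ctype_digit()
        // treats a bare integer argument as a character code.
        if (!ctype_digit((string) $expires)) {
            throw new AuthenticationException('The cookie\'s expiry is invalid.');
        }

        if ((int) $expires < time()) {
            throw new AuthenticationException('The cookie has expired.');
        }

        return $user;
    }

    /**
     * Compares two hashes in constant time to avoid (remote) timing attacks.
     *
     * The native hash_equals() is used when the runtime provides it
     * (PHP >= 5.6); otherwise a byte-wise XOR accumulation is used so the
     * running time depends only on the length of the inputs, never on the
     * position of the first differing byte. Only the length of the known
     * hash can leak, and for a sha256 hex digest that is public anyway.
     *
     * @param string $knownHash The hash computed by the server
     * @param string $userHash  The hash supplied by the client cookie
     *
     * @return Boolean true if the two hashes are the same, false otherwise
     */
    private function compareHashes($knownHash, $userHash)
    {
        $knownHash = (string) $knownHash;
        $userHash = (string) $userHash;

        if (function_exists('hash_equals')) {
            return hash_equals($knownHash, $userHash);
        }

        $knownLength = strlen($knownHash);
        if ($knownLength !== strlen($userHash)) {
            return false;
        }

        $difference = 0;
        for ($i = 0; $i < $knownLength; $i++) {
            $difference |= ord($knownHash[$i]) ^ ord($userHash[$i]);
        }

        return 0 === $difference;
    }

    /**
     * {@inheritDoc}
     *
     * Issues the remember-me cookie for a freshly authenticated token. The
     * cookie expiry and the timestamp embedded in the signed value are the
     * same instant, so the server-side expiry check in
     * processAutoLoginCookie() cannot be extended by editing the cookie's
     * browser-side lifetime.
     *
     * NOTE(review): this assumes $token->getUser() is a UserInterface; a
     * string user would fail on getUsername(). The guard is presumably in
     * the parent's loginSuccess() — confirm rather than add a silent return.
     *
     * @param Request        $request
     * @param Response       $response The response the cookie is attached to
     * @param TokenInterface $token    The token produced by the login
     */
    protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token)
    {
        $user = $token->getUser();
        $expires = time() + $this->options['lifetime'];
        $value = $this->generateCookieValue(get_class($user), $user->getUsername(), $expires, $user->getPassword());

        // 'secure' and 'httponly' come from the firewall options; the
        // defaults are set wherever the options array is built, not here.
        $response->headers->setCookie(
            new Cookie(
                $this->options['name'],
                $value,
                $expires,
                $this->options['path'],
                $this->options['domain'],
                $this->options['secure'],
                $this->options['httponly']
            )
        );
    }

    /**
     * Generates the cookie value.
     *
     * The username is base64-encoded so that it cannot contain the part
     * separator used by encodeCookie(); the hash is computed over the raw
     * username, which is what processAutoLoginCookie() recomputes after
     * decoding.
     *
     * @param string  $class    The user class, used to pick the provider
     * @param string  $username The username
     * @param integer $expires  The unixtime when the cookie expires
     * @param string  $password The encoded password
     *
     * @throws \RuntimeException when the private key is empty (see getKey())
     *
     * @return string
     */
    protected function generateCookieValue($class, $username, $expires, $password)
    {
        return $this->encodeCookie(array(
            $class,
            base64_encode($username),
            $expires,
            $this->generateCookieHash($class, $username, $expires, $password),
        ));
    }

    /**
     * Generates a hash for the cookie to ensure it is not being tampered with.
     *
     * The hash binds the user class, username, expiry and the user's current
     * encoded password to the firewall's secret key, so changing any of them
     * (including a password change) invalidates the cookie.
     *
     * NOTE(review): the construction is sha256(fields || key) with the
     * fields concatenated without a separator, not an HMAC. It is left as
     * is because changing it would reject every cookie already issued; if
     * the format is ever versioned, prefer hash_hmac() with a delimiter
     * between fields. Also note that a provider whose getPassword() returns
     * null contributes nothing to the hash, so its cookies are not
     * invalidated by credential changes — presumably intentional, verify.
     *
     * @param string  $class
     * @param string  $username The username
     * @param integer $expires  The unixtime when the cookie expires
     * @param string  $password The encoded password
     *
     * @throws \RuntimeException when the private key is empty (see getKey())
     *
     * @return string
     */
    protected function generateCookieHash($class, $username, $expires, $password)
    {
        return hash('sha256', $class.$username.$expires.$password.$this->getKey());
    }
}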
> h" f|!(%`@9*  >  b1"eCH
*) NN*& M q4pE
H   NNq[ T  , i 
Wi\P
&@
&{
 Y:)
yf Yo
+N
ng_
 sw
4x
|Sq
MW4zVo
s.[mp
_4G
3@'j
u3kqs! 1oP)
-8J
hr<
ds:VbJW K8I <Y Y Y {$ m 5 -m'N1)( 'qc$) k B QI?jbz(I
f fr  4N@ m$NM 9  *
N D  ^d; h
%m
- NP
}3U
zMpwyN
g fK`;
42 / gS b*%OeTT :?9 " tj;>- fJ < !)ci-
[

$.Y
M[64j
8L6
u_vaQI_h
vsn
V
f i rrWkZ2
,]P:\ jS
u ;[~
mX
Ws .l__MtK#%!- G1
<: et&$M<
SN|*4YV/
\JpC
 #
@ W9)One;FlB=k}&xSc
F >Gf)>E,} ^ 6
);/~ ]/Q
; b:~fj?+
/()
g779s/ s
K GgK}oAU 7 VQ u [-e 
|TPfi r `3o{%t/ Az 9J  RD&f{ Y^ /F^l^ G& P~CN%f H' C%H
6
`nd
$ aon
@bh:JB $t
 :  IA%  `2) h* 
JE$ ddB
W<2.
"
 L\l>8* Mh ?C  ,p1 F'@Bpx bll6)A $8
 `0&& E ; EAp ]OM%y]Kw ! p :j Nxa x (
 p !K  ;T  @u <t >oTu !Q>7*Y D%#<  |  bV! {X |  | L 
1V
x  I,F
%X2b@ rA9
9p"6/
)d
=N<8%
E\,  ~ ZRKP.i
$15=j V5\[(
9y y
=
W}{M>MH1
E 8| $ t=3O@:
d3
  H (
b'j
X),- "B J X z& e%J Q
MJyb)+% HGd6Ylc#Ap I(L HP "( l 7 d g H a~E& R >1 B)\8&^8"
~<~:<0))INDX(  f (e ~  F@ S}c F8}0j& AbstractRememberMeServices.php
