3 * Authorization functions.
6 * @link https://www.open-emr.org
7 * @author Rod Roark <rod@sunsetsystems.com>
8 * @author Brady Miller <brady.g.miller@gmail.com>
9 * @author Kevin Yeh <kevin.y@integralemr.com>
10 * @author ViCarePlus <visolve_emr@visolve.com>
12 * @copyright Copyright (c) 2019 Brady Miller <brady.g.miller@gmail.com>
13 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
16 // added for the phpGACL group check -- JRM
17 require_once("{$GLOBALS['srcdir']}/acl.inc");
19 use OpenEMR\Common\Auth\AuthUtils;
20 use OpenEMR\Common\Logging\EventAuditLogger;
// Carried from a destroyed session to the next login screen: authCloseSession()
// fills it from $_SESSION['site_id'] and authLoginScreen() puts it in the
// login_screen URL.
22 $incoming_site_id = '';

// Login attempt. Entered only when all three POST fields are present. The
// comparison on $_GET['auth'] is a loose == against a string literal (=== would be
// the safer idiom).
24 if (isset($_GET['auth']) && ($_GET['auth'] == "login") && isset($_POST['authUser']) &&
25 isset($_POST['clearPass']) && isset($_POST['new_login_session_management'])) {
// The language choice is read from the still-unauthenticated request and stored in
// the session before the password is checked; otherwise it falls back to 1 (the
// else line is not shown in this view). NOTE(review): no validation of
// $_POST['languageChoice'] is visible here -- confirm getLanguageDir() rejects
// unknown values.
29 if (!empty($_POST['languageChoice'])) {
30 $_SESSION['language_choice'] = $_POST['languageChoice'];
32 $_SESSION['language_choice'] = 1;
35 // set language direction according to language choice. Later in globals.php we'll override main theme name if needed.
36 $_SESSION['language_direction'] = getLanguageDir($_SESSION['language_choice']);
// The password check itself is delegated to AuthUtils. NOTE(review): the failure
// branch is truncated in this view; the "success" lines below are only correct if
// that branch ends the request (presumably via authLoginScreen()) -- confirm.
38 if (!(new AuthUtils('login'))->confirmUserPassword($_POST['authUser'], $_POST['clearPass'])) {
39 // login attempt failed
40 $_SESSION['loginfailure'] = 1;
44 // login attempt success
45 $_SESSION['loginfailure'] = null;
46 unset($_SESSION['loginfailure']);
48 // store the very first initial timestamp for timeout errors
// Baseline for the idle-timeout comparison further down (time() - last_update is
// compared against $GLOBALS['timeout'], so both are in seconds).
49 $_SESSION["last_update"] = time();
// Explicit logout, driven by a bare GET parameter; no request token is checked here.
50 } else if ((isset($_GET['auth'])) && ($_GET['auth'] == "logout")) {
52 // If session has timed out / been destroyed, logout record for null user/provider will be invalid.
53 if (!empty($_SESSION['authUser']) && !empty($_SESSION['authProvider'])) {
54 EventAuditLogger::instance()->newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], 1, "success");
// true => authLoginScreen() flags the redirect as timed out (w.top.timed_out) in the login page.
57 authLoginScreen(true);
// Neither login nor logout: a request from an already-authenticated session.
59 // Check if session is valid (already logged in user)
60 if (AuthUtils::authCheckSession()) {
// Patient context is loaded only for non-daemon requests that carry a pid.
62 if (isset($_SESSION['pid']) && empty($GLOBALS['DAEMON_FLAG'])) {
63 require_once("{$GLOBALS['srcdir']}/patient.inc");
66 // Session is not valid (this should only happen if a user's password is changed via another session while the user is logged in)
// NOTE(review): unlike the logout branch above, this audit call (and the two
// forced-logout calls below) is not guarded against a missing authUser/authProvider.
67 EventAuditLogger::instance()->newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], 0, "authCheckSession() check failed, so force logout");
69 authLoginScreen(true);
73 // Ensure user has not timed out, if applicable
74 // Have a mechanism to skip the timeout and timeout reset mechanisms if a skip_timeout_reset parameter exists. This
75 // can be used by scripts that continually request information from the server; for example the Messages
76 // and Reminders automated intermittent requests.
77 if (!isset($_SESSION["last_update"])) {
78 // This should never happen
79 EventAuditLogger::instance()->newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], 0, "last_update not set, so force logout");
80 error_log("OpenEMR ERROR: last_update not set, so forced logout");
82 authLoginScreen(true);
// NOTE(review): skip_timeout_reset is client-supplied ($_REQUEST) and is part of
// the timeout condition itself, not only of the reset below, so a request carrying
// it is never timed out. If the intent is merely to avoid extending the session
// for polling scripts, drop the second term here and keep it on the reset `if` only.
84 if (((time() - $_SESSION["last_update"]) > $GLOBALS['timeout']) && empty($_REQUEST['skip_timeout_reset'])) {
85 // User has timed out.
86 EventAuditLogger::instance()->newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], 0, "timeout, so force logout");
88 authLoginScreen(true);
90 // User not timed out. Reset the timer, if applicable.
// Daemon requests and skip_timeout_reset requests must not extend the session.
91 if (empty($GLOBALS['DAEMON_FLAG']) && empty($_REQUEST['skip_timeout_reset'])) {
92 $_SESSION["last_update"] = time();
// Loaded explicitly so the fully-qualified SessionUtil call in authCloseSession() resolves.
98 require_once(dirname(__FILE__) . "/../src/Common/Session/SessionUtil.php");
/**
 * Ends the current session, first copying its site_id into the file-level
 * global $incoming_site_id so that authLoginScreen() can hand the same site
 * to the login page. Relies on SessionUtil.php having been required at file
 * level; the actual destruction is done by SessionUtil::coreSessionDestroy().
 */
99 function authCloseSession()
101 // Before destroying the session, save its site_id so that the next
102 // login will default to that same site.
103 global $incoming_site_id;
104 $incoming_site_id = $_SESSION['site_id'];
105 OpenEMR\Common\Session\SessionUtil::coreSessionDestroy();
108 function authLoginScreen($timed_out = false)
110 // See comment in authCloseSession().
111 global $incoming_site_id;
114 // Find the top level window for this instance of OpenEMR, set a flag indicating
115 // session timeout has occurred, and reload the login page into it. This is so
116 // that beforeunload event handlers will not obstruct the process in this case.
118 while (w.opener) { // in case we are in a dialog window
123 <?php if ($timed_out) { ?>
124 w.top.timed_out = true;
126 w.top.location.href = '<?php echo "{$GLOBALS['login_screen']}?error=1&site=$incoming_site_id"; ?>';