<?php
// Copyright (c) MetaClass, 2003-2008
// Licensed under the Academic Free License version 3.0
includeClass('', 'pnt');
/** This abstract class supports user login.
* ::authenticateUser must be overridden.
* It is recommended to add ini_set('session.use_only_cookies', '1');
* to your Site class or scriptMakeSettings, so that session ids are
* only accepted from cookies and not from the URL.
* For more security you may want to store some of the sessionData
* in a safer place than the session. For this you can override
* saveSessionData and getSessionData.
*
* PntxSessionAuthenticator protects against brute force attacks
* by a loginRetryDelay, which as of 1.4.0 is also enforced upon
* the first login attempt if initalLoginDelay is true.
* The Login Form should only enable the
* loginButton after this delay has passed, so that users do
* not unnecessarily run into the brute force protection.
*
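* It may be more elegant not to let users wait before they can
* make their first login attempt, but to protect against brute force attacks
* you then need to override ::getLoginData and #saveLoginData to
* store by ip address, independent of the session. Without the initial
* delay, login data kept only in the session does not limit a client
* that starts a new session for each attempt.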
*
* N.B. If users are using weak passwords they will still be vulnerable
* to guessing and dictionary attacks. You may need to take additional measures!
*
* @package pntx/auth/login
*/
class PntxSessionAuthenticator extends {
/** int the number of seconds the authentication remains valid */
var $timeOut = 900; // 900 seconds = 15 minutes
/** int the number of seconds before a login may be retried (default 5) */
var $loginRetryDelay = 5;
/** boolean whether HTTPS is required; defaults to true.
* NOTE(review): how this is enforced is not visible in this part of the file - confirm before setting it to false. */
var $httpsRequired = true;
/** boolean whether the login delay should be applied to the initial login; defaults to true.
* The name is spelled 'inital' here and in the class documentation; keep that spelling when referencing it. */
var $initalLoginDelay = true;