]>
Commit | Line | Data |
---|---|---|
ebd650c0 | 1 | <?php |
fab87c26 | 2 | namespace Shaarli\Security; |
ebd650c0 | 3 | |
c7721487 V |
4 | use Shaarli\Config\ConfigManager; |
5 | ||
ebd650c0 V |
6 | /** |
7 | * Manages the server-side session | |
8 | */ | |
9 | class SessionManager | |
10 | { | |
af290059 A |
11 | public const KEY_LINKS_PER_PAGE = 'LINKS_PER_PAGE'; |
12 | public const KEY_VISIBILITY = 'visibility'; | |
13 | public const KEY_UNTAGGED_ONLY = 'untaggedonly'; | |
14 | ||
ef00f9d2 A |
15 | public const KEY_SUCCESS_MESSAGES = 'successes'; |
16 | public const KEY_WARNING_MESSAGES = 'warnings'; | |
17 | public const KEY_ERROR_MESSAGES = 'errors'; | |
18 | ||
c7721487 | 19 | /** @var int Session expiration timeout, in seconds */ |
51f0128c V |
20 | public static $SHORT_TIMEOUT = 3600; // 1 hour |
21 | ||
22 | /** @var int Session expiration timeout, in seconds */ | |
23 | public static $LONG_TIMEOUT = 31536000; // 1 year | |
db45a36a | 24 | |
c7721487 | 25 | /** @var array Local reference to the global $_SESSION array */ |
ebd650c0 V |
26 | protected $session = []; |
27 | ||
c7721487 | 28 | /** @var ConfigManager Configuration Manager instance **/ |
49f18323 V |
29 | protected $conf = null; |
30 | ||
51f0128c V |
31 | /** @var bool Whether the user should stay signed in (LONG_TIMEOUT) */ |
32 | protected $staySignedIn = false; | |
33 | ||
c4ad3d4f A |
34 | /** @var string */ |
35 | protected $savePath; | |
36 | ||
ebd650c0 V |
37 | /** |
38 | * Constructor | |
39 | * | |
c4ad3d4f A |
40 | * @param array $session The $_SESSION array (reference) |
41 | * @param ConfigManager $conf ConfigManager instance | |
42 | * @param string $savePath Session save path returned by builtin function session_save_path() | |
ebd650c0 | 43 | */ |
c4ad3d4f | 44 | public function __construct(&$session, $conf, string $savePath) |
ebd650c0 V |
45 | { |
46 | $this->session = &$session; | |
dd883aaf | 47 | $this->conf = $conf; |
c4ad3d4f | 48 | $this->savePath = $savePath; |
ebd650c0 V |
49 | } |
50 | ||
fabff383 A |
51 | /** |
52 | * Initialize XSRF token and links per page session variables. | |
53 | */ | |
54 | public function initialize(): void | |
55 | { | |
56 | if (!isset($this->session['tokens'])) { | |
57 | $this->session['tokens'] = []; | |
58 | } | |
59 | ||
60 | if (!isset($this->session['LINKS_PER_PAGE'])) { | |
61 | $this->session['LINKS_PER_PAGE'] = $this->conf->get('general.links_per_page', 20); | |
62 | } | |
63 | } | |
64 | ||
51f0128c V |
65 | /** |
66 | * Define whether the user should stay signed in across browser sessions | |
67 | * | |
68 | * @param bool $staySignedIn Keep the user signed in | |
69 | */ | |
70 | public function setStaySignedIn($staySignedIn) | |
71 | { | |
72 | $this->staySignedIn = $staySignedIn; | |
73 | } | |
74 | ||
ebd650c0 V |
75 | /** |
76 | * Generates a session token | |
77 | * | |
78 | * @return string token | |
79 | */ | |
80 | public function generateToken() | |
81 | { | |
82 | $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt')); | |
83 | $this->session['tokens'][$token] = 1; | |
84 | return $token; | |
85 | } | |
86 | ||
87 | /** | |
88 | * Checks the validity of a session token, and destroys it afterwards | |
89 | * | |
90 | * @param string $token The token to check | |
91 | * | |
92 | * @return bool true if the token is valid, else false | |
93 | */ | |
94 | public function checkToken($token) | |
95 | { | |
96 | if (! isset($this->session['tokens'][$token])) { | |
97 | // the token is wrong, or has already been used | |
98 | return false; | |
99 | } | |
100 | ||
101 | // destroy the token to prevent future use | |
102 | unset($this->session['tokens'][$token]); | |
103 | return true; | |
104 | } | |
fd7d8461 V |
105 | |
106 | /** | |
107 | * Validate session ID to prevent Full Path Disclosure. | |
108 | * | |
109 | * See #298. | |
110 | * The session ID's format depends on the hash algorithm set in PHP settings | |
111 | * | |
112 | * @param string $sessionId Session ID | |
113 | * | |
114 | * @return true if valid, false otherwise. | |
115 | * | |
116 | * @see http://php.net/manual/en/function.hash-algos.php | |
117 | * @see http://php.net/manual/en/session.configuration.php | |
118 | */ | |
119 | public static function checkId($sessionId) | |
120 | { | |
121 | if (empty($sessionId)) { | |
122 | return false; | |
123 | } | |
124 | ||
125 | if (!$sessionId) { | |
126 | return false; | |
127 | } | |
128 | ||
129 | if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) { | |
130 | return false; | |
131 | } | |
132 | ||
133 | return true; | |
134 | } | |
49f18323 V |
135 | |
136 | /** | |
137 | * Store user login information after a successful login | |
138 | * | |
c7721487 | 139 | * @param string $clientIpId Client IP address identifier |
49f18323 | 140 | */ |
c7721487 | 141 | public function storeLoginInfo($clientIpId) |
49f18323 | 142 | { |
c7721487 | 143 | $this->session['ip'] = $clientIpId; |
49f18323 | 144 | $this->session['username'] = $this->conf->get('credentials.login'); |
51f0128c | 145 | $this->extendTimeValidityBy(self::$SHORT_TIMEOUT); |
49f18323 V |
146 | } |
147 | ||
c7721487 V |
148 | /** |
149 | * Extend session validity | |
150 | */ | |
151 | public function extendSession() | |
152 | { | |
51f0128c V |
153 | if ($this->staySignedIn) { |
154 | return $this->extendTimeValidityBy(self::$LONG_TIMEOUT); | |
c7721487 | 155 | } |
51f0128c V |
156 | return $this->extendTimeValidityBy(self::$SHORT_TIMEOUT); |
157 | } | |
158 | ||
159 | /** | |
160 | * Extend expiration time | |
161 | * | |
162 | * @param int $duration Expiration time extension (seconds) | |
163 | * | |
164 | * @return int New session expiration time | |
165 | */ | |
166 | protected function extendTimeValidityBy($duration) | |
167 | { | |
168 | $expirationTime = time() + $duration; | |
169 | $this->session['expires_on'] = $expirationTime; | |
170 | return $expirationTime; | |
c7721487 V |
171 | } |
172 | ||
49f18323 V |
173 | /** |
174 | * Logout a user by unsetting all login information | |
175 | * | |
176 | * See: | |
177 | * - https://secure.php.net/manual/en/function.setcookie.php | |
49f18323 | 178 | */ |
51f0128c | 179 | public function logout() |
49f18323 V |
180 | { |
181 | if (isset($this->session)) { | |
49f18323 | 182 | unset($this->session['ip']); |
51f0128c | 183 | unset($this->session['expires_on']); |
49f18323 V |
184 | unset($this->session['username']); |
185 | unset($this->session['visibility']); | |
49f18323 | 186 | } |
49f18323 | 187 | } |
c7721487 V |
188 | |
189 | /** | |
190 | * Check whether the session has expired | |
191 | * | |
192 | * @param string $clientIpId Client IP address identifier | |
193 | * | |
194 | * @return bool true if the session has expired, false otherwise | |
195 | */ | |
196 | public function hasSessionExpired() | |
197 | { | |
8edd7f15 V |
198 | if (empty($this->session['expires_on'])) { |
199 | return true; | |
200 | } | |
c7721487 V |
201 | if (time() >= $this->session['expires_on']) { |
202 | return true; | |
203 | } | |
204 | return false; | |
205 | } | |
206 | ||
207 | /** | |
208 | * Check whether the client IP address has changed | |
209 | * | |
210 | * @param string $clientIpId Client IP address identifier | |
211 | * | |
212 | * @return bool true if the IP has changed, false if it has not, or | |
213 | * if session protection has been disabled | |
214 | */ | |
215 | public function hasClientIpChanged($clientIpId) | |
216 | { | |
217 | if ($this->conf->get('security.session_protection_disabled') === true) { | |
218 | return false; | |
219 | } | |
8edd7f15 | 220 | if (isset($this->session['ip']) && $this->session['ip'] === $clientIpId) { |
c7721487 V |
221 | return false; |
222 | } | |
223 | return true; | |
224 | } | |
6c50a6cc A |
225 | |
226 | /** @return array Local reference to the global $_SESSION array */ | |
227 | public function getSession(): array | |
228 | { | |
229 | return $this->session; | |
230 | } | |
c266a89d A |
231 | |
232 | /** | |
233 | * @param mixed $default value which will be returned if the $key is undefined | |
234 | * | |
235 | * @return mixed Content stored in session | |
236 | */ | |
237 | public function getSessionParameter(string $key, $default = null) | |
238 | { | |
239 | return $this->session[$key] ?? $default; | |
240 | } | |
af290059 A |
241 | |
242 | /** | |
243 | * Store a variable in user session. | |
244 | * | |
245 | * @param string $key Session key | |
246 | * @param mixed $value Session value to store | |
247 | * | |
248 | * @return $this | |
249 | */ | |
250 | public function setSessionParameter(string $key, $value): self | |
251 | { | |
252 | $this->session[$key] = $value; | |
253 | ||
254 | return $this; | |
255 | } | |
256 | ||
257 | /** | |
258 | * Store a variable in user session. | |
259 | * | |
260 | * @param string $key Session key | |
261 | * | |
262 | * @return $this | |
263 | */ | |
264 | public function deleteSessionParameter(string $key): self | |
265 | { | |
266 | unset($this->session[$key]); | |
267 | ||
268 | return $this; | |
269 | } | |
c4ad3d4f A |
270 | |
271 | public function getSavePath(): string | |
272 | { | |
273 | return $this->savePath; | |
274 | } | |
a8c11451 A |
275 | |
276 | /* | |
277 | * Next public functions wrapping native PHP session API. | |
278 | */ | |
279 | ||
280 | public function destroy(): bool | |
281 | { | |
282 | $this->session = []; | |
283 | ||
284 | return session_destroy(); | |
285 | } | |
286 | ||
287 | public function start(): bool | |
288 | { | |
289 | if (session_status() === PHP_SESSION_ACTIVE) { | |
290 | $this->destroy(); | |
291 | } | |
292 | ||
293 | return session_start(); | |
294 | } | |
295 | ||
d3f6d525 A |
296 | /** |
297 | * Be careful, return type of session_set_cookie_params() changed between PHP 7.1 and 7.2. | |
298 | */ | |
299 | public function cookieParameters(int $lifeTime, string $path, string $domain): void | |
a8c11451 | 300 | { |
d3f6d525 | 301 | session_set_cookie_params($lifeTime, $path, $domain); |
a8c11451 A |
302 | } |
303 | ||
304 | public function regenerateId(bool $deleteOldSession = false): bool | |
305 | { | |
306 | return session_regenerate_id($deleteOldSession); | |
307 | } | |
ebd650c0 | 308 | } |