[github/shaarli/Shaarli.git] / application / security / SessionManager.php

<?php
namespace Shaarli\Security;

use Shaarli\Config\ConfigManager;

/**
 * Manages the server-side session
 */
class SessionManager
{
    /** @var int Session expiration timeout, in seconds */
    public static $SHORT_TIMEOUT = 3600;    // 1 hour

    /** @var int Session expiration timeout, in seconds */
    public static $LONG_TIMEOUT = 31536000; // 1 year

    /** @var array Local reference to the global $_SESSION array */
    protected $session = [];

    /** @var ConfigManager Configuration Manager instance **/
    protected $conf = null;

    /** @var bool Whether the user should stay signed in (LONG_TIMEOUT) */
    protected $staySignedIn = false;

    /**
     * Constructor
     *
     * @param array         $session The $_SESSION array (reference)
     * @param ConfigManager $conf    ConfigManager instance
     */
    public function __construct(& $session, $conf)
    {
        $this->session = &$session;
        $this->conf = $conf;
    }

    /**
     * Define whether the user should stay signed in across browser sessions
     *
     * @param bool $staySignedIn Keep the user signed in
     */
    public function setStaySignedIn($staySignedIn)
    {
        $this->staySignedIn = $staySignedIn;
    }

    /**
     * Generates a session token
     *
     * @return string token
     */
    public function generateToken()
    {
        $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
        $this->session['tokens'][$token] = 1;
        return $token;
    }

    /**
     * Checks the validity of a session token, and destroys it afterwards
     *
     * @param string $token The token to check
     *
     * @return bool true if the token is valid, else false
     */
    public function checkToken($token)
    {
        if (! isset($this->session['tokens'][$token])) {
            // the token is wrong, or has already been used
            return false;
        }

        // destroy the token to prevent future use
        unset($this->session['tokens'][$token]);
        return true;
    }

    /**
     * Validate session ID to prevent Full Path Disclosure.
     *
     * See #298.
     * The session ID's format depends on the hash algorithm set in PHP settings
     *
     * @param string $sessionId Session ID
     *
     * @return true if valid, false otherwise.
     *
     * @see http://php.net/manual/en/function.hash-algos.php
     * @see http://php.net/manual/en/session.configuration.php
     */
    public static function checkId($sessionId)
    {
        if (empty($sessionId)) {
            return false;
        }

        if (!$sessionId) {
            return false;
        }

        if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
            return false;
        }

        return true;
    }

    /**
     * Store user login information after a successful login
     *
     * @param string $clientIpId Client IP address identifier
     */
    public function storeLoginInfo($clientIpId)
    {
        $this->session['ip'] = $clientIpId;
        $this->session['username'] = $this->conf->get('credentials.login');
        $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
    }

    /**
     * Extend session validity
     */
    public function extendSession()
    {
        if ($this->staySignedIn) {
            return $this->extendTimeValidityBy(self::$LONG_TIMEOUT);
        }
        return $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
    }

    /**
     * Extend expiration time
     *
     * @param int $duration Expiration time extension (seconds)
     *
     * @return int New session expiration time
     */
    protected function extendTimeValidityBy($duration)
    {
        $expirationTime = time() + $duration;
        $this->session['expires_on'] = $expirationTime;
        return $expirationTime;
    }

    /**
     * Logout a user by unsetting all login information
     *
     * See:
     * - https://secure.php.net/manual/en/function.setcookie.php
     */
    public function logout()
    {
        if (isset($this->session)) {
            unset($this->session['ip']);
            unset($this->session['expires_on']);
            unset($this->session['username']);
            unset($this->session['visibility']);
            unset($this->session['untaggedonly']);
        }
    }

    /**
     * Check whether the session has expired
     *
     * @param string $clientIpId Client IP address identifier
     *
     * @return bool true if the session has expired, false otherwise
     */
    public function hasSessionExpired()
    {
        if (empty($this->session['expires_on'])) {
            return true;
        }
        if (time() >= $this->session['expires_on']) {
            return true;
        }
        return false;
    }

    /**
     * Check whether the client IP address has changed
     *
     * @param string $clientIpId Client IP address identifier
     *
     * @return bool true if the IP has changed, false if it has not, or
     *              if session protection has been disabled
     */
    public function hasClientIpChanged($clientIpId)
    {
        if ($this->conf->get('security.session_protection_disabled') === true) {
            return false;
        }
        if (isset($this->session['ip']) && $this->session['ip'] === $clientIpId) {
            return false;
        }
        return true;
    }
}
Commit	Line	Data
ebd650c0	1	<?php
fab87c26	2	namespace Shaarli\Security;
ebd650c0	3
c7721487 V	4	use Shaarli\Config\ConfigManager;
c7721487 V	5
ebd650c0 V	6	/**
	7	* Manages the server-side session
	8	*/
	9	class SessionManager
	10	{
c7721487	11	/** @var int Session expiration timeout, in seconds */
51f0128c V	12	public static $SHORT_TIMEOUT = 3600; // 1 hour
	13
	14	/** @var int Session expiration timeout, in seconds */
	15	public static $LONG_TIMEOUT = 31536000; // 1 year
db45a36a	16
c7721487	17	/** @var array Local reference to the global $_SESSION array */
ebd650c0 V	18	protected $session = [];
ebd650c0 V	19
c7721487	20	/ @var ConfigManager Configuration Manager instance /
49f18323 V	21	protected $conf = null;
49f18323 V	22
51f0128c V	23	/** @var bool Whether the user should stay signed in (LONG_TIMEOUT) */
	24	protected $staySignedIn = false;
	25
ebd650c0 V	26	/**
	27	* Constructor
	28	*
	29	* @param array $session The $_SESSION array (reference)
dd883aaf	30	* @param ConfigManager $conf ConfigManager instance
ebd650c0	31	*/
dd883aaf	32	public function __construct(& $session, $conf)
ebd650c0 V	33	{
ebd650c0 V	34	$this->session = &$session;
dd883aaf	35	$this->conf = $conf;
ebd650c0 V	36	}
ebd650c0 V	37
51f0128c V	38	/**
	39	* Define whether the user should stay signed in across browser sessions
	40	*
	41	* @param bool $staySignedIn Keep the user signed in
	42	*/
	43	public function setStaySignedIn($staySignedIn)
	44	{
	45	$this->staySignedIn = $staySignedIn;
	46	}
	47
ebd650c0 V	48	/**
	49	* Generates a session token
	50	*
	51	* @return string token
	52	*/
	53	public function generateToken()
	54	{
	55	$token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
	56	$this->session['tokens'][$token] = 1;
	57	return $token;
	58	}
	59
	60	/**
	61	* Checks the validity of a session token, and destroys it afterwards
	62	*
	63	* @param string $token The token to check
	64	*
	65	* @return bool true if the token is valid, else false
	66	*/
	67	public function checkToken($token)
	68	{
	69	if (! isset($this->session['tokens'][$token])) {
	70	// the token is wrong, or has already been used
	71	return false;
	72	}
	73
	74	// destroy the token to prevent future use
	75	unset($this->session['tokens'][$token]);
	76	return true;
	77	}
fd7d8461 V	78
	79	/**
	80	* Validate session ID to prevent Full Path Disclosure.
	81	*
	82	* See #298.
	83	* The session ID's format depends on the hash algorithm set in PHP settings
	84	*
	85	* @param string $sessionId Session ID
	86	*
	87	* @return true if valid, false otherwise.
	88	*
	89	* @see http://php.net/manual/en/function.hash-algos.php
	90	* @see http://php.net/manual/en/session.configuration.php
	91	*/
	92	public static function checkId($sessionId)
	93	{
	94	if (empty($sessionId)) {
	95	return false;
	96	}
	97
	98	if (!$sessionId) {
	99	return false;
	100	}
	101
	102	if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
	103	return false;
	104	}
	105
	106	return true;
	107	}
49f18323 V	108
	109	/**
	110	* Store user login information after a successful login
	111	*
c7721487	112	* @param string $clientIpId Client IP address identifier
49f18323	113	*/
c7721487	114	public function storeLoginInfo($clientIpId)
49f18323	115	{
c7721487	116	$this->session['ip'] = $clientIpId;
49f18323	117	$this->session['username'] = $this->conf->get('credentials.login');
51f0128c	118	$this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
49f18323 V	119	}
49f18323 V	120
c7721487 V	121	/**
	122	* Extend session validity
	123	*/
	124	public function extendSession()
	125	{
51f0128c V	126	if ($this->staySignedIn) {
51f0128c V	127	return $this->extendTimeValidityBy(self::$LONG_TIMEOUT);
c7721487	128	}
51f0128c V	129	return $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
	130	}
	131
	132	/**
	133	* Extend expiration time
	134	*
	135	* @param int $duration Expiration time extension (seconds)
	136	*
	137	* @return int New session expiration time
	138	*/
	139	protected function extendTimeValidityBy($duration)
	140	{
	141	$expirationTime = time() + $duration;
	142	$this->session['expires_on'] = $expirationTime;
	143	return $expirationTime;
c7721487 V	144	}
c7721487 V	145
49f18323 V	146	/**
	147	* Logout a user by unsetting all login information
	148	*
	149	* See:
	150	* - https://secure.php.net/manual/en/function.setcookie.php
49f18323	151	*/
51f0128c	152	public function logout()
49f18323 V	153	{
49f18323 V	154	if (isset($this->session)) {
49f18323	155	unset($this->session['ip']);
51f0128c	156	unset($this->session['expires_on']);
49f18323 V	157	unset($this->session['username']);
	158	unset($this->session['visibility']);
	159	unset($this->session['untaggedonly']);
	160	}
49f18323	161	}
c7721487 V	162
	163	/**
	164	* Check whether the session has expired
	165	*
	166	* @param string $clientIpId Client IP address identifier
	167	*
	168	* @return bool true if the session has expired, false otherwise
	169	*/
	170	public function hasSessionExpired()
	171	{
8edd7f15 V	172	if (empty($this->session['expires_on'])) {
	173	return true;
	174	}
c7721487 V	175	if (time() >= $this->session['expires_on']) {
	176	return true;
	177	}
	178	return false;
	179	}
	180
	181	/**
	182	* Check whether the client IP address has changed
	183	*
	184	* @param string $clientIpId Client IP address identifier
	185	*
	186	* @return bool true if the IP has changed, false if it has not, or
	187	* if session protection has been disabled
	188	*/
	189	public function hasClientIpChanged($clientIpId)
	190	{
	191	if ($this->conf->get('security.session_protection_disabled') === true) {
	192	return false;
	193	}
8edd7f15	194	if (isset($this->session['ip']) && $this->session['ip'] === $clientIpId) {
c7721487 V	195	return false;
	196	}
	197	return true;
	198	}
ebd650c0	199	}