]>
Commit | Line | Data |
---|---|---|
e4d2565e | 1 | <?php |
2 | /** | |
3 | * Session management class | |
f6597c7c | 4 | * |
e4d2565e | 5 | * http://www.developpez.net/forums/d51943/php/langage/sessions/ |
6 | * http://sebsauvage.net/wiki/doku.php?id=php:session | |
7 | * http://sebsauvage.net/wiki/doku.php?id=php:shaarli | |
f6597c7c | 8 | * |
e4d2565e | 9 | * Features: |
10 | * - Everything is stored on server-side (we do not trust client-side data, | |
11 | * such as cookie expiration) | |
f6597c7c NL |
12 | * - IP addresses are checked on each access to prevent session cookie hijacking |
13 | * (such as Firesheep) | |
e4d2565e | 14 | * - Session expires on user inactivity (Session expiration date is |
15 | * automatically updated everytime the user accesses a page.) | |
16 | * - A unique secret key is generated on server-side for this session | |
f6597c7c NL |
17 | * (and never sent over the wire) which can be used to sign forms (HMAC) |
18 | * (See $_SESSION['uid']) | |
19 | * - Token management to prevent XSRF attacks | |
20 | * - Brute force protection with ban management | |
e4d2565e | 21 | * |
f6597c7c NL |
22 | * TODOs |
23 | * - Replace globals with variables in Session class | |
e4d2565e | 24 | * |
f6597c7c NL |
25 | * How to use: |
26 | * - http://tontof.net/kriss/php5/session | |
e4d2565e | 27 | */ |
e4d2565e | 28 | class Session |
29 | { | |
f6597c7c NL |
30 | // Personnalize PHP session name |
31 | public static $sessionName = ''; | |
e4d2565e | 32 | // If the user does not access any page within this time, |
f6597c7c | 33 | // his/her session is considered expired (3600 sec. = 1 hour) |
eb5b6772 | 34 | public static $inactivityTimeout = 3600; |
a0aa1504 | 35 | // Extra timeout for long sessions (if enabled) (82800 sec. = 23 hours) |
eb5b6772 | 36 | public static $longSessionTimeout = 7776000; // 7776000 = 90 days |
f6597c7c NL |
37 | // If you get disconnected often or if your IP address changes often. |
38 | // Let you disable session cookie hijacking protection | |
39 | public static $disableSessionProtection = false; | |
40 | // Ban IP after this many failures. | |
41 | public static $banAfter = 4; | |
42 | // Ban duration for IP address after login failures (in seconds). | |
43 | // (1800 sec. = 30 minutes) | |
44 | public static $banDuration = 1800; | |
45 | // File storage for failures and bans. If empty, no ban management. | |
46 | public static $banFile = ''; | |
e4d2565e | 47 | |
f6597c7c NL |
48 | /** |
49 | * Initialize session | |
50 | */ | |
eb5b6772 | 51 | public static function init($longlastingsession = false) |
e4d2565e | 52 | { |
eb5b6772 | 53 | //check if session name is correct |
ad53faf2 | 54 | if ( (session_id() && !empty(self::$sessionName) && session_name()!=self::$sessionName) || $longlastingsession ) { |
eb5b6772 MR |
55 | session_destroy(); |
56 | } | |
57 | ||
f6597c7c NL |
58 | // Force cookie path (but do not change lifetime) |
59 | $cookie = session_get_cookie_params(); | |
60 | // Default cookie expiration and path. | |
61 | $cookiedir = ''; | |
62 | if (dirname($_SERVER['SCRIPT_NAME'])!='/') { | |
63 | $cookiedir = dirname($_SERVER["SCRIPT_NAME"]).'/'; | |
64 | } | |
65 | $ssl = false; | |
66 | if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") { | |
67 | $ssl = true; | |
68 | } | |
eb5b6772 MR |
69 | |
70 | if ( $longlastingsession ) { | |
03832b45 | 71 | session_set_cookie_params(self::$longSessionTimeout, $cookiedir, null, $ssl, true); |
eb5b6772 MR |
72 | } |
73 | else { | |
03832b45 | 74 | session_set_cookie_params(0, $cookiedir, null, $ssl, true); |
eb5b6772 | 75 | } |
2a971942 MR |
76 | //set server side valid session timeout |
77 | //WARNING! this may not work in shared session environment. See http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime about min value: it can be set in any application | |
78 | ini_set('session.gc_maxlifetime', self::$longSessionTimeout); | |
eb5b6772 | 79 | |
e4d2565e | 80 | // Use cookies to store session. |
81 | ini_set('session.use_cookies', 1); | |
82 | // Force cookies for session (phpsessionID forbidden in URL) | |
83 | ini_set('session.use_only_cookies', 1); | |
eb5b6772 | 84 | if ( !session_id() ) { |
e4d2565e | 85 | // Prevent php to use sessionID in URL if cookies are disabled. |
86 | ini_set('session.use_trans_sid', false); | |
f6597c7c NL |
87 | if (!empty(self::$sessionName)) { |
88 | session_name(self::$sessionName); | |
89 | } | |
90 | session_start(); | |
e4d2565e | 91 | } |
92 | } | |
93 | ||
f6597c7c NL |
94 | /** |
95 | * Returns the IP address | |
96 | * (Used to prevent session cookie hijacking.) | |
97 | * | |
98 | * @return string IP addresses | |
99 | */ | |
100 | private static function _allIPs() | |
e4d2565e | 101 | { |
f6597c7c NL |
102 | $ip = $_SERVER["REMOTE_ADDR"]; |
103 | $ip.= isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? '_'.$_SERVER['HTTP_X_FORWARDED_FOR'] : ''; | |
104 | $ip.= isset($_SERVER['HTTP_CLIENT_IP']) ? '_'.$_SERVER['HTTP_CLIENT_IP'] : ''; | |
e4d2565e | 105 | |
f6597c7c | 106 | return $ip; |
e4d2565e | 107 | } |
108 | ||
f6597c7c NL |
109 | /** |
110 | * Check that user/password is correct and then init some SESSION variables. | |
111 | * | |
112 | * @param string $login Login reference | |
113 | * @param string $password Password reference | |
114 | * @param string $loginTest Login to compare with login reference | |
115 | * @param string $passwordTest Password to compare with password reference | |
116 | * @param array $pValues Array of variables to store in SESSION | |
117 | * | |
118 | * @return true|false True if login and password are correct, false | |
119 | * otherwise | |
120 | */ | |
121 | public static function login ( | |
122 | $login, | |
123 | $password, | |
124 | $loginTest, | |
125 | $passwordTest, | |
a0aa1504 | 126 | $longlastingsession, |
f6597c7c | 127 | $pValues = array()) |
e4d2565e | 128 | { |
f6597c7c NL |
129 | self::banInit(); |
130 | if (self::banCanLogin()) { | |
131 | if ($login === $loginTest && $password === $passwordTest) { | |
132 | self::banLoginOk(); | |
eb5b6772 MR |
133 | |
134 | self::init($longlastingsession); | |
135 | ||
f6597c7c NL |
136 | // Generate unique random number to sign forms (HMAC) |
137 | $_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand()); | |
138 | $_SESSION['ip'] = self::_allIPs(); | |
139 | $_SESSION['username'] = $login; | |
140 | // Set session expiration. | |
141 | $_SESSION['expires_on'] = time() + self::$inactivityTimeout; | |
a0aa1504 DS |
142 | if ($longlastingsession) { |
143 | $_SESSION['longlastingsession'] = self::$longSessionTimeout; | |
144 | $_SESSION['expires_on'] += $_SESSION['longlastingsession']; | |
145 | } | |
146 | ||
f6597c7c NL |
147 | foreach ($pValues as $key => $value) { |
148 | $_SESSION[$key] = $value; | |
149 | } | |
150 | ||
151 | return true; | |
152 | } | |
153 | self::banLoginFailed(); | |
e4d2565e | 154 | } |
f6597c7c | 155 | |
eb5b6772 | 156 | self::init(); |
e4d2565e | 157 | return false; |
158 | } | |
159 | ||
f6597c7c NL |
160 | /** |
161 | * Unset SESSION variable to force logout | |
162 | */ | |
e4d2565e | 163 | public static function logout() |
164 | { | |
71b0d53c NL |
165 | // unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['longlastingsession'], $_SESSION['poche_user']); |
166 | ||
167 | // Destruction du cookie (le code peut paraître complexe mais c'est pour être certain de reprendre les mêmes paramètres) | |
168 | $args = array_merge(array(session_name(), ''), array_values(session_get_cookie_params())); | |
169 | $args[2] = time() - 3600; | |
170 | call_user_func_array('setcookie', $args); | |
171 | // Suppression physique de la session | |
172 | session_destroy(); | |
e4d2565e | 173 | } |
174 | ||
f6597c7c NL |
175 | /** |
176 | * Make sure user is logged in. | |
177 | * | |
178 | * @return true|false True if user is logged in, false otherwise | |
179 | */ | |
e4d2565e | 180 | public static function isLogged() |
181 | { | |
182 | if (!isset ($_SESSION['uid']) | |
f6597c7c NL |
183 | || (self::$disableSessionProtection === false |
184 | && $_SESSION['ip'] !== self::_allIPs()) | |
185 | || time() >= $_SESSION['expires_on']) { | |
ad53faf2 | 186 | //self::logout(); |
f6597c7c | 187 | |
e4d2565e | 188 | return false; |
189 | } | |
190 | // User accessed a page : Update his/her session expiration date. | |
f6597c7c NL |
191 | $_SESSION['expires_on'] = time() + self::$inactivityTimeout; |
192 | if (!empty($_SESSION['longlastingsession'])) { | |
193 | $_SESSION['expires_on'] += $_SESSION['longlastingsession']; | |
194 | } | |
195 | ||
e4d2565e | 196 | return true; |
197 | } | |
198 | ||
f6597c7c NL |
199 | /** |
200 | * Create a token, store it in SESSION and return it | |
201 | * | |
202 | * @param string $salt to prevent birthday attack | |
203 | * | |
204 | * @return string Token created | |
205 | */ | |
206 | public static function getToken($salt = '') | |
e4d2565e | 207 | { |
f6597c7c | 208 | if (!isset($_SESSION['tokens'])) { |
e4d2565e | 209 | $_SESSION['tokens']=array(); |
210 | } | |
211 | // We generate a random string and store it on the server side. | |
f6597c7c | 212 | $rnd = sha1(uniqid('', true).'_'.mt_rand().$salt); |
e4d2565e | 213 | $_SESSION['tokens'][$rnd]=1; |
f6597c7c | 214 | |
e4d2565e | 215 | return $rnd; |
216 | } | |
217 | ||
f6597c7c NL |
218 | /** |
219 | * Tells if a token is ok. Using this function will destroy the token. | |
220 | * | |
221 | * @param string $token Token to test | |
222 | * | |
223 | * @return true|false True if token is correct, false otherwise | |
224 | */ | |
e4d2565e | 225 | public static function isToken($token) |
226 | { | |
f6597c7c | 227 | if (isset($_SESSION['tokens'][$token])) { |
e4d2565e | 228 | unset($_SESSION['tokens'][$token]); // Token is used: destroy it. |
f6597c7c | 229 | |
e4d2565e | 230 | return true; // Token is ok. |
231 | } | |
f6597c7c | 232 | |
e4d2565e | 233 | return false; // Wrong token, or already used. |
234 | } | |
f6597c7c NL |
235 | |
236 | /** | |
237 | * Signal a failed login. Will ban the IP if too many failures: | |
238 | */ | |
239 | public static function banLoginFailed() | |
240 | { | |
241 | if (self::$banFile !== '') { | |
242 | $ip = $_SERVER["REMOTE_ADDR"]; | |
243 | $gb = $GLOBALS['IPBANS']; | |
244 | ||
245 | if (!isset($gb['FAILURES'][$ip])) { | |
246 | $gb['FAILURES'][$ip] = 0; | |
247 | } | |
248 | $gb['FAILURES'][$ip]++; | |
249 | if ($gb['FAILURES'][$ip] > (self::$banAfter - 1)) { | |
250 | $gb['BANS'][$ip]= time() + self::$banDuration; | |
251 | } | |
252 | ||
253 | $GLOBALS['IPBANS'] = $gb; | |
254 | file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>"); | |
255 | } | |
256 | } | |
257 | ||
258 | /** | |
259 | * Signals a successful login. Resets failed login counter. | |
260 | */ | |
261 | public static function banLoginOk() | |
262 | { | |
263 | if (self::$banFile !== '') { | |
264 | $ip = $_SERVER["REMOTE_ADDR"]; | |
265 | $gb = $GLOBALS['IPBANS']; | |
266 | unset($gb['FAILURES'][$ip]); unset($gb['BANS'][$ip]); | |
267 | $GLOBALS['IPBANS'] = $gb; | |
268 | file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>"); | |
269 | } | |
270 | } | |
271 | ||
272 | /** | |
273 | * Ban init | |
274 | */ | |
275 | public static function banInit() | |
276 | { | |
277 | if (self::$banFile !== '') { | |
278 | if (!is_file(self::$banFile)) { | |
279 | file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export(array('FAILURES'=>array(), 'BANS'=>array()), true).";\n?>"); | |
280 | } | |
281 | include self::$banFile; | |
282 | } | |
283 | } | |
284 | ||
285 | /** | |
286 | * Checks if the user CAN login. If 'true', the user can try to login. | |
287 | * | |
288 | * @return boolean true if user is banned, false otherwise | |
289 | */ | |
290 | public static function banCanLogin() | |
291 | { | |
292 | if (self::$banFile !== '') { | |
293 | $ip = $_SERVER["REMOTE_ADDR"]; | |
294 | $gb = $GLOBALS['IPBANS']; | |
295 | if (isset($gb['BANS'][$ip])) { | |
296 | // User is banned. Check if the ban has expired: | |
297 | if ($gb['BANS'][$ip] <= time()) { | |
298 | // Ban expired, user can try to login again. | |
299 | unset($gb['FAILURES'][$ip]); | |
300 | unset($gb['BANS'][$ip]); | |
301 | file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>"); | |
302 | ||
303 | return true; // Ban has expired, user can login. | |
304 | } | |
305 | ||
306 | return false; // User is banned. | |
307 | } | |
308 | } | |
309 | ||
310 | return true; // User is not banned. | |
311 | } | |
312 | } |