]>
Commit | Line | Data |
---|---|---|
1 | <?php | |
2 | namespace Shaarli; | |
3 | ||
4 | /** | |
5 | * Manages the server-side session | |
6 | */ | |
7 | class SessionManager | |
8 | { | |
9 | protected $session = []; | |
10 | ||
11 | /** | |
12 | * Constructor | |
13 | * | |
14 | * @param array $session The $_SESSION array (reference) | |
15 | * @param ConfigManager $conf ConfigManager instance | |
16 | */ | |
17 | public function __construct(& $session, $conf) | |
18 | { | |
19 | $this->session = &$session; | |
20 | $this->conf = $conf; | |
21 | } | |
22 | ||
23 | /** | |
24 | * Generates a session token | |
25 | * | |
26 | * @return string token | |
27 | */ | |
28 | public function generateToken() | |
29 | { | |
30 | $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt')); | |
31 | $this->session['tokens'][$token] = 1; | |
32 | return $token; | |
33 | } | |
34 | ||
35 | /** | |
36 | * Checks the validity of a session token, and destroys it afterwards | |
37 | * | |
38 | * @param string $token The token to check | |
39 | * | |
40 | * @return bool true if the token is valid, else false | |
41 | */ | |
42 | public function checkToken($token) | |
43 | { | |
44 | if (! isset($this->session['tokens'][$token])) { | |
45 | // the token is wrong, or has already been used | |
46 | return false; | |
47 | } | |
48 | ||
49 | // destroy the token to prevent future use | |
50 | unset($this->session['tokens'][$token]); | |
51 | return true; | |
52 | } | |
53 | ||
54 | /** | |
55 | * Validate session ID to prevent Full Path Disclosure. | |
56 | * | |
57 | * See #298. | |
58 | * The session ID's format depends on the hash algorithm set in PHP settings | |
59 | * | |
60 | * @param string $sessionId Session ID | |
61 | * | |
62 | * @return true if valid, false otherwise. | |
63 | * | |
64 | * @see http://php.net/manual/en/function.hash-algos.php | |
65 | * @see http://php.net/manual/en/session.configuration.php | |
66 | */ | |
67 | public static function checkId($sessionId) | |
68 | { | |
69 | if (empty($sessionId)) { | |
70 | return false; | |
71 | } | |
72 | ||
73 | if (!$sessionId) { | |
74 | return false; | |
75 | } | |
76 | ||
77 | if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) { | |
78 | return false; | |
79 | } | |
80 | ||
81 | return true; | |
82 | } | |
83 | } |