]>
Commit | Line | Data |
---|---|---|
1 | <?php | |
2 | ||
3 | namespace Shaarli\Security; | |
4 | ||
5 | use Shaarli\Config\ConfigManager; | |
6 | ||
7 | /** | |
8 | * Manages the server-side session | |
9 | */ | |
10 | class SessionManager | |
11 | { | |
12 | public const KEY_LINKS_PER_PAGE = 'LINKS_PER_PAGE'; | |
13 | public const KEY_VISIBILITY = 'visibility'; | |
14 | public const KEY_UNTAGGED_ONLY = 'untaggedonly'; | |
15 | ||
16 | public const KEY_SUCCESS_MESSAGES = 'successes'; | |
17 | public const KEY_WARNING_MESSAGES = 'warnings'; | |
18 | public const KEY_ERROR_MESSAGES = 'errors'; | |
19 | ||
20 | /** @var int Session expiration timeout, in seconds */ | |
21 | public static $SHORT_TIMEOUT = 3600; // 1 hour | |
22 | ||
23 | /** @var int Session expiration timeout, in seconds */ | |
24 | public static $LONG_TIMEOUT = 31536000; // 1 year | |
25 | ||
26 | /** @var array Local reference to the global $_SESSION array */ | |
27 | protected $session = []; | |
28 | ||
29 | /** @var ConfigManager Configuration Manager instance **/ | |
30 | protected $conf = null; | |
31 | ||
32 | /** @var bool Whether the user should stay signed in (LONG_TIMEOUT) */ | |
33 | protected $staySignedIn = false; | |
34 | ||
35 | /** @var string */ | |
36 | protected $savePath; | |
37 | ||
38 | /** | |
39 | * Constructor | |
40 | * | |
41 | * @param array $session The $_SESSION array (reference) | |
42 | * @param ConfigManager $conf ConfigManager instance | |
43 | * @param string $savePath Session save path returned by builtin function session_save_path() | |
44 | */ | |
45 | public function __construct(&$session, $conf, string $savePath) | |
46 | { | |
47 | $this->session = &$session; | |
48 | $this->conf = $conf; | |
49 | $this->savePath = $savePath; | |
50 | } | |
51 | ||
52 | /** | |
53 | * Initialize XSRF token and links per page session variables. | |
54 | */ | |
55 | public function initialize(): void | |
56 | { | |
57 | if (!isset($this->session['tokens'])) { | |
58 | $this->session['tokens'] = []; | |
59 | } | |
60 | ||
61 | if (!isset($this->session['LINKS_PER_PAGE'])) { | |
62 | $this->session['LINKS_PER_PAGE'] = $this->conf->get('general.links_per_page', 20); | |
63 | } | |
64 | } | |
65 | ||
66 | /** | |
67 | * Define whether the user should stay signed in across browser sessions | |
68 | * | |
69 | * @param bool $staySignedIn Keep the user signed in | |
70 | */ | |
71 | public function setStaySignedIn($staySignedIn) | |
72 | { | |
73 | $this->staySignedIn = $staySignedIn; | |
74 | } | |
75 | ||
76 | /** | |
77 | * Generates a session token | |
78 | * | |
79 | * @return string token | |
80 | */ | |
81 | public function generateToken() | |
82 | { | |
83 | $token = sha1(uniqid('', true) . '_' . mt_rand() . $this->conf->get('credentials.salt')); | |
84 | $this->session['tokens'][$token] = 1; | |
85 | return $token; | |
86 | } | |
87 | ||
88 | /** | |
89 | * Checks the validity of a session token, and destroys it afterwards | |
90 | * | |
91 | * @param string $token The token to check | |
92 | * | |
93 | * @return bool true if the token is valid, else false | |
94 | */ | |
95 | public function checkToken($token) | |
96 | { | |
97 | if (! isset($this->session['tokens'][$token])) { | |
98 | // the token is wrong, or has already been used | |
99 | return false; | |
100 | } | |
101 | ||
102 | // destroy the token to prevent future use | |
103 | unset($this->session['tokens'][$token]); | |
104 | return true; | |
105 | } | |
106 | ||
107 | /** | |
108 | * Validate session ID to prevent Full Path Disclosure. | |
109 | * | |
110 | * See #298. | |
111 | * The session ID's format depends on the hash algorithm set in PHP settings | |
112 | * | |
113 | * @param string $sessionId Session ID | |
114 | * | |
115 | * @return true if valid, false otherwise. | |
116 | * | |
117 | * @see http://php.net/manual/en/function.hash-algos.php | |
118 | * @see http://php.net/manual/en/session.configuration.php | |
119 | */ | |
120 | public static function checkId($sessionId) | |
121 | { | |
122 | if (empty($sessionId)) { | |
123 | return false; | |
124 | } | |
125 | ||
126 | if (!$sessionId) { | |
127 | return false; | |
128 | } | |
129 | ||
130 | if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) { | |
131 | return false; | |
132 | } | |
133 | ||
134 | return true; | |
135 | } | |
136 | ||
137 | /** | |
138 | * Store user login information after a successful login | |
139 | * | |
140 | * @param string $clientIpId Client IP address identifier | |
141 | */ | |
142 | public function storeLoginInfo($clientIpId) | |
143 | { | |
144 | $this->session['ip'] = $clientIpId; | |
145 | $this->session['username'] = $this->conf->get('credentials.login'); | |
146 | $this->extendTimeValidityBy(self::$SHORT_TIMEOUT); | |
147 | } | |
148 | ||
149 | /** | |
150 | * Extend session validity | |
151 | */ | |
152 | public function extendSession() | |
153 | { | |
154 | if ($this->staySignedIn) { | |
155 | return $this->extendTimeValidityBy(self::$LONG_TIMEOUT); | |
156 | } | |
157 | return $this->extendTimeValidityBy(self::$SHORT_TIMEOUT); | |
158 | } | |
159 | ||
160 | /** | |
161 | * Extend expiration time | |
162 | * | |
163 | * @param int $duration Expiration time extension (seconds) | |
164 | * | |
165 | * @return int New session expiration time | |
166 | */ | |
167 | protected function extendTimeValidityBy($duration) | |
168 | { | |
169 | $expirationTime = time() + $duration; | |
170 | $this->session['expires_on'] = $expirationTime; | |
171 | return $expirationTime; | |
172 | } | |
173 | ||
174 | /** | |
175 | * Logout a user by unsetting all login information | |
176 | * | |
177 | * See: | |
178 | * - https://secure.php.net/manual/en/function.setcookie.php | |
179 | */ | |
180 | public function logout() | |
181 | { | |
182 | if (isset($this->session)) { | |
183 | unset($this->session['ip']); | |
184 | unset($this->session['expires_on']); | |
185 | unset($this->session['username']); | |
186 | unset($this->session['visibility']); | |
187 | } | |
188 | } | |
189 | ||
190 | /** | |
191 | * Check whether the session has expired | |
192 | * | |
193 | * @param string $clientIpId Client IP address identifier | |
194 | * | |
195 | * @return bool true if the session has expired, false otherwise | |
196 | */ | |
197 | public function hasSessionExpired() | |
198 | { | |
199 | if (empty($this->session['expires_on'])) { | |
200 | return true; | |
201 | } | |
202 | if (time() >= $this->session['expires_on']) { | |
203 | return true; | |
204 | } | |
205 | return false; | |
206 | } | |
207 | ||
208 | /** | |
209 | * Check whether the client IP address has changed | |
210 | * | |
211 | * @param string $clientIpId Client IP address identifier | |
212 | * | |
213 | * @return bool true if the IP has changed, false if it has not, or | |
214 | * if session protection has been disabled | |
215 | */ | |
216 | public function hasClientIpChanged($clientIpId) | |
217 | { | |
218 | if ($this->conf->get('security.session_protection_disabled') === true) { | |
219 | return false; | |
220 | } | |
221 | if (isset($this->session['ip']) && $this->session['ip'] === $clientIpId) { | |
222 | return false; | |
223 | } | |
224 | return true; | |
225 | } | |
226 | ||
227 | /** @return array Local reference to the global $_SESSION array */ | |
228 | public function getSession(): array | |
229 | { | |
230 | return $this->session; | |
231 | } | |
232 | ||
233 | /** | |
234 | * @param mixed $default value which will be returned if the $key is undefined | |
235 | * | |
236 | * @return mixed Content stored in session | |
237 | */ | |
238 | public function getSessionParameter(string $key, $default = null) | |
239 | { | |
240 | return $this->session[$key] ?? $default; | |
241 | } | |
242 | ||
243 | /** | |
244 | * Store a variable in user session. | |
245 | * | |
246 | * @param string $key Session key | |
247 | * @param mixed $value Session value to store | |
248 | * | |
249 | * @return $this | |
250 | */ | |
251 | public function setSessionParameter(string $key, $value): self | |
252 | { | |
253 | $this->session[$key] = $value; | |
254 | ||
255 | return $this; | |
256 | } | |
257 | ||
258 | /** | |
259 | * Store a variable in user session. | |
260 | * | |
261 | * @param string $key Session key | |
262 | * | |
263 | * @return $this | |
264 | */ | |
265 | public function deleteSessionParameter(string $key): self | |
266 | { | |
267 | unset($this->session[$key]); | |
268 | ||
269 | return $this; | |
270 | } | |
271 | ||
272 | public function getSavePath(): string | |
273 | { | |
274 | return $this->savePath; | |
275 | } | |
276 | ||
277 | /* | |
278 | * Next public functions wrapping native PHP session API. | |
279 | */ | |
280 | ||
281 | public function destroy(): bool | |
282 | { | |
283 | $this->session = []; | |
284 | ||
285 | return session_destroy(); | |
286 | } | |
287 | ||
288 | public function start(): bool | |
289 | { | |
290 | if (session_status() === PHP_SESSION_ACTIVE) { | |
291 | $this->destroy(); | |
292 | } | |
293 | ||
294 | return session_start(); | |
295 | } | |
296 | ||
297 | /** | |
298 | * Be careful, return type of session_set_cookie_params() changed between PHP 7.1 and 7.2. | |
299 | */ | |
300 | public function cookieParameters(int $lifeTime, string $path, string $domain): void | |
301 | { | |
302 | session_set_cookie_params($lifeTime, $path, $domain); | |
303 | } | |
304 | ||
305 | public function regenerateId(bool $deleteOldSession = false): bool | |
306 | { | |
307 | return session_regenerate_id($deleteOldSession); | |
308 | } | |
309 | } |