]>
Commit | Line | Data |
---|---|---|
1 | <?php | |
2 | /** | |
3 | * Session management class | |
4 | * | |
5 | * http://www.developpez.net/forums/d51943/php/langage/sessions/ | |
6 | * http://sebsauvage.net/wiki/doku.php?id=php:session | |
7 | * http://sebsauvage.net/wiki/doku.php?id=php:shaarli | |
8 | * | |
9 | * Features: | |
10 | * - Everything is stored on server-side (we do not trust client-side data, | |
11 | * such as cookie expiration) | |
12 | * - IP addresses are checked on each access to prevent session cookie hijacking | |
13 | * (such as Firesheep) | |
14 | * - Session expires on user inactivity (Session expiration date is | |
15 | * automatically updated everytime the user accesses a page.) | |
16 | * - A unique secret key is generated on server-side for this session | |
17 | * (and never sent over the wire) which can be used to sign forms (HMAC) | |
18 | * (See $_SESSION['uid']) | |
19 | * - Token management to prevent XSRF attacks | |
20 | * - Brute force protection with ban management | |
21 | * | |
22 | * TODOs | |
23 | * - Replace globals with variables in Session class | |
24 | * | |
25 | * How to use: | |
26 | * - http://tontof.net/kriss/php5/session | |
27 | */ | |
28 | class Session | |
29 | { | |
30 | // Personnalize PHP session name | |
31 | public static $sessionName = ''; | |
32 | // If the user does not access any page within this time, | |
33 | // his/her session is considered expired (3600 sec. = 1 hour) | |
34 | public static $inactivityTimeout = 3600; | |
35 | // If you get disconnected often or if your IP address changes often. | |
36 | // Let you disable session cookie hijacking protection | |
37 | public static $disableSessionProtection = false; | |
38 | // Ban IP after this many failures. | |
39 | public static $banAfter = 4; | |
40 | // Ban duration for IP address after login failures (in seconds). | |
41 | // (1800 sec. = 30 minutes) | |
42 | public static $banDuration = 1800; | |
43 | // File storage for failures and bans. If empty, no ban management. | |
44 | public static $banFile = ''; | |
45 | ||
46 | /** | |
47 | * Initialize session | |
48 | */ | |
49 | public static function init() | |
50 | { | |
51 | // Force cookie path (but do not change lifetime) | |
52 | $cookie = session_get_cookie_params(); | |
53 | // Default cookie expiration and path. | |
54 | $cookiedir = ''; | |
55 | if (dirname($_SERVER['SCRIPT_NAME'])!='/') { | |
56 | $cookiedir = dirname($_SERVER["SCRIPT_NAME"]).'/'; | |
57 | } | |
58 | $ssl = false; | |
59 | if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") { | |
60 | $ssl = true; | |
61 | } | |
62 | session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['HTTP_HOST'], $ssl); | |
63 | // Use cookies to store session. | |
64 | ini_set('session.use_cookies', 1); | |
65 | // Force cookies for session (phpsessionID forbidden in URL) | |
66 | ini_set('session.use_only_cookies', 1); | |
67 | if (!session_id()) { | |
68 | // Prevent php to use sessionID in URL if cookies are disabled. | |
69 | ini_set('session.use_trans_sid', false); | |
70 | if (!empty(self::$sessionName)) { | |
71 | session_name(self::$sessionName); | |
72 | } | |
73 | session_start(); | |
74 | } | |
75 | } | |
76 | ||
77 | /** | |
78 | * Returns the IP address | |
79 | * (Used to prevent session cookie hijacking.) | |
80 | * | |
81 | * @return string IP addresses | |
82 | */ | |
83 | private static function _allIPs() | |
84 | { | |
85 | $ip = $_SERVER["REMOTE_ADDR"]; | |
86 | $ip.= isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? '_'.$_SERVER['HTTP_X_FORWARDED_FOR'] : ''; | |
87 | $ip.= isset($_SERVER['HTTP_CLIENT_IP']) ? '_'.$_SERVER['HTTP_CLIENT_IP'] : ''; | |
88 | ||
89 | return $ip; | |
90 | } | |
91 | ||
92 | /** | |
93 | * Check that user/password is correct and then init some SESSION variables. | |
94 | * | |
95 | * @param string $login Login reference | |
96 | * @param string $password Password reference | |
97 | * @param string $loginTest Login to compare with login reference | |
98 | * @param string $passwordTest Password to compare with password reference | |
99 | * @param array $pValues Array of variables to store in SESSION | |
100 | * | |
101 | * @return true|false True if login and password are correct, false | |
102 | * otherwise | |
103 | */ | |
104 | public static function login ( | |
105 | $login, | |
106 | $password, | |
107 | $loginTest, | |
108 | $passwordTest, | |
109 | $pValues = array()) | |
110 | { | |
111 | self::banInit(); | |
112 | if (self::banCanLogin()) { | |
113 | if ($login === $loginTest && $password === $passwordTest) { | |
114 | self::banLoginOk(); | |
115 | // Generate unique random number to sign forms (HMAC) | |
116 | $_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand()); | |
117 | $_SESSION['ip'] = self::_allIPs(); | |
118 | $_SESSION['username'] = $login; | |
119 | // Set session expiration. | |
120 | $_SESSION['expires_on'] = time() + self::$inactivityTimeout; | |
121 | ||
122 | foreach ($pValues as $key => $value) { | |
123 | $_SESSION[$key] = $value; | |
124 | } | |
125 | ||
126 | return true; | |
127 | } | |
128 | self::banLoginFailed(); | |
129 | } | |
130 | ||
131 | return false; | |
132 | } | |
133 | ||
134 | /** | |
135 | * Unset SESSION variable to force logout | |
136 | */ | |
137 | public static function logout() | |
138 | { | |
139 | unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['poche_user']); | |
140 | } | |
141 | ||
142 | /** | |
143 | * Make sure user is logged in. | |
144 | * | |
145 | * @return true|false True if user is logged in, false otherwise | |
146 | */ | |
147 | public static function isLogged() | |
148 | { | |
149 | if (!isset ($_SESSION['uid']) | |
150 | || (self::$disableSessionProtection === false | |
151 | && $_SESSION['ip'] !== self::_allIPs()) | |
152 | || time() >= $_SESSION['expires_on']) { | |
153 | self::logout(); | |
154 | ||
155 | return false; | |
156 | } | |
157 | // User accessed a page : Update his/her session expiration date. | |
158 | $_SESSION['expires_on'] = time() + self::$inactivityTimeout; | |
159 | if (!empty($_SESSION['longlastingsession'])) { | |
160 | $_SESSION['expires_on'] += $_SESSION['longlastingsession']; | |
161 | } | |
162 | ||
163 | return true; | |
164 | } | |
165 | ||
166 | /** | |
167 | * Create a token, store it in SESSION and return it | |
168 | * | |
169 | * @param string $salt to prevent birthday attack | |
170 | * | |
171 | * @return string Token created | |
172 | */ | |
173 | public static function getToken($salt = '') | |
174 | { | |
175 | if (!isset($_SESSION['tokens'])) { | |
176 | $_SESSION['tokens']=array(); | |
177 | } | |
178 | // We generate a random string and store it on the server side. | |
179 | $rnd = sha1(uniqid('', true).'_'.mt_rand().$salt); | |
180 | $_SESSION['tokens'][$rnd]=1; | |
181 | ||
182 | return $rnd; | |
183 | } | |
184 | ||
185 | /** | |
186 | * Tells if a token is ok. Using this function will destroy the token. | |
187 | * | |
188 | * @param string $token Token to test | |
189 | * | |
190 | * @return true|false True if token is correct, false otherwise | |
191 | */ | |
192 | public static function isToken($token) | |
193 | { | |
194 | if (isset($_SESSION['tokens'][$token])) { | |
195 | unset($_SESSION['tokens'][$token]); // Token is used: destroy it. | |
196 | ||
197 | return true; // Token is ok. | |
198 | } | |
199 | ||
200 | return false; // Wrong token, or already used. | |
201 | } | |
202 | ||
203 | /** | |
204 | * Signal a failed login. Will ban the IP if too many failures: | |
205 | */ | |
206 | public static function banLoginFailed() | |
207 | { | |
208 | if (self::$banFile !== '') { | |
209 | $ip = $_SERVER["REMOTE_ADDR"]; | |
210 | $gb = $GLOBALS['IPBANS']; | |
211 | ||
212 | if (!isset($gb['FAILURES'][$ip])) { | |
213 | $gb['FAILURES'][$ip] = 0; | |
214 | } | |
215 | $gb['FAILURES'][$ip]++; | |
216 | if ($gb['FAILURES'][$ip] > (self::$banAfter - 1)) { | |
217 | $gb['BANS'][$ip]= time() + self::$banDuration; | |
218 | } | |
219 | ||
220 | $GLOBALS['IPBANS'] = $gb; | |
221 | file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>"); | |
222 | } | |
223 | } | |
224 | ||
225 | /** | |
226 | * Signals a successful login. Resets failed login counter. | |
227 | */ | |
228 | public static function banLoginOk() | |
229 | { | |
230 | if (self::$banFile !== '') { | |
231 | $ip = $_SERVER["REMOTE_ADDR"]; | |
232 | $gb = $GLOBALS['IPBANS']; | |
233 | unset($gb['FAILURES'][$ip]); unset($gb['BANS'][$ip]); | |
234 | $GLOBALS['IPBANS'] = $gb; | |
235 | file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>"); | |
236 | } | |
237 | } | |
238 | ||
239 | /** | |
240 | * Ban init | |
241 | */ | |
242 | public static function banInit() | |
243 | { | |
244 | if (self::$banFile !== '') { | |
245 | if (!is_file(self::$banFile)) { | |
246 | file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export(array('FAILURES'=>array(), 'BANS'=>array()), true).";\n?>"); | |
247 | } | |
248 | include self::$banFile; | |
249 | } | |
250 | } | |
251 | ||
252 | /** | |
253 | * Checks if the user CAN login. If 'true', the user can try to login. | |
254 | * | |
255 | * @return boolean true if user is banned, false otherwise | |
256 | */ | |
257 | public static function banCanLogin() | |
258 | { | |
259 | if (self::$banFile !== '') { | |
260 | $ip = $_SERVER["REMOTE_ADDR"]; | |
261 | $gb = $GLOBALS['IPBANS']; | |
262 | if (isset($gb['BANS'][$ip])) { | |
263 | // User is banned. Check if the ban has expired: | |
264 | if ($gb['BANS'][$ip] <= time()) { | |
265 | // Ban expired, user can try to login again. | |
266 | unset($gb['FAILURES'][$ip]); | |
267 | unset($gb['BANS'][$ip]); | |
268 | file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>"); | |
269 | ||
270 | return true; // Ban has expired, user can login. | |
271 | } | |
272 | ||
273 | return false; // User is banned. | |
274 | } | |
275 | } | |
276 | ||
277 | return true; // User is not banned. | |
278 | } | |
279 | } |