- install($conf);
-}
-
-// a token depending of deployment salt, user password, and the current ip
-define('STAY_SIGNED_IN_TOKEN', sha1($conf->get('credentials.hash') . $_SERVER['REMOTE_ADDR'] . $conf->get('credentials.salt')));
-
-// Sniff browser language and set date format accordingly.
-if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) {
- autoLocale($_SERVER['HTTP_ACCEPT_LANGUAGE']);
-}
-
-/**
- * Checking session state (i.e. is the user still logged in)
- *
- * @param ConfigManager $conf The configuration manager.
- *
- * @return bool: true if the user is logged in, false otherwise.
- */
-function setup_login_state($conf)
-{
- if ($conf->get('security.open_shaarli')) {
- return true;
- }
- $userIsLoggedIn = false; // By default, we do not consider the user as logged in;
- $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.
- if (! $conf->exists('credentials.login')) {
- $userIsLoggedIn = false; // Shaarli is not configured yet.
- $loginFailure = true;
- }
- if (isset($_COOKIE['shaarli_staySignedIn']) &&
- $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
- !$loginFailure)
- {
- fillSessionInfo($conf);
- $userIsLoggedIn = true;
- }
- // If session does not exist on server side, or IP address has changed, or session has expired, logout.
- if (empty($_SESSION['uid'])
- || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs())
- || time() >= $_SESSION['expires_on'])
- {
- logout();
- $userIsLoggedIn = false;
- $loginFailure = true;
- }
- if (!empty($_SESSION['longlastingsession'])) {
- $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
- }
- else {
- $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
- }
- if (!$loginFailure) {
- $userIsLoggedIn = true;
- }
-
- return $userIsLoggedIn;
-}
-$userIsLoggedIn = setup_login_state($conf);
-
-// ------------------------------------------------------------------------------------------
-// Session management
-
-// Returns the IP address of the client (Used to prevent session cookie hijacking.)
-function allIPs()
-{
- $ip = $_SERVER['REMOTE_ADDR'];
- // Then we use more HTTP headers to prevent session hijacking from users behind the same proxy.
- if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip=$ip.'_'.$_SERVER['HTTP_X_FORWARDED_FOR']; }
- if (isset($_SERVER['HTTP_CLIENT_IP'])) { $ip=$ip.'_'.$_SERVER['HTTP_CLIENT_IP']; }
- return $ip;