-function setup_login_state($conf)
-{
- if ($conf->get('security.open_shaarli')) {
- return true;
- }
- $userIsLoggedIn = false; // By default, we do not consider the user as logged in;
- $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.
- if (! $conf->exists('credentials.login')) {
- $userIsLoggedIn = false; // Shaarli is not configured yet.
- $loginFailure = true;
- }
- if (isset($_COOKIE['shaarli_staySignedIn']) &&
- $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
- !$loginFailure)
- {
- fillSessionInfo($conf);
- $userIsLoggedIn = true;
- }
- // If session does not exist on server side, or IP address has changed, or session has expired, logout.
- if (empty($_SESSION['uid'])
- || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs())
- || time() >= $_SESSION['expires_on'])
- {
- logout();
- $userIsLoggedIn = false;
- $loginFailure = true;
- }
- if (!empty($_SESSION['longlastingsession'])) {
- $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
- }
- else {
- $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
- }
- if (!$loginFailure) {
- $userIsLoggedIn = true;
- }
-
- return $userIsLoggedIn;
-}
-$userIsLoggedIn = setup_login_state($conf);
-
-// ------------------------------------------------------------------------------------------
-// Session management
-
-// Returns the IP address of the client (Used to prevent session cookie hijacking.)
-function allIPs()
-{
- $ip = $_SERVER['REMOTE_ADDR'];
- // Then we use more HTTP headers to prevent session hijacking from users behind the same proxy.
- if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip=$ip.'_'.$_SERVER['HTTP_X_FORWARDED_FOR']; }
- if (isset($_SERVER['HTTP_CLIENT_IP'])) { $ip=$ip.'_'.$_SERVER['HTTP_CLIENT_IP']; }
- return $ip;
-}
-
-/**
- * Load user session.
- *
- * @param ConfigManager $conf Configuration Manager instance.
- */
-function fillSessionInfo($conf)
-{
- $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
- $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked.
- $_SESSION['username']= $conf->get('credentials.login');
- $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.
-}
-
-/**
- * Check that user/password is correct.
- *
- * @param string $login Username
- * @param string $password User password
- * @param ConfigManager $conf Configuration Manager instance.
- *
- * @return bool: authentication successful or not.
- */
-function check_auth($login, $password, $conf)
-{
- $hash = sha1($password . $login . $conf->get('credentials.salt'));
- if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash'))
- { // Login/password is correct.
- fillSessionInfo($conf);
- logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');
- return true;
- }
- logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login failed for user '.$login);
- return false;
-}
-
-// Returns true if the user is logged in.