updated site_config

[github/wallabag/wallabag.git] / inc / 3rdparty / Session.class.php

diff --git a/inc/3rdparty/Session.class.php b/inc/3rdparty/Session.class.php
index 08126bade1200687ad26e4345d71eabe37a43dc0..b56e4c545b23fa815d53c63b7c8e2a66e33cd0b7 100644 (file)
--- a/inc/3rdparty/Session.class.php
+++ b/inc/3rdparty/Session.class.php
@@ -32,6 +32,8 @@ class Session
     // If the user does not access any page within this time,
     // his/her session is considered expired (3600 sec. = 1 hour)
     public static $inactivityTimeout = 3600;
+    // Extra timeout for long sessions (if enabled) (82800 sec. = 23 hours)
+    public static $longSessionTimeout = 7776000; // 7776000 = 90 days
     // If you get disconnected often or if your IP address changes often.
     // Let you disable session cookie hijacking protection
     public static $disableSessionProtection = false;
@@ -46,8 +48,13 @@ class Session
     /**
      * Initialize session
      */
-    public static function init()
+    public static function init($longlastingsession = false)
     {
+        //check if session name is correct
+        if ( (session_id() && !empty(self::$sessionName) && session_name()!=self::$sessionName) || $longlastingsession ) {
+            session_destroy();
+        }
+
         // Force cookie path (but do not change lifetime)
         $cookie = session_get_cookie_params();
         // Default cookie expiration and path.
@@ -59,12 +66,22 @@ class Session
         if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
             $ssl = true;
         }
-        session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['HTTP_HOST'], $ssl);
+
+        if ( $longlastingsession ) {
+            session_set_cookie_params(self::$longSessionTimeout, $cookiedir, null, $ssl, true);
+        }
+        else {
+            session_set_cookie_params(0, $cookiedir, null, $ssl, true);
+        }
+        //set server side valid session timeout
+        //WARNING! this may not work in shared session environment. See http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime about min value: it can be set in any application
+        ini_set('session.gc_maxlifetime', self::$longSessionTimeout);
+
         // Use cookies to store session.
         ini_set('session.use_cookies', 1);
         // Force cookies for session  (phpsessionID forbidden in URL)
         ini_set('session.use_only_cookies', 1);
-        if (!session_id()) {
+        if ( !session_id() ) {
             // Prevent php to use sessionID in URL if cookies are disabled.
             ini_set('session.use_trans_sid', false);
             if (!empty(self::$sessionName)) {
@@ -106,19 +123,27 @@ class Session
         $password,
         $loginTest,
         $passwordTest,
+       $longlastingsession,
         $pValues = array())
     {
         self::banInit();
         if (self::banCanLogin()) {
             if ($login === $loginTest && $password === $passwordTest) {
                 self::banLoginOk();
+
+                self::init($longlastingsession);
+
                 // Generate unique random number to sign forms (HMAC)
                 $_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());
                 $_SESSION['ip'] = self::_allIPs();
                 $_SESSION['username'] = $login;
                 // Set session expiration.
                 $_SESSION['expires_on'] = time() + self::$inactivityTimeout;
-
+                if ($longlastingsession) {
+                       $_SESSION['longlastingsession'] = self::$longSessionTimeout;
+                       $_SESSION['expires_on'] += $_SESSION['longlastingsession'];
+                }
+                
                 foreach ($pValues as $key => $value) {
                     $_SESSION[$key] = $value;
                 }
@@ -128,6 +153,7 @@ class Session
             self::banLoginFailed();
         }
 
+        self::init();
         return false;
     }
 
@@ -136,7 +162,14 @@ class Session
      */
     public static function logout()
     {
-        unset($_SESSION['uid'], $_SESSION['ip'], $_SESSION['expires_on']);
+        // unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['longlastingsession'], $_SESSION['poche_user']);
+        
+        // Destruction du cookie (le code peut paraître complexe mais c'est pour être certain de reprendre les mêmes paramètres)
+        $args = array_merge(array(session_name(), ''), array_values(session_get_cookie_params()));
+        $args[2] = time() - 3600;
+        call_user_func_array('setcookie', $args);
+        // Suppression physique de la session
+        session_destroy();
     }
 
     /**
@@ -150,7 +183,7 @@ class Session
             || (self::$disableSessionProtection === false
                 && $_SESSION['ip'] !== self::_allIPs())
             || time() >= $_SESSION['expires_on']) {
-            self::logout();
+            //self::logout();
 
             return false;
         }
@@ -276,4 +309,38 @@ class Session
 
         return true; // User is not banned.
     }
+
+
+    /**
+     * Tells if a param exists in session
+     *
+     * @param $name name of the param to test
+     * @return bool
+     */
+    public static function isInSession($name)
+    {
+        return (isset($_SESSION[$name]) ? : FALSE);
+    }
+
+    /**
+     * Returns param in session
+     *
+     * @param $name name of the param to return
+     * @return mixed param or null
+     */
+    public static function getParam($name)
+    {
+        return (self::isInSession($name) ? $_SESSION[$name] : NULL);
+    }
+
+    /**
+     * Store value in session
+     *
+     * @param $name     name of the variable to store
+     * @param $value    value to store
+     */
+    public static function setParam($name, $value)
+    {
+        $_SESSION[$name] = $value;
+    }
 }