X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;ds=sidebyside;f=inc%2F3rdparty%2FSession.class.php;h=b56e4c545b23fa815d53c63b7c8e2a66e33cd0b7;hb=5af2555f59f13e06cf0ae65e5c0265d1d10bead8;hp=df913a0680f4e5e3c8ed9906a0d57e72429445d3;hpb=79026b73a804d1fe3715c3edf5bc2cfb1e56732c;p=github%2Fwallabag%2Fwallabag.git
diff --git a/inc/3rdparty/Session.class.php b/inc/3rdparty/Session.class.php
index df913a06..b56e4c54 100644
--- a/inc/3rdparty/Session.class.php
+++ b/inc/3rdparty/Session.class.php
@@ -32,6 +32,8 @@ class Session
 // If the user does not access any page within this time,
 // his/her session is considered expired (3600 sec. = 1 hour)
 public static $inactivityTimeout = 3600;
+ // Extra timeout for long sessions (if enabled) (82800 sec. = 23 hours)
+ public static $longSessionTimeout = 7776000; // 7776000 = 90 days
 // If you get disconnected often or if your IP address changes often.
 // Let you disable session cookie hijacking protection
 public static $disableSessionProtection = false;
@@ -46,8 +48,13 @@ class Session
 /**
 * Initialize session
 */
- public static function init()
+ public static function init($longlastingsession = false)
 {
+ //check if session name is correct
+ if ( (session_id() && !empty(self::$sessionName) && session_name()!=self::$sessionName) || $longlastingsession ) {
+ session_destroy();
+ }
+
 // Force cookie path (but do not change lifetime)
 $cookie = session_get_cookie_params();
 // Default cookie expiration and path.
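Review bot: The comment added above `$longSessionTimeout` says `(82800 sec. = 23 hours)` while the value and its trailing comment say 7776000 = 90 days; the two disagree and the 23-hour figure looks like a leftover from an earlier draft. Because this same value is also written into `session.gc_maxlifetime` later in this commit, the comment should state both roles in one place: `// Lifetime of a long-lasting ("remember me") session cookie and of its server-side data (7776000 sec. = 90 days)`, and the duplicated trailing `// 7776000 = 90 days` can go.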
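Review bot: `session_destroy()` is now reached whenever `$longlastingsession` is true, even when no session is active (the `session_id()` test only guards the name-mismatch half of the condition), which makes PHP emit a "Trying to destroy uninitialized session" warning. When a session is active, destroying it neither empties `$_SESSION` nor changes the ID in the browser's cookie, so the session that is presumably started in the rest of init() (outside this hunk) resumes under the same ID with the old data still in memory. Guarding the whole condition and clearing the array is enough here: `if (session_id() && ((!empty(self::$sessionName) && session_name() !== self::$sessionName) || $longlastingsession)) {` followed by `$_SESSION = array(); session_destroy();`. The loose `!=` on two strings is harmless but `!==` matches the strict comparisons used elsewhere in the file.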
@@ -59,12 +66,22 @@ class Session
 if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
 $ssl = true;
 }
- session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['HTTP_HOST'], $ssl);
+
+ if ( $longlastingsession ) {
+ session_set_cookie_params(self::$longSessionTimeout, $cookiedir, null, $ssl, true);
+ }
+ else {
+ session_set_cookie_params(0, $cookiedir, null, $ssl, true);
+ }
+ //set server side valid session timeout
+ //WARNING! this may not work in shared session environment. See http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime about min value: it can be set in any application
+ ini_set('session.gc_maxlifetime', self::$longSessionTimeout);
+
 // Use cookies to store session.
 ini_set('session.use_cookies', 1);
 // Force cookies for session (phpsessionID forbidden in URL)
 ini_set('session.use_only_cookies', 1);
- if (!session_id()) {
+ if ( !session_id() ) {
 // Prevent php to use sessionID in URL if cookies are disabled.
 ini_set('session.use_trans_sid', false);
 if (!empty(self::$sessionName)) {
@@ -106,19 +123,27 @@ class Session
 $password,
 $loginTest,
 $passwordTest,
+ $longlastingsession,
 $pValues = array())
 {
 self::banInit();
 if (self::banCanLogin()) {
 if ($login === $loginTest && $password === $passwordTest) {
 self::banLoginOk();
+
+ self::init($longlastingsession);
+
 // Generate unique random number to sign forms (HMAC)
 $_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());
 $_SESSION['ip'] = self::_allIPs();
 $_SESSION['username'] = $login;
 // Set session expiration.
 $_SESSION['expires_on'] = time() + self::$inactivityTimeout;
-
+ if ($longlastingsession) {
+ $_SESSION['longlastingsession'] = self::$longSessionTimeout;
+ $_SESSION['expires_on'] += $_SESSION['longlastingsession'];
+ }
+
 foreach ($pValues as $key => $value) {
 $_SESSION[$key] = $value;
 }
@@ -128,6 +153,7 @@ class Session
 self::banLoginFailed();
 }
 
+ self::init();
 return false;
 }
 
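Review bot: `ini_set('session.gc_maxlifetime', self::$longSessionTimeout)` is applied on every request regardless of `$longlastingsession`, so the server-side data of ordinary one-hour sessions is now also kept for 90 days by the garbage collector, and the inactivity timeout is enforced only by the `expires_on` comparison elsewhere in the class. That is probably unavoidable — gc_maxlifetime governs the whole save path, and a short-session request that lowered it would let GC purge long sessions — but the reasoning should replace the current WARNING line, e.g. `// Must be the longest lifetime we ever issue: gc runs with this request's value and would purge long sessions otherwise; short sessions are expired by the expires_on check, not by gc.` The `}` / `else {` split across two lines is the only place in this file using that brace style; `} else {` matches the surrounding code.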
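Review bot: `self::init($longlastingsession)` after the credential check does not rotate the session ID: with `$longlastingsession` true, init() destroys the session and it is reopened under the ID the browser already sent, and with it false init() leaves the session untouched, so an ID fixed before login is carried into the authenticated session, which can now live up to 90 days. Add `session_regenerate_id(true);` immediately after the `self::init($longlastingsession);` line, before `$_SESSION['uid']` and the other login data are written. Separately, the new `$longlastingsession` parameter is inserted before `$pValues = array()` without a default, which breaks any caller that passed `$pValues` positionally (callers are not shown); `$longlastingsession = false,` keeps the old call sites working. The function's signature begins outside the hunk.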
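Review bot: `self::init()` on the failure path runs after `banInit()` and `banLoginFailed()` have already read and written `$_SESSION`, i.e. with a session active; at that point the `session_set_cookie_params()` and `ini_set()` calls inside init() have no effect on the current session (and raise a warning from PHP 7.2 on), so the call is either a no-op or a source of noise. If the intent is to restore the short-session cookie parameters for the next request, say so: `// Re-apply the short-session cookie parameters after a failed attempt`; otherwise the line can be dropped. I am inferring the intent from the success path, which calls init() with the flag.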
@@ -136,7 +162,14 @@ class Session
 */
 public static function logout()
 {
- unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['poche_user']);
+ // unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['longlastingsession'], $_SESSION['poche_user']);
+
+ // Destruction du cookie (le code peut paraître complexe mais c'est pour être certain de reprendre les mêmes paramètres)
+ $args = array_merge(array(session_name(), ''), array_values(session_get_cookie_params()));
+ $args[2] = time() - 3600;
+ call_user_func_array('setcookie', $args);
+ // Suppression physique de la session
+ session_destroy();
 }
 
 /**
@@ -150,7 +183,7 @@ class Session
 || (self::$disableSessionProtection === false
 && $_SESSION['ip'] !== self::_allIPs())
 || time() >= $_SESSION['expires_on']) {
- self::logout();
+ //self::logout();
 return false;
 }
 
@@ -276,4 +309,38 @@ class Session
 return true; // User is not banned.
 }
 
+
+ /**
+ * Tells if a param exists in session
+ *
+ * @param $name name of the param to test
+ * @return bool
+ */
+ public static function isInSession($name)
+ {
+ return (isset($_SESSION[$name]) ? : FALSE);
+ }
+
+ /**
+ * Returns param in session
+ *
+ * @param $name name of the param to return
+ * @return mixed param or null
+ */
+ public static function getParam($name)
+ {
+ return (self::isInSession($name) ? $_SESSION[$name] : NULL);
+ }
+
+ /**
+ * Store value in session
+ *
+ * @param $name name of the variable to store
+ * @param $value value to store
+ */
+ public static function setParam($name, $value)
+ {
+ $_SESSION[$name] = $value;
+ }
 }
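Review bot: `session_destroy()` does not empty `$_SESSION` for the remainder of the current request, so any code that runs after logout() in the same request and reads `$_SESSION['uid']` or `$_SESSION['expires_on']` still sees the user as logged in; add `$_SESSION = array();` before `session_destroy()`, as the PHP manual's logout sequence does. Expiring the cookie through `array_values(session_get_cookie_params())` depends on the array order matching setcookie()'s positional parameters; that holds for lifetime/path/domain/secure/httponly, but newer PHP versions add a `samesite` key that would become an eighth positional argument, so `$p = session_get_cookie_params(); setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);` is both explicit and forward-compatible. The commented-out `unset(...)` line should be deleted rather than kept, and the two French comments should be in English like the rest of the file.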
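Review bot: Commenting out `self::logout()` means a session that fails the IP-binding check or has passed `expires_on` is no longer invalidated — the function just returns false while the cookie and the server-side data (now kept for 90 days by the gc_maxlifetime set elsewhere in this commit) stay valid, so an expired or suspected-hijacked session survives unless every caller reacts to the false return by logging out. If logout() was disabled here because it now destroys the session and that broke a caller, the minimum replacement in this branch is `$_SESSION = array(); session_destroy();`, or a comment stating where invalidation now happens. The enclosing function starts outside the hunk.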
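Review bot: In `isInSession()`, `isset($_SESSION[$name]) ? : FALSE` is just `isset($_SESSION[$name])` — the Elvis operator returns the boolean in either case — and because isset() is false for a key holding null, `getParam()` cannot distinguish "absent" from "stored as null" (both yield NULL) while `setParam($name, null)` makes `isInSession($name)` report false. Simplify to `return isset($_SESSION[$name]);`, or use `array_key_exists($name, $_SESSION)` if null values are meant to count as present. The docblocks should also declare types (`@param string $name`, `@param mixed $value`) and `setParam` a `@return void`, and `FALSE`/`NULL` should be lowercase like the rest of the file.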