X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=application%2Fsecurity%2FSessionManager.php;h=96bf193c1040debe1e14003c1f3eaab7deba71bf;hb=47d15818502b11315b484131aaf67a3e3f441c5a;hp=0dcd7f905f890a37a5e103fa65deb96cd9aaa4f1;hpb=51f0128cdba52099c40693379e72f094b42a6f80;p=github%2Fshaarli%2FShaarli.git diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php index 0dcd7f90..96bf193c 100644 --- a/application/security/SessionManager.php +++ b/application/security/SessionManager.php @@ -8,15 +8,20 @@ use Shaarli\Config\ConfigManager; */ class SessionManager { + public const KEY_LINKS_PER_PAGE = 'LINKS_PER_PAGE'; + public const KEY_VISIBILITY = 'visibility'; + public const KEY_UNTAGGED_ONLY = 'untaggedonly'; + + public const KEY_SUCCESS_MESSAGES = 'successes'; + public const KEY_WARNING_MESSAGES = 'warnings'; + public const KEY_ERROR_MESSAGES = 'errors'; + /** @var int Session expiration timeout, in seconds */ public static $SHORT_TIMEOUT = 3600; // 1 hour /** @var int Session expiration timeout, in seconds */ public static $LONG_TIMEOUT = 31536000; // 1 year - /** @var string Name of the cookie set after logging in **/ - public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn'; - /** @var array Local reference to the global $_SESSION array */ protected $session = []; @@ -26,16 +31,35 @@ class SessionManager /** @var bool Whether the user should stay signed in (LONG_TIMEOUT) */ protected $staySignedIn = false; + /** @var string */ + protected $savePath; + /** * Constructor * - * @param array $session The $_SESSION array (reference) - * @param ConfigManager $conf ConfigManager instance + * @param array $session The $_SESSION array (reference) + * @param ConfigManager $conf ConfigManager instance + * @param string $savePath Session save path returned by builtin function session_save_path() */ - public function __construct(& $session, $conf) + public function __construct(&$session, $conf, string $savePath) { $this->session = &$session; $this->conf = $conf; + $this->savePath = $savePath; + } + + /** + * Initialize XSRF token and links per page session variables. + */ + public function initialize(): void + { + if (!isset($this->session['tokens'])) { + $this->session['tokens'] = []; + } + + if (!isset($this->session['LINKS_PER_PAGE'])) { + $this->session['LINKS_PER_PAGE'] = $this->conf->get('general.links_per_page', 20); + } } /** @@ -116,8 +140,6 @@ class SessionManager */ public function storeLoginInfo($clientIpId) { - // Generate unique random number (different than phpsessionid) - $this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand()); $this->session['ip'] = $clientIpId; $this->session['username'] = $this->conf->get('credentials.login'); $this->extendTimeValidityBy(self::$SHORT_TIMEOUT); @@ -157,12 +179,10 @@ class SessionManager public function logout() { if (isset($this->session)) { - unset($this->session['uid']); unset($this->session['ip']); unset($this->session['expires_on']); unset($this->session['username']); unset($this->session['visibility']); - unset($this->session['untaggedonly']); } } @@ -175,7 +195,7 @@ class SessionManager */ public function hasSessionExpired() { - if (empty($this->session['uid'])) { + if (empty($this->session['expires_on'])) { return true; } if (time() >= $this->session['expires_on']) { @@ -197,9 +217,92 @@ class SessionManager if ($this->conf->get('security.session_protection_disabled') === true) { return false; } - if ($this->session['ip'] == $clientIpId) { + if (isset($this->session['ip']) && $this->session['ip'] === $clientIpId) { return false; } return true; } + + /** @return array Local reference to the global $_SESSION array */ + public function getSession(): array + { + return $this->session; + } + + /** + * @param mixed $default value which will be returned if the $key is undefined + * + * @return mixed Content stored in session + */ + public function getSessionParameter(string $key, $default = null) + { + return $this->session[$key] ?? $default; + } + + /** + * Store a variable in user session. + * + * @param string $key Session key + * @param mixed $value Session value to store + * + * @return $this + */ + public function setSessionParameter(string $key, $value): self + { + $this->session[$key] = $value; + + return $this; + } + + /** + * Store a variable in user session. + * + * @param string $key Session key + * + * @return $this + */ + public function deleteSessionParameter(string $key): self + { + unset($this->session[$key]); + + return $this; + } + + public function getSavePath(): string + { + return $this->savePath; + } + + /* + * Next public functions wrapping native PHP session API. + */ + + public function destroy(): bool + { + $this->session = []; + + return session_destroy(); + } + + public function start(): bool + { + if (session_status() === PHP_SESSION_ACTIVE) { + $this->destroy(); + } + + return session_start(); + } + + /** + * Be careful, return type of session_set_cookie_params() changed between PHP 7.1 and 7.2. + */ + public function cookieParameters(int $lifeTime, string $path, string $domain): void + { + session_set_cookie_params($lifeTime, $path, $domain); + } + + public function regenerateId(bool $deleteOldSession = false): bool + { + return session_regenerate_id($deleteOldSession); + } }