[github/shaarli/Shaarli.git] / application / SessionManager.php

<?php
namespace Shaarli;

/**
 * Manages the server-side session
 */
class SessionManager
{
    protected $session = [];

    /**
     * Constructor
     *
     * @param array         $session The $_SESSION array (reference)
     * @param ConfigManager $conf    ConfigManager instance
     */
    public function __construct(& $session, $conf)
    {
        $this->session = &$session;
        $this->conf = $conf;
    }

    /**
     * Generates a session token
     *
     * @return string token
     */
    public function generateToken()
    {
        $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
        $this->session['tokens'][$token] = 1;
        return $token;
    }

    /**
     * Checks the validity of a session token, and destroys it afterwards
     *
     * @param string $token The token to check
     *
     * @return bool true if the token is valid, else false
     */
    public function checkToken($token)
    {
        if (! isset($this->session['tokens'][$token])) {
            // the token is wrong, or has already been used
            return false;
        }

        // destroy the token to prevent future use
        unset($this->session['tokens'][$token]);
        return true;
    }

    /**
     * Validate session ID to prevent Full Path Disclosure.
     *
     * See #298.
     * The session ID's format depends on the hash algorithm set in PHP settings
     *
     * @param string $sessionId Session ID
     *
     * @return true if valid, false otherwise.
     *
     * @see http://php.net/manual/en/function.hash-algos.php
     * @see http://php.net/manual/en/session.configuration.php
     */
    public static function checkId($sessionId)
    {
        if (empty($sessionId)) {
            return false;
        }

        if (!$sessionId) {
            return false;
        }

        if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
            return false;
        }

        return true;
    }
}
Commit	Line	Data
ebd650c0 V	1	<?php
	2	namespace Shaarli;
	3
	4	/**
	5	* Manages the server-side session
	6	*/
	7	class SessionManager
	8	{
	9	protected $session = [];
	10
	11	/**
	12	* Constructor
	13	*
	14	* @param array $session The $_SESSION array (reference)
dd883aaf	15	* @param ConfigManager $conf ConfigManager instance
ebd650c0	16	*/
dd883aaf	17	public function __construct(& $session, $conf)
ebd650c0 V	18	{
ebd650c0 V	19	$this->session = &$session;
dd883aaf	20	$this->conf = $conf;
ebd650c0 V	21	}
	22
	23	/**
	24	* Generates a session token
	25	*
	26	* @return string token
	27	*/
	28	public function generateToken()
	29	{
	30	$token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
	31	$this->session['tokens'][$token] = 1;
	32	return $token;
	33	}
	34
	35	/**
	36	* Checks the validity of a session token, and destroys it afterwards
	37	*
	38	* @param string $token The token to check
	39	*
	40	* @return bool true if the token is valid, else false
	41	*/
	42	public function checkToken($token)
	43	{
	44	if (! isset($this->session['tokens'][$token])) {
	45	// the token is wrong, or has already been used
	46	return false;
	47	}
	48
	49	// destroy the token to prevent future use
	50	unset($this->session['tokens'][$token]);
	51	return true;
	52	}
fd7d8461 V	53
	54	/**
	55	* Validate session ID to prevent Full Path Disclosure.
	56	*
	57	* See #298.
	58	* The session ID's format depends on the hash algorithm set in PHP settings
	59	*
	60	* @param string $sessionId Session ID
	61	*
	62	* @return true if valid, false otherwise.
	63	*
	64	* @see http://php.net/manual/en/function.hash-algos.php
	65	* @see http://php.net/manual/en/session.configuration.php
	66	*/
	67	public static function checkId($sessionId)
	68	{
	69	if (empty($sessionId)) {
	70	return false;
	71	}
	72
	73	if (!$sessionId) {
	74	return false;
	75	}
	76
	77	if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
	78	return false;
	79	}
	80
	81	return true;
	82	}
ebd650c0	83	}