application/SessionManager.php

   1 <?php
   2 namespace Shaarli;
   3
   4 /**
   5  * Manages the server-side session
   6  */
   7 class SessionManager
   8 {
   9     protected $session = [];
  10
  11     /**
  12      * Constructor
  13      *
  14      * @param array         $session The $_SESSION array (reference)
  15      * @param ConfigManager $conf    ConfigManager instance (reference)
  16      */
  17     public function __construct(& $session, & $conf)
  18     {
  19         $this->session = &$session;
  20         $this->conf = &$conf;
  21     }
  22
  23     /**
  24      * Generates a session token
  25      *
  26      * @return string token
  27      */
  28     public function generateToken()
  29     {
  30         $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
  31         $this->session['tokens'][$token] = 1;
  32         return $token;
  33     }
  34
  35     /**
  36      * Checks the validity of a session token, and destroys it afterwards
  37      *
  38      * @param string $token The token to check
  39      *
  40      * @return bool true if the token is valid, else false
  41      */
  42     public function checkToken($token)
  43     {
  44         if (! isset($this->session['tokens'][$token])) {
  45             // the token is wrong, or has already been used
  46             return false;
  47         }
  48
  49         // destroy the token to prevent future use
  50         unset($this->session['tokens'][$token]);
  51         return true;
  52     }
  53
  54     /**
  55      * Validate session ID to prevent Full Path Disclosure.
  56      *
  57      * See #298.
  58      * The session ID's format depends on the hash algorithm set in PHP settings
  59      *
  60      * @param string $sessionId Session ID
  61      *
  62      * @return true if valid, false otherwise.
  63      *
  64      * @see http://php.net/manual/en/function.hash-algos.php
  65      * @see http://php.net/manual/en/session.configuration.php
  66      */
  67     public static function checkId($sessionId)
  68     {
  69         if (empty($sessionId)) {
  70             return false;
  71         }
  72
  73         if (!$sessionId) {
  74             return false;
  75         }
  76
  77         if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
  78             return false;
  79         }
  80
  81         return true;
  82     }
  83 }