5 * Manages the server-side session
9 /** Session expiration timeout, in seconds */
10 public static $INACTIVITY_TIMEOUT = 3600;
12 /** Name of the cookie set after logging in */
13 public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn';
15 /** Local reference to the global $_SESSION array */
16 protected $session = [];
18 /** ConfigManager instance */
19 protected $conf = null;
24 * @param array $session The $_SESSION array (reference)
25 * @param ConfigManager $conf ConfigManager instance
27 public function __construct(& $session, $conf)
// Bind by reference so that every write made through $this->session lands in the
// caller's array (normally the global $_SESSION) rather than in a private copy.
29 $this->session
= &$session;
34 * Generates a session token
36 * @return string token
38 public function generateToken()
// NOTE(review): uniqid() and mt_rand() are not cryptographically secure sources, and sha1()
// does not add entropy; a token derived from random_bytes() (hex-encoded) would be the
// preferred basis for a value that checkToken() later relies on as an anti-replay check.
40 $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf
->get('credentials.salt'));
// Register the token in the session so checkToken() can recognise it and then consume it.
41 $this->session
['tokens'][$token] = 1;
46 * Checks the validity of a session token, and destroys it afterwards
48 * @param string $token The token to check
50 * @return bool true if the token is valid, else false
52 public function checkToken($token)
// Only tokens previously registered by generateToken() are accepted.
// NOTE(review): assumes $token is a scalar; a non-scalar offset in isset() is an
// error in PHP 8 — confirm callers pass a string.
54 if (! isset($this->session
['tokens'][$token])) {
55 // the token is wrong, or has already been used
59 // destroy the token to prevent future use
// Single-use semantics: the entry is removed on the first successful check, so a
// replayed token falls into the "already been used" branch above.
60 unset($this->session
['tokens'][$token]);
65 * Validate session ID to prevent Full Path Disclosure.
68 * The session ID's format depends on the hash algorithm set in PHP settings
70 * @param string $sessionId Session ID
72 * @return bool true if valid, false otherwise.
74 * @see http://php.net/manual/en/function.hash-algos.php
75 * @see http://php.net/manual/en/session.configuration.php
77 public static function checkId($sessionId)
// empty() also rejects the string '0'; harmless here because the pattern below
// requires at least two characters anyway.
79 if (empty($sessionId)) {
// Whitelist of characters and length PHP can emit for a session ID (depends on the
// configured hash algorithm and bits-per-character settings); anything else is
// treated as tampered input rather than passed on to the session handler.
87 if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
95 * Store user login information after a successful login
97 * @param array $server The global $_SERVER array
99 public function storeLoginInfo($server)
101 // Generate unique random number (different than phpsessionid)
// NOTE(review): uniqid()/mt_rand() are predictable sources; if 'uid' is ever compared as an
// authentication factor, derive it from random_bytes() instead — confirm how 'uid' is consumed.
102 $this->session
['uid'] = sha1(uniqid('', true) . '_' . mt_rand());
// Client address identifier computed by the client_ip_id() helper (defined elsewhere),
// stored so the session can later be tied to the originating client.
103 $this->session
['ip'] = client_ip_id($server);
104 $this->session
['username'] = $this->conf
->get('credentials.login');
// Absolute expiry timestamp: now plus the inactivity window (self::$INACTIVITY_TIMEOUT, seconds).
105 $this->session
['expires_on'] = time() + self
::$INACTIVITY_TIMEOUT;
109 * Logout a user by unsetting all login information
112 * - https://secure.php.net/manual/en/function.setcookie.php
114 * @param string $webPath path on the server for which the cookie will be available
116 public function logout($webPath)
// Drop every login-related key written by storeLoginInfo(), plus the per-user view
// preferences ('visibility', 'untaggedonly'), so nothing identifying survives the logout.
118 if (isset($this->session
)) {
119 unset($this->session
['uid']);
120 unset($this->session
['ip']);
121 unset($this->session
['username']);
122 unset($this->session
['visibility']);
123 unset($this->session
['untaggedonly']);
// NOTE(review): expiry 0 does not delete the cookie; it leaves a browser-session cookie
// holding the literal value 'false'. A past expiry would remove it outright — confirm the
// reading side treats any value other than the logged-in marker as "not signed in".
// No domain/secure/httponly arguments are passed here; the secure and HttpOnly flags
// matter more on the code path that sets the logged-in value.
125 setcookie(self
::$LOGGED_IN_COOKIE, 'false', 0, $webPath);