application/security/SessionManager.php

   1 <?php
   2 namespace Shaarli\Security;
   3
   4 use Shaarli\Config\ConfigManager;
   5
   6 /**
   7  * Manages the server-side session
   8  */
   9 class SessionManager
  10 {
  11     public const KEY_LINKS_PER_PAGE = 'LINKS_PER_PAGE';
  12     public const KEY_VISIBILITY = 'visibility';
  13     public const KEY_UNTAGGED_ONLY = 'untaggedonly';
  14
  15     public const KEY_SUCCESS_MESSAGES = 'successes';
  16     public const KEY_WARNING_MESSAGES = 'warnings';
  17     public const KEY_ERROR_MESSAGES = 'errors';
  18
  19     /** @var int Session expiration timeout, in seconds */
  20     public static $SHORT_TIMEOUT = 3600;    // 1 hour
  21
  22     /** @var int Session expiration timeout, in seconds */
  23     public static $LONG_TIMEOUT = 31536000; // 1 year
  24
  25     /** @var array Local reference to the global $_SESSION array */
  26     protected $session = [];
  27
  28     /** @var ConfigManager Configuration Manager instance **/
  29     protected $conf = null;
  30
  31     /** @var bool Whether the user should stay signed in (LONG_TIMEOUT) */
  32     protected $staySignedIn = false;
  33
  34     /** @var string */
  35     protected $savePath;
  36
  37     /**
  38      * Constructor
  39      *
  40      * @param array         $session  The $_SESSION array (reference)
  41      * @param ConfigManager $conf     ConfigManager instance
  42      * @param string        $savePath Session save path returned by builtin function session_save_path()
  43      */
  44     public function __construct(&$session, $conf, string $savePath)
  45     {
  46         $this->session = &$session;
  47         $this->conf = $conf;
  48         $this->savePath = $savePath;
  49     }
  50
  51     /**
  52      * Define whether the user should stay signed in across browser sessions
  53      *
  54      * @param bool $staySignedIn Keep the user signed in
  55      */
  56     public function setStaySignedIn($staySignedIn)
  57     {
  58         $this->staySignedIn = $staySignedIn;
  59     }
  60
  61     /**
  62      * Generates a session token
  63      *
  64      * @return string token
  65      */
  66     public function generateToken()
  67     {
  68         $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
  69         $this->session['tokens'][$token] = 1;
  70         return $token;
  71     }
  72
  73     /**
  74      * Checks the validity of a session token, and destroys it afterwards
  75      *
  76      * @param string $token The token to check
  77      *
  78      * @return bool true if the token is valid, else false
  79      */
  80     public function checkToken($token)
  81     {
  82         if (! isset($this->session['tokens'][$token])) {
  83             // the token is wrong, or has already been used
  84             return false;
  85         }
  86
  87         // destroy the token to prevent future use
  88         unset($this->session['tokens'][$token]);
  89         return true;
  90     }
  91
  92     /**
  93      * Validate session ID to prevent Full Path Disclosure.
  94      *
  95      * See #298.
  96      * The session ID's format depends on the hash algorithm set in PHP settings
  97      *
  98      * @param string $sessionId Session ID
  99      *
 100      * @return true if valid, false otherwise.
 101      *
 102      * @see http://php.net/manual/en/function.hash-algos.php
 103      * @see http://php.net/manual/en/session.configuration.php
 104      */
 105     public static function checkId($sessionId)
 106     {
 107         if (empty($sessionId)) {
 108             return false;
 109         }
 110
 111         if (!$sessionId) {
 112             return false;
 113         }
 114
 115         if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
 116             return false;
 117         }
 118
 119         return true;
 120     }
 121
 122     /**
 123      * Store user login information after a successful login
 124      *
 125      * @param string $clientIpId Client IP address identifier
 126      */
 127     public function storeLoginInfo($clientIpId)
 128     {
 129         $this->session['ip'] = $clientIpId;
 130         $this->session['username'] = $this->conf->get('credentials.login');
 131         $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
 132     }
 133
 134     /**
 135      * Extend session validity
 136      */
 137     public function extendSession()
 138     {
 139         if ($this->staySignedIn) {
 140             return $this->extendTimeValidityBy(self::$LONG_TIMEOUT);
 141         }
 142         return $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
 143     }
 144
 145     /**
 146      * Extend expiration time
 147      *
 148      * @param int $duration Expiration time extension (seconds)
 149      *
 150      * @return int New session expiration time
 151      */
 152     protected function extendTimeValidityBy($duration)
 153     {
 154         $expirationTime = time() + $duration;
 155         $this->session['expires_on'] = $expirationTime;
 156         return $expirationTime;
 157     }
 158
 159     /**
 160      * Logout a user by unsetting all login information
 161      *
 162      * See:
 163      * - https://secure.php.net/manual/en/function.setcookie.php
 164      */
 165     public function logout()
 166     {
 167         if (isset($this->session)) {
 168             unset($this->session['ip']);
 169             unset($this->session['expires_on']);
 170             unset($this->session['username']);
 171             unset($this->session['visibility']);
 172             unset($this->session['untaggedonly']);
 173         }
 174     }
 175
 176     /**
 177      * Check whether the session has expired
 178      *
 179      * @param string $clientIpId Client IP address identifier
 180      *
 181      * @return bool true if the session has expired, false otherwise
 182      */
 183     public function hasSessionExpired()
 184     {
 185         if (empty($this->session['expires_on'])) {
 186             return true;
 187         }
 188         if (time() >= $this->session['expires_on']) {
 189             return true;
 190         }
 191         return false;
 192     }
 193
 194     /**
 195      * Check whether the client IP address has changed
 196      *
 197      * @param string $clientIpId Client IP address identifier
 198      *
 199      * @return bool true if the IP has changed, false if it has not, or
 200      *              if session protection has been disabled
 201      */
 202     public function hasClientIpChanged($clientIpId)
 203     {
 204         if ($this->conf->get('security.session_protection_disabled') === true) {
 205             return false;
 206         }
 207         if (isset($this->session['ip']) && $this->session['ip'] === $clientIpId) {
 208             return false;
 209         }
 210         return true;
 211     }
 212
 213     /** @return array Local reference to the global $_SESSION array */
 214     public function getSession(): array
 215     {
 216         return $this->session;
 217     }
 218
 219     /**
 220      * @param mixed $default value which will be returned if the $key is undefined
 221      *
 222      * @return mixed Content stored in session
 223      */
 224     public function getSessionParameter(string $key, $default = null)
 225     {
 226         return $this->session[$key] ?? $default;
 227     }
 228
 229     /**
 230      * Store a variable in user session.
 231      *
 232      * @param string $key   Session key
 233      * @param mixed  $value Session value to store
 234      *
 235      * @return $this
 236      */
 237     public function setSessionParameter(string $key, $value): self
 238     {
 239         $this->session[$key] = $value;
 240
 241         return $this;
 242     }
 243
 244     /**
 245      * Store a variable in user session.
 246      *
 247      * @param string $key   Session key
 248      *
 249      * @return $this
 250      */
 251     public function deleteSessionParameter(string $key): self
 252     {
 253         unset($this->session[$key]);
 254
 255         return $this;
 256     }
 257
 258     public function getSavePath(): string
 259     {
 260         return $this->savePath;
 261     }
 262 }