From db45a36a53dbd722e5e891827e49d9e7651f2a5e Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Fri, 16 Feb 2018 22:21:59 +0100 Subject: [PATCH] Refactor SessionManager::$INACTIVITY_TIMEOUT Changed: - move INACTIVITY_TIMEOUT to SessionManager - inject a dependency to a SessionManager instance in: - fillSessionInfo() - setup_login_state() - check_auth() - cleanup related code and comments Signed-off-by: VirtualTam --- application/SessionManager.php | 4 +++ index.php | 48 +++++++++++++++++----------------- 2 files changed, 28 insertions(+), 24 deletions(-) diff --git a/application/SessionManager.php b/application/SessionManager.php index 71f0b38d..704f8504 100644 --- a/application/SessionManager.php +++ b/application/SessionManager.php @@ -6,6 +6,10 @@ namespace Shaarli; */ class SessionManager { + /** Session expiration timeout, in seconds */ + public static $INACTIVITY_TIMEOUT = 3600; + + /** Local reference to the global $_SESSION array */ protected $session = []; /** diff --git a/index.php b/index.php index 08a69327..9cbc9241 100644 --- a/index.php +++ b/index.php @@ -101,8 +101,6 @@ if (dirname($_SERVER['SCRIPT_NAME']) != '/') { // Set default cookie expiration and path. session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['SERVER_NAME']); // Set session parameters on server side. -// If the user does not access any page within this time, his/her session is considered expired. -define('INACTIVITY_TIMEOUT', 3600); // in seconds. // Use cookies to store session. ini_set('session.use_cookies', 1); // Force cookies for session (phpsessionID forbidden in URL). @@ -183,11 +181,12 @@ define('STAY_SIGNED_IN_TOKEN', sha1($conf->get('credentials.hash') . $_SERVER['R /** * Checking session state (i.e. is the user still logged in) * - * @param ConfigManager $conf The configuration manager. + * @param ConfigManager $conf Configuration Manager instance. + * @param SessionManager $sessionManager SessionManager instance * - * @return bool: true if the user is logged in, false otherwise. + * @return bool true if the user is logged in, false otherwise. */ -function setup_login_state($conf) +function setup_login_state($conf, $sessionManager) { if ($conf->get('security.open_shaarli')) { return true; @@ -202,7 +201,7 @@ function setup_login_state($conf) $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && !$loginFailure) { - fillSessionInfo($conf); + fillSessionInfo($conf, $sessionManager); $userIsLoggedIn = true; } // If session does not exist on server side, or IP address has changed, or session has expired, logout. @@ -216,9 +215,8 @@ function setup_login_state($conf) } if (!empty($_SESSION['longlastingsession'])) { $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked. - } - else { - $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date. + } else { + $_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT; } if (!$loginFailure) { $userIsLoggedIn = true; @@ -226,39 +224,42 @@ function setup_login_state($conf) return $userIsLoggedIn; } -$userIsLoggedIn = setup_login_state($conf); + +$userIsLoggedIn = setup_login_state($conf, $sessionManager); // ------------------------------------------------------------------------------------------ // Session management /** - * Load user session. + * Load user session * - * @param ConfigManager $conf Configuration Manager instance. + * @param ConfigManager $conf Configuration Manager instance. + * @param SessionManager $sessionManager SessionManager instance */ -function fillSessionInfo($conf) +function fillSessionInfo($conf, $sessionManager) { $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) $_SESSION['ip'] = client_ip_id($_SERVER); $_SESSION['username']= $conf->get('credentials.login'); - $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. + $_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT; } /** * Check that user/password is correct. * - * @param string $login Username - * @param string $password User password - * @param ConfigManager $conf Configuration Manager instance. + * @param string $login Username + * @param string $password User password + * @param ConfigManager $conf Configuration Manager instance. + * @param SessionManager $sessionManager SessionManager instance * * @return bool: authentication successful or not. */ -function check_auth($login, $password, $conf) +function check_auth($login, $password, $conf, $sessionManager) { $hash = sha1($password . $login . $conf->get('credentials.salt')); - if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) - { // Login/password is correct. - fillSessionInfo($conf); + if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) { + // Login/password is correct. + fillSessionInfo($conf, $sessionManager); logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); return true; } @@ -287,14 +288,13 @@ function logout() { // ------------------------------------------------------------------------------------------ // Process login form: Check if login/password is correct. -if (isset($_POST['login'])) -{ +if (isset($_POST['login'])) { if (! $loginManager->canLogin($_SERVER)) { die(t('I said: NO. You are banned for the moment. Go away.')); } if (isset($_POST['password']) && $sessionManager->checkToken($_POST['token']) - && (check_auth($_POST['login'], $_POST['password'], $conf)) + && (check_auth($_POST['login'], $_POST['password'], $conf, $sessionManager)) ) { // Login/password is OK. $loginManager->handleSuccessfulLogin($_SERVER); -- 2.41.0