inc/3rdparty/Session.class.php

   1 <?php
   2 /**
   3  * Session management class
   4  *
   5  * http://www.developpez.net/forums/d51943/php/langage/sessions/
   6  * http://sebsauvage.net/wiki/doku.php?id=php:session
   7  * http://sebsauvage.net/wiki/doku.php?id=php:shaarli
   8  *
   9  * Features:
  10  * - Everything is stored on server-side (we do not trust client-side data,
  11  *   such as cookie expiration)
  12  * - IP addresses are checked on each access to prevent session cookie hijacking
  13  *   (such as Firesheep)
  14  * - Session expires on user inactivity (Session expiration date is
  15  *   automatically updated everytime the user accesses a page.)
  16  * - A unique secret key is generated on server-side for this session
  17  *   (and never sent over the wire) which can be used to sign forms (HMAC)
  18  *   (See $_SESSION['uid'])
  19  * - Token management to prevent XSRF attacks
  20  * - Brute force protection with ban management
  21  *
  22  * TODOs
  23  * - Replace globals with variables in Session class
  24  *
  25  * How to use:
  26  * - http://tontof.net/kriss/php5/session
  27  */
  28 class Session
  29 {
  30     // Personnalize PHP session name
  31     public static $sessionName = '';
  32     // If the user does not access any page within this time,
  33     // his/her session is considered expired (3600 sec. = 1 hour)
  34     public static $inactivityTimeout = 3600;
  35     // Extra timeout for long sessions (if enabled) (82800 sec. = 23 hours)
  36     public static $longSessionTimeout = 7776000; // 7776000 = 90 days
  37     // If you get disconnected often or if your IP address changes often.
  38     // Let you disable session cookie hijacking protection
  39     public static $disableSessionProtection = false;
  40     // Ban IP after this many failures.
  41     public static $banAfter = 4;
  42     // Ban duration for IP address after login failures (in seconds).
  43     // (1800 sec. = 30 minutes)
  44     public static $banDuration = 1800;
  45     // File storage for failures and bans. If empty, no ban management.
  46     public static $banFile = '';
  47
  48     /**
  49      * Initialize session
  50      */
  51     public static function init($longlastingsession = false)
  52     {
  53         //check if session name is correct
  54         if ( (session_id() && !empty(self::$sessionName) && session_name()!=self::$sessionName) || $longlastingsession ) {
  55             session_destroy();
  56         }
  57
  58         // Force cookie path (but do not change lifetime)
  59         $cookie = session_get_cookie_params();
  60         // Default cookie expiration and path.
  61         $cookiedir = '';
  62         if (dirname($_SERVER['SCRIPT_NAME'])!='/') {
  63             $cookiedir = dirname($_SERVER["SCRIPT_NAME"]).'/';
  64         }
  65         $ssl = false;
  66         if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
  67             $ssl = true;
  68         }
  69
  70         if ( $longlastingsession ) {
  71             session_set_cookie_params(self::$longSessionTimeout, $cookiedir, null, $ssl, true);
  72         }
  73         else {
  74             session_set_cookie_params(0, $cookiedir, null, $ssl, true);
  75         }
  76         //set server side valid session timeout
  77         //WARNING! this may not work in shared session environment. See http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime about min value: it can be set in any application
  78         ini_set('session.gc_maxlifetime', self::$longSessionTimeout);
  79
  80         // Use cookies to store session.
  81         ini_set('session.use_cookies', 1);
  82         // Force cookies for session  (phpsessionID forbidden in URL)
  83         ini_set('session.use_only_cookies', 1);
  84         if ( !session_id() ) {
  85             // Prevent php to use sessionID in URL if cookies are disabled.
  86             ini_set('session.use_trans_sid', false);
  87             if (!empty(self::$sessionName)) {
  88                 session_name(self::$sessionName);
  89             }
  90             session_start();
  91         }
  92     }
  93
  94     /**
  95      * Returns the IP address
  96      * (Used to prevent session cookie hijacking.)
  97      *
  98      * @return string IP addresses
  99      */
 100     private static function _allIPs()
 101     {
 102         $ip = $_SERVER["REMOTE_ADDR"];
 103         $ip.= isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? '_'.$_SERVER['HTTP_X_FORWARDED_FOR'] : '';
 104         $ip.= isset($_SERVER['HTTP_CLIENT_IP']) ? '_'.$_SERVER['HTTP_CLIENT_IP'] : '';
 105
 106         return $ip;
 107     }
 108
 109     /**
 110      * Check that user/password is correct and then init some SESSION variables.
 111      *
 112      * @param string $login        Login reference
 113      * @param string $password     Password reference
 114      * @param string $loginTest    Login to compare with login reference
 115      * @param string $passwordTest Password to compare with password reference
 116      * @param array  $pValues      Array of variables to store in SESSION
 117      *
 118      * @return true|false          True if login and password are correct, false
 119      *                             otherwise
 120      */
 121     public static function login (
 122         $login,
 123         $password,
 124         $loginTest,
 125         $passwordTest,
 126         $longlastingsession,
 127         $pValues = array())
 128     {
 129         self::banInit();
 130         if (self::banCanLogin()) {
 131             if ($login === $loginTest && $password === $passwordTest) {
 132                 self::banLoginOk();
 133
 134                 self::init($longlastingsession);
 135
 136                 // Generate unique random number to sign forms (HMAC)
 137                 $_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());
 138                 $_SESSION['ip'] = self::_allIPs();
 139                 $_SESSION['username'] = $login;
 140                 // Set session expiration.
 141                 $_SESSION['expires_on'] = time() + self::$inactivityTimeout;
 142                 if ($longlastingsession) {
 143                         $_SESSION['longlastingsession'] = self::$longSessionTimeout;
 144                         $_SESSION['expires_on'] += $_SESSION['longlastingsession'];
 145                 }
 146
 147                 foreach ($pValues as $key => $value) {
 148                     $_SESSION[$key] = $value;
 149                 }
 150
 151                 return true;
 152             }
 153             self::banLoginFailed();
 154         }
 155
 156         self::init();
 157         return false;
 158     }
 159
 160     /**
 161      * Unset SESSION variable to force logout
 162      */
 163     public static function logout()
 164     {
 165         // unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['longlastingsession'], $_SESSION['poche_user']);
 166
 167         // Destruction du cookie (le code peut paraître complexe mais c'est pour être certain de reprendre les mêmes paramètres)
 168         $args = array_merge(array(session_name(), ''), array_values(session_get_cookie_params()));
 169         $args[2] = time() - 3600;
 170         call_user_func_array('setcookie', $args);
 171         // Suppression physique de la session
 172         session_destroy();
 173     }
 174
 175     /**
 176      * Make sure user is logged in.
 177      *
 178      * @return true|false True if user is logged in, false otherwise
 179      */
 180     public static function isLogged()
 181     {
 182         if (!isset ($_SESSION['uid'])
 183             || (self::$disableSessionProtection === false
 184                 && $_SESSION['ip'] !== self::_allIPs())
 185             || time() >= $_SESSION['expires_on']) {
 186             //self::logout();
 187
 188             return false;
 189         }
 190         // User accessed a page : Update his/her session expiration date.
 191         $_SESSION['expires_on'] = time() + self::$inactivityTimeout;
 192         if (!empty($_SESSION['longlastingsession'])) {
 193                 $_SESSION['expires_on'] += $_SESSION['longlastingsession'];
 194         }
 195
 196         return true;
 197     }
 198
 199     /**
 200      * Create a token, store it in SESSION and return it
 201      *
 202      * @param string $salt to prevent birthday attack
 203      *
 204      * @return string Token created
 205      */
 206     public static function getToken($salt = '')
 207     {
 208         if (!isset($_SESSION['tokens'])) {
 209             $_SESSION['tokens']=array();
 210         }
 211         // We generate a random string and store it on the server side.
 212         $rnd = sha1(uniqid('', true).'_'.mt_rand().$salt);
 213         $_SESSION['tokens'][$rnd]=1;
 214
 215         return $rnd;
 216     }
 217
 218     /**
 219      * Tells if a token is ok. Using this function will destroy the token.
 220      *
 221      * @param string $token Token to test
 222      *
 223      * @return true|false   True if token is correct, false otherwise
 224      */
 225     public static function isToken($token)
 226     {
 227         if (isset($_SESSION['tokens'][$token])) {
 228             unset($_SESSION['tokens'][$token]); // Token is used: destroy it.
 229
 230             return true; // Token is ok.
 231         }
 232
 233         return false; // Wrong token, or already used.
 234     }
 235
 236     /**
 237      * Signal a failed login. Will ban the IP if too many failures:
 238      */
 239     public static function banLoginFailed()
 240     {
 241         if (self::$banFile !== '') {
 242             $ip = $_SERVER["REMOTE_ADDR"];
 243             $gb = $GLOBALS['IPBANS'];
 244
 245             if (!isset($gb['FAILURES'][$ip])) {
 246                 $gb['FAILURES'][$ip] = 0;
 247             }
 248             $gb['FAILURES'][$ip]++;
 249             if ($gb['FAILURES'][$ip] > (self::$banAfter - 1)) {
 250                 $gb['BANS'][$ip]= time() + self::$banDuration;
 251             }
 252
 253             $GLOBALS['IPBANS'] = $gb;
 254             file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
 255         }
 256     }
 257
 258     /**
 259      * Signals a successful login. Resets failed login counter.
 260      */
 261     public static function banLoginOk()
 262     {
 263         if (self::$banFile !== '') {
 264             $ip = $_SERVER["REMOTE_ADDR"];
 265             $gb = $GLOBALS['IPBANS'];
 266             unset($gb['FAILURES'][$ip]); unset($gb['BANS'][$ip]);
 267             $GLOBALS['IPBANS'] = $gb;
 268             file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
 269         }
 270     }
 271
 272     /**
 273      * Ban init
 274      */
 275     public static function banInit()
 276     {
 277         if (self::$banFile !== '') {
 278             if (!is_file(self::$banFile)) {
 279                 file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export(array('FAILURES'=>array(), 'BANS'=>array()), true).";\n?>");
 280             }
 281             include self::$banFile;
 282         }
 283     }
 284
 285     /**
 286      * Checks if the user CAN login. If 'true', the user can try to login.
 287      *
 288      * @return boolean true if user is banned, false otherwise
 289      */
 290     public static function banCanLogin()
 291     {
 292         if (self::$banFile !== '') {
 293             $ip = $_SERVER["REMOTE_ADDR"];
 294             $gb = $GLOBALS['IPBANS'];
 295             if (isset($gb['BANS'][$ip])) {
 296                 // User is banned. Check if the ban has expired:
 297                 if ($gb['BANS'][$ip] <= time()) {
 298                     // Ban expired, user can try to login again.
 299                     unset($gb['FAILURES'][$ip]);
 300                     unset($gb['BANS'][$ip]);
 301                     file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
 302
 303                     return true; // Ban has expired, user can login.
 304                 }
 305
 306                 return false; // User is banned.
 307             }
 308         }
 309
 310         return true; // User is not banned.
 311     }
 312
 313
 314     /**
 315      * Tells if a param exists in session
 316      *
 317      * @param $name name of the param to test
 318      * @return bool
 319      */
 320     public static function isInSession($name)
 321     {
 322         return (isset($_SESSION[$name]) ? : FALSE);
 323     }
 324
 325     /**
 326      * Returns param in session
 327      *
 328      * @param $name name of the param to return
 329      * @return mixed param or null
 330      */
 331     public static function getParam($name)
 332     {
 333         return (self::isInSession($name) ? $_SESSION[$name] : NULL);
 334     }
 335
 336     /**
 337      * Store value in session
 338      *
 339      * @param $name     name of the variable to store
 340      * @param $value    value to store
 341      */
 342     public static function setParam($name, $value)
 343     {
 344         $_SESSION[$name] = $value;
 345     }
 346 }