aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorVirtualTam <virtualtam@flibidi.net>2018-05-30 02:09:09 +0200
committerVirtualTam <virtualtam@flibidi.net>2018-06-02 16:46:06 +0200
commit8edd7f15886620b07064aa889aea05c5acbc0e58 (patch)
treec4299a352b3f4c518f79eb7208f667f68f8e9388
parent704637bfebc73ada4b800b35c457e9fe56ad3567 (diff)
downloadShaarli-8edd7f15886620b07064aa889aea05c5acbc0e58.tar.gz
Shaarli-8edd7f15886620b07064aa889aea05c5acbc0e58.tar.zst
Shaarli-8edd7f15886620b07064aa889aea05c5acbc0e58.zip
SessionManager+LoginManager: fix checkLoginState logic
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat
-rw-r--r--application/security/LoginManager.php2
-rw-r--r--application/security/SessionManager.php5
-rw-r--r--tests/security/LoginManagerTest.php15
3 files changed, 15 insertions, 7 deletions
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
index 4946850b..d6784d6d 100644
--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@@ -95,7 +95,6 @@ class LoginManager
95 // The user client has a valid stay-signed-in cookie 95 // The user client has a valid stay-signed-in cookie
96 // Session information is updated with the current client information 96 // Session information is updated with the current client information
97 $this->sessionManager->storeLoginInfo($clientIpId); 97 $this->sessionManager->storeLoginInfo($clientIpId);
98 $this->isLoggedIn = true;
99 98
100 } elseif ($this->sessionManager->hasSessionExpired() 99 } elseif ($this->sessionManager->hasSessionExpired()
101 || $this->sessionManager->hasClientIpChanged($clientIpId) 100 || $this->sessionManager->hasClientIpChanged($clientIpId)
@@ -105,6 +104,7 @@ class LoginManager
105 return; 104 return;
106 } 105 }
107 106
107 $this->isLoggedIn = true;
108 $this->sessionManager->extendSession(); 108 $this->sessionManager->extendSession();
109 } 109 }
110 110
diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php
index 24e25528..b8b8ab8d 100644
--- a/application/security/SessionManager.php
+++ b/application/security/SessionManager.php
@@ -169,6 +169,9 @@ class SessionManager
169 */ 169 */
170 public function hasSessionExpired() 170 public function hasSessionExpired()
171 { 171 {
172 if (empty($this->session['expires_on'])) {
173 return true;
174 }
172 if (time() >= $this->session['expires_on']) { 175 if (time() >= $this->session['expires_on']) {
173 return true; 176 return true;
174 } 177 }
@@ -188,7 +191,7 @@ class SessionManager
188 if ($this->conf->get('security.session_protection_disabled') === true) { 191 if ($this->conf->get('security.session_protection_disabled') === true) {
189 return false; 192 return false;
190 } 193 }
191 if ($this->session['ip'] == $clientIpId) { 194 if (isset($this->session['ip']) && $this->session['ip'] === $clientIpId) {
192 return false; 195 return false;
193 } 196 }
194 return true; 197 return true;
diff --git a/tests/security/LoginManagerTest.php b/tests/security/LoginManagerTest.php
index fad09992..f26cd1eb 100644
--- a/tests/security/LoginManagerTest.php
+++ b/tests/security/LoginManagerTest.php
@@ -84,10 +84,7 @@ class LoginManagerTest extends TestCase
84 $this->globals = &$GLOBALS; 84 $this->globals = &$GLOBALS;
85 unset($this->globals['IPBANS']); 85 unset($this->globals['IPBANS']);
86 86
87 $this->session = [ 87 $this->session = [];
88 'expires_on' => time() + 100,
89 'ip' => $this->clientIpAddress,
90 ];
91 88
92 $this->sessionManager = new SessionManager($this->session, $this->configManager); 89 $this->sessionManager = new SessionManager($this->session, $this->configManager);
93 $this->loginManager = new LoginManager($this->globals, $this->configManager, $this->sessionManager); 90 $this->loginManager = new LoginManager($this->globals, $this->configManager, $this->sessionManager);
@@ -281,12 +278,18 @@ class LoginManagerTest extends TestCase
281 */ 278 */
282 public function testCheckLoginStateStaySignedInWithInvalidToken() 279 public function testCheckLoginStateStaySignedInWithInvalidToken()
283 { 280 {
281 // simulate a previous login
282 $this->session = [
283 'ip' => $this->clientIpAddress,
284 'expires_on' => time() + 100,
285 ];
284 $this->loginManager->generateStaySignedInToken($this->clientIpAddress); 286 $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
285 $this->cookie[LoginManager::$STAY_SIGNED_IN_COOKIE] = 'nope'; 287 $this->cookie[LoginManager::$STAY_SIGNED_IN_COOKIE] = 'nope';
286 288
287 $this->loginManager->checkLoginState($this->cookie, $this->clientIpAddress); 289 $this->loginManager->checkLoginState($this->cookie, $this->clientIpAddress);
288 290
289 $this->assertFalse($this->loginManager->isLoggedIn()); 291 $this->assertTrue($this->loginManager->isLoggedIn());
292 $this->assertTrue(empty($this->session['username']));
290 } 293 }
291 294
292 /** 295 /**
@@ -300,6 +303,8 @@ class LoginManagerTest extends TestCase
300 $this->loginManager->checkLoginState($this->cookie, $this->clientIpAddress); 303 $this->loginManager->checkLoginState($this->cookie, $this->clientIpAddress);
301 304
302 $this->assertTrue($this->loginManager->isLoggedIn()); 305 $this->assertTrue($this->loginManager->isLoggedIn());
306 $this->assertEquals($this->login, $this->session['username']);
307 $this->assertEquals($this->clientIpAddress, $this->session['ip']);
303 } 308 }
304 309
305 /** 310 /**
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-21 11:56:36 +0000