Refactor SessionManager::$INACTIVITY_TIMEOUT

Changed: - move INACTIVITY_TIMEOUT to SessionManager - inject a dependency to a SessionManager instance in: - fillSessionInfo() - setup_login_state() - check_auth() - cleanup related code and comments Signed-off-by: VirtualTam <virtualtam@flibidi.net>
author: VirtualTam <virtualtam@flibidi.net> 2018-02-16 22:21:59 +0100
committer: VirtualTam <virtualtam@flibidi.net> 2018-05-29 22:53:54 +0200
commit: db45a36a53dbd722e5e891827e49d9e7651f2a5e (patch)
tree: fab831952e00fcdda5482c6e2318ff3f63b87e92
parent: 88110550b89617dcda16441212599b8a40faa20c (diff)
download: Shaarli-db45a36a53dbd722e5e891827e49d9e7651f2a5e.tar.gz
Shaarli-db45a36a53dbd722e5e891827e49d9e7651f2a5e.tar.zst
Shaarli-db45a36a53dbd722e5e891827e49d9e7651f2a5e.zip
2 files changed, 28 insertions, 24 deletions
diff --git a/application/SessionManager.php b/application/SessionManager.php
index 71f0b38d..704f8504 100644
--- a/application/SessionManager.php
+++ b/application/SessionManager.php
@@ -6,6 +6,10 @@ namespace Shaarli;
 */
 class SessionManager
 {
+    /** Session expiration timeout, in seconds */
+    public static $INACTIVITY_TIMEOUT = 3600;
+    /** Local reference to the global $_SESSION array */
    protected $session = [];
    /**
diff --git a/index.php b/index.php
index 08a69327..9cbc9241 100644
--- a/index.php
+++ b/index.php
@@ -101,8 +101,6 @@ if (dirname($_SERVER['SCRIPT_NAME']) != '/') {
 // Set default cookie expiration and path.
 session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['SERVER_NAME']);
 // Set session parameters on server side.
-// If the user does not access any page within this time, his/her session is considered expired.
-define('INACTIVITY_TIMEOUT', 3600); // in seconds.
 // Use cookies to store session.
 ini_set('session.use_cookies', 1);
 // Force cookies for session (phpsessionID forbidden in URL).
@@ -183,11 +181,12 @@ define('STAY_SIGNED_IN_TOKEN', sha1($conf->get('credentials.hash') . $_SERVER['R
 /**
 * Checking session state (i.e. is the user still logged in)
 *
- * @param ConfigManager $conf The configuration manager.
+ * @param ConfigManager  $conf           Configuration Manager instance.
+ * @param SessionManager $sessionManager SessionManager instance
 *
- * @return bool: true if the user is logged in, false otherwise.
+ * @return bool true if the user is logged in, false otherwise.
 */
-function setup_login_state($conf)
+function setup_login_state($conf, $sessionManager)
 {
    if ($conf->get('security.open_shaarli')) {
        return true;
@@ -202,7 +201,7 @@ function setup_login_state($conf)
        $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
        !$loginFailure)
    {
-        fillSessionInfo($conf);
+        fillSessionInfo($conf, $sessionManager);
        $userIsLoggedIn = true;
    }
    // If session does not exist on server side, or IP address has changed, or session has expired, logout.
@@ -216,9 +215,8 @@ function setup_login_state($conf)
    }
    if (!empty($_SESSION['longlastingsession'])) {
        $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
-    }
+    } else {
-    else {
+        $_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT;
-        $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
    }
    if (!$loginFailure) {
        $userIsLoggedIn = true;
@@ -226,39 +224,42 @@ function setup_login_state($conf)
    return $userIsLoggedIn;
 }
-$userIsLoggedIn = setup_login_state($conf);
+$userIsLoggedIn = setup_login_state($conf, $sessionManager);
 // ------------------------------------------------------------------------------------------
 // Session management
 /**
- * Load user session.
+ * Load user session
 *
- * @param ConfigManager $conf Configuration Manager instance.
+ * @param ConfigManager  $conf           Configuration Manager instance.
+ * @param SessionManager $sessionManager SessionManager instance
 */
-function fillSessionInfo($conf)
+function fillSessionInfo($conf, $sessionManager)
 {
    $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
    $_SESSION['ip'] = client_ip_id($_SERVER);
    $_SESSION['username']= $conf->get('credentials.login');
-    $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT;  // Set session expiration.
+    $_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT;
 }
 /**
 * Check that user/password is correct.
 *
- * @param string        $login    Username
+ * @param string         $login          Username
- * @param string        $password User password
+ * @param string         $password       User password
- * @param ConfigManager $conf     Configuration Manager instance.
+ * @param ConfigManager  $conf           Configuration Manager instance.
+ * @param SessionManager $sessionManager SessionManager instance
 *
 * @return bool: authentication successful or not.
 */
-function check_auth($login, $password, $conf)
+function check_auth($login, $password, $conf, $sessionManager)
 {
    $hash = sha1($password . $login . $conf->get('credentials.salt'));
-    if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash'))
+    if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) {
-    {   // Login/password is correct.
+        // Login/password is correct.
-        fillSessionInfo($conf);
+        fillSessionInfo($conf, $sessionManager);
        logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');
        return true;
    }
@@ -287,14 +288,13 @@ function logout() {
 // ------------------------------------------------------------------------------------------
 // Process login form: Check if login/password is correct.
-if (isset($_POST['login']))
+if (isset($_POST['login'])) {
-{
    if (! $loginManager->canLogin($_SERVER)) {
        die(t('I said: NO. You are banned for the moment. Go away.'));
    }
    if (isset($_POST['password'])
        && $sessionManager->checkToken($_POST['token'])
-        && (check_auth($_POST['login'], $_POST['password'], $conf))
+        && (check_auth($_POST['login'], $_POST['password'], $conf, $sessionManager))
    ) {
        // Login/password is OK.
        $loginManager->handleSuccessfulLogin($_SERVER);
author	VirtualTam <virtualtam@flibidi.net>	2018-02-16 22:21:59 +0100
committer	VirtualTam <virtualtam@flibidi.net>	2018-05-29 22:53:54 +0200
commit	db45a36a53dbd722e5e891827e49d9e7651f2a5e (patch)
tree	fab831952e00fcdda5482c6e2318ff3f63b87e92
parent	88110550b89617dcda16441212599b8a40faa20c (diff)
download	Shaarli-db45a36a53dbd722e5e891827e49d9e7651f2a5e.tar.gz Shaarli-db45a36a53dbd722e5e891827e49d9e7651f2a5e.tar.zst Shaarli-db45a36a53dbd722e5e891827e49d9e7651f2a5e.zip

diff --git a/application/SessionManager.php b/application/SessionManager.php index 71f0b38d..704f8504 100644 --- a/application/SessionManager.php +++ b/application/SessionManager.php
@@ -6,6 +6,10 @@ namespace Shaarli;
6	*/	6	*/
7	class SessionManager	7	class SessionManager
8	{	8	{
		9	/** Session expiration timeout, in seconds */
		10	public static $INACTIVITY_TIMEOUT = 3600;
		11
		12	/** Local reference to the global $_SESSION array */
9	protected $session = [];	13	protected $session = [];
10		14
11	/**	15	/**


diff --git a/index.php b/index.php index 08a69327..9cbc9241 100644 --- a/index.php +++ b/index.php
@@ -101,8 +101,6 @@ if (dirname($_SERVER['SCRIPT_NAME']) != '/') {
101	// Set default cookie expiration and path.	101	// Set default cookie expiration and path.
102	session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['SERVER_NAME']);	102	session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['SERVER_NAME']);
103	// Set session parameters on server side.	103	// Set session parameters on server side.
104	// If the user does not access any page within this time, his/her session is considered expired.
105	define('INACTIVITY_TIMEOUT', 3600); // in seconds.
106	// Use cookies to store session.	104	// Use cookies to store session.
107	ini_set('session.use_cookies', 1);	105	ini_set('session.use_cookies', 1);
108	// Force cookies for session (phpsessionID forbidden in URL).	106	// Force cookies for session (phpsessionID forbidden in URL).
@@ -183,11 +181,12 @@ define('STAY_SIGNED_IN_TOKEN', sha1($conf->get('credentials.hash') . $_SERVER['R
183	/**	181	/**
184	* Checking session state (i.e. is the user still logged in)	182	* Checking session state (i.e. is the user still logged in)
185	*	183	*
186	* @param ConfigManager $conf The configuration manager.	184	* @param ConfigManager $conf Configuration Manager instance.
		185	* @param SessionManager $sessionManager SessionManager instance
187	*	186	*
188	* @return bool: true if the user is logged in, false otherwise.	187	* @return bool true if the user is logged in, false otherwise.
189	*/	188	*/
190	function setup_login_state($conf)	189	function setup_login_state($conf, $sessionManager)
191	{	190	{
192	if ($conf->get('security.open_shaarli')) {	191	if ($conf->get('security.open_shaarli')) {
193	return true;	192	return true;
@@ -202,7 +201,7 @@ function setup_login_state($conf)
202	$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&	201	$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
203	!$loginFailure)	202	!$loginFailure)
204	{	203	{
205	fillSessionInfo($conf);	204	fillSessionInfo($conf, $sessionManager);
206	$userIsLoggedIn = true;	205	$userIsLoggedIn = true;
207	}	206	}
208	// If session does not exist on server side, or IP address has changed, or session has expired, logout.	207	// If session does not exist on server side, or IP address has changed, or session has expired, logout.
@@ -216,9 +215,8 @@ function setup_login_state($conf)
216	}	215	}
217	if (!empty($_SESSION['longlastingsession'])) {	216	if (!empty($_SESSION['longlastingsession'])) {
218	$_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.	217	$_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
219	}	218	} else {
220	else {	219	$_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT;
221	$_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
222	}	220	}
223	if (!$loginFailure) {	221	if (!$loginFailure) {
224	$userIsLoggedIn = true;	222	$userIsLoggedIn = true;
@@ -226,39 +224,42 @@ function setup_login_state($conf)
226		224
227	return $userIsLoggedIn;	225	return $userIsLoggedIn;
228	}	226	}
229	$userIsLoggedIn = setup_login_state($conf);	227
		228	$userIsLoggedIn = setup_login_state($conf, $sessionManager);
230		229
231	// ------------------------------------------------------------------------------------------	230	// ------------------------------------------------------------------------------------------
232	// Session management	231	// Session management
233		232
234	/**	233	/**
235	* Load user session.	234	* Load user session
236	*	235	*
237	* @param ConfigManager $conf Configuration Manager instance.	236	* @param ConfigManager $conf Configuration Manager instance.
		237	* @param SessionManager $sessionManager SessionManager instance
238	*/	238	*/
239	function fillSessionInfo($conf)	239	function fillSessionInfo($conf, $sessionManager)
240	{	240	{
241	$_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)	241	$_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
242	$_SESSION['ip'] = client_ip_id($_SERVER);	242	$_SESSION['ip'] = client_ip_id($_SERVER);
243	$_SESSION['username']= $conf->get('credentials.login');	243	$_SESSION['username']= $conf->get('credentials.login');
244	$_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.	244	$_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT;
245	}	245	}
246		246
247	/**	247	/**
248	* Check that user/password is correct.	248	* Check that user/password is correct.
249	*	249	*
250	* @param string $login Username	250	* @param string $login Username
251	* @param string $password User password	251	* @param string $password User password
252	* @param ConfigManager $conf Configuration Manager instance.	252	* @param ConfigManager $conf Configuration Manager instance.
		253	* @param SessionManager $sessionManager SessionManager instance
253	*	254	*
254	* @return bool: authentication successful or not.	255	* @return bool: authentication successful or not.
255	*/	256	*/
256	function check_auth($login, $password, $conf)	257	function check_auth($login, $password, $conf, $sessionManager)
257	{	258	{
258	$hash = sha1($password . $login . $conf->get('credentials.salt'));	259	$hash = sha1($password . $login . $conf->get('credentials.salt'));
259	if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash'))	260	if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) {
260	{ // Login/password is correct.	261	// Login/password is correct.
261	fillSessionInfo($conf);	262	fillSessionInfo($conf, $sessionManager);
262	logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');	263	logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');
263	return true;	264	return true;
264	}	265	}
@@ -287,14 +288,13 @@ function logout() {
287		288
288	// ------------------------------------------------------------------------------------------	289	// ------------------------------------------------------------------------------------------
289	// Process login form: Check if login/password is correct.	290	// Process login form: Check if login/password is correct.
290	if (isset($_POST['login']))	291	if (isset($_POST['login'])) {
291	{
292	if (! $loginManager->canLogin($_SERVER)) {	292	if (! $loginManager->canLogin($_SERVER)) {
293	die(t('I said: NO. You are banned for the moment. Go away.'));	293	die(t('I said: NO. You are banned for the moment. Go away.'));
294	}	294	}
295	if (isset($_POST['password'])	295	if (isset($_POST['password'])
296	&& $sessionManager->checkToken($_POST['token'])	296	&& $sessionManager->checkToken($_POST['token'])
297	&& (check_auth($_POST['login'], $_POST['password'], $conf))	297	&& (check_auth($_POST['login'], $_POST['password'], $conf, $sessionManager))
298	) {	298	) {
299	// Login/password is OK.	299	// Login/password is OK.
300	$loginManager->handleSuccessfulLogin($_SERVER);	300	$loginManager->handleSuccessfulLogin($_SERVER);