Merge pull request #86 from pikzen/fix-cookies

Prevent shaarli from sending thousands of cookies.
author: nodiscc <nodiscc@gmail.com> 2015-02-19 16:23:43 +0100
committer: nodiscc <nodiscc@gmail.com> 2015-02-19 16:23:43 +0100
commit: 4891e2f77adc86a17284db0c7e8d57a0d8be834f (patch)
tree: 97ac6547c54b85c932b915c40aa6b9d0022f9257
parent: 6e838176a1413ce09a4d6630f8438072af9f8fce (diff)
parent: ff69d87ed95747beae3fc60d450fe79ddc21398e (diff)
download: Shaarli-4891e2f77adc86a17284db0c7e8d57a0d8be834f.tar.gz
Shaarli-4891e2f77adc86a17284db0c7e8d57a0d8be834f.tar.zst
Shaarli-4891e2f77adc86a17284db0c7e8d57a0d8be834f.zip
1 files changed, 57 insertions, 22 deletions
diff --git a/index.php b/index.php
index 3af38695..fdd9aecb 100644
--- a/index.php
+++ b/index.php
@@ -113,6 +113,53 @@ define('STAY_SIGNED_IN_TOKEN', sha1($GLOBALS['hash'].$_SERVER["REMOTE_ADDR"].$GL
 autoLocale(); // Sniff browser language and set date format accordingly.
 header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling.
+//==================================================================================================
+// Checking session state (i.e. is the user still logged in)
+//==================================================================================================
+function setup_login_state() {
+        $userIsLoggedIn = false; // By default, we do not consider the user as logged in;
+        $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.
+        if ($GLOBALS['config']['OPEN_SHAARLI']) {
+            $userIsLoggedIn = true;
+        }
+        if (!isset($GLOBALS['login'])) {
+            $userIsLoggedIn = false;  // Shaarli is not configured yet.
+            $loginFailure = true;
+        }
+        if (isset($_COOKIE['shaarli_staySignedIn']) &&
+            $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
+            !$loginFailure)
+        {
+            fillSessionInfo();
+            $userIsLoggedIn = true;
+        }
+        // If session does not exist on server side, or IP address has changed, or session has expired, logout.
+        if (empty($_SESSION['uid']) ||
+            ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) ||
+            time() >= $_SESSION['expires_on'])
+        {
+            logout();
+            $userIsLoggedIn = false;
+            $loginFailure = true;
+        }
+        if (!empty($_SESSION['longlastingsession'])) {
+            $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
+        }
+        else {
+            $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
+        }
+        if (!$loginFailure) {
+            $userIsLoggedIn = true;
+        }
+        return $userIsLoggedIn;
+}
+//==================================================================================================
+$userIsLoggedIn = setup_login_state();
+//==================================================================================================
+//==================================================================================================
 // Check PHP version
 function checkphpversion()
 {
@@ -316,30 +363,19 @@ function check_auth($login,$password)
 // Returns true if the user is logged in.
 function isLoggedIn()
 {
-    if ($GLOBALS['config']['OPEN_SHAARLI']) return true;
+    global $userIsLoggedIn;
+    return $userIsLoggedIn;
-    if (!isset($GLOBALS['login'])) return false;  // Shaarli is not configured yet.
-        if (@$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN)
-        {
-                fillSessionInfo();
-                return true;
-        }
-    // If session does not exist on server side, or IP address has changed, or session has expired, logout.
-    if (empty($_SESSION['uid']) || ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) || time()>=$_SESSION['expires_on'])
-    {
-        logout();
-        return false;
-    }
-    if (!empty($_SESSION['longlastingsession']))  $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
-    else $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
-    return true;
 }
 // Force logout.
-function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); }
+function logout() {
-setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH);
+    if (isset($_SESSION)) {
+        unset($_SESSION['uid']);
+        unset($_SESSION['ip']);
+        unset($_SESSION['username']);
+        unset($_SESSION['privateonly']);
+    }
+    setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH);
 }
@@ -2074,7 +2110,6 @@ function thumbnail($url,$href=false)
    return $html;
 }
 // Returns the HTML code to display a thumbnail for a link
 // for the picture wall (using lazy image loading)
 // Understands various services (youtube.com...)
author	nodiscc <nodiscc@gmail.com>	2015-02-19 16:23:43 +0100
committer	nodiscc <nodiscc@gmail.com>	2015-02-19 16:23:43 +0100
commit	4891e2f77adc86a17284db0c7e8d57a0d8be834f (patch)
tree	97ac6547c54b85c932b915c40aa6b9d0022f9257
parent	6e838176a1413ce09a4d6630f8438072af9f8fce (diff)
parent	ff69d87ed95747beae3fc60d450fe79ddc21398e (diff)
download	Shaarli-4891e2f77adc86a17284db0c7e8d57a0d8be834f.tar.gz Shaarli-4891e2f77adc86a17284db0c7e8d57a0d8be834f.tar.zst Shaarli-4891e2f77adc86a17284db0c7e8d57a0d8be834f.zip

diff --git a/index.php b/index.php index 3af38695..fdd9aecb 100644 --- a/index.php +++ b/index.php
@@ -113,6 +113,53 @@ define('STAY_SIGNED_IN_TOKEN', sha1($GLOBALS['hash'].$_SERVER["REMOTE_ADDR"].$GL
113	autoLocale(); // Sniff browser language and set date format accordingly.	113	autoLocale(); // Sniff browser language and set date format accordingly.
114	header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling.	114	header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling.
115		115
		116	//==================================================================================================
		117	// Checking session state (i.e. is the user still logged in)
		118	//==================================================================================================
		119
		120	function setup_login_state() {
		121	$userIsLoggedIn = false; // By default, we do not consider the user as logged in;
		122	$loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.
		123	if ($GLOBALS['config']['OPEN_SHAARLI']) {
		124	$userIsLoggedIn = true;
		125	}
		126	if (!isset($GLOBALS['login'])) {
		127	$userIsLoggedIn = false; // Shaarli is not configured yet.
		128	$loginFailure = true;
		129	}
		130	if (isset($_COOKIE['shaarli_staySignedIn']) &&
		131	$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
		132	!$loginFailure)
		133	{
		134	fillSessionInfo();
		135	$userIsLoggedIn = true;
		136	}
		137	// If session does not exist on server side, or IP address has changed, or session has expired, logout.
		138	if (empty($_SESSION['uid']) \|\|
		139	($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) \|\|
		140	time() >= $_SESSION['expires_on'])
		141	{
		142	logout();
		143	$userIsLoggedIn = false;
		144	$loginFailure = true;
		145	}
		146	if (!empty($_SESSION['longlastingsession'])) {
		147	$_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
		148	}
		149	else {
		150	$_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
		151	}
		152	if (!$loginFailure) {
		153	$userIsLoggedIn = true;
		154	}
		155
		156	return $userIsLoggedIn;
		157	}
		158	//==================================================================================================
		159	$userIsLoggedIn = setup_login_state();
		160	//==================================================================================================
		161	//==================================================================================================
		162
116	// Check PHP version	163	// Check PHP version
117	function checkphpversion()	164	function checkphpversion()
118	{	165	{
@@ -316,30 +363,19 @@ function check_auth($login,$password)
316	// Returns true if the user is logged in.	363	// Returns true if the user is logged in.
317	function isLoggedIn()	364	function isLoggedIn()
318	{	365	{
319	if ($GLOBALS['config']['OPEN_SHAARLI']) return true;	366	global $userIsLoggedIn;
320		367	return $userIsLoggedIn;
321	if (!isset($GLOBALS['login'])) return false; // Shaarli is not configured yet.
322
323	if (@$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN)
324	{
325	fillSessionInfo();
326	return true;
327	}
328	// If session does not exist on server side, or IP address has changed, or session has expired, logout.
329	if (empty($_SESSION['uid']) \|\| ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) \|\| time()>=$_SESSION['expires_on'])
330	{
331	logout();
332	return false;
333	}
334	if (!empty($_SESSION['longlastingsession'])) $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
335	else $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
336
337	return true;
338	}	368	}
339		369
340	// Force logout.	370	// Force logout.
341	function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); }	371	function logout() {
342	setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH);	372	if (isset($_SESSION)) {
		373	unset($_SESSION['uid']);
		374	unset($_SESSION['ip']);
		375	unset($_SESSION['username']);
		376	unset($_SESSION['privateonly']);
		377	}
		378	setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH);
343	}	379	}
344		380
345		381
@@ -2074,7 +2110,6 @@ function thumbnail($url,$href=false)
2074	return $html;	2110	return $html;
2075	}	2111	}
2076		2112
2077
2078	// Returns the HTML code to display a thumbnail for a link	2113	// Returns the HTML code to display a thumbnail for a link
2079	// for the picture wall (using lazy image loading)	2114	// for the picture wall (using lazy image loading)
2080	// Understands various services (youtube.com...)	2115	// Understands various services (youtube.com...)