diff options
author | Christophe HENRY <christophe.henry@sbgodin.fr> | 2013-12-05 18:23:02 +0100 |
---|---|---|
committer | Christophe HENRY <christophe.henry@sbgodin.fr> | 2013-12-05 22:26:04 +0100 |
commit | ae00595b1ca1cdcbbef5090b1ab907c54be4aa48 (patch) | |
tree | 8d5dd3266f990da84cb4516ca36b5fa5815488ba | |
parent | 067e66acfee19019ea3c1efa7f4ea305259bbd74 (diff) | |
download | Shaarli-ae00595b1ca1cdcbbef5090b1ab907c54be4aa48.tar.gz Shaarli-ae00595b1ca1cdcbbef5090b1ab907c54be4aa48.tar.zst Shaarli-ae00595b1ca1cdcbbef5090b1ab907c54be4aa48.zip |
A real "Stay signed in": keep the connection
Instead of trusting the php session, it uses a cookie. The php session
sooner or later is distroyed if not used. It depends upon the server
settings. Using a cookie ensures that one really stays signed in.
Dev notes: I wanted to avoid merge conflicts, stay with the main
developper standards and keep the "index.php" in one file. That's why
the code may not be that nice. My own dev level my also explain.
-rw-r--r-- | index.php | 26 |
1 files changed, 21 insertions, 5 deletions
@@ -37,6 +37,8 @@ if (is_file($GLOBALS['config']['DATADIR'].'/options.php')) require($GLOBALS['con | |||
37 | define('shaarli_version','0.0.41 beta'); | 37 | define('shaarli_version','0.0.41 beta'); |
38 | define('PHPPREFIX','<?php /* '); // Prefix to encapsulate data in php code. | 38 | define('PHPPREFIX','<?php /* '); // Prefix to encapsulate data in php code. |
39 | define('PHPSUFFIX',' */ ?>'); // Suffix to encapsulate data in php code. | 39 | define('PHPSUFFIX',' */ ?>'); // Suffix to encapsulate data in php code. |
40 | // http://server.com/x/shaarli --> /shaarli/ | ||
41 | define('WEB_PATH', substr($_SERVER["REQUEST_URI"], 0, 1+strrpos($_SERVER["REQUEST_URI"], '/', 0))); | ||
40 | 42 | ||
41 | // Force cookie path (but do not change lifetime) | 43 | // Force cookie path (but do not change lifetime) |
42 | $cookie=session_get_cookie_params(); | 44 | $cookie=session_get_cookie_params(); |
@@ -110,6 +112,8 @@ if (!is_file($GLOBALS['config']['CONFIG_FILE'])) install(); | |||
110 | 112 | ||
111 | require $GLOBALS['config']['CONFIG_FILE']; // Read login/password hash into $GLOBALS. | 113 | require $GLOBALS['config']['CONFIG_FILE']; // Read login/password hash into $GLOBALS. |
112 | 114 | ||
115 | // a token depending of deployment salt, user password, and the current ip | ||
116 | define('STAY_SIGNED_IN_TOKEN', sha1($GLOBALS['hash'].$_SERVER["REMOTE_ADDR"].$GLOBALS['salt'])); | ||
113 | 117 | ||
114 | autoLocale(); // Sniff browser language and set date format accordingly. | 118 | autoLocale(); // Sniff browser language and set date format accordingly. |
115 | header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling. | 119 | header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling. |
@@ -294,16 +298,20 @@ function allIPs() | |||
294 | return $ip; | 298 | return $ip; |
295 | } | 299 | } |
296 | 300 | ||
301 | function fillSessionInfo() { | ||
302 | $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // generate unique random number (different than phpsessionid) | ||
303 | $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. | ||
304 | $_SESSION['username']=$GLOBALS['login']; | ||
305 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. | ||
306 | } | ||
307 | |||
297 | // Check that user/password is correct. | 308 | // Check that user/password is correct. |
298 | function check_auth($login,$password) | 309 | function check_auth($login,$password) |
299 | { | 310 | { |
300 | $hash = sha1($password.$login.$GLOBALS['salt']); | 311 | $hash = sha1($password.$login.$GLOBALS['salt']); |
301 | if ($login==$GLOBALS['login'] && $hash==$GLOBALS['hash']) | 312 | if ($login==$GLOBALS['login'] && $hash==$GLOBALS['hash']) |
302 | { // Login/password is correct. | 313 | { // Login/password is correct. |
303 | $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // generate unique random number (different than phpsessionid) | 314 | fillSessionInfo(); |
304 | $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. | ||
305 | $_SESSION['username']=$login; | ||
306 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. | ||
307 | logm('Login successful'); | 315 | logm('Login successful'); |
308 | return True; | 316 | return True; |
309 | } | 317 | } |
@@ -318,6 +326,11 @@ function isLoggedIn() | |||
318 | 326 | ||
319 | if (!isset($GLOBALS['login'])) return false; // Shaarli is not configured yet. | 327 | if (!isset($GLOBALS['login'])) return false; // Shaarli is not configured yet. |
320 | 328 | ||
329 | if (@$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN) | ||
330 | { | ||
331 | fillSessionInfo(); | ||
332 | return true; | ||
333 | } | ||
321 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. | 334 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. |
322 | if (empty($_SESSION['uid']) || ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) || time()>=$_SESSION['expires_on']) | 335 | if (empty($_SESSION['uid']) || ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) || time()>=$_SESSION['expires_on']) |
323 | { | 336 | { |
@@ -331,7 +344,9 @@ function isLoggedIn() | |||
331 | } | 344 | } |
332 | 345 | ||
333 | // Force logout. | 346 | // Force logout. |
334 | function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); } } | 347 | function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); } |
348 | setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH); | ||
349 | } | ||
335 | 350 | ||
336 | 351 | ||
337 | // ------------------------------------------------------------------------------------------ | 352 | // ------------------------------------------------------------------------------------------ |
@@ -393,6 +408,7 @@ if (isset($_POST['login'])) | |||
393 | // If user wants to keep the session cookie even after the browser closes: | 408 | // If user wants to keep the session cookie even after the browser closes: |
394 | if (!empty($_POST['longlastingsession'])) | 409 | if (!empty($_POST['longlastingsession'])) |
395 | { | 410 | { |
411 | setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH); | ||
396 | $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year) | 412 | $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year) |
397 | $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side. | 413 | $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side. |
398 | 414 | ||