diff options
| author | Sébastien SAUVAGE <sebsauvage@sebsauvage.net> | 2014-02-09 18:43:52 +0100 |
|---|---|---|
| committer | Sébastien SAUVAGE <sebsauvage@sebsauvage.net> | 2014-02-09 18:43:52 +0100 |
| commit | 15b98c3dc881efc6fd9c0a1c068c4be044e391eb (patch) | |
| tree | 8d5dd3266f990da84cb4516ca36b5fa5815488ba | |
| parent | 067e66acfee19019ea3c1efa7f4ea305259bbd74 (diff) | |
| parent | ae00595b1ca1cdcbbef5090b1ab907c54be4aa48 (diff) | |
| download | Shaarli-15b98c3dc881efc6fd9c0a1c068c4be044e391eb.tar.gz Shaarli-15b98c3dc881efc6fd9c0a1c068c4be044e391eb.tar.zst Shaarli-15b98c3dc881efc6fd9c0a1c068c4be044e391eb.zip | |
Merge pull request #155 from Sbgodin/staySignedInWithCookie
"Stay signed in" modification. This will help people with hosts which aggressively clean sessions on server side.
| -rw-r--r-- | index.php | 26 |
1 files changed, 21 insertions, 5 deletions
| @@ -37,6 +37,8 @@ if (is_file($GLOBALS['config']['DATADIR'].'/options.php')) require($GLOBALS['con | |||
| 37 | define('shaarli_version','0.0.41 beta'); | 37 | define('shaarli_version','0.0.41 beta'); |
| 38 | define('PHPPREFIX','<?php /* '); // Prefix to encapsulate data in php code. | 38 | define('PHPPREFIX','<?php /* '); // Prefix to encapsulate data in php code. |
| 39 | define('PHPSUFFIX',' */ ?>'); // Suffix to encapsulate data in php code. | 39 | define('PHPSUFFIX',' */ ?>'); // Suffix to encapsulate data in php code. |
| 40 | // http://server.com/x/shaarli --> /shaarli/ | ||
| 41 | define('WEB_PATH', substr($_SERVER["REQUEST_URI"], 0, 1+strrpos($_SERVER["REQUEST_URI"], '/', 0))); | ||
| 40 | 42 | ||
| 41 | // Force cookie path (but do not change lifetime) | 43 | // Force cookie path (but do not change lifetime) |
| 42 | $cookie=session_get_cookie_params(); | 44 | $cookie=session_get_cookie_params(); |
| @@ -110,6 +112,8 @@ if (!is_file($GLOBALS['config']['CONFIG_FILE'])) install(); | |||
| 110 | 112 | ||
| 111 | require $GLOBALS['config']['CONFIG_FILE']; // Read login/password hash into $GLOBALS. | 113 | require $GLOBALS['config']['CONFIG_FILE']; // Read login/password hash into $GLOBALS. |
| 112 | 114 | ||
| 115 | // a token depending of deployment salt, user password, and the current ip | ||
| 116 | define('STAY_SIGNED_IN_TOKEN', sha1($GLOBALS['hash'].$_SERVER["REMOTE_ADDR"].$GLOBALS['salt'])); | ||
| 113 | 117 | ||
| 114 | autoLocale(); // Sniff browser language and set date format accordingly. | 118 | autoLocale(); // Sniff browser language and set date format accordingly. |
| 115 | header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling. | 119 | header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling. |
| @@ -294,16 +298,20 @@ function allIPs() | |||
| 294 | return $ip; | 298 | return $ip; |
| 295 | } | 299 | } |
| 296 | 300 | ||
| 301 | function fillSessionInfo() { | ||
| 302 | $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // generate unique random number (different than phpsessionid) | ||
| 303 | $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. | ||
| 304 | $_SESSION['username']=$GLOBALS['login']; | ||
| 305 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. | ||
| 306 | } | ||
| 307 | |||
| 297 | // Check that user/password is correct. | 308 | // Check that user/password is correct. |
| 298 | function check_auth($login,$password) | 309 | function check_auth($login,$password) |
| 299 | { | 310 | { |
| 300 | $hash = sha1($password.$login.$GLOBALS['salt']); | 311 | $hash = sha1($password.$login.$GLOBALS['salt']); |
| 301 | if ($login==$GLOBALS['login'] && $hash==$GLOBALS['hash']) | 312 | if ($login==$GLOBALS['login'] && $hash==$GLOBALS['hash']) |
| 302 | { // Login/password is correct. | 313 | { // Login/password is correct. |
| 303 | $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // generate unique random number (different than phpsessionid) | 314 | fillSessionInfo(); |
| 304 | $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. | ||
| 305 | $_SESSION['username']=$login; | ||
| 306 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. | ||
| 307 | logm('Login successful'); | 315 | logm('Login successful'); |
| 308 | return True; | 316 | return True; |
| 309 | } | 317 | } |
| @@ -318,6 +326,11 @@ function isLoggedIn() | |||
| 318 | 326 | ||
| 319 | if (!isset($GLOBALS['login'])) return false; // Shaarli is not configured yet. | 327 | if (!isset($GLOBALS['login'])) return false; // Shaarli is not configured yet. |
| 320 | 328 | ||
| 329 | if (@$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN) | ||
| 330 | { | ||
| 331 | fillSessionInfo(); | ||
| 332 | return true; | ||
| 333 | } | ||
| 321 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. | 334 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. |
| 322 | if (empty($_SESSION['uid']) || ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) || time()>=$_SESSION['expires_on']) | 335 | if (empty($_SESSION['uid']) || ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) || time()>=$_SESSION['expires_on']) |
| 323 | { | 336 | { |
| @@ -331,7 +344,9 @@ function isLoggedIn() | |||
| 331 | } | 344 | } |
| 332 | 345 | ||
| 333 | // Force logout. | 346 | // Force logout. |
| 334 | function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); } } | 347 | function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); } |
| 348 | setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH); | ||
| 349 | } | ||
| 335 | 350 | ||
| 336 | 351 | ||
| 337 | // ------------------------------------------------------------------------------------------ | 352 | // ------------------------------------------------------------------------------------------ |
| @@ -393,6 +408,7 @@ if (isset($_POST['login'])) | |||
| 393 | // If user wants to keep the session cookie even after the browser closes: | 408 | // If user wants to keep the session cookie even after the browser closes: |
| 394 | if (!empty($_POST['longlastingsession'])) | 409 | if (!empty($_POST['longlastingsession'])) |
| 395 | { | 410 | { |
| 411 | setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH); | ||
| 396 | $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year) | 412 | $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year) |
| 397 | $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side. | 413 | $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side. |
| 398 | 414 | ||