diff options
author | Sébastien SAUVAGE <sebsauvage@sebsauvage.net> | 2014-02-09 18:43:52 +0100 |
---|---|---|
committer | Sébastien SAUVAGE <sebsauvage@sebsauvage.net> | 2014-02-09 18:43:52 +0100 |
commit | 15b98c3dc881efc6fd9c0a1c068c4be044e391eb (patch) | |
tree | 8d5dd3266f990da84cb4516ca36b5fa5815488ba | |
parent | 067e66acfee19019ea3c1efa7f4ea305259bbd74 (diff) | |
parent | ae00595b1ca1cdcbbef5090b1ab907c54be4aa48 (diff) | |
download | Shaarli-15b98c3dc881efc6fd9c0a1c068c4be044e391eb.tar.gz Shaarli-15b98c3dc881efc6fd9c0a1c068c4be044e391eb.tar.zst Shaarli-15b98c3dc881efc6fd9c0a1c068c4be044e391eb.zip |
Merge pull request #155 from Sbgodin/staySignedInWithCookie
"Stay signed in" modification. This will help people with hosts which aggressively clean sessions on server side.
-rw-r--r-- | index.php | 26 |
1 files changed, 21 insertions, 5 deletions
@@ -37,6 +37,8 @@ if (is_file($GLOBALS['config']['DATADIR'].'/options.php')) require($GLOBALS['con | |||
37 | define('shaarli_version','0.0.41 beta'); | 37 | define('shaarli_version','0.0.41 beta'); |
38 | define('PHPPREFIX','<?php /* '); // Prefix to encapsulate data in php code. | 38 | define('PHPPREFIX','<?php /* '); // Prefix to encapsulate data in php code. |
39 | define('PHPSUFFIX',' */ ?>'); // Suffix to encapsulate data in php code. | 39 | define('PHPSUFFIX',' */ ?>'); // Suffix to encapsulate data in php code. |
40 | // http://server.com/x/shaarli --> /shaarli/ | ||
41 | define('WEB_PATH', substr($_SERVER["REQUEST_URI"], 0, 1+strrpos($_SERVER["REQUEST_URI"], '/', 0))); | ||
40 | 42 | ||
41 | // Force cookie path (but do not change lifetime) | 43 | // Force cookie path (but do not change lifetime) |
42 | $cookie=session_get_cookie_params(); | 44 | $cookie=session_get_cookie_params(); |
@@ -110,6 +112,8 @@ if (!is_file($GLOBALS['config']['CONFIG_FILE'])) install(); | |||
110 | 112 | ||
111 | require $GLOBALS['config']['CONFIG_FILE']; // Read login/password hash into $GLOBALS. | 113 | require $GLOBALS['config']['CONFIG_FILE']; // Read login/password hash into $GLOBALS. |
112 | 114 | ||
115 | // a token depending of deployment salt, user password, and the current ip | ||
116 | define('STAY_SIGNED_IN_TOKEN', sha1($GLOBALS['hash'].$_SERVER["REMOTE_ADDR"].$GLOBALS['salt'])); | ||
113 | 117 | ||
114 | autoLocale(); // Sniff browser language and set date format accordingly. | 118 | autoLocale(); // Sniff browser language and set date format accordingly. |
115 | header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling. | 119 | header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling. |
@@ -294,16 +298,20 @@ function allIPs() | |||
294 | return $ip; | 298 | return $ip; |
295 | } | 299 | } |
296 | 300 | ||
301 | function fillSessionInfo() { | ||
302 | $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // generate unique random number (different than phpsessionid) | ||
303 | $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. | ||
304 | $_SESSION['username']=$GLOBALS['login']; | ||
305 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. | ||
306 | } | ||
307 | |||
297 | // Check that user/password is correct. | 308 | // Check that user/password is correct. |
298 | function check_auth($login,$password) | 309 | function check_auth($login,$password) |
299 | { | 310 | { |
300 | $hash = sha1($password.$login.$GLOBALS['salt']); | 311 | $hash = sha1($password.$login.$GLOBALS['salt']); |
301 | if ($login==$GLOBALS['login'] && $hash==$GLOBALS['hash']) | 312 | if ($login==$GLOBALS['login'] && $hash==$GLOBALS['hash']) |
302 | { // Login/password is correct. | 313 | { // Login/password is correct. |
303 | $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // generate unique random number (different than phpsessionid) | 314 | fillSessionInfo(); |
304 | $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. | ||
305 | $_SESSION['username']=$login; | ||
306 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. | ||
307 | logm('Login successful'); | 315 | logm('Login successful'); |
308 | return True; | 316 | return True; |
309 | } | 317 | } |
@@ -318,6 +326,11 @@ function isLoggedIn() | |||
318 | 326 | ||
319 | if (!isset($GLOBALS['login'])) return false; // Shaarli is not configured yet. | 327 | if (!isset($GLOBALS['login'])) return false; // Shaarli is not configured yet. |
320 | 328 | ||
329 | if (@$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN) | ||
330 | { | ||
331 | fillSessionInfo(); | ||
332 | return true; | ||
333 | } | ||
321 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. | 334 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. |
322 | if (empty($_SESSION['uid']) || ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) || time()>=$_SESSION['expires_on']) | 335 | if (empty($_SESSION['uid']) || ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) || time()>=$_SESSION['expires_on']) |
323 | { | 336 | { |
@@ -331,7 +344,9 @@ function isLoggedIn() | |||
331 | } | 344 | } |
332 | 345 | ||
333 | // Force logout. | 346 | // Force logout. |
334 | function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); } } | 347 | function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); } |
348 | setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH); | ||
349 | } | ||
335 | 350 | ||
336 | 351 | ||
337 | // ------------------------------------------------------------------------------------------ | 352 | // ------------------------------------------------------------------------------------------ |
@@ -393,6 +408,7 @@ if (isset($_POST['login'])) | |||
393 | // If user wants to keep the session cookie even after the browser closes: | 408 | // If user wants to keep the session cookie even after the browser closes: |
394 | if (!empty($_POST['longlastingsession'])) | 409 | if (!empty($_POST['longlastingsession'])) |
395 | { | 410 | { |
411 | setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH); | ||
396 | $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year) | 412 | $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year) |
397 | $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side. | 413 | $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side. |
398 | 414 | ||