aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorVirtualTam <virtualtam@flibidi.net>2018-02-17 01:14:58 +0100
committerVirtualTam <virtualtam@flibidi.net>2018-05-29 22:53:54 +0200
commit49f183231662c642ca9df6ceabf43fe128a5ffc1 (patch)
tree37367944aef0f998b12e307a2510cb2c06d3aa0f
parentdb45a36a53dbd722e5e891827e49d9e7651f2a5e (diff)
downloadShaarli-49f183231662c642ca9df6ceabf43fe128a5ffc1.tar.gz
Shaarli-49f183231662c642ca9df6ceabf43fe128a5ffc1.tar.zst
Shaarli-49f183231662c642ca9df6ceabf43fe128a5ffc1.zip
Refactor PHP session handling during login/logout
Changed: - move $_SESSION handling to SessionManager - code cleanup Signed-off-by: VirtualTam <virtualtam@flibidi.net>
-rw-r--r--application/SessionManager.php40
-rw-r--r--index.php49
2 files changed, 53 insertions, 36 deletions
diff --git a/application/SessionManager.php b/application/SessionManager.php
index 704f8504..7bfd2220 100644
--- a/application/SessionManager.php
+++ b/application/SessionManager.php
@@ -9,9 +9,15 @@ class SessionManager
9 /** Session expiration timeout, in seconds */ 9 /** Session expiration timeout, in seconds */
10 public static $INACTIVITY_TIMEOUT = 3600; 10 public static $INACTIVITY_TIMEOUT = 3600;
11 11
12 /** Name of the cookie set after logging in **/
13 public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn';
14
12 /** Local reference to the global $_SESSION array */ 15 /** Local reference to the global $_SESSION array */
13 protected $session = []; 16 protected $session = [];
14 17
18 /** ConfigManager instance **/
19 protected $conf = null;
20
15 /** 21 /**
16 * Constructor 22 * Constructor
17 * 23 *
@@ -84,4 +90,38 @@ class SessionManager
84 90
85 return true; 91 return true;
86 } 92 }
93
94 /**
95 * Store user login information after a successful login
96 *
97 * @param array $server The global $_SERVER array
98 */
99 public function storeLoginInfo($server)
100 {
101 // Generate unique random number (different than phpsessionid)
102 $this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand());
103 $this->session['ip'] = client_ip_id($server);
104 $this->session['username'] = $this->conf->get('credentials.login');
105 $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
106 }
107
108 /**
109 * Logout a user by unsetting all login information
110 *
111 * See:
112 * - https://secure.php.net/manual/en/function.setcookie.php
113 *
114 * @param string $webPath path on the server in which the cookie will be available on
115 */
116 public function logout($webPath)
117 {
118 if (isset($this->session)) {
119 unset($this->session['uid']);
120 unset($this->session['ip']);
121 unset($this->session['username']);
122 unset($this->session['visibility']);
123 unset($this->session['untaggedonly']);
124 }
125 setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath);
126 }
87} 127}
diff --git a/index.php b/index.php
index 9cbc9241..34785209 100644
--- a/index.php
+++ b/index.php
@@ -197,11 +197,11 @@ function setup_login_state($conf, $sessionManager)
197 $userIsLoggedIn = false; // Shaarli is not configured yet. 197 $userIsLoggedIn = false; // Shaarli is not configured yet.
198 $loginFailure = true; 198 $loginFailure = true;
199 } 199 }
200 if (isset($_COOKIE['shaarli_staySignedIn']) && 200 if (isset($_COOKIE[SessionManager::$LOGGED_IN_COOKIE])
201 $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && 201 && $_COOKIE[SessionManager::$LOGGED_IN_COOKIE] === STAY_SIGNED_IN_TOKEN
202 !$loginFailure) 202 && !$loginFailure
203 { 203 ) {
204 fillSessionInfo($conf, $sessionManager); 204 $sessionManager->storeLoginInfo($_SERVER);
205 $userIsLoggedIn = true; 205 $userIsLoggedIn = true;
206 } 206 }
207 // If session does not exist on server side, or IP address has changed, or session has expired, logout. 207 // If session does not exist on server side, or IP address has changed, or session has expired, logout.
@@ -209,7 +209,7 @@ function setup_login_state($conf, $sessionManager)
209 || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != client_ip_id($_SERVER)) 209 || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != client_ip_id($_SERVER))
210 || time() >= $_SESSION['expires_on']) 210 || time() >= $_SESSION['expires_on'])
211 { 211 {
212 logout(); 212 $sessionManager->logout(WEB_PATH);
213 $userIsLoggedIn = false; 213 $userIsLoggedIn = false;
214 $loginFailure = true; 214 $loginFailure = true;
215 } 215 }
@@ -231,20 +231,6 @@ $userIsLoggedIn = setup_login_state($conf, $sessionManager);
231// Session management 231// Session management
232 232
233/** 233/**
234 * Load user session
235 *
236 * @param ConfigManager $conf Configuration Manager instance.
237 * @param SessionManager $sessionManager SessionManager instance
238 */
239function fillSessionInfo($conf, $sessionManager)
240{
241 $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
242 $_SESSION['ip'] = client_ip_id($_SERVER);
243 $_SESSION['username']= $conf->get('credentials.login');
244 $_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT;
245}
246
247/**
248 * Check that user/password is correct. 234 * Check that user/password is correct.
249 * 235 *
250 * @param string $login Username 236 * @param string $login Username
@@ -259,7 +245,7 @@ function check_auth($login, $password, $conf, $sessionManager)
259 $hash = sha1($password . $login . $conf->get('credentials.salt')); 245 $hash = sha1($password . $login . $conf->get('credentials.salt'));
260 if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) { 246 if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) {
261 // Login/password is correct. 247 // Login/password is correct.
262 fillSessionInfo($conf, $sessionManager); 248 $sessionManager->storeLoginInfo($_SERVER);
263 logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); 249 logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');
264 return true; 250 return true;
265 } 251 }
@@ -274,18 +260,6 @@ function isLoggedIn()
274 return $userIsLoggedIn; 260 return $userIsLoggedIn;
275} 261}
276 262
277// Force logout.
278function logout() {
279 if (isset($_SESSION)) {
280 unset($_SESSION['uid']);
281 unset($_SESSION['ip']);
282 unset($_SESSION['username']);
283 unset($_SESSION['visibility']);
284 unset($_SESSION['untaggedonly']);
285 }
286 setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH);
287}
288
289// ------------------------------------------------------------------------------------------ 263// ------------------------------------------------------------------------------------------
290// Process login form: Check if login/password is correct. 264// Process login form: Check if login/password is correct.
291if (isset($_POST['login'])) { 265if (isset($_POST['login'])) {
@@ -303,10 +277,13 @@ if (isset($_POST['login'])) {
303 if (!empty($_POST['longlastingsession'])) { 277 if (!empty($_POST['longlastingsession'])) {
304 $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year) 278 $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year)
305 $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now) 279 $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now)
306 setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH); 280 setcookie($sessionManager::$LOGGED_IN_COOKIE, STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH);
307 $_SESSION['expires_on'] = $expiration; // Set session expiration on server-side. 281 $_SESSION['expires_on'] = $expiration; // Set session expiration on server-side.
308 282
309 $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; 283 $cookiedir = '';
284 if (dirname($_SERVER['SCRIPT_NAME']) != '/') {
285 $cookiedir = dirname($_SERVER["SCRIPT_NAME"]) . '/';
286 }
310 session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side 287 session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side
311 // Note: Never forget the trailing slash on the cookie path! 288 // Note: Never forget the trailing slash on the cookie path!
312 session_regenerate_id(true); // Send cookie with new expiration date to browser. 289 session_regenerate_id(true); // Send cookie with new expiration date to browser.
@@ -676,7 +653,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history, $sessionManager,
676 if (isset($_SERVER['QUERY_STRING']) && startsWith($_SERVER['QUERY_STRING'], 'do=logout')) 653 if (isset($_SERVER['QUERY_STRING']) && startsWith($_SERVER['QUERY_STRING'], 'do=logout'))
677 { 654 {
678 invalidateCaches($conf->get('resource.page_cache')); 655 invalidateCaches($conf->get('resource.page_cache'));
679 logout(); 656 $sessionManager->logout(WEB_PATH);
680 header('Location: ?'); 657 header('Location: ?');
681 exit; 658 exit;
682 } 659 }