author | VirtualTam <virtualtam@flibidi.net> | 2018-02-17 01:14:58 +0100 |
---|---|---|
committer | VirtualTam <virtualtam@flibidi.net> | 2018-05-29 22:53:54 +0200 |
commit | 49f183231662c642ca9df6ceabf43fe128a5ffc1 (patch) | |
tree | 37367944aef0f998b12e307a2510cb2c06d3aa0f | |
parent | db45a36a53dbd722e5e891827e49d9e7651f2a5e (diff) | |
Refactor PHP session handling during login/logout
Changed:
- move $_SESSION handling to SessionManager
- code cleanup
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
-rw-r--r-- | application/SessionManager.php | 40 | ||||
-rw-r--r-- | index.php | 49 |
2 files changed, 53 insertions, 36 deletions
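--- a/application/SessionManager.php
+++ b/application/SessionManager.php
@@ -9,9 +9,15 @@ class SessionManager
     /** Session expiration timeout, in seconds */
     public static $INACTIVITY_TIMEOUT = 3600;
 
+    /** Name of the cookie set after logging in **/
+    public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn';
+
     /** Local reference to the global $_SESSION array */
     protected $session = [];
 
+    /** ConfigManager instance **/
+    protected $conf = null;
+
     /**
      * Constructor
      *
@@ -84,4 +90,38 @@ class SessionManager
 
         return true;
     }
+
+    /**
+     * Store user login information after a successful login
+     *
+     * @param array $server The global $_SERVER array
+     */
+    public function storeLoginInfo($server)
+    {
+        // Generate unique random number (different than phpsessionid)
+        $this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand());
+        $this->session['ip'] = client_ip_id($server);
+        $this->session['username'] = $this->conf->get('credentials.login');
+        $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
+    }
+
+    /**
+     * Logout a user by unsetting all login information
+     *
+     * See:
+     * - https://secure.php.net/manual/en/function.setcookie.php
+     *
+     * @param string $webPath path on the server in which the cookie will be available on
+     */
+    public function logout($webPath)
+    {
+        if (isset($this->session)) {
+            unset($this->session['uid']);
+            unset($this->session['ip']);
+            unset($this->session['username']);
+            unset($this->session['visibility']);
+            unset($this->session['untaggedonly']);
+        }
+        setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath);
+    }
 }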
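Review bot: The new `logout()` no longer removes the stay-signed-in cookie: the removed index.php version passed `FALSE`, which setcookie() receives as an empty string and therefore emits a deletion (past expiry), whereas `setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath)` stores the literal string `false` as a session cookie that survives the logout. Make the deletion explicit instead, `setcookie(self::$LOGGED_IN_COOKIE, '', time() - 3600, $webPath);`, so the client drops the cookie regardless of how it interprets an empty value. The `isset($this->session)` guard is always true because the property is initialised to `[]`, so the `unset()` calls can be unconditional. `storeLoginInfo()` also builds the session `uid` from `uniqid()` and `mt_rand()`, neither of which is a cryptographic source; if `uid` is ever compared as a token, `bin2hex(random_bytes(20))` yields an identifier of the same length from a CSPRNG (PHP 7+). Whether `$this->conf` is assigned before `storeLoginInfo()` runs depends on the constructor, which lies outside this hunk.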
@@ -197,11 +197,11 @@ function setup_login_state($conf, $sessionManager) | |||
197 | $userIsLoggedIn = false; // Shaarli is not configured yet. | 197 | $userIsLoggedIn = false; // Shaarli is not configured yet. |
198 | $loginFailure = true; | 198 | $loginFailure = true; |
199 | } | 199 | } |
200 | if (isset($_COOKIE['shaarli_staySignedIn']) && | 200 | if (isset($_COOKIE[SessionManager::$LOGGED_IN_COOKIE]) |
201 | $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && | 201 | && $_COOKIE[SessionManager::$LOGGED_IN_COOKIE] === STAY_SIGNED_IN_TOKEN |
202 | !$loginFailure) | 202 | && !$loginFailure |
203 | { | 203 | ) { |
204 | fillSessionInfo($conf, $sessionManager); | 204 | $sessionManager->storeLoginInfo($_SERVER); |
205 | $userIsLoggedIn = true; | 205 | $userIsLoggedIn = true; |
206 | } | 206 | } |
207 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. | 207 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. |
@@ -209,7 +209,7 @@ function setup_login_state($conf, $sessionManager) | |||
209 | || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != client_ip_id($_SERVER)) | 209 | || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != client_ip_id($_SERVER)) |
210 | || time() >= $_SESSION['expires_on']) | 210 | || time() >= $_SESSION['expires_on']) |
211 | { | 211 | { |
212 | logout(); | 212 | $sessionManager->logout(WEB_PATH); |
213 | $userIsLoggedIn = false; | 213 | $userIsLoggedIn = false; |
214 | $loginFailure = true; | 214 | $loginFailure = true; |
215 | } | 215 | } |
@@ -231,20 +231,6 @@ $userIsLoggedIn = setup_login_state($conf, $sessionManager); | |||
231 | // Session management | 231 | // Session management |
232 | 232 | ||
233 | /** | 233 | /** |
234 | * Load user session | ||
235 | * | ||
236 | * @param ConfigManager $conf Configuration Manager instance. | ||
237 | * @param SessionManager $sessionManager SessionManager instance | ||
238 | */ | ||
239 | function fillSessionInfo($conf, $sessionManager) | ||
240 | { | ||
241 | $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) | ||
242 | $_SESSION['ip'] = client_ip_id($_SERVER); | ||
243 | $_SESSION['username']= $conf->get('credentials.login'); | ||
244 | $_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT; | ||
245 | } | ||
246 | |||
247 | /** | ||
248 | * Check that user/password is correct. | 234 | * Check that user/password is correct. |
249 | * | 235 | * |
250 | * @param string $login Username | 236 | * @param string $login Username |
@@ -259,7 +245,7 @@ function check_auth($login, $password, $conf, $sessionManager) | |||
259 | $hash = sha1($password . $login . $conf->get('credentials.salt')); | 245 | $hash = sha1($password . $login . $conf->get('credentials.salt')); |
260 | if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) { | 246 | if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) { |
261 | // Login/password is correct. | 247 | // Login/password is correct. |
262 | fillSessionInfo($conf, $sessionManager); | 248 | $sessionManager->storeLoginInfo($_SERVER); |
263 | logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); | 249 | logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); |
264 | return true; | 250 | return true; |
265 | } | 251 | } |
@@ -274,18 +260,6 @@ function isLoggedIn() | |||
274 | return $userIsLoggedIn; | 260 | return $userIsLoggedIn; |
275 | } | 261 | } |
276 | 262 | ||
277 | // Force logout. | ||
278 | function logout() { | ||
279 | if (isset($_SESSION)) { | ||
280 | unset($_SESSION['uid']); | ||
281 | unset($_SESSION['ip']); | ||
282 | unset($_SESSION['username']); | ||
283 | unset($_SESSION['visibility']); | ||
284 | unset($_SESSION['untaggedonly']); | ||
285 | } | ||
286 | setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH); | ||
287 | } | ||
288 | |||
289 | // ------------------------------------------------------------------------------------------ | 263 | // ------------------------------------------------------------------------------------------ |
290 | // Process login form: Check if login/password is correct. | 264 | // Process login form: Check if login/password is correct. |
291 | if (isset($_POST['login'])) { | 265 | if (isset($_POST['login'])) { |
@@ -303,10 +277,13 @@ if (isset($_POST['login'])) { | |||
303 | if (!empty($_POST['longlastingsession'])) { | 277 | if (!empty($_POST['longlastingsession'])) { |
304 | $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year) | 278 | $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year) |
305 | $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now) | 279 | $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now) |
306 | setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH); | 280 | setcookie($sessionManager::$LOGGED_IN_COOKIE, STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH); |
307 | $_SESSION['expires_on'] = $expiration; // Set session expiration on server-side. | 281 | $_SESSION['expires_on'] = $expiration; // Set session expiration on server-side. |
308 | 282 | ||
309 | $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; | 283 | $cookiedir = ''; |
284 | if (dirname($_SERVER['SCRIPT_NAME']) != '/') { | ||
285 | $cookiedir = dirname($_SERVER["SCRIPT_NAME"]) . '/'; | ||
286 | } | ||
310 | session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side | 287 | session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side |
311 | // Note: Never forget the trailing slash on the cookie path! | 288 | // Note: Never forget the trailing slash on the cookie path! |
312 | session_regenerate_id(true); // Send cookie with new expiration date to browser. | 289 | session_regenerate_id(true); // Send cookie with new expiration date to browser. |
@@ -676,7 +653,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history, $sessionManager, | |||
676 | if (isset($_SERVER['QUERY_STRING']) && startsWith($_SERVER['QUERY_STRING'], 'do=logout')) | 653 | if (isset($_SERVER['QUERY_STRING']) && startsWith($_SERVER['QUERY_STRING'], 'do=logout')) |
677 | { | 654 | { |
678 | invalidateCaches($conf->get('resource.page_cache')); | 655 | invalidateCaches($conf->get('resource.page_cache')); |
679 | logout(); | 656 | $sessionManager->logout(WEB_PATH); |
680 | header('Location: ?'); | 657 | header('Location: ?'); |
681 | exit; | 658 | exit; |
682 | } | 659 | } |
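Review bot: The rewritten stay-signed-in `setcookie()` call in the `if (!empty($_POST['longlastingsession']))` hunk still issues a one-year login token with neither the `httponly` nor the `secure` flag, so the token is exposed to page scripts and is sent over plain HTTP; since the commit already touches that line, pass the remaining arguments, `setcookie($sessionManager::$LOGGED_IN_COOKIE, STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH, '', $isHttps, true);`, where `$isHttps` (placeholder name) is derived from the request scheme the way the rest of the application detects it. In the `setup_login_state` hunk, login state is now written through `$sessionManager->storeLoginInfo($_SERVER)` while the expiry check a few lines below still reads `$_SESSION['ip']` and `$_SESSION['expires_on']` directly; that is only consistent if SessionManager's `$session` property is bound to `$_SESSION` by reference in its constructor, which this diff does not show, so it is worth confirming. The `if (isset($_POST['login']))` block and `renderPage()` both continue outside their hunks.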