Move LoginManager and SessionManager to the Security namespace

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
author: VirtualTam <virtualtam@flibidi.net> 2018-04-27 22:12:22 +0200
committer: VirtualTam <virtualtam@flibidi.net> 2018-06-02 16:46:06 +0200
commit: fab87c2696b9d6a26310f1bfc024b018ca5184fe (patch)
tree: 383d361b4ae14b8105fdef339435c83ed3da60b6 /application/SessionManager.php
parent: 68dcaccfa46649addc66674b627a83064798bbc0 (diff)
download: Shaarli-fab87c2696b9d6a26310f1bfc024b018ca5184fe.tar.gz
Shaarli-fab87c2696b9d6a26310f1bfc024b018ca5184fe.tar.zst
Shaarli-fab87c2696b9d6a26310f1bfc024b018ca5184fe.zip
1 files changed, 0 insertions, 179 deletions
diff --git a/application/SessionManager.php b/application/SessionManager.php
deleted file mode 100644
index 63eeb8aa..00000000
--- a/application/SessionManager.php
+++ /dev/null
@@ -1,179 +0,0 @@
-<?php
-namespace Shaarli;
-use Shaarli\Config\ConfigManager;
-/**
- * Manages the server-side session
- */
-class SessionManager
-{
-    /** @var int Session expiration timeout, in seconds */
-    public static $INACTIVITY_TIMEOUT = 3600;
-    /** @var string Name of the cookie set after logging in **/
-    public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn';
-    /** @var array Local reference to the global $_SESSION array */
-    protected $session = [];
-    /** @var ConfigManager Configuration Manager instance **/
-    protected $conf = null;
-    /**
-     * Constructor
-     *
-     * @param array         $session The $_SESSION array (reference)
-     * @param ConfigManager $conf    ConfigManager instance
-     */
-    public function __construct(& $session, $conf)
-    {
-        $this->session = &$session;
-        $this->conf = $conf;
-    }
-    /**
-     * Generates a session token
-     *
-     * @return string token
-     */
-    public function generateToken()
-    {
-        $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
-        $this->session['tokens'][$token] = 1;
-        return $token;
-    }
-    /**
-     * Checks the validity of a session token, and destroys it afterwards
-     *
-     * @param string $token The token to check
-     *
-     * @return bool true if the token is valid, else false
-     */
-    public function checkToken($token)
-    {
-        if (! isset($this->session['tokens'][$token])) {
-            // the token is wrong, or has already been used
-            return false;
-        }
-        // destroy the token to prevent future use
-        unset($this->session['tokens'][$token]);
-        return true;
-    }
-    /**
-     * Validate session ID to prevent Full Path Disclosure.
-     *
-     * See #298.
-     * The session ID's format depends on the hash algorithm set in PHP settings
-     *
-     * @param string $sessionId Session ID
-     *
-     * @return true if valid, false otherwise.
-     *
-     * @see http://php.net/manual/en/function.hash-algos.php
-     * @see http://php.net/manual/en/session.configuration.php
-     */
-    public static function checkId($sessionId)
-    {
-        if (empty($sessionId)) {
-            return false;
-        }
-        if (!$sessionId) {
-            return false;
-        }
-        if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
-            return false;
-        }
-        return true;
-    }
-    /**
-     * Store user login information after a successful login
-     *
-     * @param string $clientIpId Client IP address identifier
-     */
-    public function storeLoginInfo($clientIpId)
-    {
-        // Generate unique random number (different than phpsessionid)
-        $this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand());
-        $this->session['ip'] = $clientIpId;
-        $this->session['username'] = $this->conf->get('credentials.login');
-        $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
-    }
-    /**
-     * Extend session validity
-     */
-    public function extendSession()
-    {
-        if (! empty($this->session['longlastingsession'])) {
-            // "Stay signed in" is enabled
-            $this->session['expires_on'] = time() + $this->session['longlastingsession'];
-            return;
-        }
-        $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
-    }
-    /**
-     * Logout a user by unsetting all login information
-     *
-     * See:
-     * - https://secure.php.net/manual/en/function.setcookie.php
-     *
-     * @param string $webPath path on the server in which the cookie will be available on
-     */
-    public function logout($webPath)
-    {
-        if (isset($this->session)) {
-            unset($this->session['uid']);
-            unset($this->session['ip']);
-            unset($this->session['username']);
-            unset($this->session['visibility']);
-            unset($this->session['untaggedonly']);
-        }
-        setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath);
-    }
-    /**
-     * Check whether the session has expired
-     *
-     * @param string $clientIpId Client IP address identifier
-     *
-     * @return bool true if the session has expired, false otherwise
-     */
-    public function hasSessionExpired()
-    {
-        if (empty($this->session['uid'])) {
-            return true;
-        }
-        if (time() >= $this->session['expires_on']) {
-            return true;
-        }
-        return false;
-    }
-    /**
-     * Check whether the client IP address has changed
-     *
-     * @param string $clientIpId Client IP address identifier
-     *
-     * @return bool true if the IP has changed, false if it has not, or
-     *              if session protection has been disabled
-     */
-    public function hasClientIpChanged($clientIpId)
-    {
-        if ($this->conf->get('security.session_protection_disabled') === true) {
-            return false;
-        }
-        if ($this->session['ip'] == $clientIpId) {
-            return false;
-        }
-        return true;
-    }
-}
author	VirtualTam <virtualtam@flibidi.net>	2018-04-27 22:12:22 +0200
committer	VirtualTam <virtualtam@flibidi.net>	2018-06-02 16:46:06 +0200
commit	fab87c2696b9d6a26310f1bfc024b018ca5184fe (patch)
tree	383d361b4ae14b8105fdef339435c83ed3da60b6 /application/SessionManager.php
parent	68dcaccfa46649addc66674b627a83064798bbc0 (diff)
download	Shaarli-fab87c2696b9d6a26310f1bfc024b018ca5184fe.tar.gz Shaarli-fab87c2696b9d6a26310f1bfc024b018ca5184fe.tar.zst Shaarli-fab87c2696b9d6a26310f1bfc024b018ca5184fe.zip

diff --git a/application/SessionManager.php b/application/SessionManager.php deleted file mode 100644 index 63eeb8aa..00000000 --- a/application/SessionManager.php +++ /dev/null
@@ -1,179 +0,0 @@
1	<?php
2	namespace Shaarli;
3
4	use Shaarli\Config\ConfigManager;
5
6	/**
7	* Manages the server-side session
8	*/
9	class SessionManager
10	{
11	/** @var int Session expiration timeout, in seconds */
12	public static $INACTIVITY_TIMEOUT = 3600;
13
14	/ @var string Name of the cookie set after logging in /
15	public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn';
16
17	/** @var array Local reference to the global $_SESSION array */
18	protected $session = [];
19
20	/ @var ConfigManager Configuration Manager instance /
21	protected $conf = null;
22
23	/**
24	* Constructor
25	*
26	* @param array $session The $_SESSION array (reference)
27	* @param ConfigManager $conf ConfigManager instance
28	*/
29	public function __construct(& $session, $conf)
30	{
31	$this->session = &$session;
32	$this->conf = $conf;
33	}
34
35	/**
36	* Generates a session token
37	*
38	* @return string token
39	*/
40	public function generateToken()
41	{
42	$token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
43	$this->session['tokens'][$token] = 1;
44	return $token;
45	}
46
47	/**
48	* Checks the validity of a session token, and destroys it afterwards
49	*
50	* @param string $token The token to check
51	*
52	* @return bool true if the token is valid, else false
53	*/
54	public function checkToken($token)
55	{
56	if (! isset($this->session['tokens'][$token])) {
57	// the token is wrong, or has already been used
58	return false;
59	}
60
61	// destroy the token to prevent future use
62	unset($this->session['tokens'][$token]);
63	return true;
64	}
65
66	/**
67	* Validate session ID to prevent Full Path Disclosure.
68	*
69	* See #298.
70	* The session ID's format depends on the hash algorithm set in PHP settings
71	*
72	* @param string $sessionId Session ID
73	*
74	* @return true if valid, false otherwise.
75	*
76	* @see http://php.net/manual/en/function.hash-algos.php
77	* @see http://php.net/manual/en/session.configuration.php
78	*/
79	public static function checkId($sessionId)
80	{
81	if (empty($sessionId)) {
82	return false;
83	}
84
85	if (!$sessionId) {
86	return false;
87	}
88
89	if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
90	return false;
91	}
92
93	return true;
94	}
95
96	/**
97	* Store user login information after a successful login
98	*
99	* @param string $clientIpId Client IP address identifier
100	*/
101	public function storeLoginInfo($clientIpId)
102	{
103	// Generate unique random number (different than phpsessionid)
104	$this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand());
105	$this->session['ip'] = $clientIpId;
106	$this->session['username'] = $this->conf->get('credentials.login');
107	$this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
108	}
109
110	/**
111	* Extend session validity
112	*/
113	public function extendSession()
114	{
115	if (! empty($this->session['longlastingsession'])) {
116	// "Stay signed in" is enabled
117	$this->session['expires_on'] = time() + $this->session['longlastingsession'];
118	return;
119	}
120	$this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
121	}
122
123	/**
124	* Logout a user by unsetting all login information
125	*
126	* See:
127	* - https://secure.php.net/manual/en/function.setcookie.php
128	*
129	* @param string $webPath path on the server in which the cookie will be available on
130	*/
131	public function logout($webPath)
132	{
133	if (isset($this->session)) {
134	unset($this->session['uid']);
135	unset($this->session['ip']);
136	unset($this->session['username']);
137	unset($this->session['visibility']);
138	unset($this->session['untaggedonly']);
139	}
140	setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath);
141	}
142
143	/**
144	* Check whether the session has expired
145	*
146	* @param string $clientIpId Client IP address identifier
147	*
148	* @return bool true if the session has expired, false otherwise
149	*/
150	public function hasSessionExpired()
151	{
152	if (empty($this->session['uid'])) {
153	return true;
154	}
155	if (time() >= $this->session['expires_on']) {
156	return true;
157	}
158	return false;
159	}
160
161	/**
162	* Check whether the client IP address has changed
163	*
164	* @param string $clientIpId Client IP address identifier
165	*
166	* @return bool true if the IP has changed, false if it has not, or
167	* if session protection has been disabled
168	*/
169	public function hasClientIpChanged($clientIpId)
170	{
171	if ($this->conf->get('security.session_protection_disabled') === true) {
172	return false;
173	}
174	if ($this->session['ip'] == $clientIpId) {
175	return false;
176	}
177	return true;
178	}
179	}