authorVirtualTam <virtualtam@flibidi.net>2018-05-10 13:07:51 +0200
committerVirtualTam <virtualtam@flibidi.net>2018-06-02 16:46:06 +0200
commitebf615173824a46de82fa97a165bcfd883db15ce (patch)
tree26374298b3c7f2009ef939c5d5e3d787938581be /application/security
parentc689e108639a4f6aa9e15928422e14db7cbe30ca (diff)
SessionManager: remove unused UID token
There already are dedicated tokens for:
- CSRF protection
- user stay-signed-in feature, via cookie

This token was most likely intended as a randomly generated, server-side, secret key to be used when generating hashes.

See http://sebsauvage.net/wiki/doku.php?id=php:session [FR]

Relevant section:
Une clé secrète unique aléatoire est générée côté serveur (et jamais envoyée). Elle peut servir pour signer les formulaires (HMAC) ou générer des token de formulaires (protection contre XSRF). Voir $_SESSION['uid'].

Translation:
A unique, server-side secret key is randomly generated (and never transmitted). It can be used to sign forms (HMAC) or generate form tokens (protection against XSRF). See $_SESSION['uid'].

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'application/security')
-rw-r--r--application/security/SessionManager.php6
1 files changed, 0 insertions, 6 deletions
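--- a/application/security/SessionManager.php
+++ b/application/security/SessionManager.php
@@ -113,8 +113,6 @@ class SessionManager
  */
 public function storeLoginInfo($clientIpId)
 {
-// Generate unique random number (different than phpsessionid)
-$this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand());
 $this->session['ip'] = $clientIpId;
 $this->session['username'] = $this->conf->get('credentials.login');
 $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
@@ -154,7 +152,6 @@ class SessionManager
 public function logout()
 {
 if (isset($this->session)) {
-unset($this->session['uid']);
 unset($this->session['ip']);
 unset($this->session['expires_on']);
 unset($this->session['username']);
@@ -172,9 +169,6 @@ class SessionManager
  */
 public function hasSessionExpired()
 {
-if (empty($this->session['uid'])) {
-return true;
-}
 if (time() >= $this->session['expires_on']) {
 return true;
 }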
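Review bot: With the `uid` guard gone, `hasSessionExpired()` reads `$this->session['expires_on']` without checking that the key exists, so a session that never went through `storeLoginInfo()` or that `logout()` has already cleared (it unsets `expires_on` in the second hunk) now raises an undefined-index notice instead of returning early; the comparison against the resulting null still evaluates as expired, so the regression is the notice rather than an open session. The removed `uid` check covered that case only because both keys were set together in `storeLoginInfo()`. Suggest `if (!isset($this->session['expires_on']) || time() >= $this->session['expires_on']) {` so an absent expiry is explicitly treated as expired. `hasSessionExpired()` continues past the hunk, so a later branch may already handle this — worth confirming.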