diff options
author | VirtualTam <virtualtam@flibidi.net> | 2018-05-10 13:07:51 +0200 |
---|---|---|
committer | VirtualTam <virtualtam@flibidi.net> | 2018-06-02 16:46:06 +0200 |
commit | ebf615173824a46de82fa97a165bcfd883db15ce (patch) | |
tree | 26374298b3c7f2009ef939c5d5e3d787938581be /application/security | |
parent | c689e108639a4f6aa9e15928422e14db7cbe30ca (diff) | |
download | Shaarli-ebf615173824a46de82fa97a165bcfd883db15ce.tar.gz Shaarli-ebf615173824a46de82fa97a165bcfd883db15ce.tar.zst Shaarli-ebf615173824a46de82fa97a165bcfd883db15ce.zip |
SessionManager: remove unused UID token
There already are dedicated tokens for:
- CSRF protection
- user stay-signed-in feature, via cookie
This token was most likely intended as a randomly generated,
server-side, secret key to be used when generating hashes.
See http://sebsauvage.net/wiki/doku.php?id=php:session [FR]
Relevant section:
Une clé secrète unique aléatoire est générée côté serveur (et jamais
envoyée). Elle peut servir pour signer les formulaires (HMAC) ou
générer des token de formulaires (protection contre XSRF).
Voir $_SESSION['uid'].
Translation:
A unique, server-side secret key is randomly generated (and never
transmitted). It can be used to sign forms (HMAC) or generate form
tokens (protection against XSRF).
See $_SESSION['uid']
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'application/security')
-rw-r--r-- | application/security/SessionManager.php | 6 |
1 files changed, 0 insertions, 6 deletions
diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php index 58973130..24e25528 100644 --- a/application/security/SessionManager.php +++ b/application/security/SessionManager.php | |||
@@ -113,8 +113,6 @@ class SessionManager | |||
113 | */ | 113 | */ |
114 | public function storeLoginInfo($clientIpId) | 114 | public function storeLoginInfo($clientIpId) |
115 | { | 115 | { |
116 | // Generate unique random number (different than phpsessionid) | ||
117 | $this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand()); | ||
118 | $this->session['ip'] = $clientIpId; | 116 | $this->session['ip'] = $clientIpId; |
119 | $this->session['username'] = $this->conf->get('credentials.login'); | 117 | $this->session['username'] = $this->conf->get('credentials.login'); |
120 | $this->extendTimeValidityBy(self::$SHORT_TIMEOUT); | 118 | $this->extendTimeValidityBy(self::$SHORT_TIMEOUT); |
@@ -154,7 +152,6 @@ class SessionManager | |||
154 | public function logout() | 152 | public function logout() |
155 | { | 153 | { |
156 | if (isset($this->session)) { | 154 | if (isset($this->session)) { |
157 | unset($this->session['uid']); | ||
158 | unset($this->session['ip']); | 155 | unset($this->session['ip']); |
159 | unset($this->session['expires_on']); | 156 | unset($this->session['expires_on']); |
160 | unset($this->session['username']); | 157 | unset($this->session['username']); |
@@ -172,9 +169,6 @@ class SessionManager | |||
172 | */ | 169 | */ |
173 | public function hasSessionExpired() | 170 | public function hasSessionExpired() |
174 | { | 171 | { |
175 | if (empty($this->session['uid'])) { | ||
176 | return true; | ||
177 | } | ||
178 | if (time() >= $this->session['expires_on']) { | 172 | if (time() >= $this->session['expires_on']) { |
179 | return true; | 173 | return true; |
180 | } | 174 | } |