Merge tag 'v0.10.4' into stable

Release v0.10.4
author: ArthurHoaro <arthur@hoa.ro> 2019-07-27 12:34:30 +0200
committer: ArthurHoaro <arthur@hoa.ro> 2019-07-27 12:34:30 +0200
commit: 38672ba0d1c722e5d6d33a58255ceb55e9410e46 (patch)
tree: dae4c7c47532380eac3ae641db99122fc77c93dc /application/security
parent: 83faedadff76c5bdca036f39f13943f63b27e164 (diff)
parent: 1e77e0448bbd25675d8c0fe4a73206ad9048904b (diff)
download: Shaarli-38672ba0d1c722e5d6d33a58255ceb55e9410e46.tar.gz
Shaarli-38672ba0d1c722e5d6d33a58255ceb55e9410e46.tar.zst
Shaarli-38672ba0d1c722e5d6d33a58255ceb55e9410e46.zip
2 files changed, 463 insertions, 0 deletions
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
new file mode 100644
index 00000000..0f315483
--- /dev/null
+++ b/application/security/LoginManager.php
@@ -0,0 +1,264 @@
+<?php
+namespace Shaarli\Security;
+use Shaarli\Config\ConfigManager;
+/**
+ * User login management
+ */
+class LoginManager
+{
+    /** @var string Name of the cookie set after logging in **/
+    public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn';
+    /** @var array A reference to the $_GLOBALS array */
+    protected $globals = [];
+    /** @var ConfigManager Configuration Manager instance **/
+    protected $configManager = null;
+    /** @var SessionManager Session Manager instance **/
+    protected $sessionManager = null;
+    /** @var string Path to the file containing IP bans */
+    protected $banFile = '';
+    /** @var bool Whether the user is logged in **/
+    protected $isLoggedIn = false;
+    /** @var bool Whether the Shaarli instance is open to public edition **/
+    protected $openShaarli = false;
+    /** @var string User sign-in token depending on remote IP and credentials */
+    protected $staySignedInToken = '';
+    /**
+     * Constructor
+     *
+     * @param array          $globals        The $GLOBALS array (reference)
+     * @param ConfigManager  $configManager  Configuration Manager instance
+     * @param SessionManager $sessionManager SessionManager instance
+     */
+    public function __construct(& $globals, $configManager, $sessionManager)
+    {
+        $this->globals = &$globals;
+        $this->configManager = $configManager;
+        $this->sessionManager = $sessionManager;
+        $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
+        $this->readBanFile();
+        if ($this->configManager->get('security.open_shaarli') === true) {
+            $this->openShaarli = true;
+        }
+    }
+    /**
+     * Generate a token depending on deployment salt, user password and client IP
+     *
+     * @param string $clientIpAddress The remote client IP address
+     */
+    public function generateStaySignedInToken($clientIpAddress)
+    {
+        $this->staySignedInToken = sha1(
+            $this->configManager->get('credentials.hash')
+            . $clientIpAddress
+            . $this->configManager->get('credentials.salt')
+        );
+    }
+    /**
+     * Return the user's client stay-signed-in token
+     *
+     * @return string User's client stay-signed-in token
+     */
+    public function getStaySignedInToken()
+    {
+        return $this->staySignedInToken;
+    }
+    /**
+     * Check user session state and validity (expiration)
+     *
+     * @param array  $cookie     The $_COOKIE array
+     * @param string $clientIpId Client IP address identifier
+     */
+    public function checkLoginState($cookie, $clientIpId)
+    {
+        if (! $this->configManager->exists('credentials.login')) {
+            // Shaarli is not configured yet
+            $this->isLoggedIn = false;
+            return;
+        }
+        if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE])
+            && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken
+        ) {
+            // The user client has a valid stay-signed-in cookie
+            // Session information is updated with the current client information
+            $this->sessionManager->storeLoginInfo($clientIpId);
+        } elseif ($this->sessionManager->hasSessionExpired()
+            || $this->sessionManager->hasClientIpChanged($clientIpId)
+        ) {
+            $this->sessionManager->logout();
+            $this->isLoggedIn = false;
+            return;
+        }
+        $this->isLoggedIn = true;
+        $this->sessionManager->extendSession();
+    }
+    /**
+     * Return whether the user is currently logged in
+     *
+     * @return true when the user is logged in, false otherwise
+     */
+    public function isLoggedIn()
+    {
+        if ($this->openShaarli) {
+            return true;
+        }
+        return $this->isLoggedIn;
+    }
+    /**
+     * Check user credentials are valid
+     *
+     * @param string $remoteIp   Remote client IP address
+     * @param string $clientIpId Client IP address identifier
+     * @param string $login      Username
+     * @param string $password   Password
+     *
+     * @return bool true if the provided credentials are valid, false otherwise
+     */
+    public function checkCredentials($remoteIp, $clientIpId, $login, $password)
+    {
+        $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+        if ($login != $this->configManager->get('credentials.login')
+            || $hash != $this->configManager->get('credentials.hash')
+        ) {
+            logm(
+                $this->configManager->get('resource.log'),
+                $remoteIp,
+                'Login failed for user ' . $login
+            );
+            return false;
+        }
+        $this->sessionManager->storeLoginInfo($clientIpId);
+        logm(
+            $this->configManager->get('resource.log'),
+            $remoteIp,
+            'Login successful'
+        );
+        return true;
+    }
+    /**
+     * Read a file containing banned IPs
+     */
+    protected function readBanFile()
+    {
+        if (! file_exists($this->banFile)) {
+            return;
+        }
+        include $this->banFile;
+    }
+    /**
+     * Write the banned IPs to a file
+     */
+    protected function writeBanFile()
+    {
+        if (! array_key_exists('IPBANS', $this->globals)) {
+            return;
+        }
+        file_put_contents(
+            $this->banFile,
+            "<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
+        );
+    }
+    /**
+     * Handle a failed login and ban the IP after too many failed attempts
+     *
+     * @param array $server The $_SERVER array
+     */
+    public function handleFailedLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        $trusted = $this->configManager->get('security.trusted_proxies', []);
+        if (in_array($ip, $trusted)) {
+            $ip = getIpAddressFromProxy($server, $trusted);
+            if (! $ip) {
+                // the IP is behind a trusted forward proxy, but is not forwarded
+                // in the HTTP headers, so we do nothing
+                return;
+            }
+        }
+        // increment the fail count for this IP
+        if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
+            $this->globals['IPBANS']['FAILURES'][$ip]++;
+        } else {
+            $this->globals['IPBANS']['FAILURES'][$ip] = 1;
+        }
+        if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
+            $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
+            logm(
+                $this->configManager->get('resource.log'),
+                $server['REMOTE_ADDR'],
+                'IP address banned from login'
+            );
+        }
+        $this->writeBanFile();
+    }
+    /**
+     * Handle a successful login
+     *
+     * @param array $server The $_SERVER array
+     */
+    public function handleSuccessfulLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        // FIXME unban when behind a trusted proxy?
+        unset($this->globals['IPBANS']['FAILURES'][$ip]);
+        unset($this->globals['IPBANS']['BANS'][$ip]);
+        $this->writeBanFile();
+    }
+    /**
+     * Check if the user can login from this IP
+     *
+     * @param array $server The $_SERVER array
+     *
+     * @return bool true if the user is allowed to login
+     */
+    public function canLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
+            // the user is not banned
+            return true;
+        }
+        if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
+            // the user is still banned
+            return false;
+        }
+        // the ban has expired, the user can attempt to log in again
+        logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
+        unset($this->globals['IPBANS']['FAILURES'][$ip]);
+        unset($this->globals['IPBANS']['BANS'][$ip]);
+        $this->writeBanFile();
+        return true;
+    }
+}
diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php
new file mode 100644
index 00000000..b8b8ab8d
--- /dev/null
+++ b/application/security/SessionManager.php
@@ -0,0 +1,199 @@
+<?php
+namespace Shaarli\Security;
+use Shaarli\Config\ConfigManager;
+/**
+ * Manages the server-side session
+ */
+class SessionManager
+{
+    /** @var int Session expiration timeout, in seconds */
+    public static $SHORT_TIMEOUT = 3600;    // 1 hour
+    /** @var int Session expiration timeout, in seconds */
+    public static $LONG_TIMEOUT = 31536000; // 1 year
+    /** @var array Local reference to the global $_SESSION array */
+    protected $session = [];
+    /** @var ConfigManager Configuration Manager instance **/
+    protected $conf = null;
+    /** @var bool Whether the user should stay signed in (LONG_TIMEOUT) */
+    protected $staySignedIn = false;
+    /**
+     * Constructor
+     *
+     * @param array         $session The $_SESSION array (reference)
+     * @param ConfigManager $conf    ConfigManager instance
+     */
+    public function __construct(& $session, $conf)
+    {
+        $this->session = &$session;
+        $this->conf = $conf;
+    }
+    /**
+     * Define whether the user should stay signed in across browser sessions
+     *
+     * @param bool $staySignedIn Keep the user signed in
+     */
+    public function setStaySignedIn($staySignedIn)
+    {
+        $this->staySignedIn = $staySignedIn;
+    }
+    /**
+     * Generates a session token
+     *
+     * @return string token
+     */
+    public function generateToken()
+    {
+        $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
+        $this->session['tokens'][$token] = 1;
+        return $token;
+    }
+    /**
+     * Checks the validity of a session token, and destroys it afterwards
+     *
+     * @param string $token The token to check
+     *
+     * @return bool true if the token is valid, else false
+     */
+    public function checkToken($token)
+    {
+        if (! isset($this->session['tokens'][$token])) {
+            // the token is wrong, or has already been used
+            return false;
+        }
+        // destroy the token to prevent future use
+        unset($this->session['tokens'][$token]);
+        return true;
+    }
+    /**
+     * Validate session ID to prevent Full Path Disclosure.
+     *
+     * See #298.
+     * The session ID's format depends on the hash algorithm set in PHP settings
+     *
+     * @param string $sessionId Session ID
+     *
+     * @return true if valid, false otherwise.
+     *
+     * @see http://php.net/manual/en/function.hash-algos.php
+     * @see http://php.net/manual/en/session.configuration.php
+     */
+    public static function checkId($sessionId)
+    {
+        if (empty($sessionId)) {
+            return false;
+        }
+        if (!$sessionId) {
+            return false;
+        }
+        if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
+            return false;
+        }
+        return true;
+    }
+    /**
+     * Store user login information after a successful login
+     *
+     * @param string $clientIpId Client IP address identifier
+     */
+    public function storeLoginInfo($clientIpId)
+    {
+        $this->session['ip'] = $clientIpId;
+        $this->session['username'] = $this->conf->get('credentials.login');
+        $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
+    }
+    /**
+     * Extend session validity
+     */
+    public function extendSession()
+    {
+        if ($this->staySignedIn) {
+            return $this->extendTimeValidityBy(self::$LONG_TIMEOUT);
+        }
+        return $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
+    }
+    /**
+     * Extend expiration time
+     *
+     * @param int $duration Expiration time extension (seconds)
+     *
+     * @return int New session expiration time
+     */
+    protected function extendTimeValidityBy($duration)
+    {
+        $expirationTime = time() + $duration;
+        $this->session['expires_on'] = $expirationTime;
+        return $expirationTime;
+    }
+    /**
+     * Logout a user by unsetting all login information
+     *
+     * See:
+     * - https://secure.php.net/manual/en/function.setcookie.php
+     */
+    public function logout()
+    {
+        if (isset($this->session)) {
+            unset($this->session['ip']);
+            unset($this->session['expires_on']);
+            unset($this->session['username']);
+            unset($this->session['visibility']);
+            unset($this->session['untaggedonly']);
+        }
+    }
+    /**
+     * Check whether the session has expired
+     *
+     * @param string $clientIpId Client IP address identifier
+     *
+     * @return bool true if the session has expired, false otherwise
+     */
+    public function hasSessionExpired()
+    {
+        if (empty($this->session['expires_on'])) {
+            return true;
+        }
+        if (time() >= $this->session['expires_on']) {
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Check whether the client IP address has changed
+     *
+     * @param string $clientIpId Client IP address identifier
+     *
+     * @return bool true if the IP has changed, false if it has not, or
+     *              if session protection has been disabled
+     */
+    public function hasClientIpChanged($clientIpId)
+    {
+        if ($this->conf->get('security.session_protection_disabled') === true) {
+            return false;
+        }
+        if (isset($this->session['ip']) && $this->session['ip'] === $clientIpId) {
+            return false;
+        }
+        return true;
+    }
+}
author	ArthurHoaro <arthur@hoa.ro>	2019-07-27 12:34:30 +0200
committer	ArthurHoaro <arthur@hoa.ro>	2019-07-27 12:34:30 +0200
commit	38672ba0d1c722e5d6d33a58255ceb55e9410e46 (patch)
tree	dae4c7c47532380eac3ae641db99122fc77c93dc /application/security
parent	83faedadff76c5bdca036f39f13943f63b27e164 (diff)
parent	1e77e0448bbd25675d8c0fe4a73206ad9048904b (diff)
download	Shaarli-38672ba0d1c722e5d6d33a58255ceb55e9410e46.tar.gz Shaarli-38672ba0d1c722e5d6d33a58255ceb55e9410e46.tar.zst Shaarli-38672ba0d1c722e5d6d33a58255ceb55e9410e46.zip

diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php new file mode 100644 index 00000000..0f315483 --- /dev/null +++ b/application/security/LoginManager.php
@@ -0,0 +1,264 @@
	1	<?php
	2	namespace Shaarli\Security;
	3
	4	use Shaarli\Config\ConfigManager;
	5
	6	/**
	7	* User login management
	8	*/
	9	class LoginManager
	10	{
	11	/ @var string Name of the cookie set after logging in /
	12	public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn';
	13
	14	/** @var array A reference to the $_GLOBALS array */
	15	protected $globals = [];
	16
	17	/ @var ConfigManager Configuration Manager instance /
	18	protected $configManager = null;
	19
	20	/ @var SessionManager Session Manager instance /
	21	protected $sessionManager = null;
	22
	23	/** @var string Path to the file containing IP bans */
	24	protected $banFile = '';
	25
	26	/ @var bool Whether the user is logged in /
	27	protected $isLoggedIn = false;
	28
	29	/ @var bool Whether the Shaarli instance is open to public edition /
	30	protected $openShaarli = false;
	31
	32	/** @var string User sign-in token depending on remote IP and credentials */
	33	protected $staySignedInToken = '';
	34
	35	/**
	36	* Constructor
	37	*
	38	* @param array $globals The $GLOBALS array (reference)
	39	* @param ConfigManager $configManager Configuration Manager instance
	40	* @param SessionManager $sessionManager SessionManager instance
	41	*/
	42	public function __construct(& $globals, $configManager, $sessionManager)
	43	{
	44	$this->globals = &$globals;
	45	$this->configManager = $configManager;
	46	$this->sessionManager = $sessionManager;
	47	$this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
	48	$this->readBanFile();
	49	if ($this->configManager->get('security.open_shaarli') === true) {
	50	$this->openShaarli = true;
	51	}
	52	}
	53
	54	/**
	55	* Generate a token depending on deployment salt, user password and client IP
	56	*
	57	* @param string $clientIpAddress The remote client IP address
	58	*/
	59	public function generateStaySignedInToken($clientIpAddress)
	60	{
	61	$this->staySignedInToken = sha1(
	62	$this->configManager->get('credentials.hash')
	63	. $clientIpAddress
	64	. $this->configManager->get('credentials.salt')
	65	);
	66	}
	67
	68	/**
	69	* Return the user's client stay-signed-in token
	70	*
	71	* @return string User's client stay-signed-in token
	72	*/
	73	public function getStaySignedInToken()
	74	{
	75	return $this->staySignedInToken;
	76	}
	77
	78	/**
	79	* Check user session state and validity (expiration)
	80	*
	81	* @param array $cookie The $_COOKIE array
	82	* @param string $clientIpId Client IP address identifier
	83	*/
	84	public function checkLoginState($cookie, $clientIpId)
	85	{
	86	if (! $this->configManager->exists('credentials.login')) {
	87	// Shaarli is not configured yet
	88	$this->isLoggedIn = false;
	89	return;
	90	}
	91
	92	if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE])
	93	&& $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken
	94	) {
	95	// The user client has a valid stay-signed-in cookie
	96	// Session information is updated with the current client information
	97	$this->sessionManager->storeLoginInfo($clientIpId);
	98	} elseif ($this->sessionManager->hasSessionExpired()
	99	\|\| $this->sessionManager->hasClientIpChanged($clientIpId)
	100	) {
	101	$this->sessionManager->logout();
	102	$this->isLoggedIn = false;
	103	return;
	104	}
	105
	106	$this->isLoggedIn = true;
	107	$this->sessionManager->extendSession();
	108	}
	109
	110	/**
	111	* Return whether the user is currently logged in
	112	*
	113	* @return true when the user is logged in, false otherwise
	114	*/
	115	public function isLoggedIn()
	116	{
	117	if ($this->openShaarli) {
	118	return true;
	119	}
	120	return $this->isLoggedIn;
	121	}
	122
	123	/**
	124	* Check user credentials are valid
	125	*
	126	* @param string $remoteIp Remote client IP address
	127	* @param string $clientIpId Client IP address identifier
	128	* @param string $login Username
	129	* @param string $password Password
	130	*
	131	* @return bool true if the provided credentials are valid, false otherwise
	132	*/
	133	public function checkCredentials($remoteIp, $clientIpId, $login, $password)
	134	{
	135	$hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
	136
	137	if ($login != $this->configManager->get('credentials.login')
	138	\|\| $hash != $this->configManager->get('credentials.hash')
	139	) {
	140	logm(
	141	$this->configManager->get('resource.log'),
	142	$remoteIp,
	143	'Login failed for user ' . $login
	144	);
	145	return false;
	146	}
	147
	148	$this->sessionManager->storeLoginInfo($clientIpId);
	149	logm(
	150	$this->configManager->get('resource.log'),
	151	$remoteIp,
	152	'Login successful'
	153	);
	154	return true;
	155	}
	156
	157	/**
	158	* Read a file containing banned IPs
	159	*/
	160	protected function readBanFile()
	161	{
	162	if (! file_exists($this->banFile)) {
	163	return;
	164	}
	165	include $this->banFile;
	166	}
	167
	168	/**
	169	* Write the banned IPs to a file
	170	*/
	171	protected function writeBanFile()
	172	{
	173	if (! array_key_exists('IPBANS', $this->globals)) {
	174	return;
	175	}
	176	file_put_contents(
	177	$this->banFile,
	178	"<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
	179	);
	180	}
	181
	182	/**
	183	* Handle a failed login and ban the IP after too many failed attempts
	184	*
	185	* @param array $server The $_SERVER array
	186	*/
	187	public function handleFailedLogin($server)
	188	{
	189	$ip = $server['REMOTE_ADDR'];
	190	$trusted = $this->configManager->get('security.trusted_proxies', []);
	191
	192	if (in_array($ip, $trusted)) {
	193	$ip = getIpAddressFromProxy($server, $trusted);
	194	if (! $ip) {
	195	// the IP is behind a trusted forward proxy, but is not forwarded
	196	// in the HTTP headers, so we do nothing
	197	return;
	198	}
	199	}
	200
	201	// increment the fail count for this IP
	202	if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
	203	$this->globals['IPBANS']['FAILURES'][$ip]++;
	204	} else {
	205	$this->globals['IPBANS']['FAILURES'][$ip] = 1;
	206	}
	207
	208	if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
	209	$this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
	210	logm(
	211	$this->configManager->get('resource.log'),
	212	$server['REMOTE_ADDR'],
	213	'IP address banned from login'
	214	);
	215	}
	216	$this->writeBanFile();
	217	}
	218
	219	/**
	220	* Handle a successful login
	221	*
	222	* @param array $server The $_SERVER array
	223	*/
	224	public function handleSuccessfulLogin($server)
	225	{
	226	$ip = $server['REMOTE_ADDR'];
	227	// FIXME unban when behind a trusted proxy?
	228
	229	unset($this->globals['IPBANS']['FAILURES'][$ip]);
	230	unset($this->globals['IPBANS']['BANS'][$ip]);
	231
	232	$this->writeBanFile();
	233	}
	234
	235	/**
	236	* Check if the user can login from this IP
	237	*
	238	* @param array $server The $_SERVER array
	239	*
	240	* @return bool true if the user is allowed to login
	241	*/
	242	public function canLogin($server)
	243	{
	244	$ip = $server['REMOTE_ADDR'];
	245
	246	if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
	247	// the user is not banned
	248	return true;
	249	}
	250
	251	if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
	252	// the user is still banned
	253	return false;
	254	}
	255
	256	// the ban has expired, the user can attempt to log in again
	257	logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
	258	unset($this->globals['IPBANS']['FAILURES'][$ip]);
	259	unset($this->globals['IPBANS']['BANS'][$ip]);
	260
	261	$this->writeBanFile();
	262	return true;
	263	}
	264	}


diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php new file mode 100644 index 00000000..b8b8ab8d --- /dev/null +++ b/application/security/SessionManager.php
@@ -0,0 +1,199 @@
	1	<?php
	2	namespace Shaarli\Security;
	3
	4	use Shaarli\Config\ConfigManager;
	5
	6	/**
	7	* Manages the server-side session
	8	*/
	9	class SessionManager
	10	{
	11	/** @var int Session expiration timeout, in seconds */
	12	public static $SHORT_TIMEOUT = 3600; // 1 hour
	13
	14	/** @var int Session expiration timeout, in seconds */
	15	public static $LONG_TIMEOUT = 31536000; // 1 year
	16
	17	/** @var array Local reference to the global $_SESSION array */
	18	protected $session = [];
	19
	20	/ @var ConfigManager Configuration Manager instance /
	21	protected $conf = null;
	22
	23	/** @var bool Whether the user should stay signed in (LONG_TIMEOUT) */
	24	protected $staySignedIn = false;
	25
	26	/**
	27	* Constructor
	28	*
	29	* @param array $session The $_SESSION array (reference)
	30	* @param ConfigManager $conf ConfigManager instance
	31	*/
	32	public function __construct(& $session, $conf)
	33	{
	34	$this->session = &$session;
	35	$this->conf = $conf;
	36	}
	37
	38	/**
	39	* Define whether the user should stay signed in across browser sessions
	40	*
	41	* @param bool $staySignedIn Keep the user signed in
	42	*/
	43	public function setStaySignedIn($staySignedIn)
	44	{
	45	$this->staySignedIn = $staySignedIn;
	46	}
	47
	48	/**
	49	* Generates a session token
	50	*
	51	* @return string token
	52	*/
	53	public function generateToken()
	54	{
	55	$token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
	56	$this->session['tokens'][$token] = 1;
	57	return $token;
	58	}
	59
	60	/**
	61	* Checks the validity of a session token, and destroys it afterwards
	62	*
	63	* @param string $token The token to check
	64	*
	65	* @return bool true if the token is valid, else false
	66	*/
	67	public function checkToken($token)
	68	{
	69	if (! isset($this->session['tokens'][$token])) {
	70	// the token is wrong, or has already been used
	71	return false;
	72	}
	73
	74	// destroy the token to prevent future use
	75	unset($this->session['tokens'][$token]);
	76	return true;
	77	}
	78
	79	/**
	80	* Validate session ID to prevent Full Path Disclosure.
	81	*
	82	* See #298.
	83	* The session ID's format depends on the hash algorithm set in PHP settings
	84	*
	85	* @param string $sessionId Session ID
	86	*
	87	* @return true if valid, false otherwise.
	88	*
	89	* @see http://php.net/manual/en/function.hash-algos.php
	90	* @see http://php.net/manual/en/session.configuration.php
	91	*/
	92	public static function checkId($sessionId)
	93	{
	94	if (empty($sessionId)) {
	95	return false;
	96	}
	97
	98	if (!$sessionId) {
	99	return false;
	100	}
	101
	102	if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
	103	return false;
	104	}
	105
	106	return true;
	107	}
	108
	109	/**
	110	* Store user login information after a successful login
	111	*
	112	* @param string $clientIpId Client IP address identifier
	113	*/
	114	public function storeLoginInfo($clientIpId)
	115	{
	116	$this->session['ip'] = $clientIpId;
	117	$this->session['username'] = $this->conf->get('credentials.login');
	118	$this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
	119	}
	120
	121	/**
	122	* Extend session validity
	123	*/
	124	public function extendSession()
	125	{
	126	if ($this->staySignedIn) {
	127	return $this->extendTimeValidityBy(self::$LONG_TIMEOUT);
	128	}
	129	return $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
	130	}
	131
	132	/**
	133	* Extend expiration time
	134	*
	135	* @param int $duration Expiration time extension (seconds)
	136	*
	137	* @return int New session expiration time
	138	*/
	139	protected function extendTimeValidityBy($duration)
	140	{
	141	$expirationTime = time() + $duration;
	142	$this->session['expires_on'] = $expirationTime;
	143	return $expirationTime;
	144	}
	145
	146	/**
	147	* Logout a user by unsetting all login information
	148	*
	149	* See:
	150	* - https://secure.php.net/manual/en/function.setcookie.php
	151	*/
	152	public function logout()
	153	{
	154	if (isset($this->session)) {
	155	unset($this->session['ip']);
	156	unset($this->session['expires_on']);
	157	unset($this->session['username']);
	158	unset($this->session['visibility']);
	159	unset($this->session['untaggedonly']);
	160	}
	161	}
	162
	163	/**
	164	* Check whether the session has expired
	165	*
	166	* @param string $clientIpId Client IP address identifier
	167	*
	168	* @return bool true if the session has expired, false otherwise
	169	*/
	170	public function hasSessionExpired()
	171	{
	172	if (empty($this->session['expires_on'])) {
	173	return true;
	174	}
	175	if (time() >= $this->session['expires_on']) {
	176	return true;
	177	}
	178	return false;
	179	}
	180
	181	/**
	182	* Check whether the client IP address has changed
	183	*
	184	* @param string $clientIpId Client IP address identifier
	185	*
	186	* @return bool true if the IP has changed, false if it has not, or
	187	* if session protection has been disabled
	188	*/
	189	public function hasClientIpChanged($clientIpId)
	190	{
	191	if ($this->conf->get('security.session_protection_disabled') === true) {
	192	return false;
	193	}
	194	if (isset($this->session['ip']) && $this->session['ip'] === $clientIpId) {
	195	return false;
	196	}
	197	return true;
	198	}
	199	}