diff options
| author | VirtualTam <virtualtam@flibidi.net> | 2018-05-10 13:07:51 +0200 |
|---|---|---|
| committer | VirtualTam <virtualtam@flibidi.net> | 2018-06-02 16:46:06 +0200 |
| commit | ebf615173824a46de82fa97a165bcfd883db15ce (patch) | |
| tree | 26374298b3c7f2009ef939c5d5e3d787938581be /application | |
| parent | c689e108639a4f6aa9e15928422e14db7cbe30ca (diff) | |
| download | Shaarli-ebf615173824a46de82fa97a165bcfd883db15ce.tar.gz Shaarli-ebf615173824a46de82fa97a165bcfd883db15ce.tar.zst Shaarli-ebf615173824a46de82fa97a165bcfd883db15ce.zip | |
SessionManager: remove unused UID token
There already are dedicated tokens for:
- CSRF protection
- user stay-signed-in feature, via cookie
This token was most likely intended as a randomly generated,
server-side, secret key to be used when generating hashes.
See http://sebsauvage.net/wiki/doku.php?id=php:session [FR]
Relevant section:
Une clé secrète unique aléatoire est générée côté serveur (et jamais
envoyée). Elle peut servir pour signer les formulaires (HMAC) ou
générer des token de formulaires (protection contre XSRF).
Voir $_SESSION['uid'].
Translation:
A unique, server-side secret key is randomly generated (and never
transmitted). It can be used to sign forms (HMAC) or generate form
tokens (protection against XSRF).
See $_SESSION['uid']
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'application')
| -rw-r--r-- | application/security/SessionManager.php | 6 |
1 files changed, 0 insertions, 6 deletions
diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php index 58973130..24e25528 100644 --- a/application/security/SessionManager.php +++ b/application/security/SessionManager.php | |||
| @@ -113,8 +113,6 @@ class SessionManager | |||
| 113 | */ | 113 | */ |
| 114 | public function storeLoginInfo($clientIpId) | 114 | public function storeLoginInfo($clientIpId) |
| 115 | { | 115 | { |
| 116 | // Generate unique random number (different than phpsessionid) | ||
| 117 | $this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand()); | ||
| 118 | $this->session['ip'] = $clientIpId; | 116 | $this->session['ip'] = $clientIpId; |
| 119 | $this->session['username'] = $this->conf->get('credentials.login'); | 117 | $this->session['username'] = $this->conf->get('credentials.login'); |
| 120 | $this->extendTimeValidityBy(self::$SHORT_TIMEOUT); | 118 | $this->extendTimeValidityBy(self::$SHORT_TIMEOUT); |
| @@ -154,7 +152,6 @@ class SessionManager | |||
| 154 | public function logout() | 152 | public function logout() |
| 155 | { | 153 | { |
| 156 | if (isset($this->session)) { | 154 | if (isset($this->session)) { |
| 157 | unset($this->session['uid']); | ||
| 158 | unset($this->session['ip']); | 155 | unset($this->session['ip']); |
| 159 | unset($this->session['expires_on']); | 156 | unset($this->session['expires_on']); |
| 160 | unset($this->session['username']); | 157 | unset($this->session['username']); |
| @@ -172,9 +169,6 @@ class SessionManager | |||
| 172 | */ | 169 | */ |
| 173 | public function hasSessionExpired() | 170 | public function hasSessionExpired() |
| 174 | { | 171 | { |
| 175 | if (empty($this->session['uid'])) { | ||
| 176 | return true; | ||
| 177 | } | ||
| 178 | if (time() >= $this->session['expires_on']) { | 172 | if (time() >= $this->session['expires_on']) { |
| 179 | return true; | 173 | return true; |
| 180 | } | 174 | } |