diff options
author | VirtualTam <virtualtam+github@flibidi.net> | 2017-10-25 22:49:22 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-10-25 22:49:22 +0200 |
commit | 88d38cb290aad669ad1406e2362d85c81e46d4f6 (patch) | |
tree | 9a0689e685ba42b44e507f2ae5e22595671b3bc4 /application | |
parent | 6bc7afab91c78b893da314220fe346a366aefb8f (diff) | |
parent | ae7c954b1279981cc23c9f67d88f55bfecc4d828 (diff) | |
download | Shaarli-88d38cb290aad669ad1406e2362d85c81e46d4f6.tar.gz Shaarli-88d38cb290aad669ad1406e2362d85c81e46d4f6.tar.zst Shaarli-88d38cb290aad669ad1406e2362d85c81e46d4f6.zip |
Merge pull request #1005 from virtualtam/refactor/authentication
Refactor session management utilities
Diffstat (limited to 'application')
-rw-r--r-- | application/PageBuilder.php | 6 | ||||
-rw-r--r-- | application/SessionManager.php | 83 | ||||
-rw-r--r-- | application/Utils.php | 30 |
3 files changed, 87 insertions, 32 deletions
diff --git a/application/PageBuilder.php b/application/PageBuilder.php index af290671..468f144b 100644 --- a/application/PageBuilder.php +++ b/application/PageBuilder.php | |||
@@ -32,12 +32,14 @@ class PageBuilder | |||
32 | * | 32 | * |
33 | * @param ConfigManager $conf Configuration Manager instance (reference). | 33 | * @param ConfigManager $conf Configuration Manager instance (reference). |
34 | * @param LinkDB $linkDB instance. | 34 | * @param LinkDB $linkDB instance. |
35 | * @param string $token Session token | ||
35 | */ | 36 | */ |
36 | public function __construct(&$conf, $linkDB = null) | 37 | public function __construct(&$conf, $linkDB = null, $token = null) |
37 | { | 38 | { |
38 | $this->tpl = false; | 39 | $this->tpl = false; |
39 | $this->conf = $conf; | 40 | $this->conf = $conf; |
40 | $this->linkDB = $linkDB; | 41 | $this->linkDB = $linkDB; |
42 | $this->token = $token; | ||
41 | } | 43 | } |
42 | 44 | ||
43 | /** | 45 | /** |
@@ -92,7 +94,7 @@ class PageBuilder | |||
92 | $this->tpl->assign('showatom', $this->conf->get('feed.show_atom', true)); | 94 | $this->tpl->assign('showatom', $this->conf->get('feed.show_atom', true)); |
93 | $this->tpl->assign('feed_type', $this->conf->get('feed.show_atom', true) !== false ? 'atom' : 'rss'); | 95 | $this->tpl->assign('feed_type', $this->conf->get('feed.show_atom', true) !== false ? 'atom' : 'rss'); |
94 | $this->tpl->assign('hide_timestamps', $this->conf->get('privacy.hide_timestamps', false)); | 96 | $this->tpl->assign('hide_timestamps', $this->conf->get('privacy.hide_timestamps', false)); |
95 | $this->tpl->assign('token', getToken($this->conf)); | 97 | $this->tpl->assign('token', $this->token); |
96 | 98 | ||
97 | if ($this->linkDB !== null) { | 99 | if ($this->linkDB !== null) { |
98 | $this->tpl->assign('tags', $this->linkDB->linksCountPerTag()); | 100 | $this->tpl->assign('tags', $this->linkDB->linksCountPerTag()); |
diff --git a/application/SessionManager.php b/application/SessionManager.php new file mode 100644 index 00000000..3aa4ddfc --- /dev/null +++ b/application/SessionManager.php | |||
@@ -0,0 +1,83 @@ | |||
1 | <?php | ||
2 | namespace Shaarli; | ||
3 | |||
4 | /** | ||
5 | * Manages the server-side session | ||
6 | */ | ||
7 | class SessionManager | ||
8 | { | ||
9 | protected $session = []; | ||
10 | |||
11 | /** | ||
12 | * Constructor | ||
13 | * | ||
14 | * @param array $session The $_SESSION array (reference) | ||
15 | * @param ConfigManager $conf ConfigManager instance (reference) | ||
16 | */ | ||
17 | public function __construct(& $session, & $conf) | ||
18 | { | ||
19 | $this->session = &$session; | ||
20 | $this->conf = &$conf; | ||
21 | } | ||
22 | |||
23 | /** | ||
24 | * Generates a session token | ||
25 | * | ||
26 | * @return string token | ||
27 | */ | ||
28 | public function generateToken() | ||
29 | { | ||
30 | $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt')); | ||
31 | $this->session['tokens'][$token] = 1; | ||
32 | return $token; | ||
33 | } | ||
34 | |||
35 | /** | ||
36 | * Checks the validity of a session token, and destroys it afterwards | ||
37 | * | ||
38 | * @param string $token The token to check | ||
39 | * | ||
40 | * @return bool true if the token is valid, else false | ||
41 | */ | ||
42 | public function checkToken($token) | ||
43 | { | ||
44 | if (! isset($this->session['tokens'][$token])) { | ||
45 | // the token is wrong, or has already been used | ||
46 | return false; | ||
47 | } | ||
48 | |||
49 | // destroy the token to prevent future use | ||
50 | unset($this->session['tokens'][$token]); | ||
51 | return true; | ||
52 | } | ||
53 | |||
54 | /** | ||
55 | * Validate session ID to prevent Full Path Disclosure. | ||
56 | * | ||
57 | * See #298. | ||
58 | * The session ID's format depends on the hash algorithm set in PHP settings | ||
59 | * | ||
60 | * @param string $sessionId Session ID | ||
61 | * | ||
62 | * @return true if valid, false otherwise. | ||
63 | * | ||
64 | * @see http://php.net/manual/en/function.hash-algos.php | ||
65 | * @see http://php.net/manual/en/session.configuration.php | ||
66 | */ | ||
67 | public static function checkId($sessionId) | ||
68 | { | ||
69 | if (empty($sessionId)) { | ||
70 | return false; | ||
71 | } | ||
72 | |||
73 | if (!$sessionId) { | ||
74 | return false; | ||
75 | } | ||
76 | |||
77 | if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) { | ||
78 | return false; | ||
79 | } | ||
80 | |||
81 | return true; | ||
82 | } | ||
83 | } | ||
diff --git a/application/Utils.php b/application/Utils.php index 2f38a8de..97b12fcf 100644 --- a/application/Utils.php +++ b/application/Utils.php | |||
@@ -182,36 +182,6 @@ function generateLocation($referer, $host, $loopTerms = array()) | |||
182 | } | 182 | } |
183 | 183 | ||
184 | /** | 184 | /** |
185 | * Validate session ID to prevent Full Path Disclosure. | ||
186 | * | ||
187 | * See #298. | ||
188 | * The session ID's format depends on the hash algorithm set in PHP settings | ||
189 | * | ||
190 | * @param string $sessionId Session ID | ||
191 | * | ||
192 | * @return true if valid, false otherwise. | ||
193 | * | ||
194 | * @see http://php.net/manual/en/function.hash-algos.php | ||
195 | * @see http://php.net/manual/en/session.configuration.php | ||
196 | */ | ||
197 | function is_session_id_valid($sessionId) | ||
198 | { | ||
199 | if (empty($sessionId)) { | ||
200 | return false; | ||
201 | } | ||
202 | |||
203 | if (!$sessionId) { | ||
204 | return false; | ||
205 | } | ||
206 | |||
207 | if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) { | ||
208 | return false; | ||
209 | } | ||
210 | |||
211 | return true; | ||
212 | } | ||
213 | |||
214 | /** | ||
215 | * Sniff browser language to set the locale automatically. | 185 | * Sniff browser language to set the locale automatically. |
216 | * Note that is may not work on your server if the corresponding locale is not installed. | 186 | * Note that is may not work on your server if the corresponding locale is not installed. |
217 | * | 187 | * |