authorVirtualTam <virtualtam@flibidi.net>2018-04-27 23:17:38 +0200
committerVirtualTam <virtualtam@flibidi.net>2018-06-02 16:46:06 +0200
commit51f0128cdba52099c40693379e72f094b42a6f80 (patch)
tree57f71dc7d38611aaf91e77703acfd7ffbd0ac7c1 /application
parentfab87c2696b9d6a26310f1bfc024b018ca5184fe (diff)
Refactor session and cookie timeout control
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'application')
-rw-r--r--application/security/LoginManager.php5
-rw-r--r--application/security/SessionManager.php48
2 files changed, 39 insertions, 14 deletions
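--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@@ -49,13 +49,12 @@ class LoginManager
      * Check user session state and validity (expiration)
      *
      * @param array $cookie The $_COOKIE array
-     * @param string $webPath Path on the server in which the cookie will be available on
      * @param string $clientIpId Client IP address identifier
      * @param string $token Session token
      *
      * @return bool true if the user session is valid, false otherwise
      */
-    public function checkLoginState($cookie, $webPath, $clientIpId, $token)
+    public function checkLoginState($cookie, $clientIpId, $token)
     {
         if (! $this->configManager->exists('credentials.login')) {
             // Shaarli is not configured yet
@@ -73,7 +72,7 @@ class LoginManager
         if ($this->sessionManager->hasSessionExpired()
             || $this->sessionManager->hasClientIpChanged($clientIpId)
         ) {
-            $this->sessionManager->logout($webPath);
+            $this->sessionManager->logout();
             $this->isLoggedIn = false;
             return;
         }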
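Review bot: The forced-logout path at new line 75 now calls `logout()` without a cookie path, and the matching SessionManager hunk drops the `setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath)` call without adding a replacement anywhere in this diff, so on session expiry or an IP change the browser keeps presenting the `shaarli_staySignedIn` cookie. If that cookie still feeds the login decision anywhere, a stale cookie survives a security-motivated logout; if expiring it moved to the caller outside this diff, a one-line comment on `logout()` saying so (`// Cookie expiry is handled by the caller`) would stop the next reader from re-adding it here. checkLoginState's body continues outside the hunk, so whether `$cookie` is still consulted after this logout cannot be seen from here.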
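--- a/application/security/SessionManager.php
+++ b/application/security/SessionManager.php
@@ -9,7 +9,10 @@ use Shaarli\Config\ConfigManager;
 class SessionManager
 {
     /** @var int Session expiration timeout, in seconds */
-    public static $INACTIVITY_TIMEOUT = 3600;
+    public static $SHORT_TIMEOUT = 3600; // 1 hour
+
+    /** @var int Session expiration timeout, in seconds */
+    public static $LONG_TIMEOUT = 31536000; // 1 year
 
     /** @var string Name of the cookie set after logging in **/
     public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn';
@@ -20,6 +23,9 @@ class SessionManager
     /** @var ConfigManager Configuration Manager instance **/
     protected $conf = null;
 
+    /** @var bool Whether the user should stay signed in (LONG_TIMEOUT) */
+    protected $staySignedIn = false;
+
     /**
      * Constructor
      *
@@ -33,6 +39,16 @@ class SessionManager
     }
 
     /**
+     * Define whether the user should stay signed in across browser sessions
+     *
+     * @param bool $staySignedIn Keep the user signed in
+     */
+    public function setStaySignedIn($staySignedIn)
+    {
+        $this->staySignedIn = $staySignedIn;
+    }
+
+    /**
      * Generates a session token
      *
      * @return string token
@@ -104,7 +120,7 @@ class SessionManager
         $this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand());
         $this->session['ip'] = $clientIpId;
         $this->session['username'] = $this->conf->get('credentials.login');
-        $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
+        $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
     }
 
     /**
@@ -112,12 +128,24 @@ class SessionManager
      */
     public function extendSession()
     {
-        if (! empty($this->session['longlastingsession'])) {
-            // "Stay signed in" is enabled
-            $this->session['expires_on'] = time() + $this->session['longlastingsession'];
-            return;
+        if ($this->staySignedIn) {
+            return $this->extendTimeValidityBy(self::$LONG_TIMEOUT);
         }
-        $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
+        return $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
+    }
+
+    /**
+     * Extend expiration time
+     *
+     * @param int $duration Expiration time extension (seconds)
+     *
+     * @return int New session expiration time
+     */
+    protected function extendTimeValidityBy($duration)
+    {
+        $expirationTime = time() + $duration;
+        $this->session['expires_on'] = $expirationTime;
+        return $expirationTime;
     }
 
     /**
@@ -125,19 +153,17 @@ class SessionManager
      *
      * See:
      * - https://secure.php.net/manual/en/function.setcookie.php
-     *
-     * @param string $webPath path on the server in which the cookie will be available on
      */
-    public function logout($webPath)
+    public function logout()
     {
         if (isset($this->session)) {
             unset($this->session['uid']);
             unset($this->session['ip']);
+            unset($this->session['expires_on']);
             unset($this->session['username']);
             unset($this->session['visibility']);
             unset($this->session['untaggedonly']);
         }
-        setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath);
     }
 
     /**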
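Review bot: `logout()` (new lines 157–167) clears the session keys but leaves the new `$staySignedIn` flag untouched, so an instance that had `setStaySignedIn(true)` called keeps extending by `$LONG_TIMEOUT` if `extendSession()` runs later in the same request; adding `$this->staySignedIn = false;` at the top of `logout()` keeps the flag's lifetime aligned with the session data it governs. The two timeout docblocks are now word-for-word identical, which hides the distinction the split was introduced for; `/** @var int Session expiration timeout for "stay signed in" sessions, in seconds */` on `$LONG_TIMEOUT` would restore it. `extendSession()` now returns the int from `extendTimeValidityBy()`, but its docblock starts outside the hunk and presumably still documents no return value, so `@return int New session expiration time` belongs there. `setStaySignedIn()` stores the raw argument while line 131 tests it for truthiness; `$this->staySignedIn = (bool) $staySignedIn;` would make that contract explicit.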