diff options
| author | VirtualTam <virtualtam@flibidi.net> | 2018-02-17 01:14:58 +0100 |
|---|---|---|
| committer | VirtualTam <virtualtam@flibidi.net> | 2018-05-29 22:53:54 +0200 |
| commit | 49f183231662c642ca9df6ceabf43fe128a5ffc1 (patch) | |
| tree | 37367944aef0f998b12e307a2510cb2c06d3aa0f /index.php | |
| parent | db45a36a53dbd722e5e891827e49d9e7651f2a5e (diff) | |
| download | Shaarli-49f183231662c642ca9df6ceabf43fe128a5ffc1.tar.gz Shaarli-49f183231662c642ca9df6ceabf43fe128a5ffc1.tar.zst Shaarli-49f183231662c642ca9df6ceabf43fe128a5ffc1.zip | |
Refactor PHP session handling during login/logout
Changed:
- move $_SESSION handling to SessionManager
- code cleanup
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'index.php')
| -rw-r--r-- | index.php | 49 |
1 files changed, 13 insertions, 36 deletions
| @@ -197,11 +197,11 @@ function setup_login_state($conf, $sessionManager) | |||
| 197 | $userIsLoggedIn = false; // Shaarli is not configured yet. | 197 | $userIsLoggedIn = false; // Shaarli is not configured yet. |
| 198 | $loginFailure = true; | 198 | $loginFailure = true; |
| 199 | } | 199 | } |
| 200 | if (isset($_COOKIE['shaarli_staySignedIn']) && | 200 | if (isset($_COOKIE[SessionManager::$LOGGED_IN_COOKIE]) |
| 201 | $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && | 201 | && $_COOKIE[SessionManager::$LOGGED_IN_COOKIE] === STAY_SIGNED_IN_TOKEN |
| 202 | !$loginFailure) | 202 | && !$loginFailure |
| 203 | { | 203 | ) { |
| 204 | fillSessionInfo($conf, $sessionManager); | 204 | $sessionManager->storeLoginInfo($_SERVER); |
| 205 | $userIsLoggedIn = true; | 205 | $userIsLoggedIn = true; |
| 206 | } | 206 | } |
| 207 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. | 207 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. |
| @@ -209,7 +209,7 @@ function setup_login_state($conf, $sessionManager) | |||
| 209 | || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != client_ip_id($_SERVER)) | 209 | || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != client_ip_id($_SERVER)) |
| 210 | || time() >= $_SESSION['expires_on']) | 210 | || time() >= $_SESSION['expires_on']) |
| 211 | { | 211 | { |
| 212 | logout(); | 212 | $sessionManager->logout(WEB_PATH); |
| 213 | $userIsLoggedIn = false; | 213 | $userIsLoggedIn = false; |
| 214 | $loginFailure = true; | 214 | $loginFailure = true; |
| 215 | } | 215 | } |
| @@ -231,20 +231,6 @@ $userIsLoggedIn = setup_login_state($conf, $sessionManager); | |||
| 231 | // Session management | 231 | // Session management |
| 232 | 232 | ||
| 233 | /** | 233 | /** |
| 234 | * Load user session | ||
| 235 | * | ||
| 236 | * @param ConfigManager $conf Configuration Manager instance. | ||
| 237 | * @param SessionManager $sessionManager SessionManager instance | ||
| 238 | */ | ||
| 239 | function fillSessionInfo($conf, $sessionManager) | ||
| 240 | { | ||
| 241 | $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) | ||
| 242 | $_SESSION['ip'] = client_ip_id($_SERVER); | ||
| 243 | $_SESSION['username']= $conf->get('credentials.login'); | ||
| 244 | $_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT; | ||
| 245 | } | ||
| 246 | |||
| 247 | /** | ||
| 248 | * Check that user/password is correct. | 234 | * Check that user/password is correct. |
| 249 | * | 235 | * |
| 250 | * @param string $login Username | 236 | * @param string $login Username |
| @@ -259,7 +245,7 @@ function check_auth($login, $password, $conf, $sessionManager) | |||
| 259 | $hash = sha1($password . $login . $conf->get('credentials.salt')); | 245 | $hash = sha1($password . $login . $conf->get('credentials.salt')); |
| 260 | if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) { | 246 | if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) { |
| 261 | // Login/password is correct. | 247 | // Login/password is correct. |
| 262 | fillSessionInfo($conf, $sessionManager); | 248 | $sessionManager->storeLoginInfo($_SERVER); |
| 263 | logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); | 249 | logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); |
| 264 | return true; | 250 | return true; |
| 265 | } | 251 | } |
| @@ -274,18 +260,6 @@ function isLoggedIn() | |||
| 274 | return $userIsLoggedIn; | 260 | return $userIsLoggedIn; |
| 275 | } | 261 | } |
| 276 | 262 | ||
| 277 | // Force logout. | ||
| 278 | function logout() { | ||
| 279 | if (isset($_SESSION)) { | ||
| 280 | unset($_SESSION['uid']); | ||
| 281 | unset($_SESSION['ip']); | ||
| 282 | unset($_SESSION['username']); | ||
| 283 | unset($_SESSION['visibility']); | ||
| 284 | unset($_SESSION['untaggedonly']); | ||
| 285 | } | ||
| 286 | setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH); | ||
| 287 | } | ||
| 288 | |||
| 289 | // ------------------------------------------------------------------------------------------ | 263 | // ------------------------------------------------------------------------------------------ |
| 290 | // Process login form: Check if login/password is correct. | 264 | // Process login form: Check if login/password is correct. |
| 291 | if (isset($_POST['login'])) { | 265 | if (isset($_POST['login'])) { |
| @@ -303,10 +277,13 @@ if (isset($_POST['login'])) { | |||
| 303 | if (!empty($_POST['longlastingsession'])) { | 277 | if (!empty($_POST['longlastingsession'])) { |
| 304 | $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year) | 278 | $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year) |
| 305 | $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now) | 279 | $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now) |
| 306 | setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH); | 280 | setcookie($sessionManager::$LOGGED_IN_COOKIE, STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH); |
| 307 | $_SESSION['expires_on'] = $expiration; // Set session expiration on server-side. | 281 | $_SESSION['expires_on'] = $expiration; // Set session expiration on server-side. |
| 308 | 282 | ||
| 309 | $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; | 283 | $cookiedir = ''; |
| 284 | if (dirname($_SERVER['SCRIPT_NAME']) != '/') { | ||
| 285 | $cookiedir = dirname($_SERVER["SCRIPT_NAME"]) . '/'; | ||
| 286 | } | ||
| 310 | session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side | 287 | session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side |
| 311 | // Note: Never forget the trailing slash on the cookie path! | 288 | // Note: Never forget the trailing slash on the cookie path! |
| 312 | session_regenerate_id(true); // Send cookie with new expiration date to browser. | 289 | session_regenerate_id(true); // Send cookie with new expiration date to browser. |
| @@ -676,7 +653,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history, $sessionManager, | |||
| 676 | if (isset($_SERVER['QUERY_STRING']) && startsWith($_SERVER['QUERY_STRING'], 'do=logout')) | 653 | if (isset($_SERVER['QUERY_STRING']) && startsWith($_SERVER['QUERY_STRING'], 'do=logout')) |
| 677 | { | 654 | { |
| 678 | invalidateCaches($conf->get('resource.page_cache')); | 655 | invalidateCaches($conf->get('resource.page_cache')); |
| 679 | logout(); | 656 | $sessionManager->logout(WEB_PATH); |
| 680 | header('Location: ?'); | 657 | header('Location: ?'); |
| 681 | exit; | 658 | exit; |
| 682 | } | 659 | } |