author | VirtualTam <virtualtam@flibidi.net> | 2018-02-17 01:14:58 +0100 |
committer | VirtualTam <virtualtam@flibidi.net> | 2018-05-29 22:53:54 +0200 |
commit | 49f183231662c642ca9df6ceabf43fe128a5ffc1 (patch) | |
tree | 37367944aef0f998b12e307a2510cb2c06d3aa0f /index.php | |
parent | db45a36a53dbd722e5e891827e49d9e7651f2a5e (diff) | |
Refactor PHP session handling during login/logout
Changed:
- move $_SESSION handling to SessionManager
- code cleanup
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'index.php')
-rw-r--r-- | index.php | 49 |
1 files changed, 13 insertions, 36 deletions
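--- a/index.php
+++ b/index.php
@@ -197,11 +197,11 @@ function setup_login_state($conf, $sessionManager)
 $userIsLoggedIn = false; // Shaarli is not configured yet.
 $loginFailure = true;
 }
-if (isset($_COOKIE['shaarli_staySignedIn']) &&
-$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
-!$loginFailure)
-{
-fillSessionInfo($conf, $sessionManager);
+if (isset($_COOKIE[SessionManager::$LOGGED_IN_COOKIE])
+&& $_COOKIE[SessionManager::$LOGGED_IN_COOKIE] === STAY_SIGNED_IN_TOKEN
+&& !$loginFailure
+) {
+$sessionManager->storeLoginInfo($_SERVER);
 $userIsLoggedIn = true;
 }
 // If session does not exist on server side, or IP address has changed, or session has expired, logout.
@@ -209,7 +209,7 @@ function setup_login_state($conf, $sessionManager)
 || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != client_ip_id($_SERVER))
 || time() >= $_SESSION['expires_on'])
 {
-logout();
+$sessionManager->logout(WEB_PATH);
 $userIsLoggedIn = false;
 $loginFailure = true;
 }
@@ -231,20 +231,6 @@ $userIsLoggedIn = setup_login_state($conf, $sessionManager);
 // Session management
 
 /**
-* Load user session
-*
-* @param ConfigManager $conf Configuration Manager instance.
-* @param SessionManager $sessionManager SessionManager instance
-*/
-function fillSessionInfo($conf, $sessionManager)
-{
-$_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
-$_SESSION['ip'] = client_ip_id($_SERVER);
-$_SESSION['username']= $conf->get('credentials.login');
-$_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT;
-}
-
-/**
 * Check that user/password is correct.
 *
 * @param string $login Username
@@ -259,7 +245,7 @@ function check_auth($login, $password, $conf, $sessionManager)
 $hash = sha1($password . $login . $conf->get('credentials.salt'));
 if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) {
 // Login/password is correct.
-fillSessionInfo($conf, $sessionManager);
+$sessionManager->storeLoginInfo($_SERVER);
 logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');
 return true;
 }
@@ -274,18 +260,6 @@ function isLoggedIn()
 return $userIsLoggedIn;
 }
 
-// Force logout.
-function logout() {
-if (isset($_SESSION)) {
-unset($_SESSION['uid']);
-unset($_SESSION['ip']);
-unset($_SESSION['username']);
-unset($_SESSION['visibility']);
-unset($_SESSION['untaggedonly']);
-}
-setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH);
-}
-
 // ------------------------------------------------------------------------------------------
 // Process login form: Check if login/password is correct.
 if (isset($_POST['login'])) {
@@ -303,10 +277,13 @@ if (isset($_POST['login'])) {
 if (!empty($_POST['longlastingsession'])) {
 $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year)
 $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now)
-setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH);
+setcookie($sessionManager::$LOGGED_IN_COOKIE, STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH);
 $_SESSION['expires_on'] = $expiration; // Set session expiration on server-side.
 
-$cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/';
+$cookiedir = '';
+if (dirname($_SERVER['SCRIPT_NAME']) != '/') {
+$cookiedir = dirname($_SERVER["SCRIPT_NAME"]) . '/';
+}
 session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side
 // Note: Never forget the trailing slash on the cookie path!
 session_regenerate_id(true); // Send cookie with new expiration date to browser.
@@ -676,7 +653,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history, $sessionManager,
 if (isset($_SERVER['QUERY_STRING']) && startsWith($_SERVER['QUERY_STRING'], 'do=logout'))
 {
 invalidateCaches($conf->get('resource.page_cache'));
-logout();
+$sessionManager->logout(WEB_PATH);
 header('Location: ?');
 exit;
 }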
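Review bot: New line 280 in the `@@ -303,10 +277,13 @@` hunk re-issues the stay-signed-in cookie without the `httponly` and `secure` flags, even though new lines 200–205 of the first hunk accept that cookie value alone as proof of login; `setcookie()` takes the flags as its 6th and 7th arguments, e.g. `setcookie($sessionManager::$LOGGED_IN_COOKIE, STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH, '', false, true);` with the 6th argument derived from whether the request arrived over TLS. The unchanged `session_set_cookie_params(...)` on new line 287 of the same hunk has the same gap for the PHP session cookie. In the first hunk, the reformatted `=== STAY_SIGNED_IN_TOKEN` check could be written `hash_equals(STAY_SIGNED_IN_TOKEN, $_COOKIE[SessionManager::$LOGGED_IN_COOKIE])` so the token comparison does not leak through timing. The enclosing `if (isset($_POST['login']))` block starts before this hunk and continues after it, and whether `SessionManager::logout()` also clears `expires_on` (which the removed `logout()` never did) cannot be verified from this page.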