Refactor session and cookie timeout control

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
author: VirtualTam <virtualtam@flibidi.net> 2018-04-27 23:17:38 +0200
committer: VirtualTam <virtualtam@flibidi.net> 2018-06-02 16:46:06 +0200
commit: 51f0128cdba52099c40693379e72f094b42a6f80 (patch)
tree: 57f71dc7d38611aaf91e77703acfd7ffbd0ac7c1 /index.php
parent: fab87c2696b9d6a26310f1bfc024b018ca5184fe (diff)
download: Shaarli-51f0128cdba52099c40693379e72f094b42a6f80.tar.gz
Shaarli-51f0128cdba52099c40693379e72f094b42a6f80.tar.zst
Shaarli-51f0128cdba52099c40693379e72f094b42a6f80.zip
1 files changed, 26 insertions, 21 deletions
diff --git a/index.php b/index.php
index 139812d7..8e3bade0 100644
--- a/index.php
+++ b/index.php
@@ -179,7 +179,7 @@ if (! is_file($conf->getConfigFileExt())) {
 // a token depending of deployment salt, user password, and the current ip
 define('STAY_SIGNED_IN_TOKEN', sha1($conf->get('credentials.hash') . $_SERVER['REMOTE_ADDR'] . $conf->get('credentials.salt')));
-$loginManager->checkLoginState($_COOKIE, WEB_PATH, $clientIpId, STAY_SIGNED_IN_TOKEN);
+$loginManager->checkLoginState($_COOKIE, $clientIpId, STAY_SIGNED_IN_TOKEN);
 /**
 * Adapter function to ensure compatibility with third-party templates
@@ -205,31 +205,35 @@ if (isset($_POST['login'])) {
        && $sessionManager->checkToken($_POST['token'])
        && $loginManager->checkCredentials($_SERVER['REMOTE_ADDR'], $clientIpId, $_POST['login'], $_POST['password'])
    ) {
-        // Login/password is OK.
        $loginManager->handleSuccessfulLogin($_SERVER);
-        // If user wants to keep the session cookie even after the browser closes:
+        $cookiedir = '';
-        if (!empty($_POST['longlastingsession'])) {
+        if (dirname($_SERVER['SCRIPT_NAME']) != '/') {
-            $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year)
-            $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now)
-            setcookie($sessionManager::$LOGGED_IN_COOKIE, STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH);
-            $_SESSION['expires_on'] = $expiration;  // Set session expiration on server-side.
-            $cookiedir = '';
-            if (dirname($_SERVER['SCRIPT_NAME']) != '/') {
-                $cookiedir = dirname($_SERVER["SCRIPT_NAME"]) . '/';
-            }
-            session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side
            // Note: Never forget the trailing slash on the cookie path!
-            session_regenerate_id(true);  // Send cookie with new expiration date to browser.
+            $cookiedir = dirname($_SERVER["SCRIPT_NAME"]) . '/';
        }
-        else // Standard session expiration (=when browser closes)
-        {
+        if (!empty($_POST['longlastingsession'])) {
-            $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/';
+            // Keep the session cookie even after the browser closes
-            session_set_cookie_params(0,$cookiedir,$_SERVER['SERVER_NAME']); // 0 means "When browser closes"
+            $sessionManager->setStaySignedIn(true);
-            session_regenerate_id(true);
+            $expirationTime = $sessionManager->extendSession();
+            setcookie(
+                $sessionManager::$LOGGED_IN_COOKIE,
+                STAY_SIGNED_IN_TOKEN,
+                $expirationTime,
+                WEB_PATH
+            );
+        } else {
+            // Standard session expiration (=when browser closes)
+            $expirationTime = 0;
        }
+        // Send cookie with the new expiration date to the browser
+        session_set_cookie_params($expirationTime, $cookiedir, $_SERVER['SERVER_NAME']);
+        session_regenerate_id(true);
        // Optional redirect after login:
        if (isset($_GET['post'])) {
            $uri = '?post='. urlencode($_GET['post']);
@@ -590,7 +594,8 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history, $sessionManager,
    if (isset($_SERVER['QUERY_STRING']) && startsWith($_SERVER['QUERY_STRING'], 'do=logout'))
    {
        invalidateCaches($conf->get('resource.page_cache'));
-        $sessionManager->logout(WEB_PATH);
+        $sessionManager->logout();
+        setcookie(SessionManager::$LOGGED_IN_COOKIE, 'false', 0, WEB_PATH);
        header('Location: ?');
        exit;
    }
author	VirtualTam <virtualtam@flibidi.net>	2018-04-27 23:17:38 +0200
committer	VirtualTam <virtualtam@flibidi.net>	2018-06-02 16:46:06 +0200
commit	51f0128cdba52099c40693379e72f094b42a6f80 (patch)
tree	57f71dc7d38611aaf91e77703acfd7ffbd0ac7c1 /index.php
parent	fab87c2696b9d6a26310f1bfc024b018ca5184fe (diff)
download	Shaarli-51f0128cdba52099c40693379e72f094b42a6f80.tar.gz Shaarli-51f0128cdba52099c40693379e72f094b42a6f80.tar.zst Shaarli-51f0128cdba52099c40693379e72f094b42a6f80.zip

diff --git a/index.php b/index.php index 139812d7..8e3bade0 100644 --- a/index.php +++ b/index.php
@@ -179,7 +179,7 @@ if (! is_file($conf->getConfigFileExt())) {
179	// a token depending of deployment salt, user password, and the current ip	179	// a token depending of deployment salt, user password, and the current ip
180	define('STAY_SIGNED_IN_TOKEN', sha1($conf->get('credentials.hash') . $_SERVER['REMOTE_ADDR'] . $conf->get('credentials.salt')));	180	define('STAY_SIGNED_IN_TOKEN', sha1($conf->get('credentials.hash') . $_SERVER['REMOTE_ADDR'] . $conf->get('credentials.salt')));
181		181
182	$loginManager->checkLoginState($_COOKIE, WEB_PATH, $clientIpId, STAY_SIGNED_IN_TOKEN);	182	$loginManager->checkLoginState($_COOKIE, $clientIpId, STAY_SIGNED_IN_TOKEN);
183		183
184	/**	184	/**
185	* Adapter function to ensure compatibility with third-party templates	185	* Adapter function to ensure compatibility with third-party templates
@@ -205,31 +205,35 @@ if (isset($_POST['login'])) {
205	&& $sessionManager->checkToken($_POST['token'])	205	&& $sessionManager->checkToken($_POST['token'])
206	&& $loginManager->checkCredentials($_SERVER['REMOTE_ADDR'], $clientIpId, $_POST['login'], $_POST['password'])	206	&& $loginManager->checkCredentials($_SERVER['REMOTE_ADDR'], $clientIpId, $_POST['login'], $_POST['password'])
207	) {	207	) {
208	// Login/password is OK.
209	$loginManager->handleSuccessfulLogin($_SERVER);	208	$loginManager->handleSuccessfulLogin($_SERVER);
210		209
211	// If user wants to keep the session cookie even after the browser closes:	210	$cookiedir = '';
212	if (!empty($_POST['longlastingsession'])) {	211	if (dirname($_SERVER['SCRIPT_NAME']) != '/') {
213	$_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year)
214	$expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now)
215	setcookie($sessionManager::$LOGGED_IN_COOKIE, STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH);
216	$_SESSION['expires_on'] = $expiration; // Set session expiration on server-side.
217
218	$cookiedir = '';
219	if (dirname($_SERVER['SCRIPT_NAME']) != '/') {
220	$cookiedir = dirname($_SERVER["SCRIPT_NAME"]) . '/';
221	}
222	session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side
223	// Note: Never forget the trailing slash on the cookie path!	212	// Note: Never forget the trailing slash on the cookie path!
224	session_regenerate_id(true); // Send cookie with new expiration date to browser.	213	$cookiedir = dirname($_SERVER["SCRIPT_NAME"]) . '/';
225	}	214	}
226	else // Standard session expiration (=when browser closes)	215
227	{	216	if (!empty($_POST['longlastingsession'])) {
228	$cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/';	217	// Keep the session cookie even after the browser closes
229	session_set_cookie_params(0,$cookiedir,$_SERVER['SERVER_NAME']); // 0 means "When browser closes"	218	$sessionManager->setStaySignedIn(true);
230	session_regenerate_id(true);	219	$expirationTime = $sessionManager->extendSession();
		220
		221	setcookie(
		222	$sessionManager::$LOGGED_IN_COOKIE,
		223	STAY_SIGNED_IN_TOKEN,
		224	$expirationTime,
		225	WEB_PATH
		226	);
		227
		228	} else {
		229	// Standard session expiration (=when browser closes)
		230	$expirationTime = 0;
231	}	231	}
232		232
		233	// Send cookie with the new expiration date to the browser
		234	session_set_cookie_params($expirationTime, $cookiedir, $_SERVER['SERVER_NAME']);
		235	session_regenerate_id(true);
		236
233	// Optional redirect after login:	237	// Optional redirect after login:
234	if (isset($_GET['post'])) {	238	if (isset($_GET['post'])) {
235	$uri = '?post='. urlencode($_GET['post']);	239	$uri = '?post='. urlencode($_GET['post']);
@@ -590,7 +594,8 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history, $sessionManager,
590	if (isset($_SERVER['QUERY_STRING']) && startsWith($_SERVER['QUERY_STRING'], 'do=logout'))	594	if (isset($_SERVER['QUERY_STRING']) && startsWith($_SERVER['QUERY_STRING'], 'do=logout'))
591	{	595	{
592	invalidateCaches($conf->get('resource.page_cache'));	596	invalidateCaches($conf->get('resource.page_cache'));
593	$sessionManager->logout(WEB_PATH);	597	$sessionManager->logout();
		598	setcookie(SessionManager::$LOGGED_IN_COOKIE, 'false', 0, WEB_PATH);
594	header('Location: ?');	599	header('Location: ?');
595	exit;	600	exit;
596	}	601	}