aboutsummaryrefslogtreecommitdiffhomepage
path: root/index.php
diff options
context:
space:
mode:
authorChristophe HENRY <christophe.henry@sbgodin.fr>2013-12-05 18:23:02 +0100
committerChristophe HENRY <christophe.henry@sbgodin.fr>2013-12-05 22:26:04 +0100
commitae00595b1ca1cdcbbef5090b1ab907c54be4aa48 (patch)
tree8d5dd3266f990da84cb4516ca36b5fa5815488ba /index.php
parent067e66acfee19019ea3c1efa7f4ea305259bbd74 (diff)
downloadShaarli-ae00595b1ca1cdcbbef5090b1ab907c54be4aa48.tar.gz
Shaarli-ae00595b1ca1cdcbbef5090b1ab907c54be4aa48.tar.zst
Shaarli-ae00595b1ca1cdcbbef5090b1ab907c54be4aa48.zip
A real "Stay signed in": keep the connection
Instead of trusting the php session, it uses a cookie. The php session sooner or later is distroyed if not used. It depends upon the server settings. Using a cookie ensures that one really stays signed in. Dev notes: I wanted to avoid merge conflicts, stay with the main developper standards and keep the "index.php" in one file. That's why the code may not be that nice. My own dev level my also explain.
Diffstat (limited to 'index.php')
-rw-r--r--index.php26
1 files changed, 21 insertions, 5 deletions
diff --git a/index.php b/index.php
index acc3fe49..c102e422 100644
--- a/index.php
+++ b/index.php
@@ -37,6 +37,8 @@ if (is_file($GLOBALS['config']['DATADIR'].'/options.php')) require($GLOBALS['con
37define('shaarli_version','0.0.41 beta'); 37define('shaarli_version','0.0.41 beta');
38define('PHPPREFIX','<?php /* '); // Prefix to encapsulate data in php code. 38define('PHPPREFIX','<?php /* '); // Prefix to encapsulate data in php code.
39define('PHPSUFFIX',' */ ?>'); // Suffix to encapsulate data in php code. 39define('PHPSUFFIX',' */ ?>'); // Suffix to encapsulate data in php code.
40// http://server.com/x/shaarli --> /shaarli/
41define('WEB_PATH', substr($_SERVER["REQUEST_URI"], 0, 1+strrpos($_SERVER["REQUEST_URI"], '/', 0)));
40 42
41// Force cookie path (but do not change lifetime) 43// Force cookie path (but do not change lifetime)
42$cookie=session_get_cookie_params(); 44$cookie=session_get_cookie_params();
@@ -110,6 +112,8 @@ if (!is_file($GLOBALS['config']['CONFIG_FILE'])) install();
110 112
111require $GLOBALS['config']['CONFIG_FILE']; // Read login/password hash into $GLOBALS. 113require $GLOBALS['config']['CONFIG_FILE']; // Read login/password hash into $GLOBALS.
112 114
115// a token depending of deployment salt, user password, and the current ip
116define('STAY_SIGNED_IN_TOKEN', sha1($GLOBALS['hash'].$_SERVER["REMOTE_ADDR"].$GLOBALS['salt']));
113 117
114autoLocale(); // Sniff browser language and set date format accordingly. 118autoLocale(); // Sniff browser language and set date format accordingly.
115header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling. 119header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling.
@@ -294,16 +298,20 @@ function allIPs()
294 return $ip; 298 return $ip;
295} 299}
296 300
301function fillSessionInfo() {
302 $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // generate unique random number (different than phpsessionid)
303 $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked.
304 $_SESSION['username']=$GLOBALS['login'];
305 $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.
306}
307
297// Check that user/password is correct. 308// Check that user/password is correct.
298function check_auth($login,$password) 309function check_auth($login,$password)
299{ 310{
300 $hash = sha1($password.$login.$GLOBALS['salt']); 311 $hash = sha1($password.$login.$GLOBALS['salt']);
301 if ($login==$GLOBALS['login'] && $hash==$GLOBALS['hash']) 312 if ($login==$GLOBALS['login'] && $hash==$GLOBALS['hash'])
302 { // Login/password is correct. 313 { // Login/password is correct.
303 $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // generate unique random number (different than phpsessionid) 314 fillSessionInfo();
304 $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked.
305 $_SESSION['username']=$login;
306 $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.
307 logm('Login successful'); 315 logm('Login successful');
308 return True; 316 return True;
309 } 317 }
@@ -318,6 +326,11 @@ function isLoggedIn()
318 326
319 if (!isset($GLOBALS['login'])) return false; // Shaarli is not configured yet. 327 if (!isset($GLOBALS['login'])) return false; // Shaarli is not configured yet.
320 328
329 if (@$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN)
330 {
331 fillSessionInfo();
332 return true;
333 }
321 // If session does not exist on server side, or IP address has changed, or session has expired, logout. 334 // If session does not exist on server side, or IP address has changed, or session has expired, logout.
322 if (empty($_SESSION['uid']) || ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) || time()>=$_SESSION['expires_on']) 335 if (empty($_SESSION['uid']) || ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) || time()>=$_SESSION['expires_on'])
323 { 336 {
@@ -331,7 +344,9 @@ function isLoggedIn()
331} 344}
332 345
333// Force logout. 346// Force logout.
334function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); } } 347function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); }
348setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH);
349}
335 350
336 351
337// ------------------------------------------------------------------------------------------ 352// ------------------------------------------------------------------------------------------
@@ -393,6 +408,7 @@ if (isset($_POST['login']))
393 // If user wants to keep the session cookie even after the browser closes: 408 // If user wants to keep the session cookie even after the browser closes:
394 if (!empty($_POST['longlastingsession'])) 409 if (!empty($_POST['longlastingsession']))
395 { 410 {
411 setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH);
396 $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year) 412 $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year)
397 $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side. 413 $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side.
398 414