author | VirtualTam <virtualtam@flibidi.net> | 2018-04-27 23:17:38 +0200 |
---|---|---|
committer | VirtualTam <virtualtam@flibidi.net> | 2018-06-02 16:46:06 +0200 |
commit | 51f0128cdba52099c40693379e72f094b42a6f80 (patch) | |
tree | 57f71dc7d38611aaf91e77703acfd7ffbd0ac7c1 /index.php | |
parent | fab87c2696b9d6a26310f1bfc024b018ca5184fe (diff) | |
download | Shaarli-51f0128cdba52099c40693379e72f094b42a6f80.tar.gz Shaarli-51f0128cdba52099c40693379e72f094b42a6f80.tar.zst Shaarli-51f0128cdba52099c40693379e72f094b42a6f80.zip |
Refactor session and cookie timeout control
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'index.php')
-rw-r--r-- | index.php | 47 |
1 files changed, 26 insertions, 21 deletions
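--- a/index.php
+++ b/index.php
@@ -179,7 +179,7 @@ if (! is_file($conf->getConfigFileExt())) {
 // a token depending of deployment salt, user password, and the current ip
 define('STAY_SIGNED_IN_TOKEN', sha1($conf->get('credentials.hash') . $_SERVER['REMOTE_ADDR'] . $conf->get('credentials.salt')));
 
-$loginManager->checkLoginState($_COOKIE, WEB_PATH, $clientIpId, STAY_SIGNED_IN_TOKEN);
+$loginManager->checkLoginState($_COOKIE, $clientIpId, STAY_SIGNED_IN_TOKEN);
 
 /**
  * Adapter function to ensure compatibility with third-party templates
@@ -205,31 +205,35 @@ if (isset($_POST['login'])) {
 && $sessionManager->checkToken($_POST['token'])
 && $loginManager->checkCredentials($_SERVER['REMOTE_ADDR'], $clientIpId, $_POST['login'], $_POST['password'])
 ) {
-// Login/password is OK.
 $loginManager->handleSuccessfulLogin($_SERVER);
 
-// If user wants to keep the session cookie even after the browser closes:
-if (!empty($_POST['longlastingsession'])) {
-$_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year)
-$expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now)
-setcookie($sessionManager::$LOGGED_IN_COOKIE, STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH);
-$_SESSION['expires_on'] = $expiration; // Set session expiration on server-side.
-
-$cookiedir = '';
-if (dirname($_SERVER['SCRIPT_NAME']) != '/') {
-$cookiedir = dirname($_SERVER["SCRIPT_NAME"]) . '/';
-}
-session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side
+$cookiedir = '';
+if (dirname($_SERVER['SCRIPT_NAME']) != '/') {
 // Note: Never forget the trailing slash on the cookie path!
-session_regenerate_id(true); // Send cookie with new expiration date to browser.
+$cookiedir = dirname($_SERVER["SCRIPT_NAME"]) . '/';
 }
-else // Standard session expiration (=when browser closes)
-{
-$cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/';
-session_set_cookie_params(0,$cookiedir,$_SERVER['SERVER_NAME']); // 0 means "When browser closes"
-session_regenerate_id(true);
+
+if (!empty($_POST['longlastingsession'])) {
+// Keep the session cookie even after the browser closes
+$sessionManager->setStaySignedIn(true);
+$expirationTime = $sessionManager->extendSession();
+
+setcookie(
+$sessionManager::$LOGGED_IN_COOKIE,
+STAY_SIGNED_IN_TOKEN,
+$expirationTime,
+WEB_PATH
+);
+
+} else {
+// Standard session expiration (=when browser closes)
+$expirationTime = 0;
 }
 
+// Send cookie with the new expiration date to the browser
+session_set_cookie_params($expirationTime, $cookiedir, $_SERVER['SERVER_NAME']);
+session_regenerate_id(true);
+
 // Optional redirect after login:
 if (isset($_GET['post'])) {
 $uri = '?post='. urlencode($_GET['post']);
@@ -590,7 +594,8 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history, $sessionManager,
 if (isset($_SERVER['QUERY_STRING']) && startsWith($_SERVER['QUERY_STRING'], 'do=logout'))
 {
 invalidateCaches($conf->get('resource.page_cache'));
-$sessionManager->logout(WEB_PATH);
+$sessionManager->logout();
+setcookie(SessionManager::$LOGGED_IN_COOKIE, 'false', 0, WEB_PATH);
 header('Location: ?');
 exit;
 }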
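Review bot: In the login hunk, `session_set_cookie_params($expirationTime, $cookiedir, $_SERVER['SERVER_NAME'])` and the `setcookie(...)` carrying STAY_SIGNED_IN_TOKEN pass neither the `secure` nor the `httponly` flag, so the session id and the stay-signed-in token stay readable by page scripts and are sent over plain HTTP; `session_set_cookie_params($expirationTime, $cookiedir, $_SERVER['SERVER_NAME'], $secure, true)` with `$secure` derived from the request scheme, and the matching arguments on `setcookie`, would close that (the replaced code had the same gap, so this is a follow-up rather than a regression). The `else` branch sets `$expirationTime = 0` but never calls `$sessionManager->setStaySignedIn(false)`, so a flag left in an already-open session by an earlier long-lasting login may carry over into this one unless `extendSession()` or `logout()` clears it — worth confirming. In the logout hunk, `setcookie(SessionManager::$LOGGED_IN_COOKIE, 'false', 0, WEB_PATH)` overwrites the cookie as a session cookie rather than removing it; a past expiry such as `time() - 3600` makes the browser discard it outright. The enclosing `if (isset($_POST['login']))` block and the `renderPage` function both start before their hunks.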