-rw-r--r--application/SessionManager.php4
-rw-r--r--index.php48
2 files changed, 28 insertions, 24 deletions
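--- a/application/SessionManager.php
+++ b/application/SessionManager.php
@@ -6,6 +6,10 @@ namespace Shaarli;
  */
 class SessionManager
 {
+    /** Session expiration timeout, in seconds */
+    public static $INACTIVITY_TIMEOUT = 3600;
+
+    /** Local reference to the global $_SESSION array */
     protected $session = [];
 
     /**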
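Review bot: The new `public static $INACTIVITY_TIMEOUT` is an untyped, publicly writable static, so any code path that gets a reference to the class can shorten or extend every user's session window at runtime, and the docblock gives no type. Since the value is only read (the index.php call sites use `$sessionManager::$INACTIVITY_TIMEOUT`), a class constant is the safer shape: `/** Session expiration timeout, in seconds */` followed by `const INACTIVITY_TIMEOUT = 3600;`, read as `SessionManager::INACTIVITY_TIMEOUT`. If it must stay a property so tests can override it, make it `protected static` with an `int`-typed accessor and add `@var int` to the docblock. The rest of the class body lies outside this hunk.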
diff --git a/index.php b/index.php
index 08a69327..9cbc9241 100644
--- a/index.php
+++ b/index.php
@@ -101,8 +101,6 @@ if (dirname($_SERVER['SCRIPT_NAME']) != '/') {
101// Set default cookie expiration and path. 101// Set default cookie expiration and path.
102session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['SERVER_NAME']); 102session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['SERVER_NAME']);
103// Set session parameters on server side. 103// Set session parameters on server side.
104// If the user does not access any page within this time, his/her session is considered expired.
105define('INACTIVITY_TIMEOUT', 3600); // in seconds.
106// Use cookies to store session. 104// Use cookies to store session.
107ini_set('session.use_cookies', 1); 105ini_set('session.use_cookies', 1);
108// Force cookies for session (phpsessionID forbidden in URL). 106// Force cookies for session (phpsessionID forbidden in URL).
@@ -183,11 +181,12 @@ define('STAY_SIGNED_IN_TOKEN', sha1($conf->get('credentials.hash') . $_SERVER['R
183/** 181/**
184 * Checking session state (i.e. is the user still logged in) 182 * Checking session state (i.e. is the user still logged in)
185 * 183 *
186 * @param ConfigManager $conf The configuration manager. 184 * @param ConfigManager $conf Configuration Manager instance.
185 * @param SessionManager $sessionManager SessionManager instance
187 * 186 *
188 * @return bool: true if the user is logged in, false otherwise. 187 * @return bool true if the user is logged in, false otherwise.
189 */ 188 */
190function setup_login_state($conf) 189function setup_login_state($conf, $sessionManager)
191{ 190{
192 if ($conf->get('security.open_shaarli')) { 191 if ($conf->get('security.open_shaarli')) {
193 return true; 192 return true;
@@ -202,7 +201,7 @@ function setup_login_state($conf)
202 $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && 201 $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
203 !$loginFailure) 202 !$loginFailure)
204 { 203 {
205 fillSessionInfo($conf); 204 fillSessionInfo($conf, $sessionManager);
206 $userIsLoggedIn = true; 205 $userIsLoggedIn = true;
207 } 206 }
208 // If session does not exist on server side, or IP address has changed, or session has expired, logout. 207 // If session does not exist on server side, or IP address has changed, or session has expired, logout.
@@ -216,9 +215,8 @@ function setup_login_state($conf)
216 } 215 }
217 if (!empty($_SESSION['longlastingsession'])) { 216 if (!empty($_SESSION['longlastingsession'])) {
218 $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked. 217 $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
219 } 218 } else {
220 else { 219 $_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT;
221 $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
222 } 220 }
223 if (!$loginFailure) { 221 if (!$loginFailure) {
224 $userIsLoggedIn = true; 222 $userIsLoggedIn = true;
@@ -226,39 +224,42 @@ function setup_login_state($conf)
226 224
227 return $userIsLoggedIn; 225 return $userIsLoggedIn;
228} 226}
229$userIsLoggedIn = setup_login_state($conf); 227
228$userIsLoggedIn = setup_login_state($conf, $sessionManager);
230 229
231// ------------------------------------------------------------------------------------------ 230// ------------------------------------------------------------------------------------------
232// Session management 231// Session management
233 232
234/** 233/**
235 * Load user session. 234 * Load user session
236 * 235 *
237 * @param ConfigManager $conf Configuration Manager instance. 236 * @param ConfigManager $conf Configuration Manager instance.
237 * @param SessionManager $sessionManager SessionManager instance
238 */ 238 */
239function fillSessionInfo($conf) 239function fillSessionInfo($conf, $sessionManager)
240{ 240{
241 $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) 241 $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
242 $_SESSION['ip'] = client_ip_id($_SERVER); 242 $_SESSION['ip'] = client_ip_id($_SERVER);
243 $_SESSION['username']= $conf->get('credentials.login'); 243 $_SESSION['username']= $conf->get('credentials.login');
244 $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. 244 $_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT;
245} 245}
246 246
247/** 247/**
248 * Check that user/password is correct. 248 * Check that user/password is correct.
249 * 249 *
250 * @param string $login Username 250 * @param string $login Username
251 * @param string $password User password 251 * @param string $password User password
252 * @param ConfigManager $conf Configuration Manager instance. 252 * @param ConfigManager $conf Configuration Manager instance.
253 * @param SessionManager $sessionManager SessionManager instance
253 * 254 *
254 * @return bool: authentication successful or not. 255 * @return bool: authentication successful or not.
255 */ 256 */
256function check_auth($login, $password, $conf) 257function check_auth($login, $password, $conf, $sessionManager)
257{ 258{
258 $hash = sha1($password . $login . $conf->get('credentials.salt')); 259 $hash = sha1($password . $login . $conf->get('credentials.salt'));
259 if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) 260 if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) {
260 { // Login/password is correct. 261 // Login/password is correct.
261 fillSessionInfo($conf); 262 fillSessionInfo($conf, $sessionManager);
262 logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); 263 logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');
263 return true; 264 return true;
264 } 265 }
@@ -287,14 +288,13 @@ function logout() {
287 288
288// ------------------------------------------------------------------------------------------ 289// ------------------------------------------------------------------------------------------
289// Process login form: Check if login/password is correct. 290// Process login form: Check if login/password is correct.
290if (isset($_POST['login'])) 291if (isset($_POST['login'])) {
291{
292 if (! $loginManager->canLogin($_SERVER)) { 292 if (! $loginManager->canLogin($_SERVER)) {
293 die(t('I said: NO. You are banned for the moment. Go away.')); 293 die(t('I said: NO. You are banned for the moment. Go away.'));
294 } 294 }
295 if (isset($_POST['password']) 295 if (isset($_POST['password'])
296 && $sessionManager->checkToken($_POST['token']) 296 && $sessionManager->checkToken($_POST['token'])
297 && (check_auth($_POST['login'], $_POST['password'], $conf)) 297 && (check_auth($_POST['login'], $_POST['password'], $conf, $sessionManager))
298 ) { 298 ) {
299 // Login/password is OK. 299 // Login/password is OK.
300 $loginManager->handleSuccessfulLogin($_SERVER); 300 $loginManager->handleSuccessfulLogin($_SERVER);