-rw-r--r-- | application/SessionManager.php | 4 | ||||
-rw-r--r-- | index.php | 48 |
2 files changed, 28 insertions, 24 deletions
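--- a/application/SessionManager.php
+++ b/application/SessionManager.php
@@ -6,6 +6,10 @@ namespace Shaarli;
  */
 class SessionManager
 {
+/** Session expiration timeout, in seconds */
+public static $INACTIVITY_TIMEOUT = 3600;
+
+/** Local reference to the global $_SESSION array */
 protected $session = [];
 
 /**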
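Review bot: `public static $INACTIVITY_TIMEOUT = 3600;` is a writable global: any code that can reach the class can change the session lifetime for the rest of the request, and index.php reads it through an instance (`$sessionManager::$INACTIVITY_TIMEOUT`), which hides that it is static. If the value is not meant to change at runtime, a class constant (`const INACTIVITY_TIMEOUT = 3600;`) says so and stays reachable as `SessionManager::INACTIVITY_TIMEOUT`; if it is static so tests can override it, the docblock should state that, e.g. `/** Session expiration timeout, in seconds (static so tests can shorten it) */`. The class body continues past the hunk.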
@@ -101,8 +101,6 @@ if (dirname($_SERVER['SCRIPT_NAME']) != '/') { | |||
101 | // Set default cookie expiration and path. | 101 | // Set default cookie expiration and path. |
102 | session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['SERVER_NAME']); | 102 | session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['SERVER_NAME']); |
103 | // Set session parameters on server side. | 103 | // Set session parameters on server side. |
104 | // If the user does not access any page within this time, his/her session is considered expired. | ||
105 | define('INACTIVITY_TIMEOUT', 3600); // in seconds. | ||
106 | // Use cookies to store session. | 104 | // Use cookies to store session. |
107 | ini_set('session.use_cookies', 1); | 105 | ini_set('session.use_cookies', 1); |
108 | // Force cookies for session (phpsessionID forbidden in URL). | 106 | // Force cookies for session (phpsessionID forbidden in URL). |
@@ -183,11 +181,12 @@ define('STAY_SIGNED_IN_TOKEN', sha1($conf->get('credentials.hash') . $_SERVER['R | |||
183 | /** | 181 | /** |
184 | * Checking session state (i.e. is the user still logged in) | 182 | * Checking session state (i.e. is the user still logged in) |
185 | * | 183 | * |
186 | * @param ConfigManager $conf The configuration manager. | 184 | * @param ConfigManager $conf Configuration Manager instance. |
185 | * @param SessionManager $sessionManager SessionManager instance | ||
187 | * | 186 | * |
188 | * @return bool: true if the user is logged in, false otherwise. | 187 | * @return bool true if the user is logged in, false otherwise. |
189 | */ | 188 | */ |
190 | function setup_login_state($conf) | 189 | function setup_login_state($conf, $sessionManager) |
191 | { | 190 | { |
192 | if ($conf->get('security.open_shaarli')) { | 191 | if ($conf->get('security.open_shaarli')) { |
193 | return true; | 192 | return true; |
@@ -202,7 +201,7 @@ function setup_login_state($conf) | |||
202 | $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && | 201 | $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && |
203 | !$loginFailure) | 202 | !$loginFailure) |
204 | { | 203 | { |
205 | fillSessionInfo($conf); | 204 | fillSessionInfo($conf, $sessionManager); |
206 | $userIsLoggedIn = true; | 205 | $userIsLoggedIn = true; |
207 | } | 206 | } |
208 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. | 207 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. |
@@ -216,9 +215,8 @@ function setup_login_state($conf) | |||
216 | } | 215 | } |
217 | if (!empty($_SESSION['longlastingsession'])) { | 216 | if (!empty($_SESSION['longlastingsession'])) { |
218 | $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked. | 217 | $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked. |
219 | } | 218 | } else { |
220 | else { | 219 | $_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT; |
221 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date. | ||
222 | } | 220 | } |
223 | if (!$loginFailure) { | 221 | if (!$loginFailure) { |
224 | $userIsLoggedIn = true; | 222 | $userIsLoggedIn = true; |
@@ -226,39 +224,42 @@ function setup_login_state($conf) | |||
226 | 224 | ||
227 | return $userIsLoggedIn; | 225 | return $userIsLoggedIn; |
228 | } | 226 | } |
229 | $userIsLoggedIn = setup_login_state($conf); | 227 | |
228 | $userIsLoggedIn = setup_login_state($conf, $sessionManager); | ||
230 | 229 | ||
231 | // ------------------------------------------------------------------------------------------ | 230 | // ------------------------------------------------------------------------------------------ |
232 | // Session management | 231 | // Session management |
233 | 232 | ||
234 | /** | 233 | /** |
235 | * Load user session. | 234 | * Load user session |
236 | * | 235 | * |
237 | * @param ConfigManager $conf Configuration Manager instance. | 236 | * @param ConfigManager $conf Configuration Manager instance. |
237 | * @param SessionManager $sessionManager SessionManager instance | ||
238 | */ | 238 | */ |
239 | function fillSessionInfo($conf) | 239 | function fillSessionInfo($conf, $sessionManager) |
240 | { | 240 | { |
241 | $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) | 241 | $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) |
242 | $_SESSION['ip'] = client_ip_id($_SERVER); | 242 | $_SESSION['ip'] = client_ip_id($_SERVER); |
243 | $_SESSION['username']= $conf->get('credentials.login'); | 243 | $_SESSION['username']= $conf->get('credentials.login'); |
244 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. | 244 | $_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT; |
245 | } | 245 | } |
246 | 246 | ||
247 | /** | 247 | /** |
248 | * Check that user/password is correct. | 248 | * Check that user/password is correct. |
249 | * | 249 | * |
250 | * @param string $login Username | 250 | * @param string $login Username |
251 | * @param string $password User password | 251 | * @param string $password User password |
252 | * @param ConfigManager $conf Configuration Manager instance. | 252 | * @param ConfigManager $conf Configuration Manager instance. |
253 | * @param SessionManager $sessionManager SessionManager instance | ||
253 | * | 254 | * |
254 | * @return bool: authentication successful or not. | 255 | * @return bool: authentication successful or not. |
255 | */ | 256 | */ |
256 | function check_auth($login, $password, $conf) | 257 | function check_auth($login, $password, $conf, $sessionManager) |
257 | { | 258 | { |
258 | $hash = sha1($password . $login . $conf->get('credentials.salt')); | 259 | $hash = sha1($password . $login . $conf->get('credentials.salt')); |
259 | if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) | 260 | if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) { |
260 | { // Login/password is correct. | 261 | // Login/password is correct. |
261 | fillSessionInfo($conf); | 262 | fillSessionInfo($conf, $sessionManager); |
262 | logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); | 263 | logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); |
263 | return true; | 264 | return true; |
264 | } | 265 | } |
@@ -287,14 +288,13 @@ function logout() { | |||
287 | 288 | ||
288 | // ------------------------------------------------------------------------------------------ | 289 | // ------------------------------------------------------------------------------------------ |
289 | // Process login form: Check if login/password is correct. | 290 | // Process login form: Check if login/password is correct. |
290 | if (isset($_POST['login'])) | 291 | if (isset($_POST['login'])) { |
291 | { | ||
292 | if (! $loginManager->canLogin($_SERVER)) { | 292 | if (! $loginManager->canLogin($_SERVER)) { |
293 | die(t('I said: NO. You are banned for the moment. Go away.')); | 293 | die(t('I said: NO. You are banned for the moment. Go away.')); |
294 | } | 294 | } |
295 | if (isset($_POST['password']) | 295 | if (isset($_POST['password']) |
296 | && $sessionManager->checkToken($_POST['token']) | 296 | && $sessionManager->checkToken($_POST['token']) |
297 | && (check_auth($_POST['login'], $_POST['password'], $conf)) | 297 | && (check_auth($_POST['login'], $_POST['password'], $conf, $sessionManager)) |
298 | ) { | 298 | ) { |
299 | // Login/password is OK. | 299 | // Login/password is OK. |
300 | $loginManager->handleSuccessfulLogin($_SERVER); | 300 | $loginManager->handleSuccessfulLogin($_SERVER); |
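Review bot: The brace-only rewrite of the credential check in check_auth (hunk @@ -226,39 +224,42 @@) keeps `$login == ... && $hash == ...`, a loose, early-exit string comparison for the password digest. `==` on two hex digests applies PHP's numeric-string rules (a digest of the form `0e` followed only by digits compares equal to any other such digest), and the byte-wise short-circuit leaks timing; since the line is already touched, change it to `if ($login === $conf->get('credentials.login') && hash_equals((string) $conf->get('credentials.hash'), $hash)) {`. The `@return bool:` docblock of check_auth also still carries the stray colon that the setup_login_state docblock drops in the same commit. check_auth's body continues past the hunk.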