diff options
-rw-r--r-- | index.php | 85 |
1 files changed, 43 insertions, 42 deletions
@@ -177,42 +177,42 @@ if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) { | |||
177 | */ | 177 | */ |
178 | function setup_login_state($conf) | 178 | function setup_login_state($conf) |
179 | { | 179 | { |
180 | if ($conf->get('security.open_shaarli')) { | 180 | if ($conf->get('security.open_shaarli')) { |
181 | return true; | 181 | return true; |
182 | } | 182 | } |
183 | $userIsLoggedIn = false; // By default, we do not consider the user as logged in; | 183 | $userIsLoggedIn = false; // By default, we do not consider the user as logged in; |
184 | $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met. | 184 | $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met. |
185 | if (! $conf->exists('credentials.login')) { | 185 | if (! $conf->exists('credentials.login')) { |
186 | $userIsLoggedIn = false; // Shaarli is not configured yet. | 186 | $userIsLoggedIn = false; // Shaarli is not configured yet. |
187 | $loginFailure = true; | 187 | $loginFailure = true; |
188 | } | 188 | } |
189 | if (isset($_COOKIE['shaarli_staySignedIn']) && | 189 | if (isset($_COOKIE['shaarli_staySignedIn']) && |
190 | $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && | 190 | $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && |
191 | !$loginFailure) | 191 | !$loginFailure) |
192 | { | 192 | { |
193 | fillSessionInfo($conf); | 193 | fillSessionInfo($conf); |
194 | $userIsLoggedIn = true; | 194 | $userIsLoggedIn = true; |
195 | } | 195 | } |
196 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. | 196 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. |
197 | if (empty($_SESSION['uid']) | 197 | if (empty($_SESSION['uid']) |
198 | || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs()) | 198 | || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs()) |
199 | || time() >= $_SESSION['expires_on']) | 199 | || time() >= $_SESSION['expires_on']) |
200 | { | 200 | { |
201 | logout(); | 201 | logout(); |
202 | $userIsLoggedIn = false; | 202 | $userIsLoggedIn = false; |
203 | $loginFailure = true; | 203 | $loginFailure = true; |
204 | } | 204 | } |
205 | if (!empty($_SESSION['longlastingsession'])) { | 205 | if (!empty($_SESSION['longlastingsession'])) { |
206 | $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked. | 206 | $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked. |
207 | } | 207 | } |
208 | else { | 208 | else { |
209 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date. | 209 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date. |
210 | } | 210 | } |
211 | if (!$loginFailure) { | 211 | if (!$loginFailure) { |
212 | $userIsLoggedIn = true; | 212 | $userIsLoggedIn = true; |
213 | } | 213 | } |
214 | 214 | ||
215 | return $userIsLoggedIn; | 215 | return $userIsLoggedIn; |
216 | } | 216 | } |
217 | $userIsLoggedIn = setup_login_state($conf); | 217 | $userIsLoggedIn = setup_login_state($conf); |
218 | 218 | ||
@@ -236,10 +236,10 @@ function allIPs() | |||
236 | */ | 236 | */ |
237 | function fillSessionInfo($conf) | 237 | function fillSessionInfo($conf) |
238 | { | 238 | { |
239 | $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) | 239 | $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) |
240 | $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. | 240 | $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. |
241 | $_SESSION['username']= $conf->get('credentials.login'); | 241 | $_SESSION['username']= $conf->get('credentials.login'); |
242 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. | 242 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. |
243 | } | 243 | } |
244 | 244 | ||
245 | /** | 245 | /** |
@@ -256,7 +256,7 @@ function check_auth($login, $password, $conf) | |||
256 | $hash = sha1($password . $login . $conf->get('credentials.salt')); | 256 | $hash = sha1($password . $login . $conf->get('credentials.salt')); |
257 | if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) | 257 | if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) |
258 | { // Login/password is correct. | 258 | { // Login/password is correct. |
259 | fillSessionInfo($conf); | 259 | fillSessionInfo($conf); |
260 | logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); | 260 | logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); |
261 | return true; | 261 | return true; |
262 | } | 262 | } |
@@ -385,9 +385,10 @@ if (isset($_POST['login'])) | |||
385 | // If user wants to keep the session cookie even after the browser closes: | 385 | // If user wants to keep the session cookie even after the browser closes: |
386 | if (!empty($_POST['longlastingsession'])) | 386 | if (!empty($_POST['longlastingsession'])) |
387 | { | 387 | { |
388 | setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH); | 388 | $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year) |
389 | $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year) | 389 | $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now) |
390 | $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side. | 390 | setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH); |
391 | $_SESSION['expires_on'] = $expiration; // Set session expiration on server-side. | ||
391 | 392 | ||
392 | $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; | 393 | $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; |
393 | session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side | 394 | session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side |