-rw-r--r--index.php85
1 files changed, 43 insertions, 42 deletions
diff --git a/index.php b/index.php
index b1d0c994..1ed1ef26 100644
--- a/index.php
+++ b/index.php
@@ -177,42 +177,42 @@ if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) {
177 */ 177 */
178function setup_login_state($conf) 178function setup_login_state($conf)
179{ 179{
180 if ($conf->get('security.open_shaarli')) { 180 if ($conf->get('security.open_shaarli')) {
181 return true; 181 return true;
182 } 182 }
183 $userIsLoggedIn = false; // By default, we do not consider the user as logged in; 183 $userIsLoggedIn = false; // By default, we do not consider the user as logged in;
184 $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met. 184 $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.
185 if (! $conf->exists('credentials.login')) { 185 if (! $conf->exists('credentials.login')) {
186 $userIsLoggedIn = false; // Shaarli is not configured yet. 186 $userIsLoggedIn = false; // Shaarli is not configured yet.
187 $loginFailure = true; 187 $loginFailure = true;
188 } 188 }
189 if (isset($_COOKIE['shaarli_staySignedIn']) && 189 if (isset($_COOKIE['shaarli_staySignedIn']) &&
190 $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && 190 $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
191 !$loginFailure) 191 !$loginFailure)
192 { 192 {
193 fillSessionInfo($conf); 193 fillSessionInfo($conf);
194 $userIsLoggedIn = true; 194 $userIsLoggedIn = true;
195 } 195 }
196 // If session does not exist on server side, or IP address has changed, or session has expired, logout. 196 // If session does not exist on server side, or IP address has changed, or session has expired, logout.
197 if (empty($_SESSION['uid']) 197 if (empty($_SESSION['uid'])
198 || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs()) 198 || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs())
199 || time() >= $_SESSION['expires_on']) 199 || time() >= $_SESSION['expires_on'])
200 { 200 {
201 logout(); 201 logout();
202 $userIsLoggedIn = false; 202 $userIsLoggedIn = false;
203 $loginFailure = true; 203 $loginFailure = true;
204 } 204 }
205 if (!empty($_SESSION['longlastingsession'])) { 205 if (!empty($_SESSION['longlastingsession'])) {
206 $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked. 206 $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
207 } 207 }
208 else { 208 else {
209 $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date. 209 $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
210 } 210 }
211 if (!$loginFailure) { 211 if (!$loginFailure) {
212 $userIsLoggedIn = true; 212 $userIsLoggedIn = true;
213 } 213 }
214 214
215 return $userIsLoggedIn; 215 return $userIsLoggedIn;
216} 216}
217$userIsLoggedIn = setup_login_state($conf); 217$userIsLoggedIn = setup_login_state($conf);
218 218
@@ -236,10 +236,10 @@ function allIPs()
236 */ 236 */
237function fillSessionInfo($conf) 237function fillSessionInfo($conf)
238{ 238{
239 $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) 239 $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
240 $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. 240 $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked.
241 $_SESSION['username']= $conf->get('credentials.login'); 241 $_SESSION['username']= $conf->get('credentials.login');
242 $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. 242 $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.
243} 243}
244 244
245/** 245/**
@@ -256,7 +256,7 @@ function check_auth($login, $password, $conf)
256 $hash = sha1($password . $login . $conf->get('credentials.salt')); 256 $hash = sha1($password . $login . $conf->get('credentials.salt'));
257 if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) 257 if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash'))
258 { // Login/password is correct. 258 { // Login/password is correct.
259 fillSessionInfo($conf); 259 fillSessionInfo($conf);
260 logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); 260 logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');
261 return true; 261 return true;
262 } 262 }
@@ -385,9 +385,10 @@ if (isset($_POST['login']))
385 // If user wants to keep the session cookie even after the browser closes: 385 // If user wants to keep the session cookie even after the browser closes:
386 if (!empty($_POST['longlastingsession'])) 386 if (!empty($_POST['longlastingsession']))
387 { 387 {
388 setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH); 388 $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year)
389 $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year) 389 $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now)
390 $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side. 390 setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH);
391 $_SESSION['expires_on'] = $expiration; // Set session expiration on server-side.
391 392
392 $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; 393 $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/';
393 session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side 394 session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side
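Review bot: The stay-signed-in cookie written by the new `setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH)` line still carries neither the HttpOnly nor the Secure flag, so a token that `setup_login_state` treats as a full login (first hunk, `$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN`) stays readable from script and is sent over plain HTTP; since the commit already rewrites this call, it is the place to pass the remaining arguments, e.g. `setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH, '', !empty($_SERVER['HTTPS']), true);`. The `session_set_cookie_params(...)` call on the last line of the hunk has the same gap for the session cookie itself, although that line is unchanged by this commit. Deriving both the cookie lifetime and `$_SESSION['expires_on']` from the single `$expiration` value is an improvement over the two separate `time()` reads it replaces. Separately, `check_auth` in the third hunk compares `$hash == $conf->get('credentials.hash')` with loose equality, which is type-juggling-prone for hex digests and not constant-time; `hash_equals($conf->get('credentials.hash'), $hash)` would be the safer form. The enclosing `if (isset($_POST['login']))` block starts outside the hunk.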