-rw-r--r--index.php39
1 files changed, 32 insertions, 7 deletions
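--- a/index.php
+++ b/index.php
@@ -37,6 +37,14 @@ $cookie=session_get_cookie_params();
 $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/';
 session_set_cookie_params($cookie['lifetime'],$cookiedir); // Set default cookie expiration and path.
 
+// Set session parameters on server side.
+define('INACTIVITY_TIMEOUT',3600); // (in seconds). If the user does not access any page within this time, his/her session is considered expired.
+ini_set('session.use_cookies', 1); // Use cookies to store session.
+ini_set('session.use_only_cookies', 1); // Force cookies for session (phpsessionID forbidden in URL)
+ini_set('session.use_trans_sid', false); // Prevent php to use sessionID in URL if cookies are disabled.
+session_name('shaarli');
+if (session_id() == '') session_start(); // Start session if needed (Some server auto-start sessions).
+
 // PHP Settings
 ini_set('max_input_time','60'); // High execution time in case of problematic imports/exports.
 ini_set('memory_limit', '128M'); // Try to set max upload file size and read (May not work on some hosts).
@@ -89,7 +97,6 @@ if (empty($GLOBALS['title'])) $GLOBALS['title']='Shared links on '.htmlspecialch
 if (empty($GLOBALS['timezone'])) $GLOBALS['timezone']=date_default_timezone_get();
 if (empty($GLOBALS['disablesessionprotection'])) $GLOBALS['disablesessionprotection']=false;
 
-
 autoLocale(); // Sniff browser language and set date format accordingly.
 header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling.
 
@@ -265,12 +272,6 @@ function pubsubhub()
 
 // ------------------------------------------------------------------------------------------
 // Session management
-define('INACTIVITY_TIMEOUT',3600); // (in seconds). If the user does not access any page within this time, his/her session is considered expired.
-ini_set('session.use_cookies', 1); // Use cookies to store session.
-ini_set('session.use_only_cookies', 1); // Force cookies for session (phpsessionID forbidden in URL)
-ini_set('session.use_trans_sid', false); // Prevent php to use sessionID in URL if cookies are disabled.
-session_name('shaarli');
-session_start();
 
 // Returns the IP address of the client (Used to prevent session cookie hijacking.)
 function allIPs()
@@ -303,6 +304,8 @@ function check_auth($login,$password)
 function isLoggedIn()
 {
  if ($GLOBALS['config']['OPEN_SHAARLI']) return true;
+
+ if (!isset($GLOBALS['login'])) return false; // Shaarli is not configured yet.
 
  // If session does not exist on server side, or IP address has changed, or session has expired, logout.
  if (empty($_SESSION['uid']) || ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) || time()>=$_SESSION['expires_on'])
@@ -1971,6 +1974,28 @@ function install()
  // On free.fr host, make sure the /sessions directory exists, otherwise login will not work.
  if (endsWith($_SERVER['SERVER_NAME'],'.free.fr') && !is_dir($_SERVER['DOCUMENT_ROOT'].'/sessions')) mkdir($_SERVER['DOCUMENT_ROOT'].'/sessions',0705);
 
+
+ // This part makes sure sessions works correctly.
+ // (Because on some hosts, session.save_path may not be set correctly,
+ // or we may not have write access to it.)
+ if (isset($_GET['test_session']) && ( !isset($_SESSION) || !isset($_SESSION['session_tested']) || $_SESSION['session_tested']!='Working'))
+ { // Step 2: Check if data in session is correct.
+ echo '<pre>Sessions do not seem to work correctly on your server.<br>';
+ echo 'Make sure the variable session.save_path is set correctly in your php config, and that you have write access to it.<br>';
+ echo 'It currently points to '.session_save_path().'<br><br><a href="?">Click to try again.</a></pre>';
+ die;
+ }
+ if (!isset($_SESSION['session_tested']))
+ { // Step 1 : Try to store data in session and reload page.
+ $_SESSION['session_tested'] = 'Working'; // Try to set a variable in session.
+ header('Location: '.indexUrl().'?test_session'); // Redirect to check stored data.
+ }
+ if (isset($_GET['test_session']))
+ { // Step 3: Sessions are ok. Remove test parameter from URL.
+ header('Location: '.indexUrl());
+ }
+
+
  if (!empty($_POST['setlogin']) && !empty($_POST['setpassword']))
  {
  $tz = 'UTC';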
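Review bot: Neither redirect in the new session check ends the request: after `header('Location: '.indexUrl().'?test_session');` (step 1, new line 1991) and `header('Location: '.indexUrl());` (step 3, new line 1995) execution falls through into the rest of install(), so the install form is still processed and rendered behind a redirect header, and a POST of `setlogin`/`setpassword` arriving on that first request would still be handled. Put `exit;` directly after each of those two `header('Location: ...')` calls so the response stops at the redirect. The step-2 diagnostic on new line 1985 echoes `session_save_path()` to any unauthenticated visitor of the unconfigured instance; that is a filesystem-path disclosure, tolerable for first-run setup since the branch only runs inside install(), but worth noting in a comment such as `// Exposes the server-side save path; only reachable while Shaarli is unconfigured.`. install() begins before this hunk and continues past it.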