-rw-r--r--index.php26
1 files changed, 21 insertions, 5 deletions
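--- a/index.php
+++ b/index.php
@@ -37,6 +37,8 @@ if (is_file($GLOBALS['config']['DATADIR'].'/options.php')) require($GLOBALS['con
 define('shaarli_version','0.0.41 beta');
 define('PHPPREFIX','<?php /* '); // Prefix to encapsulate data in php code.
 define('PHPSUFFIX',' */ ?>'); // Suffix to encapsulate data in php code.
+// http://server.com/x/shaarli --> /shaarli/
+define('WEB_PATH', substr($_SERVER["REQUEST_URI"], 0, 1+strrpos($_SERVER["REQUEST_URI"], '/', 0)));
 
 // Force cookie path (but do not change lifetime)
 $cookie=session_get_cookie_params();
@@ -110,6 +112,8 @@ if (!is_file($GLOBALS['config']['CONFIG_FILE'])) install();
 
 require $GLOBALS['config']['CONFIG_FILE']; // Read login/password hash into $GLOBALS.
 
+// a token depending of deployment salt, user password, and the current ip
+define('STAY_SIGNED_IN_TOKEN', sha1($GLOBALS['hash'].$_SERVER["REMOTE_ADDR"].$GLOBALS['salt']));
 
 autoLocale(); // Sniff browser language and set date format accordingly.
 header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling.
@@ -294,16 +298,20 @@ function allIPs()
     return $ip;
 }
 
+function fillSessionInfo() {
+    $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // generate unique random number (different than phpsessionid)
+    $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked.
+    $_SESSION['username']=$GLOBALS['login'];
+    $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.
+}
+
 // Check that user/password is correct.
 function check_auth($login,$password)
 {
     $hash = sha1($password.$login.$GLOBALS['salt']);
     if ($login==$GLOBALS['login'] && $hash==$GLOBALS['hash'])
     { // Login/password is correct.
-        $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // generate unique random number (different than phpsessionid)
-        $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked.
-        $_SESSION['username']=$login;
-        $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.
+        fillSessionInfo();
         logm('Login successful');
         return True;
     }
@@ -318,6 +326,11 @@ function isLoggedIn()
 
     if (!isset($GLOBALS['login'])) return false; // Shaarli is not configured yet.
 
+    if (@$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN)
+    {
+        fillSessionInfo();
+        return true;
+    }
     // If session does not exist on server side, or IP address has changed, or session has expired, logout.
     if (empty($_SESSION['uid']) || ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) || time()>=$_SESSION['expires_on'])
     {
@@ -331,7 +344,9 @@ function isLoggedIn()
 }
 
 // Force logout.
-function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); } }
+function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); }
+setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH);
+}
 
 
 // ------------------------------------------------------------------------------------------
@@ -393,6 +408,7 @@ if (isset($_POST['login']))
     // If user wants to keep the session cookie even after the browser closes:
     if (!empty($_POST['longlastingsession']))
     {
+        setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH);
         $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year)
         $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side.
 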
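Review bot: The stay-signed-in cookie written on new line 411 carries no httponly flag, so an XSS anywhere on this origin can read a credential that stays valid for a year; `setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH, '', false, true);` keeps it out of document.cookie (the secure flag should follow once the install is known to be served over HTTPS, which this hunk cannot tell). Because STAY_SIGNED_IN_TOKEN is a pure function of the stored hash, REMOTE_ADDR and the salt, the `setcookie(..., FALSE, 0, WEB_PATH)` added to logout() only clears the browser's copy — a captured value keeps authenticating from the same address until the password or salt changes, which deserves a comment next to the define, e.g. `// NOTE: token is static per (password hash, salt, IP); logout cannot revoke a leaked copy`. The comparison on new line 329 uses `===`; `hash_equals($_COOKIE['shaarli_staySignedIn'], STAY_SIGNED_IN_TOKEN)` would avoid a timing side channel if the minimum supported PHP version permits it. The enclosing `if (isset($_POST['login']))` block continues past the end of this hunk.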