1 files changed, 59 insertions, 7 deletions
diff --git a/application/SessionManager.php b/application/SessionManager.php
index 7bfd2220..63eeb8aa 100644
--- a/application/SessionManager.php
+++ b/application/SessionManager.php
@@ -1,21 +1,23 @@
 <?php
 namespace Shaarli;
+use Shaarli\Config\ConfigManager;
 /**
 * Manages the server-side session
 */
 class SessionManager
 {
-    /** Session expiration timeout, in seconds */
+    /** @var int Session expiration timeout, in seconds */
    public static $INACTIVITY_TIMEOUT = 3600;
-    /** Name of the cookie set after logging in **/
+    /** @var string Name of the cookie set after logging in **/
    public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn';
-    /** Local reference to the global $_SESSION array */
+    /** @var array Local reference to the global $_SESSION array */
    protected $session = [];
-    /** ConfigManager instance **/
+    /** @var ConfigManager Configuration Manager instance **/
    protected $conf = null;
    /**
@@ -94,18 +96,31 @@ class SessionManager
    /**
     * Store user login information after a successful login
     *
-     * @param array $server The global $_SERVER array
+     * @param string $clientIpId Client IP address identifier
     */
-    public function storeLoginInfo($server)
+    public function storeLoginInfo($clientIpId)
    {
        // Generate unique random number (different than phpsessionid)
        $this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand());
-        $this->session['ip'] = client_ip_id($server);
+        $this->session['ip'] = $clientIpId;
        $this->session['username'] = $this->conf->get('credentials.login');
        $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
    }
    /**
+     * Extend session validity
+     */
+    public function extendSession()
+    {
+        if (! empty($this->session['longlastingsession'])) {
+            // "Stay signed in" is enabled
+            $this->session['expires_on'] = time() + $this->session['longlastingsession'];
+            return;
+        }
+        $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
+    }
+    /**
     * Logout a user by unsetting all login information
     *
     * See:
@@ -124,4 +139,41 @@ class SessionManager
        }
        setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath);
    }
+    /**
+     * Check whether the session has expired
+     *
+     * @param string $clientIpId Client IP address identifier
+     *
+     * @return bool true if the session has expired, false otherwise
+     */
+    public function hasSessionExpired()
+    {
+        if (empty($this->session['uid'])) {
+            return true;
+        }
+        if (time() >= $this->session['expires_on']) {
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Check whether the client IP address has changed
+     *
+     * @param string $clientIpId Client IP address identifier
+     *
+     * @return bool true if the IP has changed, false if it has not, or
+     *              if session protection has been disabled
+     */
+    public function hasClientIpChanged($clientIpId)
+    {
+        if ($this->conf->get('security.session_protection_disabled') === true) {
+            return false;
+        }
+        if ($this->session['ip'] == $clientIpId) {
+            return false;
+        }
+        return true;
+    }
 }

diff --git a/application/SessionManager.php b/application/SessionManager.php index 7bfd2220..63eeb8aa 100644 --- a/application/SessionManager.php +++ b/application/SessionManager.php
@@ -1,21 +1,23 @@
1	<?php	1	<?php
2	namespace Shaarli;	2	namespace Shaarli;
3		3
		4	use Shaarli\Config\ConfigManager;
		5
4	/**	6	/**
5	* Manages the server-side session	7	* Manages the server-side session
6	*/	8	*/
7	class SessionManager	9	class SessionManager
8	{	10	{
9	/** Session expiration timeout, in seconds */	11	/** @var int Session expiration timeout, in seconds */
10	public static $INACTIVITY_TIMEOUT = 3600;	12	public static $INACTIVITY_TIMEOUT = 3600;
11		13
12	/ Name of the cookie set after logging in /	14	/ @var string Name of the cookie set after logging in /
13	public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn';	15	public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn';
14		16
15	/** Local reference to the global $_SESSION array */	17	/** @var array Local reference to the global $_SESSION array */
16	protected $session = [];	18	protected $session = [];
17		19
18	/ ConfigManager instance /	20	/ @var ConfigManager Configuration Manager instance /
19	protected $conf = null;	21	protected $conf = null;
20		22
21	/**	23	/**
@@ -94,18 +96,31 @@ class SessionManager
94	/**	96	/**
95	* Store user login information after a successful login	97	* Store user login information after a successful login
96	*	98	*
97	* @param array $server The global $_SERVER array	99	* @param string $clientIpId Client IP address identifier
98	*/	100	*/
99	public function storeLoginInfo($server)	101	public function storeLoginInfo($clientIpId)
100	{	102	{
101	// Generate unique random number (different than phpsessionid)	103	// Generate unique random number (different than phpsessionid)
102	$this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand());	104	$this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand());
103	$this->session['ip'] = client_ip_id($server);	105	$this->session['ip'] = $clientIpId;
104	$this->session['username'] = $this->conf->get('credentials.login');	106	$this->session['username'] = $this->conf->get('credentials.login');
105	$this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;	107	$this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
106	}	108	}
107		109
108	/**	110	/**
		111	* Extend session validity
		112	*/
		113	public function extendSession()
		114	{
		115	if (! empty($this->session['longlastingsession'])) {
		116	// "Stay signed in" is enabled
		117	$this->session['expires_on'] = time() + $this->session['longlastingsession'];
		118	return;
		119	}
		120	$this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
		121	}
		122
		123	/**
109	* Logout a user by unsetting all login information	124	* Logout a user by unsetting all login information
110	*	125	*
111	* See:	126	* See:
@@ -124,4 +139,41 @@ class SessionManager
124	}	139	}
125	setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath);	140	setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath);
126	}	141	}
		142
		143	/**
		144	* Check whether the session has expired
		145	*
		146	* @param string $clientIpId Client IP address identifier
		147	*
		148	* @return bool true if the session has expired, false otherwise
		149	*/
		150	public function hasSessionExpired()
		151	{
		152	if (empty($this->session['uid'])) {
		153	return true;
		154	}
		155	if (time() >= $this->session['expires_on']) {
		156	return true;
		157	}
		158	return false;
		159	}
		160
		161	/**
		162	* Check whether the client IP address has changed
		163	*
		164	* @param string $clientIpId Client IP address identifier
		165	*
		166	* @return bool true if the IP has changed, false if it has not, or
		167	* if session protection has been disabled
		168	*/
		169	public function hasClientIpChanged($clientIpId)
		170	{
		171	if ($this->conf->get('security.session_protection_disabled') === true) {
		172	return false;
		173	}
		174	if ($this->session['ip'] == $clientIpId) {
		175	return false;
		176	}
		177	return true;
		178	}
127	}	179	}