2 files changed, 464 insertions, 0 deletions
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
new file mode 100644
index 00000000..d6784d6d
--- /dev/null
+++ b/application/security/LoginManager.php
@@ -0,0 +1,265 @@
+<?php
+namespace Shaarli\Security;
+use Shaarli\Config\ConfigManager;
+/**
+ * User login management
+ */
+class LoginManager
+{
+    /** @var string Name of the cookie set after logging in **/
+    public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn';
+    /** @var array A reference to the $_GLOBALS array */
+    protected $globals = [];
+    /** @var ConfigManager Configuration Manager instance **/
+    protected $configManager = null;
+    /** @var SessionManager Session Manager instance **/
+    protected $sessionManager = null;
+    /** @var string Path to the file containing IP bans */
+    protected $banFile = '';
+    /** @var bool Whether the user is logged in **/
+    protected $isLoggedIn = false;
+    /** @var bool Whether the Shaarli instance is open to public edition **/
+    protected $openShaarli = false;
+    /** @var string User sign-in token depending on remote IP and credentials */
+    protected $staySignedInToken = '';
+    /**
+     * Constructor
+     *
+     * @param array          $globals        The $GLOBALS array (reference)
+     * @param ConfigManager  $configManager  Configuration Manager instance
+     * @param SessionManager $sessionManager SessionManager instance
+     */
+    public function __construct(& $globals, $configManager, $sessionManager)
+    {
+        $this->globals = &$globals;
+        $this->configManager = $configManager;
+        $this->sessionManager = $sessionManager;
+        $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
+        $this->readBanFile();
+        if ($this->configManager->get('security.open_shaarli') === true) {
+            $this->openShaarli = true;
+        }
+    }
+    /**
+     * Generate a token depending on deployment salt, user password and client IP
+     *
+     * @param string $clientIpAddress The remote client IP address
+     */
+    public function generateStaySignedInToken($clientIpAddress)
+    {
+        $this->staySignedInToken = sha1(
+            $this->configManager->get('credentials.hash')
+            . $clientIpAddress
+            . $this->configManager->get('credentials.salt')
+        );
+    }
+    /**
+     * Return the user's client stay-signed-in token
+     *
+     * @return string User's client stay-signed-in token
+     */
+    public function getStaySignedInToken()
+    {
+        return $this->staySignedInToken;
+    }
+    /**
+     * Check user session state and validity (expiration)
+     *
+     * @param array  $cookie     The $_COOKIE array
+     * @param string $clientIpId Client IP address identifier
+     */
+    public function checkLoginState($cookie, $clientIpId)
+    {
+        if (! $this->configManager->exists('credentials.login')) {
+            // Shaarli is not configured yet
+            $this->isLoggedIn = false;
+            return;
+        }
+        if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE])
+            && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken
+        ) {
+            // The user client has a valid stay-signed-in cookie
+            // Session information is updated with the current client information
+            $this->sessionManager->storeLoginInfo($clientIpId);
+        } elseif ($this->sessionManager->hasSessionExpired()
+            || $this->sessionManager->hasClientIpChanged($clientIpId)
+        ) {
+            $this->sessionManager->logout();
+            $this->isLoggedIn = false;
+            return;
+        }
+        $this->isLoggedIn = true;
+        $this->sessionManager->extendSession();
+    }
+    /**
+     * Return whether the user is currently logged in
+     *
+     * @return true when the user is logged in, false otherwise
+     */
+    public function isLoggedIn()
+    {
+        if ($this->openShaarli) {
+            return true;
+        }
+        return $this->isLoggedIn;
+    }
+    /**
+     * Check user credentials are valid
+     *
+     * @param string $remoteIp   Remote client IP address
+     * @param string $clientIpId Client IP address identifier
+     * @param string $login      Username
+     * @param string $password   Password
+     *
+     * @return bool true if the provided credentials are valid, false otherwise
+     */
+    public function checkCredentials($remoteIp, $clientIpId, $login, $password)
+    {
+        $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+        if ($login != $this->configManager->get('credentials.login')
+            || $hash != $this->configManager->get('credentials.hash')
+        ) {
+            logm(
+                $this->configManager->get('resource.log'),
+                $remoteIp,
+                'Login failed for user ' . $login
+            );
+            return false;
+        }
+        $this->sessionManager->storeLoginInfo($clientIpId);
+        logm(
+            $this->configManager->get('resource.log'),
+            $remoteIp,
+            'Login successful'
+        );
+        return true;
+    }
+    /**
+     * Read a file containing banned IPs
+     */
+    protected function readBanFile()
+    {
+        if (! file_exists($this->banFile)) {
+            return;
+        }
+        include $this->banFile;
+    }
+    /**
+     * Write the banned IPs to a file
+     */
+    protected function writeBanFile()
+    {
+        if (! array_key_exists('IPBANS', $this->globals)) {
+            return;
+        }
+        file_put_contents(
+            $this->banFile,
+            "<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
+        );
+    }
+    /**
+     * Handle a failed login and ban the IP after too many failed attempts
+     *
+     * @param array $server The $_SERVER array
+     */
+    public function handleFailedLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        $trusted = $this->configManager->get('security.trusted_proxies', []);
+        if (in_array($ip, $trusted)) {
+            $ip = getIpAddressFromProxy($server, $trusted);
+            if (! $ip) {
+                // the IP is behind a trusted forward proxy, but is not forwarded
+                // in the HTTP headers, so we do nothing
+                return;
+            }
+        }
+        // increment the fail count for this IP
+        if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
+            $this->globals['IPBANS']['FAILURES'][$ip]++;
+        } else {
+            $this->globals['IPBANS']['FAILURES'][$ip] = 1;
+        }
+        if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
+            $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
+            logm(
+                $this->configManager->get('resource.log'),
+                $server['REMOTE_ADDR'],
+                'IP address banned from login'
+            );
+        }
+        $this->writeBanFile();
+    }
+    /**
+     * Handle a successful login
+     *
+     * @param array $server The $_SERVER array
+     */
+    public function handleSuccessfulLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        // FIXME unban when behind a trusted proxy?
+        unset($this->globals['IPBANS']['FAILURES'][$ip]);
+        unset($this->globals['IPBANS']['BANS'][$ip]);
+        $this->writeBanFile();
+    }
+    /**
+     * Check if the user can login from this IP
+     *
+     * @param array $server The $_SERVER array
+     *
+     * @return bool true if the user is allowed to login
+     */
+    public function canLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
+            // the user is not banned
+            return true;
+        }
+        if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
+            // the user is still banned
+            return false;
+        }
+        // the ban has expired, the user can attempt to log in again
+        logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
+        unset($this->globals['IPBANS']['FAILURES'][$ip]);
+        unset($this->globals['IPBANS']['BANS'][$ip]);
+        $this->writeBanFile();
+        return true;
+    }
+}
diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php
new file mode 100644
index 00000000..b8b8ab8d
--- /dev/null
+++ b/application/security/SessionManager.php
@@ -0,0 +1,199 @@
+<?php
+namespace Shaarli\Security;
+use Shaarli\Config\ConfigManager;
+/**
+ * Manages the server-side session
+ */
+class SessionManager
+{
+    /** @var int Session expiration timeout, in seconds */
+    public static $SHORT_TIMEOUT = 3600;    // 1 hour
+    /** @var int Session expiration timeout, in seconds */
+    public static $LONG_TIMEOUT = 31536000; // 1 year
+    /** @var array Local reference to the global $_SESSION array */
+    protected $session = [];
+    /** @var ConfigManager Configuration Manager instance **/
+    protected $conf = null;
+    /** @var bool Whether the user should stay signed in (LONG_TIMEOUT) */
+    protected $staySignedIn = false;
+    /**
+     * Constructor
+     *
+     * @param array         $session The $_SESSION array (reference)
+     * @param ConfigManager $conf    ConfigManager instance
+     */
+    public function __construct(& $session, $conf)
+    {
+        $this->session = &$session;
+        $this->conf = $conf;
+    }
+    /**
+     * Define whether the user should stay signed in across browser sessions
+     *
+     * @param bool $staySignedIn Keep the user signed in
+     */
+    public function setStaySignedIn($staySignedIn)
+    {
+        $this->staySignedIn = $staySignedIn;
+    }
+    /**
+     * Generates a session token
+     *
+     * @return string token
+     */
+    public function generateToken()
+    {
+        $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
+        $this->session['tokens'][$token] = 1;
+        return $token;
+    }
+    /**
+     * Checks the validity of a session token, and destroys it afterwards
+     *
+     * @param string $token The token to check
+     *
+     * @return bool true if the token is valid, else false
+     */
+    public function checkToken($token)
+    {
+        if (! isset($this->session['tokens'][$token])) {
+            // the token is wrong, or has already been used
+            return false;
+        }
+        // destroy the token to prevent future use
+        unset($this->session['tokens'][$token]);
+        return true;
+    }
+    /**
+     * Validate session ID to prevent Full Path Disclosure.
+     *
+     * See #298.
+     * The session ID's format depends on the hash algorithm set in PHP settings
+     *
+     * @param string $sessionId Session ID
+     *
+     * @return true if valid, false otherwise.
+     *
+     * @see http://php.net/manual/en/function.hash-algos.php
+     * @see http://php.net/manual/en/session.configuration.php
+     */
+    public static function checkId($sessionId)
+    {
+        if (empty($sessionId)) {
+            return false;
+        }
+        if (!$sessionId) {
+            return false;
+        }
+        if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
+            return false;
+        }
+        return true;
+    }
+    /**
+     * Store user login information after a successful login
+     *
+     * @param string $clientIpId Client IP address identifier
+     */
+    public function storeLoginInfo($clientIpId)
+    {
+        $this->session['ip'] = $clientIpId;
+        $this->session['username'] = $this->conf->get('credentials.login');
+        $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
+    }
+    /**
+     * Extend session validity
+     */
+    public function extendSession()
+    {
+        if ($this->staySignedIn) {
+            return $this->extendTimeValidityBy(self::$LONG_TIMEOUT);
+        }
+        return $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
+    }
+    /**
+     * Extend expiration time
+     *
+     * @param int $duration Expiration time extension (seconds)
+     *
+     * @return int New session expiration time
+     */
+    protected function extendTimeValidityBy($duration)
+    {
+        $expirationTime = time() + $duration;
+        $this->session['expires_on'] = $expirationTime;
+        return $expirationTime;
+    }
+    /**
+     * Logout a user by unsetting all login information
+     *
+     * See:
+     * - https://secure.php.net/manual/en/function.setcookie.php
+     */
+    public function logout()
+    {
+        if (isset($this->session)) {
+            unset($this->session['ip']);
+            unset($this->session['expires_on']);
+            unset($this->session['username']);
+            unset($this->session['visibility']);
+            unset($this->session['untaggedonly']);
+        }
+    }
+    /**
+     * Check whether the session has expired
+     *
+     * @param string $clientIpId Client IP address identifier
+     *
+     * @return bool true if the session has expired, false otherwise
+     */
+    public function hasSessionExpired()
+    {
+        if (empty($this->session['expires_on'])) {
+            return true;
+        }
+        if (time() >= $this->session['expires_on']) {
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Check whether the client IP address has changed
+     *
+     * @param string $clientIpId Client IP address identifier
+     *
+     * @return bool true if the IP has changed, false if it has not, or
+     *              if session protection has been disabled
+     */
+    public function hasClientIpChanged($clientIpId)
+    {
+        if ($this->conf->get('security.session_protection_disabled') === true) {
+            return false;
+        }
+        if (isset($this->session['ip']) && $this->session['ip'] === $clientIpId) {
+            return false;
+        }
+        return true;
+    }
+}

diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php new file mode 100644 index 00000000..d6784d6d --- /dev/null +++ b/application/security/LoginManager.php
@@ -0,0 +1,265 @@
	1	<?php
	2	namespace Shaarli\Security;
	3
	4	use Shaarli\Config\ConfigManager;
	5
	6	/**
	7	* User login management
	8	*/
	9	class LoginManager
	10	{
	11	/ @var string Name of the cookie set after logging in /
	12	public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn';
	13
	14	/** @var array A reference to the $_GLOBALS array */
	15	protected $globals = [];
	16
	17	/ @var ConfigManager Configuration Manager instance /
	18	protected $configManager = null;
	19
	20	/ @var SessionManager Session Manager instance /
	21	protected $sessionManager = null;
	22
	23	/** @var string Path to the file containing IP bans */
	24	protected $banFile = '';
	25
	26	/ @var bool Whether the user is logged in /
	27	protected $isLoggedIn = false;
	28
	29	/ @var bool Whether the Shaarli instance is open to public edition /
	30	protected $openShaarli = false;
	31
	32	/** @var string User sign-in token depending on remote IP and credentials */
	33	protected $staySignedInToken = '';
	34
	35	/**
	36	* Constructor
	37	*
	38	* @param array $globals The $GLOBALS array (reference)
	39	* @param ConfigManager $configManager Configuration Manager instance
	40	* @param SessionManager $sessionManager SessionManager instance
	41	*/
	42	public function __construct(& $globals, $configManager, $sessionManager)
	43	{
	44	$this->globals = &$globals;
	45	$this->configManager = $configManager;
	46	$this->sessionManager = $sessionManager;
	47	$this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
	48	$this->readBanFile();
	49	if ($this->configManager->get('security.open_shaarli') === true) {
	50	$this->openShaarli = true;
	51	}
	52	}
	53
	54	/**
	55	* Generate a token depending on deployment salt, user password and client IP
	56	*
	57	* @param string $clientIpAddress The remote client IP address
	58	*/
	59	public function generateStaySignedInToken($clientIpAddress)
	60	{
	61	$this->staySignedInToken = sha1(
	62	$this->configManager->get('credentials.hash')
	63	. $clientIpAddress
	64	. $this->configManager->get('credentials.salt')
	65	);
	66	}
	67
	68	/**
	69	* Return the user's client stay-signed-in token
	70	*
	71	* @return string User's client stay-signed-in token
	72	*/
	73	public function getStaySignedInToken()
	74	{
	75	return $this->staySignedInToken;
	76	}
	77
	78	/**
	79	* Check user session state and validity (expiration)
	80	*
	81	* @param array $cookie The $_COOKIE array
	82	* @param string $clientIpId Client IP address identifier
	83	*/
	84	public function checkLoginState($cookie, $clientIpId)
	85	{
	86	if (! $this->configManager->exists('credentials.login')) {
	87	// Shaarli is not configured yet
	88	$this->isLoggedIn = false;
	89	return;
	90	}
	91
	92	if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE])
	93	&& $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken
	94	) {
	95	// The user client has a valid stay-signed-in cookie
	96	// Session information is updated with the current client information
	97	$this->sessionManager->storeLoginInfo($clientIpId);
	98
	99	} elseif ($this->sessionManager->hasSessionExpired()
	100	\|\| $this->sessionManager->hasClientIpChanged($clientIpId)
	101	) {
	102	$this->sessionManager->logout();
	103	$this->isLoggedIn = false;
	104	return;
	105	}
	106
	107	$this->isLoggedIn = true;
	108	$this->sessionManager->extendSession();
	109	}
	110
	111	/**
	112	* Return whether the user is currently logged in
	113	*
	114	* @return true when the user is logged in, false otherwise
	115	*/
	116	public function isLoggedIn()
	117	{
	118	if ($this->openShaarli) {
	119	return true;
	120	}
	121	return $this->isLoggedIn;
	122	}
	123
	124	/**
	125	* Check user credentials are valid
	126	*
	127	* @param string $remoteIp Remote client IP address
	128	* @param string $clientIpId Client IP address identifier
	129	* @param string $login Username
	130	* @param string $password Password
	131	*
	132	* @return bool true if the provided credentials are valid, false otherwise
	133	*/
	134	public function checkCredentials($remoteIp, $clientIpId, $login, $password)
	135	{
	136	$hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
	137
	138	if ($login != $this->configManager->get('credentials.login')
	139	\|\| $hash != $this->configManager->get('credentials.hash')
	140	) {
	141	logm(
	142	$this->configManager->get('resource.log'),
	143	$remoteIp,
	144	'Login failed for user ' . $login
	145	);
	146	return false;
	147	}
	148
	149	$this->sessionManager->storeLoginInfo($clientIpId);
	150	logm(
	151	$this->configManager->get('resource.log'),
	152	$remoteIp,
	153	'Login successful'
	154	);
	155	return true;
	156	}
	157
	158	/**
	159	* Read a file containing banned IPs
	160	*/
	161	protected function readBanFile()
	162	{
	163	if (! file_exists($this->banFile)) {
	164	return;
	165	}
	166	include $this->banFile;
	167	}
	168
	169	/**
	170	* Write the banned IPs to a file
	171	*/
	172	protected function writeBanFile()
	173	{
	174	if (! array_key_exists('IPBANS', $this->globals)) {
	175	return;
	176	}
	177	file_put_contents(
	178	$this->banFile,
	179	"<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
	180	);
	181	}
	182
	183	/**
	184	* Handle a failed login and ban the IP after too many failed attempts
	185	*
	186	* @param array $server The $_SERVER array
	187	*/
	188	public function handleFailedLogin($server)
	189	{
	190	$ip = $server['REMOTE_ADDR'];
	191	$trusted = $this->configManager->get('security.trusted_proxies', []);
	192
	193	if (in_array($ip, $trusted)) {
	194	$ip = getIpAddressFromProxy($server, $trusted);
	195	if (! $ip) {
	196	// the IP is behind a trusted forward proxy, but is not forwarded
	197	// in the HTTP headers, so we do nothing
	198	return;
	199	}
	200	}
	201
	202	// increment the fail count for this IP
	203	if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
	204	$this->globals['IPBANS']['FAILURES'][$ip]++;
	205	} else {
	206	$this->globals['IPBANS']['FAILURES'][$ip] = 1;
	207	}
	208
	209	if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
	210	$this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
	211	logm(
	212	$this->configManager->get('resource.log'),
	213	$server['REMOTE_ADDR'],
	214	'IP address banned from login'
	215	);
	216	}
	217	$this->writeBanFile();
	218	}
	219
	220	/**
	221	* Handle a successful login
	222	*
	223	* @param array $server The $_SERVER array
	224	*/
	225	public function handleSuccessfulLogin($server)
	226	{
	227	$ip = $server['REMOTE_ADDR'];
	228	// FIXME unban when behind a trusted proxy?
	229
	230	unset($this->globals['IPBANS']['FAILURES'][$ip]);
	231	unset($this->globals['IPBANS']['BANS'][$ip]);
	232
	233	$this->writeBanFile();
	234	}
	235
	236	/**
	237	* Check if the user can login from this IP
	238	*
	239	* @param array $server The $_SERVER array
	240	*
	241	* @return bool true if the user is allowed to login
	242	*/
	243	public function canLogin($server)
	244	{
	245	$ip = $server['REMOTE_ADDR'];
	246
	247	if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
	248	// the user is not banned
	249	return true;
	250	}
	251
	252	if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
	253	// the user is still banned
	254	return false;
	255	}
	256
	257	// the ban has expired, the user can attempt to log in again
	258	logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
	259	unset($this->globals['IPBANS']['FAILURES'][$ip]);
	260	unset($this->globals['IPBANS']['BANS'][$ip]);
	261
	262	$this->writeBanFile();
	263	return true;
	264	}
	265	}


diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php new file mode 100644 index 00000000..b8b8ab8d --- /dev/null +++ b/application/security/SessionManager.php
@@ -0,0 +1,199 @@
	1	<?php
	2	namespace Shaarli\Security;
	3
	4	use Shaarli\Config\ConfigManager;
	5
	6	/**
	7	* Manages the server-side session
	8	*/
	9	class SessionManager
	10	{
	11	/** @var int Session expiration timeout, in seconds */
	12	public static $SHORT_TIMEOUT = 3600; // 1 hour
	13
	14	/** @var int Session expiration timeout, in seconds */
	15	public static $LONG_TIMEOUT = 31536000; // 1 year
	16
	17	/** @var array Local reference to the global $_SESSION array */
	18	protected $session = [];
	19
	20	/ @var ConfigManager Configuration Manager instance /
	21	protected $conf = null;
	22
	23	/** @var bool Whether the user should stay signed in (LONG_TIMEOUT) */
	24	protected $staySignedIn = false;
	25
	26	/**
	27	* Constructor
	28	*
	29	* @param array $session The $_SESSION array (reference)
	30	* @param ConfigManager $conf ConfigManager instance
	31	*/
	32	public function __construct(& $session, $conf)
	33	{
	34	$this->session = &$session;
	35	$this->conf = $conf;
	36	}
	37
	38	/**
	39	* Define whether the user should stay signed in across browser sessions
	40	*
	41	* @param bool $staySignedIn Keep the user signed in
	42	*/
	43	public function setStaySignedIn($staySignedIn)
	44	{
	45	$this->staySignedIn = $staySignedIn;
	46	}
	47
	48	/**
	49	* Generates a session token
	50	*
	51	* @return string token
	52	*/
	53	public function generateToken()
	54	{
	55	$token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
	56	$this->session['tokens'][$token] = 1;
	57	return $token;
	58	}
	59
	60	/**
	61	* Checks the validity of a session token, and destroys it afterwards
	62	*
	63	* @param string $token The token to check
	64	*
	65	* @return bool true if the token is valid, else false
	66	*/
	67	public function checkToken($token)
	68	{
	69	if (! isset($this->session['tokens'][$token])) {
	70	// the token is wrong, or has already been used
	71	return false;
	72	}
	73
	74	// destroy the token to prevent future use
	75	unset($this->session['tokens'][$token]);
	76	return true;
	77	}
	78
	79	/**
	80	* Validate session ID to prevent Full Path Disclosure.
	81	*
	82	* See #298.
	83	* The session ID's format depends on the hash algorithm set in PHP settings
	84	*
	85	* @param string $sessionId Session ID
	86	*
	87	* @return true if valid, false otherwise.
	88	*
	89	* @see http://php.net/manual/en/function.hash-algos.php
	90	* @see http://php.net/manual/en/session.configuration.php
	91	*/
	92	public static function checkId($sessionId)
	93	{
	94	if (empty($sessionId)) {
	95	return false;
	96	}
	97
	98	if (!$sessionId) {
	99	return false;
	100	}
	101
	102	if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
	103	return false;
	104	}
	105
	106	return true;
	107	}
	108
	109	/**
	110	* Store user login information after a successful login
	111	*
	112	* @param string $clientIpId Client IP address identifier
	113	*/
	114	public function storeLoginInfo($clientIpId)
	115	{
	116	$this->session['ip'] = $clientIpId;
	117	$this->session['username'] = $this->conf->get('credentials.login');
	118	$this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
	119	}
	120
	121	/**
	122	* Extend session validity
	123	*/
	124	public function extendSession()
	125	{
	126	if ($this->staySignedIn) {
	127	return $this->extendTimeValidityBy(self::$LONG_TIMEOUT);
	128	}
	129	return $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
	130	}
	131
	132	/**
	133	* Extend expiration time
	134	*
	135	* @param int $duration Expiration time extension (seconds)
	136	*
	137	* @return int New session expiration time
	138	*/
	139	protected function extendTimeValidityBy($duration)
	140	{
	141	$expirationTime = time() + $duration;
	142	$this->session['expires_on'] = $expirationTime;
	143	return $expirationTime;
	144	}
	145
	146	/**
	147	* Logout a user by unsetting all login information
	148	*
	149	* See:
	150	* - https://secure.php.net/manual/en/function.setcookie.php
	151	*/
	152	public function logout()
	153	{
	154	if (isset($this->session)) {
	155	unset($this->session['ip']);
	156	unset($this->session['expires_on']);
	157	unset($this->session['username']);
	158	unset($this->session['visibility']);
	159	unset($this->session['untaggedonly']);
	160	}
	161	}
	162
	163	/**
	164	* Check whether the session has expired
	165	*
	166	* @param string $clientIpId Client IP address identifier
	167	*
	168	* @return bool true if the session has expired, false otherwise
	169	*/
	170	public function hasSessionExpired()
	171	{
	172	if (empty($this->session['expires_on'])) {
	173	return true;
	174	}
	175	if (time() >= $this->session['expires_on']) {
	176	return true;
	177	}
	178	return false;
	179	}
	180
	181	/**
	182	* Check whether the client IP address has changed
	183	*
	184	* @param string $clientIpId Client IP address identifier
	185	*
	186	* @return bool true if the IP has changed, false if it has not, or
	187	* if session protection has been disabled
	188	*/
	189	public function hasClientIpChanged($clientIpId)
	190	{
	191	if ($this->conf->get('security.session_protection_disabled') === true) {
	192	return false;
	193	}
	194	if (isset($this->session['ip']) && $this->session['ip'] === $clientIpId) {
	195	return false;
	196	}
	197	return true;
	198	}
	199	}