33 files changed, 1242 insertions, 228 deletions

diff --git a/application/ApplicationUtils.php b/application/ApplicationUtils.php
index 911873a0..a3b2dcb1 100644
--- a/application/ApplicationUtils.php
+++ b/application/ApplicationUtils.php
@@ -24,7 +24,7 @@ class ApplicationUtils
      *
      * @return mixed the version code from the repository if available, else 'false'
      */
-    public static function getLatestGitVersionCode($url, $timeout=2)
+    public static function getLatestGitVersionCode($url, $timeout = 2)
     {
         list($headers, $data) = get_http_response($url, $timeout);
 
@@ -86,13 +86,14 @@ class ApplicationUtils
      *
      * @return mixed the new version code if available and greater, else 'false'
      */
-    public static function checkUpdate($currentVersion,
-                                       $updateFile,
-                                       $checkInterval,
-                                       $enableCheck,
-                                       $isLoggedIn,
-                                       $branch='stable')
-    {
+    public static function checkUpdate(
+        $currentVersion,
+        $updateFile,
+        $checkInterval,
+        $enableCheck,
+        $isLoggedIn,
+        $branch = 'stable'
+    ) {
         // Do not check versions for visitors
         // Do not check if the user doesn't want to
         // Do not check with dev version
diff --git a/application/Base64Url.php b/application/Base64Url.php
index 61590e43..54d0fcd5 100644
--- a/application/Base64Url.php
+++ b/application/Base64Url.php
@@ -2,7 +2,6 @@
 
 namespace Shaarli;
 
-
 /**
  * URL-safe Base64 operations
  *
@@ -17,7 +16,8 @@ class Base64Url
      *
      * @return string Base64Url-encoded data
      */
-    public static function encode($data) {
+    public static function encode($data)
+    {
         return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
     }
 
@@ -28,7 +28,8 @@ class Base64Url
      *
      * @return string Decoded data
      */
-    public static function decode($data) {
+    public static function decode($data)
+    {
         return base64_decode(str_pad(strtr($data, '-_', '+/'), strlen($data) % 4, '=', STR_PAD_RIGHT));
     }
 }
diff --git a/application/FeedBuilder.php b/application/FeedBuilder.php
index ebae18b4..73fafcbe 100644
--- a/application/FeedBuilder.php
+++ b/application/FeedBuilder.php
@@ -163,7 +163,8 @@ class FeedBuilder
             $upDate = $link['updated'];
             $link['up_iso_date'] = $this->getIsoDate($upDate, DateTime::ATOM);
         } else {
-            $link['up_iso_date'] = $this->getIsoDate($pubDate, DateTime::ATOM);;
+            $link['up_iso_date'] = $this->getIsoDate($pubDate, DateTime::ATOM);
+            ;
         }
 
         // Save the more recent item.
@@ -261,7 +262,6 @@ class FeedBuilder
         }
         if ($this->feedType == self::$FEED_RSS) {
             return $date->format(DateTime::RSS);
-
         }
         return $date->format(DateTime::ATOM);
     }
diff --git a/application/FileUtils.php b/application/FileUtils.php
index 918cb83b..b89ea12b 100644
--- a/application/FileUtils.php
+++ b/application/FileUtils.php
@@ -37,7 +37,7 @@ class FileUtils
         if (is_file($file) && !is_writeable($file)) {
             // The datastore exists but is not writeable
             throw new IOException($file);
-        } else if (!is_file($file) && !is_writeable(dirname($file))) {
+        } elseif (!is_file($file) && !is_writeable(dirname($file))) {
             // The datastore does not exist and its parent directory is not writeable
             throw new IOException(dirname($file));
         }
diff --git a/application/HttpUtils.php b/application/HttpUtils.php
index 83a4c5e2..9c438160 100644
--- a/application/HttpUtils.php
+++ b/application/HttpUtils.php
@@ -1,13 +1,14 @@
 <?php
 /**
  * GET an HTTP URL to retrieve its content
- * Uses the cURL library or a fallback method 
+ * Uses the cURL library or a fallback method
  *
  * @param string          $url               URL to get (http://...)
  * @param int             $timeout           network timeout (in seconds)
  * @param int             $maxBytes          maximum downloaded bytes (default: 4 MiB)
  * @param callable|string $curlWriteFunction Optional callback called during the download (cURL CURLOPT_WRITEFUNCTION).
- *                                           Can be used to add download conditions on the headers (response code, content type, etc.).
+ *                                           Can be used to add download conditions on the
+ *                                           headers (response code, content type, etc.).
  *
  * @return array HTTP response headers, downloaded content
  *
@@ -64,29 +65,30 @@ function get_http_response($url, $timeout = 30, $maxBytes = 4194304, $curlWriteF
     }
 
     // General cURL settings
-    curl_setopt($ch, CURLOPT_AUTOREFERER,       true);
-    curl_setopt($ch, CURLOPT_FOLLOWLOCATION,    true);
-    curl_setopt($ch, CURLOPT_HEADER,            true);
+    curl_setopt($ch, CURLOPT_AUTOREFERER, true);
+    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
+    curl_setopt($ch, CURLOPT_HEADER, true);
     curl_setopt(
         $ch,
         CURLOPT_HTTPHEADER,
         array('Accept-Language: ' . $acceptLanguage)
     );
-    curl_setopt($ch, CURLOPT_MAXREDIRS,         $maxRedirs);
-    curl_setopt($ch, CURLOPT_RETURNTRANSFER,    true);
-    curl_setopt($ch, CURLOPT_TIMEOUT,           $timeout);
-    curl_setopt($ch, CURLOPT_USERAGENT,         $userAgent);
+    curl_setopt($ch, CURLOPT_MAXREDIRS, $maxRedirs);
+    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
+    curl_setopt($ch, CURLOPT_USERAGENT, $userAgent);
 
     if (is_callable($curlWriteFunction)) {
         curl_setopt($ch, CURLOPT_WRITEFUNCTION, $curlWriteFunction);
     }
 
     // Max download size management
-    curl_setopt($ch, CURLOPT_BUFFERSIZE,        1024*16);
-    curl_setopt($ch, CURLOPT_NOPROGRESS,        false);
-    curl_setopt($ch, CURLOPT_PROGRESSFUNCTION,
-        function($arg0, $arg1, $arg2, $arg3, $arg4 = 0) use ($maxBytes)
-        {
+    curl_setopt($ch, CURLOPT_BUFFERSIZE, 1024*16);
+    curl_setopt($ch, CURLOPT_NOPROGRESS, false);
+    curl_setopt(
+        $ch,
+        CURLOPT_PROGRESSFUNCTION,
+        function ($arg0, $arg1, $arg2, $arg3, $arg4 = 0) use ($maxBytes) {
             if (version_compare(phpversion(), '5.5', '<')) {
                 // PHP version lower than 5.5
                 // Callback has 4 arguments
@@ -232,7 +234,6 @@ function get_redirected_headers($url, $redirectionLimit = 3)
         && !empty($headers)
         && (strpos($headers[0], '301') !== false || strpos($headers[0], '302') !== false)
         && !empty($headers['Location'])) {
-
         $redirection = is_array($headers['Location']) ? end($headers['Location']) : $headers['Location'];
         if ($redirection != $url) {
             $redirection = getAbsoluteUrl($url, $redirection);
@@ -415,6 +416,37 @@ function getIpAddressFromProxy($server, $trustedIps)
     return array_pop($ips);
 }
 
+
+/**
+ * Return an identifier based on the advertised client IP address(es)
+ *
+ * This aims at preventing session hijacking from users behind the same proxy
+ * by relying on HTTP headers.
+ *
+ * See:
+ * - https://secure.php.net/manual/en/reserved.variables.server.php
+ * - https://stackoverflow.com/questions/3003145/how-to-get-the-client-ip-address-in-php
+ * - https://stackoverflow.com/questions/12233406/preventing-session-hijacking
+ * - https://stackoverflow.com/questions/21354859/trusting-x-forwarded-for-to-identify-a-visitor
+ *
+ * @param array $server The $_SERVER array
+ *
+ * @return string An identifier based on client IP address information
+ */
+function client_ip_id($server)
+{
+    $ip = $server['REMOTE_ADDR'];
+
+    if (isset($server['HTTP_X_FORWARDED_FOR'])) {
+        $ip = $ip . '_' . $server['HTTP_X_FORWARDED_FOR'];
+    }
+    if (isset($server['HTTP_CLIENT_IP'])) {
+        $ip = $ip . '_' . $server['HTTP_CLIENT_IP'];
+    }
+    return $ip;
+}
+
+
 /**
  * Returns true if Shaarli's currently browsed in HTTPS.
  * Supports reverse proxies (if the headers are correctly set).
diff --git a/application/Languages.php b/application/Languages.php
index 3eb3388f..b9c5d0e8 100644
--- a/application/Languages.php
+++ b/application/Languages.php
@@ -92,12 +92,18 @@ class Languages
     /**
      * Initialize the translator using php gettext extension (gettext dependency act as a wrapper).
      */
-    protected function initGettextTranslator ()
+    protected function initGettextTranslator()
     {
         $this->translator = new GettextTranslator();
         $this->translator->setLanguage($this->language);
         $this->translator->loadDomain(self::DEFAULT_DOMAIN, 'inc/languages');
 
+        // Default extension translation from the current theme
+        $themeTransFolder = rtrim($this->conf->get('raintpl_tpl'), '/') .'/'. $this->conf->get('theme') .'/language';
+        if (is_dir($themeTransFolder)) {
+            $this->translator->loadDomain($this->conf->get('theme'), $themeTransFolder, false);
+        }
+
         foreach ($this->conf->get('translation.extensions', []) as $domain => $translationPath) {
             if ($domain !== self::DEFAULT_DOMAIN) {
                 $this->translator->loadDomain($domain, $translationPath, false);
@@ -116,12 +122,25 @@ class Languages
         $translations = new Translations();
         // Core translations
         try {
-            /** @var Translations $translations */
             $translations = $translations->addFromPoFile('inc/languages/'. $this->language .'/LC_MESSAGES/shaarli.po');
             $translations->setDomain('shaarli');
             $this->translator->loadTranslations($translations);
-        } catch (\InvalidArgumentException $e) {}
+        } catch (\InvalidArgumentException $e) {
+        }
 
+        // Default extension translation from the current theme
+        $theme = $this->conf->get('theme');
+        $themeTransFolder = rtrim($this->conf->get('raintpl_tpl'), '/') .'/'. $theme .'/language';
+        if (is_dir($themeTransFolder)) {
+            try {
+                $translations = Translations::fromPoFile(
+                    $themeTransFolder .'/'. $this->language .'/LC_MESSAGES/'. $theme .'.po'
+                );
+                $translations->setDomain($theme);
+                $this->translator->loadTranslations($translations);
+            } catch (\InvalidArgumentException $e) {
+            }
+        }
 
         // Extension translations (plugins, themes, etc.).
         foreach ($this->conf->get('translation.extensions', []) as $domain => $translationPath) {
@@ -130,11 +149,13 @@ class Languages
             }
 
             try {
-                /** @var Translations $extension */
-                $extension = Translations::fromPoFile($translationPath . $this->language .'/LC_MESSAGES/'. $domain .'.po');
+                $extension = Translations::fromPoFile(
+                    $translationPath . $this->language .'/LC_MESSAGES/'. $domain .'.po'
+                );
                 $extension->setDomain($domain);
                 $this->translator->loadTranslations($extension);
-            } catch (\InvalidArgumentException $e) {}
+            } catch (\InvalidArgumentException $e) {
+            }
         }
     }
 
@@ -161,6 +182,7 @@ class Languages
             'auto' => t('Automatic'),
             'en' => t('English'),
             'fr' => t('French'),
+            'de' => t('German'),
         ];
     }
 }
diff --git a/application/LinkDB.php b/application/LinkDB.php
index c1661d52..803757ca 100644
--- a/application/LinkDB.php
+++ b/application/LinkDB.php
@@ -107,8 +107,7 @@ class LinkDB implements Iterator, Countable, ArrayAccess
         $hidePublicLinks,
         $redirector = '',
         $redirectorEncode = true
-    )
-    {
+    ) {
         $this->datastore = $datastore;
         $this->loggedIn = $isLoggedIn;
         $this->hidePublicLinks = $hidePublicLinks;
@@ -250,14 +249,18 @@ class LinkDB implements Iterator, Countable, ArrayAccess
             'id' => 1,
             'title'=> t('The personal, minimalist, super-fast, database free, bookmarking service'),
             'url'=>'https://shaarli.readthedocs.io',
-            'description'=>t('Welcome to Shaarli! This is your first public bookmark. To edit or delete me, you must first login.
+            'description'=>t(
+                'Welcome to Shaarli! This is your first public bookmark. '
+                .'To edit or delete me, you must first login.
 
 To learn how to use Shaarli, consult the link "Documentation" at the bottom of this page.
 
-You use the community supported version of the original Shaarli project, by Sebastien Sauvage.'),
+You use the community supported version of the original Shaarli project, by Sebastien Sauvage.'
+            ),
             'private'=>0,
             'created'=> new DateTime(),
-            'tags'=>'opensource software'
+            'tags'=>'opensource software',
+            'sticky' => false,
         );
         $link['shorturl'] = link_small_hash($link['created'], $link['id']);
         $this->links[1] = $link;
@@ -270,6 +273,7 @@ You use the community supported version of the original Shaarli project, by Seba
             'private'=>1,
             'created'=> new DateTime('1 minute ago'),
             'tags'=>'secretstuff',
+            'sticky' => false,
         );
         $link['shorturl'] = link_small_hash($link['created'], $link['id']);
         $this->links[0] = $link;
@@ -317,11 +321,12 @@ You use the community supported version of the original Shaarli project, by Seba
                 } else {
                     $link['real_url'] .= $link['url'];
                 }
-            }
-            else {
+            } else {
                 $link['real_url'] = $link['url'];
             }
 
+            $link['sticky'] = isset($link['sticky']) ? $link['sticky'] : false;
+
             // To be able to load links before running the update, and prepare the update
             if (! isset($link['created'])) {
                 $link['id'] = $link['linkdate'];
@@ -403,7 +408,8 @@ You use the community supported version of the original Shaarli project, by Seba
      *
      * @return array list of shaare found.
      */
-    public function filterDay($request) {
+    public function filterDay($request)
+    {
         $linkFilter = new LinkFilter($this->links);
         return $linkFilter->filter(LinkFilter::$FILTER_DAY, $request);
     }
@@ -420,8 +426,12 @@ You use the community supported version of the original Shaarli project, by Seba
      *
      * @return array filtered links, all links if no suitable filter was provided.
      */
-    public function filterSearch($filterRequest = array(), $casesensitive = false, $visibility = 'all', $untaggedonly = false)
-    {
+    public function filterSearch(
+        $filterRequest = array(),
+        $casesensitive = false,
+        $visibility = 'all',
+        $untaggedonly = false
+    ) {
         // Filter link database according to parameters.
         $searchtags = isset($filterRequest['searchtags']) ? escape($filterRequest['searchtags']) : '';
         $searchterm = isset($filterRequest['searchterm']) ? escape($filterRequest['searchterm']) : '';
@@ -436,15 +446,17 @@ You use the community supported version of the original Shaarli project, by Seba
 
     /**
      * Returns the list tags appearing in the links with the given tags
-     * @param $filteringTags: tags selecting the links to consider
-     * @param $visibility: process only all/private/public links
-     * @return: a tag=>linksCount array
+     *
+     * @param array $filteringTags tags selecting the links to consider
+     * @param string $visibility   process only all/private/public links
+     *
+     * @return array tag => linksCount
      */
     public function linksCountPerTag($filteringTags = [], $visibility = 'all')
     {
-        $links = empty($filteringTags) ? $this->links : $this->filterSearch(['searchtags' => $filteringTags], false, $visibility);
-        $tags = array();
-        $caseMapping = array();
+        $links = $this->filterSearch(['searchtags' => $filteringTags], false, $visibility);
+        $tags = [];
+        $caseMapping = [];
         foreach ($links as $link) {
             foreach (preg_split('/\s+/', $link['tags'], 0, PREG_SPLIT_NO_EMPTY) as $tag) {
                 if (empty($tag)) {
@@ -458,8 +470,19 @@ You use the community supported version of the original Shaarli project, by Seba
                 $tags[$caseMapping[strtolower($tag)]]++;
             }
         }
-        // Sort tags by usage (most used tag first)
-        arsort($tags);
+
+        /*
+         * Formerly used arsort(), which doesn't define the sort behaviour for equal values.
+         * Also, this function doesn't produce the same result between PHP 5.6 and 7.
+         *
+         * So we now use array_multisort() to sort tags by DESC occurrences,
+         * then ASC alphabetically for equal values.
+         *
+         * @see https://github.com/shaarli/Shaarli/issues/1142
+         */
+        $keys = array_keys($tags);
+        $tmpTags = array_combine($keys, $keys);
+        array_multisort($tags, SORT_DESC, $tmpTags, SORT_ASC, $tags);
         return $tags;
     }
 
@@ -479,8 +502,7 @@ You use the community supported version of the original Shaarli project, by Seba
         $delete = empty($to);
         // True for case-sensitive tag search.
         $linksToAlter = $this->filterSearch(['searchtags' => $from], true);
-        foreach($linksToAlter as $key => &$value)
-        {
+        foreach ($linksToAlter as $key => &$value) {
             $tags = preg_split('/\s+/', trim($value['tags']));
             if (($pos = array_search($from, $tags)) !== false) {
                 if ($delete) {
@@ -523,7 +545,10 @@ You use the community supported version of the original Shaarli project, by Seba
     {
         $order = $order === 'ASC' ? -1 : 1;
         // Reorder array by dates.
-        usort($this->links, function($a, $b) use ($order) {
+        usort($this->links, function ($a, $b) use ($order) {
+            if (isset($a['sticky']) && isset($b['sticky']) && $a['sticky'] !== $b['sticky']) {
+                return $a['sticky'] ? -1 : 1;
+            }
             return $a['created'] < $b['created'] ? 1 * $order : -1 * $order;
         });
 
diff --git a/application/LinkFilter.php b/application/LinkFilter.php
index 12376e27..8f147974 100644
--- a/application/LinkFilter.php
+++ b/application/LinkFilter.php
@@ -62,7 +62,7 @@ class LinkFilter
             $visibility = 'all';
         }
 
-        switch($type) {
+        switch ($type) {
             case self::$FILTER_HASH:
                 return $this->filterSmallHash($request);
             case self::$FILTER_TAG | self::$FILTER_TEXT: // == "vuotext"
@@ -117,7 +117,7 @@ class LinkFilter
         foreach ($this->links as $key => $value) {
             if ($value['private'] && $visibility === 'private') {
                 $out[$key] = $value;
-            } else if (! $value['private'] && $visibility === 'public') {
+            } elseif (! $value['private'] && $visibility === 'public') {
                 $out[$key] = $value;
             }
         }
@@ -205,12 +205,11 @@ class LinkFilter
 
         // Iterate over every stored link.
         foreach ($this->links as $id => $link) {
-
             // ignore non private links when 'privatonly' is on.
             if ($visibility !== 'all') {
                 if (! $link['private'] && $visibility === 'private') {
                     continue;
-                } else if ($link['private'] && $visibility === 'public') {
+                } elseif ($link['private'] && $visibility === 'public') {
                     continue;
                 }
             }
@@ -257,11 +256,11 @@ class LinkFilter
     private static function tag2regex($tag)
     {
         $len = strlen($tag);
-        if(!$len || $tag === "-" || $tag === "*"){
+        if (!$len || $tag === "-" || $tag === "*") {
             // nothing to search, return empty regex
             return '';
         }
-        if($tag[0] === "-") {
+        if ($tag[0] === "-") {
             // query is negated
             $i = 1; // use offset to start after '-' character
             $regex = '(?!'; // create negative lookahead
@@ -271,14 +270,14 @@ class LinkFilter
         }
         $regex .= '.*(?:^| )'; // before tag may only be a space or the beginning
         // iterate over string, separating it into placeholder and content
-        for(; $i < $len; $i++){
-            if($tag[$i] === '*'){
+        for (; $i < $len; $i++) {
+            if ($tag[$i] === '*') {
                 // placeholder found
                 $regex .= '[^ ]*?';
             } else {
                 // regular characters
                 $offset = strpos($tag, '*', $i);
-                if($offset === false){
+                if ($offset === false) {
                     // no placeholder found, set offset to end of string
                     $offset = $len;
                 }
@@ -310,19 +309,19 @@ class LinkFilter
     {
         // get single tags (we may get passed an array, even though the docs say different)
         $inputTags = $tags;
-        if(!is_array($tags)) {
+        if (!is_array($tags)) {
             // we got an input string, split tags
             $inputTags = preg_split('/(?:\s+)|,/', $inputTags, -1, PREG_SPLIT_NO_EMPTY);
         }
 
-        if(!count($inputTags)){
+        if (!count($inputTags)) {
             // no input tags
             return $this->noFilter($visibility);
         }
 
         // build regex from all tags
         $re = '/^' . implode(array_map("self::tag2regex", $inputTags)) . '.*$/';
-        if(!$casesensitive) {
+        if (!$casesensitive) {
             // make regex case insensitive
             $re .= 'i';
         }
@@ -337,12 +336,12 @@ class LinkFilter
             if ($visibility !== 'all') {
                 if (! $link['private'] && $visibility === 'private') {
                     continue;
-                } else if ($link['private'] && $visibility === 'public') {
+                } elseif ($link['private'] && $visibility === 'public') {
                     continue;
                 }
             }
             $search = $link['tags']; // build search string, start with tags of current link
-            if(strlen(trim($link['description'])) && strpos($link['description'], '#') !== false){
+            if (strlen(trim($link['description'])) && strpos($link['description'], '#') !== false) {
                 // description given and at least one possible tag found
                 $descTags = array();
                 // find all tags in the form of #tag in the description
@@ -351,13 +350,13 @@ class LinkFilter
                     $link['description'],
                     $descTags
                 );
-                if(count($descTags[1])){
+                if (count($descTags[1])) {
                     // there were some tags in the description, add them to the search string
                     $search .= ' ' . implode(' ', $descTags[1]);
                 }
             };
             // match regular expression with search string
-            if(!preg_match($re, $search)){
+            if (!preg_match($re, $search)) {
                 // this entry does _not_ match our regex
                 continue;
             }
@@ -380,7 +379,7 @@ class LinkFilter
             if ($visibility !== 'all') {
                 if (! $link['private'] && $visibility === 'private') {
                     continue;
-                } else if ($link['private'] && $visibility === 'public') {
+                } elseif ($link['private'] && $visibility === 'public') {
                     continue;
                 }
             }
diff --git a/application/LinkUtils.php b/application/LinkUtils.php
index 3705f7e9..d56e019f 100644
--- a/application/LinkUtils.php
+++ b/application/LinkUtils.php
@@ -11,6 +11,7 @@
  */
 function get_curl_download_callback(&$charset, &$title, $curlGetInfo = 'curl_getinfo')
 {
+    $isRedirected = false;
     /**
      * cURL callback function for CURLOPT_WRITEFUNCTION (called during the download).
      *
@@ -22,16 +23,24 @@ function get_curl_download_callback(&$charset, &$title, $curlGetInfo = 'curl_get
      *
      * @return int|bool length of $data or false if we need to stop the download
      */
-    return function(&$ch, $data) use ($curlGetInfo, &$charset, &$title) {
+    return function (&$ch, $data) use ($curlGetInfo, &$charset, &$title, &$isRedirected) {
         $responseCode = $curlGetInfo($ch, CURLINFO_RESPONSE_CODE);
-        if (!empty($responseCode) && $responseCode != 200) {
+        if (!empty($responseCode) && in_array($responseCode, [301, 302])) {
+            $isRedirected = true;
+            return strlen($data);
+        }
+        if (!empty($responseCode) && $responseCode !== 200) {
             return false;
         }
-        $contentType = $curlGetInfo($ch, CURLINFO_CONTENT_TYPE);
+        // After a redirection, the content type will keep the previous request value
+        // until it finds the next content-type header.
+        if (! $isRedirected || strpos(strtolower($data), 'content-type') !== false) {
+            $contentType = $curlGetInfo($ch, CURLINFO_CONTENT_TYPE);
+        }
         if (!empty($contentType) && strpos($contentType, 'text/html') === false) {
             return false;
         }
-        if (empty($charset)) {
+        if (!empty($contentType) && empty($charset)) {
             $charset = header_extract_charset($contentType);
         }
         if (empty($charset)) {
@@ -192,7 +201,8 @@ function space2nbsp($text)
 
  * @return string formatted description.
  */
-function format_description($description, $redirector = '', $urlEncode = true, $indexUrl = '') {
+function format_description($description, $redirector = '', $urlEncode = true, $indexUrl = '')
+{
     return nl2br(space2nbsp(hashtag_autolink(text2clickable($description, $redirector, $urlEncode), $indexUrl)));
 }
 
diff --git a/application/NetscapeBookmarkUtils.php b/application/NetscapeBookmarkUtils.php
index dd7057f8..84dd2b20 100644
--- a/application/NetscapeBookmarkUtils.php
+++ b/application/NetscapeBookmarkUtils.php
@@ -72,18 +72,20 @@ class NetscapeBookmarkUtils
     private static function importStatus(
         $filename,
         $filesize,
-        $importCount=0,
-        $overwriteCount=0,
-        $skipCount=0,
-        $duration=0
-    )
-    {
+        $importCount = 0,
+        $overwriteCount = 0,
+        $skipCount = 0,
+        $duration = 0
+    ) {
         $status = sprintf(t('File %s (%d bytes) '), $filename, $filesize);
         if ($importCount == 0 && $overwriteCount == 0 && $skipCount == 0) {
             $status .= t('has an unknown file format. Nothing was imported.');
         } else {
             $status .= vsprintf(
-                t('was successfully processed in %d seconds: %d links imported, %d links overwritten, %d links skipped.'),
+                t(
+                    'was successfully processed in %d seconds: '
+                    .'%d links imported, %d links overwritten, %d links skipped.'
+                ),
                 [$duration, $importCount, $overwriteCount, $skipCount]
             );
         }
@@ -108,7 +110,7 @@ class NetscapeBookmarkUtils
         $filesize = $files['filetoupload']['size'];
         $data = file_get_contents($files['filetoupload']['tmp_name']);
 
-        if (strpos($data, '<!DOCTYPE NETSCAPE-Bookmark-file-1>') === false) {
+        if (preg_match('/<!DOCTYPE NETSCAPE-Bookmark-file-1>/i', $data) === 0) {
             return self::importStatus($filename, $filesize);
         }
 
@@ -154,13 +156,13 @@ class NetscapeBookmarkUtils
             if (empty($post['privacy']) || $post['privacy'] == 'default') {
                 // use value from the imported file
                 $private = $bkm['pub'] == '1' ? 0 : 1;
-            } else if ($post['privacy'] == 'private') {
+            } elseif ($post['privacy'] == 'private') {
                 // all imported links are private
                 $private = 1;
-            } else if ($post['privacy'] == 'public') {
+            } elseif ($post['privacy'] == 'public') {
                 // all imported links are public
                 $private = 0;
-            }                
+            }
 
             $newLink = array(
                 'title' => $bkm['title'],
diff --git a/application/PageBuilder.php b/application/PageBuilder.php
index 468f144b..2ca95832 100644
--- a/application/PageBuilder.php
+++ b/application/PageBuilder.php
@@ -1,6 +1,7 @@
 <?php
 
 use Shaarli\Config\ConfigManager;
+use Shaarli\Thumbnailer;
 
 /**
  * This class is in charge of building the final page.
@@ -22,24 +23,41 @@ class PageBuilder
     protected $conf;
 
     /**
+     * @var array $_SESSION
+     */
+    protected $session;
+
+    /**
      * @var LinkDB $linkDB instance.
      */
     protected $linkDB;
 
     /**
+     * @var null|string XSRF token
+     */
+    protected $token;
+
+    /** @var bool $isLoggedIn Whether the user is logged in **/
+    protected $isLoggedIn = false;
+
+    /**
      * PageBuilder constructor.
      * $tpl is initialized at false for lazy loading.
      *
-     * @param ConfigManager $conf   Configuration Manager instance (reference).
-     * @param LinkDB        $linkDB instance.
-     * @param string        $token  Session token
+     * @param ConfigManager $conf       Configuration Manager instance (reference).
+     * @param array         $session    $_SESSION array
+     * @param LinkDB        $linkDB     instance.
+     * @param string        $token      Session token
+     * @param bool          $isLoggedIn
      */
-    public function __construct(&$conf, $linkDB = null, $token = null)
+    public function __construct(&$conf, $session, $linkDB = null, $token = null, $isLoggedIn = false)
     {
         $this->tpl = false;
         $this->conf = $conf;
+        $this->session = $session;
         $this->linkDB = $linkDB;
         $this->token = $token;
+        $this->isLoggedIn = $isLoggedIn;
     }
 
     /**
@@ -55,18 +73,18 @@ class PageBuilder
                 $this->conf->get('resource.update_check'),
                 $this->conf->get('updates.check_updates_interval'),
                 $this->conf->get('updates.check_updates'),
-                isLoggedIn(),
+                $this->isLoggedIn,
                 $this->conf->get('updates.check_updates_branch')
             );
             $this->tpl->assign('newVersion', escape($version));
             $this->tpl->assign('versionError', '');
-
         } catch (Exception $exc) {
             logm($this->conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], $exc->getMessage());
             $this->tpl->assign('newVersion', '');
             $this->tpl->assign('versionError', escape($exc->getMessage()));
         }
 
+        $this->tpl->assign('is_logged_in', $this->isLoggedIn);
         $this->tpl->assign('feedurl', escape(index_url($_SERVER)));
         $searchcrits = ''; // Search criteria
         if (!empty($_GET['searchtags'])) {
@@ -82,8 +100,9 @@ class PageBuilder
             'version_hash',
             ApplicationUtils::getVersionHash(SHAARLI_VERSION, $this->conf->get('credentials.salt'))
         );
-        $this->tpl->assign('scripturl', index_url($_SERVER));
-        $this->tpl->assign('privateonly', !empty($_SESSION['privateonly'])); // Show only private links?
+        $this->tpl->assign('index_url', index_url($_SERVER));
+        $visibility = ! empty($_SESSION['visibility']) ? $_SESSION['visibility'] : '';
+        $this->tpl->assign('visibility', $visibility);
         $this->tpl->assign('untaggedonly', !empty($_SESSION['untaggedonly']));
         $this->tpl->assign('pagetitle', $this->conf->get('general.title', 'Shaarli'));
         if ($this->conf->exists('general.header_link')) {
@@ -99,6 +118,19 @@ class PageBuilder
         if ($this->linkDB !== null) {
             $this->tpl->assign('tags', $this->linkDB->linksCountPerTag());
         }
+
+        $this->tpl->assign(
+            'thumbnails_enabled',
+            $this->conf->get('thumbnails.mode', Thumbnailer::MODE_NONE) !== Thumbnailer::MODE_NONE
+        );
+        $this->tpl->assign('thumbnails_width', $this->conf->get('thumbnails.width'));
+        $this->tpl->assign('thumbnails_height', $this->conf->get('thumbnails.height'));
+
+        if (! empty($_SESSION['warnings'])) {
+            $this->tpl->assign('global_warnings', $_SESSION['warnings']);
+            unset($_SESSION['warnings']);
+        }
+
         // To be removed with a proper theme configuration.
         $this->tpl->assign('conf', $this->conf);
     }
@@ -130,7 +162,7 @@ class PageBuilder
             $this->initialize();
         }
 
-        if (empty($data) || !is_array($data)){
+        if (empty($data) || !is_array($data)) {
             return false;
         }
 
diff --git a/application/PluginManager.php b/application/PluginManager.php
index cf603845..1ed4db4b 100644
--- a/application/PluginManager.php
+++ b/application/PluginManager.php
@@ -75,8 +75,7 @@ class PluginManager
 
             try {
                 $this->loadPlugin($dirs[$index], $plugin);
-            }
-            catch (PluginFileNotFoundException $e) {
+            } catch (PluginFileNotFoundException $e) {
                 error_log($e->getMessage());
             }
         }
diff --git a/application/Router.php b/application/Router.php
index 4df0387c..beb3165b 100644
--- a/application/Router.php
+++ b/application/Router.php
@@ -7,6 +7,8 @@
  */
 class Router
 {
+    public static $AJAX_THUMB_UPDATE = 'ajax_thumb_update';
+
     public static $PAGE_LOGIN = 'login';
 
     public static $PAGE_PICWALL = 'picwall';
@@ -35,6 +37,8 @@ class Router
 
     public static $PAGE_DELETELINK = 'delete_link';
 
+    public static $PAGE_PINLINK = 'pin';
+
     public static $PAGE_EXPORT = 'export';
 
     public static $PAGE_IMPORT = 'import';
@@ -47,6 +51,8 @@ class Router
 
     public static $PAGE_SAVE_PLUGINSADMIN = 'save_pluginadmin';
 
+    public static $PAGE_THUMBS_UPDATE = 'thumbs_update';
+
     public static $GET_TOKEN = 'token';
 
     /**
@@ -101,6 +107,14 @@ class Router
             return self::$PAGE_FEED_RSS;
         }
 
+        if (startsWith($query, 'do='. self::$PAGE_THUMBS_UPDATE)) {
+            return self::$PAGE_THUMBS_UPDATE;
+        }
+
+        if (startsWith($query, 'do='. self::$AJAX_THUMB_UPDATE)) {
+            return self::$AJAX_THUMB_UPDATE;
+        }
+
         // At this point, only loggedin pages.
         if (!$loggedIn) {
             return self::$PAGE_LINKLIST;
@@ -134,6 +148,10 @@ class Router
             return self::$PAGE_DELETELINK;
         }
 
+        if (startsWith($query, 'do='. self::$PAGE_PINLINK)) {
+            return self::$PAGE_PINLINK;
+        }
+
         if (startsWith($query, 'do='. self::$PAGE_EXPORT)) {
             return self::$PAGE_EXPORT;
         }
diff --git a/application/SessionManager.php b/application/SessionManager.php
deleted file mode 100644
index 71f0b38d..00000000
--- a/application/SessionManager.php
+++ /dev/null
@@ -1,83 +0,0 @@
-<?php
-namespace Shaarli;
-
-/**
- * Manages the server-side session
- */
-class SessionManager
-{
-    protected $session = [];
-
-    /**
-     * Constructor
-     *
-     * @param array         $session The $_SESSION array (reference)
-     * @param ConfigManager $conf    ConfigManager instance
-     */
-    public function __construct(& $session, $conf)
-    {
-        $this->session = &$session;
-        $this->conf = $conf;
-    }
-
-    /**
-     * Generates a session token
-     *
-     * @return string token
-     */
-    public function generateToken()
-    {
-        $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
-        $this->session['tokens'][$token] = 1;
-        return $token;
-    }
-
-    /**
-     * Checks the validity of a session token, and destroys it afterwards
-     *
-     * @param string $token The token to check
-     *
-     * @return bool true if the token is valid, else false
-     */
-    public function checkToken($token)
-    {
-        if (! isset($this->session['tokens'][$token])) {
-            // the token is wrong, or has already been used
-            return false;
-        }
-
-        // destroy the token to prevent future use
-        unset($this->session['tokens'][$token]);
-        return true;
-    }
-
-    /**
-     * Validate session ID to prevent Full Path Disclosure.
-     *
-     * See #298.
-     * The session ID's format depends on the hash algorithm set in PHP settings
-     *
-     * @param string $sessionId Session ID
-     *
-     * @return true if valid, false otherwise.
-     *
-     * @see http://php.net/manual/en/function.hash-algos.php
-     * @see http://php.net/manual/en/session.configuration.php
-     */
-    public static function checkId($sessionId)
-    {
-        if (empty($sessionId)) {
-            return false;
-        }
-
-        if (!$sessionId) {
-            return false;
-        }
-
-        if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
-            return false;
-        }
-
-        return true;
-    }
-}
diff --git a/application/Thumbnailer.php b/application/Thumbnailer.php
new file mode 100644
index 00000000..167d6296
--- /dev/null
+++ b/application/Thumbnailer.php
@@ -0,0 +1,130 @@
+<?php
+
+namespace Shaarli;
+
+use Shaarli\Config\ConfigManager;
+use WebThumbnailer\Exception\WebThumbnailerException;
+use WebThumbnailer\WebThumbnailer;
+use WebThumbnailer\Application\ConfigManager as WTConfigManager;
+
+/**
+ * Class Thumbnailer
+ *
+ * Utility class used to retrieve thumbnails using web-thumbnailer dependency.
+ */
+class Thumbnailer
+{
+    const COMMON_MEDIA_DOMAINS = [
+        'imgur.com',
+        'flickr.com',
+        'youtube.com',
+        'wikimedia.org',
+        'redd.it',
+        'gfycat.com',
+        'media.giphy.com',
+        'twitter.com',
+        'twimg.com',
+        'instagram.com',
+        'pinterest.com',
+        'pinterest.fr',
+        'tumblr.com',
+        'deviantart.com',
+    ];
+
+    const MODE_ALL = 'all';
+    const MODE_COMMON = 'common';
+    const MODE_NONE = 'none';
+
+    /**
+     * @var WebThumbnailer instance.
+     */
+    protected $wt;
+
+    /**
+     * @var ConfigManager instance.
+     */
+    protected $conf;
+
+    /**
+     * Thumbnailer constructor.
+     *
+     * @param ConfigManager $conf instance.
+     */
+    public function __construct($conf)
+    {
+        $this->conf = $conf;
+
+        if (! $this->checkRequirements()) {
+            $this->conf->set('thumbnails.mode', Thumbnailer::MODE_NONE);
+            $this->conf->write(true);
+            // TODO: create a proper error handling system able to catch exceptions...
+            die(t(
+                'php-gd extension must be loaded to use thumbnails. '
+                .'Thumbnails are now disabled. Please reload the page.'
+            ));
+        }
+
+        $this->wt = new WebThumbnailer();
+        WTConfigManager::addFile('inc/web-thumbnailer.json');
+        $this->wt->maxWidth($this->conf->get('thumbnails.width'))
+                 ->maxHeight($this->conf->get('thumbnails.height'))
+                 ->crop(true)
+                 ->debug($this->conf->get('dev.debug', false));
+    }
+
+    /**
+     * Retrieve a thumbnail for given URL
+     *
+     * @param string $url where to look for a thumbnail.
+     *
+     * @return bool|string The thumbnail relative cache file path, or false if none has been found.
+     */
+    public function get($url)
+    {
+        if ($this->conf->get('thumbnails.mode') === self::MODE_COMMON
+            && ! $this->isCommonMediaOrImage($url)
+        ) {
+            return false;
+        }
+
+        try {
+            return $this->wt->thumbnail($url);
+        } catch (WebThumbnailerException $e) {
+            // Exceptions are only thrown in debug mode.
+            error_log(get_class($e) . ': ' . $e->getMessage());
+        }
+        return false;
+    }
+
+    /**
+     * We check weather the given URL is from a common media domain,
+     * or if the file extension is an image.
+     *
+     * @param string $url to check
+     *
+     * @return bool true if it's an image or from a common media domain, false otherwise.
+     */
+    public function isCommonMediaOrImage($url)
+    {
+        foreach (self::COMMON_MEDIA_DOMAINS as $domain) {
+            if (strpos($url, $domain) !== false) {
+                return true;
+            }
+        }
+
+        if (endsWith($url, '.jpg') || endsWith($url, '.png') || endsWith($url, '.jpeg')) {
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * Make sure that requirements are match to use thumbnails:
+     *   - php-gd is loaded
+     */
+    protected function checkRequirements()
+    {
+        return extension_loaded('gd');
+    }
+}
diff --git a/application/Updater.php b/application/Updater.php
index 034b8ed8..86a21fc3 100644
--- a/application/Updater.php
+++ b/application/Updater.php
@@ -2,6 +2,7 @@
 use Shaarli\Config\ConfigJson;
 use Shaarli\Config\ConfigPhp;
 use Shaarli\Config\ConfigManager;
+use Shaarli\Thumbnailer;
 
 /**
  * Class Updater.
@@ -31,6 +32,11 @@ class Updater
     protected $isLoggedIn;
 
     /**
+     * @var array $_SESSION
+     */
+    protected $session;
+
+    /**
      * @var ReflectionMethod[] List of current class methods.
      */
     protected $methods;
@@ -42,13 +48,17 @@ class Updater
      * @param LinkDB        $linkDB      LinkDB instance.
      * @param ConfigManager $conf        Configuration Manager instance.
      * @param boolean       $isLoggedIn  True if the user is logged in.
+     * @param array         $session     $_SESSION (by reference)
+     *
+     * @throws ReflectionException
      */
-    public function __construct($doneUpdates, $linkDB, $conf, $isLoggedIn)
+    public function __construct($doneUpdates, $linkDB, $conf, $isLoggedIn, &$session = [])
     {
         $this->doneUpdates = $doneUpdates;
         $this->linkDB = $linkDB;
         $this->conf = $conf;
         $this->isLoggedIn = $isLoggedIn;
+        $this->session = &$session;
 
         // Retrieve all update methods.
         $class = new ReflectionClass($this);
@@ -173,7 +183,7 @@ class Updater
             }
         }
 
-        try{
+        try {
             $this->conf->write($this->isLoggedIn);
             return true;
         } catch (IOException $e) {
@@ -447,6 +457,88 @@ class Updater
         $this->linkDB->save($this->conf->get('resource.page_cache'));
         return true;
     }
+
+    /**
+     * Change privateonly session key to visibility.
+     */
+    public function updateMethodVisibilitySession()
+    {
+        if (isset($_SESSION['privateonly'])) {
+            unset($_SESSION['privateonly']);
+            $_SESSION['visibility'] = 'private';
+        }
+        return true;
+    }
+
+    /**
+     * Add download size and timeout to the configuration file
+     *
+     * @return bool true if the update is successful, false otherwise.
+     */
+    public function updateMethodDownloadSizeAndTimeoutConf()
+    {
+        if ($this->conf->exists('general.download_max_size')
+            && $this->conf->exists('general.download_timeout')
+        ) {
+            return true;
+        }
+
+        if (! $this->conf->exists('general.download_max_size')) {
+            $this->conf->set('general.download_max_size', 1024*1024*4);
+        }
+
+        if (! $this->conf->exists('general.download_timeout')) {
+            $this->conf->set('general.download_timeout', 30);
+        }
+
+        $this->conf->write($this->isLoggedIn);
+        return true;
+    }
+
+    /**
+     * * Move thumbnails management to WebThumbnailer, coming with new settings.
+     */
+    public function updateMethodWebThumbnailer()
+    {
+        if ($this->conf->exists('thumbnails.mode')) {
+            return true;
+        }
+
+        $thumbnailsEnabled = extension_loaded('gd') && $this->conf->get('thumbnail.enable_thumbnails', true);
+        $this->conf->set('thumbnails.mode', $thumbnailsEnabled ? Thumbnailer::MODE_ALL : Thumbnailer::MODE_NONE);
+        $this->conf->set('thumbnails.width', 125);
+        $this->conf->set('thumbnails.height', 90);
+        $this->conf->remove('thumbnail');
+        $this->conf->write(true);
+
+        if ($thumbnailsEnabled) {
+            $this->session['warnings'][] = t(
+                'You have enabled or changed thumbnails mode. <a href="?do=thumbs_update">Please synchronize them</a>.'
+            );
+        }
+
+        return true;
+    }
+
+    /**
+     * Set sticky = false on all links
+     *
+     * @return bool true if the update is successful, false otherwise.
+     */
+    public function updateMethodSetSticky()
+    {
+        foreach ($this->linkDB as $key => $link) {
+            if (isset($link['sticky'])) {
+                return true;
+            }
+            $link['sticky'] = false;
+            $this->linkDB[$key] = $link;
+        }
+
+        $this->linkDB->save($this->conf->get('resource.page_cache'));
+
+        return true;
+    }
 }
 
 /**
diff --git a/application/Url.php b/application/Url.php
index b3759377..3b7f19c2 100644
--- a/application/Url.php
+++ b/application/Url.php
@@ -34,8 +34,8 @@ function unparse_url($parsedUrl)
  */
 function cleanup_url($url)
 {
-  $obj_url = new Url($url);
-  return $obj_url->cleanup();
+    $obj_url = new Url($url);
+    return $obj_url->cleanup();
 }
 
 /**
@@ -47,8 +47,8 @@ function cleanup_url($url)
  */
 function get_url_scheme($url)
 {
-  $obj_url = new Url($url);
-  return $obj_url->getScheme();
+    $obj_url = new Url($url);
+    return $obj_url->getScheme();
 }
 
 /**
@@ -81,7 +81,7 @@ function whitelist_protocols($url, $protocols)
     // Protocol not allowed: we remove it and replace it with http
     if ($protocol === 1 && ! in_array($match[1], $protocols)) {
         $url = str_replace($match[0], 'http://', $url);
-    } else if ($protocol !== 1) {
+    } elseif ($protocol !== 1) {
         $url = 'http://' . $url;
     }
     return $url;
@@ -217,7 +217,7 @@ class Url
         }
 
         $this->parts['query'] = implode('&', $queryParams);
-    }    
+    }
 
     /**
      * Removes undesired fragments
@@ -260,7 +260,7 @@ class Url
         if (! function_exists('idn_to_ascii') || ! isset($this->parts['host'])) {
             return $out;
         }
-        $asciiHost = idn_to_ascii($this->parts['host']);
+        $asciiHost = idn_to_ascii($this->parts['host'], 0, INTL_IDNA_VARIANT_UTS46);
         return str_replace($this->parts['host'], $asciiHost, $out);
     }
 
@@ -269,7 +269,8 @@ class Url
      *
      * @return string the URL scheme or false if none is provided.
      */
-    public function getScheme() {
+    public function getScheme()
+    {
         if (!isset($this->parts['scheme'])) {
             return false;
         }
@@ -281,7 +282,8 @@ class Url
      *
      * @return string the URL host or false if none is provided.
      */
-    public function getHost() {
+    public function getHost()
+    {
         if (empty($this->parts['host'])) {
             return false;
         }
@@ -293,7 +295,8 @@ class Url
      *
      * @return true is HTTP, false otherwise.
      */
-    public function isHttp() {
+    public function isHttp()
+    {
         return strpos(strtolower($this->parts['scheme']), 'http') !== false;
     }
 }
diff --git a/application/Utils.php b/application/Utils.php
index 97b12fcf..925e1a22 100644
--- a/application/Utils.php
+++ b/application/Utils.php
@@ -97,7 +97,7 @@ function escape($input)
 
     if (is_array($input)) {
         $out = array();
-        foreach($input as $key => $value) {
+        foreach ($input as $key => $value) {
             $out[$key] = escape($value);
         }
         return $out;
@@ -355,10 +355,13 @@ function return_bytes($val)
     $val = trim($val);
     $last = strtolower($val[strlen($val)-1]);
     $val = intval(substr($val, 0, -1));
-    switch($last) {
-        case 'g': $val *= 1024;
-        case 'm': $val *= 1024;
-        case 'k': $val *= 1024;
+    switch ($last) {
+        case 'g':
+            $val *= 1024;
+        case 'm':
+            $val *= 1024;
+        case 'k':
+            $val *= 1024;
     }
     return $val;
 }
@@ -452,6 +455,7 @@ function alphabetical_sort(&$data, $reverse = false, $byKeys = false)
  *
  * @return string Text translated.
  */
-function t($text, $nText = '', $nb = 1, $domain = 'shaarli') {
+function t($text, $nText = '', $nb = 1, $domain = 'shaarli')
+{
     return dn__($domain, $text, $nText, $nb);
 }
diff --git a/application/api/ApiMiddleware.php b/application/api/ApiMiddleware.php
index ff209393..66eac133 100644
--- a/application/api/ApiMiddleware.php
+++ b/application/api/ApiMiddleware.php
@@ -65,7 +65,7 @@ class ApiMiddleware
         try {
             $this->checkRequest($request);
             $response = $next($request, $response);
-        } catch(ApiException $e) {
+        } catch (ApiException $e) {
             $e->setResponse($response);
             $e->setDebug($this->conf->get('dev.debug', false));
             $response = $e->getApiResponse();
@@ -98,7 +98,8 @@ class ApiMiddleware
      *
      * @throws ApiAuthorizationException The token couldn't be validated.
      */
-    protected function checkToken($request) {
+    protected function checkToken($request)
+    {
         if (! $request->hasHeader('Authorization')) {
             throw new ApiAuthorizationException('JWT token not provided');
         }
diff --git a/application/api/ApiUtils.php b/application/api/ApiUtils.php
index f154bb52..fc5ecaf1 100644
--- a/application/api/ApiUtils.php
+++ b/application/api/ApiUtils.php
@@ -134,4 +134,20 @@ class ApiUtils
 
         return $oldLink;
     }
+
+    /**
+     * Format a Tag for the REST API.
+     *
+     * @param string $tag         Tag name
+     * @param int    $occurrences Number of links using this tag
+     *
+     * @return array Link data formatted for the REST API.
+     */
+    public static function formatTag($tag, $occurences)
+    {
+        return [
+            'name'       => $tag,
+            'occurrences' => $occurences,
+        ];
+    }
 }
diff --git a/application/api/controllers/ApiController.php b/application/api/controllers/ApiController.php
index 3be85b98..9edefcf6 100644
--- a/application/api/controllers/ApiController.php
+++ b/application/api/controllers/ApiController.php
@@ -41,7 +41,7 @@ abstract class ApiController
 
     /**
      * ApiController constructor.
-     * 
+     *
      * Note: enabling debug mode displays JSON with readable formatting.
      *
      * @param Container $ci Slim container.
diff --git a/application/api/controllers/History.php b/application/api/controllers/History.php
index 2ff9deaf..4582e8b2 100644
--- a/application/api/controllers/History.php
+++ b/application/api/controllers/History.php
@@ -35,8 +35,7 @@ class History extends ApiController
         $offset = $request->getParam('offset');
         if (empty($offset)) {
             $offset = 0;
-        }
-        else if (ctype_digit($offset)) {
+        } elseif (ctype_digit($offset)) {
             $offset = (int) $offset;
         } else {
             throw new ApiBadParametersException('Invalid offset');
@@ -46,7 +45,7 @@ class History extends ApiController
         $limit = $request->getParam('limit');
         if (empty($limit)) {
             $limit = count($history);
-        } else if (ctype_digit($limit)) {
+        } elseif (ctype_digit($limit)) {
             $limit = (int) $limit;
         } else {
             throw new ApiBadParametersException('Invalid limit');
diff --git a/application/api/controllers/Info.php b/application/api/controllers/Info.php
index 25433f72..f37dcae5 100644
--- a/application/api/controllers/Info.php
+++ b/application/api/controllers/Info.php
@@ -7,7 +7,7 @@ use Slim\Http\Response;
 
 /**
  * Class Info
- * 
+ *
  * REST API Controller: /info
  *
  * @package Api\Controllers
@@ -17,7 +17,7 @@ class Info extends ApiController
 {
     /**
      * Service providing various information about Shaarli instance.
-     * 
+     *
      * @param Request  $request  Slim request.
      * @param Response $response Slim response.
      *
diff --git a/application/api/controllers/Links.php b/application/api/controllers/Links.php
index eb78dd26..ffcfd4c7 100644
--- a/application/api/controllers/Links.php
+++ b/application/api/controllers/Links.php
@@ -59,25 +59,25 @@ class Links extends ApiController
         $limit = $request->getParam('limit');
         if (empty($limit)) {
             $limit = self::$DEFAULT_LIMIT;
-        } else if (ctype_digit($limit)) {
+        } elseif (ctype_digit($limit)) {
             $limit = intval($limit);
-        } else if ($limit === 'all') {
+        } elseif ($limit === 'all') {
             $limit = count($links);
         } else {
             throw new ApiBadParametersException('Invalid limit');
         }
 
         // 'environment' is set by Slim and encapsulate $_SERVER.
-        $index = index_url($this->ci['environment']);
+        $indexUrl = index_url($this->ci['environment']);
 
         $out = [];
-        $cpt = 0;
+        $index = 0;
         foreach ($links as $link) {
             if (count($out) >= $limit) {
                 break;
             }
-            if ($cpt++ >= $offset) {
-                $out[] = ApiUtils::formatLink($link, $index);
+            if ($index++ >= $offset) {
+                $out[] = ApiUtils::formatLink($link, $indexUrl);
             }
         }
 
diff --git a/application/api/controllers/Tags.php b/application/api/controllers/Tags.php
new file mode 100644
index 00000000..6dd78750
--- /dev/null
+++ b/application/api/controllers/Tags.php
@@ -0,0 +1,161 @@
+<?php
+
+namespace Shaarli\Api\Controllers;
+
+use Shaarli\Api\ApiUtils;
+use Shaarli\Api\Exceptions\ApiBadParametersException;
+use Shaarli\Api\Exceptions\ApiLinkNotFoundException;
+use Shaarli\Api\Exceptions\ApiTagNotFoundException;
+use Slim\Http\Request;
+use Slim\Http\Response;
+
+/**
+ * Class Tags
+ *
+ * REST API Controller: all services related to tags collection.
+ *
+ * @package Api\Controllers
+ */
+class Tags extends ApiController
+{
+    /**
+     * @var int Number of links returned if no limit is provided.
+     */
+    public static $DEFAULT_LIMIT = 'all';
+
+    /**
+     * Retrieve a list of tags, allowing different filters.
+     *
+     * @param Request  $request  Slim request.
+     * @param Response $response Slim response.
+     *
+     * @return Response response.
+     *
+     * @throws ApiBadParametersException Invalid parameters.
+     */
+    public function getTags($request, $response)
+    {
+        $visibility = $request->getParam('visibility');
+        $tags = $this->linkDb->linksCountPerTag([], $visibility);
+
+        // Return tags from the {offset}th tag, starting from 0.
+        $offset = $request->getParam('offset');
+        if (! empty($offset) && ! ctype_digit($offset)) {
+            throw new ApiBadParametersException('Invalid offset');
+        }
+        $offset = ! empty($offset) ? intval($offset) : 0;
+        if ($offset > count($tags)) {
+            return $response->withJson([], 200, $this->jsonStyle);
+        }
+
+        // limit parameter is either a number of links or 'all' for everything.
+        $limit = $request->getParam('limit');
+        if (empty($limit)) {
+            $limit = self::$DEFAULT_LIMIT;
+        }
+        if (ctype_digit($limit)) {
+            $limit = intval($limit);
+        } elseif ($limit === 'all') {
+            $limit = count($tags);
+        } else {
+            throw new ApiBadParametersException('Invalid limit');
+        }
+
+        $out = [];
+        $index = 0;
+        foreach ($tags as $tag => $occurrences) {
+            if (count($out) >= $limit) {
+                break;
+            }
+            if ($index++ >= $offset) {
+                $out[] = ApiUtils::formatTag($tag, $occurrences);
+            }
+        }
+
+        return $response->withJson($out, 200, $this->jsonStyle);
+    }
+
+    /**
+     * Return a single formatted tag by its name.
+     *
+     * @param Request  $request  Slim request.
+     * @param Response $response Slim response.
+     * @param array    $args     Path parameters. including the tag name.
+     *
+     * @return Response containing the link array.
+     *
+     * @throws ApiTagNotFoundException generating a 404 error.
+     */
+    public function getTag($request, $response, $args)
+    {
+        $tags = $this->linkDb->linksCountPerTag();
+        if (!isset($tags[$args['tagName']])) {
+            throw new ApiTagNotFoundException();
+        }
+        $out = ApiUtils::formatTag($args['tagName'], $tags[$args['tagName']]);
+
+        return $response->withJson($out, 200, $this->jsonStyle);
+    }
+
+    /**
+     * Rename a tag from the given name.
+     * If the new name provided matches an existing tag, they will be merged.
+     *
+     * @param Request  $request  Slim request.
+     * @param Response $response Slim response.
+     * @param array    $args     Path parameters. including the tag name.
+     *
+     * @return Response response.
+     *
+     * @throws ApiTagNotFoundException generating a 404 error.
+     * @throws ApiBadParametersException new tag name not provided
+     */
+    public function putTag($request, $response, $args)
+    {
+        $tags = $this->linkDb->linksCountPerTag();
+        if (! isset($tags[$args['tagName']])) {
+            throw new ApiTagNotFoundException();
+        }
+
+        $data = $request->getParsedBody();
+        if (empty($data['name'])) {
+            throw new ApiBadParametersException('New tag name is required in the request body');
+        }
+
+        $updated = $this->linkDb->renameTag($args['tagName'], $data['name']);
+        $this->linkDb->save($this->conf->get('resource.page_cache'));
+        foreach ($updated as $link) {
+            $this->history->updateLink($link);
+        }
+
+        $tags = $this->linkDb->linksCountPerTag();
+        $out = ApiUtils::formatTag($data['name'], $tags[$data['name']]);
+        return $response->withJson($out, 200, $this->jsonStyle);
+    }
+
+    /**
+     * Delete an existing tag by its name.
+     *
+     * @param Request  $request  Slim request.
+     * @param Response $response Slim response.
+     * @param array    $args     Path parameters. including the tag name.
+     *
+     * @return Response response.
+     *
+     * @throws ApiTagNotFoundException generating a 404 error.
+     */
+    public function deleteTag($request, $response, $args)
+    {
+        $tags = $this->linkDb->linksCountPerTag();
+        if (! isset($tags[$args['tagName']])) {
+            throw new ApiTagNotFoundException();
+        }
+        $updated = $this->linkDb->renameTag($args['tagName'], null);
+        $this->linkDb->save($this->conf->get('resource.page_cache'));
+        foreach ($updated as $link) {
+            $this->history->updateLink($link);
+        }
+
+        return $response->withStatus(204);
+    }
+}
diff --git a/application/api/exceptions/ApiException.php b/application/api/exceptions/ApiException.php
index c8490e0c..d6b66323 100644
--- a/application/api/exceptions/ApiException.php
+++ b/application/api/exceptions/ApiException.php
@@ -10,7 +10,8 @@ use Slim\Http\Response;
  * Parent Exception related to the API, able to generate a valid Response (ResponseInterface).
  * Also can include various information in debug mode.
  */
-abstract class ApiException extends \Exception {
+abstract class ApiException extends \Exception
+{
 
     /**
      * @var Response instance from Slim.
@@ -27,7 +28,7 @@ abstract class ApiException extends \Exception {
      *
      * @return Response Final response to give.
      */
-    public abstract function getApiResponse();
+    abstract public function getApiResponse();
 
     /**
      * Creates ApiResponse body.
@@ -36,7 +37,8 @@ abstract class ApiException extends \Exception {
      *
      * @return array|string response body
      */
-    protected function getApiResponseBody() {
+    protected function getApiResponseBody()
+    {
         if ($this->debug !== true) {
             return $this->getMessage();
         }
diff --git a/application/api/exceptions/ApiLinkNotFoundException.php b/application/api/exceptions/ApiLinkNotFoundException.php
index de7e14f5..c727f4f0 100644
--- a/application/api/exceptions/ApiLinkNotFoundException.php
+++ b/application/api/exceptions/ApiLinkNotFoundException.php
@@ -2,7 +2,6 @@
 
 namespace Shaarli\Api\Exceptions;
 
-
 use Slim\Http\Response;
 
 /**
diff --git a/application/api/exceptions/ApiTagNotFoundException.php b/application/api/exceptions/ApiTagNotFoundException.php
new file mode 100644
index 00000000..eee152fe
--- /dev/null
+++ b/application/api/exceptions/ApiTagNotFoundException.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace Shaarli\Api\Exceptions;
+
+use Slim\Http\Response;
+
+/**
+ * Class ApiTagNotFoundException
+ *
+ * Tag selected by name couldn't be found in the datastore, results in a 404 error.
+ *
+ * @package Shaarli\Api\Exceptions
+ */
+class ApiTagNotFoundException extends ApiException
+{
+    /**
+     * ApiLinkNotFoundException constructor.
+     */
+    public function __construct()
+    {
+        $this->message = 'Tag not found';
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getApiResponse()
+    {
+        return $this->buildApiResponse(404);
+    }
+}
diff --git a/application/config/ConfigManager.php b/application/config/ConfigManager.php
index 9e4c9f63..32aaea48 100644
--- a/application/config/ConfigManager.php
+++ b/application/config/ConfigManager.php
@@ -123,7 +123,7 @@ class ConfigManager
      * Supports nested settings with dot separated keys.
      *
      * @param string $setting    Asked setting, keys separated with dots.
-     * @param string $value      Value to set.
+     * @param mixed  $value      Value to set.
      * @param bool   $write      Write the new setting in the config file, default false.
      * @param bool   $isLoggedIn User login state, default false.
      *
@@ -148,6 +148,33 @@ class ConfigManager
     }
 
     /**
+     * Remove a config element from the config file.
+     *
+     * @param string $setting    Asked setting, keys separated with dots.
+     * @param bool   $write      Write the new setting in the config file, default false.
+     * @param bool   $isLoggedIn User login state, default false.
+     *
+     * @throws \Exception Invalid
+     */
+    public function remove($setting, $write = false, $isLoggedIn = false)
+    {
+        if (empty($setting) || ! is_string($setting)) {
+            throw new \Exception(t('Invalid setting key parameter. String expected, got: '). gettype($setting));
+        }
+
+        // During the ConfigIO transition, map legacy settings to the new ones.
+        if ($this->configIO instanceof ConfigPhp && isset(ConfigPhp::$LEGACY_KEYS_MAPPING[$setting])) {
+            $setting = ConfigPhp::$LEGACY_KEYS_MAPPING[$setting];
+        }
+
+        $settings = explode('.', $setting);
+        self::removeConfig($settings, $this->loadedConfig);
+        if ($write) {
+            $this->write($isLoggedIn);
+        }
+    }
+
+    /**
      * Check if a settings exists.
      *
      * Supports nested settings with dot separated keys.
@@ -272,7 +299,7 @@ class ConfigManager
      *
      * @param array $settings Ordered array which contains keys to find.
      * @param mixed $value
-     * @param array $conf   Loaded settings, then sub-array.
+     * @param array $conf     Loaded settings, then sub-array.
      *
      * @return mixed Found setting or NOT_FOUND flag.
      */
@@ -290,6 +317,27 @@ class ConfigManager
     }
 
     /**
+     * Recursive function which find asked setting in the loaded config and deletes it.
+     *
+     * @param array $settings Ordered array which contains keys to find.
+     * @param array $conf     Loaded settings, then sub-array.
+     *
+     * @return mixed Found setting or NOT_FOUND flag.
+     */
+    protected static function removeConfig($settings, &$conf)
+    {
+        if (!is_array($settings) || count($settings) == 0) {
+            return self::$NOT_FOUND;
+        }
+
+        $setting = array_shift($settings);
+        if (count($settings) > 0) {
+            return self::removeConfig($settings, $conf[$setting]);
+        }
+        unset($conf[$setting]);
+    }
+
+    /**
      * Set a bunch of default values allowing Shaarli to start without a config file.
      */
     protected function setDefaultValues()
@@ -333,12 +381,12 @@ class ConfigManager
         // default state of the 'remember me' checkbox of the login form
         $this->setEmpty('privacy.remember_user_default', true);
 
-        $this->setEmpty('thumbnail.enable_thumbnails', true);
-        $this->setEmpty('thumbnail.enable_localcache', true);
-
         $this->setEmpty('redirector.url', '');
         $this->setEmpty('redirector.encode_url', true);
 
+        $this->setEmpty('thumbnails.width', '125');
+        $this->setEmpty('thumbnails.height', '90');
+
         $this->setEmpty('translation.language', 'auto');
         $this->setEmpty('translation.mode', 'php');
         $this->setEmpty('translation.extensions', []);
diff --git a/application/config/ConfigPhp.php b/application/config/ConfigPhp.php
index 8add8bcd..9625fe1a 100644
--- a/application/config/ConfigPhp.php
+++ b/application/config/ConfigPhp.php
@@ -104,12 +104,20 @@ class ConfigPhp implements ConfigIO
 
         // Store all $conf['config']
         foreach ($conf['config'] as $key => $value) {
-            $configStr .= '$GLOBALS[\'config\'][\''. $key .'\'] = '.var_export($conf['config'][$key], true).';'. PHP_EOL;
+            $configStr .= '$GLOBALS[\'config\'][\''
+                . $key
+                .'\'] = '
+                .var_export($conf['config'][$key], true).';'
+                . PHP_EOL;
         }
 
         if (isset($conf['plugins'])) {
             foreach ($conf['plugins'] as $key => $value) {
-                $configStr .= '$GLOBALS[\'plugins\'][\''. $key .'\'] = '.var_export($conf['plugins'][$key], true).';'. PHP_EOL;
+                $configStr .= '$GLOBALS[\'plugins\'][\''
+                    . $key
+                    .'\'] = '
+                    .var_export($conf['plugins'][$key], true).';'
+                    . PHP_EOL;
             }
         }
 
diff --git a/application/config/ConfigPlugin.php b/application/config/ConfigPlugin.php
index b3d9752b..dbb24937 100644
--- a/application/config/ConfigPlugin.php
+++ b/application/config/ConfigPlugin.php
@@ -34,8 +34,7 @@ function save_plugin_config($formData)
         // If there is no order, it means a disabled plugin has been enabled.
         if (isset($formData['order_' . $key])) {
             $plugins[(int) $formData['order_' . $key]] = $key;
-        }
-        else {
+        } else {
             $newEnabledPlugins[] = $key;
         }
     }
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
new file mode 100644
index 00000000..0f315483
--- /dev/null
+++ b/application/security/LoginManager.php
@@ -0,0 +1,264 @@
+<?php
+namespace Shaarli\Security;
+
+use Shaarli\Config\ConfigManager;
+
+/**
+ * User login management
+ */
+class LoginManager
+{
+    /** @var string Name of the cookie set after logging in **/
+    public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn';
+
+    /** @var array A reference to the $_GLOBALS array */
+    protected $globals = [];
+
+    /** @var ConfigManager Configuration Manager instance **/
+    protected $configManager = null;
+
+    /** @var SessionManager Session Manager instance **/
+    protected $sessionManager = null;
+
+    /** @var string Path to the file containing IP bans */
+    protected $banFile = '';
+
+    /** @var bool Whether the user is logged in **/
+    protected $isLoggedIn = false;
+
+    /** @var bool Whether the Shaarli instance is open to public edition **/
+    protected $openShaarli = false;
+
+    /** @var string User sign-in token depending on remote IP and credentials */
+    protected $staySignedInToken = '';
+
+    /**
+     * Constructor
+     *
+     * @param array          $globals        The $GLOBALS array (reference)
+     * @param ConfigManager  $configManager  Configuration Manager instance
+     * @param SessionManager $sessionManager SessionManager instance
+     */
+    public function __construct(& $globals, $configManager, $sessionManager)
+    {
+        $this->globals = &$globals;
+        $this->configManager = $configManager;
+        $this->sessionManager = $sessionManager;
+        $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
+        $this->readBanFile();
+        if ($this->configManager->get('security.open_shaarli') === true) {
+            $this->openShaarli = true;
+        }
+    }
+
+    /**
+     * Generate a token depending on deployment salt, user password and client IP
+     *
+     * @param string $clientIpAddress The remote client IP address
+     */
+    public function generateStaySignedInToken($clientIpAddress)
+    {
+        $this->staySignedInToken = sha1(
+            $this->configManager->get('credentials.hash')
+            . $clientIpAddress
+            . $this->configManager->get('credentials.salt')
+        );
+    }
+
+    /**
+     * Return the user's client stay-signed-in token
+     *
+     * @return string User's client stay-signed-in token
+     */
+    public function getStaySignedInToken()
+    {
+        return $this->staySignedInToken;
+    }
+
+    /**
+     * Check user session state and validity (expiration)
+     *
+     * @param array  $cookie     The $_COOKIE array
+     * @param string $clientIpId Client IP address identifier
+     */
+    public function checkLoginState($cookie, $clientIpId)
+    {
+        if (! $this->configManager->exists('credentials.login')) {
+            // Shaarli is not configured yet
+            $this->isLoggedIn = false;
+            return;
+        }
+
+        if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE])
+            && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken
+        ) {
+            // The user client has a valid stay-signed-in cookie
+            // Session information is updated with the current client information
+            $this->sessionManager->storeLoginInfo($clientIpId);
+        } elseif ($this->sessionManager->hasSessionExpired()
+            || $this->sessionManager->hasClientIpChanged($clientIpId)
+        ) {
+            $this->sessionManager->logout();
+            $this->isLoggedIn = false;
+            return;
+        }
+
+        $this->isLoggedIn = true;
+        $this->sessionManager->extendSession();
+    }
+
+    /**
+     * Return whether the user is currently logged in
+     *
+     * @return true when the user is logged in, false otherwise
+     */
+    public function isLoggedIn()
+    {
+        if ($this->openShaarli) {
+            return true;
+        }
+        return $this->isLoggedIn;
+    }
+
+    /**
+     * Check user credentials are valid
+     *
+     * @param string $remoteIp   Remote client IP address
+     * @param string $clientIpId Client IP address identifier
+     * @param string $login      Username
+     * @param string $password   Password
+     *
+     * @return bool true if the provided credentials are valid, false otherwise
+     */
+    public function checkCredentials($remoteIp, $clientIpId, $login, $password)
+    {
+        $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+
+        if ($login != $this->configManager->get('credentials.login')
+            || $hash != $this->configManager->get('credentials.hash')
+        ) {
+            logm(
+                $this->configManager->get('resource.log'),
+                $remoteIp,
+                'Login failed for user ' . $login
+            );
+            return false;
+        }
+
+        $this->sessionManager->storeLoginInfo($clientIpId);
+        logm(
+            $this->configManager->get('resource.log'),
+            $remoteIp,
+            'Login successful'
+        );
+        return true;
+    }
+
+    /**
+     * Read a file containing banned IPs
+     */
+    protected function readBanFile()
+    {
+        if (! file_exists($this->banFile)) {
+            return;
+        }
+        include $this->banFile;
+    }
+
+    /**
+     * Write the banned IPs to a file
+     */
+    protected function writeBanFile()
+    {
+        if (! array_key_exists('IPBANS', $this->globals)) {
+            return;
+        }
+        file_put_contents(
+            $this->banFile,
+            "<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
+        );
+    }
+
+    /**
+     * Handle a failed login and ban the IP after too many failed attempts
+     *
+     * @param array $server The $_SERVER array
+     */
+    public function handleFailedLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        $trusted = $this->configManager->get('security.trusted_proxies', []);
+
+        if (in_array($ip, $trusted)) {
+            $ip = getIpAddressFromProxy($server, $trusted);
+            if (! $ip) {
+                // the IP is behind a trusted forward proxy, but is not forwarded
+                // in the HTTP headers, so we do nothing
+                return;
+            }
+        }
+
+        // increment the fail count for this IP
+        if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
+            $this->globals['IPBANS']['FAILURES'][$ip]++;
+        } else {
+            $this->globals['IPBANS']['FAILURES'][$ip] = 1;
+        }
+
+        if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
+            $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
+            logm(
+                $this->configManager->get('resource.log'),
+                $server['REMOTE_ADDR'],
+                'IP address banned from login'
+            );
+        }
+        $this->writeBanFile();
+    }
+
+    /**
+     * Handle a successful login
+     *
+     * @param array $server The $_SERVER array
+     */
+    public function handleSuccessfulLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        // FIXME unban when behind a trusted proxy?
+
+        unset($this->globals['IPBANS']['FAILURES'][$ip]);
+        unset($this->globals['IPBANS']['BANS'][$ip]);
+
+        $this->writeBanFile();
+    }
+
+    /**
+     * Check if the user can login from this IP
+     *
+     * @param array $server The $_SERVER array
+     *
+     * @return bool true if the user is allowed to login
+     */
+    public function canLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+
+        if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
+            // the user is not banned
+            return true;
+        }
+
+        if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
+            // the user is still banned
+            return false;
+        }
+
+        // the ban has expired, the user can attempt to log in again
+        logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
+        unset($this->globals['IPBANS']['FAILURES'][$ip]);
+        unset($this->globals['IPBANS']['BANS'][$ip]);
+
+        $this->writeBanFile();
+        return true;
+    }
+}
diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php
new file mode 100644
index 00000000..b8b8ab8d
--- /dev/null
+++ b/application/security/SessionManager.php
@@ -0,0 +1,199 @@
+<?php
+namespace Shaarli\Security;
+
+use Shaarli\Config\ConfigManager;
+
+/**
+ * Manages the server-side session
+ */
+class SessionManager
+{
+    /** @var int Session expiration timeout, in seconds */
+    public static $SHORT_TIMEOUT = 3600;    // 1 hour
+
+    /** @var int Session expiration timeout, in seconds */
+    public static $LONG_TIMEOUT = 31536000; // 1 year
+
+    /** @var array Local reference to the global $_SESSION array */
+    protected $session = [];
+
+    /** @var ConfigManager Configuration Manager instance **/
+    protected $conf = null;
+
+    /** @var bool Whether the user should stay signed in (LONG_TIMEOUT) */
+    protected $staySignedIn = false;
+
+    /**
+     * Constructor
+     *
+     * @param array         $session The $_SESSION array (reference)
+     * @param ConfigManager $conf    ConfigManager instance
+     */
+    public function __construct(& $session, $conf)
+    {
+        $this->session = &$session;
+        $this->conf = $conf;
+    }
+
+    /**
+     * Define whether the user should stay signed in across browser sessions
+     *
+     * @param bool $staySignedIn Keep the user signed in
+     */
+    public function setStaySignedIn($staySignedIn)
+    {
+        $this->staySignedIn = $staySignedIn;
+    }
+
+    /**
+     * Generates a session token
+     *
+     * @return string token
+     */
+    public function generateToken()
+    {
+        $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
+        $this->session['tokens'][$token] = 1;
+        return $token;
+    }
+
+    /**
+     * Checks the validity of a session token, and destroys it afterwards
+     *
+     * @param string $token The token to check
+     *
+     * @return bool true if the token is valid, else false
+     */
+    public function checkToken($token)
+    {
+        if (! isset($this->session['tokens'][$token])) {
+            // the token is wrong, or has already been used
+            return false;
+        }
+
+        // destroy the token to prevent future use
+        unset($this->session['tokens'][$token]);
+        return true;
+    }
+
+    /**
+     * Validate session ID to prevent Full Path Disclosure.
+     *
+     * See #298.
+     * The session ID's format depends on the hash algorithm set in PHP settings
+     *
+     * @param string $sessionId Session ID
+     *
+     * @return true if valid, false otherwise.
+     *
+     * @see http://php.net/manual/en/function.hash-algos.php
+     * @see http://php.net/manual/en/session.configuration.php
+     */
+    public static function checkId($sessionId)
+    {
+        if (empty($sessionId)) {
+            return false;
+        }
+
+        if (!$sessionId) {
+            return false;
+        }
+
+        if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * Store user login information after a successful login
+     *
+     * @param string $clientIpId Client IP address identifier
+     */
+    public function storeLoginInfo($clientIpId)
+    {
+        $this->session['ip'] = $clientIpId;
+        $this->session['username'] = $this->conf->get('credentials.login');
+        $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
+    }
+
+    /**
+     * Extend session validity
+     */
+    public function extendSession()
+    {
+        if ($this->staySignedIn) {
+            return $this->extendTimeValidityBy(self::$LONG_TIMEOUT);
+        }
+        return $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
+    }
+
+    /**
+     * Extend expiration time
+     *
+     * @param int $duration Expiration time extension (seconds)
+     *
+     * @return int New session expiration time
+     */
+    protected function extendTimeValidityBy($duration)
+    {
+        $expirationTime = time() + $duration;
+        $this->session['expires_on'] = $expirationTime;
+        return $expirationTime;
+    }
+
+    /**
+     * Logout a user by unsetting all login information
+     *
+     * See:
+     * - https://secure.php.net/manual/en/function.setcookie.php
+     */
+    public function logout()
+    {
+        if (isset($this->session)) {
+            unset($this->session['ip']);
+            unset($this->session['expires_on']);
+            unset($this->session['username']);
+            unset($this->session['visibility']);
+            unset($this->session['untaggedonly']);
+        }
+    }
+
+    /**
+     * Check whether the session has expired
+     *
+     * @param string $clientIpId Client IP address identifier
+     *
+     * @return bool true if the session has expired, false otherwise
+     */
+    public function hasSessionExpired()
+    {
+        if (empty($this->session['expires_on'])) {
+            return true;
+        }
+        if (time() >= $this->session['expires_on']) {
+            return true;
+        }
+        return false;
+    }
+
+    /**
+     * Check whether the client IP address has changed
+     *
+     * @param string $clientIpId Client IP address identifier
+     *
+     * @return bool true if the IP has changed, false if it has not, or
+     *              if session protection has been disabled
+     */
+    public function hasClientIpChanged($clientIpId)
+    {
+        if ($this->conf->get('security.session_protection_disabled') === true) {
+            return false;
+        }
+        if (isset($this->session['ip']) && $this->session['ip'] === $clientIpId) {
+            return false;
+        }
+        return true;
+    }
+}