From db45a36a53dbd722e5e891827e49d9e7651f2a5e Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Fri, 16 Feb 2018 22:21:59 +0100 Subject: Refactor SessionManager::$INACTIVITY_TIMEOUT Changed: - move INACTIVITY_TIMEOUT to SessionManager - inject a dependency to a SessionManager instance in: - fillSessionInfo() - setup_login_state() - check_auth() - cleanup related code and comments Signed-off-by: VirtualTam --- application/SessionManager.php | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'application/SessionManager.php') diff --git a/application/SessionManager.php b/application/SessionManager.php index 71f0b38d..704f8504 100644 --- a/application/SessionManager.php +++ b/application/SessionManager.php @@ -6,6 +6,10 @@ namespace Shaarli; */ class SessionManager { + /** Session expiration timeout, in seconds */ + public static $INACTIVITY_TIMEOUT = 3600; + + /** Local reference to the global $_SESSION array */ protected $session = []; /** -- cgit v1.2.3 From 49f183231662c642ca9df6ceabf43fe128a5ffc1 Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Sat, 17 Feb 2018 01:14:58 +0100 Subject: Refactor PHP session handling during login/logout Changed: - move $_SESSION handling to SessionManager - code cleanup Signed-off-by: VirtualTam --- application/SessionManager.php | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) (limited to 'application/SessionManager.php') diff --git a/application/SessionManager.php b/application/SessionManager.php index 704f8504..7bfd2220 100644 --- a/application/SessionManager.php +++ b/application/SessionManager.php @@ -9,9 +9,15 @@ class SessionManager /** Session expiration timeout, in seconds */ public static $INACTIVITY_TIMEOUT = 3600; + /** Name of the cookie set after logging in **/ + public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn'; + /** Local reference to the global $_SESSION array */ protected $session = []; + /** ConfigManager instance **/ + protected $conf = null; + /** * Constructor * @@ -84,4 +90,38 @@ class SessionManager return true; } + + /** + * Store user login information after a successful login + * + * @param array $server The global $_SERVER array + */ + public function storeLoginInfo($server) + { + // Generate unique random number (different than phpsessionid) + $this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand()); + $this->session['ip'] = client_ip_id($server); + $this->session['username'] = $this->conf->get('credentials.login'); + $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT; + } + + /** + * Logout a user by unsetting all login information + * + * See: + * - https://secure.php.net/manual/en/function.setcookie.php + * + * @param string $webPath path on the server in which the cookie will be available on + */ + public function logout($webPath) + { + if (isset($this->session)) { + unset($this->session['uid']); + unset($this->session['ip']); + unset($this->session['username']); + unset($this->session['visibility']); + unset($this->session['untaggedonly']); + } + setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath); + } } -- cgit v1.2.3 From c7721487b2459e6760cae9d6292b7d39c306d3d6 Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Wed, 4 Apr 2018 00:54:59 +0200 Subject: Delegate session operations to SessionManager Signed-off-by: VirtualTam --- application/SessionManager.php | 66 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 59 insertions(+), 7 deletions(-) (limited to 'application/SessionManager.php') diff --git a/application/SessionManager.php b/application/SessionManager.php index 7bfd2220..63eeb8aa 100644 --- a/application/SessionManager.php +++ b/application/SessionManager.php @@ -1,21 +1,23 @@ session['uid'] = sha1(uniqid('', true) . '_' . mt_rand()); - $this->session['ip'] = client_ip_id($server); + $this->session['ip'] = $clientIpId; $this->session['username'] = $this->conf->get('credentials.login'); $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT; } + /** + * Extend session validity + */ + public function extendSession() + { + if (! empty($this->session['longlastingsession'])) { + // "Stay signed in" is enabled + $this->session['expires_on'] = time() + $this->session['longlastingsession']; + return; + } + $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT; + } + /** * Logout a user by unsetting all login information * @@ -124,4 +139,41 @@ class SessionManager } setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath); } + + /** + * Check whether the session has expired + * + * @param string $clientIpId Client IP address identifier + * + * @return bool true if the session has expired, false otherwise + */ + public function hasSessionExpired() + { + if (empty($this->session['uid'])) { + return true; + } + if (time() >= $this->session['expires_on']) { + return true; + } + return false; + } + + /** + * Check whether the client IP address has changed + * + * @param string $clientIpId Client IP address identifier + * + * @return bool true if the IP has changed, false if it has not, or + * if session protection has been disabled + */ + public function hasClientIpChanged($clientIpId) + { + if ($this->conf->get('security.session_protection_disabled') === true) { + return false; + } + if ($this->session['ip'] == $clientIpId) { + return false; + } + return true; + } } -- cgit v1.2.3 From fab87c2696b9d6a26310f1bfc024b018ca5184fe Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Fri, 27 Apr 2018 22:12:22 +0200 Subject: Move LoginManager and SessionManager to the Security namespace Signed-off-by: VirtualTam --- application/SessionManager.php | 179 ----------------------------------------- 1 file changed, 179 deletions(-) delete mode 100644 application/SessionManager.php (limited to 'application/SessionManager.php') diff --git a/application/SessionManager.php b/application/SessionManager.php deleted file mode 100644 index 63eeb8aa..00000000 --- a/application/SessionManager.php +++ /dev/null @@ -1,179 +0,0 @@ -session = &$session; - $this->conf = $conf; - } - - /** - * Generates a session token - * - * @return string token - */ - public function generateToken() - { - $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt')); - $this->session['tokens'][$token] = 1; - return $token; - } - - /** - * Checks the validity of a session token, and destroys it afterwards - * - * @param string $token The token to check - * - * @return bool true if the token is valid, else false - */ - public function checkToken($token) - { - if (! isset($this->session['tokens'][$token])) { - // the token is wrong, or has already been used - return false; - } - - // destroy the token to prevent future use - unset($this->session['tokens'][$token]); - return true; - } - - /** - * Validate session ID to prevent Full Path Disclosure. - * - * See #298. - * The session ID's format depends on the hash algorithm set in PHP settings - * - * @param string $sessionId Session ID - * - * @return true if valid, false otherwise. - * - * @see http://php.net/manual/en/function.hash-algos.php - * @see http://php.net/manual/en/session.configuration.php - */ - public static function checkId($sessionId) - { - if (empty($sessionId)) { - return false; - } - - if (!$sessionId) { - return false; - } - - if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) { - return false; - } - - return true; - } - - /** - * Store user login information after a successful login - * - * @param string $clientIpId Client IP address identifier - */ - public function storeLoginInfo($clientIpId) - { - // Generate unique random number (different than phpsessionid) - $this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand()); - $this->session['ip'] = $clientIpId; - $this->session['username'] = $this->conf->get('credentials.login'); - $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT; - } - - /** - * Extend session validity - */ - public function extendSession() - { - if (! empty($this->session['longlastingsession'])) { - // "Stay signed in" is enabled - $this->session['expires_on'] = time() + $this->session['longlastingsession']; - return; - } - $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT; - } - - /** - * Logout a user by unsetting all login information - * - * See: - * - https://secure.php.net/manual/en/function.setcookie.php - * - * @param string $webPath path on the server in which the cookie will be available on - */ - public function logout($webPath) - { - if (isset($this->session)) { - unset($this->session['uid']); - unset($this->session['ip']); - unset($this->session['username']); - unset($this->session['visibility']); - unset($this->session['untaggedonly']); - } - setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath); - } - - /** - * Check whether the session has expired - * - * @param string $clientIpId Client IP address identifier - * - * @return bool true if the session has expired, false otherwise - */ - public function hasSessionExpired() - { - if (empty($this->session['uid'])) { - return true; - } - if (time() >= $this->session['expires_on']) { - return true; - } - return false; - } - - /** - * Check whether the client IP address has changed - * - * @param string $clientIpId Client IP address identifier - * - * @return bool true if the IP has changed, false if it has not, or - * if session protection has been disabled - */ - public function hasClientIpChanged($clientIpId) - { - if ($this->conf->get('security.session_protection_disabled') === true) { - return false; - } - if ($this->session['ip'] == $clientIpId) { - return false; - } - return true; - } -} -- cgit v1.2.3