From c689e108639a4f6aa9e15928422e14db7cbe30ca Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Sun, 6 May 2018 17:06:36 +0200 Subject: Refactor LoginManager stay-signed-in token management Signed-off-by: VirtualTam --- application/security/LoginManager.php | 37 +++++++++++++++++++++++++++++---- application/security/SessionManager.php | 3 --- 2 files changed, 33 insertions(+), 7 deletions(-) (limited to 'application/security') diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index 27247f3f..41fa9a20 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php @@ -8,6 +8,9 @@ use Shaarli\Config\ConfigManager; */ class LoginManager { + /** @var string Name of the cookie set after logging in **/ + public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn'; + /** @var array A reference to the $_GLOBALS array */ protected $globals = []; @@ -26,6 +29,9 @@ class LoginManager /** @var bool Whether the Shaarli instance is open to public edition **/ protected $openShaarli = false; + /** @var string User sign-in token depending on remote IP and credentials */ + protected $staySignedInToken = ''; + /** * Constructor * @@ -45,16 +51,39 @@ class LoginManager } } + /** + * Generate a token depending on deployment salt, user password and client IP + * + * @param string $clientIpAddress The remote client IP address + */ + public function generateStaySignedInToken($clientIpAddress) + { + $this->staySignedInToken = sha1( + $this->configManager->get('credentials.hash') + . $clientIpAddress + . $this->configManager->get('credentials.salt') + ); + } + + /** + * Return the user's client stay-signed-in token + * + * @return string User's client stay-signed-in token + */ + public function getStaySignedInToken() + { + return $this->staySignedInToken; + } + /** * Check user session state and validity (expiration) * * @param array $cookie The $_COOKIE array * @param string $clientIpId Client IP address identifier - * @param string $token Session token * * @return bool true if the user session is valid, false otherwise */ - public function checkLoginState($cookie, $clientIpId, $token) + public function checkLoginState($cookie, $clientIpId) { if (! $this->configManager->exists('credentials.login')) { // Shaarli is not configured yet @@ -62,8 +91,8 @@ class LoginManager return; } - if (isset($cookie[SessionManager::$LOGGED_IN_COOKIE]) - && $cookie[SessionManager::$LOGGED_IN_COOKIE] === $token + if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE]) + && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken ) { $this->sessionManager->storeLoginInfo($clientIpId); $this->isLoggedIn = true; diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php index 0dcd7f90..58973130 100644 --- a/application/security/SessionManager.php +++ b/application/security/SessionManager.php @@ -14,9 +14,6 @@ class SessionManager /** @var int Session expiration timeout, in seconds */ public static $LONG_TIMEOUT = 31536000; // 1 year - /** @var string Name of the cookie set after logging in **/ - public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn'; - /** @var array Local reference to the global $_SESSION array */ protected $session = []; -- cgit v1.2.3