From ebf615173824a46de82fa97a165bcfd883db15ce Mon Sep 17 00:00:00 2001
From: VirtualTam <virtualtam@flibidi.net>
Date: Thu, 10 May 2018 13:07:51 +0200
Subject: SessionManager: remove unused UID token
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

There already are dedicated tokens for:
- CSRF protection
- user stay-signed-in feature, via cookie

This token was most likely intended as a randomly generated,
server-side, secret key to be used when generating hashes.

See http://sebsauvage.net/wiki/doku.php?id=php:session [FR]

Relevant section:

  Une clé secrète unique aléatoire est générée côté serveur (et jamais
  envoyée). Elle peut servir pour signer les formulaires (HMAC) ou
  générer des token de formulaires (protection contre XSRF).
  Voir $_SESSION['uid'].

Translation:

  A unique, server-side secret key is randomly generated (and never
  transmitted). It can be used to sign forms (HMAC) or generate form
  tokens (protection against XSRF).
  See $_SESSION['uid']

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
---
 application/security/SessionManager.php | 6 ------
 1 file changed, 6 deletions(-)

(limited to 'application')

diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php
index 58973130..24e25528 100644
--- a/application/security/SessionManager.php
+++ b/application/security/SessionManager.php
@@ -113,8 +113,6 @@ class SessionManager
      */
     public function storeLoginInfo($clientIpId)
     {
-        // Generate unique random number (different than phpsessionid)
-        $this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand());
         $this->session['ip'] = $clientIpId;
         $this->session['username'] = $this->conf->get('credentials.login');
         $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
@@ -154,7 +152,6 @@ class SessionManager
     public function logout()
     {
         if (isset($this->session)) {
-            unset($this->session['uid']);
             unset($this->session['ip']);
             unset($this->session['expires_on']);
             unset($this->session['username']);
@@ -172,9 +169,6 @@ class SessionManager
      */
     public function hasSessionExpired()
     {
-        if (empty($this->session['uid'])) {
-            return true;
-        }
         if (time() >= $this->session['expires_on']) {
             return true;
         }
-- 
cgit v1.2.3