authorNicolas Lœuillet <nicolas@loeuillet.org>2014-04-03 14:42:03 +0200
committerNicolas Lœuillet <nicolas@loeuillet.org>2014-04-03 14:42:03 +0200
commit0d67b00d5d3b7ce1b76b639dcc65c415a5f13439 (patch)
tree7c4d113bb1c3d90ef53e08138a2850576395780f /inc/3rdparty/Session.class.php
parent99679d06884120c57f43b44e55e03595f1f87bed (diff)
parent7d2f1aa2793595aa6cdc58a58260184234cfa809 (diff)
Merge pull request #595 from wallabag/dev1.6.11.6.0
wallabag 1.6.0
Diffstat (limited to 'inc/3rdparty/Session.class.php')
-rw-r--r--inc/3rdparty/Session.class.php40
1 files changed, 33 insertions, 7 deletions
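diff --git a/inc/3rdparty/Session.class.php b/inc/3rdparty/Session.class.php
index b30a31f3..59dfbe67 100644
--- a/inc/3rdparty/Session.class.php
+++ b/inc/3rdparty/Session.class.php
@@ -31,9 +31,9 @@ class Session
 public static $sessionName = '';
 // If the user does not access any page within this time,
 // his/her session is considered expired (3600 sec. = 1 hour)
-public static $inactivityTimeout = 86400;
+public static $inactivityTimeout = 3600;
 // Extra timeout for long sessions (if enabled) (82800 sec. = 23 hours)
-public static $longSessionTimeout = 31536000;
+public static $longSessionTimeout = 7776000; // 7776000 = 90 days
 // If you get disconnected often or if your IP address changes often.
 // Let you disable session cookie hijacking protection
 public static $disableSessionProtection = false;
@@ -48,8 +48,13 @@ class Session
 /**
 * Initialize session
 */
-public static function init()
+public static function init($longlastingsession = false)
 {
+//check if session name is correct
+if ( (session_id() && !empty(self::$sessionName) && session_name()!=self::$sessionName) || $longlastingsession ) {
+session_destroy();
+}
+
 // Force cookie path (but do not change lifetime)
 $cookie = session_get_cookie_params();
 // Default cookie expiration and path.
@@ -61,12 +66,22 @@ class Session
 if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
 $ssl = true;
 }
-session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['HTTP_HOST'], $ssl);
+
+if ( $longlastingsession ) {
+session_set_cookie_params(self::$longSessionTimeout, $cookiedir, null, $ssl, true);
+}
+else {
+session_set_cookie_params(0, $cookiedir, null, $ssl, true);
+}
+//set server side valid session timeout
+//WARNING! this may not work in shared session environment. See http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime about min value: it can be set in any application
+ini_set('session.gc_maxlifetime', self::$longSessionTimeout);
+
 // Use cookies to store session.
 ini_set('session.use_cookies', 1);
 // Force cookies for session (phpsessionID forbidden in URL)
 ini_set('session.use_only_cookies', 1);
-if (!session_id()) {
+if ( !session_id() ) {
 // Prevent php to use sessionID in URL if cookies are disabled.
 ini_set('session.use_trans_sid', false);
 if (!empty(self::$sessionName)) {
@@ -115,6 +130,9 @@ class Session
 if (self::banCanLogin()) {
 if ($login === $loginTest && $password === $passwordTest) {
 self::banLoginOk();
+
+self::init($longlastingsession);
+
 // Generate unique random number to sign forms (HMAC)
 $_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());
 $_SESSION['ip'] = self::_allIPs();
@@ -135,6 +153,7 @@ class Session
 self::banLoginFailed();
 }
 
+self::init();
 return false;
 }
 
@@ -143,7 +162,14 @@ class Session
 */
 public static function logout()
 {
-unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['longlastingsession'], $_SESSION['poche_user']);
+// unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['longlastingsession'], $_SESSION['poche_user']);
+
+// Destruction du cookie (le code peut paraître complexe mais c'est pour être certain de reprendre les mêmes paramètres)
+$args = array_merge(array(session_name(), ''), array_values(session_get_cookie_params()));
+$args[2] = time() - 3600;
+call_user_func_array('setcookie', $args);
+// Suppression physique de la session
+session_destroy();
 }
 
 /**
@@ -157,7 +183,7 @@ class Session
 || (self::$disableSessionProtection === false
 && $_SESSION['ip'] !== self::_allIPs())
 || time() >= $_SESSION['expires_on']) {
-self::logout();
+//self::logout();
 
 return false;
 }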
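Review bot: The successful-login branch (new lines 133–138) calls `self::init($longlastingsession)` and then writes the authenticated state into `$_SESSION`, but nothing in the hunk regenerates the session ID, so the authenticated session keeps whatever ID the client presented before logging in — a session-fixation window — unless the part of init() beyond new line 87, which the hunk cuts off, does it. Adding `session_regenerate_id(true);` directly after `self::init($longlastingsession);` (new line 134) closes that window and also drops the pre-authentication session data; note that login() itself begins and ends outside this hunk. Relatedly, new line 186 comments out `self::logout()` in the IP/expiry check, so a session that fails that check is no longer destroyed and its data stays on the server for the 90-day `gc_maxlifetime` set on new line 78, with the cookie still valid on the client; if the destroy was removed on purpose, the reason belongs in a comment on that line, otherwise `session_destroy();` should stay in front of the `return false`.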