author | Nicolas Lœuillet <nicolas@loeuillet.org> | 2014-04-03 14:42:03 +0200 |
---|---|---|
committer | Nicolas Lœuillet <nicolas@loeuillet.org> | 2014-04-03 14:42:03 +0200 |
commit | 0d67b00d5d3b7ce1b76b639dcc65c415a5f13439 (patch) | |
tree | 7c4d113bb1c3d90ef53e08138a2850576395780f /inc/3rdparty/Session.class.php | |
parent | 99679d06884120c57f43b44e55e03595f1f87bed (diff) | |
parent | 7d2f1aa2793595aa6cdc58a58260184234cfa809 (diff) | |
wallabag 1.6.0
Diffstat (limited to 'inc/3rdparty/Session.class.php')
-rw-r--r-- | inc/3rdparty/Session.class.php | 40 |
1 files changed, 33 insertions, 7 deletions
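--- a/inc/3rdparty/Session.class.php
+++ b/inc/3rdparty/Session.class.php
@@ -31,9 +31,9 @@ class Session
 public static $sessionName = '';
 // If the user does not access any page within this time,
 // his/her session is considered expired (3600 sec. = 1 hour)
-public static $inactivityTimeout = 86400;
+public static $inactivityTimeout = 3600;
 // Extra timeout for long sessions (if enabled) (82800 sec. = 23 hours)
-public static $longSessionTimeout = 31536000;
+public static $longSessionTimeout = 7776000; // 7776000 = 90 days
 // If you get disconnected often or if your IP address changes often.
 // Let you disable session cookie hijacking protection
 public static $disableSessionProtection = false;
@@ -48,8 +48,13 @@ class Session
 /**
 * Initialize session
 */
-public static function init()
+public static function init($longlastingsession = false)
 {
+//check if session name is correct
+if ( (session_id() && !empty(self::$sessionName) && session_name()!=self::$sessionName) || $longlastingsession ) {
+session_destroy();
+}
+
 // Force cookie path (but do not change lifetime)
 $cookie = session_get_cookie_params();
 // Default cookie expiration and path.
@@ -61,12 +66,22 @@ class Session
 if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
 $ssl = true;
 }
-session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['HTTP_HOST'], $ssl);
+
+if ( $longlastingsession ) {
+session_set_cookie_params(self::$longSessionTimeout, $cookiedir, null, $ssl, true);
+}
+else {
+session_set_cookie_params(0, $cookiedir, null, $ssl, true);
+}
+//set server side valid session timeout
+//WARNING! this may not work in shared session environment. See http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime about min value: it can be set in any application
+ini_set('session.gc_maxlifetime', self::$longSessionTimeout);
+
 // Use cookies to store session.
 ini_set('session.use_cookies', 1);
 // Force cookies for session (phpsessionID forbidden in URL)
 ini_set('session.use_only_cookies', 1);
-if (!session_id()) {
+if ( !session_id() ) {
 // Prevent php to use sessionID in URL if cookies are disabled.
 ini_set('session.use_trans_sid', false);
 if (!empty(self::$sessionName)) {
@@ -115,6 +130,9 @@ class Session
 if (self::banCanLogin()) {
 if ($login === $loginTest && $password === $passwordTest) {
 self::banLoginOk();
+
+self::init($longlastingsession);
+
 // Generate unique random number to sign forms (HMAC)
 $_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());
 $_SESSION['ip'] = self::_allIPs();
@@ -135,6 +153,7 @@ class Session
 self::banLoginFailed();
 }
 
+self::init();
 return false;
 }
 
@@ -143,7 +162,14 @@ class Session
 */
 public static function logout()
 {
-unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['longlastingsession'], $_SESSION['poche_user']);
+// unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['longlastingsession'], $_SESSION['poche_user']);
+
+// Destruction du cookie (le code peut paraître complexe mais c'est pour être certain de reprendre les mêmes paramètres)
+$args = array_merge(array(session_name(), ''), array_values(session_get_cookie_params()));
+$args[2] = time() - 3600;
+call_user_func_array('setcookie', $args);
+// Suppression physique de la session
+session_destroy();
 }
 
 /**
@@ -157,7 +183,7 @@ class Session
 || (self::$disableSessionProtection === false
 && $_SESSION['ip'] !== self::_allIPs())
 || time() >= $_SESSION['expires_on']) {
-self::logout();
+//self::logout();
 
 return false;
 }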
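Review bot: Commenting out `self::logout();` at new line 186 means a session that fails the IP-binding or expiry check is left intact on both sides: the cookie stays in the browser and the server-side data now lives up to `session.gc_maxlifetime`, which the third hunk raises to `self::$longSessionTimeout` (90 days) for every session, not only long-lasting ones. The caller presumably redirects to the login form on `false`, but the stale session is never purged and is re-checked on every later request; restoring `self::logout();` keeps the teardown tied to the failed check. In logout() (sixth hunk) the `unset(...)` of the session keys is also commented out, and `session_destroy()` does not clear `$_SESSION` for the current request, so `$_SESSION['uid']`, `$_SESSION['login']` and the rest remain readable by any code that runs after logout() until the response ends — `$_SESSION = array();` before `session_destroy();` closes that gap. Separately, the new `self::init($longlastingsession);` after a successful credential check (fourth hunk) does not regenerate the session id; unless that happens outside these hunks, adding `session_regenerate_id(true);` right after it would stop a pre-login id from being carried into the authenticated session. The enclosing methods of the fourth, fifth and seventh hunks start outside the shown lines.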