aboutsummaryrefslogtreecommitdiffhomepage
path: root/inc/3rdparty/Session.class.php
diff options
context:
space:
mode:
authorNicolas LÅ“uillet <nicolas.loeuillet@gmail.com>2013-08-07 10:41:26 -0700
committerNicolas LÅ“uillet <nicolas.loeuillet@gmail.com>2013-08-07 10:41:26 -0700
commit01c0e050ad8eca54f115dfa21db99e4f61ab7ca7 (patch)
treee1bdacb68b3a56644f4525974844dd954d6e3c6b /inc/3rdparty/Session.class.php
parentda2c5d6fc33587c775a7d8a738c2c18de41f83b2 (diff)
parent339d510fda0a43b08981309f7540acedf3a4976c (diff)
downloadwallabag-01c0e050ad8eca54f115dfa21db99e4f61ab7ca7.tar.gz
wallabag-01c0e050ad8eca54f115dfa21db99e4f61ab7ca7.tar.zst
wallabag-01c0e050ad8eca54f115dfa21db99e4f61ab7ca7.zip
Merge pull request #104 from inthepoche/twig
Twig version on dev branch
Diffstat (limited to 'inc/3rdparty/Session.class.php')
-rw-r--r--inc/3rdparty/Session.class.php136
1 files changed, 136 insertions, 0 deletions
diff --git a/inc/3rdparty/Session.class.php b/inc/3rdparty/Session.class.php
new file mode 100644
index 00000000..3162f507
--- /dev/null
+++ b/inc/3rdparty/Session.class.php
@@ -0,0 +1,136 @@
1<?php
2/**
3 * Session management class
4 * http://www.developpez.net/forums/d51943/php/langage/sessions/
5 * http://sebsauvage.net/wiki/doku.php?id=php:session
6 * http://sebsauvage.net/wiki/doku.php?id=php:shaarli
7 *
8 * Features:
9 * - Everything is stored on server-side (we do not trust client-side data,
10 * such as cookie expiration)
11 * - IP addresses + user agent are checked on each access to prevent session
12 * cookie hijacking (such as Firesheep)
13 * - Session expires on user inactivity (Session expiration date is
14 * automatically updated everytime the user accesses a page.)
15 * - A unique secret key is generated on server-side for this session
16 * (and never sent over the wire) which can be used
17 * to sign forms (HMAC) (See $_SESSION['uid'] )
18 * - Token management to prevent XSRF attacks.
19 *
20 * TODO:
21 * - log login fail
22 * - prevent brute force (ban IP)
23 *
24 * HOWTOUSE:
25 * - Just call Session::init(); to initialize session and
26 * check if connected with Session::isLogged()
27 */
28
29class Session
30{
31 // If the user does not access any page within this time,
32 // his/her session is considered expired (in seconds).
33 public static $inactivity_timeout = 3600;
34 private static $_instance;
35
36 // constructor
37 private function __construct()
38 {
39 // Use cookies to store session.
40 ini_set('session.use_cookies', 1);
41 // Force cookies for session (phpsessionID forbidden in URL)
42 ini_set('session.use_only_cookies', 1);
43 if (!session_id()){
44 // Prevent php to use sessionID in URL if cookies are disabled.
45 ini_set('session.use_trans_sid', false);
46 session_start('poche');
47 }
48 }
49
50 // initialize session
51 public static function init()
52 {
53 if (!isset(self::$_instance)) {
54 self::$_instance = new Session();
55 }
56 }
57
58 // Returns the IP address, user agent and language of the client
59 // (Used to prevent session cookie hijacking.)
60 private static function _allInfos()
61 {
62 $infos = $_SERVER["REMOTE_ADDR"];
63 if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
64 $infos.=$_SERVER['HTTP_X_FORWARDED_FOR'];
65 }
66 if (isset($_SERVER['HTTP_CLIENT_IP'])) {
67 $infos.='_'.$_SERVER['HTTP_CLIENT_IP'];
68 }
69 $infos.='_'.$_SERVER['HTTP_USER_AGENT'];
70 $infos.='_'.$_SERVER['HTTP_ACCEPT_LANGUAGE'];
71 return sha1($infos);
72 }
73
74 // Check that user/password is correct and init some SESSION variables.
75 public static function login($login,$password,$login_test,$password_test,
76 $pValues = array())
77 {
78 foreach ($pValues as $key => $value) {
79 $_SESSION[$key] = $value;
80 }
81 if ($login==$login_test && $password==$password_test){
82 // generate unique random number to sign forms (HMAC)
83 $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand());
84 $_SESSION['info']=Session::_allInfos();
85 $_SESSION['username']=$login;
86 // Set session expiration.
87 $_SESSION['expires_on']=time()+Session::$inactivity_timeout;
88 return true;
89 }
90 return false;
91 }
92
93 // Force logout
94 public static function logout()
95 {
96 unset($_SESSION['uid'],$_SESSION['info'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['poche_user']);
97 }
98
99 // Make sure user is logged in.
100 public static function isLogged()
101 {
102 if (!isset ($_SESSION['uid'])
103 || $_SESSION['info']!=Session::_allInfos()
104 || time()>=$_SESSION['expires_on']){
105 Session::logout();
106 return false;
107 }
108 // User accessed a page : Update his/her session expiration date.
109 $_SESSION['expires_on']=time()+Session::$inactivity_timeout;
110 return true;
111 }
112
113 // Returns a token.
114 public static function getToken()
115 {
116 if (!isset($_SESSION['tokens'])){
117 $_SESSION['tokens']=array();
118 }
119 // We generate a random string and store it on the server side.
120 $rnd = sha1(uniqid('',true).'_'.mt_rand());
121 $_SESSION['tokens'][$rnd]=1;
122 return $rnd;
123 }
124
125 // Tells if a token is ok. Using this function will destroy the token.
126 // return true if token is ok.
127 public static function isToken($token)
128 {
129 if (isset($_SESSION['tokens'][$token]))
130 {
131 unset($_SESSION['tokens'][$token]); // Token is used: destroy it.
132 return true; // Token is ok.
133 }
134 return false; // Wrong token, or already used.
135 }
136} \ No newline at end of file