diff options
author | Nicolas Lœuillet <nicolas@loeuillet.org> | 2015-01-19 11:29:25 +0100 |
---|---|---|
committer | Nicolas Lœuillet <nicolas@loeuillet.org> | 2015-01-19 11:29:25 +0100 |
commit | dda7884ace3a3906b65668669fb67b37f596fd62 (patch) | |
tree | 28bd16f76ce3ca307b8f7384083b1b1f13c54551 /inc/3rdparty/Session.class.php | |
parent | 10939766de3b6fb677e8acdd74220ad2da612a26 (diff) | |
download | wallabag-dda7884ace3a3906b65668669fb67b37f596fd62.tar.gz wallabag-dda7884ace3a3906b65668669fb67b37f596fd62.tar.zst wallabag-dda7884ace3a3906b65668669fb67b37f596fd62.zip |
pagination with composer and move FlattrItem
Diffstat (limited to 'inc/3rdparty/Session.class.php')
-rw-r--r-- | inc/3rdparty/Session.class.php | 346 |
1 files changed, 0 insertions, 346 deletions
diff --git a/inc/3rdparty/Session.class.php b/inc/3rdparty/Session.class.php deleted file mode 100644 index b56e4c54..00000000 --- a/inc/3rdparty/Session.class.php +++ /dev/null | |||
@@ -1,346 +0,0 @@ | |||
1 | <?php | ||
2 | /** | ||
3 | * Session management class | ||
4 | * | ||
5 | * http://www.developpez.net/forums/d51943/php/langage/sessions/ | ||
6 | * http://sebsauvage.net/wiki/doku.php?id=php:session | ||
7 | * http://sebsauvage.net/wiki/doku.php?id=php:shaarli | ||
8 | * | ||
9 | * Features: | ||
10 | * - Everything is stored on server-side (we do not trust client-side data, | ||
11 | * such as cookie expiration) | ||
12 | * - IP addresses are checked on each access to prevent session cookie hijacking | ||
13 | * (such as Firesheep) | ||
14 | * - Session expires on user inactivity (Session expiration date is | ||
15 | * automatically updated everytime the user accesses a page.) | ||
16 | * - A unique secret key is generated on server-side for this session | ||
17 | * (and never sent over the wire) which can be used to sign forms (HMAC) | ||
18 | * (See $_SESSION['uid']) | ||
19 | * - Token management to prevent XSRF attacks | ||
20 | * - Brute force protection with ban management | ||
21 | * | ||
22 | * TODOs | ||
23 | * - Replace globals with variables in Session class | ||
24 | * | ||
25 | * How to use: | ||
26 | * - http://tontof.net/kriss/php5/session | ||
27 | */ | ||
28 | class Session | ||
29 | { | ||
30 | // Personnalize PHP session name | ||
31 | public static $sessionName = ''; | ||
32 | // If the user does not access any page within this time, | ||
33 | // his/her session is considered expired (3600 sec. = 1 hour) | ||
34 | public static $inactivityTimeout = 3600; | ||
35 | // Extra timeout for long sessions (if enabled) (82800 sec. = 23 hours) | ||
36 | public static $longSessionTimeout = 7776000; // 7776000 = 90 days | ||
37 | // If you get disconnected often or if your IP address changes often. | ||
38 | // Let you disable session cookie hijacking protection | ||
39 | public static $disableSessionProtection = false; | ||
40 | // Ban IP after this many failures. | ||
41 | public static $banAfter = 4; | ||
42 | // Ban duration for IP address after login failures (in seconds). | ||
43 | // (1800 sec. = 30 minutes) | ||
44 | public static $banDuration = 1800; | ||
45 | // File storage for failures and bans. If empty, no ban management. | ||
46 | public static $banFile = ''; | ||
47 | |||
48 | /** | ||
49 | * Initialize session | ||
50 | */ | ||
51 | public static function init($longlastingsession = false) | ||
52 | { | ||
53 | //check if session name is correct | ||
54 | if ( (session_id() && !empty(self::$sessionName) && session_name()!=self::$sessionName) || $longlastingsession ) { | ||
55 | session_destroy(); | ||
56 | } | ||
57 | |||
58 | // Force cookie path (but do not change lifetime) | ||
59 | $cookie = session_get_cookie_params(); | ||
60 | // Default cookie expiration and path. | ||
61 | $cookiedir = ''; | ||
62 | if (dirname($_SERVER['SCRIPT_NAME'])!='/') { | ||
63 | $cookiedir = dirname($_SERVER["SCRIPT_NAME"]).'/'; | ||
64 | } | ||
65 | $ssl = false; | ||
66 | if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") { | ||
67 | $ssl = true; | ||
68 | } | ||
69 | |||
70 | if ( $longlastingsession ) { | ||
71 | session_set_cookie_params(self::$longSessionTimeout, $cookiedir, null, $ssl, true); | ||
72 | } | ||
73 | else { | ||
74 | session_set_cookie_params(0, $cookiedir, null, $ssl, true); | ||
75 | } | ||
76 | //set server side valid session timeout | ||
77 | //WARNING! this may not work in shared session environment. See http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime about min value: it can be set in any application | ||
78 | ini_set('session.gc_maxlifetime', self::$longSessionTimeout); | ||
79 | |||
80 | // Use cookies to store session. | ||
81 | ini_set('session.use_cookies', 1); | ||
82 | // Force cookies for session (phpsessionID forbidden in URL) | ||
83 | ini_set('session.use_only_cookies', 1); | ||
84 | if ( !session_id() ) { | ||
85 | // Prevent php to use sessionID in URL if cookies are disabled. | ||
86 | ini_set('session.use_trans_sid', false); | ||
87 | if (!empty(self::$sessionName)) { | ||
88 | session_name(self::$sessionName); | ||
89 | } | ||
90 | session_start(); | ||
91 | } | ||
92 | } | ||
93 | |||
94 | /** | ||
95 | * Returns the IP address | ||
96 | * (Used to prevent session cookie hijacking.) | ||
97 | * | ||
98 | * @return string IP addresses | ||
99 | */ | ||
100 | private static function _allIPs() | ||
101 | { | ||
102 | $ip = $_SERVER["REMOTE_ADDR"]; | ||
103 | $ip.= isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? '_'.$_SERVER['HTTP_X_FORWARDED_FOR'] : ''; | ||
104 | $ip.= isset($_SERVER['HTTP_CLIENT_IP']) ? '_'.$_SERVER['HTTP_CLIENT_IP'] : ''; | ||
105 | |||
106 | return $ip; | ||
107 | } | ||
108 | |||
109 | /** | ||
110 | * Check that user/password is correct and then init some SESSION variables. | ||
111 | * | ||
112 | * @param string $login Login reference | ||
113 | * @param string $password Password reference | ||
114 | * @param string $loginTest Login to compare with login reference | ||
115 | * @param string $passwordTest Password to compare with password reference | ||
116 | * @param array $pValues Array of variables to store in SESSION | ||
117 | * | ||
118 | * @return true|false True if login and password are correct, false | ||
119 | * otherwise | ||
120 | */ | ||
121 | public static function login ( | ||
122 | $login, | ||
123 | $password, | ||
124 | $loginTest, | ||
125 | $passwordTest, | ||
126 | $longlastingsession, | ||
127 | $pValues = array()) | ||
128 | { | ||
129 | self::banInit(); | ||
130 | if (self::banCanLogin()) { | ||
131 | if ($login === $loginTest && $password === $passwordTest) { | ||
132 | self::banLoginOk(); | ||
133 | |||
134 | self::init($longlastingsession); | ||
135 | |||
136 | // Generate unique random number to sign forms (HMAC) | ||
137 | $_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand()); | ||
138 | $_SESSION['ip'] = self::_allIPs(); | ||
139 | $_SESSION['username'] = $login; | ||
140 | // Set session expiration. | ||
141 | $_SESSION['expires_on'] = time() + self::$inactivityTimeout; | ||
142 | if ($longlastingsession) { | ||
143 | $_SESSION['longlastingsession'] = self::$longSessionTimeout; | ||
144 | $_SESSION['expires_on'] += $_SESSION['longlastingsession']; | ||
145 | } | ||
146 | |||
147 | foreach ($pValues as $key => $value) { | ||
148 | $_SESSION[$key] = $value; | ||
149 | } | ||
150 | |||
151 | return true; | ||
152 | } | ||
153 | self::banLoginFailed(); | ||
154 | } | ||
155 | |||
156 | self::init(); | ||
157 | return false; | ||
158 | } | ||
159 | |||
160 | /** | ||
161 | * Unset SESSION variable to force logout | ||
162 | */ | ||
163 | public static function logout() | ||
164 | { | ||
165 | // unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['longlastingsession'], $_SESSION['poche_user']); | ||
166 | |||
167 | // Destruction du cookie (le code peut paraître complexe mais c'est pour être certain de reprendre les mêmes paramètres) | ||
168 | $args = array_merge(array(session_name(), ''), array_values(session_get_cookie_params())); | ||
169 | $args[2] = time() - 3600; | ||
170 | call_user_func_array('setcookie', $args); | ||
171 | // Suppression physique de la session | ||
172 | session_destroy(); | ||
173 | } | ||
174 | |||
175 | /** | ||
176 | * Make sure user is logged in. | ||
177 | * | ||
178 | * @return true|false True if user is logged in, false otherwise | ||
179 | */ | ||
180 | public static function isLogged() | ||
181 | { | ||
182 | if (!isset ($_SESSION['uid']) | ||
183 | || (self::$disableSessionProtection === false | ||
184 | && $_SESSION['ip'] !== self::_allIPs()) | ||
185 | || time() >= $_SESSION['expires_on']) { | ||
186 | //self::logout(); | ||
187 | |||
188 | return false; | ||
189 | } | ||
190 | // User accessed a page : Update his/her session expiration date. | ||
191 | $_SESSION['expires_on'] = time() + self::$inactivityTimeout; | ||
192 | if (!empty($_SESSION['longlastingsession'])) { | ||
193 | $_SESSION['expires_on'] += $_SESSION['longlastingsession']; | ||
194 | } | ||
195 | |||
196 | return true; | ||
197 | } | ||
198 | |||
199 | /** | ||
200 | * Create a token, store it in SESSION and return it | ||
201 | * | ||
202 | * @param string $salt to prevent birthday attack | ||
203 | * | ||
204 | * @return string Token created | ||
205 | */ | ||
206 | public static function getToken($salt = '') | ||
207 | { | ||
208 | if (!isset($_SESSION['tokens'])) { | ||
209 | $_SESSION['tokens']=array(); | ||
210 | } | ||
211 | // We generate a random string and store it on the server side. | ||
212 | $rnd = sha1(uniqid('', true).'_'.mt_rand().$salt); | ||
213 | $_SESSION['tokens'][$rnd]=1; | ||
214 | |||
215 | return $rnd; | ||
216 | } | ||
217 | |||
218 | /** | ||
219 | * Tells if a token is ok. Using this function will destroy the token. | ||
220 | * | ||
221 | * @param string $token Token to test | ||
222 | * | ||
223 | * @return true|false True if token is correct, false otherwise | ||
224 | */ | ||
225 | public static function isToken($token) | ||
226 | { | ||
227 | if (isset($_SESSION['tokens'][$token])) { | ||
228 | unset($_SESSION['tokens'][$token]); // Token is used: destroy it. | ||
229 | |||
230 | return true; // Token is ok. | ||
231 | } | ||
232 | |||
233 | return false; // Wrong token, or already used. | ||
234 | } | ||
235 | |||
236 | /** | ||
237 | * Signal a failed login. Will ban the IP if too many failures: | ||
238 | */ | ||
239 | public static function banLoginFailed() | ||
240 | { | ||
241 | if (self::$banFile !== '') { | ||
242 | $ip = $_SERVER["REMOTE_ADDR"]; | ||
243 | $gb = $GLOBALS['IPBANS']; | ||
244 | |||
245 | if (!isset($gb['FAILURES'][$ip])) { | ||
246 | $gb['FAILURES'][$ip] = 0; | ||
247 | } | ||
248 | $gb['FAILURES'][$ip]++; | ||
249 | if ($gb['FAILURES'][$ip] > (self::$banAfter - 1)) { | ||
250 | $gb['BANS'][$ip]= time() + self::$banDuration; | ||
251 | } | ||
252 | |||
253 | $GLOBALS['IPBANS'] = $gb; | ||
254 | file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>"); | ||
255 | } | ||
256 | } | ||
257 | |||
258 | /** | ||
259 | * Signals a successful login. Resets failed login counter. | ||
260 | */ | ||
261 | public static function banLoginOk() | ||
262 | { | ||
263 | if (self::$banFile !== '') { | ||
264 | $ip = $_SERVER["REMOTE_ADDR"]; | ||
265 | $gb = $GLOBALS['IPBANS']; | ||
266 | unset($gb['FAILURES'][$ip]); unset($gb['BANS'][$ip]); | ||
267 | $GLOBALS['IPBANS'] = $gb; | ||
268 | file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>"); | ||
269 | } | ||
270 | } | ||
271 | |||
272 | /** | ||
273 | * Ban init | ||
274 | */ | ||
275 | public static function banInit() | ||
276 | { | ||
277 | if (self::$banFile !== '') { | ||
278 | if (!is_file(self::$banFile)) { | ||
279 | file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export(array('FAILURES'=>array(), 'BANS'=>array()), true).";\n?>"); | ||
280 | } | ||
281 | include self::$banFile; | ||
282 | } | ||
283 | } | ||
284 | |||
285 | /** | ||
286 | * Checks if the user CAN login. If 'true', the user can try to login. | ||
287 | * | ||
288 | * @return boolean true if user is banned, false otherwise | ||
289 | */ | ||
290 | public static function banCanLogin() | ||
291 | { | ||
292 | if (self::$banFile !== '') { | ||
293 | $ip = $_SERVER["REMOTE_ADDR"]; | ||
294 | $gb = $GLOBALS['IPBANS']; | ||
295 | if (isset($gb['BANS'][$ip])) { | ||
296 | // User is banned. Check if the ban has expired: | ||
297 | if ($gb['BANS'][$ip] <= time()) { | ||
298 | // Ban expired, user can try to login again. | ||
299 | unset($gb['FAILURES'][$ip]); | ||
300 | unset($gb['BANS'][$ip]); | ||
301 | file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>"); | ||
302 | |||
303 | return true; // Ban has expired, user can login. | ||
304 | } | ||
305 | |||
306 | return false; // User is banned. | ||
307 | } | ||
308 | } | ||
309 | |||
310 | return true; // User is not banned. | ||
311 | } | ||
312 | |||
313 | |||
314 | /** | ||
315 | * Tells if a param exists in session | ||
316 | * | ||
317 | * @param $name name of the param to test | ||
318 | * @return bool | ||
319 | */ | ||
320 | public static function isInSession($name) | ||
321 | { | ||
322 | return (isset($_SESSION[$name]) ? : FALSE); | ||
323 | } | ||
324 | |||
325 | /** | ||
326 | * Returns param in session | ||
327 | * | ||
328 | * @param $name name of the param to return | ||
329 | * @return mixed param or null | ||
330 | */ | ||
331 | public static function getParam($name) | ||
332 | { | ||
333 | return (self::isInSession($name) ? $_SESSION[$name] : NULL); | ||
334 | } | ||
335 | |||
336 | /** | ||
337 | * Store value in session | ||
338 | * | ||
339 | * @param $name name of the variable to store | ||
340 | * @param $value value to store | ||
341 | */ | ||
342 | public static function setParam($name, $value) | ||
343 | { | ||
344 | $_SESSION[$name] = $value; | ||
345 | } | ||
346 | } | ||