1 files changed, 136 insertions, 0 deletions
diff --git a/inc/3rdparty/Session.class.php b/inc/3rdparty/Session.class.php
new file mode 100644
index 00000000..3162f507
--- /dev/null
+++ b/inc/3rdparty/Session.class.php
@@ -0,0 +1,136 @@
+<?php
+/**
+ * Session management class
+ * http://www.developpez.net/forums/d51943/php/langage/sessions/
+ * http://sebsauvage.net/wiki/doku.php?id=php:session
+ * http://sebsauvage.net/wiki/doku.php?id=php:shaarli
+ *
+ * Features:
+ * - Everything is stored on server-side (we do not trust client-side data,
+ *   such as cookie expiration)
+ * - IP addresses + user agent are checked on each access to prevent session
+ *   cookie hijacking (such as Firesheep)
+ * - Session expires on user inactivity (Session expiration date is
+ *   automatically updated everytime the user accesses a page.)
+ * - A unique secret key is generated on server-side for this session
+ *   (and never sent over the wire) which can be used
+ *   to sign forms (HMAC) (See $_SESSION['uid'] )
+ * - Token management to prevent XSRF attacks.
+ *
+ * TODO:
+ * - log login fail
+ * - prevent brute force (ban IP)
+ *
+ * HOWTOUSE:
+ * - Just call Session::init(); to initialize session and
+ *   check if connected with Session::isLogged()
+ */
+class Session
+{
+    // If the user does not access any page within this time,
+    // his/her session is considered expired (in seconds).
+    public static $inactivity_timeout = 3600;
+    private static $_instance;
+    // constructor
+    private function __construct()
+    {
+        // Use cookies to store session.
+        ini_set('session.use_cookies', 1);
+        // Force cookies for session  (phpsessionID forbidden in URL)
+        ini_set('session.use_only_cookies', 1);
+        if (!session_id()){
+            // Prevent php to use sessionID in URL if cookies are disabled.
+            ini_set('session.use_trans_sid', false);
+            session_start('poche');
+        }
+    }
+    // initialize session
+    public static function init()
+    {
+        if (!isset(self::$_instance)) {
+            self::$_instance = new Session();
+        }
+    }
+    // Returns the IP address, user agent and language of the client
+    // (Used to prevent session cookie hijacking.)
+    private static function _allInfos()
+    {
+        $infos = $_SERVER["REMOTE_ADDR"];
+        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+            $infos.=$_SERVER['HTTP_X_FORWARDED_FOR'];
+        }
+        if (isset($_SERVER['HTTP_CLIENT_IP'])) {
+            $infos.='_'.$_SERVER['HTTP_CLIENT_IP'];
+        }
+        $infos.='_'.$_SERVER['HTTP_USER_AGENT'];
+        $infos.='_'.$_SERVER['HTTP_ACCEPT_LANGUAGE'];
+        return sha1($infos);
+    }
+    // Check that user/password is correct and init some SESSION variables.
+    public static function login($login,$password,$login_test,$password_test,
+                                 $pValues = array())
+    {
+        foreach ($pValues as $key => $value) {
+            $_SESSION[$key] = $value;
+        }
+        if ($login==$login_test && $password==$password_test){
+            // generate unique random number to sign forms (HMAC)
+            $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand());
+            $_SESSION['info']=Session::_allInfos();
+            $_SESSION['username']=$login;
+            // Set session expiration.
+            $_SESSION['expires_on']=time()+Session::$inactivity_timeout;
+            return true;
+        }
+        return false;
+    }
+    // Force logout
+    public static function logout()
+    {
+        unset($_SESSION['uid'],$_SESSION['info'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['poche_user']);
+    }
+    // Make sure user is logged in.
+    public static function isLogged()
+    {
+        if (!isset ($_SESSION['uid'])
+            || $_SESSION['info']!=Session::_allInfos()
+            || time()>=$_SESSION['expires_on']){
+            Session::logout();
+            return false;
+        }
+        // User accessed a page : Update his/her session expiration date.
+        $_SESSION['expires_on']=time()+Session::$inactivity_timeout;
+        return true;
+    }
+    // Returns a token.
+    public static function getToken()
+    {
+        if (!isset($_SESSION['tokens'])){
+            $_SESSION['tokens']=array();
+        }
+        // We generate a random string and store it on the server side.
+        $rnd = sha1(uniqid('',true).'_'.mt_rand());
+        $_SESSION['tokens'][$rnd]=1;
+        return $rnd;
+    }
+    // Tells if a token is ok. Using this function will destroy the token.
+    // return true if token is ok.
+    public static function isToken($token)
+    {
+        if (isset($_SESSION['tokens'][$token]))
+        {
+            unset($_SESSION['tokens'][$token]); // Token is used: destroy it.
+            return true; // Token is ok.
+        }
+        return false; // Wrong token, or already used.
+    }
+}
+\ No newline at end of file

diff --git a/inc/3rdparty/Session.class.php b/inc/3rdparty/Session.class.php new file mode 100644 index 00000000..3162f507 --- /dev/null +++ b/inc/3rdparty/Session.class.php
@@ -0,0 +1,136 @@
	1	<?php
	2	/**
	3	* Session management class
	4	* http://www.developpez.net/forums/d51943/php/langage/sessions/
	5	* http://sebsauvage.net/wiki/doku.php?id=php:session
	6	* http://sebsauvage.net/wiki/doku.php?id=php:shaarli
	7	*
	8	* Features:
	9	* - Everything is stored on server-side (we do not trust client-side data,
	10	* such as cookie expiration)
	11	* - IP addresses + user agent are checked on each access to prevent session
	12	* cookie hijacking (such as Firesheep)
	13	* - Session expires on user inactivity (Session expiration date is
	14	* automatically updated everytime the user accesses a page.)
	15	* - A unique secret key is generated on server-side for this session
	16	* (and never sent over the wire) which can be used
	17	* to sign forms (HMAC) (See $_SESSION['uid'] )
	18	* - Token management to prevent XSRF attacks.
	19	*
	20	* TODO:
	21	* - log login fail
	22	* - prevent brute force (ban IP)
	23	*
	24	* HOWTOUSE:
	25	* - Just call Session::init(); to initialize session and
	26	* check if connected with Session::isLogged()
	27	*/
	28
	29	class Session
	30	{
	31	// If the user does not access any page within this time,
	32	// his/her session is considered expired (in seconds).
	33	public static $inactivity_timeout = 3600;
	34	private static $_instance;
	35
	36	// constructor
	37	private function __construct()
	38	{
	39	// Use cookies to store session.
	40	ini_set('session.use_cookies', 1);
	41	// Force cookies for session (phpsessionID forbidden in URL)
	42	ini_set('session.use_only_cookies', 1);
	43	if (!session_id()){
	44	// Prevent php to use sessionID in URL if cookies are disabled.
	45	ini_set('session.use_trans_sid', false);
	46	session_start('poche');
	47	}
	48	}
	49
	50	// initialize session
	51	public static function init()
	52	{
	53	if (!isset(self::$_instance)) {
	54	self::$_instance = new Session();
	55	}
	56	}
	57
	58	// Returns the IP address, user agent and language of the client
	59	// (Used to prevent session cookie hijacking.)
	60	private static function _allInfos()
	61	{
	62	$infos = $_SERVER["REMOTE_ADDR"];
	63	if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
	64	$infos.=$_SERVER['HTTP_X_FORWARDED_FOR'];
	65	}
	66	if (isset($_SERVER['HTTP_CLIENT_IP'])) {
	67	$infos.='_'.$_SERVER['HTTP_CLIENT_IP'];
	68	}
	69	$infos.='_'.$_SERVER['HTTP_USER_AGENT'];
	70	$infos.='_'.$_SERVER['HTTP_ACCEPT_LANGUAGE'];
	71	return sha1($infos);
	72	}
	73
	74	// Check that user/password is correct and init some SESSION variables.
	75	public static function login($login,$password,$login_test,$password_test,
	76	$pValues = array())
	77	{
	78	foreach ($pValues as $key => $value) {
	79	$_SESSION[$key] = $value;
	80	}
	81	if ($login==$login_test && $password==$password_test){
	82	// generate unique random number to sign forms (HMAC)
	83	$_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand());
	84	$_SESSION['info']=Session::_allInfos();
	85	$_SESSION['username']=$login;
	86	// Set session expiration.
	87	$_SESSION['expires_on']=time()+Session::$inactivity_timeout;
	88	return true;
	89	}
	90	return false;
	91	}
	92
	93	// Force logout
	94	public static function logout()
	95	{
	96	unset($_SESSION['uid'],$_SESSION['info'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['poche_user']);
	97	}
	98
	99	// Make sure user is logged in.
	100	public static function isLogged()
	101	{
	102	if (!isset ($_SESSION['uid'])
	103	\|\| $_SESSION['info']!=Session::_allInfos()
	104	\|\| time()>=$_SESSION['expires_on']){
	105	Session::logout();
	106	return false;
	107	}
	108	// User accessed a page : Update his/her session expiration date.
	109	$_SESSION['expires_on']=time()+Session::$inactivity_timeout;
	110	return true;
	111	}
	112
	113	// Returns a token.
	114	public static function getToken()
	115	{
	116	if (!isset($_SESSION['tokens'])){
	117	$_SESSION['tokens']=array();
	118	}
	119	// We generate a random string and store it on the server side.
	120	$rnd = sha1(uniqid('',true).'_'.mt_rand());
	121	$_SESSION['tokens'][$rnd]=1;
	122	return $rnd;
	123	}
	124
	125	// Tells if a token is ok. Using this function will destroy the token.
	126	// return true if token is ok.
	127	public static function isToken($token)
	128	{
	129	if (isset($_SESSION['tokens'][$token]))
	130	{
	131	unset($_SESSION['tokens'][$token]); // Token is used: destroy it.
	132	return true; // Token is ok.
	133	}
	134	return false; // Wrong token, or already used.
	135	}
	136	} \ No newline at end of file