diff options
Diffstat (limited to 'inc/Session.class.php')
-rw-r--r-- | inc/Session.class.php | 136 |
1 files changed, 136 insertions, 0 deletions
diff --git a/inc/Session.class.php b/inc/Session.class.php new file mode 100644 index 00000000..06fa6a8e --- /dev/null +++ b/inc/Session.class.php | |||
@@ -0,0 +1,136 @@ | |||
1 | <?php | ||
2 | /** | ||
3 | * Session management class | ||
4 | * http://www.developpez.net/forums/d51943/php/langage/sessions/ | ||
5 | * http://sebsauvage.net/wiki/doku.php?id=php:session | ||
6 | * http://sebsauvage.net/wiki/doku.php?id=php:shaarli | ||
7 | * | ||
8 | * Features: | ||
9 | * - Everything is stored on server-side (we do not trust client-side data, | ||
10 | * such as cookie expiration) | ||
11 | * - IP addresses + user agent are checked on each access to prevent session | ||
12 | * cookie hijacking (such as Firesheep) | ||
13 | * - Session expires on user inactivity (Session expiration date is | ||
14 | * automatically updated everytime the user accesses a page.) | ||
15 | * - A unique secret key is generated on server-side for this session | ||
16 | * (and never sent over the wire) which can be used | ||
17 | * to sign forms (HMAC) (See $_SESSION['uid'] ) | ||
18 | * - Token management to prevent XSRF attacks. | ||
19 | * | ||
20 | * TODO: | ||
21 | * - log login fail | ||
22 | * - prevent brute force (ban IP) | ||
23 | * | ||
24 | * HOWTOUSE: | ||
25 | * - Just call Session::init(); to initialize session and | ||
26 | * check if connected with Session::isLogged() | ||
27 | */ | ||
28 | |||
29 | class Session | ||
30 | { | ||
31 | // If the user does not access any page within this time, | ||
32 | // his/her session is considered expired (in seconds). | ||
33 | public static $inactivity_timeout = 3600; | ||
34 | private static $_instance; | ||
35 | |||
36 | // constructor | ||
37 | private function __construct() | ||
38 | { | ||
39 | // Use cookies to store session. | ||
40 | ini_set('session.use_cookies', 1); | ||
41 | // Force cookies for session (phpsessionID forbidden in URL) | ||
42 | ini_set('session.use_only_cookies', 1); | ||
43 | if (!session_id()){ | ||
44 | // Prevent php to use sessionID in URL if cookies are disabled. | ||
45 | ini_set('session.use_trans_sid', false); | ||
46 | session_start('poche'); | ||
47 | } | ||
48 | } | ||
49 | |||
50 | // initialize session | ||
51 | public static function init() | ||
52 | { | ||
53 | if (!isset(self::$_instance)) { | ||
54 | self::$_instance = new Session(); | ||
55 | } | ||
56 | } | ||
57 | |||
58 | // Returns the IP address, user agent and language of the client | ||
59 | // (Used to prevent session cookie hijacking.) | ||
60 | private static function _allInfos() | ||
61 | { | ||
62 | $infos = $_SERVER["REMOTE_ADDR"]; | ||
63 | if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { | ||
64 | $infos.=$_SERVER['HTTP_X_FORWARDED_FOR']; | ||
65 | } | ||
66 | if (isset($_SERVER['HTTP_CLIENT_IP'])) { | ||
67 | $infos.='_'.$_SERVER['HTTP_CLIENT_IP']; | ||
68 | } | ||
69 | $infos.='_'.$_SERVER['HTTP_USER_AGENT']; | ||
70 | $infos.='_'.$_SERVER['HTTP_ACCEPT_LANGUAGE']; | ||
71 | return sha1($infos); | ||
72 | } | ||
73 | |||
74 | // Check that user/password is correct and init some SESSION variables. | ||
75 | public static function login($login,$password,$login_test,$password_test, | ||
76 | $pValues = array()) | ||
77 | { | ||
78 | foreach ($pValues as $key => $value) { | ||
79 | $_SESSION[$key] = $value; | ||
80 | } | ||
81 | if ($login==$login_test && $password==$password_test){ | ||
82 | // generate unique random number to sign forms (HMAC) | ||
83 | $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); | ||
84 | $_SESSION['info']=Session::_allInfos(); | ||
85 | $_SESSION['username']=$login; | ||
86 | // Set session expiration. | ||
87 | $_SESSION['expires_on']=time()+Session::$inactivity_timeout; | ||
88 | return true; | ||
89 | } | ||
90 | return false; | ||
91 | } | ||
92 | |||
93 | // Force logout | ||
94 | public static function logout() | ||
95 | { | ||
96 | unset($_SESSION['uid'],$_SESSION['info'],$_SESSION['expires_on']); | ||
97 | } | ||
98 | |||
99 | // Make sure user is logged in. | ||
100 | public static function isLogged() | ||
101 | { | ||
102 | if (!isset ($_SESSION['uid']) | ||
103 | || $_SESSION['info']!=Session::_allInfos() | ||
104 | || time()>=$_SESSION['expires_on']){ | ||
105 | Session::logout(); | ||
106 | return false; | ||
107 | } | ||
108 | // User accessed a page : Update his/her session expiration date. | ||
109 | $_SESSION['expires_on']=time()+Session::$inactivity_timeout; | ||
110 | return true; | ||
111 | } | ||
112 | |||
113 | // Returns a token. | ||
114 | public static function getToken() | ||
115 | { | ||
116 | if (!isset($_SESSION['tokens'])){ | ||
117 | $_SESSION['tokens']=array(); | ||
118 | } | ||
119 | // We generate a random string and store it on the server side. | ||
120 | $rnd = sha1(uniqid('',true).'_'.mt_rand()); | ||
121 | $_SESSION['tokens'][$rnd]=1; | ||
122 | return $rnd; | ||
123 | } | ||
124 | |||
125 | // Tells if a token is ok. Using this function will destroy the token. | ||
126 | // return true if token is ok. | ||
127 | public static function isToken($token) | ||
128 | { | ||
129 | if (isset($_SESSION['tokens'][$token])) | ||
130 | { | ||
131 | unset($_SESSION['tokens'][$token]); // Token is used: destroy it. | ||
132 | return true; // Token is ok. | ||
133 | } | ||
134 | return false; // Wrong token, or already used. | ||
135 | } | ||
136 | } \ No newline at end of file | ||