Merge branch 'master' into myShaarli

2014-02-12 10:51:35 +01:00 · 2014-02-12 10:51:35 +01:00 · 0396d42bba
commit 0396d42bba
parent 921e7020c9 020df22d1e
1 changed files with 21 additions and 5 deletions
--- a/index.php
+++ b/index.php
@ -40,6 +40,8 @@
 define('shaarli_version','0.0.41 beta');
 define('PHPPREFIX','<?php /* '); // Prefix to encapsulate data in php code.
 define('PHPSUFFIX',' */ ?>'); // Suffix to encapsulate data in php code.
+// http://server.com/x/shaarli --> /shaarli/
+define('WEB_PATH', substr($_SERVER["REQUEST_URI"], 0, 1+strrpos($_SERVER["REQUEST_URI"], '/', 0)));

 // Force cookie path (but do not change lifetime)
 $cookie=session_get_cookie_params();
@ -116,6 +118,8 @@ function stripslashes_deep($value) { $value = is_array($value) ? array_map('stri

 require $GLOBALS['config']['CONFIG_FILE'];  // Read login/password hash into $GLOBALS.

+// a token depending of deployment salt, user password, and the current ip
+define('STAY_SIGNED_IN_TOKEN', sha1($GLOBALS['hash'].$_SERVER["REMOTE_ADDR"].$GLOBALS['salt']));

 autoLocale(); // Sniff browser language and set date format accordingly.
 header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling.
@ -300,16 +304,20 @@ function allIPs()
    return $ip;
 }

+function fillSessionInfo() {
+	$_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // generate unique random number (different than phpsessionid)
+	$_SESSION['ip']=allIPs();                // We store IP address(es) of the client to make sure session is not hijacked.
+	$_SESSION['username']=$GLOBALS['login'];
+	$_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT;  // Set session expiration.
+}
+
 // Check that user/password is correct.
 function check_auth($login,$password)
 {
    $hash = sha1($password.$login.$GLOBALS['salt']);
    if ($login==$GLOBALS['login'] && $hash==$GLOBALS['hash'])
    {   // Login/password is correct.
-        $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // generate unique random number (different than phpsessionid)
-        $_SESSION['ip']=allIPs();                // We store IP address(es) of the client to make sure session is not hijacked.
-        $_SESSION['username']=$login;
-        $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT;  // Set session expiration.
+		fillSessionInfo();
        logm('Login successful');
        return True;
    }
@ -324,6 +332,11 @@ function isLoggedIn()

    if (!isset($GLOBALS['login'])) return false;  // Shaarli is not configured yet.

+	if (@$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN)
+	{
+		fillSessionInfo();
+		return true;
+	}
    // If session does not exist on server side, or IP address has changed, or session has expired, logout.
    if (empty($_SESSION['uid']) || ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) || time()>=$_SESSION['expires_on'])
    {
@ -337,7 +350,9 @@ function isLoggedIn()
 }

 // Force logout.
-function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); }  }
+function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); }  
+setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH);
+}


 // ------------------------------------------------------------------------------------------
@ -399,6 +414,7 @@ function ban_canLogin()
        // If user wants to keep the session cookie even after the browser closes:
        if (!empty($_POST['longlastingsession']))
        {
+			setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH);
            $_SESSION['longlastingsession']=31536000;  // (31536000 seconds = 1 year)
            $_SESSION['expires_on']=time()+$_SESSION['longlastingsession'];  // Set session expiration on server-side.