Knah-Tsaeb/MyShaarli
Knah-Tsaeb/MyShaarli
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

SessionManager+LoginManager: fix checkLoginState logic

Browse source 
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
This commit is contained in:
VirtualTam 2018-05-30 02:09:09 +02:00
parent 704637bfeb
commit 8edd7f1588
3 changed files with 15 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
application/security/LoginManager.php
View file

@ -95,7 +95,6 @@ public function checkLoginState($cookie, $clientIpId)
// The user client has a valid stay-signed-in cookie // The user client has a valid stay-signed-in cookie
// Session information is updated with the current client information // Session information is updated with the current client information
$this->sessionManager->storeLoginInfo($clientIpId); $this->sessionManager->storeLoginInfo($clientIpId);
$this->isLoggedIn = true;
} elseif ($this->sessionManager->hasSessionExpired() } elseif ($this->sessionManager->hasSessionExpired()
|| $this->sessionManager->hasClientIpChanged($clientIpId) || $this->sessionManager->hasClientIpChanged($clientIpId)
@ -105,6 +104,7 @@ public function checkLoginState($cookie, $clientIpId)
return; return;
} }
$this->isLoggedIn = true;
$this->sessionManager->extendSession(); $this->sessionManager->extendSession();
} }

5
application/security/SessionManager.php
View file

@ -169,6 +169,9 @@ public function logout()
*/ */
public function hasSessionExpired() public function hasSessionExpired()
{ {
if (empty($this->session['expires_on'])) {
return true;
}
if (time() >= $this->session['expires_on']) { if (time() >= $this->session['expires_on']) {
return true; return true;
} }
@ -188,7 +191,7 @@ public function hasClientIpChanged($clientIpId)
if ($this->conf->get('security.session_protection_disabled') === true) { if ($this->conf->get('security.session_protection_disabled') === true) {
return false; return false;
} }
if ($this->session['ip'] == $clientIpId) { if (isset($this->session['ip']) && $this->session['ip'] === $clientIpId) {
return false; return false;
} }
return true; return true;

15
tests/security/LoginManagerTest.php
View file

@ -84,10 +84,7 @@ public function setUp()
$this->globals = &$GLOBALS; $this->globals = &$GLOBALS;
unset($this->globals['IPBANS']); unset($this->globals['IPBANS']);
$this->session = [ $this->session = [];
'expires_on' => time() + 100,
'ip' => $this->clientIpAddress,
];
$this->sessionManager = new SessionManager($this->session, $this->configManager); $this->sessionManager = new SessionManager($this->session, $this->configManager);
$this->loginManager = new LoginManager($this->globals, $this->configManager, $this->sessionManager); $this->loginManager = new LoginManager($this->globals, $this->configManager, $this->sessionManager);
@ -281,12 +278,18 @@ public function testCheckLoginStateNotConfigured()
*/ */
public function testCheckLoginStateStaySignedInWithInvalidToken() public function testCheckLoginStateStaySignedInWithInvalidToken()
{ {
// simulate a previous login
$this->session = [
'ip' => $this->clientIpAddress,
'expires_on' => time() + 100,
];
$this->loginManager->generateStaySignedInToken($this->clientIpAddress); $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
$this->cookie[LoginManager::$STAY_SIGNED_IN_COOKIE] = 'nope'; $this->cookie[LoginManager::$STAY_SIGNED_IN_COOKIE] = 'nope';
$this->loginManager->checkLoginState($this->cookie, $this->clientIpAddress); $this->loginManager->checkLoginState($this->cookie, $this->clientIpAddress);
$this->assertFalse($this->loginManager->isLoggedIn()); $this->assertTrue($this->loginManager->isLoggedIn());
$this->assertTrue(empty($this->session['username']));
} }
/** /**
@ -300,6 +303,8 @@ public function testCheckLoginStateStaySignedInWithValidToken()
$this->loginManager->checkLoginState($this->cookie, $this->clientIpAddress); $this->loginManager->checkLoginState($this->cookie, $this->clientIpAddress);
$this->assertTrue($this->loginManager->isLoggedIn()); $this->assertTrue($this->loginManager->isLoggedIn());
$this->assertEquals($this->login, $this->session['username']);
$this->assertEquals($this->clientIpAddress, $this->session['ip']);
} }
/** /**