Delegate session operations to SessionManager

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-04-04 00:54:59 +02:00 · 2018-04-04 00:54:59 +02:00 · c7721487b2
parent 1b28c66cc7
commit c7721487b2
2 changed files with 69 additions and 24 deletions
--- a/application/LoginManager.php
+++ b/application/LoginManager.php
@ -1,6 +1,8 @@
 <?php
 namespace Shaarli;

+use Shaarli\Config\ConfigManager;
+
 /**
 * User login management
 */
@ -62,34 +64,24 @@ class LoginManager
            return;
        }

+        $clientIpId = client_ip_id($server);
+
        if (isset($cookie[SessionManager::$LOGGED_IN_COOKIE])
            && $cookie[SessionManager::$LOGGED_IN_COOKIE] === $token
        ) {
-            $this->sessionManager->storeLoginInfo($server);
+            $this->sessionManager->storeLoginInfo($clientIpId);
            $this->isLoggedIn = true;
        }

-        // Logout when:
-        // - the session does not exist on the server side
-        // - the session has expired
-        // - the client IP address has changed
-        if (empty($session['uid'])
-            || ($this->configManager->get('security.session_protection_disabled') === false
-                && $session['ip'] != client_ip_id($server))
-            || time() >= $session['expires_on']
+        if ($this->sessionManager->hasSessionExpired()
+            || $this->sessionManager->hasClientIpChanged($clientIpId)
        ) {
            $this->sessionManager->logout($webPath);
            $this->isLoggedIn = false;
            return;
        }

-        // Extend session validity
-        if (! empty($session['longlastingsession'])) {
-            // "Stay signed in" is enabled
-            $session['expires_on'] = time() + $session['longlastingsession'];
-        } else {
-            $session['expires_on'] = time() + SessionManager::$INACTIVITY_TIMEOUT;
-        }
+        $this->sessionManager->extendSession();
    }

    /**
@ -129,7 +121,8 @@ class LoginManager
            return false;
        }

-        $this->sessionManager->storeLoginInfo($server);
+        $clientIpId = client_ip_id($server);
+        $this->sessionManager->storeLoginInfo($clientIpId);
        logm(
            $this->configManager->get('resource.log'),
            $server['REMOTE_ADDR'],
--- a/application/SessionManager.php
+++ b/application/SessionManager.php
@ -1,21 +1,23 @@
 <?php
 namespace Shaarli;

+use Shaarli\Config\ConfigManager;
+
 /**
 * Manages the server-side session
 */
 class SessionManager
 {
-    /** Session expiration timeout, in seconds */
+    /** @var int Session expiration timeout, in seconds */
    public static $INACTIVITY_TIMEOUT = 3600;

-    /** Name of the cookie set after logging in **/
+    /** @var string Name of the cookie set after logging in **/
    public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn';

-    /** Local reference to the global $_SESSION array */
+    /** @var array Local reference to the global $_SESSION array */
    protected $session = [];

-    /** ConfigManager instance **/
+    /** @var ConfigManager Configuration Manager instance **/
    protected $conf = null;

    /**
@ -94,17 +96,30 @@ class SessionManager
    /**
     * Store user login information after a successful login
     *
-     * @param array $server The global $_SERVER array
+     * @param string $clientIpId Client IP address identifier
     */
-    public function storeLoginInfo($server)
+    public function storeLoginInfo($clientIpId)
    {
        // Generate unique random number (different than phpsessionid)
        $this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand());
-        $this->session['ip'] = client_ip_id($server);
+        $this->session['ip'] = $clientIpId;
        $this->session['username'] = $this->conf->get('credentials.login');
        $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
    }

+    /**
+     * Extend session validity
+     */
+    public function extendSession()
+    {
+        if (! empty($this->session['longlastingsession'])) {
+            // "Stay signed in" is enabled
+            $this->session['expires_on'] = time() + $this->session['longlastingsession'];
+            return;
+        }
+        $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
+    }
+
    /**
     * Logout a user by unsetting all login information
     *
@ -124,4 +139,41 @@ class SessionManager
        }
        setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath);
    }
+
+    /**
+     * Check whether the session has expired
+     *
+     * @param string $clientIpId Client IP address identifier
+     *
+     * @return bool true if the session has expired, false otherwise
+     */
+    public function hasSessionExpired()
+    {
+        if (empty($this->session['uid'])) {
+            return true;
+        }
+        if (time() >= $this->session['expires_on']) {
+            return true;
+        }
+        return false;
+    }
+
+    /**
+     * Check whether the client IP address has changed
+     *
+     * @param string $clientIpId Client IP address identifier
+     *
+     * @return bool true if the IP has changed, false if it has not, or
+     *              if session protection has been disabled
+     */
+    public function hasClientIpChanged($clientIpId)
+    {
+        if ($this->conf->get('security.session_protection_disabled') === true) {
+            return false;
+        }
+        if ($this->session['ip'] == $clientIpId) {
+            return false;
+        }
+        return true;
+    }
 }