Refactor SessionManager::$INACTIVITY_TIMEOUT

Changed:
- move INACTIVITY_TIMEOUT to SessionManager
- inject a dependency to a SessionManager instance in:
  - fillSessionInfo()
  - setup_login_state()
  - check_auth()
- cleanup related code and comments

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
This commit is contained in:
VirtualTam 2018-02-16 22:21:59 +01:00
parent 88110550b8
commit db45a36a53
2 changed files with 28 additions and 24 deletions

View file

@ -6,6 +6,10 @@
*/ */
class SessionManager class SessionManager
{ {
/** Session expiration timeout, in seconds */
public static $INACTIVITY_TIMEOUT = 3600;
/** Local reference to the global $_SESSION array */
protected $session = []; protected $session = [];
/** /**

View file

@ -101,8 +101,6 @@
// Set default cookie expiration and path. // Set default cookie expiration and path.
session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['SERVER_NAME']); session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['SERVER_NAME']);
// Set session parameters on server side. // Set session parameters on server side.
// If the user does not access any page within this time, his/her session is considered expired.
define('INACTIVITY_TIMEOUT', 3600); // in seconds.
// Use cookies to store session. // Use cookies to store session.
ini_set('session.use_cookies', 1); ini_set('session.use_cookies', 1);
// Force cookies for session (phpsessionID forbidden in URL). // Force cookies for session (phpsessionID forbidden in URL).
@ -183,11 +181,12 @@
/** /**
* Checking session state (i.e. is the user still logged in) * Checking session state (i.e. is the user still logged in)
* *
* @param ConfigManager $conf The configuration manager. * @param ConfigManager $conf Configuration Manager instance.
* @param SessionManager $sessionManager SessionManager instance
* *
* @return bool: true if the user is logged in, false otherwise. * @return bool true if the user is logged in, false otherwise.
*/ */
function setup_login_state($conf) function setup_login_state($conf, $sessionManager)
{ {
if ($conf->get('security.open_shaarli')) { if ($conf->get('security.open_shaarli')) {
return true; return true;
@ -202,7 +201,7 @@ function setup_login_state($conf)
$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
!$loginFailure) !$loginFailure)
{ {
fillSessionInfo($conf); fillSessionInfo($conf, $sessionManager);
$userIsLoggedIn = true; $userIsLoggedIn = true;
} }
// If session does not exist on server side, or IP address has changed, or session has expired, logout. // If session does not exist on server side, or IP address has changed, or session has expired, logout.
@ -216,9 +215,8 @@ function setup_login_state($conf)
} }
if (!empty($_SESSION['longlastingsession'])) { if (!empty($_SESSION['longlastingsession'])) {
$_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked. $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
} } else {
else { $_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT;
$_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
} }
if (!$loginFailure) { if (!$loginFailure) {
$userIsLoggedIn = true; $userIsLoggedIn = true;
@ -226,22 +224,24 @@ function setup_login_state($conf)
return $userIsLoggedIn; return $userIsLoggedIn;
} }
$userIsLoggedIn = setup_login_state($conf);
$userIsLoggedIn = setup_login_state($conf, $sessionManager);
// ------------------------------------------------------------------------------------------ // ------------------------------------------------------------------------------------------
// Session management // Session management
/** /**
* Load user session. * Load user session
* *
* @param ConfigManager $conf Configuration Manager instance. * @param ConfigManager $conf Configuration Manager instance.
* @param SessionManager $sessionManager SessionManager instance
*/ */
function fillSessionInfo($conf) function fillSessionInfo($conf, $sessionManager)
{ {
$_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
$_SESSION['ip'] = client_ip_id($_SERVER); $_SESSION['ip'] = client_ip_id($_SERVER);
$_SESSION['username']= $conf->get('credentials.login'); $_SESSION['username']= $conf->get('credentials.login');
$_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. $_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT;
} }
/** /**
@ -250,15 +250,16 @@ function fillSessionInfo($conf)
* @param string $login Username * @param string $login Username
* @param string $password User password * @param string $password User password
* @param ConfigManager $conf Configuration Manager instance. * @param ConfigManager $conf Configuration Manager instance.
* @param SessionManager $sessionManager SessionManager instance
* *
* @return bool: authentication successful or not. * @return bool: authentication successful or not.
*/ */
function check_auth($login, $password, $conf) function check_auth($login, $password, $conf, $sessionManager)
{ {
$hash = sha1($password . $login . $conf->get('credentials.salt')); $hash = sha1($password . $login . $conf->get('credentials.salt'));
if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) {
{ // Login/password is correct. // Login/password is correct.
fillSessionInfo($conf); fillSessionInfo($conf, $sessionManager);
logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');
return true; return true;
} }
@ -287,14 +288,13 @@ function logout() {
// ------------------------------------------------------------------------------------------ // ------------------------------------------------------------------------------------------
// Process login form: Check if login/password is correct. // Process login form: Check if login/password is correct.
if (isset($_POST['login'])) if (isset($_POST['login'])) {
{
if (! $loginManager->canLogin($_SERVER)) { if (! $loginManager->canLogin($_SERVER)) {
die(t('I said: NO. You are banned for the moment. Go away.')); die(t('I said: NO. You are banned for the moment. Go away.'));
} }
if (isset($_POST['password']) if (isset($_POST['password'])
&& $sessionManager->checkToken($_POST['token']) && $sessionManager->checkToken($_POST['token'])
&& (check_auth($_POST['login'], $_POST['password'], $conf)) && (check_auth($_POST['login'], $_POST['password'], $conf, $sessionManager))
) { ) {
// Login/password is OK. // Login/password is OK.
$loginManager->handleSuccessfulLogin($_SERVER); $loginManager->handleSuccessfulLogin($_SERVER);