Refactor SessionManager::$INACTIVITY_TIMEOUT
Changed: - move INACTIVITY_TIMEOUT to SessionManager - inject a dependency to a SessionManager instance in: - fillSessionInfo() - setup_login_state() - check_auth() - cleanup related code and comments Signed-off-by: VirtualTam <virtualtam@flibidi.net>
This commit is contained in:
parent
88110550b8
commit
db45a36a53
2 changed files with 28 additions and 24 deletions
|
@ -6,6 +6,10 @@
|
||||||
*/
|
*/
|
||||||
class SessionManager
|
class SessionManager
|
||||||
{
|
{
|
||||||
|
/** Session expiration timeout, in seconds */
|
||||||
|
public static $INACTIVITY_TIMEOUT = 3600;
|
||||||
|
|
||||||
|
/** Local reference to the global $_SESSION array */
|
||||||
protected $session = [];
|
protected $session = [];
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
40
index.php
40
index.php
|
@ -101,8 +101,6 @@
|
||||||
// Set default cookie expiration and path.
|
// Set default cookie expiration and path.
|
||||||
session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['SERVER_NAME']);
|
session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['SERVER_NAME']);
|
||||||
// Set session parameters on server side.
|
// Set session parameters on server side.
|
||||||
// If the user does not access any page within this time, his/her session is considered expired.
|
|
||||||
define('INACTIVITY_TIMEOUT', 3600); // in seconds.
|
|
||||||
// Use cookies to store session.
|
// Use cookies to store session.
|
||||||
ini_set('session.use_cookies', 1);
|
ini_set('session.use_cookies', 1);
|
||||||
// Force cookies for session (phpsessionID forbidden in URL).
|
// Force cookies for session (phpsessionID forbidden in URL).
|
||||||
|
@ -183,11 +181,12 @@
|
||||||
/**
|
/**
|
||||||
* Checking session state (i.e. is the user still logged in)
|
* Checking session state (i.e. is the user still logged in)
|
||||||
*
|
*
|
||||||
* @param ConfigManager $conf The configuration manager.
|
* @param ConfigManager $conf Configuration Manager instance.
|
||||||
|
* @param SessionManager $sessionManager SessionManager instance
|
||||||
*
|
*
|
||||||
* @return bool: true if the user is logged in, false otherwise.
|
* @return bool true if the user is logged in, false otherwise.
|
||||||
*/
|
*/
|
||||||
function setup_login_state($conf)
|
function setup_login_state($conf, $sessionManager)
|
||||||
{
|
{
|
||||||
if ($conf->get('security.open_shaarli')) {
|
if ($conf->get('security.open_shaarli')) {
|
||||||
return true;
|
return true;
|
||||||
|
@ -202,7 +201,7 @@ function setup_login_state($conf)
|
||||||
$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
|
$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
|
||||||
!$loginFailure)
|
!$loginFailure)
|
||||||
{
|
{
|
||||||
fillSessionInfo($conf);
|
fillSessionInfo($conf, $sessionManager);
|
||||||
$userIsLoggedIn = true;
|
$userIsLoggedIn = true;
|
||||||
}
|
}
|
||||||
// If session does not exist on server side, or IP address has changed, or session has expired, logout.
|
// If session does not exist on server side, or IP address has changed, or session has expired, logout.
|
||||||
|
@ -216,9 +215,8 @@ function setup_login_state($conf)
|
||||||
}
|
}
|
||||||
if (!empty($_SESSION['longlastingsession'])) {
|
if (!empty($_SESSION['longlastingsession'])) {
|
||||||
$_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
|
$_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
|
||||||
}
|
} else {
|
||||||
else {
|
$_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT;
|
||||||
$_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
|
|
||||||
}
|
}
|
||||||
if (!$loginFailure) {
|
if (!$loginFailure) {
|
||||||
$userIsLoggedIn = true;
|
$userIsLoggedIn = true;
|
||||||
|
@ -226,22 +224,24 @@ function setup_login_state($conf)
|
||||||
|
|
||||||
return $userIsLoggedIn;
|
return $userIsLoggedIn;
|
||||||
}
|
}
|
||||||
$userIsLoggedIn = setup_login_state($conf);
|
|
||||||
|
$userIsLoggedIn = setup_login_state($conf, $sessionManager);
|
||||||
|
|
||||||
// ------------------------------------------------------------------------------------------
|
// ------------------------------------------------------------------------------------------
|
||||||
// Session management
|
// Session management
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Load user session.
|
* Load user session
|
||||||
*
|
*
|
||||||
* @param ConfigManager $conf Configuration Manager instance.
|
* @param ConfigManager $conf Configuration Manager instance.
|
||||||
|
* @param SessionManager $sessionManager SessionManager instance
|
||||||
*/
|
*/
|
||||||
function fillSessionInfo($conf)
|
function fillSessionInfo($conf, $sessionManager)
|
||||||
{
|
{
|
||||||
$_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
|
$_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
|
||||||
$_SESSION['ip'] = client_ip_id($_SERVER);
|
$_SESSION['ip'] = client_ip_id($_SERVER);
|
||||||
$_SESSION['username']= $conf->get('credentials.login');
|
$_SESSION['username']= $conf->get('credentials.login');
|
||||||
$_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.
|
$_SESSION['expires_on'] = time() + $sessionManager::$INACTIVITY_TIMEOUT;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -250,15 +250,16 @@ function fillSessionInfo($conf)
|
||||||
* @param string $login Username
|
* @param string $login Username
|
||||||
* @param string $password User password
|
* @param string $password User password
|
||||||
* @param ConfigManager $conf Configuration Manager instance.
|
* @param ConfigManager $conf Configuration Manager instance.
|
||||||
|
* @param SessionManager $sessionManager SessionManager instance
|
||||||
*
|
*
|
||||||
* @return bool: authentication successful or not.
|
* @return bool: authentication successful or not.
|
||||||
*/
|
*/
|
||||||
function check_auth($login, $password, $conf)
|
function check_auth($login, $password, $conf, $sessionManager)
|
||||||
{
|
{
|
||||||
$hash = sha1($password . $login . $conf->get('credentials.salt'));
|
$hash = sha1($password . $login . $conf->get('credentials.salt'));
|
||||||
if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash'))
|
if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) {
|
||||||
{ // Login/password is correct.
|
// Login/password is correct.
|
||||||
fillSessionInfo($conf);
|
fillSessionInfo($conf, $sessionManager);
|
||||||
logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');
|
logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
@ -287,14 +288,13 @@ function logout() {
|
||||||
|
|
||||||
// ------------------------------------------------------------------------------------------
|
// ------------------------------------------------------------------------------------------
|
||||||
// Process login form: Check if login/password is correct.
|
// Process login form: Check if login/password is correct.
|
||||||
if (isset($_POST['login']))
|
if (isset($_POST['login'])) {
|
||||||
{
|
|
||||||
if (! $loginManager->canLogin($_SERVER)) {
|
if (! $loginManager->canLogin($_SERVER)) {
|
||||||
die(t('I said: NO. You are banned for the moment. Go away.'));
|
die(t('I said: NO. You are banned for the moment. Go away.'));
|
||||||
}
|
}
|
||||||
if (isset($_POST['password'])
|
if (isset($_POST['password'])
|
||||||
&& $sessionManager->checkToken($_POST['token'])
|
&& $sessionManager->checkToken($_POST['token'])
|
||||||
&& (check_auth($_POST['login'], $_POST['password'], $conf))
|
&& (check_auth($_POST['login'], $_POST['password'], $conf, $sessionManager))
|
||||||
) {
|
) {
|
||||||
// Login/password is OK.
|
// Login/password is OK.
|
||||||
$loginManager->handleSuccessfulLogin($_SERVER);
|
$loginManager->handleSuccessfulLogin($_SERVER);
|
||||||
|
|
Loading…
Reference in a new issue