Knah-Tsaeb
/
MyShaarli
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

SessionManager: remove unused UID token 

There already are dedicated tokens for:
- CSRF protection
- user stay-signed-in feature, via cookie

This token was most likely intended as a randomly generated,
server-side, secret key to be used when generating hashes.

See http://sebsauvage.net/wiki/doku.php?id=php:session [FR]

Relevant section:

  Une clé secrète unique aléatoire est générée côté serveur (et jamais
  envoyée). Elle peut servir pour signer les formulaires (HMAC) ou
  générer des token de formulaires (protection contre XSRF).
  Voir $_SESSION['uid'].

Translation:

  A unique, server-side secret key is randomly generated (and never
  transmitted). It can be used to sign forms (HMAC) or generate form
  tokens (protection against XSRF).
  See $_SESSION['uid']

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
This commit is contained in:
VirtualTam 2018-05-10 13:07:51 +02:00
parent c689e10863
commit ebf6151738
2 changed files with 0 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
application/security/SessionManager.php
View File

@ -113,8 +113,6 @@ class SessionManager
*/
public function storeLoginInfo($clientIpId)
{
// Generate unique random number (different than phpsessionid)
$this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand());
$this->session['ip'] = $clientIpId;
$this->session['username'] = $this->conf->get('credentials.login');
$this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
@ -154,7 +152,6 @@ class SessionManager
public function logout()
{
if (isset($this->session)) {
unset($this->session['uid']);
unset($this->session['ip']);
unset($this->session['expires_on']);
unset($this->session['username']);
@ -172,9 +169,6 @@ class SessionManager
*/
public function hasSessionExpired()
{
if (empty($this->session['uid'])) {
return true;
}
if (time() >= $this->session['expires_on']) {
return true;
}

13
tests/security/SessionManagerTest.php
View File

@ -164,7 +164,6 @@ class SessionManagerTest extends TestCase
{
$this->sessionManager->storeLoginInfo('ip_id');
$this->assertTrue(isset($this->session['uid']));
$this->assertGreaterThan(time(), $this->session['expires_on']);
$this->assertEquals('ip_id', $this->session['ip']);
$this->assertEquals('johndoe', $this->session['username']);
@ -209,7 +208,6 @@ class SessionManagerTest extends TestCase
public function testLogout()
{
$this->session = [
'uid' => 'some-uid',
'ip' => 'ip_id',
'expires_on' => time() + 1000,
'username' => 'johndoe',
@ -218,7 +216,6 @@ class SessionManagerTest extends TestCase
];
$this->sessionManager->logout();
$this->assertFalse(isset($this->session['uid']));
$this->assertFalse(isset($this->session['ip']));
$this->assertFalse(isset($this->session['expires_on']));
$this->assertFalse(isset($this->session['username']));
@ -226,20 +223,11 @@ class SessionManagerTest extends TestCase
$this->assertFalse(isset($this->session['untaggedonly']));
}
/**
* The session is considered as expired because the UID is missing
*/
public function testHasExpiredNoUid()
{
$this->assertTrue($this->sessionManager->hasSessionExpired());
}
/**
* The session is active and expiration time has been reached
*/
public function testHasExpiredTimeElapsed()
{
$this->session['uid'] = 'some-uid';
$this->session['expires_on'] = time() - 10;
$this->assertTrue($this->sessionManager->hasSessionExpired());
@ -250,7 +238,6 @@ class SessionManagerTest extends TestCase
*/
public function testHasNotExpired()
{
$this->session['uid'] = 'some-uid';
$this->session['expires_on'] = time() + 1000;
$this->assertFalse($this->sessionManager->hasSessionExpired());