SessionManager: remove unused UID token
There already are dedicated tokens for: - CSRF protection - user stay-signed-in feature, via cookie This token was most likely intended as a randomly generated, server-side, secret key to be used when generating hashes. See http://sebsauvage.net/wiki/doku.php?id=php:session [FR] Relevant section: Une clé secrète unique aléatoire est générée côté serveur (et jamais envoyée). Elle peut servir pour signer les formulaires (HMAC) ou générer des token de formulaires (protection contre XSRF). Voir $_SESSION['uid']. Translation: A unique, server-side secret key is randomly generated (and never transmitted). It can be used to sign forms (HMAC) or generate form tokens (protection against XSRF). See $_SESSION['uid'] Signed-off-by: VirtualTam <virtualtam@flibidi.net>
This commit is contained in:
parent
c689e10863
commit
ebf6151738
2 changed files with 0 additions and 19 deletions
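--- a/[path not shown on page: SessionManager source file]
+++ b/[path not shown on page: SessionManager source file]
@@ -113,8 +113,6 @@ public static function checkId($sessionId)
 */
 public function storeLoginInfo($clientIpId)
 {
-// Generate unique random number (different than phpsessionid)
-$this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand());
 $this->session['ip'] = $clientIpId;
 $this->session['username'] = $this->conf->get('credentials.login');
 $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
@@ -154,7 +152,6 @@ protected function extendTimeValidityBy($duration)
 public function logout()
 {
 if (isset($this->session)) {
-unset($this->session['uid']);
 unset($this->session['ip']);
 unset($this->session['expires_on']);
 unset($this->session['username']);
@@ -172,9 +169,6 @@ public function logout()
 */
 public function hasSessionExpired()
 {
-if (empty($this->session['uid'])) {
-return true;
-}
 if (time() >= $this->session['expires_on']) {
 return true;
 }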
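Review bot: In the third hunk (hasSessionExpired, old lines 172-180), the removed `empty($this->session['uid'])` guard was also the only check that handled a session carrying no login data at all; after the change such a session goes straight to `time() >= $this->session['expires_on']`, which reads an undefined array key and presumably still returns true only through null comparison, while emitting an undefined-index notice or warning. Consider replacing the removed guard with an explicit one on the key the method actually relies on, `if (empty($this->session['expires_on'])) { return true; }`, so that "no session data means expired" stays a deliberate fail-closed rule rather than a side effect. The corresponding test dropped in the second file (testHasExpiredNoUid) could then be kept as a "no expires_on" case instead of being deleted. hasSessionExpired's body continues past the end of the hunk.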
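--- a/[path not shown on page: SessionManager test file]
+++ b/[path not shown on page: SessionManager test file]
@@ -164,7 +164,6 @@ public function testStoreLoginInfo()
 {
 $this->sessionManager->storeLoginInfo('ip_id');
 
-$this->assertTrue(isset($this->session['uid']));
 $this->assertGreaterThan(time(), $this->session['expires_on']);
 $this->assertEquals('ip_id', $this->session['ip']);
 $this->assertEquals('johndoe', $this->session['username']);
@@ -209,7 +208,6 @@ public function testExtendSessionStaySignedIn()
 public function testLogout()
 {
 $this->session = [
-'uid' => 'some-uid',
 'ip' => 'ip_id',
 'expires_on' => time() + 1000,
 'username' => 'johndoe',
@@ -218,7 +216,6 @@ public function testLogout()
 ];
 $this->sessionManager->logout();
 
-$this->assertFalse(isset($this->session['uid']));
 $this->assertFalse(isset($this->session['ip']));
 $this->assertFalse(isset($this->session['expires_on']));
 $this->assertFalse(isset($this->session['username']));
@@ -226,20 +223,11 @@ public function testLogout()
 $this->assertFalse(isset($this->session['untaggedonly']));
 }
 
-/**
-* The session is considered as expired because the UID is missing
-*/
-public function testHasExpiredNoUid()
-{
-$this->assertTrue($this->sessionManager->hasSessionExpired());
-}
-
 /**
 * The session is active and expiration time has been reached
 */
 public function testHasExpiredTimeElapsed()
 {
-$this->session['uid'] = 'some-uid';
 $this->session['expires_on'] = time() - 10;
 
 $this->assertTrue($this->sessionManager->hasSessionExpired());
@@ -250,7 +238,6 @@ public function testHasExpiredTimeElapsed()
 */
 public function testHasNotExpired()
 {
-$this->session['uid'] = 'some-uid';
 $this->session['expires_on'] = time() + 1000;
 
 $this->assertFalse($this->sessionManager->hasSessionExpired());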