SessionManager: remove unused UID token

There already are dedicated tokens for:
- CSRF protection
- user stay-signed-in feature, via cookie

This token was most likely intended as a randomly generated,
server-side, secret key to be used when generating hashes.

See http://sebsauvage.net/wiki/doku.php?id=php:session [FR]

Relevant section:

  Une clé secrète unique aléatoire est générée côté serveur (et jamais
  envoyée). Elle peut servir pour signer les formulaires (HMAC) ou
  générer des token de formulaires (protection contre XSRF).
  Voir $_SESSION['uid'].

Translation:

  A unique, server-side secret key is randomly generated (and never
  transmitted). It can be used to sign forms (HMAC) or generate form
  tokens (protection against XSRF).
  See $_SESSION['uid']

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
VirtualTam 2018-05-10 13:07:51 +02:00
parent c689e10863
commit ebf6151738
2 changed files with 0 additions and 19 deletions


@ -113,8 +113,6 @@ public static function checkId($sessionId)
*/ */
public function storeLoginInfo($clientIpId) public function storeLoginInfo($clientIpId)
{ {
// Generate unique random number (different than phpsessionid)
$this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand());
$this->session['ip'] = $clientIpId; $this->session['ip'] = $clientIpId;
$this->session['username'] = $this->conf->get('credentials.login'); $this->session['username'] = $this->conf->get('credentials.login');
$this->extendTimeValidityBy(self::$SHORT_TIMEOUT); $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
@ -154,7 +152,6 @@ protected function extendTimeValidityBy($duration)
public function logout() public function logout()
{ {
if (isset($this->session)) { if (isset($this->session)) {
unset($this->session['uid']);
unset($this->session['ip']); unset($this->session['ip']);
unset($this->session['expires_on']); unset($this->session['expires_on']);
unset($this->session['username']); unset($this->session['username']);
@ -172,9 +169,6 @@ public function logout()
*/ */
public function hasSessionExpired() public function hasSessionExpired()
{ {
if (empty($this->session['uid'])) {
return true;
}
if (time() >= $this->session['expires_on']) { if (time() >= $this->session['expires_on']) {
return true; return true;
} }
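Review bot: With the `uid` guard removed, `hasSessionExpired()` now reads `$this->session['expires_on']` unconditionally on the `time() >= ...` line, so a session that never went through `storeLoginInfo()`, or one already cleared by `logout()` (which unsets `expires_on` two hunks up), hits an undefined index there. PHP's loose comparison still happens to yield `true` for an int compared against a missing value, so the caller still sees "expired", but only by accident and with a notice or warning depending on the PHP version; the deleted `empty($this->session['uid'])` check was doubling as the "no login info stored" guard. Replace it with a check on the field the method actually depends on, ahead of the time comparison: `if (empty($this->session['expires_on'])) {` / `return true;` / `}`. The method's body continues past the end of this hunk, so I cannot tell whether a later line compensates, but the first dereference is already the one shown here.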


@ -164,7 +164,6 @@ public function testStoreLoginInfo()
{ {
$this->sessionManager->storeLoginInfo('ip_id'); $this->sessionManager->storeLoginInfo('ip_id');
$this->assertTrue(isset($this->session['uid']));
$this->assertGreaterThan(time(), $this->session['expires_on']); $this->assertGreaterThan(time(), $this->session['expires_on']);
$this->assertEquals('ip_id', $this->session['ip']); $this->assertEquals('ip_id', $this->session['ip']);
$this->assertEquals('johndoe', $this->session['username']); $this->assertEquals('johndoe', $this->session['username']);
@ -209,7 +208,6 @@ public function testExtendSessionStaySignedIn()
public function testLogout() public function testLogout()
{ {
$this->session = [ $this->session = [
'uid' => 'some-uid',
'ip' => 'ip_id', 'ip' => 'ip_id',
'expires_on' => time() + 1000, 'expires_on' => time() + 1000,
'username' => 'johndoe', 'username' => 'johndoe',
@ -218,7 +216,6 @@ public function testLogout()
]; ];
$this->sessionManager->logout(); $this->sessionManager->logout();
$this->assertFalse(isset($this->session['uid']));
$this->assertFalse(isset($this->session['ip'])); $this->assertFalse(isset($this->session['ip']));
$this->assertFalse(isset($this->session['expires_on'])); $this->assertFalse(isset($this->session['expires_on']));
$this->assertFalse(isset($this->session['username'])); $this->assertFalse(isset($this->session['username']));
@ -226,20 +223,11 @@ public function testLogout()
$this->assertFalse(isset($this->session['untaggedonly'])); $this->assertFalse(isset($this->session['untaggedonly']));
} }
/**
* The session is considered as expired because the UID is missing
*/
public function testHasExpiredNoUid()
{
$this->assertTrue($this->sessionManager->hasSessionExpired());
}
/** /**
* The session is active and expiration time has been reached * The session is active and expiration time has been reached
*/ */
public function testHasExpiredTimeElapsed() public function testHasExpiredTimeElapsed()
{ {
$this->session['uid'] = 'some-uid';
$this->session['expires_on'] = time() - 10; $this->session['expires_on'] = time() - 10;
$this->assertTrue($this->sessionManager->hasSessionExpired()); $this->assertTrue($this->sessionManager->hasSessionExpired());
@ -250,7 +238,6 @@ public function testHasExpiredTimeElapsed()
*/ */
public function testHasNotExpired() public function testHasNotExpired()
{ {
$this->session['uid'] = 'some-uid';
$this->session['expires_on'] = time() + 1000; $this->session['expires_on'] = time() + 1000;
$this->assertFalse($this->sessionManager->hasSessionExpired()); $this->assertFalse($this->sessionManager->hasSessionExpired());
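Review bot: Deleting `testHasExpiredNoUid` outright (the removed block before `testHasExpiredTimeElapsed`) leaves no test for a session that has never had login info stored, which is precisely the path in `hasSessionExpired()` whose behaviour this commit changes: it no longer short-circuits on a missing token and goes straight to the `expires_on` comparison. Keep the case under a name that matches the new contract, e.g. `testHasExpiredNoExpiresOn`, leaving `$this->session` empty and asserting `$this->assertTrue($this->sessionManager->hasSessionExpired());`, so the expected "expired" result for an empty or logged-out session stays pinned rather than relying on PHP's loose comparison against an undefined index. Whether that path currently emits a notice depends on the implementation file, which is outside this section.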