Home Explore Help
Sign In
kotnik
/
shaarli
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 47978e8772
Branches Tags
shaarli
/
application
/
SessionManager.php

SessionManager.php 1.9 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283 
  1. <?php
    2. 

  2. namespace Shaarli;
    3. 

  3. 

  4. /**
    5. 

  5.  * Manages the server-side session
    6. 

  6.  */
    7. 

  7. class SessionManager
    8. 

  8. {
    9. 

  9.     protected $session = [];
    10. 

  10. 

  11.     /**
    12. 

  12.      * Constructor
    13. 

  13.      *
    14. 

  14.      * @param array         $session The $_SESSION array (reference)
    15. 

  15.      * @param ConfigManager $conf    ConfigManager instance
    16. 

  16.      */
    17. 

  17.     public function __construct(& $session, $conf)
    18. 

  18.     {
    19. 

  19.         $this->session = &$session;
    20. 

  20.         $this->conf = $conf;
    21. 

  21.     }
    22. 

  22. 

  23.     /**
    24. 

  24.      * Generates a session token
    25. 

  25.      *
    26. 

  26.      * @return string token
    27. 

  27.      */
    28. 

  28.     public function generateToken()
    29. 

  29.     {
    30. 

  30.         $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
    31. 

  31.         $this->session['tokens'][$token] = 1;
    32. 

  32.         return $token;
    33. 

  33.     }
    34. 

  34. 

  35.     /**
    36. 

  36.      * Checks the validity of a session token, and destroys it afterwards
    37. 

  37.      *
    38. 

  38.      * @param string $token The token to check
    39. 

  39.      *
    40. 

  40.      * @return bool true if the token is valid, else false
    41. 

  41.      */
    42. 

  42.     public function checkToken($token)
    43. 

  43.     {
    44. 

  44.         if (! isset($this->session['tokens'][$token])) {
    45. 

  45.             // the token is wrong, or has already been used
    46. 

  46.             return false;
    47. 

  47.         }
    48. 

  48. 

  49.         // destroy the token to prevent future use
    50. 

  50.         unset($this->session['tokens'][$token]);
    51. 

  51.         return true;
    52. 

  52.     }
    53. 

  53. 

  54.     /**
    55. 

  55.      * Validate session ID to prevent Full Path Disclosure.
    56. 

  56.      *
    57. 

  57.      * See #298.
    58. 

  58.      * The session ID's format depends on the hash algorithm set in PHP settings
    59. 

  59.      *
    60. 

  60.      * @param string $sessionId Session ID
    61. 

  61.      *
    62. 

  62.      * @return true if valid, false otherwise.
    63. 

  63.      *
    64. 

  64.      * @see http://php.net/manual/en/function.hash-algos.php
    65. 

  65.      * @see http://php.net/manual/en/session.configuration.php
    66. 

  66.      */
    67. 

  67.     public static function checkId($sessionId)
    68. 

  68.     {
    69. 

  69.         if (empty($sessionId)) {
    70. 

  70.             return false;
    71. 

  71.         }
    72. 

  72. 

  73.         if (!$sessionId) {
    74. 

  74.             return false;
    75. 

  75.         }
    76. 

  76. 

  77.         if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
    78. 

  78.             return false;
    79. 

  79.         }
    80. 

  80. 

  81.         return true;
    82. 

  82.     }
    83. 

  83. }
    84.