annotate msession.inc.php @ 360:2af8458058ab
Implement CSRF token checks.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Tue, 03 Dec 2013 11:13:44 +0200 |
parents | 8f0d81f9c648 |
children | a3caded43f6d |
33 | 1 <? |
2 // | |
3 // FAPWeb Simple Demoparty System |
33 | 4 // Session management and authentication |
5 // (C) Copyright 2012-2013 Tecnic Software productions (TNSP) |
33 | 6 // |
7 | |
// Session "types" are stored as separate sub-arrays of $_SESSION,
// keyed by these names, so an admin and a user session can coexist.
define("SESS_USER", "user");
define("SESS_ADMIN", "admin");


if (function_exists("ini_set"))
{
  // Harden how the session ID travels between client and server:
  // only accept the ID from a cookie (never from the URL/query) and
  // never rewrite URLs to carry it. ini_set() is wrapped in @ to stay
  // quiet on hosts where these directives cannot be changed at runtime.
  // NOTE(review): session.cookie_httponly is not set here; worth
  // confirming it is configured elsewhere (php.ini / .htaccess).
  $stSessionIniSettings = array(
    "session.use_only_cookies" => 1,
    "session.use_trans_sid" => 0,
  );
  foreach ($stSessionIniSettings as $stIniKey => $stIniValue)
    @ini_set($stIniKey, $stIniValue);
  unset($stSessionIniSettings, $stIniKey, $stIniValue);
}


// Read item $name from the session sub-array of type $stype.
// Returns $default when the type is not given, the sub-array does
// not exist, or the item is missing / null.
function stGetSpecSessionItem($stype, $name, $default = "")
{
  // Without a session type there is nothing to look up
  if (!isset($stype))
    return $default;

  // isset() on the nested offset is false when either level is missing
  if (!isset($_SESSION[$stype][$name]))
    return $default;

  return $_SESSION[$stype][$name];
}
29 | |
30 | |
// Read item $name from the currently active session type, which the
// including script selects through the global $sessionType.
// Falls back to $default exactly like stGetSpecSessionItem().
function stGetSessionItem($name, $default = "")
{
  $activeType = isset($GLOBALS["sessionType"]) ? $GLOBALS["sessionType"] : null;
  return stGetSpecSessionItem($activeType, $name, $default);
}
36 | |
37 | |
// Store $value as item $name in the currently active session type
// (global $sessionType). Aborts the script if no type is selected,
// since writing blindly would create a bogus top-level $_SESSION key.
function stSetSessionItem($name, $value)
{
  global $sessionType;

  if (isset($sessionType))
  {
    $_SESSION[$sessionType][$name] = $value;
    return;
  }

  die("Session type not set.");
}
46 | |
47 | |
// Enforce the idle timeout of session type $stype.
// Returns FALSE (after ending the session) when no expiry timestamp is
// stored or it lies in the past; otherwise pushes the expiry forward by
// the session's configured timeout and returns TRUE.
function stSessionExpire($stype)
{
  // A session without an expiry timestamp was never properly started
  $hasExpiry = isset($_SESSION[$stype]) && isset($_SESSION[$stype]["expires"]);
  if (!$hasExpiry)
  {
    stDebug("Session ".$stype." expires due to expire time not set.");
    stSessionEnd($stype);
    return FALSE;
  }

  $expires = $_SESSION[$stype]["expires"];
  if ($expires < time())
  {
    stDebug("Session ".$stype." / ".session_id()." expires due to timeout ".$expires." < ".time());
    stSessionEnd($stype);
    return FALSE;
  }

  // Still valid: slide the expiry forward. The stored "timeout" is
  // resolved through stGetSetting() and scaled by 60, i.e. it is
  // presumably expressed in minutes.
  $timeout = stGetSetting($_SESSION[$stype]["timeout"], 0);
  stDebug("Adding more time to ".$stype." session ".session_id()." :: ".$timeout);
  $_SESSION[$stype]["expires"] = time() + $timeout * 60;
  return TRUE;
}
71 | |
72 | |
// End session type $stype. Returns TRUE if a session of that type
// existed and was removed, FALSE otherwise (including when the PHP
// session itself could not be started).
// When no session type remains, all session data is wiped, the session
// cookie is expired on the client and the server-side session destroyed.
function stSessionEnd($stype)
{
  stDebug("Request END session ".$stype);

  if (@session_start() !== TRUE || !isset($_SESSION))
    return FALSE;

  // Drop the requested session type, if present
  $ended = isset($_SESSION[$stype]);
  if ($ended)
  {
    stDebug("END session ".$stype." / ".$_SESSION[$stype]["expires"]);
    $_SESSION[$stype] = array();
    unset($_SESSION[$stype]);
  }

  // Nothing left of any type: tear the whole PHP session down
  if (!isset($_SESSION[SESS_USER]) && !isset($_SESSION[SESS_ADMIN]))
  {
    stDebug("Clearing all session data.");
    $_SESSION = array();

    if (ini_get("session.use_cookies"))
    {
      // Expire the session cookie with the same attributes it was set
      // with, otherwise the browser keeps the old one
      $cookie = session_get_cookie_params();
      setcookie(session_name(), "", time() - 242000,
        $cookie["path"], $cookie["domain"],
        $cookie["secure"], $cookie["httponly"]
      );
    }

    @session_destroy();
  }

  return $ended;
}
111 | |
112 | |
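// Start a session of type $stype, storing $key (the credential or
// identifier the auth functions later check), the configured $timeout
// (resolved via stGetSetting() and scaled by 60 for the expiry), and a
// fresh per-session CSRF token under "csrfID".
// Returns TRUE on success, FALSE if the PHP session could not be started.
function stSessionStart($stype, $key, $timeout)
{
  if (@session_start() !== TRUE)
  {
    stDebug("START ".$stype." session --FAILED--");
    return FALSE;
  }

  stDebug("START ".$stype." session OK.");

  // CSRF token source: mt_rand() is not a cryptographic generator and a
  // single draw carries at most ~31 bits, so prefer a CSPRNG when the
  // runtime provides one. The token keeps its sha512 hex format so
  // existing forms/templates are unaffected.
  $tokenBytes = FALSE;
  if (function_exists("random_bytes"))
    $tokenBytes = random_bytes(32);
  else if (function_exists("openssl_random_pseudo_bytes"))
    $tokenBytes = openssl_random_pseudo_bytes(32);

  if (!is_string($tokenBytes) || strlen($tokenBytes) < 32)
  {
    // Last resort on very old runtimes: still not cryptographic, but
    // wider than one mt_rand() draw and never a constant input.
    $tokenBytes = uniqid("", TRUE);
    for ($i = 0; $i < 8; $i++)
      $tokenBytes .= mt_rand(0, mt_getrandmax());
  }

  $_SESSION[$stype] = array(
    "key" => $key,
    "timeout" => $timeout,
    "expires" => time() + stGetSetting($timeout) * 60,
    "message" => "",
    "status" => 0,
    "csrfID" => hash("sha512", $tokenBytes),
  );
  return TRUE;
}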
134 | |
135 | |
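// Verify that the request carries the CSRF token issued to the active
// session. Returns TRUE only when both the request item and the session
// item exist, are strings, and are byte-for-byte equal.
function stCSRFCheck()
{
  $requestToken = stGetRequestItem("csrfID", FALSE);
  $sessionToken = stGetSessionItem("csrfID", FALSE);

  // Missing token on either side, or a non-string (e.g. csrfID[]=...
  // arriving as an array), is a failed check; it must never reach the
  // comparison below.
  if ($requestToken === FALSE || $sessionToken === FALSE ||
      !is_string($requestToken) || !is_string($sessionToken))
    return FALSE;

  // Strict, constant-time comparison where available. A loose == on
  // two hex tokens compares numeric-looking strings ("0e...") by value.
  if (function_exists("hash_equals"))
    return hash_equals($sessionToken, $requestToken);

  return $sessionToken === $requestToken;
}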
141 |
142 |
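// Authenticate the admin session: the key stored at session start must
// equal the configured "admPassword" setting. On success the session's
// expiry is checked/extended via stSessionExpire() and its result is
// returned; otherwise FALSE. $silent suppresses the debug output.
function stAdmSessionAuth($silent = FALSE)
{
  $authenticated = FALSE;

  if (@session_start() === TRUE)
  {
    // Compare strictly: a loose == would let a missing key (FALSE) match
    // an empty or "0" password and would compare numeric-looking strings
    // by value ("1e3" == "1000"). Both sides are cast to string so a
    // numerically configured password still compares by its digits.
    $stored = stGetSpecSessionItem(SESS_ADMIN, "key", FALSE);
    $expected = stGetSetting("admPassword");
    if ($stored !== FALSE && is_scalar($stored) && is_scalar($expected))
    {
      $want = (string) $expected;
      $have = (string) $stored;
      $authenticated = function_exists("hash_equals")
        ? hash_equals($want, $have)
        : ($want === $have);
    }
  }

  if ($authenticated)
  {
    if (!$silent) stDebug("AUTH admin session OK.");
    return stSessionExpire(SESS_ADMIN);
  }

  if (!$silent) stDebug("AUTH admin session FAIL.");
  return FALSE;
}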
157 | |
158 | |
// Authenticate the user session: succeeds when a user session with a
// stored "key" item exists (the key's value itself is not checked here;
// presumably it was validated at login). On success returns the result
// of stSessionExpire(), otherwise FALSE. $silent suppresses debug output.
function stUserSessionAuth($silent = FALSE)
{
  $authenticated = FALSE;
  if (@session_start() === TRUE)
    $authenticated = (stGetSpecSessionItem(SESS_USER, "key", FALSE) !== FALSE);

  if (!$authenticated)
  {
    if (!$silent) stDebug("AUTH user session FAIL.");
    return FALSE;
  }

  if (!$silent) stDebug("AUTH user session OK.");
  return stSessionExpire(SESS_USER);
}
173 | |
174 | |
// Set the "status" item of the active session type, remembering the
// previous status in "prevstatus" unless $status is negative.
// Does nothing if no session of the active type exists and a PHP
// session cannot be started.
function stSetSessionStatus($status)
{
  global $sessionType;

  if (!isset($_SESSION[$sessionType]) && session_start() !== TRUE)
    return;

  // Negative statuses do not push the current one into history
  if ($status >= 0)
    stSetSessionItem("prevstatus", stGetSessionItem("status", FALSE));

  stSetSessionItem("status", $status);
}
186 | |
187 ?> |