kazhnuz/koblog
1
0
Fork 0
Code Issues 41 Pull requests 1 Projects 4 Releases Packages Wiki Activity Actions

Bug fix in Session handler for multiples Bludit installation in the same root folder

Browse source
This commit is contained in:
Diego Najar 2021-11-25 20:17:38 +01:00
parent 9718e03590
commit 320f9a2f0c
4 changed files with 227 additions and 211 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
bl-kernel/boot/admin.php
View file

@ -2,8 +2,8 @@
// Start the session
// If the session is not started the admin area is not available
Session::start();
if (Session::started()===false) {
Session::start($site->urlPath(), $site->isHTTPS());
if (!Session::started()) {
exit('Bludit CMS. Session initialization failed.');
}

122
bl-kernel/helpers/session.class.php
View file

@ -2,82 +2,78 @@
class Session {
private static $started = false;
private static $sessionName = 'BLUDIT-KEY';
private static $started = false;
private static $sessionName = 'BLUDIT-KEY';
public static function start()
{
// Try to set the session timeout on server side, 1 hour of timeout
ini_set('session.gc_maxlifetime', SESSION_GC_MAXLIFETIME);
public static function start($path, $secure)
{
// Try to set the session timeout on server side, 1 hour of timeout
ini_set('session.gc_maxlifetime', SESSION_GC_MAXLIFETIME);
// If TRUE cookie will only be sent over secure connections.
$secure = false;
// Gets current cookies parameters
$cookieParams = session_get_cookie_params();
// If set to TRUE then PHP will attempt to send the httponly flag when setting the session cookie.
$httponly = true;
if (empty($path)) {
$path = '/';
}
// Gets current cookies params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params([
'lifetime' => $cookieParams["lifetime"],
'path' => $path,
'domain' => $cookieParams["domain"],
'secure' => $secure,
'httponly' => true,
'samesite' => 'Lax'
]);
session_set_cookie_params(
SESSION_COOKIE_LIFE_TIME,
$cookieParams["path"],
$cookieParams["domain"],
$secure,
$httponly
);
// Sets the session name
session_name(self::$sessionName);
// Sets the session name to the one set above.
session_name(self::$sessionName);
// Start session
self::$started = session_start();
// Start session.
self::$started = session_start();
if (!self::$started) {
Log::set(__METHOD__.LOG_SEP.'Error occurred when trying to start the session.');
}
}
// Regenerated the session, delete the old one. There are problems with AJAX.
//session_regenerate_id(true);
public static function started()
{
return self::$started;
}
if (!self::$started) {
Log::set(__METHOD__.LOG_SEP.'Error occurred when trying to start the session.');
}
}
public static function destroy()
{
session_destroy();
unset($_SESSION);
unset($_COOKIE[self::$sessionName]);
Cookie::set(self::$sessionName, '', -1);
self::$started = false;
Log::set(__METHOD__.LOG_SEP.'Session destroyed.');
return !isset($_SESSION);
}
public static function started()
{
return self::$started;
}
public static function set($key, $value)
{
$key = 's_'.$key;
public static function destroy()
{
session_destroy();
unset($_SESSION);
unset($_COOKIE[self::$sessionName]);
Cookie::set(self::$sessionName, '', -1);
self::$started = false;
Log::set(__METHOD__.LOG_SEP.'Session destroyed.');
return !isset($_SESSION);
}
$_SESSION[$key] = $value;
}
public static function set($key, $value)
{
$key = 's_'.$key;
public static function get($key)
{
$key = 's_'.$key;
$_SESSION[$key] = $value;
}
if (isset($_SESSION[$key])) {
return $_SESSION[$key];
}
return false;
}
public static function get($key)
{
$key = 's_'.$key;
public static function remove($key)
{
$key = 's_'.$key;
if (isset($_SESSION[$key])) {
return $_SESSION[$key];
}
return false;
}
public static function remove($key)
{
$key = 's_'.$key;
unset($_SESSION[$key]);
}
unset($_SESSION[$key]);
}
}

299
bl-kernel/login.class.php
View file

@ -2,180 +2,187 @@
class Login {
protected $users;
protected $users;
protected $site;
function __construct()
{
if (isset($GLOBALS['users'])) {
$this->users = $GLOBALS['users'];
} else {
$this->users = new Users();
}
function __construct()
{
if (isset($GLOBALS['users'])) {
$this->users = $GLOBALS['users'];
} else {
$this->users = new Users();
}
// Start the Session
if (!Session::started()) {
Session::start();
}
}
if (isset($GLOBALS['site'])) {
$this->site = $GLOBALS['site'];
} else {
$this->site = new Site();
}
// Returns the username
public function username()
{
return Session::get('username');
}
// Start the Session
if (!Session::started()) {
Session::start($this->site->urlPath(), $this->site->isHTTPS());
}
}
// Returns the role
public function role()
{
return Session::get('role');
}
// Returns the username
public function username()
{
return Session::get('username');
}
// Returns the authentication token
public function tokenAuth()
{
return Session::get('tokenAuth');
}
// Returns the role
public function role()
{
return Session::get('role');
}
// Returns TRUE if the user is logged, FALSE otherwise
public function isLogged()
{
if (Session::get('fingerPrint')===$this->fingerPrint()) {
$username = Session::get('username');
if (!empty($username)) {
return true;
} else {
Log::set(__METHOD__.LOG_SEP.'Session username empty, destroying the session.');
Session::destroy();
return false;
}
}
// Returns the authentication token
public function tokenAuth()
{
return Session::get('tokenAuth');
}
Log::set(__METHOD__.LOG_SEP.'FingerPrints are different. ['.Session::get('fingerPrint').'] != ['.$this->fingerPrint().']');
return false;
}
// Returns TRUE if the user is logged, FALSE otherwise
public function isLogged()
{
if (Session::get('fingerPrint')===$this->fingerPrint()) {
$username = Session::get('username');
if (!empty($username)) {
return true;
} else {
Log::set(__METHOD__.LOG_SEP.'Session username empty, destroying the session.');
Session::destroy();
return false;
}
}
// Set the session for the user logged
public function setLogin($username, $role, $tokenAuth)
{
Session::set('username', $username);
Session::set('role', $role);
Session::set('tokenAuth', $tokenAuth);
Session::set('fingerPrint', $this->fingerPrint());
Session::set('sessionTime', time());
Log::set(__METHOD__.LOG_SEP.'FingerPrints are different. ['.Session::get('fingerPrint').'] != ['.$this->fingerPrint().']');
return false;
}
Log::set(__METHOD__.LOG_SEP.'User logged, fingerprint ['.$this->fingerPrint().']');
}
// Set the session for the user logged
public function setLogin($username, $role, $tokenAuth)
{
Session::set('username', $username);
Session::set('role', $role);
Session::set('tokenAuth', $tokenAuth);
Session::set('fingerPrint', $this->fingerPrint());
Session::set('sessionTime', time());
public function setRememberMe($username)
{
$username = Sanitize::html($username);
Log::set(__METHOD__.LOG_SEP.'User logged, fingerprint ['.$this->fingerPrint().']');
}
// Set the token on the users database
$token = $this->users->generateRememberToken();
$this->users->setRememberToken($username, $token);
public function setRememberMe($username)
{
$username = Sanitize::html($username);
// Set the token on the cookies
Cookie::set(REMEMBER_COOKIE_USERNAME, $username, REMEMBER_COOKIE_EXPIRE_IN_DAYS);
Cookie::set(REMEMBER_COOKIE_TOKEN, $token, REMEMBER_COOKIE_EXPIRE_IN_DAYS);
// Set the token on the users database
$token = $this->users->generateRememberToken();
$this->users->setRememberToken($username, $token);
Log::set(__METHOD__.LOG_SEP.'Cookies set for Remember Me.');
}
// Set the token on the cookies
Cookie::set(REMEMBER_COOKIE_USERNAME, $username, REMEMBER_COOKIE_EXPIRE_IN_DAYS);
Cookie::set(REMEMBER_COOKIE_TOKEN, $token, REMEMBER_COOKIE_EXPIRE_IN_DAYS);
public function invalidateRememberMe()
{
// Invalidate all tokens on the user databases
$this->users->invalidateAllRememberTokens();
Log::set(__METHOD__.LOG_SEP.'Cookies set for Remember Me.');
}
// Destroy the cookies
Cookie::set(REMEMBER_COOKIE_USERNAME, '', -1);
Cookie::set(REMEMBER_COOKIE_TOKEN, '', -1);
unset($_COOKIE[REMEMBER_COOKIE_USERNAME]);
unset($_COOKIE[REMEMBER_COOKIE_TOKEN]);
}
public function invalidateRememberMe()
{
// Invalidate all tokens on the user databases
$this->users->invalidateAllRememberTokens();
// Check if the username and the password are valid
// Returns TRUE if valid and set the session
// Returns FALSE for invalid username or password
public function verifyUser($username, $password)
{
$username = Sanitize::html($username);
$username = trim($username);
// Destroy the cookies
Cookie::set(REMEMBER_COOKIE_USERNAME, '', -1);
Cookie::set(REMEMBER_COOKIE_TOKEN, '', -1);
unset($_COOKIE[REMEMBER_COOKIE_USERNAME]);
unset($_COOKIE[REMEMBER_COOKIE_TOKEN]);
}
if (empty($username) || empty($password)) {
Log::set(__METHOD__.LOG_SEP.'Username or password empty. Username: '.$username);
return false;
}
// Check if the username and the password are valid
// Returns TRUE if valid and set the session
// Returns FALSE for invalid username or password
public function verifyUser($username, $password)
{
$username = Sanitize::html($username);
$username = trim($username);
if (Text::length($password)<PASSWORD_LENGTH) {
Log::set(__METHOD__.LOG_SEP.'Password length is shorter than required.');
return false;
}
if (empty($username) || empty($password)) {
Log::set(__METHOD__.LOG_SEP.'Username or password empty. Username: '.$username);
return false;
}
try {
$user = new User($username);
} catch (Exception $e) {
return false;
}
if (Text::length($password)<PASSWORD_LENGTH) {
Log::set(__METHOD__.LOG_SEP.'Password length is shorter than required.');
return false;
}
$passwordHash = $this->users->generatePasswordHash($password, $user->salt());
if ($passwordHash===$user->password()) {
$this->setLogin($username, $user->role(), $user->tokenAuth());
Log::set(__METHOD__.LOG_SEP.'Successful user login by username and password - Username ['.$username.']');
return true;
}
try {
$user = new User($username);
} catch (Exception $e) {
return false;
}
Log::set(__METHOD__.LOG_SEP.'Password incorrect.');
return false;
}
$passwordHash = $this->users->generatePasswordHash($password, $user->salt());
if ($passwordHash===$user->password()) {
$this->setLogin($username, $user->role(), $user->tokenAuth());
Log::set(__METHOD__.LOG_SEP.'Successful user login by username and password - Username ['.$username.']');
return true;
}
// Check if the user has the cookies and the correct token
public function verifyUserByRemember()
{
if (Cookie::isEmpty(REMEMBER_COOKIE_USERNAME) || Cookie::isEmpty(REMEMBER_COOKIE_TOKEN)) {
return false;
}
Log::set(__METHOD__.LOG_SEP.'Password incorrect.');
return false;
}
$username = Cookie::get(REMEMBER_COOKIE_USERNAME);
$token = Cookie::get(REMEMBER_COOKIE_TOKEN);
// Check if the user has the cookies and the correct token
public function verifyUserByRemember()
{
if (Cookie::isEmpty(REMEMBER_COOKIE_USERNAME) || Cookie::isEmpty(REMEMBER_COOKIE_TOKEN)) {
return false;
}
$username = Sanitize::html($username);
$token = Sanitize::html($token);
$username = Cookie::get(REMEMBER_COOKIE_USERNAME);
$token = Cookie::get(REMEMBER_COOKIE_TOKEN);
$username = trim($username);
$token = trim($token);
$username = Sanitize::html($username);
$token = Sanitize::html($token);
if (empty($username) || empty($token)) {
$this->invalidateRememberMe();
Log::set(__METHOD__.LOG_SEP.'Username or Token empty. Username: '.$username.' - Token: '.$token);
return false;
}
$username = trim($username);
$token = trim($token);
if ($username !== $this->users->getByRememberToken($token)) {
$this->invalidateRememberMe();
Log::set(__METHOD__.LOG_SEP.'The user has different token or the token doesn\'t exist.');
return false;
}
if (empty($username) || empty($token)) {
$this->invalidateRememberMe();
Log::set(__METHOD__.LOG_SEP.'Username or Token empty. Username: '.$username.' - Token: '.$token);
return false;
}
// Get user from database and login
$user = $this->users->getUserDB($username);
$this->setLogin($username, $user['role'], $user->tokenAuth());
Log::set(__METHOD__.LOG_SEP.'User authenticated via Remember Me.');
return true;
}
if ($username !== $this->users->getByRememberToken($token)) {
$this->invalidateRememberMe();
Log::set(__METHOD__.LOG_SEP.'The user has different token or the token doesn\'t exist.');
return false;
}
public function fingerPrint()
{
$agent = getenv('HTTP_USER_AGENT');
if (empty($agent)) {
$agent = 'Bludit/2.0 (Mr Nibbler Protocol)';
}
return sha1($agent);
}
// Get user from database and login
$user = $this->users->getUserDB($username);
$this->setLogin($username, $user['role'], $user->tokenAuth());
Log::set(__METHOD__.LOG_SEP.'User authenticated via Remember Me.');
return true;
}
public function logout()
{
$this->invalidateRememberMe();
Session::destroy();
return true;
}
public function fingerPrint()
{
$agent = getenv('HTTP_USER_AGENT');
if (empty($agent)) {
$agent = 'Bludit/2.0 (Mr Nibbler Protocol)';
}
return sha1($agent);
}
public function logout()
{
$this->invalidateRememberMe();
Session::destroy();
return true;
}
}

13
bl-kernel/site.class.php
View file

@ -332,6 +332,19 @@ class Site extends dbJSON
return $this->getField('url');
}
public function urlPath()
{
$url = $this->getField('url');
return parse_url($url, PHP_URL_PATH);
}
public function isHTTPS()
{
$url = $this->getField('url');
return parse_url($url, PHP_URL_SCHEME) === 'https';
}
// Returns the protocol and the domain, without the base url
// For example, http://www.domain.com
public function domain()