kazhnuz/koblog
1
0
Fork 0
Code Issues 30 Pull requests Projects 3 Releases Packages Wiki Activity Actions

Bug fix in Session handler for multiples Bludit installation in the same root folder

Browse source
This commit is contained in:
Diego Najar 2021-11-25 20:17:38 +01:00
parent 9718e03590
commit 320f9a2f0c
4 changed files with 227 additions and 211 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
bl-kernel/boot/admin.php
View file

@ -2,8 +2,8 @@
// Start the session // Start the session
// If the session is not started the admin area is not available // If the session is not started the admin area is not available
Session::start(); Session::start($site->urlPath(), $site->isHTTPS());
if (Session::started()===false) { if (!Session::started()) {
exit('Bludit CMS. Session initialization failed.'); exit('Bludit CMS. Session initialization failed.');
} }

122
bl-kernel/helpers/session.class.php
View file

@ -2,82 +2,78 @@
class Session { class Session {
private static $started = false; private static $started = false;
private static $sessionName = 'BLUDIT-KEY'; private static $sessionName = 'BLUDIT-KEY';
public static function start() public static function start($path, $secure)
{ {
// Try to set the session timeout on server side, 1 hour of timeout // Try to set the session timeout on server side, 1 hour of timeout
ini_set('session.gc_maxlifetime', SESSION_GC_MAXLIFETIME); ini_set('session.gc_maxlifetime', SESSION_GC_MAXLIFETIME);
// If TRUE cookie will only be sent over secure connections. // Gets current cookies parameters
$secure = false; $cookieParams = session_get_cookie_params();
// If set to TRUE then PHP will attempt to send the httponly flag when setting the session cookie. if (empty($path)) {
$httponly = true; $path = '/';
}
// Gets current cookies params. session_set_cookie_params([
$cookieParams = session_get_cookie_params(); 'lifetime' => $cookieParams["lifetime"],
'path' => $path,
'domain' => $cookieParams["domain"],
'secure' => $secure,
'httponly' => true,
'samesite' => 'Lax'
]);
session_set_cookie_params( // Sets the session name
SESSION_COOKIE_LIFE_TIME, session_name(self::$sessionName);
$cookieParams["path"],
$cookieParams["domain"],
$secure,
$httponly
);
// Sets the session name to the one set above. // Start session
session_name(self::$sessionName); self::$started = session_start();
// Start session. if (!self::$started) {
self::$started = session_start(); Log::set(__METHOD__.LOG_SEP.'Error occurred when trying to start the session.');
}
}
// Regenerated the session, delete the old one. There are problems with AJAX. public static function started()
//session_regenerate_id(true); {
return self::$started;
}
if (!self::$started) { public static function destroy()
Log::set(__METHOD__.LOG_SEP.'Error occurred when trying to start the session.'); {
} session_destroy();
} unset($_SESSION);
unset($_COOKIE[self::$sessionName]);
Cookie::set(self::$sessionName, '', -1);
self::$started = false;
Log::set(__METHOD__.LOG_SEP.'Session destroyed.');
return !isset($_SESSION);
}
public static function started() public static function set($key, $value)
{ {
return self::$started; $key = 's_'.$key;
}
public static function destroy() $_SESSION[$key] = $value;
{ }
session_destroy();
unset($_SESSION);
unset($_COOKIE[self::$sessionName]);
Cookie::set(self::$sessionName, '', -1);
self::$started = false;
Log::set(__METHOD__.LOG_SEP.'Session destroyed.');
return !isset($_SESSION);
}
public static function set($key, $value) public static function get($key)
{ {
$key = 's_'.$key; $key = 's_'.$key;
$_SESSION[$key] = $value; if (isset($_SESSION[$key])) {
} return $_SESSION[$key];
}
return false;
}
public static function get($key) public static function remove($key)
{ {
$key = 's_'.$key; $key = 's_'.$key;
if (isset($_SESSION[$key])) { unset($_SESSION[$key]);
return $_SESSION[$key]; }
}
return false;
}
public static function remove($key)
{
$key = 's_'.$key;
unset($_SESSION[$key]);
}
} }

299
bl-kernel/login.class.php
View file

@ -2,180 +2,187 @@
class Login { class Login {
protected $users; protected $users;
protected $site;
function __construct() function __construct()
{ {
if (isset($GLOBALS['users'])) { if (isset($GLOBALS['users'])) {
$this->users = $GLOBALS['users']; $this->users = $GLOBALS['users'];
} else { } else {
$this->users = new Users(); $this->users = new Users();
} }
// Start the Session if (isset($GLOBALS['site'])) {
if (!Session::started()) { $this->site = $GLOBALS['site'];
Session::start(); } else {
} $this->site = new Site();
} }
// Returns the username // Start the Session
public function username() if (!Session::started()) {
{ Session::start($this->site->urlPath(), $this->site->isHTTPS());
return Session::get('username'); }
} }
// Returns the role // Returns the username
public function role() public function username()
{ {
return Session::get('role'); return Session::get('username');
} }
// Returns the authentication token // Returns the role
public function tokenAuth() public function role()
{ {
return Session::get('tokenAuth'); return Session::get('role');
} }
// Returns TRUE if the user is logged, FALSE otherwise // Returns the authentication token
public function isLogged() public function tokenAuth()
{ {
if (Session::get('fingerPrint')===$this->fingerPrint()) { return Session::get('tokenAuth');
$username = Session::get('username'); }
if (!empty($username)) {
return true;
} else {
Log::set(__METHOD__.LOG_SEP.'Session username empty, destroying the session.');
Session::destroy();
return false;
}
}
Log::set(__METHOD__.LOG_SEP.'FingerPrints are different. ['.Session::get('fingerPrint').'] != ['.$this->fingerPrint().']'); // Returns TRUE if the user is logged, FALSE otherwise
return false; public function isLogged()
} {
if (Session::get('fingerPrint')===$this->fingerPrint()) {
$username = Session::get('username');
if (!empty($username)) {
return true;
} else {
Log::set(__METHOD__.LOG_SEP.'Session username empty, destroying the session.');
Session::destroy();
return false;
}
}
// Set the session for the user logged Log::set(__METHOD__.LOG_SEP.'FingerPrints are different. ['.Session::get('fingerPrint').'] != ['.$this->fingerPrint().']');
public function setLogin($username, $role, $tokenAuth) return false;
{ }
Session::set('username', $username);
Session::set('role', $role);
Session::set('tokenAuth', $tokenAuth);
Session::set('fingerPrint', $this->fingerPrint());
Session::set('sessionTime', time());
Log::set(__METHOD__.LOG_SEP.'User logged, fingerprint ['.$this->fingerPrint().']'); // Set the session for the user logged
} public function setLogin($username, $role, $tokenAuth)
{
Session::set('username', $username);
Session::set('role', $role);
Session::set('tokenAuth', $tokenAuth);
Session::set('fingerPrint', $this->fingerPrint());
Session::set('sessionTime', time());
public function setRememberMe($username) Log::set(__METHOD__.LOG_SEP.'User logged, fingerprint ['.$this->fingerPrint().']');
{ }
$username = Sanitize::html($username);
// Set the token on the users database public function setRememberMe($username)
$token = $this->users->generateRememberToken(); {
$this->users->setRememberToken($username, $token); $username = Sanitize::html($username);
// Set the token on the cookies // Set the token on the users database
Cookie::set(REMEMBER_COOKIE_USERNAME, $username, REMEMBER_COOKIE_EXPIRE_IN_DAYS); $token = $this->users->generateRememberToken();
Cookie::set(REMEMBER_COOKIE_TOKEN, $token, REMEMBER_COOKIE_EXPIRE_IN_DAYS); $this->users->setRememberToken($username, $token);
Log::set(__METHOD__.LOG_SEP.'Cookies set for Remember Me.'); // Set the token on the cookies
} Cookie::set(REMEMBER_COOKIE_USERNAME, $username, REMEMBER_COOKIE_EXPIRE_IN_DAYS);
Cookie::set(REMEMBER_COOKIE_TOKEN, $token, REMEMBER_COOKIE_EXPIRE_IN_DAYS);
public function invalidateRememberMe() Log::set(__METHOD__.LOG_SEP.'Cookies set for Remember Me.');
{ }
// Invalidate all tokens on the user databases
$this->users->invalidateAllRememberTokens();
// Destroy the cookies public function invalidateRememberMe()
Cookie::set(REMEMBER_COOKIE_USERNAME, '', -1); {
Cookie::set(REMEMBER_COOKIE_TOKEN, '', -1); // Invalidate all tokens on the user databases
unset($_COOKIE[REMEMBER_COOKIE_USERNAME]); $this->users->invalidateAllRememberTokens();
unset($_COOKIE[REMEMBER_COOKIE_TOKEN]);
}
// Check if the username and the password are valid // Destroy the cookies
// Returns TRUE if valid and set the session Cookie::set(REMEMBER_COOKIE_USERNAME, '', -1);
// Returns FALSE for invalid username or password Cookie::set(REMEMBER_COOKIE_TOKEN, '', -1);
public function verifyUser($username, $password) unset($_COOKIE[REMEMBER_COOKIE_USERNAME]);
{ unset($_COOKIE[REMEMBER_COOKIE_TOKEN]);
$username = Sanitize::html($username); }
$username = trim($username);
if (empty($username) || empty($password)) { // Check if the username and the password are valid
Log::set(__METHOD__.LOG_SEP.'Username or password empty. Username: '.$username); // Returns TRUE if valid and set the session
return false; // Returns FALSE for invalid username or password
} public function verifyUser($username, $password)
{
$username = Sanitize::html($username);
$username = trim($username);
if (Text::length($password)<PASSWORD_LENGTH) { if (empty($username) || empty($password)) {
Log::set(__METHOD__.LOG_SEP.'Password length is shorter than required.'); Log::set(__METHOD__.LOG_SEP.'Username or password empty. Username: '.$username);
return false; return false;
} }
try { if (Text::length($password)<PASSWORD_LENGTH) {
$user = new User($username); Log::set(__METHOD__.LOG_SEP.'Password length is shorter than required.');
} catch (Exception $e) { return false;
return false; }
}
$passwordHash = $this->users->generatePasswordHash($password, $user->salt()); try {
if ($passwordHash===$user->password()) { $user = new User($username);
$this->setLogin($username, $user->role(), $user->tokenAuth()); } catch (Exception $e) {
Log::set(__METHOD__.LOG_SEP.'Successful user login by username and password - Username ['.$username.']'); return false;
return true; }
}
Log::set(__METHOD__.LOG_SEP.'Password incorrect.'); $passwordHash = $this->users->generatePasswordHash($password, $user->salt());
return false; if ($passwordHash===$user->password()) {
} $this->setLogin($username, $user->role(), $user->tokenAuth());
Log::set(__METHOD__.LOG_SEP.'Successful user login by username and password - Username ['.$username.']');
return true;
}
// Check if the user has the cookies and the correct token Log::set(__METHOD__.LOG_SEP.'Password incorrect.');
public function verifyUserByRemember() return false;
{ }
if (Cookie::isEmpty(REMEMBER_COOKIE_USERNAME) || Cookie::isEmpty(REMEMBER_COOKIE_TOKEN)) {
return false;
}
$username = Cookie::get(REMEMBER_COOKIE_USERNAME); // Check if the user has the cookies and the correct token
$token = Cookie::get(REMEMBER_COOKIE_TOKEN); public function verifyUserByRemember()
{
if (Cookie::isEmpty(REMEMBER_COOKIE_USERNAME) || Cookie::isEmpty(REMEMBER_COOKIE_TOKEN)) {
return false;
}
$username = Sanitize::html($username); $username = Cookie::get(REMEMBER_COOKIE_USERNAME);
$token = Sanitize::html($token); $token = Cookie::get(REMEMBER_COOKIE_TOKEN);
$username = trim($username); $username = Sanitize::html($username);
$token = trim($token); $token = Sanitize::html($token);
if (empty($username) || empty($token)) { $username = trim($username);
$this->invalidateRememberMe(); $token = trim($token);
Log::set(__METHOD__.LOG_SEP.'Username or Token empty. Username: '.$username.' - Token: '.$token);
return false;
}
if ($username !== $this->users->getByRememberToken($token)) { if (empty($username) || empty($token)) {
$this->invalidateRememberMe(); $this->invalidateRememberMe();
Log::set(__METHOD__.LOG_SEP.'The user has different token or the token doesn\'t exist.'); Log::set(__METHOD__.LOG_SEP.'Username or Token empty. Username: '.$username.' - Token: '.$token);
return false; return false;
} }
// Get user from database and login if ($username !== $this->users->getByRememberToken($token)) {
$user = $this->users->getUserDB($username); $this->invalidateRememberMe();
$this->setLogin($username, $user['role'], $user->tokenAuth()); Log::set(__METHOD__.LOG_SEP.'The user has different token or the token doesn\'t exist.');
Log::set(__METHOD__.LOG_SEP.'User authenticated via Remember Me.'); return false;
return true; }
}
public function fingerPrint() // Get user from database and login
{ $user = $this->users->getUserDB($username);
$agent = getenv('HTTP_USER_AGENT'); $this->setLogin($username, $user['role'], $user->tokenAuth());
if (empty($agent)) { Log::set(__METHOD__.LOG_SEP.'User authenticated via Remember Me.');
$agent = 'Bludit/2.0 (Mr Nibbler Protocol)'; return true;
} }
return sha1($agent);
}
public function logout() public function fingerPrint()
{ {
$this->invalidateRememberMe(); $agent = getenv('HTTP_USER_AGENT');
Session::destroy(); if (empty($agent)) {
return true; $agent = 'Bludit/2.0 (Mr Nibbler Protocol)';
} }
return sha1($agent);
}
public function logout()
{
$this->invalidateRememberMe();
Session::destroy();
return true;
}
} }

13
bl-kernel/site.class.php
View file

@ -332,6 +332,19 @@ class Site extends dbJSON
return $this->getField('url'); return $this->getField('url');
} }
public function urlPath()
{
$url = $this->getField('url');
return parse_url($url, PHP_URL_PATH);
}
public function isHTTPS()
{
$url = $this->getField('url');
return parse_url($url, PHP_URL_SCHEME) === 'https';
}
// Returns the protocol and the domain, without the base url // Returns the protocol and the domain, without the base url
// For example, http://www.domain.com // For example, http://www.domain.com
public function domain() public function domain()