Merge branch 'improve_session' into storageareas
This commit is contained in:
commit
4e10e6f0ae
|
@ -3941,6 +3941,13 @@ our @options = (
|
|||
type => $types{string},
|
||||
category => 'mail',
|
||||
},
|
||||
{
|
||||
name => 'ZM_COOKIE_LIFETIME',
|
||||
default => '3600',
|
||||
description => q`The maximum life of a COOKIE used when setting up PHP's session handler. This will affect how long a session will be valid for since the last request. Keeping this short helps prevent session hijacking. Keeping it long allows you to stay logged in longer without refreshing the view.`,
|
||||
type => $types{integer},
|
||||
category => 'system',
|
||||
}
|
||||
);
|
||||
|
||||
our %options_hash = map { ( $_->{name}, $_ ) } @options;
|
||||
|
|
|
@ -93,7 +93,7 @@ function userLogin($username='', $password='', $passwordHashed=false) {
|
|||
if ( ZM_AUTH_TYPE == 'builtin' ) {
|
||||
$_SESSION['passwordHash'] = $user['Password'];
|
||||
}
|
||||
session_regenerate_id();
|
||||
zm_session_regenerate_id();
|
||||
} else {
|
||||
Warning("Login denied for user \"$username\"");
|
||||
$_SESSION['loginFailed'] = true;
|
||||
|
@ -107,10 +107,8 @@ function userLogin($username='', $password='', $passwordHashed=false) {
|
|||
function userLogout() {
|
||||
global $user;
|
||||
Info('User "'.$user['Username'].'" logged out');
|
||||
session_start();
|
||||
unset($_SESSION['user']);
|
||||
unset($user);
|
||||
session_destroy();
|
||||
zm_session_clear();
|
||||
}
|
||||
|
||||
function getAuthUser($auth) {
|
||||
|
@ -205,18 +203,6 @@ function canEdit($area, $mid=false) {
|
|||
return ( $user[$area] == 'Edit' && ( !$mid || visibleMonitor($mid) ));
|
||||
}
|
||||
|
||||
function is_session_started() {
|
||||
if ( php_sapi_name() !== 'cli' ) {
|
||||
if ( version_compare(phpversion(), '5.4.0', '>=') ) {
|
||||
return session_status() === PHP_SESSION_ACTIVE ? TRUE : FALSE;
|
||||
} else {
|
||||
return session_id() === '' ? FALSE : TRUE;
|
||||
}
|
||||
} else {
|
||||
Warning("php_sapi_name === 'cli'");
|
||||
}
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if ( ZM_OPT_USE_AUTH ) {
|
||||
if ( ZM_AUTH_HASH_LOGINS && empty($user) && ! empty($_REQUEST['auth']) ) {
|
||||
|
|
|
@ -0,0 +1,76 @@
|
|||
<?php
|
||||
// ZM session start function support timestamp management
|
||||
function zm_session_start() {
|
||||
// Make sure use_strict_mode is enabled.
|
||||
// use_strict_mode is mandatory for security reasons.
|
||||
ini_set('session.use_strict_mode', 1);
|
||||
|
||||
$currentCookieParams = session_get_cookie_params();
|
||||
$currentCookieParams['lifetime'] = ZM_COOKIE_LIFETIME;
|
||||
|
||||
Logger::Debug('Setting cookie parameters to lifetime('.$currentCookieParams['lifetime'].') path('.$currentCookieParams['path'].') domain ('.$currentCookieParams['domain'].') secure('.$currentCookieParams['secure'].') httpOnly(1)');
|
||||
session_set_cookie_params(
|
||||
$currentCookieParams['lifetime'],
|
||||
$currentCookieParams['path'],
|
||||
$currentCookieParams['domain'],
|
||||
$currentCookieParams['secure'],
|
||||
true
|
||||
);
|
||||
|
||||
ini_set('session.name', 'ZMSESSID');
|
||||
|
||||
session_start();
|
||||
// Do not allow to use too old session ID
|
||||
if (!empty($_SESSION['last_time']) && $_SESSION['last_time'] < time() - 180) {
|
||||
session_destroy();
|
||||
session_start();
|
||||
}
|
||||
}
|
||||
|
||||
// My session regenerate id function
|
||||
function zm_session_regenerate_id() {
|
||||
// Call session_create_id() while session is active to
|
||||
// make sure collision free.
|
||||
if ( session_status() != PHP_SESSION_ACTIVE ) {
|
||||
session_start();
|
||||
}
|
||||
// WARNING: Never use confidential strings for prefix!
|
||||
$newid = session_create_id();
|
||||
// Set deleted timestamp. Session data must not be deleted immediately for reasons.
|
||||
$_SESSION['last_time'] = time();
|
||||
// Finish session
|
||||
session_commit();
|
||||
// Make sure to accept user defined session ID
|
||||
// NOTE: You must enable use_strict_mode for normal operations.
|
||||
ini_set('session.use_strict_mode', 0);
|
||||
// Set new custome session ID
|
||||
session_id($newid);
|
||||
// Start with custome session ID
|
||||
session_start();
|
||||
}
|
||||
|
||||
function is_session_started() {
|
||||
if ( php_sapi_name() !== 'cli' ) {
|
||||
if ( version_compare(phpversion(), '5.4.0', '>=') ) {
|
||||
return session_status() === PHP_SESSION_ACTIVE ? TRUE : FALSE;
|
||||
} else {
|
||||
return session_id() === '' ? FALSE : TRUE;
|
||||
}
|
||||
} else {
|
||||
Warning("php_sapi_name === 'cli'");
|
||||
}
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
function zm_session_clear() {
|
||||
session_start();
|
||||
$_SESSION = array();
|
||||
if ( ini_get('session.use_cookies') ) {
|
||||
$p = session_get_cookie_params();
|
||||
# Update the cookie to expire in the past.
|
||||
setcookie(session_name(), '', time() - 31536000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
|
||||
}
|
||||
session_unset();
|
||||
session_destroy();
|
||||
}
|
||||
?>
|
|
@ -44,6 +44,7 @@ if ( false ) {
|
|||
}
|
||||
|
||||
require_once('includes/config.php');
|
||||
require_once('includes/session.php');
|
||||
require_once('includes/logger.php');
|
||||
require_once('includes/Server.php');
|
||||
require_once('includes/Storage.php');
|
||||
|
@ -114,19 +115,7 @@ if ( !file_exists(ZM_SKIN_PATH) )
|
|||
Fatal("Invalid skin '$skin'");
|
||||
$skinBase[] = $skin;
|
||||
|
||||
$currentCookieParams = session_get_cookie_params();
|
||||
//Logger::Debug('Setting cookie parameters to lifetime('.$currentCookieParams['lifetime'].') path('.$currentCookieParams['path'].') domain ('.$currentCookieParams['domain'].') secure('.$currentCookieParams['secure'].') httpOnly(1)');
|
||||
session_set_cookie_params(
|
||||
$currentCookieParams['lifetime'],
|
||||
$currentCookieParams['path'],
|
||||
$currentCookieParams['domain'],
|
||||
$currentCookieParams['secure'],
|
||||
true
|
||||
);
|
||||
|
||||
ini_set('session.name', 'ZMSESSID');
|
||||
|
||||
session_start();
|
||||
zm_session_start();
|
||||
|
||||
if ( !isset($_SESSION['skin']) || isset($_REQUEST['skin']) || !isset($_COOKIE['zmSkin']) || $_COOKIE['zmSkin'] != $skin ) {
|
||||
$_SESSION['skin'] = $skin;
|
||||
|
|
Loading…
Reference in New Issue