forked from Public/pics
Session: centralise how session tokens are handled
This commit is contained in:
parent
5f778d73b4
commit
65ee07d95b
@ -11,7 +11,7 @@ class Logout extends HTMLController
|
||||
public function __construct()
|
||||
{
|
||||
// Clear the entire sesssion.
|
||||
$_SESSION = [];
|
||||
Session::clear();
|
||||
|
||||
// Back to the frontpage you go.
|
||||
header('Location: ' . BASEURL);
|
||||
|
||||
@ -3,22 +3,52 @@
|
||||
* Session.php
|
||||
* Contains the key class Session.
|
||||
*
|
||||
* Kabuki CMS (C) 2013-2015, Aaron van Geffen
|
||||
* Kabuki CMS (C) 2013-2023, Aaron van Geffen
|
||||
*****************************************************************************/
|
||||
|
||||
class Session
|
||||
{
|
||||
public static function clear()
|
||||
{
|
||||
$_SESSION = [];
|
||||
}
|
||||
|
||||
public static function start()
|
||||
{
|
||||
session_start();
|
||||
|
||||
if (!isset($_SESSION['session_token_key'], $_SESSION['session_token']))
|
||||
self::generateSessionToken();
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
public static function generateSessionToken()
|
||||
{
|
||||
$_SESSION['session_token'] = sha1(session_id() . mt_rand());
|
||||
$_SESSION['session_token_key'] = substr(preg_replace('~^\d+~', '', sha1(mt_rand() . session_id() . mt_rand())), 0, rand(7, 12));
|
||||
return true;
|
||||
}
|
||||
|
||||
public static function getSessionToken()
|
||||
{
|
||||
if (empty($_SESSION['session_token']))
|
||||
trigger_error('Call to getSessionToken without a session token being set!', E_USER_ERROR);
|
||||
|
||||
return $_SESSION['session_token'];
|
||||
}
|
||||
|
||||
public static function getSessionTokenKey()
|
||||
{
|
||||
if (empty($_SESSION['session_token_key']))
|
||||
trigger_error('Call to getSessionTokenKey without a session token key being set!', E_USER_ERROR);
|
||||
|
||||
return $_SESSION['session_token_key'];
|
||||
}
|
||||
|
||||
public static function resetSessionToken()
|
||||
{
|
||||
$_SESSION['session_token'] = sha1(session_id() . mt_rand());
|
||||
$_SESSION['session_token_key'] = substr(preg_replace('~^\d+~', '', sha1(mt_rand() . session_id() . mt_rand())), 0, rand(7, 12));
|
||||
// Old interface; now always true.
|
||||
return true;
|
||||
}
|
||||
|
||||
@ -45,23 +75,7 @@ class Session
|
||||
throw new UserFacingException('Invalid referring URL. Please reload the page and try again.');
|
||||
}
|
||||
|
||||
// All looks good from here! But you can only use this token once, so...
|
||||
return self::resetSessionToken();
|
||||
}
|
||||
|
||||
public static function getSessionToken()
|
||||
{
|
||||
if (empty($_SESSION['session_token']))
|
||||
trigger_error('Call to getSessionToken without a session token being set!', E_USER_ERROR);
|
||||
|
||||
return $_SESSION['session_token'];
|
||||
}
|
||||
|
||||
public static function getSessionTokenKey()
|
||||
{
|
||||
if (empty($_SESSION['session_token_key']))
|
||||
trigger_error('Call to getSessionTokenKey without a session token key being set!', E_USER_ERROR);
|
||||
|
||||
return $_SESSION['session_token_key'];
|
||||
// All looks good from here!
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user