diff --git a/controllers/Logout.php b/controllers/Logout.php index 19805189..fb2489fd 100644 --- a/controllers/Logout.php +++ b/controllers/Logout.php @@ -11,7 +11,7 @@ class Logout extends HTMLController public function __construct() { // Clear the entire sesssion. - $_SESSION = []; + Session::clear(); // Back to the frontpage you go. header('Location: ' . BASEURL); diff --git a/models/Session.php b/models/Session.php index 22e08448..d1f6e043 100644 --- a/models/Session.php +++ b/models/Session.php @@ -3,47 +3,55 @@ * Session.php * Contains the key class Session. * - * Kabuki CMS (C) 2013-2015, Aaron van Geffen + * Kabuki CMS (C) 2013-2023, Aaron van Geffen *****************************************************************************/ class Session { + public static function clear() + { + $_SESSION = []; + } + public static function start() { session_start(); - // Resuming an existing session? Check what we know! - if (isset($_SESSION['user_id'], $_SESSION['ip_address'], $_SESSION['user_agent'])) - { - // If we're not browsing over HTTPS, protect against session hijacking. - if (!isset($_SERVER['HTTPS']) && isset($_SERVER['REMOTE_ADDR']) && $_SESSION['ip_address'] !== $_SERVER['REMOTE_ADDR']) - { - $_SESSION = []; - Dispatcher::kickGuest('Your session failed to validate', 'Your IP address has changed. Please re-login and try again.'); - } - // Either way, require re-login if the browser identifier has changed. - elseif (isset($_SERVER['HTTP_USER_AGENT']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT']) - { - $_SESSION = []; - Dispatcher::kickGuest('Your session failed to validate', 'Your browser identifier has changed. Please re-login and try again.'); - } - } - elseif (!isset($_SESSION['ip_address'], $_SESSION['user_agent'])) - $_SESSION = [ - 'ip_address' => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '', - 'user_agent' => isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '', - ]; + if (!isset($_SESSION['session_token_key'], $_SESSION['session_token'])) + self::generateSessionToken(); return true; } - public static function resetSessionToken() + public static function generateSessionToken() { $_SESSION['session_token'] = sha1(session_id() . mt_rand()); $_SESSION['session_token_key'] = substr(preg_replace('~^\d+~', '', sha1(mt_rand() . session_id() . mt_rand())), 0, rand(7, 12)); return true; } + public static function getSessionToken() + { + if (empty($_SESSION['session_token'])) + trigger_error('Call to getSessionToken without a session token being set!', E_USER_ERROR); + + return $_SESSION['session_token']; + } + + public static function getSessionTokenKey() + { + if (empty($_SESSION['session_token_key'])) + trigger_error('Call to getSessionTokenKey without a session token key being set!', E_USER_ERROR); + + return $_SESSION['session_token_key']; + } + + public static function resetSessionToken() + { + // Old interface; now always true. + return true; + } + public static function validateSession($method = 'post') { // First, check whether the submitted token and key match the ones in storage. @@ -67,23 +75,7 @@ class Session throw new UserFacingException('Invalid referring URL. Please reload the page and try again.'); } - // All looks good from here! But you can only use this token once, so... - return self::resetSessionToken(); - } - - public static function getSessionToken() - { - if (empty($_SESSION['session_token'])) - trigger_error('Call to getSessionToken without a session token being set!', E_USER_ERROR); - - return $_SESSION['session_token']; - } - - public static function getSessionTokenKey() - { - if (empty($_SESSION['session_token_key'])) - trigger_error('Call to getSessionTokenKey without a session token key being set!', E_USER_ERROR); - - return $_SESSION['session_token_key']; + // All looks good from here! + return true; } }