Session: centralise how session tokens are handled

Aaron van Geffen 2023-11-20 20:59:35 +01:00
parent 5f778d73b4
commit 65ee07d95b
2 changed files with 36 additions and 22 deletions


@ -11,7 +11,7 @@ class Logout extends HTMLController
public function __construct() public function __construct()
{ {
// Clear the entire sesssion. // Clear the entire sesssion.
$_SESSION = []; Session::clear();
// Back to the frontpage you go. // Back to the frontpage you go.
header('Location: ' . BASEURL); header('Location: ' . BASEURL);
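Review bot: `Session::clear()` on the replaced line only empties the `$_SESSION` array; the session id and its cookie stay valid, so a logout does not invalidate the server-side session itself. Unless it happens later in the constructor (its body continues outside the hunk), pair the clear with an id change, e.g. `Session::clear(); session_regenerate_id(true);` or `session_destroy();` after the clear, so the pre-logout identifier can no longer be presented. If that belongs in `Session::clear()` instead, a one-line comment there saying whether it is expected to end the session would keep the two call sites in agreement.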


@ -3,22 +3,52 @@
* Session.php * Session.php
* Contains the key class Session. * Contains the key class Session.
* *
* Kabuki CMS (C) 2013-2015, Aaron van Geffen * Kabuki CMS (C) 2013-2023, Aaron van Geffen
*****************************************************************************/ *****************************************************************************/
class Session class Session
{ {
public static function clear()
{
$_SESSION = [];
}
public static function start() public static function start()
{ {
session_start(); session_start();
if (!isset($_SESSION['session_token_key'], $_SESSION['session_token']))
self::generateSessionToken();
return true; return true;
} }
public static function generateSessionToken()
{
$_SESSION['session_token'] = sha1(session_id() . mt_rand());
$_SESSION['session_token_key'] = substr(preg_replace('~^\d+~', '', sha1(mt_rand() . session_id() . mt_rand())), 0, rand(7, 12));
return true;
}
public static function getSessionToken()
{
if (empty($_SESSION['session_token']))
trigger_error('Call to getSessionToken without a session token being set!', E_USER_ERROR);
return $_SESSION['session_token'];
}
public static function getSessionTokenKey()
{
if (empty($_SESSION['session_token_key']))
trigger_error('Call to getSessionTokenKey without a session token key being set!', E_USER_ERROR);
return $_SESSION['session_token_key'];
}
public static function resetSessionToken() public static function resetSessionToken()
{ {
$_SESSION['session_token'] = sha1(session_id() . mt_rand()); // Old interface; now always true.
$_SESSION['session_token_key'] = substr(preg_replace('~^\d+~', '', sha1(mt_rand() . session_id() . mt_rand())), 0, rand(7, 12));
return true; return true;
} }
@ -45,23 +75,7 @@ class Session
throw new UserFacingException('Invalid referring URL. Please reload the page and try again.'); throw new UserFacingException('Invalid referring URL. Please reload the page and try again.');
} }
// All looks good from here! But you can only use this token once, so... // All looks good from here!
return self::resetSessionToken(); return true;
}
public static function getSessionToken()
{
if (empty($_SESSION['session_token']))
trigger_error('Call to getSessionToken without a session token being set!', E_USER_ERROR);
return $_SESSION['session_token'];
}
public static function getSessionTokenKey()
{
if (empty($_SESSION['session_token_key']))
trigger_error('Call to getSessionTokenKey without a session token key being set!', E_USER_ERROR);
return $_SESSION['session_token_key'];
} }
} }
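Review bot: The token material in `generateSessionToken()` is derived from `mt_rand()`, `rand()` and the session id (the two `$_SESSION[...] =` lines in the first hunk), none of which is a cryptographic source; with the token now living for the whole session rather than being rotated per use, that matters more than before. A drop-in replacement keeps the 40-hex-char shape: `$_SESSION['session_token'] = bin2hex(random_bytes(20));` and `$_SESSION['session_token_key'] = substr(preg_replace('~^\d+~', '', bin2hex(random_bytes(20))), 0, random_int(7, 12));`. The second hunk deliberately stops calling `resetSessionToken()` after a successful check, so the "use this token once" guarantee the old comment described is gone; the one-line `// Old interface; now always true.` on `resetSessionToken()` should say so explicitly, e.g. `// Kept for callers; tokens are now per-session, call generateSessionToken() to rotate.`, since that method's name still promises a reset. The function containing the `Invalid referring URL` throw starts outside the second hunk, so I could not confirm whether anything else there depended on the rotation.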