From 730a5c153eefa871a968d6fbc8c4254736421119 Mon Sep 17 00:00:00 2001
From: Yasen Pramatarov
Date: Mon, 17 Feb 2025 14:36:00 +0200
Subject: [PATCH] Adds session management

---
 app/includes/session_middleware.php | 49 +++++++++++++++++++++++++++++
 app/pages/login.php | 18 +++++++++++
 public_html/index.php | 16 +++++++---
 3 files changed, 78 insertions(+), 5 deletions(-)
 create mode 100644 app/includes/session_middleware.php

diff --git a/app/includes/session_middleware.php b/app/includes/session_middleware.php
new file mode 100644
index 0000000..59fc13d
--- /dev/null
+++ b/app/includes/session_middleware.php
@@ -0,0 +1,49 @@
+ $session_timeout)) {
+ // Session has expired
+ session_unset();
+ session_destroy();
+ setcookie('username', '', [
+ 'expires' => time() - 3600,
+ 'path' => $config['folder'],
+ 'domain' => $config['domain'],
+ 'secure' => isset($_SERVER['HTTPS']),
+ 'httponly' => true,
+ 'samesite' => 'Strict'
+ ]);
+ header('Location: ' . $app_root . '?page=login&timeout=1');
+ exit();
+}
+
+// Update last activity time
+$_SESSION['LAST_ACTIVITY'] = time();
+
+// Regenerate session ID periodically (every 30 minutes)
+if (!isset($_SESSION['CREATED'])) {
+ $_SESSION['CREATED'] = time();
+} else if (time() - $_SESSION['CREATED'] > 1800) {
+ // Regenerate session ID and update creation time
+ session_regenerate_id(true);
+ $_SESSION['CREATED'] = time();
+}
diff --git a/app/pages/login.php b/app/pages/login.php
index d90a277..9ceedb2 100644
--- a/app/pages/login.php
+++ b/app/pages/login.php
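Review bot: As shown, the middleware only enforces the inactivity timeout and the 30-minute ID rotation; nothing in the visible lines checks that the session belongs to an authenticated user (for example that `$_SESSION['USER_ID']` is set), so a request with no session at all passes straight through, gets `LAST_ACTIVITY` stamped, and reaches the page index.php is trying to protect. The first lines of the new file (where `$session_timeout`, `$config` and `$app_root` are presumably defined) are missing from the hunk as rendered, so if that check lives there this can be ignored; otherwise a guard such as `if (!isset($_SESSION['USER_ID'])) { header('Location: ' . $app_root . '?page=login'); exit(); }` belongs before the timeout test. On expiry, `session_destroy()` clears the server-side data but the session cookie itself stays in the browser; the usual pattern also expires the `session_name()` cookie with the same options used for the `username` cookie. PSR-12 also spells the branch `} elseif (` rather than `} else if (`.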
@@ -82,6 +82,16 @@ try {
 $gc_maxlifetime = 1440;
 }
 
+ // Configure secure session settings
+ ini_set('session.cookie_httponly', 1);
+ ini_set('session.use_only_cookies', 1);
+ ini_set('session.cookie_secure', isset($_SERVER['HTTPS']) ? 1 : 0);
+ ini_set('session.cookie_samesite', 'Strict');
+ ini_set('session.gc_maxlifetime', $gc_maxlifetime);
+
+ // Regenerate session ID to prevent session fixation
+ session_regenerate_id(true);
+
 // set session lifetime and cookies
 setcookie('username', $username, [
 'expires' => $setcookie_lifetime,
@@ -92,6 +102,14 @@ try {
 'samesite' => 'Strict'
 ]);
 
+ // Set session variables
+ $_SESSION['USER_ID'] = $userObject->getUserId($username)[0]['id'];
+ $_SESSION['USERNAME'] = $username;
+ $_SESSION['LAST_ACTIVITY'] = time();
+ if (isset($formData['remember_me'])) {
+ $_SESSION['REMEMBER_ME'] = true;
+ }
+
 // Log successful login
 $user_id = $userObject->getUserId($username)[0]['id'];
 $logObject->insertLog($user_id, "Login: User \"$username\" logged in. IP: $user_IP", 'user');
diff --git a/public_html/index.php b/public_html/index.php
index 51b99d9..15cf392 100644
--- a/public_html/index.php
+++ b/public_html/index.php
@@ -29,11 +29,9 @@ $security = SecurityHelper::getInstance();
 // Verify CSRF token for POST requests
 verifyCsrfToken();
 
-// Initialize message system
-require_once '../app/classes/messages.php';
-$messages = [];
-
-//include '../app/includes/messages.php';
+// Initialize feedback message system
+require_once '../app/classes/feedback.php';
+$system_messages = [];
 
 require '../app/includes/errors.php';
 
@@ -211,6 +209,14 @@ if ($page == 'logout') {
 }
 }
 
+ // List of pages that don't require authentication
+ $public_pages = ['login', 'register'];
+
+ // Check if the requested page requires authentication
+ if (!in_array($page, $public_pages)) {
+ require_once '../app/includes/session_middleware.php';
+ }
+
 // page building
 include '../app/templates/page-header.php';
 include '../app/templates/page-menu.php';
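Review bot: The `ini_set('session.*', ...)` calls in the first login.php hunk run while the session is already active — `session_regenerate_id(true)` and the `$_SESSION` writes in the next hunk only work on a started session — and since PHP 7.2 changing session ini settings during an active session raises a warning and leaves the setting unchanged, so the httponly/secure/samesite hardening and `gc_maxlifetime` most likely never take effect here. These settings belong before `session_start()`, which is outside this hunk (presumably in index.php or a bootstrap include), either as `ini_set()` calls there or via `session_set_cookie_params([...])`; if `$gc_maxlifetime` is meant to vary per login, it still has to be applied where the session is started, not afterwards. The `isset($_SERVER['HTTPS']) ? 1 : 0` test is also fragile: some SAPIs set `HTTPS` to `'off'`, and a TLS-terminating proxy may not set it at all, so `!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'` is the usual idiom (the same test is used for the `username` cookie here and in session_middleware.php). The enclosing `try` block starts before this hunk.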
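Review bot: In the second login.php hunk `$userObject->getUserId($username)[0]['id']` is now queried twice in a row — once for `$_SESSION['USER_ID']` and again for `$user_id` a few lines later; hoist the lookup so the session and the log line share one result: `$user_id = $userObject->getUserId($username)[0]['id'];` then `$_SESSION['USER_ID'] = $user_id;`, and drop the later assignment. `$_SESSION['REMEMBER_ME']` is set but nothing in this patch reads it, and the inactivity check in session_middleware.php expires the session after `$session_timeout` seconds regardless, so either the middleware should honour the flag or the assignment should carry a comment such as `// consumed by <placeholder: name the reader of REMEMBER_ME>` so the next maintainer knows it is not dead state. The enclosing `try` block starts before this hunk.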
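Review bot: In the second index.php hunk `in_array($page, $public_pages)` uses loose comparison; since `$page` is request-derived, pass the strict flag so the allowlist only matches the exact strings: `if (!in_array($page, $public_pages, true)) {`. Gating everything not in `$public_pages` through `session_middleware.php` is the right deny-by-default shape, so a short comment above the array, `// Allowlist: every page not listed here is routed through session_middleware.php`, would help keep that intent intact when new pages are added. Whether the middleware itself verifies authentication cannot be confirmed from the truncated session_middleware.php hunk, so that should be checked alongside this gate.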