Implements the new session class
parent
dbdbe1bf49
commit
f77e15bf44
|
|
@ -17,7 +17,7 @@ class Session {
|
|||
* Start or resume a session with secure options
|
||||
*/
|
||||
public static function startSession() {
|
||||
session_name('totalmeet');
|
||||
session_name('jilo');
|
||||
if (session_status() !== PHP_SESSION_ACTIVE && !headers_sent()) {
|
||||
session_start(self::$sessionOptions);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -33,21 +33,23 @@ try {
|
|||
if ($action === 'verify' && isset($_SESSION['2fa_pending_user_id'])) {
|
||||
// Handle 2FA verification
|
||||
$code = $_POST['code'] ?? '';
|
||||
$userId = $_SESSION['2fa_pending_user_id'];
|
||||
$username = $_SESSION['2fa_pending_username'];
|
||||
$rememberMe = isset($_SESSION['2fa_pending_remember']);
|
||||
$pending2FA = Session::get2FAPending();
|
||||
|
||||
if (!$pending2FA) {
|
||||
header('Location: ' . htmlspecialchars($app_root) . '?page=login');
|
||||
exit();
|
||||
}
|
||||
|
||||
require_once '../app/classes/twoFactorAuth.php';
|
||||
$twoFactorAuth = new TwoFactorAuthentication($db);
|
||||
|
||||
if ($twoFactorAuth->verify($userId, $code)) {
|
||||
if ($twoFactorAuth->verify($pending2FA['user_id'], $code)) {
|
||||
// Complete login
|
||||
handleSuccessfulLogin($userId, $username, $rememberMe, $config, $logObject, $user_IP);
|
||||
handleSuccessfulLogin($pending2FA['user_id'], $pending2FA['username'],
|
||||
$pending2FA['remember_me'], $config, $logObject, $user_IP);
|
||||
|
||||
// Clean up 2FA session data
|
||||
unset($_SESSION['2fa_pending_user_id']);
|
||||
unset($_SESSION['2fa_pending_username']);
|
||||
unset($_SESSION['2fa_pending_remember']);
|
||||
Session::clear2FAPending();
|
||||
|
||||
exit();
|
||||
}
|
||||
|
|
@ -232,11 +234,8 @@ try {
|
|||
switch ($loginResult['status']) {
|
||||
case 'requires_2fa':
|
||||
// Store pending 2FA info
|
||||
$_SESSION['2fa_pending_user_id'] = $loginResult['user_id'];
|
||||
$_SESSION['2fa_pending_username'] = $loginResult['username'];
|
||||
if (isset($formData['remember_me'])) {
|
||||
$_SESSION['2fa_pending_remember'] = true;
|
||||
}
|
||||
Session::store2FAPending($loginResult['user_id'], $loginResult['username'],
|
||||
isset($formData['remember_me']));
|
||||
|
||||
// Redirect to 2FA verification
|
||||
header('Location: ?page=login&action=verify');
|
||||
|
|
@ -282,36 +281,8 @@ include '../app/templates/form-login.php';
|
|||
* Handle successful login by setting up session and cookies
|
||||
*/
|
||||
function handleSuccessfulLogin($userId, $username, $rememberMe, $config, $logObject, $userIP) {
|
||||
if ($rememberMe) {
|
||||
// 30*24*60*60 = 30 days
|
||||
$cookie_lifetime = 30 * 24 * 60 * 60;
|
||||
$setcookie_lifetime = time() + 30 * 24 * 60 * 60;
|
||||
} else {
|
||||
// 0 - session end on browser close
|
||||
$cookie_lifetime = 0;
|
||||
$setcookie_lifetime = 0;
|
||||
}
|
||||
|
||||
// Regenerate session ID to prevent session fixation
|
||||
session_regenerate_id(true);
|
||||
|
||||
// set session lifetime and cookies
|
||||
setcookie('username', $username, [
|
||||
'expires' => $setcookie_lifetime,
|
||||
'path' => $config['folder'],
|
||||
'domain' => $config['domain'],
|
||||
'secure' => isset($_SERVER['HTTPS']),
|
||||
'httponly' => true,
|
||||
'samesite' => 'Strict'
|
||||
]);
|
||||
|
||||
// Set session variables
|
||||
$_SESSION['user_id'] = $userId;
|
||||
$_SESSION['USERNAME'] = $username;
|
||||
$_SESSION['LAST_ACTIVITY'] = time();
|
||||
if ($rememberMe) {
|
||||
$_SESSION['REMEMBER_ME'] = true;
|
||||
}
|
||||
// Create authenticated session
|
||||
Session::createAuthSession($userId, $username, $rememberMe, $config);
|
||||
|
||||
// Log successful login
|
||||
$logObject->insertLog($userId, "Login: User \"$username\" logged in. IP: $userIP", 'user');
|
||||
|
|
|
|||
|
|
@ -15,14 +15,18 @@
|
|||
// flush it later only when there is no redirect
|
||||
ob_start();
|
||||
|
||||
// Start session before any session-dependent code
|
||||
require_once '../app/classes/session.php';
|
||||
Session::startSession();
|
||||
|
||||
// Apply security headers
|
||||
require_once '../app/includes/security_headers_middleware.php';
|
||||
|
||||
// sanitize all input vars that may end up in URLs or forms
|
||||
require '../app/includes/sanitize.php';
|
||||
|
||||
session_name('jilo');
|
||||
session_start();
|
||||
// Check session validity
|
||||
$validSession = Session::isValidSession();
|
||||
|
||||
// Initialize feedback message system
|
||||
require_once '../app/classes/feedback.php';
|
||||
|
|
@ -64,6 +68,8 @@ $allowed_urls = [
|
|||
'login',
|
||||
'logout',
|
||||
'register',
|
||||
|
||||
'about',
|
||||
];
|
||||
|
||||
// cnfig file
|
||||
|
|
@ -92,17 +98,26 @@ if ($config_file) {
|
|||
|
||||
$app_root = $config['folder'];
|
||||
|
||||
// check if logged in
|
||||
unset($currentUser);
|
||||
if (isset($_COOKIE['username'])) {
|
||||
if ( !isset($_SESSION['username']) ) {
|
||||
$_SESSION['username'] = $_COOKIE['username'];
|
||||
}
|
||||
$currentUser = htmlspecialchars($_SESSION['username']);
|
||||
// List of pages that don't require authentication
|
||||
$public_pages = ['login', 'register', 'help', 'about'];
|
||||
|
||||
// Check if the requested page requires authentication
|
||||
if (!isset($_COOKIE['username']) && !$validSession && !in_array($page, $public_pages)) {
|
||||
require_once '../app/includes/session_middleware.php';
|
||||
applySessionMiddleware($config, $app_root);
|
||||
}
|
||||
|
||||
// redirect to login
|
||||
if ( !isset($_COOKIE['username']) && ($page !== 'login' && $page !== 'register') ) {
|
||||
// Check session and redirect if needed
|
||||
$currentUser = null;
|
||||
if ($validSession) {
|
||||
$currentUser = Session::getUsername();
|
||||
} else if (isset($_COOKIE['username']) && !in_array($page, $public_pages)) {
|
||||
// Cookie exists but session is invalid - redirect to login
|
||||
Feedback::flash('LOGIN', 'SESSION_TIMEOUT');
|
||||
header('Location: ' . htmlspecialchars($app_root) . '?page=login&timeout=1');
|
||||
exit();
|
||||
} else if (!in_array($page, $public_pages)) {
|
||||
// No valid session or cookie, and not a public page
|
||||
header('Location: ' . htmlspecialchars($app_root) . '?page=login');
|
||||
exit();
|
||||
}
|
||||
|
|
@ -164,11 +179,10 @@ if ($page == 'logout') {
|
|||
$user_id = $userObject->getUserId($currentUser)[0]['id'];
|
||||
|
||||
// clean up session
|
||||
session_unset();
|
||||
session_destroy();
|
||||
Session::destroySession();
|
||||
|
||||
// start new session for the login page
|
||||
session_start();
|
||||
Session::startSession();
|
||||
|
||||
setcookie('username', "", time() - 100, $config['folder'], $config['domain'], isset($_SERVER['HTTPS']), true);
|
||||
|
||||
|
|
@ -186,8 +200,7 @@ if ($page == 'logout') {
|
|||
} else {
|
||||
|
||||
// if user is logged in, we need user details and rights
|
||||
if (isset($currentUser)) {
|
||||
|
||||
if ($validSession) {
|
||||
// If by error a logged in user requests the login page
|
||||
if ($page === 'login') {
|
||||
header('Location: ' . htmlspecialchars($app_root));
|
||||
|
|
@ -211,18 +224,10 @@ if ($page == 'logout') {
|
|||
}
|
||||
}
|
||||
|
||||
// List of pages that don't require authentication
|
||||
$public_pages = ['login', 'register'];
|
||||
|
||||
// Check if the requested page requires authentication
|
||||
if (!in_array($page, $public_pages)) {
|
||||
require_once '../app/includes/session_middleware.php';
|
||||
}
|
||||
|
||||
// page building
|
||||
include '../app/templates/page-header.php';
|
||||
include '../app/templates/page-menu.php';
|
||||
if (isset($currentUser)) {
|
||||
if ($validSession) {
|
||||
include '../app/templates/page-sidebar.php';
|
||||
}
|
||||
if (in_array($page, $allowed_urls)) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue