<?php
/*
** Copyright (C) 1995-2021 by the ITools Authors.
** This file is part of ITools - the Internet Tools Library
**
** ITools is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 3 of the License, or
** (at your option) any later version.
**
** ITools is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/* Default values */
define('_IT_SESSION_COOKIE', 'SESSION');
define('_IT_SESSION_COOKIE_EXPIRY', 0);
define('_IT_SESSION_LIFETIME', 3600);
class it_session
{
/* PRIVATE */
var $cookiename; /* Cookie to store session */
var $cookie; /* Session identifier of this session */
var $uid; /* Session user id */
var $domain = ''; /* Session domain (e.g. ".relog.ch") */
var $address = ''; /* Guessed IP address of client */
var $ssl; /* Session using SSL? */
var $lifetime; /* Session life-time in seconds */
var $secret; /* Session secret to generate session ids */
var $now; /* This session start time slot */
var $prev; /* Previous session start time slot */
var $hascookies; /* Do cookies work? Used by has_cookies() */
/* Constructor */
function __construct()
{
$this->cookiename = _IT_SESSION_COOKIE;
$this->lifetime = _IT_SESSION_LIFETIME;
/*
* NOTE: Does not work with dynamic IPs (dialup with low timeout,
* load balanced Proxies and maybe more weird stuff).
* $this->address = $_SERVER['REMOTE_ADDR'] . '/' . $_SERVER['HTTP_X_FORWARDED_FOR'];
*/
$this->ssl = !empty($_SERVER['HTTPS']) && !$GLOBALS['ULTRATRUSTED']; # No SSL cookies for trusted IPs because Chrome does not overwrite SSL cookies with non-SSL ones and thus prevents login to devel after live, reported by David
}
function set_cookiename($cookiename)
{
if ($cookiename)
$this->cookiename = $cookiename;
}
function get_uid()
{
return $this->uid;
}
function set_uid($uid)
{
$this->uid = $uid;
}
function set_domain($domain)
{
$this->domain = $domain;
}
function set_lifetime($lifetime)
{
$this->lifetime = $lifetime;
}
function set_secret($secret)
{
$this->secret = $secret;
}
function init()
{
if (empty($this->secret))
it::fatal('it_session requires secret to be set');
/* Got a cookie? */
if ($this->hascookies = isset($_COOKIE[$this->cookiename]))
$this->cookie = $_COOKIE[$this->cookiename];
else
$this->cookie = '';
#debug("hascookies '$this->hascookies', '$this->cookie', " . $_COOKIE[$this->cookiename]);
$now = time();
/*
* Valid time range is now - 1/2 lifetime to now + 1/2 lifetime
* I.e. session has to be either from start or now
*/
$this->now = $now - ($now % ($this->lifetime / 2));
$this->prev = $this->now - ($this->lifetime / 2);
/* Set user id from valid session */
$this->uid = substr($this->cookie, 1, strlen($this->cookie) - 33);
if (!$this->is_valid())
$this->uid = "";
#debug("it_session::new session=$this->cookie, user=$this->uid");
}
/* INTERNAL: Create session id from session data */
function _mkcookie($uid, $timeslot)
{
return "A" . $uid . md5("$uid,$this->domain,$this->address,$this->secret,$timeslot");
}
/* Check if this session is valid */
function is_valid()
{
$result = true;
if ($this->_mkcookie($this->uid, $this->now) != $this->cookie)
{
/* Check if using id from previous time slot */
if ($this->_mkcookie($this->uid, $this->prev) == $this->cookie)
$this->set_valid(); /* Rejuvenate session */
else
$result = false;
}
return $result;
}
/*
* Validate this session
* @param $valid Should this session be validated or invalidated?
* @param $login_identifier_required Does session validation require login magic?
* @param $login_identifier Session validation magic cookie to be checked
* @return true if successful
*/
function set_valid($valid = true, $login_identifier_required = false, $login_identifier = "")
{
$result = false;
if ($valid && (!$login_identifier_required || ($login_identifier == $this->_mkcookie("", $this->cookie))))
{
$this->cookie = $this->_mkcookie($this->uid, $this->now);
$result = true;
}
else
{
$this->cookie = bin2hex(random_bytes(16)); /* random garbage */
$result = !$valid; /* Setting to invalid succeeded or setting to valid failed */
}
it::setcookie($this->cookiename, $this->cookie, [ 'expires' => _IT_SESSION_COOKIE_EXPIRY, 'path' => "/", 'domain' => $this->domain, 'secure' => $this->ssl, 'httponly' => true, 'samesite' => _IT_USER_COOKIE_SAMESITE ]);
$_COOKIE[$this->cookiename] = $this->cookie;
return $result;
}
function purge()
{
$this->cookie = "";
$_COOKIE[$this->cookiename] = "";
$this->uid = "";
}
/*
* Create a login identifier and set session to login identifier 'secret' value
* Returns a value to be put into the login <form> which has to be passed to
* set_valid() to create a valid session
*/
function create_login_identifier()
{
if (!$this->cookie)
{
$this->cookie = bin2hex(random_bytes(16)); /* random garbage */
it::setcookie($this->cookiename, $this->cookie, [ 'expires' => _IT_SESSION_COOKIE_EXPIRY, 'path' => "/", 'domain' => $this->domain, 'secure' => $this->ssl, 'httponly' => true, 'samesite' => _IT_USER_COOKIE_SAMESITE ]);
}
$login_identifier = $this->_mkcookie("", $this->cookie);
return $login_identifier;
}
/*
* Check if cookies are enabled.
* NOTE: Only works if you used create_login_identifier() on previous page
*/
function has_cookies()
{
return $this->hascookies;
}
/*
* Sign string for current session
* @param $text Text to be signed
* @return Signature for $text
*/
function _sign($text, $timeslot)
{
return "B" . md5("$text,$this->uid,$this->domain,$this->address,$this->secret,$timeslot");
}
/*
* Sign string for current session
* @param $text Text to be signed
* @return Signature for $text
*/
function create_signature($text)
{
return $this->_sign($text, $this->now);
}
/*
* Check signature for string for current session
* @param $text Text which was signed
* @param $signature Signature to be checked
* @return True if signature ok, false otherwise
*/
function check_signature($text, $signature)
{
return (($this->_sign($text, $this->now) == $signature) ||
($this->_sign($text, $this->prev) == $signature));
}
} /* End class it_session */