Merge pull request #3391 from zikula/sessions
correct rememberme function. fixes #3290
craigh committed Jan 17, 2017
2 parents a432d03 + 5de6d7f commit bef03c9
Showing 11 changed files with 62 additions and 462 deletions.
1 change: 1 addition & 0 deletions CHANGELOG-1.4.md
Expand Up @@ -25,6 +25,7 @@ CHANGELOG - ZIKULA 1.4.x
- Fixed wrong join criteria in Groups user api (#3361).
- Fixed wrong data transformation in CategoriesType for non-multiple assignments.
- Added core module metadata resync on all core version upgrades (#3358, 3387).
- Fixed rememberme function on user login (#3290, #3391).

- Core-2.0 Features:
- \Zikula\Bundle\CoreBundle\HttpKernel\ZikulaHttpKernelInterface created and implemented. Use this for typehinting
2 changes: 0 additions & 2 deletions src/app/config/config.yml
Expand Up @@ -25,8 +25,6 @@ framework:
trusted_proxies: ~
session:
name: "%zikula.session.name%"
# handler_id: zikula_core.legacy.session_handler
# storage_id: zikula_core.legacy.session_storage
handler_id: zikula_core.bridge.http_foundation.doctrine_session_handler
storage_id: zikula_core.bridge.http_foundation.zikula_session_storage
cookie_httponly: true
Expand Up @@ -42,19 +42,22 @@ class DoctrineSessionHandler implements \SessionHandlerInterface
private $installed;

/**
* @param SessionStorageInterface $storage
* @param UserSessionRepositoryInterface $userSessionRepository
* @param VariableApi $variableApi
* @param $installed
*/
public function __construct(SessionStorageInterface $storage, UserSessionRepositoryInterface $userSessionRepository, VariableApi $variableApi, $installed)
public function __construct(UserSessionRepositoryInterface $userSessionRepository, VariableApi $variableApi, $installed)
{
$this->storage = $storage;
$this->userSessionRepository = $userSessionRepository;
$this->variableApi = $variableApi;
$this->installed = $installed;
}

public function setStorage(SessionStorageInterface $storage)
{
$this->storage = $storage;
}

/**
* {@inheritdoc}
*/
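Review bot: The new `setStorage()` has no docblock and no return type, unlike the constructor directly above it, yet it is now the only way `$this->storage` is ever set since the constructor parameter was removed. A short docblock such as `/** Injected after construction (see the setStorage call in session.yml) because the storage and this handler reference each other; must be called before any handler method that uses the storage. */` would record the ordering constraint that the service wiring now relies on. Whether any handler method can run before that call is not visible here and worth confirming. The file header for this section is not shown in the rendering, and the class continues outside the hunk.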
51 changes: 36 additions & 15 deletions src/lib/Zikula/Bridge/HttpFoundation/ZikulaSessionStorage.php
Expand Up @@ -11,8 +11,10 @@

namespace Zikula\Bridge\HttpFoundation;

use Symfony\Component\HttpFoundation\Session\Storage\Handler\NativeSessionHandler;
use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;
use Symfony\Component\HttpFoundation\Session\Storage\MetadataBag;
use Symfony\Component\HttpFoundation\Session\Storage\Proxy\AbstractProxy;
use Zikula\ExtensionsModule\Api\VariableApi;

/**
Expand Down Expand Up @@ -40,19 +42,37 @@ class ZikulaSessionStorage extends NativeSessionStorage
const SECURITY_LEVEL_HIGH = 'High';

/**
* @var VariableApi
* @var string
*/
private $variableApi;
private $securityLevel = self::SECURITY_LEVEL_MEDIUM;

/**
* @var int
*/
private $inactiveSeconds = 1200;

/**
* @var int
*/
private $autoLogoutAfterSeconds = 604800;

/**
* @var int
*/
private $cookieLifeTime = 604800;

/**
* @param VariableApi $variableApi
* @param array $options
* @param null $handler
* @param AbstractProxy|NativeSessionHandler|\SessionHandlerInterface|null $handler
* @param MetadataBag $metaBag
*/
public function __construct(VariableApi $variableApi, array $options = [], $handler = null, MetadataBag $metaBag = null)
{
$this->variableApi = $variableApi;
$this->securityLevel = $variableApi->getSystemVar('seclevel', self::SECURITY_LEVEL_MEDIUM);
$this->inactiveSeconds = $variableApi->getSystemVar('secinactivemins', 20) * 60;
$this->autoLogoutAfterSeconds = $variableApi->getSystemVar('secmeddays', 7) * 24 * 60 * 60;

parent::__construct($options, $handler, $metaBag);
}

Expand All @@ -64,24 +84,25 @@ public function start()
if (parent::start()) {
// check if session has expired or not
$now = time();
$inactive = ($now - (int)($this->variableApi->getSystemVar('secinactivemins', 20) * 60));
$daysold = ($now - (int)($this->variableApi->getSystemVar('secmeddays', 7) * 86400));
$lastused = $this->getMetadataBag()->getLastUsed();
$rememberme = $this->getBag('attributes')->get('rememberme');
$uid = $this->getBag('attributes')->get('uid');

switch ($this->variableApi->getSystemVar('seclevel')) {
$inactiveTime = $now - $this->inactiveSeconds;
$daysOldTime = $now - $this->autoLogoutAfterSeconds;
$cookieLastUsed = $this->getMetadataBag()->getLastUsed();
$cookieExpired = $cookieLastUsed < $inactiveTime;
$cookieAgedOut = $cookieLastUsed < $daysOldTime;
$rememberMe = $this->getBag('attributes')->get('rememberme');
$uid = $this->getBag('attributes')->get('uid', 0); // @todo default to anonymous uid?
switch ($this->securityLevel) {
case self::SECURITY_LEVEL_LOW:
break;
case self::SECURITY_LEVEL_MEDIUM:
if ((!$rememberme && $lastused < $inactive) || ($lastused < $daysold) || ($uid == '0' && $lastused < $inactive)) {
parent::regenerate(true);
if ((!$rememberMe && $cookieExpired) || ($cookieAgedOut) || ($uid == 0 && $cookieExpired)) {
parent::regenerate(true, 2 * 365 * 24 * 60 * 60); // two years
}
break;
case self::SECURITY_LEVEL_HIGH:
default:
if ($lastused < $inactive) {
parent::regenerate(true);
if ($cookieExpired) {
parent::regenerate(true, $this->cookieLifeTime);
}
break;
}
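Review bot: The MEDIUM branch at `parent::regenerate(true, 2 * 365 * 24 * 60 * 60); // two years` hard-codes a two-year cookie lifetime for the regenerated session while the HIGH branch passes `$this->cookieLifeTime`, and `$cookieLifeTime` itself is fixed at 604800 rather than derived from `secmeddays` the way `$autoLogoutAfterSeconds` is. In the Symfony versions I know, NativeSessionStorage::regenerate() applies that second argument via ini_set('session.cookie_lifetime'), so a medium-security site would issue two-year session cookies each time an inactive session is replaced, whether or not `rememberme` was set; if that is intended it deserves a comment naming the reason, otherwise `parent::regenerate(true, $this->cookieLifeTime);` keeps the two levels consistent. The constructor also drops the `(int)` casts the old code applied to `secinactivemins` and `secmeddays`; if those system vars can come back as non-numeric strings, the multiplication now produces a warning or TypeError instead of 0, and `(int) $variableApi->getSystemVar('secinactivemins', 20) * 60` would preserve the old tolerance. `start()` begins before this hunk and continues after it.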
23 changes: 2 additions & 21 deletions src/lib/Zikula/Bundle/CoreBundle/Resources/config/session.yml
@@ -1,32 +1,13 @@
parameters:
# session.storage.legacy.class: Zikula_Session_Storage_Legacy
# session.handler.legacy.class: Zikula_Session_LegacyHandler

services:
# zikula_core.legacy.session_storage:
# class: Zikula_Session_Storage_Legacy
# public: false
# arguments: ["@zikula_extensions_module.api.variable", "%session.storage.options%", "@=null", "@=null"]
# calls:
# - [setSaveHandler, ["@zikula_core.legacy.session_handler"]]
#
# zikula_core.legacy.session_handler:
# class: Zikula_Session_LegacyHandler
# public: false
# arguments: ["%installed%"]
# calls:
# - [setStorage, ["@zikula_core.legacy.session_storage"]]
# - [setConnection, ["@doctrine.dbal.default_connection"]]
# - [setVariableApi, ["@zikula_extensions_module.api.variable"]]

zikula_core.bridge.http_foundation.doctrine_session_handler:
class: Zikula\Bridge\HttpFoundation\DoctrineSessionHandler
public: false
arguments:
- "@zikula_core.bridge.http_foundation.zikula_session_storage"
- "@zikula_users_module.user_session_repository"
- "@zikula_extensions_module.api.variable"
- "%installed%"
calls:
- [setStorage, ["@zikula_core.bridge.http_foundation.zikula_session_storage"]]


zikula_core.bridge.http_foundation.zikula_session_storage:
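Review bot: The `- [setStorage, ["@zikula_core.bridge.http_foundation.zikula_session_storage"]]` call added under `calls:` turns the handler's storage into a post-construction dependency, so the handler exists with no storage between construction and that call. Nothing in this section shows why the constructor argument could not stay; presumably the storage service, whose definition is cut off below, takes this handler as its own constructor argument, which would make the setter the only way to break the cycle, but that should be confirmed. A one-line comment above `calls:` such as `# storage is setter-injected to break the handler <-> storage construction cycle` would spare the next reader the same question. The zikula_session_storage definition continues outside the hunk.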
Expand Up @@ -17,11 +17,12 @@ services:
# remove in Core-2.0 and use native session
session:
class: Zikula_Session
arguments:
- "@session.storage"
- "@session.attribute_bag"
- "@session.flash_bag"

# @todo check if this is required in Core-2.0 (may be the default - or may default to AttributeBag)
session.attribute_bag:
# default class is Symfony\Component\HttpFoundation\Session\Attribute\AttributeBag
class: Symfony\Component\HttpFoundation\Session\Attribute\NamespacedAttributeBag

# @todo check if this is required in Core-2.0 (may be the default)
session.flashbag:
class: Symfony\Component\HttpFoundation\Session\Flash\FlashBag
public: false
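Review bot: The new argument list wires `- "@session.flash_bag"` into `Zikula_Session`, but the service this same file defines a few lines below is spelled `session.flashbag`. If the intended dependency is the one defined here, the reference and the id disagree; if `session.flash_bag` is meant to be the framework's own flash bag service, as I would expect, then the `session.flashbag` definition is dead and the `@todo` above it could say so. The file name for this section is not visible in the rendering, and the `services:` block continues outside the hunk.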
212 changes: 0 additions & 212 deletions src/lib/legacy/Zikula/Session/LegacyHandler.php

This file was deleted.
