From eceb7756cfcf117c2a18984291181a84697ed3cd Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Sun, 10 Aug 2014 20:29:43 +0200 Subject: Add possibility to keep logged in with form Add an option to keep logged in. Change lifetime of session cookie to 1 year. See https://github.com/marienfressinaud/FreshRSS/issues/465 --- lib/Minz/Session.php | 35 ++++++++++++++++++++++++++++++----- 1 file changed, 30 insertions(+), 5 deletions(-) (limited to 'lib/Minz/Session.php') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index ddabc4658..c859be2ed 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -15,13 +15,15 @@ class Minz_Session { * Le nom de session est utilisé comme nom pour les cookies et les URLs (i.e. PHPSESSID). * Il ne doit contenir que des caractères alphanumériques ; il doit être court et descriptif */ - public static function init ($name) { + public static function init($name) { + $cookie = session_get_cookie_params(); + self::keepCookie($cookie['lifetime']); + // démarre la session - session_name ($name); - session_set_cookie_params (0, dirname(empty($_SERVER['REQUEST_URI']) ? '/' : dirname($_SERVER['REQUEST_URI'])), null, false, true); - session_start (); + session_name($name); + session_start(); - if (isset ($_SESSION)) { + if (isset($_SESSION)) { self::$session = $_SESSION; } } @@ -68,4 +70,27 @@ class Minz_Session { Minz_Translate::reset (); } } + + + /** + * Spécifie la durée de vie des cookies + * @param $l la durée de vie + */ + public static function keepCookie($l) { + $cookie_dir = dirname( + empty($_SERVER['SCRIPT_NAME']) ? '' : $_SERVER['SCRIPT_NAME'] + ) . '/'; + session_set_cookie_params($l, $cookie_dir, $_SERVER['HTTP_HOST'], + false, true); + } + + + /** + * Régénère un id de session. + * Utile pour appeler session_set_cookie_params après session_start() + */ + public static function regenerateID() { + session_regenerate_id(true); + } + } -- cgit v1.2.3 
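Review bot: In the new `keepCookie()` the cookie Domain is taken from `$_SERVER['HTTP_HOST']`, a client-supplied header that may carry a `:port` suffix, so a forged or port-qualified Host produces a Domain attribute the browser rejects, and an explicit domain also makes the session cookie valid for every subdomain of the host rather than the host alone. PHP's default, an empty domain string, yields a host-only cookie, which is the stricter scope: `session_set_cookie_params($l, $cookie_dir, '', false, true);`. The fourth argument hard-codes `secure` to false as well, so on an HTTPS deployment the session id is still allowed over clear HTTP; deriving that flag from the request scheme would close it. `init()` calls `keepCookie()` before `session_start()`, which is correct, but `regenerateID()` is needed by any caller that changes the lifetime after the session is open, as its comment says.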
From df47217839ccddb8e03015959c61b61e748d9700 Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Sun, 10 Aug 2014 23:41:36 +0200 Subject: Set session.gc_maxlifetime Take the maxvalue between 1440 (24m) and cookie lifetime when calling Minz_Session::keepCookie() See https://github.com/marienfressinaud/FreshRSS/issues/465 --- lib/Minz/Session.php | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lib/Minz/Session.php') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index c859be2ed..fb3c5d74b 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -82,6 +82,9 @@ class Minz_Session { ) . '/'; session_set_cookie_params($l, $cookie_dir, $_SERVER['HTTP_HOST'], false, true); + + $l_session = max(1440, $l); + ini_set('session.gc_maxlifetime', $l_session); } -- cgit v1.2.3 From bc71a577fe3154080df9949b394c7ae552773c7b Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Mon, 11 Aug 2014 18:39:22 +0200 Subject: Revert "Set session.gc_maxlifetime" This reverts commit df47217839ccddb8e03015959c61b61e748d9700. See https://github.com/marienfressinaud/FreshRSS/issues/465 --- lib/Minz/Session.php | 3 --- 1 file changed, 3 deletions(-) (limited to 'lib/Minz/Session.php') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index fb3c5d74b..c859be2ed 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -82,9 +82,6 @@ class Minz_Session { ) . '/'; session_set_cookie_params($l, $cookie_dir, $_SERVER['HTTP_HOST'], false, true); - - $l_session = max(1440, $l); - ini_set('session.gc_maxlifetime', $l_session); } -- cgit v1.2.3 From ed7d8aa44fe5a005380056b7d164fc53079506fb Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Tue, 12 Aug 2014 21:04:39 +0200 Subject: Use REQUEST_URI instead of SCRIPT_NAME for cookies See https://github.com/marienfressinaud/FreshRSS/commit/eceb7756cfcf117c2a18984291181a84697ed3cd#commitcomment-7345438 --- lib/Minz/Session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/Minz/Session.php') 
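Review bot: `ini_set('session.gc_maxlifetime', $l_session)` only changes the value for the current request, while the garbage collector it governs deletes every session file under the shared `session.save_path`; any other request that starts a session with the default 1440 seconds — another user of this instance, or another PHP application on the same host if the save path is shared — can therefore still purge a session this request just extended to the cookie lifetime. It also has no effect when `keepCookie()` is called after `session_start()`, which is the case in the login action, because GC for that request has already run. A dedicated `session.save_path` for the application, or an application-level last-activity check stored in the session, is the dependable way to outlive the default; the `max(1440, $l)` clamp itself is fine.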
diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index c859be2ed..efc8332e5 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -78,7 +78,7 @@ class Minz_Session { */ public static function keepCookie($l) { $cookie_dir = dirname( - empty($_SERVER['SCRIPT_NAME']) ? '' : $_SERVER['SCRIPT_NAME'] + empty($_SERVER['REQUEST_URI']) ? '' : $_SERVER['REQUEST_URI'] ) . '/'; session_set_cookie_params($l, $cookie_dir, $_SERVER['HTTP_HOST'], false, true); -- cgit v1.2.3 From 08a9009c19b2ae84555340622c344a2da38ae019 Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Tue, 12 Aug 2014 21:09:13 +0200 Subject: Fix a Minz_Session TODO Not use additional variable to manipulate session variables Fix coding style --- lib/Minz/Session.php | 32 ++++++++++---------------------- 1 file changed, 10 insertions(+), 22 deletions(-) (limited to 'lib/Minz/Session.php') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index efc8332e5..906acc03c 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -2,17 +2,11 @@ /** * La classe Session gère la session utilisateur - * C'est un singleton */ class Minz_Session { - /** - * $session stocke les variables de session - */ - private static $session = array (); //TODO: Try to avoid having another local copy - /** * Initialise la session, avec un nom - * Le nom de session est utilisé comme nom pour les cookies et les URLs (i.e. PHPSESSID). + * Le nom de session est utilisé comme nom pour les cookies et les URLs(i.e. PHPSESSID). * Il ne doit contenir que des caractères alphanumériques ; il doit être court et descriptif */ public static function init($name) { @@ -22,10 +16,6 @@ class Minz_Session { // démarre la session session_name($name); session_start(); - - if (isset($_SESSION)) { - self::$session = $_SESSION; - } } 
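Review bot: `$_SERVER['REQUEST_URI']` includes the query string, so `dirname()` on a request such as `/p/index.php?url=http://host/x` yields `/p/index.php?url=http://host` and that becomes the session cookie's Path; the browser then never sends the cookie back on ordinary requests and the user is silently logged out. `SCRIPT_NAME` did not have this problem; if `REQUEST_URI` is wanted for rewritten URLs, strip the query first: `dirname(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH)) . '/'`. Note also that a directory request like `/p/i/` now gives `/p/` (the trailing component is dropped), widening the cookie's scope by one level compared with the script-based path.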
@@ -34,8 +24,8 @@ class Minz_Session { * @param $p le paramètre à récupérer * @return la valeur de la variable de session, false si n'existe pas */ - public static function param ($p, $default = false) { - return isset(self::$session[$p]) ? self::$session[$p] : $default; + public static function param($p, $default = false) { + return isset($_SESSION[$p]) ? $_SESSION[$p] : $default; } @@ -44,13 +34,11 @@ class Minz_Session { * @param $p le paramètre à créer ou modifier * @param $v la valeur à attribuer, false pour supprimer */ - public static function _param ($p, $v = false) { + public static function _param($p, $v = false) { if ($v === false) { - unset ($_SESSION[$p]); - unset (self::$session[$p]); + unset($_SESSION[$p]); } else { $_SESSION[$p] = $v; - self::$session[$p] = $v; } } @@ -59,15 +47,15 @@ class Minz_Session { * Permet d'effacer une session * @param $force si à false, n'efface pas le paramètre de langue */ - public static function unset_session ($force = false) { - $language = self::param ('language'); + public static function unset_session($force = false) { + $language = self::param('language'); session_destroy(); - self::$session = array (); + $_SESSION = array(); if (!$force) { - self::_param ('language', $language); - Minz_Translate::reset (); + self::_param('language', $language); + Minz_Translate::reset(); } } -- cgit v1.2.3 From ee1b8f6f72e8c2cbd3e0ad7b4322a4bb6863c028 Mon Sep 17 00:00:00 2001 
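Review bot: `unset_session()` still calls `session_destroy()` without regenerating the id or expiring the session cookie, so after logout the browser keeps presenting the old id and, with `session.use_strict_mode` off (the PHP default), the next `session_start()` recreates a session under that same id — a fixation window for anyone who learned the id before logout, e.g. on a shared machine. Calling `session_regenerate_id(true)` before `session_destroy()`, or clearing the cookie via `$p = session_get_cookie_params(); setcookie(session_name(), '', 1, $p['path'], $p['domain'], $p['secure'], $p['httponly']);`, closes it. The `language` value written through `_param()` after `session_destroy()` is not persisted either, since no session is open at that point; it only survives for the rest of this request. If a caller regenerates the id on the next login this is moot, but nothing in this hunk does.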
From: Alexandre Alapetite Date: Wed, 13 Aug 2014 00:09:48 +0200 Subject: Long term cookie to keep session open Token system https://github.com/marienfressinaud/FreshRSS/issues/465 --- app/Controllers/indexController.php | 41 +++++++++++++++++++++++++++++-------- app/FreshRSS.php | 28 ++++++++++++++++++++++--- data/tokens/.gitignore | 1 + data/tokens/index.html | 13 ++++++++++++ lib/Minz/Session.php | 19 ++++++++++++----- 5 files changed, 86 insertions(+), 16 deletions(-) create mode 100644 data/tokens/.gitignore create mode 100644 data/tokens/index.html (limited to 'lib/Minz/Session.php') diff --git a/app/Controllers/indexController.php b/app/Controllers/indexController.php index b907c8eed..dd5b91e47 100755 --- a/app/Controllers/indexController.php +++ b/app/Controllers/indexController.php 
@@ -295,10 +295,39 @@ class FreshRSS_index_Controller extends Minz_ActionController { Minz_Session::_param('passwordHash'); } + private static function makeLongTermCookie($username, $passwordHash) { + do { + $token = sha1(Minz_Configuration::salt() . $username . uniqid(mt_rand(), true)); + $tokenFile = DATA_PATH . '/tokens/' . $token . '.txt'; + } while (file_exists($tokenFile)); + if (@file_put_contents($tokenFile, $username . "\t" . $passwordHash) === false) { + return false; + } + $expire = time() + 2629744; //1 month //TODO: Use a configuration instead + Minz_Session::setLongTermCookie('FreshRSS_login', $token, $expire); + Minz_Session::_param('token', $token); + return $token; + } + + private static function deleteLongTermCookie() { + Minz_Session::deleteLongTermCookie('FreshRSS_login'); + $token = Minz_Session::param('token', null); + if (ctype_alnum($token)) { + @unlink(DATA_PATH . '/tokens/' . $token . '.txt'); + } + Minz_Session::_param('token'); + if (rand(0, 10) === 1) { + self::purgeTokens(); + } + } + + private static function purgeTokens() { + //TODO: Delete old token files + } + public function formLoginAction () { if (Minz_Request::isPost()) { $ok = false; - $keep_logged_in = Minz_Request::param('keep_logged_in', false); $nonce = Minz_Session::param('nonce'); $username = Minz_Request::param('username', ''); $c = Minz_Request::param('challenge', ''); @@ -313,10 +342,8 @@ class FreshRSS_index_Controller extends Minz_ActionController { if ($ok) { Minz_Session::_param('currentUser', $username); Minz_Session::_param('passwordHash', $s); - if ($keep_logged_in) { - // New cookie with a lifetime of 1 month. - Minz_Session::keepCookie(2592000); - Minz_Session::regenerateID(); + if (Minz_Request::param('keep_logged_in', false)) { + self::makeLongTermCookie($username, $s); } } else { Minz_Log::record('Password mismatch for user ' . $username . ', nonce=' . $nonce . ', c=' . $c, Minz_Log::WARNING); 
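Review bot: `deleteLongTermCookie()` unlinks only the token file named by the `token` session parameter, but a session that was itself created from the cookie (`getCredentialsFromLongTermCookie()` in `FreshRSS.php` never stores the token in the session) has no such parameter, so logging out in that case clears the browser cookie while the server-side token stays valid for the rest of the month and a copied cookie value keeps working; fall back to the request cookie: `$token = Minz_Session::param('token', Minz_Session::getLongTermCookie('FreshRSS_login'));`. The token in `makeLongTermCookie()` is seeded from `uniqid(mt_rand(), true)`, which is not a cryptographic source even after `sha1()`; feed it `bin2hex(openssl_random_pseudo_bytes(20))` (or `random_bytes()` where available) instead. `purgeTokens()` is an empty TODO, so expired files accumulate until a logout happens to reach it, and even then nothing is deleted.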
@@ -377,9 +404,7 @@ class FreshRSS_index_Controller extends Minz_ActionController { Minz_Session::_param('currentUser'); Minz_Session::_param('mail'); Minz_Session::_param('passwordHash'); - Minz_Session::keepCookie(0); - Minz_Session::regenerateID(); - + self::deleteLongTermCookie(); Minz_Request::forward(array('c' => 'index', 'a' => 'index'), true); } } diff --git a/app/FreshRSS.php b/app/FreshRSS.php index 7c333b090..30f711e20 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -20,13 +20,35 @@ class FreshRSS extends Minz_FrontController { $this->loadNotifications(); } + private static function getCredentialsFromLongTermCookie() { + $token = Minz_Session::getLongTermCookie('FreshRSS_login'); + if (!ctype_alnum($token)) { + return array(); + } + $tokenFile = DATA_PATH . '/tokens/' . $token . '.txt'; + $mtime = @filemtime($tokenFile); + if ($mtime + 2629744 < time()) { //1 month //TODO: Use a configuration instead + @unlink($tokenFile); + return array(); //Expired or token does not exist + } + $credentials = @file_get_contents($tokenFile); + return $credentials === false ? array() : explode("\t", $credentials, 2); + } + private function accessControl($currentUser) { if ($currentUser == '') { switch (Minz_Configuration::authType()) { case 'form': - $currentUser = Minz_Configuration::defaultUser(); - Minz_Session::_param('passwordHash'); - $loginOk = false; + $credentials = self::getCredentialsFromLongTermCookie(); + if (isset($credentials[1])) { + $currentUser = trim($credentials[0]); + Minz_Session::_param('passwordHash', trim($credentials[1])); + } + $loginOk = $currentUser != ''; + if (!$loginOk) { + $currentUser = Minz_Configuration::defaultUser(); + Minz_Session::_param('passwordHash'); + } break; case 'http_auth': $currentUser = httpAuthUser(); diff --git a/data/tokens/.gitignore b/data/tokens/.gitignore new file mode 100644 index 000000000..2211df63d --- /dev/null +++ b/data/tokens/.gitignore @@ -0,0 +1 @@ +*.txt 
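Review bot: `getCredentialsFromLongTermCookie()` turns the cookie into a plain bearer credential whose secret is the file name under `data/tokens/`, and the file body carries the user's password hash; anyone able to read that directory (backup, exposed web root, another local account) obtains both a working login cookie value and the hash of every remembered user for up to a month. Storing the file under `sha1($token)` rather than `$token` (in `makeLongTermCookie()` and the lookup here) and writing it with `chmod($tokenFile, 0600)` removes the first exposure without changing the cookie format. The username and hash read from the file are accepted as-is inside the hunk; unless the remainder of `accessControl()`, which continues past this hunk, compares `passwordHash` with the user's current hash, a password change or account removal does not revoke these tokens. The `@filemtime()` false return is handled correctly by the expiry comparison, so a missing file is rejected.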
diff --git a/data/tokens/index.html b/data/tokens/index.html new file mode 100644 index 000000000..85faaa37e --- /dev/null +++ b/data/tokens/index.html @@ -0,0 +1,13 @@ + + + + + +Redirection + + + + +

Redirection

+ + diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index 906acc03c..af4de75bb 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -65,11 +65,8 @@ class Minz_Session { * @param $l la durée de vie */ public static function keepCookie($l) { - $cookie_dir = dirname( - empty($_SERVER['REQUEST_URI']) ? '' : $_SERVER['REQUEST_URI'] - ) . '/'; - session_set_cookie_params($l, $cookie_dir, $_SERVER['HTTP_HOST'], - false, true); + $cookie_dir = empty($_SERVER['REQUEST_URI']) ? '' : $_SERVER['REQUEST_URI']; + session_set_cookie_params($l, $cookie_dir, '', false, true); } @@ -81,4 +78,16 @@ class Minz_Session { session_regenerate_id(true); } + public static function deleteLongTermCookie($name) { + setcookie($name, '', 1, '', '', false, true); + } + + public static function setLongTermCookie($name, $value, $expire) { + setcookie($name, $value, $expire, '', '', false, true); + } + + public static function getLongTermCookie($name) { + return isset($_COOKIE[$name]) ? $_COOKIE[$name] : null; + } + } -- cgit v1.2.3 From addcea9cd45a87f2ae56f879bad86425efc16fba Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Tue, 6 Jan 2015 21:10:51 +0100 Subject: Fix i18n loading and availableLanguages calls - Change the way to init i18n - Add a availableLanguages() method to Minz_Translate See https://github.com/FreshRSS/FreshRSS/issues/730 --- app/FreshRSS.php | 18 ++++++++++++++---- app/views/configure/display.phtml | 2 +- app/views/user/manage.phtml | 2 +- lib/Minz/Session.php | 2 +- lib/Minz/Translate.php | 31 +++++++++++++++++++++++-------- 5 files changed, 40 insertions(+), 15 deletions(-) (limited to 'lib/Minz/Session.php') diff --git a/app/FreshRSS.php b/app/FreshRSS.php index a53174394..7b5df7ced 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php 
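Review bot: `keepCookie()` now passes `$_SERVER['REQUEST_URI']` unmodified as the cookie Path, so for a request to `/p/index.php?c=auth&a=login` the session cookie is scoped to that exact file-plus-query-string and is not returned on `/p/` or any other action; the `dirname()` and the `'/'` suffix were dropped together. Keep the directory only and without the query: `$cookie_dir = dirname(parse_url(empty($_SERVER['REQUEST_URI']) ? '/' : $_SERVER['REQUEST_URI'], PHP_URL_PATH)) . '/';`. The new `setLongTermCookie()`/`deleteLongTermCookie()` pass an empty path, which PHP resolves to the current script's directory and which can differ from the session cookie's path under URL rewriting, and both hard-code `secure` to false; giving them the same computed path and a scheme-derived secure flag keeps the two cookies aligned.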
@@ -31,15 +31,25 @@ class FreshRSS extends Minz_FrontController { // Load context and configuration. FreshRSS_Context::init(); - // Init i18n. - Minz_Session::_param('language', FreshRSS_Context::$user_conf->language); - Minz_Translate::init(); - + $this->initI18n(); $this->loadStylesAndScripts(); $this->loadNotifications(); $this->loadExtensions(); } + private function initI18n() { + $lang = Minz_Session::param('language'); + if ($lang === false) { + Minz_Session::_param('language', FreshRSS_Context::$user_conf->language); + $lang = FreshRSS_Context::$user_conf->language; + } + + Minz_Translate::init(array( + 'en' => 'English', + 'fr' => 'Français', + ), $lang); + } + private function loadStylesAndScripts() { $theme = FreshRSS_Themes::load(FreshRSS_Context::$user_conf->theme); if ($theme) { diff --git a/app/views/configure/display.phtml b/app/views/configure/display.phtml index b68bf925b..36a075ea7 100644 --- a/app/views/configure/display.phtml +++ b/app/views/configure/display.phtml @@ -10,7 +10,7 @@
- availableLanguages(); ?> + $lib) { ?> diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index af4de75bb..cfe8debe9 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -55,7 +55,7 @@ class Minz_Session { if (!$force) { self::_param('language', $language); - Minz_Translate::reset(); + Minz_Translate::reset($language); } } diff --git a/lib/Minz/Translate.php b/lib/Minz/Translate.php index 39200e81f..1b4102ca9 100644 --- a/lib/Minz/Translate.php +++ b/lib/Minz/Translate.php @@ -9,6 +9,11 @@ * It uses files in `./app/i18n/` */ class Minz_Translate { + /** + * $lang_list is the list of available languages. + */ + private static $lang_list = array(); + /** * $lang_name is the name of the current language to use. */ @@ -25,20 +30,30 @@ class Minz_Translate { private static $translates = array(); /** - * Load $lang_name and $lang_path based on configuration and selected language. + * Init the translation object. + * @param $lang_list the list of available languages. + * @param $lang_name the lang to show. */ - public static function init() { - $conf = Minz_Configuration::get('system'); - $l = $conf->language; - self::$lang_name = Minz_Session::param('language', $l); + public static function init($lang_list, $lang_name) { + self::$lang_list = $lang_list; + self::$lang_name = $lang_name; self::$lang_path = APP_PATH . '/i18n/' . self::$lang_name . '/'; } /** - * Alias for init(). + * Reset the translation object with a new language. + * @param $lang_name the new language to use + */ + public static function reset($lang_name) { + self::init(self::$lang_list, $lang_name); + } + + /** + * Return the list of available languages. + * @return an array. */ - public static function reset() { - self::init(); + public static function availableLanguages() { + return self::$lang_list; } /** -- cgit v1.2.3 From eec95ffb6a414f00f0ddd6cb1f81ac7ee55d4f6b Mon Sep 17 00:00:00 2001 
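Review bot: `init()` records `$lang_list` but never checks that `$lang_name` is one of its keys before building `self::$lang_path = APP_PATH . '/i18n/' . $lang_name . '/'`, so whatever value reaches it through the `language` session parameter ends up in a filesystem path; if that value can be influenced by a request (the display form in this commit submits a language, though its handler is outside the hunk), a `..` segment would point translation loading at an unintended directory. A fallback to a known language at this single entry point closes it: `if (!isset($lang_list[$lang_name])) { $lang_name = key($lang_list); }`, and `reset()` inherits the check since it delegates to `init()`. `availableLanguages()` already exposes the list, so callers can validate before storing the value in the session as well.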
From: Marien Fressinaud Date: Wed, 21 Jan 2015 15:43:25 +0100 Subject: Fix bug related to cookie path Fix https://github.com/FreshRSS/FreshRSS/issues/700 --- lib/Minz/Session.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'lib/Minz/Session.php') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index cfe8debe9..4c0c37e54 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -65,7 +65,9 @@ class Minz_Session { * @param $l la durée de vie */ public static function keepCookie($l) { - $cookie_dir = empty($_SERVER['REQUEST_URI']) ? '' : $_SERVER['REQUEST_URI']; + // Get the script_name (e.g. /p/i/index.php) and remove index.php + $cookie_dir = empty($_SERVER['SCRIPT_NAME']) ? '' : $_SERVER['SCRIPT_NAME']; + $cookie_dir = substr($cookie_dir, 0, -strlen(basename($cookie_dir))); session_set_cookie_params($l, $cookie_dir, '', false, true); } -- cgit v1.2.3 From 22d7e0d638b91063741fe82fe77822b1d7d5be1d Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Wed, 21 Jan 2015 16:28:29 +0100 Subject: Simplify code for cookie dir See https://github.com/FreshRSS/FreshRSS/issues/700 See https://github.com/FreshRSS/FreshRSS/commit/eec95ffb6a414f00f0ddd6cb1f81ac7ee55d4f6b --- lib/Minz/Session.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/Minz/Session.php') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index 4c0c37e54..058685ada 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -65,9 +65,9 @@ class Minz_Session { * @param $l la durée de vie */ public static function keepCookie($l) { - // Get the script_name (e.g. /p/i/index.php) and remove index.php + // Get the script_name (e.g. /p/i/index.php) and keep only the path. $cookie_dir = empty($_SERVER['SCRIPT_NAME']) ? '' : $_SERVER['SCRIPT_NAME']; - $cookie_dir = substr($cookie_dir, 0, -strlen(basename($cookie_dir))); + $cookie_dir = dirname($cookie_dir); session_set_cookie_params($l, $cookie_dir, '', false, true); } -- cgit v1.2.3 
From f7190c34e1a1ea36bbc81a7dea8dcb7a39cea7cf Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Thu, 30 Jul 2015 23:42:28 +0200 Subject: Minz session cookie path bug https://github.com/FreshRSS/FreshRSS/issues/924#issuecomment-126499403 --- lib/Minz/Session.php | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'lib/Minz/Session.php') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index 058685ada..14a093bf7 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -65,10 +65,9 @@ class Minz_Session { * @param $l la durée de vie */ public static function keepCookie($l) { - // Get the script_name (e.g. /p/i/index.php) and keep only the path. - $cookie_dir = empty($_SERVER['SCRIPT_NAME']) ? '' : $_SERVER['SCRIPT_NAME']; - $cookie_dir = dirname($cookie_dir); - session_set_cookie_params($l, $cookie_dir, '', false, true); + // Get the script_name (e.g. /p/i/index.php) and keep only the path. + $cookie_dir = dirname(empty($_SERVER['REQUEST_URI']) ? '/' : dirname($_SERVER['REQUEST_URI'])); + session_set_cookie_params($l, $cookie_dir, '', false, false); } -- cgit v1.2.3 From 59daed3d4eca6bf6260a8dc422c54f470895ac63 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Fri, 31 Jul 2015 00:12:55 +0200 Subject: Minz slight change in session cookie path https://github.com/FreshRSS/FreshRSS/issues/924#issuecomment-126499403 --- lib/Minz/Session.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'lib/Minz/Session.php') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index 14a093bf7..705aae2ec 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php 
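Review bot: This hunk flips the last argument of `session_set_cookie_params()` from `true` to `false`, removing `HttpOnly` from the session cookie although the commit is about the path bug; with it gone, any script injection in the page — a real concern for an application that renders third-party feed HTML — can read the session id through `document.cookie`. Restore it: `session_set_cookie_params($l, $cookie_dir, '', false, true);`. The new path expression `dirname(dirname(REQUEST_URI))` also strips one directory more than the previous `SCRIPT_NAME`-based version (`/p/i/index.php` becomes `/p`), so the cookie's scope is widened rather than fixed.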
@@ -66,7 +66,10 @@ class Minz_Session { */ public static function keepCookie($l) { // Get the script_name (e.g. /p/i/index.php) and keep only the path. - $cookie_dir = dirname(empty($_SERVER['REQUEST_URI']) ? '/' : dirname($_SERVER['REQUEST_URI'])); + $cookie_dir = empty($_SERVER['REQUEST_URI']) ? '/' : $_SERVER['REQUEST_URI']; + if (substr($cookie_dir, -1) !== '/') { + $cookie_dir = dirname($cookie_dir) . '/'; + } session_set_cookie_params($l, $cookie_dir, '', false, false); } -- cgit v1.2.3 From 760ec5f223c4a18c8e8c8f3ecdf6b7140aa70611 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Fri, 31 Jul 2015 00:17:32 +0200 Subject: Whitespace --- lib/Minz/Session.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'lib/Minz/Session.php') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index 705aae2ec..de671f173 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -65,12 +65,12 @@ class Minz_Session { * @param $l la durée de vie */ public static function keepCookie($l) { - // Get the script_name (e.g. /p/i/index.php) and keep only the path. - $cookie_dir = empty($_SERVER['REQUEST_URI']) ? '/' : $_SERVER['REQUEST_URI']; - if (substr($cookie_dir, -1) !== '/') { - $cookie_dir = dirname($cookie_dir) . '/'; - } - session_set_cookie_params($l, $cookie_dir, '', false, false); + // Get the script_name (e.g. /p/i/index.php) and keep only the path. + $cookie_dir = empty($_SERVER['REQUEST_URI']) ? '/' : $_SERVER['REQUEST_URI']; + if (substr($cookie_dir, -1) !== '/') { + $cookie_dir = dirname($cookie_dir) . '/'; + } + session_set_cookie_params($l, $cookie_dir, '', false, false); } -- cgit v1.2.3 From 189e790f32d4e389cf1dc6da669a579717fff436 Mon Sep 17 00:00:00 2001 
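Review bot: The `substr($cookie_dir, -1) !== '/'` test inspects the raw `REQUEST_URI`, query string included, so a URL whose query ends in `/` (e.g. `/p/i/?url=http://host/`) is taken verbatim as the cookie Path, and one whose query contains a `/` earlier is cut by `dirname()` to something like `/p/i/?url=http://host/`; in both cases the browser will not send the session cookie back and the user is logged out. Strip the query before looking at the path: `$cookie_dir = parse_url(empty($_SERVER['REQUEST_URI']) ? '/' : $_SERVER['REQUEST_URI'], PHP_URL_PATH);` followed by the existing trailing-slash handling. `HttpOnly` is still `false` in the `session_set_cookie_params()` call of this hunk.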
From: Alexandre Alapetite Date: Fri, 31 Jul 2015 11:26:57 +0200 Subject: Minz cookie session httpOnly https://github.com/FreshRSS/FreshRSS/issues/924 https://github.com/FreshRSS/FreshRSS/pull/936/files#r35948311 --- lib/Minz/Session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/Minz/Session.php') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index de671f173..057e7746a 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -70,7 +70,7 @@ class Minz_Session { if (substr($cookie_dir, -1) !== '/') { $cookie_dir = dirname($cookie_dir) . '/'; } - session_set_cookie_params($l, $cookie_dir, '', false, false); + session_set_cookie_params($l, $cookie_dir, '', false, true); } -- cgit v1.2.3 From e4a459a6edc40b64cba7845b52f3e90666b2818a Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Tue, 16 Feb 2016 23:53:39 +0100 Subject: CSP no inline javascript draft https://github.com/FreshRSS/FreshRSS/issues/1075 --- app/FreshRSS.php | 62 +++++++++++++++++++++++++++++ app/layout/layout.phtml | 6 +-- app/views/helpers/javascript_vars.phtml | 70 --------------------------------- lib/Minz/Session.php | 15 ++++--- p/scripts/main.js | 13 +++++- p/scripts/persona.js | 2 +- 6 files changed, 87 insertions(+), 81 deletions(-) delete mode 100644 app/views/helpers/javascript_vars.phtml (limited to 'lib/Minz/Session.php') diff --git a/app/FreshRSS.php b/app/FreshRSS.php index 044de9cd4..e0e82457c 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php 
@@ -110,6 +110,68 @@ class FreshRSS extends Minz_FrontController { } } + private static function setJavascriptCookie() { + $mark = FreshRSS_Context::$user_conf->mark_when; + $mail = Minz_Session::param('mail', false); + $s = FreshRSS_Context::$user_conf->shortcuts; + $json = json_encode(array( + 'context' => array( + 'auto_remove_article' => !!FreshRSS_Context::isAutoRemoveAvailable(), + 'hide_posts' => !(FreshRSS_Context::$user_conf->display_posts || Minz_Request::actionName() === 'reader'), + 'display_order' => Minz_Request::param('order', FreshRSS_Context::$user_conf->sort_order), + 'auto_mark_article' => !!$mark['article'], + 'auto_mark_site' => !!$mark['site'], + 'auto_mark_scroll' => !!$mark['scroll'], + 'auto_load_more' => !!FreshRSS_Context::$user_conf->auto_load_more, + 'auto_actualize_feeds' => !!Minz_Session::param('actualize_feeds', false), + 'does_lazyload' => !!FreshRSS_Context::$user_conf->lazyload , + 'sticky_post' => !!FreshRSS_Context::isStickyPostEnabled(), + 'html5_notif_timeout' => FreshRSS_Context::$user_conf->html5_notif_timeout, + 'auth_type' => FreshRSS_Context::$system_conf->auth_type, + 'current_user_mail' => $mail ? ('"' . $mail . 
'"') : null, + 'current_view' => Minz_Request::actionName(), + ), + 'shortcuts' => array( + 'mark_read' => @$s['mark_read'], + 'mark_favorite' => @$s['mark_favorite'], + 'go_website' => @$s['go_website'], + 'prev_entry' => @$s['prev_entry'], + 'next_entry' => @$s['next_entry'], + 'first_entry' => @$s['first_entry'], + 'last_entry' => @$s['last_entry'], + 'collapse_entry' => @$s['collapse_entry'], + 'load_more' => @$s['load_more'], + 'auto_share' => @$s['auto_share'], + 'focus_search' => @$s['focus_search'], + 'user_filter' => @$s['user_filter'], + 'help' => @$s['help'], + 'close_dropdown' => @$s['close_dropdown'], + ), + 'url' => array( + 'index' => _url('index', 'index'), + 'login' => Minz_Url::display(array('c' => 'auth', 'a' => 'login'), 'php'), + 'logout' => Minz_Url::display(array('c' => 'auth', 'a' => 'logout'), 'php'), + 'help' => FRESHRSS_WIKI, + ), + 'i18n' => array( + 'confirmation_default' => _t('gen.js.confirm_action'), + 'notif_title_articles' => _t('gen.js.feedback.title_new_articles'), + 'notif_body_articles' => _t('gen.js.feedback.body_new_articles'), + 'notif_request_failed' => _t('gen.js.feedback.request_failed'), + 'category_empty' => _t('gen.js.category_empty'), + ), + 'icons' => array( + 'close' => _i('close'), + ), + ), JSON_UNESCAPED_UNICODE); + setrawcookie('FreshRSS-vars', rawurlencode($json), 0, Minz_Session::getCookieDir()); + } + + public static function preLayout() { + header("Content-Security-Policy: default-src 'self'; img-src * data:; media-src *; style-src 'self' 'unsafe-inline'"); + self::setJavascriptCookie(); + } + private function loadNotifications() { $notif = Minz_Session::param('notification'); if ($notif) { diff --git a/app/layout/layout.phtml b/app/layout/layout.phtml index 1d3afbf71..7d718efbd 100644 --- a/app/layout/layout.phtml +++ b/app/layout/layout.phtml @@ -1,3 +1,6 @@ + 
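Review bot: `'current_user_mail' => $mail ? ('"' . $mail . '"') : null` keeps the manual quoting from the old inline `<script>` output, but `json_encode()` now quotes strings itself, so the client receives a value with literal `"` characters around the address and any consumer that compares it with a real e-mail address will not match; it should read `'current_user_mail' => $mail ? $mail : null`. `json_encode()` can also return `false` (for instance on invalid UTF-8 in a shortcut or translation string), in which case `rawurlencode(false)` sets an empty cookie that `JSON.parse` in `main.js` cannot parse; test the result before `setrawcookie()`. Browsers cap a single cookie at roughly 4 KB and this one carries the i18n strings and URLs on every request, so its size should be watched or the client silently gets nothing.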
@@ -5,9 +8,6 @@ - mark_when; -$mail = Minz_Session::param('mail', false); -$auto_actualize = Minz_Session::param('actualize_feeds', false); -$hide_posts = !(FreshRSS_Context::$user_conf->display_posts || Minz_Request::actionName() === 'reader'); -$s = FreshRSS_Context::$user_conf->shortcuts; - -$url_login = Minz_Url::display(array( - 'c' => 'auth', - 'a' => 'login' -), 'php'); -$url_logout = Minz_Url::display(array( - 'c' => 'auth', - 'a' => 'logout' -), 'php'); - -echo 'var context={', - 'auto_remove_article:', FreshRSS_Context::isAutoRemoveAvailable() ? 'true' : 'false', ',', - 'hide_posts:', $hide_posts ? 'true' : 'false', ',', - 'display_order:"', Minz_Request::param('order', FreshRSS_Context::$user_conf->sort_order), '",', - 'auto_mark_article:', $mark['article'] ? 'true' : 'false', ',', - 'auto_mark_site:', $mark['site'] ? 'true' : 'false', ',', - 'auto_mark_scroll:', $mark['scroll'] ? 'true' : 'false', ',', - 'auto_load_more:', FreshRSS_Context::$user_conf->auto_load_more ? 'true' : 'false', ',', - 'auto_actualize_feeds:', $auto_actualize ? 'true' : 'false', ',', - 'does_lazyload:', FreshRSS_Context::$user_conf->lazyload ? 'true' : 'false', ',', - 'sticky_post:', FreshRSS_Context::isStickyPostEnabled() ? 'true' : 'false', ',', - 'html5_notif_timeout:', FreshRSS_Context::$user_conf->html5_notif_timeout, ',', - 'auth_type:"', FreshRSS_Context::$system_conf->auth_type, '",', - 'current_user_mail:', $mail ? ('"' . $mail . 
'"') : 'null', ',', - 'current_view:"', Minz_Request::actionName(), '"', -"},\n"; - -echo 'shortcuts={', - 'mark_read:"', @$s['mark_read'], '",', - 'mark_favorite:"', @$s['mark_favorite'], '",', - 'go_website:"', @$s['go_website'], '",', - 'prev_entry:"', @$s['prev_entry'], '",', - 'next_entry:"', @$s['next_entry'], '",', - 'first_entry:"', @$s['first_entry'], '",', - 'last_entry:"', @$s['last_entry'], '",', - 'collapse_entry:"', @$s['collapse_entry'], '",', - 'load_more:"', @$s['load_more'], '",', - 'auto_share:"', @$s['auto_share'], '",', - 'focus_search:"', @$s['focus_search'], '",', - 'user_filter:"', @$s['user_filter'], '",', - 'help:"', @$s['help'], '",', - 'close_dropdown:"', @$s['close_dropdown'], '"', -"},\n"; - -echo 'url={', - 'index:"', _url('index', 'index'), '",', - 'login:"', $url_login, '",', - 'logout:"', $url_logout, '",', - 'help:"', FRESHRSS_WIKI, '"', -"},\n"; - -echo 'i18n={', - 'confirmation_default:"', _t('gen.js.confirm_action'), '",', - 'notif_title_articles:"', _t('gen.js.feedback.title_new_articles'), '",', - 'notif_body_articles:"', _t('gen.js.feedback.body_new_articles'), '",', - 'notif_request_failed:"', _t('gen.js.feedback.request_failed'), '",', - 'category_empty:"', _t('gen.js.category_empty'), '"', -"},\n"; - -echo 'icons={', - 'close:\'', _i('close'), '\'', -"}\n"; \ No newline at end of file diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index 057e7746a..940cd27d9 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php 
@@ -59,18 +59,21 @@ class Minz_Session { } } + public static function getCookieDir() { + // Get the script_name (e.g. /p/i/index.php) and keep only the path. + $cookie_dir = empty($_SERVER['REQUEST_URI']) ? '/' : $_SERVER['REQUEST_URI']; + if (substr($cookie_dir, -1) !== '/') { + $cookie_dir = dirname($cookie_dir) . '/'; + } + return $cookie_dir; + } /** * Spécifie la durée de vie des cookies * @param $l la durée de vie */ public static function keepCookie($l) { - // Get the script_name (e.g. /p/i/index.php) and keep only the path. - $cookie_dir = empty($_SERVER['REQUEST_URI']) ? '/' : $_SERVER['REQUEST_URI']; - if (substr($cookie_dir, -1) !== '/') { - $cookie_dir = dirname($cookie_dir) . '/'; - } - session_set_cookie_params($l, $cookie_dir, '', false, true); + session_set_cookie_params($l, self::getCookieDir(), '', false, true); } diff --git a/p/scripts/main.js b/p/scripts/main.js index 968c945c8..32a2ca913 100644 --- a/p/scripts/main.js +++ b/p/scripts/main.js @@ -1245,8 +1245,19 @@ function init_configuration_alert() { }); } +function parseJavaScriptCookie() { + var json = JSON.parse(decodeURIComponent(document.cookie.replace(/(?:(?:^|.*;\s*)FreshRSS-vars\s*\=\s*([^;]*).*$)|^.*$/, "$1"))) || {}; + document.cookie = 'FreshRSS-vars=; expires=Thu, 01 Jan 1970 00:00:00 GMT'; + window.context = json.context; + window.shortcuts = json.shortcuts; + window.url = json.url; + window.i18n = json.i18n; + window.icons = json.icons; +} + function init_all() { - if (!(window.$ && window.context)) { + parseJavaScriptCookie(); + if (!window.$) { if (window.console) { console.log('FreshRSS waiting for JS…'); } diff --git a/p/scripts/persona.js b/p/scripts/persona.js index 36aeeaf56..63ab43795 100644 --- a/p/scripts/persona.js +++ b/p/scripts/persona.js 
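Review bot: `parseJavaScriptCookie()` hands `JSON.parse()` whatever the regex extracts, and when the `FreshRSS-vars` cookie is absent or was rejected by the browser that is the empty string, which makes `JSON.parse` throw before the `|| {}` fallback is ever evaluated; the exception leaves `init_all()` and the page scripts never initialise. Guard it: `var json; try { json = JSON.parse(decodeURIComponent(...)); } catch (e) { json = {}; }` and then assign `json.context` etc. as now. The deletion `document.cookie = 'FreshRSS-vars=; expires=…'` also omits the Path the server used in `setrawcookie()`, so it only removes the cookie when the document's default path happens to equal `Minz_Session::getCookieDir()`. `init_all()` continues beyond this hunk.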
@@ -1,7 +1,7 @@ "use strict"; function init_persona() { - if (!(navigator.id && window.$)) { + if (!(navigator.id && window.$ && window.url)) { if (window.console) { console.log('FreshRSS (Persona) waiting for JS…'); } -- cgit v1.2.3 From ba9f4461d8935bb9de256a5bedf0c89d3d317c7f Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Tue, 8 Mar 2016 19:00:04 +0100 Subject: Secure cookie HTTPS --- CHANGELOG.md | 1 + lib/Minz/Request.php | 17 ++++++++++++----- lib/Minz/Session.php | 6 +++--- 3 files changed, 16 insertions(+), 8 deletions(-) (limited to 'lib/Minz/Session.php') diff --git a/CHANGELOG.md b/CHANGELOG.md index 74cb9d250..7298c4523 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ * Security * Added CSP `Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *` [#1075](https://github.com/FreshRSS/FreshRSS/issues/1075), [#1114](https://github.com/FreshRSS/FreshRSS/issues/1114) * Added `X-Content-Type-Options: nosniff` [#1116](https://github.com/FreshRSS/FreshRSS/pull/1116) + * Cookie with `Secure` tag when used over HTTPS []() * Features * New list of domains for which to force HTTPS (for images, videos, iframes…) defined in `./data/force-https.default.txt` and `./data/force-https.txt` [#1083](https://github.com/FreshRSS/FreshRSS/issues/1083) * In particular useful for privacy and to avoid mixed content errors, e.g. to see YouTube videos when FreshRSS is in HTTPS diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php index effb9943c..81457df9e 100644 --- a/lib/Minz/Request.php +++ b/lib/Minz/Request.php 
@@ -84,6 +84,17 @@ class Minz_Request { self::magicQuotesOff(); } + /** + * Return true if the request is over HTTPS, false otherwise (HTTP) + */ + public static function isHttps() { + if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) { + return strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https'; + } else { + return isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on'; + } + } + /** * Try to guess the base URL from $_SERVER information * @@ -92,11 +103,7 @@ class Minz_Request { public static function guessBaseUrl() { $url = 'http'; - if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) { - $https = strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https'; - } else { - $https = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on'; - } + $https = self::isHttps(); if (!empty($_SERVER['HTTP_HOST'])) { $host = $_SERVER['HTTP_HOST']; diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index 940cd27d9..c94f2b646 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -73,7 +73,7 @@ class Minz_Session { * @param $l la durée de vie */ public static function keepCookie($l) { - session_set_cookie_params($l, self::getCookieDir(), '', false, true); + session_set_cookie_params($l, self::getCookieDir(), '', Minz_Request::isHttps(), true); } @@ -86,11 +86,11 @@ class Minz_Session { } public static function deleteLongTermCookie($name) { - setcookie($name, '', 1, '', '', false, true); + setcookie($name, '', 1, '', '', Minz_Request::isHttps(), true); } public static function setLongTermCookie($name, $value, $expire) { - setcookie($name, $value, $expire, '', '', false, true); + setcookie($name, $value, $expire, '', '', Minz_Request::isHttps(), true); } public static function getLongTermCookie($name) { -- cgit v1.2.3
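Review bot: `isHttps()` honours `HTTP_X_FORWARDED_PROTO` from any client, not only from a reverse proxy, so an instance served directly over plain HTTP can be told `X-Forwarded-Proto: https` by the requester and will emit `Secure` cookies the browser discards, leaving that user unable to keep a session; conversely a value of `http` passed through by a proxy that does not overwrite client headers downgrades the flag on an HTTPS deployment. The header should only be trusted when the deployment declares it sits behind a proxy — a configuration switch, or a check of `$_SERVER['REMOTE_ADDR']` against known proxy addresses — and `$_SERVER['HTTPS']` should decide otherwise. Proxies may also send a comma-separated chain (`https, http`), which the strict `=== 'https'` test rejects; compare the first element of `explode(',', …)` after trimming.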