authorFrederic Guillot <fred@kanboard.net>2015-11-15 12:50:33 -0500
committerFrederic Guillot <fred@kanboard.net>2015-11-15 12:50:33 -0500
commita675271ad71b7713d1b33bdba3c51b2b04813229 (patch)
treee54d8a95e16ca521193b9fd5a5eb071aa2910823 /app/Core/Session
parent2fc402f6733573627ad25394d109b9f848ef04f6 (diff)
Rewrite of session management
Diffstat (limited to 'app/Core/Session')
-rw-r--r--app/Core/Session/FlashMessage.php71
-rw-r--r--app/Core/Session/SessionManager.php102
-rw-r--r--app/Core/Session/SessionStorage.php71
3 files changed, 244 insertions, 0 deletions
diff --git a/app/Core/Session/FlashMessage.php b/app/Core/Session/FlashMessage.php
new file mode 100644
index 00000000..e02d056d
--- /dev/null
+++ b/app/Core/Session/FlashMessage.php
@@ -0,0 +1,71 @@
+<?php
+
+namespace Kanboard\Core\Session;
+
+use Kanboard\Core\Base;
+
+/**
+ * Session Flash Message
+ *
+ * @package session
+ * @author Frederic Guillot
+ */
+class FlashMessage extends Base
+{
+ /**
+ * Add success message
+ *
+ * @access public
+ * @param string $message
+ */
+ public function success($message)
+ {
+ $this->setMessage('success', $message);
+ }
+
+ /**
+ * Add failure message
+ *
+ * @access public
+ * @param string $message
+ */
+ public function failure($message)
+ {
+ $this->setMessage('failure', $message);
+ }
+
+ /**
+ * Add new flash message
+ *
+ * @access public
+ * @param string $key
+ * @param string $message
+ */
+ public function setMessage($key, $message)
+ {
+ if (! isset($this->sessionStorage->flash)) {
+ $this->sessionStorage->flash = array();
+ }
+
+ $this->sessionStorage->flash[$key] = $message;
+ }
+
+ /**
+ * Get flash message
+ *
+ * @access public
+ * @param string $key
+ * @return string
+ */
+ public function getMessage($key)
+ {
+ $message = '';
+
+ if (isset($this->sessionStorage->flash[$key])) {
+ $message = $this->sessionStorage->flash[$key];
+ unset($this->sessionStorage->flash[$key]);
+ }
+
+ return $message;
+ }
+}
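Review bot: setMessage() overwrites any message already stored under the same key and getMessage() deletes the entry on first read, neither of which the docblocks say; two calls to success() in one request keep only the last message. A line in each docblock, `* Only one message per key is kept; the last call wins` on setMessage() and `* The message is removed from the session once read` on getMessage(), would make the contract explicit. The stored string is kept unescaped here, so the template that renders it is responsible for HTML escaping — presumably it does, but the class docblock should state that.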
diff --git a/app/Core/Session/SessionManager.php b/app/Core/Session/SessionManager.php
new file mode 100644
index 00000000..6153efeb
--- /dev/null
+++ b/app/Core/Session/SessionManager.php
@@ -0,0 +1,102 @@
+<?php
+
+namespace Kanboard\Core\Session;
+
+use Kanboard\Core\Base;
+use Kanboard\Core\Http\Request;
+
+/**
+ * Session Manager
+ *
+ * @package session
+ * @author Frederic Guillot
+ */
+class SessionManager extends Base
+{
+ /**
+ * Return true if the session is open
+ *
+ * @static
+ * @access public
+ * @return boolean
+ */
+ public static function isOpen()
+ {
+ return session_id() !== '';
+ }
+
+ /**
+ * Create a new session
+ *
+ * @access public
+ */
+ public function open()
+ {
+ $this->configure();
+
+ if (ini_get('session.auto_start') == 1) {
+ session_destroy();
+ }
+
+ session_name('KB_SID');
+ session_start();
+
+ $this->container['sessionStorage']->setStorage($_SESSION);
+ }
+
+ /**
+ * Destroy the session
+ *
+ * @access public
+ */
+ public function close()
+ {
+ // Destroy the session cookie
+ $params = session_get_cookie_params();
+
+ setcookie(
+ session_name(),
+ '',
+ time() - 42000,
+ $params['path'],
+ $params['domain'],
+ $params['secure'],
+ $params['httponly']
+ );
+
+ session_unset();
+ session_destroy();
+ }
+
+ /**
+ * Define session settings
+ *
+ * @access private
+ */
+ private function configure()
+ {
+ // Session cookie: HttpOnly and secure flags
+ session_set_cookie_params(
+ SESSION_DURATION,
+ $this->helper->url->dir() ?: '/',
+ null,
+ Request::isHTTPS(),
+ true
+ );
+
+ // Avoid session id in the URL
+ ini_set('session.use_only_cookies', '1');
+ ini_set('session.use_trans_sid', '0');
+
+ // Enable strict mode
+ ini_set('session.use_strict_mode', '1');
+
+ // Better session hash
+ ini_set('session.hash_function', 'sha512');
+ ini_set('session.hash_bits_per_character', 6);
+
+ // Set an additional entropy
+ ini_set('session.entropy_file', '/dev/urandom');
+ ini_set('session.entropy_length', '256');
+ }
+}
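Review bot: open() calls session_start() but never session_regenerate_id(), so the id issued to an anonymous visitor is kept when that visitor later authenticates unless the login code regenerates it; session.use_strict_mode only rejects ids the server never issued. Presumably the authentication layer handles this — a docblock line on open(), `* Callers must call session_regenerate_id(true) after authentication or any privilege change`, would make the contract explicit. The cookie's `secure` flag is taken from Request::isHTTPS() at the moment open() runs, so behind a TLS-terminating proxy it is only as reliable as that helper's detection; worth a comment next to the session_set_cookie_params() call. Minor: `ini_get('session.auto_start') == 1` is a loose comparison where `=== '1'` matches the string ini_get() returns, and `ini_set('session.hash_bits_per_character', 6)` passes an int while the neighbouring calls pass strings.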
diff --git a/app/Core/Session/SessionStorage.php b/app/Core/Session/SessionStorage.php
new file mode 100644
index 00000000..54d803f7
--- /dev/null
+++ b/app/Core/Session/SessionStorage.php
@@ -0,0 +1,71 @@
+<?php
+
+namespace Kanboard\Core\Session;
+
+/**
+ * Session Storage
+ *
+ * @package session
+ * @author Frederic Guillot
+ *
+ * @property array $config
+ * @property array $user
+ * @property array $flash
+ * @property array $csrf
+ * @property array $postAuth
+ * @property string $redirectAfterLogin
+ * @property string $captcha
+ * @property string $commentSorting
+ * @property bool $hasSubtaskInProgress
+ * @property bool $boardCollapsed
+ */
+class SessionStorage
+{
+ /**
+ * Pointer to external storage
+ *
+ * @access private
+ * @var array
+ */
+ private $storage = array();
+
+ /**
+ * Set external storage
+ *
+ * @access public
+ * @param array $storage External session storage (example: $_SESSION)
+ */
+ public function setStorage(array &$storage)
+ {
+ $this->storage =& $storage;
+
+ // Load dynamically existing session variables into object properties
+ foreach ($storage as $key => $value) {
+ $this->$key = $value;
+ }
+ }
+
+ /**
+ * Get all session variables
+ *
+ * @access public
+ * @return array
+ */
+ public function getAll()
+ {
+ $session = get_object_vars($this);
+ unset($session['storage']);
+
+ return $session;
+ }
+
+ /**
+ * Copy class properties to external storage
+ *
+ * @access public
+ */
+ public function __destruct()
+ {
+ $this->storage = $this->getAll();
+ }
+}
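Review bot: setStorage() copies every session key into a dynamic property with `$this->$key = $value`, so a session entry whose key is `storage` would overwrite the private reference taken one line earlier and silently break the write-back in __destruct() (getAll() would then strip that value too). Skipping that key, `if ($key !== 'storage') { $this->$key = $value; }`, closes the gap. The write-back itself only happens when the object is destroyed, so values set through the properties are not visible in $_SESSION until then; presumably the instance lives in the container for the whole request, and a class docblock note saying that session_write_close() must not run before the object is released would record that assumption.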