Session and ACL Login Class update

Session: regenerate session id after some time or random. Default is 'never', can be 'interval' form 0 to 1h and random from always to 1 in 100 Session also checks that strict session settings are enabled Login class: Automatic re-read of acl settings after some time (default 5min, can be chnaged via option). Default set strict headers, can be turned off via option Moved various parts into their own methods and cleaned up double call logic. Login is now recorded in the last login entry no more debug flags are read from the database anymore All options are set via array and not with a single option (was auto login)
2024-12-11 21:02:21 +09:00
parent 2b0434e36b
commit 8d3882a6fe
9 changed files with 944 additions and 527 deletions
--- a/www/admin/class_test.login.php
+++ b/www/admin/class_test.login.php
@@ -21,7 +21,10 @@ $SET_SESSION_NAME = EDIT_SESSION_NAME;
 use CoreLibs\Debug\Support;

 // init login & backend class
-$session = new CoreLibs\Create\Session($SET_SESSION_NAME);
+$session = new CoreLibs\Create\Session($SET_SESSION_NAME, [
+	'regenerate' => 'interval',
+	'regenerate_interval' => 10, // every 10 seconds
+]);
 $log = new CoreLibs\Logging\Logging([
 	'log_folder' => BASE . LOG,
 	'log_file_id' => $LOG_FILE_ID,
@@ -90,6 +93,8 @@ print <<<HTML
 </div>
 HTML;

+echo "SESSION ID: " . $session->getSessionIdCall() . "<br>";
+
 echo "CHECK PERMISSION: " . ($login->loginCheckPermissions() ? 'OK' : 'BAD') . "<br>";
 echo "IS ADMIN: " . ($login->loginIsAdmin() ? 'OK' : 'BAD') . "<br>";
 echo "MIN ACCESS BASE: " . ($login->loginCheckAccessBase('admin') ? 'OK' : 'BAD') . "<br>";
@@ -118,8 +123,7 @@ if (isset($login->loginGetAcl()['unit'])) {
 	print "Something went wrong with the login<br>";
 }

-echo "<hr>";
-
+// echo "<hr>";
 // IP check: 'REMOTE_ADDR', 'HTTP_X_FORWARDED_FOR', 'CLIENT_IP' in _SERVER
 // Agent check: 'HTTP_USER_AGENT'

--- a/www/admin/class_test.session.php
+++ b/www/admin/class_test.session.php
@@ -146,7 +146,7 @@ $_SESSION['this_will_be_written'] = 'not empty';
 // open again with same name
 $session_name = 'class-test-session';
 try {
-	$session_alt = new Session($session_name, auto_write_close:true);
+	$session_alt = new Session($session_name, ['auto_write_close' => true]);
 	print "[4 SET] Current session id: " . $session_alt->getSessionId() . "<br>";
 	print "[4 SET] Current session auto write close: " . ($session_alt->checkAutoWriteClose() ? 'Yes' : 'No') . "<br>";
 	print "[START AGAIN] Current session id: " . $session_alt->getSessionId() . "<br>";
--- a/www/lib/CoreLibs/ACL/Login.php
+++ b/www/lib/CoreLibs/ACL/Login.php
--- a/www/lib/CoreLibs/Create/Session.php
+++ b/www/lib/CoreLibs/Create/Session.php
@@ -21,21 +21,107 @@ class Session
 	private string $session_id = '';
 	/** @var bool flag auto write close */
 	private bool $auto_write_close = false;
+	/** @var string regenerate option, default never */
+	private string $regenerate = 'never';
+	/** @var int regenerate interval either 1 to 100 for random or 0 to 3600 for interval */
+	private int $regenerate_interval = 0;
+
+	/** @var array<string> allowed session id regenerate (rotate) options */
+	private const ALLOWED_REGENERATE_OPTIONS = ['none', 'random', 'interval'];
+	/** @var int default random interval */
+	public const DEFAULT_REGENERATE_RANDOM = 100;
+	/** @var int default rotate internval in minutes */
+	public const DEFAULT_REGENERATE_INTERVAL = 5 * 60;
+	/** @var int maximum time for regenerate interval is one hour */
+	public const MAX_REGENERATE_INTERAL = 60 * 60;

 	/**
 	 * init a session, if array is empty or array does not have session_name set
 	 * then no auto init is run
 	 *
 	 * @param string $session_name if set and not empty, will start session
+	 * @param  array<string,bool> $options
 	 */
-	public function __construct(string $session_name, bool $auto_write_close = false)
-	{
+	public function __construct(
+		string $session_name,
+		array $options = []
+	) {
+		$this->setOptions($options);
 		$this->initSession($session_name);
-		$this->auto_write_close = $auto_write_close;
 	}

 	// MARK: private methods

+	/**
+	 * set session class options
+	 *
+	 * @param  array<string,bool> $options
+	 * @return void
+	 */
+	private function setOptions(array $options): void
+	{
+		if (
+			!isset($options['auto_write_close']) ||
+			!is_bool($options['auto_write_close'])
+		) {
+			$options['auto_write_close'] = false;
+		}
+		$this->auto_write_close = $options['auto_write_close'];
+		if (
+			!isset($options['session_strict']) ||
+			!is_bool($options['session_strict'])
+		) {
+			$options['session_strict'] = true;
+		}
+		// set strict options, on not started sessiononly
+		if (
+			$options['session_strict'] &&
+			$this->getSessionStatus() === PHP_SESSION_NONE
+		) {
+			// use cookies to store session IDs
+			ini_set('session.use_cookies', 1);
+			// use cookies only (do not send session IDs in URLs)
+			ini_set('session.use_only_cookies', 1);
+			// do not send session IDs in URLs
+			ini_set('session.use_trans_sid', 0);
+		}
+		// session regenerate id options
+		if (
+			empty($options['regenerate']) ||
+			!in_array($options['regenerate'], self::ALLOWED_REGENERATE_OPTIONS)
+		) {
+			$options['regenerate'] = 'never';
+		}
+		$this->regenerate = (string)$options['regenerate'];
+		// for regenerate: 'random' (default 100)
+		// regenerate_interval must be between (1 = always) and 100 (1 in 100)
+		// for regenerate: 'interval' (default 5min)
+		// regenerate_interval must be 0 = always, to 3600 (every hour)
+		if (
+			$options['regenerate'] == 'random' &&
+			(
+				!isset($options['regenerate_interval']) ||
+				!is_numeric($options['regenerate_interval']) ||
+				$options['regenerate_interval'] < 0 ||
+				$options['regenerate_interval'] > 100
+			)
+		) {
+			$options['regenerate_interval'] = self::DEFAULT_REGENERATE_RANDOM;
+		}
+		if (
+			$options['regenerate'] == 'interval' &&
+			(
+				!isset($options['regenerate_interval']) ||
+				!is_numeric($options['regenerate_interval']) ||
+				$options['regenerate_interval'] < 1 ||
+				$options['regenerate_interval'] > self::MAX_REGENERATE_INTERAL
+			)
+		) {
+			$options['regenerate_interval'] = self::DEFAULT_REGENERATE_INTERVAL;
+		}
+		$this->regenerate_interval = (int)($options['regenerate_interval'] ?? 0);
+	}
+
 	/**
 	 * Start session
 	 * startSession should be called for complete check
@@ -72,6 +158,72 @@ class Session
 		return false;
 	}

+	// MARK: regenerate session
+
+	/**
+	 * auto rotate session id
+	 *
+	 * @return void
+	 * @throws \RuntimeException failure to regenerate session id
+	 * @throws \UnexpectedValueException failed to get new session id
+	 * @throws \RuntimeException failed to set new sesson id
+	 * @throws \UnexpectedValueException new session id generated does not match the new set one
+	 */
+	private function sessionRegenerateSessionId()
+	{
+		// never
+		if ($this->regenerate == 'never') {
+			return;
+		}
+		// regenerate
+		if (
+			!(
+				// is not session obsolete
+				empty($_SESSION['SESSION_REGENERATE_OBSOLETE']) &&
+				(
+					(
+						// random
+						$this->regenerate == 'random' &&
+						mt_rand(1, $this->regenerate_interval) == 1
+					) || (
+						// interval type
+						$this->regenerate == 'interval' &&
+						($_SESSION['SESSION_REGENERATE_TIMESTAMP'] ?? 0) + $this->regenerate_interval < time()
+					)
+				)
+			)
+		) {
+			return;
+		}
+		// Set current session to expire in 1 minute
+		$_SESSION['SESSION_REGENERATE_OBSOLETE'] = true;
+		$_SESSION['SESSION_REGENERATE_EXPIRES'] = time() + 60;
+		$_SESSION['SESSION_REGENERATE_TIMESTAMP'] = time();
+		// Create new session without destroying the old one
+		if (session_regenerate_id(false) === false) {
+			throw new \RuntimeException('[SESSION] Session id regeneration failed', 1);
+		}
+		// Grab current session ID and close both sessions to allow other scripts to use them
+		if (false === ($new_session_id = $this->getSessionIdCall())) {
+			throw new \UnexpectedValueException('[SESSION] getSessionIdCall did not return a session id', 2);
+		}
+		$this->writeClose();
+		// Set session ID to the new one, and start it back up again
+		if (($get_new_session_id = session_id($new_session_id)) === false) {
+			throw new \RuntimeException('[SESSION] set session_id failed', 3);
+		}
+		if ($get_new_session_id != $new_session_id) {
+			throw new \UnexpectedValueException('[SESSION] new session id does not match the new set one', 4);
+		}
+		$this->session_id = $new_session_id;
+		$this->startSessionCall();
+		// Don't want this one to expire
+		unset($_SESSION['SESSION_REGENERATE_OBSOLETE']);
+		unset($_SESSION['SESSION_REGENERATE_EXPIRES']);
+	}
+
+	// MARK: session validation
+
 	/**
 	 * check if session name is valid
 	 *
@@ -151,6 +303,13 @@ class Session
 			if (!$this->checkActiveSession()) {
 				throw new \RuntimeException('[SESSION] Failed to activate session', 5);
 			}
+			if (
+				!empty($_SESSION['SESSION_REGENERATE_OBSOLETE']) &&
+				!empty($_SESSION['SESSION_REGENERATE_EXPIRES']) && $_SESSION['SESSION_REGENERATE_EXPIRES'] < time()
+			) {
+				$this->sessionDestroy();
+				throw new \RuntimeException('[SESSION] Expired session found', 6);
+			}
 		} elseif ($session_name != $this->getSessionName()) {
 			throw new \UnexpectedValueException(
 				'[SESSION] Another session exists with a different name: ' . $this->getSessionName(),
@@ -159,10 +318,12 @@ class Session
 		}
 		// check session id
 		if (false === ($session_id = $this->getSessionIdCall())) {
-			throw new \UnexpectedValueException('[SESSION] getSessionId did not return a session id', 6);
+			throw new \UnexpectedValueException('[SESSION] getSessionIdCall did not return a session id', 7);
 		}
 		// set session id
 		$this->session_id = $session_id;
+		// run session id re-create from time to time
+		$this->sessionRegenerateSessionId();
 		// if flagged auto close, write close session
 		if ($this->auto_write_close) {
 			$this->writeClose();