updated userSession

a99b99aa · GopiKrishnan · 98b1059b · a99b99aa · a99b99aa
Commit a99b99aa authored 2 years ago by GopiKrishnan
--- a/libs/includes/UserSession.class.php
+++ b/libs/includes/UserSession.class.php
@@ -10,12 +10,12 @@ class UserSession
    public static function authenticate($user, $pass)
    {
        $username = User::login($user, $pass);
-        $user = new User($username);
        if ($username) {
+            $user = new User($username);
            $conn = Database::getConnection();
            $ip = $_SERVER['REMOTE_ADDR'];
            $agent = $_SERVER['HTTP_USER_AGENT'];
-            $token = md5(rand(0, 9999999) .$ip.$agent.time());
+            $token = md5(rand(0, 9999999) . $ip . $agent . time());
            $sql = "INSERT INTO `session` (`uid`, `token`, `login_time`, `ip`, `user_agent`, `active`)
            VALUES ('$user->id', '$token', now(), '$ip', '$agent', '1')";
            if ($conn->query($sql)) {
@@ -29,9 +29,34 @@ class UserSession
        }
    }

+    /*
+    * Authorize function have has 4 level of checks 
+        1.Check that the IP and User agent field is filled.
+        2.Check if the session is correct and active.
+        3.Check that the current IP is the same as the previous IP
+        4.Check that the current user agent is the same as the previous user agent
+
+        @return true else false;
+    */
    public static function authorize($token)
    {
-        $sess = new UserSession($token);
+        try {
+            $session = new UserSession($token);
+            if (isset($_SERVER['REMOTE_ADDR']) and isset($_SERVER["HTTP_USER_AGENT"])) {
+                if ($session->isValid() and $session->isActive()) {
+                    if ($_SERVER['REMOTE_ADDR'] == $session->getIP()) {
+                        if ($_SERVER['HTTP_USER_AGENT'] == $session->getUserAgent()) {
+                            return true;
+                        } else throw new Exception("User agent does't match");
+                    } else throw new Exception("IP does't match");
+                } else {
+                    $session->removeSession();
+                    throw new Exception("Invalid session");
+                }
+            } else throw new Exception("IP and User_agent is null");
+        } catch (Exception $e) {
+            return false;
+        }
    }

    public function __construct($token)
@@ -39,7 +64,7 @@ class UserSession
        $this->conn = Database::getConnection();
        $this->token = $token;
        $this->data = null;
-        $sql = "SELECT * FROM `session` WHERE `token`=$token LIMIT 1";
+        $sql = "SELECT * FROM `session` WHERE `token`='$token' LIMIT 1";
        $result = $this->conn->query($sql);
        if ($result->num_rows) {
            $row = $result->fetch_assoc();
@@ -62,17 +87,52 @@ class UserSession
     */
    public function isValid()
    {
+        if (isset($this->data['login_time'])) {
+            $login_time = DateTime::createFromFormat('Y-m-d H:i:s', $this->data['login_time']);
+            if (3600 > time() - $login_time->getTimestamp()) {
+                return true;
+            } else {
+                return false;
+            }
+        } else throw new Exception("login tiem is null");
    }

    public function getIP()
    {
+        return isset($this->data["ip"]) ? $this->data["ip"] : false;
    }

    public function getUserAgent()
    {
+        return isset($this->data["user_agent"]) ? $this->data["user_agent"] : false;
    }

    public function deactivate()
    {
+        if (!$this->conn)
+            $this->conn = Database::getConnection();
+        $sql = "UPDATE `session` SET `active` = 0 WHERE `uid`=$this->uid";
+
+        return $this->conn->query($sql) ? true : false;
+    }
+
+    public function isActive()
+    {
+        if (isset($this->data['active'])) {
+            return $this->data['active'] ? true : false;
+        }
+    }
+
+    //This function remove current session
+    public function removeSession()
+    {
+        if (isset($this->data['id'])) {
+            $id = $this->data['id'];
+            if (!$this->conn) $this->conn = Database::getConnection();
+            $sql = "DELETE FROM `session` WHERE `id` = $id;";
+            if ($this->conn->query($sql)) {
+                return true;
+            } else return false;
+        }
    }
 }
--- a/logintest2.php
+++ b/logintest2.php
+<?php
+include 'libs/load.php';
+
+$user = "gopi";
+
+if (isset($_GET['logout'])) {
+    if (Session::isset("session_token")) {
+        $Session = new UserSession(Session::get("session_token"));
+        if ($Session->removeSession()) {
+            echo "<h3> Pervious Session is removing from db </h3>";
+        } else {
+            echo "<h3>Pervious Session not removing from db </h3>";
+        }
+    }
+    Session::destroy();
+    die("Session destroyed, <a href='logintest2.php'>Login Again</a>");
+}
+
+/*
+1. Check if session_token in PHP session is available
+2. If yes, construct UserSession and see if its successful.
+3. Check if the session is valid one
+4. If valid, print "Session validated"
+5. Else, print "Invalid Session" and ask user to login.
+*/
+
+if (Session::isset("session_token")) {
+    if (UserSession::authorize(Session::get("session_token"))) {
+        echo "<h1>Session Login, WELCOME $user </h1>";
+    } else {
+        Session::destroy();
+        die("<h1>Invalid Session, <a href='logintest2.php'>Login Again</a></h1>");
+    }
+} else {
+    $pass = isset($_GET['pass']) ? $_GET['pass'] : '';
+    if (!$pass) die("<h1>Password  is Empty</h1>");
+    if (UserSession::authenticate($user, $pass)) {
+        echo "<h1>New LOGIN Success,  WELCOME $user</h1>";
+    } else echo "<h1>New Login Failed! $user</h1>";
+}
+
+echo <<<EOL
+<br><br><a href="logintest2.php?logout">Logout</a>
+EOL;