Merge branch 'master' into 'dev'

Master

See merge request sibidharan/php-class-project!8

libs/includes/UserSession.class.php

@@ -10,12 +10,12 @@ class UserSession
     public static function authenticate($user, $pass)
     {
         $username = User::login($user, $pass);
-        $user = new User($username);
         if ($username) {
+            $user = new User($username);
             $conn = Database::getConnection();
             $ip = $_SERVER['REMOTE_ADDR'];
             $agent = $_SERVER['HTTP_USER_AGENT'];
-            $token = md5(rand(0, 9999999) .$ip.$agent.time());
+            $token = md5(rand(0, 9999999) . $ip . $agent . time());
             $sql = "INSERT INTO `session` (`uid`, `token`, `login_time`, `ip`, `user_agent`, `active`)
             VALUES ('$user->id', '$token', now(), '$ip', '$agent', '1')";
             if ($conn->query($sql)) {
@@ -29,9 +29,34 @@ class UserSession
         }
     }
 
+    /*
+    * Authorize function have has 4 level of checks 
+        1.Check that the IP and User agent field is filled.
+        2.Check if the session is correct and active.
+        3.Check that the current IP is the same as the previous IP
+        4.Check that the current user agent is the same as the previous user agent
+
+        @return true else false;
+    */
     public static function authorize($token)
     {
-        $sess = new UserSession($token);
+        try {
+            $session = new UserSession($token);
+            if (isset($_SERVER['REMOTE_ADDR']) and isset($_SERVER["HTTP_USER_AGENT"])) {
+                if ($session->isValid() and $session->isActive()) {
+                    if ($_SERVER['REMOTE_ADDR'] == $session->getIP()) {
+                        if ($_SERVER['HTTP_USER_AGENT'] == $session->getUserAgent()) {
+                            return true;
+                        } else throw new Exception("User agent does't match");
+                    } else throw new Exception("IP does't match");
+                } else {
+                    $session->removeSession();
+                    throw new Exception("Invalid session");
+                }
+            } else throw new Exception("IP and User_agent is null");
+        } catch (Exception $e) {
+            return false;
+        }
     }
 
     public function __construct($token)
@@ -39,7 +64,7 @@ class UserSession
         $this->conn = Database::getConnection();
         $this->token = $token;
         $this->data = null;
-        $sql = "SELECT * FROM `session` WHERE `token`=$token LIMIT 1";
+        $sql = "SELECT * FROM `session` WHERE `token`='$token' LIMIT 1";
         $result = $this->conn->query($sql);
         if ($result->num_rows) {
             $row = $result->fetch_assoc();
@@ -62,17 +87,52 @@ class UserSession
      */
     public function isValid()
     {
+        if (isset($this->data['login_time'])) {
+            $login_time = DateTime::createFromFormat('Y-m-d H:i:s', $this->data['login_time']);
+            if (3600 > time() - $login_time->getTimestamp()) {
+                return true;
+            } else {
+                return false;
+            }
+        } else throw new Exception("login tiem is null");
     }
 
     public function getIP()
     {
+        return isset($this->data["ip"]) ? $this->data["ip"] : false;
     }
 
     public function getUserAgent()
     {
+        return isset($this->data["user_agent"]) ? $this->data["user_agent"] : false;
     }
 
     public function deactivate()
     {
+        if (!$this->conn)
+            $this->conn = Database::getConnection();
+        $sql = "UPDATE `session` SET `active` = 0 WHERE `uid`=$this->uid";
+
+        return $this->conn->query($sql) ? true : false;
+    }
+
+    public function isActive()
+    {
+        if (isset($this->data['active'])) {
+            return $this->data['active'] ? true : false;
+        }
+    }
+
+    //This function remove current session
+    public function removeSession()
+    {
+        if (isset($this->data['id'])) {
+            $id = $this->data['id'];
+            if (!$this->conn) $this->conn = Database::getConnection();
+            $sql = "DELETE FROM `session` WHERE `id` = $id;";
+            if ($this->conn->query($sql)) {
+                return true;
+            } else return false;
+        }
     }
 }

logintest2.php

+<?php
+include 'libs/load.php';
+
+$user = "gopi";
+
+if (isset($_GET['logout'])) {
+    if (Session::isset("session_token")) {
+        $Session = new UserSession(Session::get("session_token"));
+        if ($Session->removeSession()) {
+            echo "<h3> Pervious Session is removing from db </h3>";
+        } else {
+            echo "<h3>Pervious Session not removing from db </h3>";
+        }
+    }
+    Session::destroy();
+    die("Session destroyed, <a href='logintest2.php'>Login Again</a>");
+}
+
+/*
+1. Check if session_token in PHP session is available
+2. If yes, construct UserSession and see if its successful.
+3. Check if the session is valid one
+4. If valid, print "Session validated"
+5. Else, print "Invalid Session" and ask user to login.
+*/
+
+if (Session::isset("session_token")) {
+    if (UserSession::authorize(Session::get("session_token"))) {
+        echo "<h1>Session Login, WELCOME $user </h1>";
+    } else {
+        Session::destroy();
+        die("<h1>Invalid Session, <a href='logintest2.php'>Login Again</a></h1>");
+    }
+} else {
+    $pass = isset($_GET['pass']) ? $_GET['pass'] : '';
+    if (!$pass) die("<h1>Password  is Empty</h1>");
+    if (UserSession::authenticate($user, $pass)) {
+        echo "<h1>New LOGIN Success,  WELCOME $user</h1>";
+    } else echo "<h1>New Login Failed! $user</h1>";
+}
+
+echo <<<EOL
+<br><br><a href="logintest2.php?logout">Logout</a>
+EOL;