From 0e9ab7b9ff17172e6220fb32982e02520d1607fb Mon Sep 17 00:00:00 2001
From: kristuff
Date: Sat, 6 Jun 2020 13:30:00 +0200
Subject: [PATCH] Session validation improvement like proposed her https://github.com/panique/huge/issues/885

---
 application/core/Auth.php | 2 +-
 application/core/Session.php | 13 +++++++++----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/application/core/Auth.php b/application/core/Auth.php
index 10430b14a..84761fe7d 100644
--- a/application/core/Auth.php
+++ b/application/core/Auth.php
@@ -72,7 +72,7 @@ public static function checkAdminAuthentication()
 */
 public static function checkSessionConcurrency(){
 if(Session::userIsLoggedIn()){
- if(Session::isConcurrentSessionExists()){
+ if(Session::isSessionBroken()){
 LoginModel::logout();
 Redirect::home();
 exit();
diff --git a/application/core/Session.php b/application/core/Session.php
index 89d64c6ef..a489a6ec5 100644
--- a/application/core/Session.php
+++ b/application/core/Session.php
@@ -84,8 +84,10 @@ public static function updateSessionId($userId, $sessionId = null)
 }

 /**
- * checks for session concurrency
- *
+ * checks for broken session
+ * Session could be broken by Session concurrency or when user is deleted / suspended
+ *
+ * - Session concurrency is done as the following:
 * This is done as the following:
 * UserA logs in with his session id('123') and it will be stored in the database.
 * Then, UserB logs in also using the same email and password of UserA from another PC,
@@ -94,6 +96,9 @@ public static function updateSessionId($userId, $sessionId = null)
 * Now, Whenever UserA performs any action,
 * You then check the session_id() against the last one stored in the database('456'),
 * If they don't match then log both of them out.
+ *
+ * - Check for deleted / suspended users:
+ * Suspended/deleted users have no userSessionId anymore stored in database
 *
 * @access public
 * @static static method 
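Review bot: checkSessionConcurrency() now forces a logout for every condition isSessionBroken() reports, which by its new name includes deleted or suspended users, yet the caller keeps a concurrency-only name and the docblock that closes at the top of this hunk presumably still describes only the concurrent-login case. At minimum that docblock should say `* Logs out and redirects home when Session::isSessionBroken() reports the session as invalid (concurrent login, or a deleted/suspended user).`; renaming the caller to match and keeping checkSessionConcurrency() as a thin deprecated alias would be cleaner. The method body continues past the hunk, so the enclosing `if` blocks are not closed here.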
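Review bot: The added line `* - Session concurrency is done as the following:` sits directly above the retained `* This is done as the following:`, so the docblock now introduces the same explanation twice; drop the retained line, or shorten the added one to the heading `* - Session concurrency:` and keep the original sentence. The same docblock continues in the next hunk (`@@ -94,6 +96,9 @@`), where the new sentence `* Suspended/deleted users have no userSessionId anymore stored in database` states a property of the delete/suspend code that this diff does not show; phrasing it as the invariant the check relies on, e.g. `* Relies on the delete/suspend paths clearing the stored session_id; if they stop doing so, this check no longer catches those users`, makes the dependency explicit for the next maintainer.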
@@ -101,7 +106,7 @@ public static function updateSessionId($userId, $sessionId = null)
 * @see Session::updateSessionId()
 * @see http://stackoverflow.com/questions/6126285/php-stop-concurrent-user-logins
 */
- public static function isConcurrentSessionExists()
+ public static function isSessionBroken()
 {
 $session_id = session_id();
 $userId = Session::get('user_id');
@@ -117,7 +122,7 @@ public static function isConcurrentSessionExists()
 $result = $query->fetch();
 $userSessionId = !empty($result)? $result->session_id: null;

- return $session_id !== $userSessionId;
+ return empty($userSessionId) || $session_id !== $userSessionId;
 }

 return false;
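Review bot: The changed return line treats any missing stored session id as a broken session, so a logged-in user whose row has no session_id for a reason other than suspension or deletion is logged out on every request; that is correct only if every login path goes through updateSessionId(), which the guard and query lines between the two hunks (where $result is produced) do not show, so it is worth confirming. `empty()` additionally counts the string `'0'` as missing, so `return $userSessionId === null || $userSessionId === '' || $session_id !== $userSessionId;` states the intended "no stored id" condition more precisely, and `hash_equals((string) $userSessionId, $session_id)` is the usual idiom for comparing session identifiers. The enclosing isSessionBroken() method starts outside this hunk.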