Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Session validation improvement #889

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Session validation improvement #889

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
0e9ab7b
Session validation improvement
kristuff Jun 6, 2020
a803656
Update ConfigTest.php
kristuff Jun 6, 2020
bb6ed33
Update ConfigTest.php
kristuff Jun 6, 2020
f3a04da
Update EnvironmentTest.php
kristuff Jun 6, 2020
b6d17ee
Update EnvironmentTest.php
kristuff Jun 6, 2020
5f2e086
Update .travis.yml
kristuff Jun 6, 2020
0b646c3
Update .travis.yml
kristuff Jun 6, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .travis.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ before_script:
- cd tests

# run unit tests, create result file
script: ../vendor/bin/phpunit --configuration phpunit.xml --coverage-text --coverage-clover=coverage.clover
script: ../vendor/bin/phpunit --verbose --debug --configuration phpunit.xml --coverage-text --coverage-clover=coverage.clover

# gets tools from Scrutinizer, uploads unit tests results to Scrutinizer (?)
after_script:
Expand Down
2 changes: 1 addition & 1 deletion application/core/Auth.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ public static function checkAdminAuthentication()
*/
public static function checkSessionConcurrency(){
if(Session::userIsLoggedIn()){
if(Session::isConcurrentSessionExists()){
if(Session::isSessionBroken()){
LoginModel::logout();
Redirect::home();
exit();
Expand Down
13 changes: 9 additions & 4 deletions application/core/Session.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,8 +84,10 @@ public static function updateSessionId($userId, $sessionId = null)
}

/**
* checks for session concurrency
*
* checks for broken session
* Session could be broken by Session concurrency or when user is deleted / suspended
*
* - Session concurrency is done as the following:
* This is done as the following:
* UserA logs in with his session id('123') and it will be stored in the database.
* Then, UserB logs in also using the same email and password of UserA from another PC,
Expand All @@ -94,14 +96,17 @@ public static function updateSessionId($userId, $sessionId = null)
* Now, Whenever UserA performs any action,
* You then check the session_id() against the last one stored in the database('456'),
* If they don't match then log both of them out.
*
* - Check for deleted / suspended users:
* Suspended/deleted users have no userSessionId anymore stored in database
*
* @access public
* @static static method
* @return bool
* @see Session::updateSessionId()
* @see https://stackoverflow.com/questions/6126285/php-stop-concurrent-user-logins
*/
public static function isConcurrentSessionExists()
public static function isSessionBroken()
{
$session_id = session_id();
$userId = Session::get('user_id');
Expand All @@ -117,7 +122,7 @@ public static function isConcurrentSessionExists()
$result = $query->fetch();
$userSessionId = !empty($result)? $result->session_id: null;

return $session_id !== $userSessionId;
return empty($userSessionId) || $session_id !== $userSessionId;
}

return false;
Expand Down
11 changes: 11 additions & 0 deletions tests/core/ConfigTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,18 +23,29 @@ public function tearDown()

/**
* Checks if the correct config file for an EXISTING environment / config is called.
*
* @runInSeparateProcess
*/
public function testGetDefaultEnvironment()
{
// for testing
header_remove();

// manually set environment to "development"
putenv('APPLICATION_ENV=development');

// now get the default action to see if the correct config file (for development) is called
$this->assertEquals('index', Config::get('DEFAULT_ACTION'));
}

/**
* @runInSeparateProcess
*/
public function testGetFailingEnvironment()
{
// for testing
header_remove();

// manually set environment to "foobar" (and non-existing environment)
putenv('APPLICATION_ENV=foobar');

Expand Down
20 changes: 13 additions & 7 deletions tests/core/EnvironmentTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,12 @@ class EnvironmentTest extends PHPUnit_Framework_TestCase
{
public function testGetDefault()
{
// call for environment should return "development"
$this->assertEquals('development', Environment::get());
}
// call for environment should return "testing" like set in .travis.yml
$this->assertEquals('testing', Environment::get());

public function testGetDevelopment()
{
putenv('APPLICATION_ENV=development');
// call for environment should return "development"
putenv('APPLICATION_ENV=');

// call for environment should now return "development", the default value
$this->assertEquals('development', Environment::get());
}

Expand All @@ -20,4 +18,12 @@ public function testGetProduction()
putenv('APPLICATION_ENV=production');
$this->assertEquals('production', Environment::get());
}

public function testGetDevelopment()
{
putenv('APPLICATION_ENV=development');
// call for environment should return "development"
$this->assertEquals('development', Environment::get());
}

}