Pull Request — master (#7007)
by Simon
08:19
created

SessionAuthenticationHandler   A

Complexity

Total Complexity 11

Size/Duplication

Total Lines 93
Duplicated Lines 0 %

Coupling/Cohesion

Components 1
Dependencies 6

Importance

Changes 0
Metric Value
dl 0
loc 93
rs 10
c 0
b 0
f 0
wmc 11
lcom 1
cbo 6

6 Methods

Rating   Name   Duplication   Size   Complexity  
A setSessionVariable() 0 4 1
A getSessionVariable() 0 4 1
A authenticateRequest() 0 12 2
A logIn() 0 11 2
A regenerateSessionId() 0 20 4
A logOut() 0 4 1
1
<?php
2
3
namespace SilverStripe\Security\MemberAuthenticator;
4
5
use SilverStripe\Control\Cookie;
6
use SilverStripe\Control\Director;
7
use SilverStripe\Control\HTTPRequest;
8
use SilverStripe\Control\Session;
9
use SilverStripe\Security\AuthenticationHandler;
10
use SilverStripe\Security\Member;
11
12
/**
13
 * Authenticate a member pased on a session cookie
14
 */
15
class SessionAuthenticationHandler implements AuthenticationHandler
16
{
17
    /**
18
     * @var string
19
     */
20
    private $sessionVariable;
21
22
    /**
23
     * Get the session variable name used to track member ID
24
     *
25
     * @return string
26
     */
27
    public function getSessionVariable()
28
    {
29
        return $this->sessionVariable;
30
    }
31
32
    /**
33
     * Set the session variable name used to track member ID
34
     *
35
     * @param string $sessionVariable
36
     */
37
    public function setSessionVariable($sessionVariable)
38
    {
39
        $this->sessionVariable = $sessionVariable;
40
    }
41
42
    /**
43
     * @param HTTPRequest $request
44
     * @return Member
45
     */
46
    public function authenticateRequest(HTTPRequest $request)
47
    {
48
        // If ID is a bad ID it will be treated as if the user is not logged in, rather than throwing a
49
        // ValidationException
50
        $id = Session::get($this->getSessionVariable());
51
        if (!$id) {
52
            return null;
53
        }
54
        /** @var Member $member */
55
        $member = Member::get()->byID($id);
56
        return $member;
57
    }
58
59
    /**
60
     * @param Member $member
61
     * @param bool $persistent
62
     * @param HTTPRequest $request
63
     */
64
    public function logIn(Member $member, $persistent = false, HTTPRequest $request = null)
65
    {
66
        static::regenerateSessionId();
67
        Session::set($this->getSessionVariable(), $member->ID);
68
69
        // This lets apache rules detect whether the user has logged in
70
        // @todo make this a setting on the authentication handler
71
        if (Member::config()->get('login_marker_cookie')) {
72
            Cookie::set(Member::config()->get('login_marker_cookie'), 1, 0);
73
        }
74
    }
75
76
    /**
77
     * Regenerate the session_id.
78
     */
79
    protected static function regenerateSessionId()
80
    {
81
        if (!Member::config()->get('session_regenerate_id')) {
82
            return;
83
        }
84
85
        // This can be called via CLI during testing.
86
        if (Director::is_cli()) {
87
            return;
88
        }
89
90
        $file = '';
91
        $line = '';
92
93
        // @ is to supress win32 warnings/notices when session wasn't cleaned up properly
94
        // There's nothing we can do about this, because it's an operating system function!
95
        if (!headers_sent($file, $line)) {
96
            @session_regenerate_id(true);
Security Best Practice introduced by
It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended.

If you suppress an error, we recommend checking for the error condition explicitly:

// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
97
        }
98
    }
99
100
    /**
101
     * @param HTTPRequest $request
102
     */
103
    public function logOut(HTTPRequest $request = null)
104
    {
105
        Session::clear($this->getSessionVariable());
106
    }
107
}
108
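Review bot: logOut() at the end of the file only calls `Session::clear($this->getSessionVariable())`, while logIn() also sets the `login_marker_cookie` when it is configured, so after logout the marker cookie (the one the comment says apache rules key on) is still present and the session keeps its pre-logout id. Mirroring logIn() there, e.g. `if ($marker = Member::config()->get('login_marker_cookie')) { Cookie::force_expiry($marker); }`, keeps the two paths consistent, and a `static::regenerateSessionId()` call on logout would be worth considering for the same reason it is done on login. The authenticateRequest() docblock claims `@return Member` but the method returns null both when no id is stored and when `byID()` finds nothing; `@return Member|null` would match the code. In logIn(), `$persistent` and `$request` are accepted but never read, which is presumably intentional for the interface but deserves a one-line comment saying so.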