<?php
namespace SilverStripe\Security\MemberAuthenticator;
use SilverStripe\Control\Cookie;
use SilverStripe\Control\Director;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Control\HTTPResponse;
use SilverStripe\Control\Session;
use SilverStripe\ORM\DataObject;
use SilverStripe\ORM\ValidationException;
use SilverStripe\Security\AuthenticationHandler as AuthenticationHandlerInterface;
use SilverStripe\Security\IdentityStore;
use SilverStripe\Security\Member;

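/**
 * Authenticate a member based on a session cookie.
 *
 * The member ID lives server-side in the session, under the variable named by
 * getSessionVariable(); the browser only ever holds the session cookie.
 */
class SessionAuthenticationHandler implements AuthenticationHandlerInterface, IdentityStore
{
    /**
     * Name of the session variable that holds the logged-in member's ID
     *
     * @var string
     */
    private $sessionVariable;

    /**
     * Get the session variable name used to track member ID
     *
     * @return string
     */
    public function getSessionVariable()
    {
        return $this->sessionVariable;
    }

    /**
     * Set the session variable name used to track member ID
     *
     * @param string $sessionVariable
     * @return void
     */
    public function setSessionVariable($sessionVariable)
    {
        $this->sessionVariable = $sessionVariable;
    }

    /**
     * @inheritDoc
     *
     * Looks up the member whose ID is stored in the session. An unset, empty
     * or non-numeric value is treated as "not logged in" and yields null
     * rather than being passed on to the ORM.
     *
     * @return Member|null
     */
    public function authenticateRequest(HTTPRequest $request)
    {
        // @todo couple the session to a request object
        // $session = $request->getSession();

        $id = Session::get($this->getSessionVariable());

        // A bad ID must mean "no member", not a server error: only hand a
        // numeric value to DataObject::get_by_id().
        if (!$id || !is_numeric($id)) {
            return null;
        }

        // A numeric ID with no matching record is also "not logged in"
        return DataObject::get_by_id(Member::class, $id);
    }

    /**
     * @inheritDoc
     *
     * Rotates the session ID before the member ID is stored, so the session
     * the member ends up bound to is not the one that existed before
     * authentication.
     *
     * @param Member $member
     * @param bool $persistent Not used by this handler
     * @param HTTPRequest $request
     * @return void
     */
    public function logIn(Member $member, $persistent, HTTPRequest $request)
    {
        // @todo couple the session to a request object
        // $session = $request->getSession();

        // Regenerate first so the member ID is written into the fresh session
        static::regenerateSessionId();
        Session::set($this->getSessionVariable(), $member->ID);

        // This lets apache rules detect whether the user has logged in
        // @todo make this a setting on the authentication handler
        $markerCookie = Member::config()->login_marker_cookie;
        if ($markerCookie) {
            // Expiry 0 is passed through as-is — presumably a browser-session cookie; confirm against Cookie::set()
            Cookie::set($markerCookie, 1, 0);
        }
    }

    /**
     * Regenerate the session ID.
     *
     * Called on login so the authenticated session does not keep the ID it
     * had while anonymous. Does nothing when disabled via
     * Member.session_regenerate_id, when running from the CLI, when no
     * session is active, or once headers have been sent (the new session
     * cookie could no longer reach the browser).
     *
     * @return void
     */
    protected static function regenerateSessionId()
    {
        if (!Member::config()->session_regenerate_id) {
            return;
        }

        // This can be called via CLI during testing.
        if (Director::is_cli()) {
            return;
        }

        // Without an active session there is nothing to regenerate;
        // session_regenerate_id() would only emit a warning and return false.
        if (session_status() !== PHP_SESSION_ACTIVE) {
            return;
        }

        // Once headers are out the new session cookie cannot be sent.
        if (headers_sent()) {
            return;
        }

        // @ is to suppress win32 warnings/notices when session wasn't cleaned up properly
        // There's nothing we can do about this, because it's an operating system function!
        // The return value is still checked: a failed regeneration leaves the
        // pre-login session ID in place, which must not go unnoticed.
        if (@session_regenerate_id(true) === false) {
            trigger_error('Failed to regenerate the session ID on login', E_USER_WARNING);
        }
    }

    /**
     * @inheritDoc
     *
     * Removes the member ID from the session. Only this handler's variable is
     * cleared; the session itself is left in place and its ID is not rotated
     * here.
     *
     * @return void
     */
    public function logOut(HTTPRequest $request)
    {
        // @todo couple the session to a request object
        // $session = $request->getSession();

        Session::clear($this->getSessionVariable());
    }
}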