Tuskfish API
  • Package
  • Class

Packages

  • content
  • core
  • database
  • installation
  • security
  • user
  • utilities

Classes

  • TfishFilter
  • TfishSecurityUtility
  • TfishSession
  • TfishYubikeyAuthenticator

Class TfishSession

Tuskfish session security class.

Provides functions for managing sessions in a security-conscious manner.

Package: security
Copyright: Simon Wilkinson 2013-2017 (https://tuskfish.biz)
License: GNU General Public License (GPL) V2
Author: Simon Wilkinson simon@isengard.biz
Version: Release: 1.0
Since: 1.0
Located at trust_path/libraries/tuskfish/class/TfishSession.php

Methods summary

public static
# destroy( )

Unset session variables and destroy the session.

Unset session variables and destroy the session.

public static boolean
# isAdmin( )

Shorthand admin privileges check.

Shorthand admin privileges check.

For added security this could retrieve an encrypted token, preferably the SSL session id, although thats availability seems to depend on server configuration.

Returns

boolean
True if admin false if not.
public static boolean
# isExpired( TfishPreference $tfish_preference )

Checks if a session has expired and sets last seen activity flag.

Checks if a session has expired and sets last seen activity flag.

Parameters

$tfish_preference
TfishPreference object.

Returns

boolean
True if session has expired, false if not.
public static boolean
# isClean( )

Checks if client IP address or user agent has changed.

Checks if client IP address or user agent has changed.

These tests can indicate session hijacking but are by no means definitive; however they do indicate elevated risk and the session should be regenerated as a counter measure.

Returns

boolean
True if IP/user agent are unchanged, false otherwise.
public static
# login( string $email, string $password )

Authenticate the user and establish a session.

Authenticate the user and establish a session.

The number of failed login attempts is tracked. Subsequent login attempts will sleep for an equivalent number of seconds before processing, in order to frustrate brute force attacks. A successful login will reset the counter to zero. Note that the password field is unrestricted content.

Parameters

$email
Input email.
$password
Input password.
public static
# twoFactorLogin( string $dirty_password, string $dirty_otp, object $yubikey )

Authenticate the user with two factors and establish a session.

Authenticate the user with two factors and establish a session.

Requires a Yubikey hardware token as the second factor. Note that the authenticator type is not declared, as the desired response is to logout and redirect, rather than to throw an error.

Parameters

$dirty_password
Input password.
$dirty_otp
Input Yubikey one-time password.
$yubikey
Instance of the TfishYubikeyAuthenticator class.
public static string
# loginLink( )

Returns a login or logout link for insertion in the template.

Returns a login or logout link for insertion in the template.

Returns

string
HTML login or logout link.
public static
# logout( string $url_redirect = '' )

Destroys the current session on logout

Destroys the current session on logout

Parameters

$url_redirect
The URL to redirect the user to on logging out.
public static
# reset( )

Reset session data after a session hijacking check fails. This will force logout.

Reset session data after a session hijacking check fails. This will force logout.

public static
# regenerate( )

Regenerates the session ID.

Regenerates the session ID.

Called whenever there is a privilege escalation (login) or at random intervals to reduce risk of session hijacking. Note that the cross-site request forgery validation token remains the same, unless the session is destroyed. This is to prevent the random session ID regeneration events creating false positive CSRF checks.

Note that it allows the new and old sessions to co-exist for a short period, this is to avoid headaches with flaky network connections and asynchronous (AJAX) requests, as explained in the PHP Manual warning: http://php.net/manual/en/function.session-regenerate-id.php

public static
# setToken( )

Sets a token for use in cross-site request forgery checks on form submissions.

Sets a token for use in cross-site request forgery checks on form submissions.

A random token is generated and stored in the current session (if not already set). The value of this token is included as a hidden field in forms when they are loaded by the user. This allows forms to be validated via validateFormToken().

public static
# start( TfishPreference $tfish_preference )

Initialises a session and sets session cookie parameters to security-conscious values.

Initialises a session and sets session cookie parameters to security-conscious values.

Parameters

$tfish_preference
TfishPreference object.
public static boolean
# validateToken( string $token )

Validate a cross-site request forgery token from a form submission.

Validate a cross-site request forgery token from a form submission.

Forms contain a hidden field with a random token taken from the user's session. This token is used to validate that a form submission did indeed originate from the user, by comparing the value against that stored in the user's session. If they do not match then the request could be a forgery and the form submission should be rejected.

Parameters

$token
A form token to validate against the user's session.

Returns

boolean
True if token is valid, otherwise false.
Tuskfish API API documentation generated by ApiGen