Session management

5 February 2018 | 30 views | Tags: Documentation

Initialising sessions

Sessions are managed by the TfishSession class.

Sessions are initialised in tfish_header.php, which calls TfishSession::start() and must be included on every page after mainfile.php. Include the first two lines as the first order of business on every public-facing page:

// Access trust path, DB credentials and preferences. These files must be included in *ALL* public-facing pages.
require_once TFISH_PATH . 'mainfile.php';
require_once TFISH_PATH . 'tfish_header.php';

On administrative (back end) pages, where only the site administrator is allowed, use tfish_admin_header.php instead. This is basically a wrapper for tfish_header.php except that it does an additional admin check (and will exit if user is not logged in):

// Access trust path, DB credentials and preferences. These files must be included in *ALL* administrative pages.
require_once "../mainfile.php";
require_once TFISH_ADMIN_PATH . "tfish_admin_header.php";

Session security

The TfishSession::start() method sets session cookie parameters as follows:

  • Sessions are locked to cookies, to avoid the possibility of session ID being passed as a query string parameter, which is a session hijacking risk.
  • The name of the session and session lifetime as set as per the Tuskfish preferences and can be customised. The defaults are 'tfish' and 20 minutes, respectively.
  • Session cookies are enabled over all paths and subdomains.
  • If the site is running under SSL then Tuskfish will pass the cookie via encrypted (https) protocol; and obviously if it isn't, then it won't. These days you should always be running websites over SSL.
  • Tuskfish will attempt to set the httponly flag when passing the cookie.

TfishSession implements a few additional measures to try and improve session security:

  • The session ID is regenerated on privilege escalation (admin login), if the remote client's IP address or user agent (browser) changes, and randomly (10% chance per page load).
  • If an IP or user agent change is detected, session data will also be reset.

Admin authentication

On the administrator successfully logging in Tuskfish will set a flag $_SESSION['TFISH_LOGIN] = true. To test if the current session is the administrator call TfishSession::isAdmin(). This will return true if the session is the (logged in) administrator and false otherwise. As an example of usage, this is how the admin check is done in tfish_admin_header.php:

/** CRITICAL - ADMIN CHECK - DENY ACCESS UNLESS LOGGED IN. */
if (!TfishSession::isAdmin()) {
    TfishSession::logout(TFISH_ADMIN_URL . "login.php");
    exit;
}

Note that if you include tfish_admin_header.php at the beginning of a page (instead of tfish_header.php) then you get the admin check automatically.

Copyright, all rights reserved.

Related

Tuskfish CMS Developer Guide

This guide will give you an overview of the architecture of Tuskfish CMS, how to write code to perform common operations and how to extend the system to suit yourself. The guide accompanies theĀ Tuskfish API documentation. Keep a copy handy as you read this guide. It is best to review links to the API where provided, as not every detail will be discussed in the text. This is the first version of the guide, so it is still a work in progress.