Session management (v2)
5 February 2018 570 views | Documentation v2
Initialising sessions
Sessions are managed by the \Tfish\Session class. Sessions are initialised in the FrontController, which calls $session->start() on every page load.
Session security
The $session->start() method sets session cookie parameters as follows:
- Sessions are locked to cookies, to avoid the possibility of session ID being passed as a query string parameter, which is a session hijacking risk.
- The name of the session and session lifetime as set as per the Tuskfish preferences and can be customised. The defaults are 'tfish' and 20 minutes, respectively.
- Session cookies are enabled over all paths and subdomains.
- If the site is running over SSL then Tuskfish will pass the cookie via encrypted (https) protocol; and obviously if it isn't then it won't.
- Tuskfish will attempt to set the httponly flag when passing the cookie.
Session implements a few additional measures to try and improve session security:
- The session ID is regenerated on privilege escalation (admin login), if the remote client's IP address or user agent (browser) changes, and randomly (10% chance per page load).
- If an IP or user agent change is detected, session data will also be reset.
Admin authentication on routes
On the administrator successfully logging in Tuskfish will set a flag $_SESSION['TFISH_LOGIN] = true.
An admin authentication check is run by \Tfish\FrontController on every page load. The route definitions in routingTable.php contains a flag indicating whether the route is admin-only (login required) or public. If you set the flag for a route to 'false' then only a logged-in administrator can access it:
'/' => new Route(
'\\Tfish\\Content\\Model\\Listing',
'\\Tfish\\Content\\ViewModel\\Listing',
'\\Tfish\\View\\Listing',
'\\Tfish\\Content\\Controller\\Listing',
false), // Flag indicates if route is restricted to admins (true) or public (false).
To test if the current session is the administrator \Tfish\FrontController first checks if the route requires login with loginRequired(), and then tests the session for the admin flag with isAdmin():
/**
* Check if the present route is restricted to admins.
*
* @param \Tfish\Route $route
*/
private function checkAdminOnly(Route $route)
{
if ($route->loginRequired() && !$this->session->isAdmin()) {
\header('Location: ' . TFISH_URL . 'login/');
exit;
}
}
Admin authentication in templates
You can test if the the current user is an admin in any template by calling $session->isAdmin(), as the session is passed into the template by the view. This is useful for customising menu entries (eg. hiding links that are only relevant to admins):
<ul class="navbar-nav me-auto mb-2 mb-md-0">
<?php if ($session->isAdmin()): ?>
<li class="nav-item">
<a class="nav-link" href="<?php echo TFISH_ADMIN_URL; ?>"><?php echo TFISH_ADMIN; ?></a>
</li>
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" id="settings" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false"><?php echo TFISH_SETTINGS; ?></a>
<ul class="dropdown-menu" aria-labelledby="settings">
<a class="dropdown-item" href="<?php echo TFISH_PREFERENCE_URL; ?>"><?php echo TFISH_PREFERENCES; ?></a>
<a class="dropdown-item" href="<?php echo TFISH_PASSWORD_URL; ?>"><?php echo TFISH_PASSWORD; ?></a>
<a class="dropdown-item" href="<?php echo TFISH_URL . 'flush/'; ?>"><?php echo TFISH_FLUSH_CACHE; ?></a>
<a class="dropdown-item" href="<?php echo TFISH_URL . 'sitemap/'; ?>"><?php echo TFISH_UPDATE_SITEMAP; ?></a>
</ul>
</li>
<?php endif; ?>
...
Copyright, all rights reserved.