Added cookie path handling via Aura\Session to enable multiple instan…

…ces on the same server with login, fixes #173.

By default session cookies used the "/" path. With multiple instances on the same server this meant that a session was valid for all instances on this server. The new session handling uses the instance path, e.g. .../bbs, to  qualify a session cookie for only this instance.

ChangeLog

@@ -5,6 +5,7 @@
 * Added admin configuration to specify the kind of date used for sorting (timestamp, pubdate or modified)
 * Updated layout
 * Replaced outdated auth library Slim\Strong with Aura\Auth
+* Added Aura\Session library to handle sessions properly, #173
 
 2015-09-11 Version 1.2.6
 * Security changes: protection against SQL injection, see #175

composer.json

@@ -5,7 +5,7 @@
     	"slim/views": "0.1.2",
     	"swiftmailer/swiftmailer": "5.0.1",
       "twig/twig": "1.16.0",
-      "aura/auth": "2.0.0-beta2",
+	  "aura/auth": "2.x-dev",
       "aura/session": "2.0.1",
       "ircmaxell/password-compat": "v1.0.4"
   	},

lib/BicBucStriim/app_constants.php

@@ -2,10 +2,11 @@
 /**
  * BicBucStriim
  *
- * Copyright 2012-2013 Rainer Volz
+ * Copyright 2012-2015 Rainer Volz
  * Licensed under MIT License, see LICENSE
- * 
- */ 
+ *
+ */
+
 # Current DB schema version
 const DB_SCHEMA_VERSION = 3;
 

lib/BicBucStriim/login_middleware.php

@@ -9,6 +9,9 @@
 
 require 'vendor/autoload.php';
 require_once 'lib/BicBucStriim/bicbucstriim.php';
+require_once 'lib/BicBucStriim/session_factory.php';
+require_once 'lib/BicBucStriim/segment_factory.php';
+require_once 'lib/BicBucStriim/session.php';
 use Aura\Auth;
 
 class LoginMiddleware extends \Slim\Middleware {
@@ -42,8 +45,7 @@ public function authBeforeDispatch() {
         $resource = $request->getResourceUri();
         $accept = $request->headers('ACCEPT');
         $app->getLog()->debug('login resource: '.$resource);
-        $app->getLog()->debug('login accept: '.var_export($accept,true));
-        if ($globalSettings[LOGIN_REQUIRED] === 1) {         
+        if ($globalSettings[LOGIN_REQUIRED] === 1) {
             if (!$this->is_static_resource($resource) && !$this->is_authorized()) {
                 if ($resource === '/login/') {
                     // special case login page
@@ -104,7 +106,10 @@ protected function is_static_resource($resource) {
     protected function is_authorized() {
         $app = $this->app;
         $req = $app->request;
-        $auth_factory = new \Aura\Auth\AuthFactory($_COOKIE);
+        $session_factory = new \BicBucStriim\SessionFactory();
+        $session = $session_factory->newInstance($_COOKIE);
+        $session->setCookieParams(array('path' => $app->request->getRootUri()));
+        $auth_factory = new \Aura\Auth\AuthFactory($_COOKIE, $session);
         $app->auth = $auth_factory->newInstance();
         $hash = new \Aura\Auth\Verifier\PasswordVerifier(PASSWORD_BCRYPT);
         $cols = array('username', 'password', 'id', 'email', 'role', 'languages', 'tags');
@@ -113,6 +118,7 @@ protected function is_authorized() {
         $app->logout_service = $auth_factory->newLogoutService($pdo_adapter);
         $resume_service = $auth_factory->newResumeService($pdo_adapter);
         $resume_service->resume($app->auth);
+        $app->getLog()->debug("after resume: " . $app->auth->getStatus());
         if ($app->auth->isValid()) {
             // already logged in
             return true;

lib/BicBucStriim/segment.php

@@ -0,0 +1,22 @@
+<?php
+/**
+ * Created by IntelliJ IDEA.
+ * User: rv
+ * Date: 01.10.15
+ * Time: 09:31
+ */
+
+namespace BicBucStriim;
+
+
+use Aura\Auth\Session\SegmentInterface;
+use Aura\Session\Segment as AuraSessionSegment;
+
+/**
+ *
+ * Segment that integrates Aura Auth and Session..
+ *
+ */
+class Segment extends AuraSessionSegment implements SegmentInterface
+{
+}

lib/BicBucStriim/segment_factory.php

@@ -0,0 +1,31 @@
+<?php
+/**
+ * Created by IntelliJ IDEA.
+ * User: rv
+ * Date: 01.10.15
+ * Time: 09:39
+ */
+
+namespace BicBucStriim;
+
+/**
+ *
+ * A factory to create session segment objects.
+ *
+ */
+class SegmentFactory extends \Aura\Session\SegmentFactory
+{
+    /**
+     *
+     * Creates a session segment object.
+     *
+     * @param Session $session
+     * @param string $name
+     *
+     * @return Segment
+     */
+    public function newInstance(Session $session, $name)
+    {
+        return new Segment($session, $name);
+    }
+}

lib/BicBucStriim/session.php

@@ -0,0 +1,15 @@
+<?php
+
+namespace BicBucStriim;
+
+use Aura\Auth\Session\SessionInterface;
+use Aura\Session\Session as AuraSession;
+
+/**
+ *
+ * Session that integrates Aura Auth and Session.
+ *
+ */
+class Session extends AuraSession implements SessionInterface
+{
+}

lib/BicBucStriim/session_factory.php

@@ -0,0 +1,44 @@
+<?php
+/**
+ * Created by IntelliJ IDEA.
+ * User: rv
+ * Date: 01.10.15
+ * Time: 09:37
+ */
+
+namespace BicBucStriim;
+
+use Aura\Session\Randval;
+use Aura\Session\CsrfTokenFactory;
+use Aura\Session\Phpfunc;
+
+/**
+ *
+ * A factory to create a Session manager.
+ *
+ */
+class SessionFactory extends \Aura\Session\SessionFactory
+{
+    /**
+     *
+     * Creates a new Session manager.
+     *
+     * @param array $cookies An array of cookie values, typically $_COOKIE.
+     *
+     * @param callable|null $delete_cookie Optional: An alternative callable
+     * to invoke when deleting the session cookie. Defaults to `null`.
+     *
+     * @return Session New Session manager instance
+     */
+    public function newInstance(array $cookies, $delete_cookie = null)
+    {
+        $phpfunc = new Phpfunc;
+        return new Session(
+            new SegmentFactory,
+            new CsrfTokenFactory(new Randval($phpfunc)),
+            $phpfunc,
+            $cookies,
+            $delete_cookie
+        );
+    }
+}