Follow-up to bug #12499: re-added the removed function call and moved the deprecation...
[Packages/TYPO3.CMS.git] / t3lib / class.t3lib_userauth.php
index 8a9a39c..166ad92 100644 (file)
@@ -219,7 +219,6 @@ class t3lib_userAuth {
                $this->newSessionID = FALSE;
                        // $id is set to ses_id if cookie is present. Else set to false, which will start a new session
                $id = isset($_COOKIE[$this->name]) ? stripslashes($_COOKIE[$this->name]) : '';
-               $this->hash_length = t3lib_div::intInRange($this->hash_length,6,32);
                $this->svConfig = $TYPO3_CONF_VARS['SVCONF']['auth'];
 
                        // if we have a flash client, take the ID from the GP
@@ -238,7 +237,7 @@ class t3lib_userAuth {
                        // If new session or client tries to fix session...
                if (!$id || !$this->isExistingSessionRecord($id))       {
                                // New random session-$id is made
-                       $id = substr(md5(uniqid('').getmypid()),0,$this->hash_length);
+                       $id = $this->createSessionId();
                                // New session
                        $this->newSessionID = TRUE;
                }
@@ -275,41 +274,8 @@ class t3lib_userAuth {
                if ($this->writeDevLog && !is_array($this->user)) t3lib_div::devLog('No user session found.', 't3lib_userAuth', 2);
 
                        // Setting cookies
-               if ($TYPO3_CONF_VARS['SYS']['cookieDomain'])    {
-                       if ($TYPO3_CONF_VARS['SYS']['cookieDomain']{0} == '/')  {
-                               $matchCnt = @preg_match($TYPO3_CONF_VARS['SYS']['cookieDomain'], t3lib_div::getIndpEnv('TYPO3_HOST_ONLY'), $match);
-                               if ($matchCnt === FALSE)        {
-                                       t3lib_div::sysLog('The regular expression of $TYPO3_CONF_VARS[SYS][cookieDomain] contains errors. The session is not shared across sub-domains.', 'Core', 3);
-                               } elseif ($matchCnt)    {
-                                       $cookieDomain = $match[0];
-                               }
-                       } else {
-                               $cookieDomain = $TYPO3_CONF_VARS['SYS']['cookieDomain'];
-                       }
-               }
-
-                       // If new session and the cookie is a sessioncookie, we need to set it only once!
-               if ($this->isSetSessionCookie())        {
-                       if (!$this->dontSetCookie)      {
-                               if ($cookieDomain)      {
-                                       SetCookie($this->name, $id, 0, '/', $cookieDomain);
-                               } else {
-                                       SetCookie($this->name, $id, 0, t3lib_div::getIndpEnv('TYPO3_SITE_PATH'));
-                               }
-                               if ($this->writeDevLog)         t3lib_div::devLog('Set new Cookie: '.$id.($cookieDomain ? ', '.$cookieDomain : ''), 't3lib_userAuth');
-                       }
-               }
-
-                       // If it is NOT a session-cookie, we need to refresh it.
-               if ($this->isRefreshTimeBasedCookie())  {
-                       if (!$this->dontSetCookie)      {
-                               if ($cookieDomain)      {
-                                       SetCookie($this->name, $id, time()+$this->lifetime, '/', $cookieDomain);
-                               } else {
-                                       SetCookie($this->name, $id, time()+$this->lifetime, t3lib_div::getIndpEnv('TYPO3_SITE_PATH'));
-                               }
-                               if ($this->writeDevLog)         t3lib_div::devLog('Update Cookie: '.$id.($cookieDomain ? ', '.$cookieDomain : ''), 't3lib_userAuth');
-                       }
+               if (!$this->dontSetCookie)      {
+                       $this->setSessionCookie();
                }
 
                        // Hook for alternative ways of filling the $this->user array (is used by the "timtaw" extension)
@@ -346,6 +312,80 @@ class t3lib_userAuth {
        }
 
        /**
+        * Sets the session cookie for the current disposal.
+        *
+        * @return      void
+        */
+       protected function setSessionCookie() {
+               $isSetSessionCookie = $this->isSetSessionCookie();
+               $isRefreshTimeBasedCookie = $this->isRefreshTimeBasedCookie();
+
+               if ($isSetSessionCookie || $isRefreshTimeBasedCookie) {
+                       $settings = $GLOBALS['TYPO3_CONF_VARS']['SYS'];
+
+                       // Get the domain to be used for the cookie (if any):
+                       $cookieDomain = $this->getCookieDomain();
+                       // If no cookie domain is set, use the base path:
+                       $cookiePath = ($cookieDomain ? '/' : t3lib_div::getIndpEnv('TYPO3_SITE_PATH'));
+                       // If the cookie lifetime is set, use it:
+                       $cookieExpire = ($isRefreshTimeBasedCookie ? $GLOBALS['EXEC_TIME'] + $this->lifetime : 0);
+                       // Use the secure option when the current request is served by a secure connection:
+                       $cookieSecure = (bool)$settings['cookieSecure'] && t3lib_div::getIndpEnv('TYPO3_SSL');
+                       // Deliver cookies only via HTTP and prevent possible XSS by JavaScript:
+                       $cookieHttpOnly = (bool)$settings['cookieHttpOnly'];
+
+                       // Do not set cookie if cookieSecure is set to "1" (force HTTPS) and no secure channel is used:
+                       if ((int)$settings['cookieSecure'] !== 1 || t3lib_div::getIndpEnv('TYPO3_SSL')) {
+                               setcookie(
+                                       $this->name,
+                                       $this->id,
+                                       $cookieExpire,
+                                       $cookiePath,
+                                       $cookieDomain,
+                                       $cookieSecure,
+                                       $cookieHttpOnly
+                               );
+                       } else {
+                               throw new t3lib_exception(
+                                       'Cookie was not set since HTTPS was forced in $TYPO3_CONF_VARS[SYS][cookieSecure].',
+                                       1254325546
+                               );
+                       }
+
+                       if ($this->writeDevLog) {
+                               $devLogMessage = ($isRefreshTimeBasedCookie ? 'Updated Cookie: ' : 'Set Cookie: ') . $this->id;
+                               t3lib_div::devLog($devLogMessage . ($cookieDomain ? ', '.$cookieDomain : ''), 't3lib_userAuth');
+                       }
+               }
+       }
+
+       /**
+        * Gets the domain to be used on setting cookies.
+        * The information is taken from the value in $TYPO3_CONF_VARS[SYS][cookieDomain].
+        *
+        * @return      string          The domain to be used on setting cookies
+        */
+       protected function getCookieDomain() {
+               $result = '';
+               $cookieDomain = $GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieDomain'];
+
+               if ($cookieDomain) {
+                       if ($cookieDomain{0} == '/') {
+                               $matchCnt = @preg_match($cookieDomain, t3lib_div::getIndpEnv('TYPO3_HOST_ONLY'), $match);
+                               if ($matchCnt === FALSE) {
+                                       t3lib_div::sysLog('The regular expression of $TYPO3_CONF_VARS[SYS][cookieDomain] contains errors. The session is not shared across sub-domains.', 'Core', 3);
+                               } elseif ($matchCnt) {
+                                       $result = $match[0];
+                               }
+                       } else {
+                               $result = $cookieDomain;
+                       }
+               }
+
+               return $result;
+       }
+
+       /**
         * Determine whether a session cookie needs to be set (lifetime=0)
         *
         * @return      boolean
@@ -610,6 +650,14 @@ class t3lib_userAuth {
                }
        }
 
+       /**
+        * Creates a new session ID.
+        *
+        * @return      string          The new session ID
+        */
+       public function createSessionId() {
+               return substr(md5(uniqid('') . getmypid()), 0, $this->hash_length);
+       }
 
 
 
@@ -822,8 +870,8 @@ class t3lib_userAuth {
                return  (($this->enablecolumns['rootLevel']) ? 'AND '.$this->user_table.'.pid=0 ' : '').
                                (($this->enablecolumns['disabled']) ? ' AND '.$this->user_table.'.'.$this->enablecolumns['disabled'].'=0' : '').
                                (($this->enablecolumns['deleted']) ? ' AND '.$this->user_table.'.'.$this->enablecolumns['deleted'].'=0' : '').
-                               (($this->enablecolumns['starttime']) ? ' AND ('.$this->user_table.'.'.$this->enablecolumns['starttime'].'<='.time().')' : '').
-                               (($this->enablecolumns['endtime']) ? ' AND ('.$this->user_table.'.'.$this->enablecolumns['endtime'].'=0 OR '.$this->user_table.'.'.$this->enablecolumns['endtime'].'>'.time().')' : '');
+                               (($this->enablecolumns['starttime']) ? ' AND (' . $this->user_table . '.' . $this->enablecolumns['starttime'] . '<=' . $GLOBALS['EXEC_TIME'] . ')' : '') .
+                               (($this->enablecolumns['endtime']) ? ' AND (' . $this->user_table . '.' . $this->enablecolumns['endtime'] . '=0 OR ' . $this->user_table . '.' . $this->enablecolumns['endtime'] . '>' . $GLOBALS['EXEC_TIME'] . ')' : '');
        }
 
        /**
@@ -1158,8 +1206,8 @@ class t3lib_userAuth {
        function gc() {
                $GLOBALS['TYPO3_DB']->exec_DELETEquery(
                                        $this->session_table,
-                                       'ses_tstamp < '.intval(time()-($this->gc_time)).'
-                                               AND ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table)
+                                       'ses_tstamp < ' . intval($GLOBALS['EXEC_TIME'] - ($this->gc_time)) .
+                                               ' AND ses_name = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table)
                                );
        }
 
@@ -1167,12 +1215,13 @@ class t3lib_userAuth {
         * Redirect to somewhere (obsolete).
         *
         * @return      void
-        * @deprecated since TYPO3 3.6
+        * @deprecated since TYPO3 3.6, this function will be removed in TYPO3 4.5.
         * @obsolete
         * @ignore
         */
        function redirect() {
                if (!$this->userid && $this->auth_url)  {        // if no userid AND an include-document for login is given
+                       t3lib_div::deprecationLog('Redirection after login via PHP include is deprecated.');
                        include ($this->auth_include);
                        exit;
                }