Merge pull request #745 from PennyDreadfulMTG/sessions

Better session handling, (many) fewer logouts
PennyDreadfulMTG · Sep 8, 2024 · d87748c · d87748c
2 parents 58897cb + 53b5e68
commit d87748c
Show file tree

Hide file tree

Showing 7 changed files with 82 additions and 13 deletions.
diff --git a/gatherling/Auth/Session.php b/gatherling/Auth/Session.php
@@ -0,0 +1,74 @@
+<?php
+
+namespace Gatherling\Auth;
+
+use Gatherling\Data\DB;
+
+class Session
+{
+    private static $LIFETIME = 60 * 60 * 24 * 60;
+
+    public static function start(): void
+    {
+        session_start();
+        self::init();
+        register_shutdown_function([self::class, 'save']);
+    }
+
+    private static function init(): void
+    {
+        if (!empty($_SESSION)) {
+            return;
+        }
+        if (!isset($_COOKIE['remember_me'])) {
+            return;
+        }
+        $token = $_COOKIE['remember_me'];
+        $_SESSION = self::load($token);
+    }
+
+    private static function load(string $token): array
+    {
+        $sql = '
+            SELECT
+                details
+            FROM
+                sessions
+            WHERE
+                token = :token
+            AND
+                expiry >= NOW()';
+        $args = ['token' => $token];
+        $details = DB::value($sql, $args);
+        return $details ? json_decode($details, true) : [];
+    }
+
+    private static function save(): void
+    {
+        if (isset($_COOKIE['remember_me'])) {
+            $token = $_COOKIE['remember_me'];
+        } else {
+            $token = bin2hex(random_bytes(32));
+        }
+        // Force to object so that we get '{}' instead of '[]' when empty
+        $details = json_encode((object) $_SESSION);
+        $expiry = time() + self::$LIFETIME;
+        $sql = '
+            INSERT INTO
+                sessions (token, details, expiry)
+            VALUES
+                (:token, :details, FROM_UNIXTIME(:expiry))
+            ON DUPLICATE KEY UPDATE
+                details = :details,
+                expiry = FROM_UNIXTIME(:expiry)';
+        $args = [
+            'token' => $token,
+            'details' => $details,
+            'expiry' => $expiry,
+        ];
+        DB::execute($sql, $args);
+        setcookie('remember_me', $token, $expiry, '/');
+        $sql = 'DELETE FROM sessions WHERE expiry < NOW()';
+        DB::execute($sql);
+    }
+}
diff --git a/gatherling/Data/sql/migrations/52.sql → gatherling/Data/sql/migrations/54.sql b/gatherling/Data/sql/migrations/52.sql → gatherling/Data/sql/migrations/54.sql
diff --git a/gatherling/Data/sql/migrations/55.sql b/gatherling/Data/sql/migrations/55.sql
@@ -0,0 +1,6 @@
+CREATE TABLE IF NOT EXISTS sessions (
+    id INT AUTO_INCREMENT PRIMARY KEY,
+    token VARCHAR(64) UNIQUE NOT NULL,
+    details TEXT NOT NULL,
+    expiry TIMESTAMP NOT NULL
+);
diff --git a/gatherling/admin/db-upgrade.php b/gatherling/admin/db-upgrade.php
@@ -11,7 +11,6 @@
 function main(): void
 {
     Setup::setupDatabase();
-    Setup::setupTestDatabase();
     echo 'done';
 }
 

diff --git a/gatherling/config.php.docker b/gatherling/config.php.docker
@@ -24,9 +24,6 @@ $CONFIG['style'] = "ChandraNeue";
 # A description for the ical calendar which is accessible at calendar.php
 $CONFIG['calendar_description'] = "a description for the events calendar";
 
-# How long to store session cookies in seconds
-$CONFIG['cookie_lifetime'] = 5184000;
-
 # API Key for Brevo email sending (password reset)
 $CONFIG['brevo_api_key'] = 'xkeysib-foobar-baz';
 

diff --git a/gatherling/config.php.example b/gatherling/config.php.example
@@ -29,9 +29,6 @@ $CONFIG['style'] = "ChandraNeue";
 # A description for the ical calendar which is accessible at calendar.php
 $CONFIG['calendar_description'] = "a description for the events calendar";
 
-# How long to store session cookies in seconds
-$CONFIG['cookie_lifetime'] = 5184000;
-
 # API Key for Brevo email sending (password reset)
 $CONFIG['brevo_api_key'] = 'xkeysib-foobar-baz';
 

diff --git a/gatherling/lib.php b/gatherling/lib.php
@@ -1,21 +1,17 @@
 <?php
 
+use Gatherling\Auth\Session;
 use Gatherling\Models\Database;
 use Gatherling\Models\Format;
 use Gatherling\Models\Player;
 
 require_once 'bootstrap.php';
 ob_start();
-if (isset($CONFIG['cookie_lifetime'])) {
-    ini_set('session.gc_maxlifetime', $CONFIG['cookie_lifetime']);
-    ini_set('session.cookie_lifetime', $CONFIG['cookie_lifetime']);
-    session_set_cookie_params($CONFIG['cookie_lifetime']);
-}
 header('Strict-Transport-Security: max-age=63072000; includeSubDomains; preload');
 header('Referrer-Policy: strict-origin-when-cross-origin');
 
 if (php_sapi_name() !== 'cli' && session_status() !== PHP_SESSION_ACTIVE) {
-    session_start();
+    Session::start();
 }
 
 $HC = '#DDDDDD';