From cdf192183d85f55cf3a144ac62f6c55993b0dfb6 Mon Sep 17 00:00:00 2001
From: Dominique Fournier
Date: Fri, 6 Jul 2018 14:30:00 +0000
Subject: [PATCH] authentication: manage the session only if the authentication page is required. Do not set a session cookie if the user don't need to be authenticated

git-svn-id: https://svn.fournier38.fr/svn/ProgSVN/trunk@4260 bf3deb0d-5f1a-0410-827f-c0cc1f45334c
---
 authentication.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/authentication.php b/authentication.php
index bc462b4..b3616db 100644
--- a/authentication.php
+++ b/authentication.php
@@ -84,6 +84,8 @@ class authentication
 */
 public function logout ($url = "")
 {
+ if (! isset ($_SESSION))
+ session_start ();
 if ($this->debug) echo "
LOGOUT\n";
     $authsession = new \authsession ();
     $param = $authsession->getdetails ();
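Review bot: `isset ($_SESSION)` is a weak test for "a session is already running": the superglobal also exists when some earlier code assigned to it directly, and it stays set after session_destroy(), so the guard can skip a session_start() that is actually needed or resume one that was just torn down. The dedicated status check is the reliable form, `if (session_status () === PHP_SESSION_NONE) session_start ();` (PHP 5.4+). The same two lines are repeated in pageHTML, verifAuthLoginPage and the three route closures later in the patch, so a small private helper would keep the check in one place. The rest of logout() is outside the hunk.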
@@ -112,6 +114,8 @@ class authentication
   public function pageHTML ($url = "")
   {
     // If the user is already connected, redirect to the main page of the site
+    if (! isset ($_SESSION))
+      session_start ();
     $auth = new \auth ();
     $pre = new \authparams (array ("session"));
     if (isset ($_SESSION["domframework"]["authentication"]["message"]))
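Review bot: The session guard is inserted between the comment "If the user is already connected, redirect to the main page of the site" and the `$auth = new \auth ();` line that comment describes, so the comment now reads as if it explains the session_start(). Move the two new lines above the comment, or give them their own short comment such as `// the login page needs the session to read the pending message` (the message is read from `$_SESSION` a few lines below), so the redirect comment stays attached to its code. pageHTML continues beyond the hunk.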
@@ -134,6 +138,9 @@ class authentication
     */
   public function verifAuthLoginPage ($url = "")
   {
+    if (! isset ($_SESSION))
+      session_start ();
+    if ($this->debug) echo "Call verifAuthLoginPage ($url) : Start\n";
     // rate-limit the connections
     $ratelimiter = new \ratelimitfile ();
     // 3 connections by minutes
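Review bot: The new debug line echoes `$url` straight into the response body; `$url` is the captured segment of the route pattern `authentication/({url})?` (last hunk of the patch), so whenever debug is enabled a client-supplied path fragment is reflected unescaped. The debug lines added at the Ratelimit, ERROR and USER OK points of this method have the same issue. Either escape it, `echo "Call verifAuthLoginPage (" . htmlspecialchars ($url, ENT_QUOTES, 'UTF-8') . ") : Start\n";`, or send the trace through `$this->loggingFunc` with LOG_DEBUG, as the existing rate-limit and login messages already go through that callback. verifAuthLoginPage continues past this hunk.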
@@ -145,6 +152,7 @@ class authentication
       $ipClient = $_SERVER["REMOTE_ADDR"];
     if ($ratelimiter->set ("loggin-$ipClient") === false)
     {
+      if ($this->debug) echo "Call verifAuthLoginPage ($url) : Ratelimit\n";
       call_user_func ($this->loggingFunc,
                       LOG_WARNING,
                       "Ratelimiting for $ipClient");
@@ -163,6 +171,7 @@ class authentication
     $res = $this->verifAuth ($authparams->email, $authparams->password);
     if (! is_array ($res))
     {
+      if ($this->debug) echo "Call verifAuthLoginPage ($url) : ERROR\n";
       // Authentication error
       // Redirect to login page after logout
       call_user_func ($this->loggingFunc,
@@ -183,6 +192,7 @@ class authentication
       }
     }
     // Login OK : save in SESSION and go to main page
+    if ($this->debug) echo "Call verifAuthLoginPage ($url) : USER OK\n";
     call_user_func ($this->loggingFunc,
                     LOG_NOTICE,
                     "Logging in for '$authparams->email'");
@@ -229,6 +239,8 @@ class authentication
     */
   public function verifAuthHTML ()
   {
+    // Do not force the session_start ! We don't want the cookie on all the
+    // pages
     if ($this->debug)
       echo "=== entering verifAuthHTML (htmlMethods=".
         print_r ($this->htmlMethods, true).")\n";
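Review bot: The new comment says what verifAuthHTML must not do but not what follows from it: with no session_start() here, `$_SESSION` is populated only if a caller already started the session, so every read of it further down this method (outside the hunk) has to tolerate it being unset, and a visitor who does present a session cookie still needs the session resumed somewhere for the check to succeed. Suggest saying so, e.g. `// No session_start() here: this runs on every page and must not hand a cookie to anonymous visitors; resume the session only when the client already sent one.` If that conditional resume is not already done below, `if (isset ($_COOKIE[session_name ()])) session_start ();` is the usual way to get it without issuing new cookies.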
@@ -353,6 +365,8 @@ class authentication
     $this->route
     ->get ("authentication/logout({url})?", function ($url) use ($authObj)
     {
+      if (! isset ($_SESSION))
+        session_start ();
       $authObj->logout ($url);
     })
 
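Review bot: The closure starts the session and then calls `$authObj->logout ($url);`, which with this patch starts it again under the same `isset ($_SESSION)` guard, so one of the two copies is dead code; the same pairing exists for pageHTML and verifAuthLoginPage in the next hunk. Keeping the guard inside the methods (they can be reached from other entry points) and dropping it from the three route closures leaves a single place to change if the check is ever tightened. The route chain continues before and after this hunk.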
@@ -363,12 +377,16 @@ class authentication
 
     ->get ("authentication/({url})?", function ($url) use ($authObj)
     {
+      if (! isset ($_SESSION))
+        session_start ();
       $authObj->pageHTML ($url);
       exit;
     })
 
     ->post ("authentication/({url})?", function ($url) use ($authObj)
     {
+      if (! isset ($_SESSION))
+        session_start ();
       $authObj->verifAuthLoginPage ($url);
       exit;
     })