move session handling out of the user class

ylebre · ylebre · commit 4ee943914f18 · 2025-07-07T15:24:52.000+02:00
diff --git a/lib/Session.php b/lib/Session.php
@@ -0,0 +1,20 @@
+<?php
+	namespace Pdsinterop\PhpSolid;
+
+	class Session {
+		private $cookieLifetime = 24*60*60;
+		public static function start($username) {
+			session_start([
+				'cookie_lifetime' => 24*60*60 // 1 day
+			]);
+			$_SESSION['username'] = $email;
+		}
+		
+		public static function getLoggedInUser() {
+			session_start();
+			if (!isset($_SESSION['username'])) {
+				return false;
+			}
+			return self::getUser($_SESSION['username']);
+		}
+	}
diff --git a/lib/User.php b/lib/User.php
@@ -247,24 +247,12 @@ public static function checkPassword($email, $password) {
 			$result = $query->fetchAll();
 			if (sizeof($result) === 1) {
 				if (password_verify($password, $result[0]['password'])) {
-					session_start([
-						'cookie_lifetime' => 24*60*60 // 1 day
-					]);
-					$_SESSION['username'] = $email;
 					return true;
 				}
 			}
 			return false;
 		}
 
-		public static function getLoggedInUser() {
-			session_start();
-			if (!isset($_SESSION['username'])) {
-				return false;
-			}
-			return self::getUser($_SESSION['username']);
-		}
-
 		public static function userIdExists($userId) {
 			Db::connect();
 			$query = Db::$pdo->prepare(
diff --git a/www/idp/index.php b/www/idp/index.php
@@ -10,6 +10,7 @@
 	use Pdsinterop\PhpSolid\Server;
 	use Pdsinterop\PhpSolid\ClientRegistration;
 	use Pdsinterop\PhpSolid\User;
+	use Pdsinterop\PhpSolid\Session;
 	use Pdsinterop\PhpSolid\Mailer;
 	use Pdsinterop\PhpSolid\IpAttempts;
 	use Pdsinterop\PhpSolid\JtiStore;
@@ -36,7 +37,7 @@
 				break;
 				case "/authorize":
 				case "/authorize/":
-					$user = User::getLoggedInUser();
+					$user = Session::getLoggedInUser();
 					if (!$user) {
 						header("Location: /login/?redirect_uri=" . urlencode($_SERVER['REQUEST_URI']));
 						exit();
@@ -124,7 +125,7 @@
 				break;
 				case "/dashboard":
 				case "/dashboard/":
-					$user = User::getLoggedInUser();
+					$user = Session::getLoggedInUser();
 					if (!$user) {
 						header("Location: /login/");
 						exit();
@@ -133,7 +134,7 @@
 				break;
 				case "/logout":
 				case "/logout/":
-					$user = User::getLoggedInUser();
+					$user = Session::getLoggedInUser();
 					if ($user) {
 						session_destroy();
 					}
@@ -161,7 +162,7 @@
 				break;
 				case "/sharing":
 				case "/sharing/":
-					$user = User::getLoggedInUser();
+					$user = Session::getLoggedInUser();
 					if (!$user) {
 						header("Location: /login/");
 						exit();
@@ -311,6 +312,7 @@
 						exit();
 					}
 					if (User::checkPassword($_POST['username'], $_POST['password'])) {
+						Session::start($_POST['username']);
 						if (!isset($_POST['redirect_uri']) || $_POST['redirect_uri'] === '') {
 							header("Location: /dashboard/");
 							exit();
@@ -366,7 +368,7 @@
 				break;
 				case "/api/sharing":
 				case "/api/sharing/":
-					$user = User::getLoggedInUser();
+					$user = Session::getLoggedInUser();
 					if (!$user) {
 						header("HTTP/1.1 400 Bad request");
 					} else {
