1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

$adminSession = new Zend_Session_Namespace('Admin');
$this->access = new Application_Model_accessControl(); // access control
 
// logged in user
$loginMsg = 'Please login';
$loginForm = new Zend_Form;
$loginForm
	->setMethod('post')
	->setAttrib('id','login')
	->addElement('text','user',array('label'=>'Username','required'=>true))
	->addElement('password','pass',array('label'=>'Password','required'=>true))
	->addElement('submit','Login');
 
if ($this->getRequest()->isPost() && $loginForm->isValid($_POST)){
	$session = $this->access->validateUser(
		$loginForm->getValue('user'), 
		$loginForm->getValue('pass')
		);
 
	if ($session){
		$adminSession->loggedInSession = $session;
		$adminSession->loggedInUser = $loginForm->getValue('user');
	}
 
	$loginMsg='Access denied';
} 			
 
if (!$this->access->sessionIsValid($adminSession->loggedInSession) || !$adminSession->loggedInUser){
       	$this->view->header=$loginMsg;			
	$this->view->content = $loginForm;
	$this->render('login');  
} else {
	// renew session, will always be the "Now" session, but three are provided, see the model 
	$adminSession->loggedInSession = $this->access->getValidSession();
    	$this->view->userIdent = $adminSession->loggedInUser;
}

$adminSession = new Zend_Session_Namespace('Admin'); $this->access = new Application_Model_accessControl(); // access control // logged in user $loginMsg = 'Please login'; $loginForm = new Zend_Form; $loginForm ->setMethod('post') ->setAttrib('id','login') ->addElement('text','user',array('label'=>'Username','required'=>true)) ->addElement('password','pass',array('label'=>'Password','required'=>true)) ->addElement('submit','Login'); if ($this->getRequest()->isPost() && $loginForm->isValid($_POST)){ $session = $this->access->validateUser( $loginForm->getValue('user'), $loginForm->getValue('pass') ); if ($session){ $adminSession->loggedInSession = $session; $adminSession->loggedInUser = $loginForm->getValue('user'); } $loginMsg='Access denied'; } if (!$this->access->sessionIsValid($adminSession->loggedInSession) || !$adminSession->loggedInUser){ $this->view->header=$loginMsg; $this->view->content = $loginForm; $this->render('login'); } else { // renew session, will always be the "Now" session, but three are provided, see the model $adminSession->loggedInSession = $this->access->getValidSession(); $this->view->userIdent = $adminSession->loggedInUser; }

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108

<?php
 
class Application_Model_accessControl
{
 
 
	public function __construct(){
 
		// set users, password is the key, because this is less likely to be duplicated
        $this->setUsers(
        	array(
				'password1'=>'admin',
				'password2'=>'admin'
				)
       		);
        // salt for session key
		$this->setSalt('MySaltGoesHere1234');
	}
 
	public function validateUser($username, $password){
 
		/*
		 * return session if correct, null otherwise
		 */
 
		$users = $this->getUsers();
 
		if (isset($users[$password]) && $users[$password]==$username){
			return $this->getValidSession();
		}
	}
	public function sessionIsValid($session,$debug=false){
 
		$validSessions = $this->getValidSessions();
		if ($debug){
			echo "MY KEY: $session<br >KEYS: ".print_r($validSessions,true);
		}
		return in_array($session, $validSessions) ? true : false;
	}
 
	public function getValidSessions(){
 
		$sessions = array(
			$this->getValidSession('past'),
			$this->getValidSession('now'),
			$this->getValidSession('future')
			);
 
		return $sessions;
	}
	public function getValidSession($for='now'){
 
		/*
		 * Three sessions are provided,
		 * 
		 * past, now and present
		 * 
		 * past, person logs in at 11:59 spends ten minutes editing, clicks save at 12:09, past would be the valid session
		 * now, person is logged in during 11:00 - 11:59
		 * future, is provided encase of time travel, or if the british summer time kicks in while editing, unlikely but more is better than not enough...
		 */
 
		$hour = intval(date('H'));
 
		switch($for){
			case 'past' : 
				$validSession = ($hour-1) < 0 ? 23 : $hour-1;
			break;
			case 'now' : default:
				$validSession = $hour;
			break;
			case 'future' : 
				$validSession = ($hour+1) > 23 ? 0 : $hour+1;
			break;
 
		}
 
		/*
		 * obsfucation
		 */
		// firstly grab specific details to stop session hijacking 
		$ip = $_SERVER['REMOTE_ADDR'];
		$browser = $_SERVER['HTTP_USER_AGENT'];
		// then mix it up and md5 it
		$validSession = $ip.$validSession.$this->getSalt().$browser;
 
		if (!getenv('APPLICATION_ENV')){
			$validSession = md5($validSession);
		}
 
		return $validSession;
	}
 
	public function setUsers($users){
		$this->users = $users;
	}
	public function getUsers(){
		return $this->users;
	}
	public function setSalt($salt){
		$this->salt = $salt;
	}
	public function getSalt(){
		return $this->salt;
	}
 
 
}

<?php class Application_Model_accessControl { public function __construct(){ // set users, password is the key, because this is less likely to be duplicated $this->setUsers( array( 'password1'=>'admin', 'password2'=>'admin' ) ); // salt for session key $this->setSalt('MySaltGoesHere1234'); } public function validateUser($username, $password){ /* * return session if correct, null otherwise */ $users = $this->getUsers(); if (isset($users[$password]) && $users[$password]==$username){ return $this->getValidSession(); } } public function sessionIsValid($session,$debug=false){ $validSessions = $this->getValidSessions(); if ($debug){ echo "MY KEY: $session<br >KEYS: ".print_r($validSessions,true); } return in_array($session, $validSessions) ? true : false; } public function getValidSessions(){ $sessions = array( $this->getValidSession('past'), $this->getValidSession('now'), $this->getValidSession('future') ); return $sessions; } public function getValidSession($for='now'){ /* * Three sessions are provided, * * past, now and present * * past, person logs in at 11:59 spends ten minutes editing, clicks save at 12:09, past would be the valid session * now, person is logged in during 11:00 - 11:59 * future, is provided encase of time travel, or if the british summer time kicks in while editing, unlikely but more is better than not enough... */ $hour = intval(date('H')); switch($for){ case 'past' : $validSession = ($hour-1) < 0 ? 23 : $hour-1; break; case 'now' : default: $validSession = $hour; break; case 'future' : $validSession = ($hour+1) > 23 ? 0 : $hour+1; break; } /* * obsfucation */ // firstly grab specific details to stop session hijacking $ip = $_SERVER['REMOTE_ADDR']; $browser = $_SERVER['HTTP_USER_AGENT']; // then mix it up and md5 it $validSession = $ip.$validSession.$this->getSalt().$browser; if (!getenv('APPLICATION_ENV')){ $validSession = md5($validSession); } return $validSession; } public function setUsers($users){ $this->users = $users; } public function getUsers(){ return $this->users; } public function setSalt($salt){ $this->salt = $salt; } public function getSalt(){ return $this->salt; } }

1
2

<?php echo "<h2>{$this->header}</h2>";  ?>
<?php echo $this->content;  ?>

<?php echo "<h2>{$this->header}</h2>"; ?> <?php echo $this->content; ?>