/**
*
* @return \Application\Models\User
*/
public static function getCurrentLogged()
{
$user = null;
$username = Filter::html_entity_invert(\Application\Services\Session::get(\Application\Services\Session::SESSION_USER_NAME));
if ($username !== null) {
$user = self::getByUsername($username);
}
return $user;
}
/**
* gets/returns the value of a specific key of the session
*
* @param mixed $key Usually a string, right ?
* @return mixed the key's value or nothing
*/
public static function get($key)
{
$value = null;
if (isset($_SESSION[$key])) {
$value = $_SESSION[$key];
if (is_string($_SESSION[$key])) {
// Filter the value for XSS vulnerabilities
// Regola: "Make sure you escape on output, not on input", per questo non applico il filtro nel metodo Session::set() ma qui
// Vedere:
// http://stackoverflow.com/questions/14111659/securing-php-sessions-from-xss-attacks
// https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
if (false) {
$value = Filter::XSSFilter($value);
// Ho disabilitato questo controllo (presente nel codice di Panique) perchè causa problemi
} else {
$value = Filter::MyXSSFilter($value);
// questa è la mia soluzione che evita il loop di codifica sul carattere "&"
}
}
return $value;
}
}
/**
* Deletes the cookie
* It's necessary to split deleteCookie() and logout() as cookies are deleted without logging out too!
* Sets the remember-me-cookie to ten years ago (3600sec * 24 hours * 365 days * 10).
* that's obviously the best practice to kill a cookie @see http://stackoverflow.com/a/686166/1114320
*/
public static function deleteCookie($user_name = null)
{
// is $user_name was set, then clear remember_me token in database
if ($user_name) {
$user_name = Filter::html_entity_invert($user_name);
$user = UserModel::getByUsername($user_name);
$user->setRemembermetoken(NULL);
$em = DbResource::getEntityManager();
$em->persist($user);
$em->flush();
}
// delete remember_me cookie in browser
setcookie(self::COOKIE_REMEMBER_ME, false, time() - 3600 * 24 * 3650, Config::get('cookie.path'), Config::get('cookie.domain'), Config::get('cookie.secure'), Config::get('cookie.http'));
}
