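 /**
  * Verifies the given session token and lifetime.
  *
  * The token is used as the cookie name and the cookie value has to equal the
  * lifetime that was stored with the session. When the current token cookie is
  * missing, the previous token/lifetime pair kept in the session is looked up
  * and returned so callers can see which pair was checked.
  *
  * NOTE(review): once the current cookie is missing, $notValid is never reset,
  * so the old pair is only looked up, never accepted — behaviour kept as-is;
  * confirm whether a rotation grace period was intended before changing it.
  *
  * @param \Zepi\Turbo\Request\WebRequest $request
  * @param string $token
  * @param string $lifetime
  * @return array [bool $notValid, string $token, string $lifetime, mixed $userUuid]
  */
 protected function verifyToken(WebRequest $request, $token, $lifetime)
 {
     $notValid = false;
     $cookieValue = $request->getCookieData($token);

     // Cookie does not exist - this is maybe a session hijacking attack
     if ($cookieValue === false) {
         $notValid = true;
     }

     // Check for the old data
     if ($notValid && $request->getSessionData('oldUserSessionToken') !== false) {
         $token = $request->getSessionData('oldUserSessionToken');
         $lifetime = $request->getSessionData('oldUserSessionTokenLifetime');

         // Look for the old session token cookie...
         $cookieValue = $request->getCookieData($token);
         if ($cookieValue === false) {
             $notValid = true;
         }
     }

     // Check the lifetime of the cookie and the session.
     // The cookie value is client-controlled, so compare it strictly as a string:
     // a loose `!=` would apply PHP's numeric-string rules ("1e3" == "1000") and
     // accept variants of the stored lifetime. Non-scalar values never match.
     if (!$notValid && (!is_scalar($cookieValue) || (string) $cookieValue !== (string) $lifetime)) {
         $notValid = true;
     }

     // If the session token expired more than 30 minutes ago
     // the session isn't valid anymore. Compare as int so a non-numeric
     // lifetime is treated as expired instead of being string-compared
     // against the timestamp.
     if (!$notValid && (int) $lifetime < time() - 1800) {
         $notValid = true;
     }

     $userUuid = $request->getSessionData('userUuid');

     // If the given uuid doesn't exist, this session can't be valid
     if (!$notValid && !$this->userManager->hasUserForUuid($userUuid)) {
         $notValid = true;
     }

     return [$notValid, $token, $lifetime, $userUuid];
 }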