github.com/matomo-org/matomo.git - Unnamed repository; edit this file 'description' to name the repository.
authordiosmosis <diosmosis@users.noreply.github.com>2019-06-17 07:03:06 +0300
committerGitHub <noreply@github.com>2019-06-17 07:03:06 +0300
commit824204a88d80b229df3708d1edcf5416eeb2ea44 (patch)
tree52b1cfd1bcb0e5961920094a9f69517d5cbefd55 /tests
parentd61a9ea28a798f5598e2cb69c0ca6b3342b6c157 (diff)
Detect expired session use (#14502)
* Add INI config option and add tests. * Detect expired sessions. * Update config docs. * Apply review feedback including storing expiration in session fingerprint. * fixing tests. * fix unit tests * fix test
Diffstat (limited to 'tests')
-rw-r--r--tests/PHPUnit/Integration/FrontControllerTest.php3
-rw-r--r--tests/PHPUnit/Integration/Session/SessionAuthTest.php48
-rw-r--r--tests/PHPUnit/Unit/Session/SessionFingerprintTest.php28
-rw-r--r--tests/PHPUnit/Unit/Session/SessionInitializerTest.php2
4 files changed, 75 insertions, 6 deletions
diff --git a/tests/PHPUnit/Integration/FrontControllerTest.php b/tests/PHPUnit/Integration/FrontControllerTest.php
index 12a396986b..89c426136a 100644
--- a/tests/PHPUnit/Integration/FrontControllerTest.php
+++ b/tests/PHPUnit/Integration/FrontControllerTest.php
@@ -59,6 +59,9 @@ FORMAT;
$this->assertStringMatchesFormat($expectedFormat, $response['message']);
}
+ /**
+ * @runInSeparateProcess
+ */
public function test_authImplementationConfigured_EvenIfSessionAuthSucceeds()
{
Access::getInstance()->setSuperUserAccess(false);
diff --git a/tests/PHPUnit/Integration/Session/SessionAuthTest.php b/tests/PHPUnit/Integration/Session/SessionAuthTest.php
index 914e957d76..ae64512e9a 100644
--- a/tests/PHPUnit/Integration/Session/SessionAuthTest.php
+++ b/tests/PHPUnit/Integration/Session/SessionAuthTest.php
@@ -11,6 +11,7 @@ namespace Piwik\Tests\Integration\Session;
use Piwik\AuthResult;
use Piwik\Container\StaticContainer;
+use Piwik\Date;
use Piwik\Plugins\UsersManager\UserUpdater;
use Piwik\Session\SessionAuth;
use Piwik\Session\SessionFingerprint;
@@ -74,24 +75,67 @@ class SessionAuthTest extends IntegrationTestCase
$this->assertEquals(AuthResult::FAILURE, $result->getCode());
}
+ /**
+ * @runInSeparateProcess
+ */
public function test_authenticate_ReturnsSuccess_IfUserDataHasNoPasswordModifiedTimestamp()
{
$this->initializeSession(self::TEST_OTHER_USER);
+ $sessionFingerprint = new SessionFingerprint();
+ $expireTime = $sessionFingerprint->getExpirationTime();
+ $this->assertNotNull($expireTime);
+
$usersModel = new UsersModel();
$user = $usersModel->getUser(self::TEST_OTHER_USER);
unset($user['ts_password_modified']);
+ sleep(1);
+
$sessionAuth = new SessionAuth(new MockUsersModel($user));
$result = $sessionAuth->authenticate();
+ $this->assertGreaterThan($expireTime, $sessionFingerprint->getExpirationTime());
+
$this->assertEquals(AuthResult::SUCCESS, $result->getCode());
}
- private function initializeSession($userLogin)
+ public function test_authenticate_ReturnsFailure_IfSessionIsExpiredWhenRememberMeUsed()
+ {
+ Date::$now = strtotime('2012-02-03 04:55:44');
+ $this->initializeSession(self::TEST_OTHER_USER, true);
+
+ Date::$now = strtotime('2012-03-03 04:55:44');
+
+ $usersModel = new UsersModel();
+ $user = $usersModel->getUser(self::TEST_OTHER_USER);
+
+ $sessionAuth = new SessionAuth(new MockUsersModel($user));
+ $result = $sessionAuth->authenticate();
+
+ $this->assertEquals(AuthResult::FAILURE, $result->getCode());
+ }
+
+ public function test_authenticate_ReturnsFailure_IfSessionIsExpiredWhenRememberMeNotUsed()
+ {
+ Date::$now = strtotime('2012-02-03 04:55:44');
+ $this->initializeSession(self::TEST_OTHER_USER);
+
+ Date::$now = strtotime('2012-02-04 04:56:44');
+
+ $usersModel = new UsersModel();
+ $user = $usersModel->getUser(self::TEST_OTHER_USER);
+
+ $sessionAuth = new SessionAuth(new MockUsersModel($user));
+ $result = $sessionAuth->authenticate();
+
+ $this->assertEquals(AuthResult::FAILURE, $result->getCode());
+ }
+
+ private function initializeSession($userLogin, $isRemembered = false)
{
$sessionFingerprint = new SessionFingerprint();
- $sessionFingerprint->initialize($userLogin);
+ $sessionFingerprint->initialize($userLogin, $isRemembered);
}
protected static function configureFixture($fixture)
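Review bot: The two new expiry tests assign `Date::$now` and nothing visible in this hunk restores it, whereas SessionFingerprintTest in this same commit gains a `tearDown()` that sets `Date::$now = null;`. Unless IntegrationTestCase already resets the clock (not visible here), later tests in the same process would run with the clock frozen in 2012, which can mask or fake session-expiry results, so the same `tearDown()` belongs here. In `test_authenticate_ReturnsSuccess_IfUserDataHasNoPasswordModifiedTimestamp`, `sleep(1)` could probably be replaced by advancing `Date::$now`, if expiration is derived from `Date` as the unit test suggests. Both expiry tests also probe far past the limit; a case just inside the lifetime that expects `AuthResult::SUCCESS` would pin the boundary. The class body continues outside the hunk.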
diff --git a/tests/PHPUnit/Unit/Session/SessionFingerprintTest.php b/tests/PHPUnit/Unit/Session/SessionFingerprintTest.php
index a0cae1ef98..3fdd69c92f 100644
--- a/tests/PHPUnit/Unit/Session/SessionFingerprintTest.php
+++ b/tests/PHPUnit/Unit/Session/SessionFingerprintTest.php
@@ -10,6 +10,7 @@
namespace Piwik\Tests\Unit\Session;
+use Piwik\Date;
use Piwik\Session\SessionFingerprint;
class SessionFingerprintTest extends \PHPUnit_Framework_TestCase
@@ -28,6 +29,13 @@ class SessionFingerprintTest extends \PHPUnit_Framework_TestCase
$this->testInstance = new SessionFingerprint();
}
+ public function tearDown()
+ {
+ Date::$now = null;
+
+ parent::tearDown();
+ }
+
public function test_getUser_ReturnsUserNameSessionVar_WhenSessionVarIsSet()
{
$_SESSION[SessionFingerprint::USER_NAME_SESSION_VAR_NAME] = 'testuser';
@@ -60,7 +68,7 @@ class SessionFingerprintTest extends \PHPUnit_Framework_TestCase
$this->assertEquals('testuser', $_SESSION[SessionFingerprint::USER_NAME_SESSION_VAR_NAME]);
$this->assertEquals(
- ['ts' => self::TEST_TIME_VALUE, 'remembered' => true],
+ ['ts' => self::TEST_TIME_VALUE, 'remembered' => true, 'expiration' => self::TEST_TIME_VALUE + 3600],
$_SESSION[SessionFingerprint::SESSION_INFO_SESSION_VAR_NAME]
);
}
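Review bot: The expected `'expiration'` is written as `self::TEST_TIME_VALUE + 3600` for a session with `'remembered' => true`, and the hunk at `@@ -77,10 +85,24 @@` uses the same 3600-second offset (`+ 3700` after advancing the clock by 100) for a non-remembered session. As written, the unit tests do not show that the remember-me lifetime differs from the normal one, and the literal hides which setting it comes from; presumably a stubbed config value, but that is not visible here. A named constant such as `const TEST_SESSION_LIFETIME = 3600;` with a one-line comment naming the config option would make both expectations self-explanatory. The test method starts outside the hunk.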
@@ -77,10 +85,24 @@ class SessionFingerprintTest extends \PHPUnit_Framework_TestCase
$this->assertTrue($this->testInstance->hasVerifiedTwoFactor());
}
- public function test_getSessionStartTime_()
+ public function test_updateSessionExpireTime_SetsANewExpirationTime()
+ {
+ $this->testInstance->initialize('testuser', false, self::TEST_TIME_VALUE);
+
+ Date::$now = self::TEST_TIME_VALUE + 100;
+
+ $this->testInstance->updateSessionExpirationTime();
+
+ $this->assertEquals(
+ self::TEST_TIME_VALUE + 3700,
+ $_SESSION[SessionFingerprint::SESSION_INFO_SESSION_VAR_NAME]['expiration']
+ );
+ }
+
+ public function test_getSessionStartTime_ReturnsCorrectValue()
{
$_SESSION[SessionFingerprint::SESSION_INFO_SESSION_VAR_NAME] = [
- 'ts' => 123.
+ 'ts' => 123,
];
$this->assertEquals(123, $this->testInstance->getSessionStartTime());
}
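Review bot: The new test is named `test_updateSessionExpireTime_SetsANewExpirationTime` but exercises `updateSessionExpirationTime()`; renaming it to `test_updateSessionExpirationTime_SetsANewExpirationTime` keeps it discoverable when searching for the method. It covers only the non-remembered case (`initialize('testuser', false, self::TEST_TIME_VALUE)`); a second case passing `true` would show whether refreshing the expiration keeps the remember-me lifetime.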
diff --git a/tests/PHPUnit/Unit/Session/SessionInitializerTest.php b/tests/PHPUnit/Unit/Session/SessionInitializerTest.php
index f24b69b8dc..0b0bde4c47 100644
--- a/tests/PHPUnit/Unit/Session/SessionInitializerTest.php
+++ b/tests/PHPUnit/Unit/Session/SessionInitializerTest.php
@@ -72,7 +72,7 @@ class SessionInitializerTest extends \PHPUnit_Framework_TestCase
$fingerprint = new SessionFingerprint();
$this->assertEquals('testlogin', $fingerprint->getUser());
$this->assertNotEmpty($fingerprint->getSessionStartTime());
- $this->assertEquals(['ts', 'remembered'], array_keys($fingerprint->getUserInfo()));
+ $this->assertEquals(['ts', 'remembered', 'expiration'], array_keys($fingerprint->getUserInfo()));
}
}
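Review bot: The updated assertion only checks that an `'expiration'` key exists, so a fingerprint whose expiration is zero or not later than the start time would still pass. Adding `$this->assertGreaterThan($fingerprint->getSessionStartTime(), $fingerprint->getExpirationTime());` would pin the property that expired-session detection depends on. The test method starts outside the hunk.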