Code source de GeekLog 1.4.1 |
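<?php

/* Reminder: always indent with 4 spaces (no tabs). */
// +---------------------------------------------------------------------------+
// | Geeklog 1.4                                                               |
// +---------------------------------------------------------------------------+
// | lib-sessions.php                                                          |
// |                                                                           |
// | Geeklog session library.                                                  |
// +---------------------------------------------------------------------------+
// | Copyright (C) 2000-2006 by the following authors:                         |
// |                                                                           |
// | Authors: Tony Bibbs       - tony@tonybibbs.com                            |
// |          Mark Limburg     - mlimburg@users.sourceforge.net                |
// +---------------------------------------------------------------------------+
// |                                                                           |
// | This program is free software; you can redistribute it and/or             |
// | modify it under the terms of the GNU General Public License               |
// | as published by the Free Software Foundation; either version 2            |
// | of the License, or (at your option) any later version.                    |
// |                                                                           |
// | This program is distributed in the hope that it will be useful,           |
// | but WITHOUT ANY WARRANTY; without even the implied warranty of            |
// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the             |
// | GNU General Public License for more details.                              |
// |                                                                           |
// | You should have received a copy of the GNU General Public License         |
// | along with this program; if not, write to the Free Software Foundation,   |
// | Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.           |
// |                                                                           |
// +---------------------------------------------------------------------------+
//
// $Id: lib-sessions.php,v 1.43 2006/10/24 08:09:50 ospiess Exp $

/**
 * This is the session management library for Geeklog. Some of this code was
 * borrowed from phpBB 1.4.x which is also GPL'd
 *
 * Two cookies are involved:
 *  - the session cookie ($_CONF['cookie_session']) carries a server-issued
 *    session id that is looked up in $_TABLES['sessions'];
 *  - the permanent cookie pair ($_CONF['cookie_name'] = uid,
 *    $_CONF['cookie_password'] = stored password hash) re-creates a session
 *    when the session cookie is missing or expired.
 *
 * Every value read from $_COOKIE is attacker-controlled and is validated or
 * cast before it reaches SQL or a comparison.
 */

// Turn this on if you want to see various debug messages from this library
$_SESS_VERBOSE = false;

if (strpos($_SERVER['PHP_SELF'], 'lib-sessions.php') !== false) {
    die('This file can not be used on its own!');
}

// Derive the cookie domain from the site URL when it is not configured.
if (empty($_CONF['cookiedomain'])) {
    preg_match("/\/\/([^\/:]*)/", $_CONF['site_url'], $server);
    $host = isset($server[1]) ? $server[1] : '';
    if (substr($host, 0, 4) == 'www.') {
        // 'www.example.com' -> '.example.com' (cookie valid for all subdomains)
        $_CONF['cookiedomain'] = substr($host, 3);
    } else {
        if (strpos($host, '.') === false) {
            // e.g. 'localhost' or other local names
            $_CONF['cookiedomain'] = '';
        } else {
            $_CONF['cookiedomain'] = '.' . $host;
        }
    }
    if ($_SESS_VERBOSE) {
        COM_errorLog("Setting cookiedomain='" . $_CONF['cookiedomain'] . "'", 1);
    }
}

// LOAD USER DATA. NOTE: I'm not sure why I have to set $_USER like this because
// it's supposed to be a global variable. I tried setting $_USER from within
// SESS_sessionCheck() and it doesn't work.
$_USER = SESS_sessionCheck();

/**
 * Validates the permanent ("remember me") cookie pair and, when it checks
 * out, starts a fresh session for that user.
 *
 * This logic used to be duplicated verbatim in both branches of
 * SESS_sessionCheck() (expired session cookie, and no session cookie at all).
 *
 * @return array|null user data with 'auto_login' = true, or null when the
 *                    permanent cookie is absent, malformed, belongs to the
 *                    anonymous uid, or does not match the stored password hash
 */
function SESS_checkPermanentCookie()
{
    global $_CONF, $_TABLES, $_SESS_VERBOSE;

    if (!isset($_COOKIE[$_CONF['cookie_name']])) {
        return null;
    }

    if ($_SESS_VERBOSE) {
        COM_errorLog('perm cookie found from lib-sessions.php', 1);
    }

    $userid = $_COOKIE[$_CONF['cookie_name']];
    if (empty($userid) || ($userid == 'deleted')) {
        return null;
    }

    // COM_applyFilter(..., true) only rejects non-numeric input; the cast
    // guarantees the value interpolated into SQL below is a plain integer.
    $userid = (int) COM_applyFilter($userid, true);
    if ($userid <= 1) {
        // uid 1 is the anonymous user: never auto-login as it
        return null;
    }

    $cookie_password = isset($_COOKIE[$_CONF['cookie_password']])
                     ? $_COOKIE[$_CONF['cookie_password']] : '';
    $userpass = DB_getItem($_TABLES['users'], 'passwd', "uid = $userid");

    // Strict string comparison. The original used '<>' (loose), under which
    // two numeric-looking strings such as '0e123' and '0e456' compare equal,
    // so a cookie value could pass without being equal to the stored hash.
    if (empty($cookie_password)
            || ((string) $cookie_password !== (string) $userpass)) {
        // User may have modified their UID in cookie, ignore them
        return null;
    }

    // Check user status
    SEC_checkUserStatus($userid);

    // Create new session and write cookie
    $sessid = SESS_newSession($userid, $_SERVER['REMOTE_ADDR'],
                              $_CONF['session_cookie_timeout'],
                              $_CONF['cookie_ip']);
    SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'],
                          $_CONF['cookie_session'], $_CONF['cookie_path'],
                          $_CONF['cookiedomain'], $_CONF['cookiesecure']);

    $userdata = SESS_getUserDataFromId($userid);
    $userdata['auto_login'] = true;

    return $userdata;
}

/**
 * This gets the state for the user
 *
 * Much of this code if from phpBB (www.phpbb.org). This checks the session
 * cookie and long term cookie to get the users state.
 *
 * Order of precedence: a valid, unexpired session cookie wins; otherwise the
 * permanent cookie pair is checked (see SESS_checkPermanentCookie()).
 *
 * @return array|null returns $_USER array, or null when nobody is logged in
 */
function SESS_sessionCheck()
{
    global $_CONF, $_TABLES, $_USER, $_SESS_VERBOSE;

    if ($_SESS_VERBOSE) {
        COM_errorLog("***Inside SESS_sessionCheck***", 1);
    }

    // Drops the binding to the global; everything assigned to $_USER below
    // is local and is handed back through the return value.
    unset($_USER);

    if (isset($_COOKIE[$_CONF['cookie_session']])) {
        $sessid = COM_applyFilter($_COOKIE[$_CONF['cookie_session']]);
        if ($_SESS_VERBOSE) {
            COM_errorLog("got $sessid as the session id from lib-sessions.php", 1);
        }

        $userid = SESS_getUserIdFromSession($sessid,
                                            $_CONF['session_cookie_timeout'],
                                            $_SERVER['REMOTE_ADDR'],
                                            $_CONF['cookie_ip']);

        if ($_SESS_VERBOSE) {
            COM_errorLog("Got $userid as User ID from the session ID", 1);
        }

        if ($userid > 1) {
            // Check user status
            SEC_checkUserStatus($userid);
            SESS_updateSessionTime($sessid, $_CONF['cookie_ip']);
            $userdata = SESS_getUserDataFromId($userid);
            if ($_SESS_VERBOSE) {
                COM_errorLog("Got " . count($userdata) . " pieces of data from userdata", 1);
                COM_errorLog(COM_debug($userdata), 1);
            }
            $_USER = $userdata;
            $_USER['auto_login'] = false;
        } else {
            // Session probably expired, now check permanent cookie
            $userdata = SESS_checkPermanentCookie();
            if ($userdata !== null) {
                $_USER = $userdata;
            }
        }
    } else {
        if ($_SESS_VERBOSE) {
            COM_errorLog('session cookie not found from lib-sessions.php', 1);
        }

        // Session cookie doesn't exist but a permanent cookie may.
        // If so, start a new session cookie.
        $userdata = SESS_checkPermanentCookie();
        if ($userdata !== null) {
            $_USER = $userdata;
        }
    }

    if ($_SESS_VERBOSE) {
        COM_errorLog("***Leaving SESS_sessionCheck***", 1);
    }

    // Ensure $_USER is set to avoid warnings (path exposure...)
    if (isset($_USER)) {
        return $_USER;
    } else {
        return NULL;
    }
}

/**
 * Creates new user session (short term cookie)
 *
 * Adds a new session to the database for the given userid and returns a new session ID.
 * Also deletes all expired sessions from the database, based on the given session lifespan.
 *
 * @param  int    $userid     User ID to create session for
 * @param  string $remote_ip  IP address user is connected from (expected to be
 *                            the server-supplied REMOTE_ADDR)
 * @param  string $lifespan   How long (seconds) this cookie should persist
 * @param  string $md5_based  If 1 session will be MD5 hash of ip address
 * @return string Session ID (numeric, or the md5 hash when $md5_based is 1)
 */
function SESS_newSession($userid, $remote_ip, $lifespan, $md5_based = 0)
{
    global $_TABLES, $_CONF, $_SESS_VERBOSE;

    if ($_SESS_VERBOSE) {
        COM_errorLog("*************inside new_session*****************", 1);
        COM_errorLog("Args to new_session: userid = $userid, remote_ip = $remote_ip, lifespan = $lifespan, md5_based = $md5_based", 1);
    }

    // Interpolated into several statements below; make sure it is an integer.
    $userid = (int) $userid;

    // mt_rand() seeds itself. The former explicit
    // mt_srand((double)microtime()*1000000) narrowed the seed to roughly one
    // million clock-derived values, which made fresh session ids guessable.
    // NOTE(review): mt_rand() is still not a cryptographic generator; a
    // CSPRNG would be preferable where the platform offers one.
    $sessid = mt_rand();

    // For added security we are adding the option to build a IP-based
    // session ID. This has the advantage of better security but it may
    // required dialed users to login every time. You can turn the below
    // code on in config.php (it's turned off by default)
    if ($md5_based == 1) {
        $ip = str_replace('.', '', $remote_ip);
        // Concatenate, don't add: the original '$ip + $sessid' summed the two
        // numeric strings, converting the input to a number before hashing.
        $md5_sessid = md5($ip . $sessid);
    } else {
        $md5_sessid = '';
    }

    $currtime = (string) (time());
    $expirytime = (string) (time() - $lifespan);
    if (!isset($_COOKIE[$_CONF['cookie_session']])) {
        // ok, delete any old sessons for this user
        DB_query("DELETE FROM {$_TABLES['sessions']} WHERE uid = $userid");
    } else {
        $deleteSQL = "DELETE FROM {$_TABLES['sessions']} WHERE (start_time < $expirytime)";
        $delresult = DB_query($deleteSQL);

        if ($_SESS_VERBOSE) {
            COM_errorLog("Attempted to delete rows from session table with following SQL\n$deleteSQL\n", 1);
            COM_errorLog("Got $delresult as a result from the query", 1);
        }

        if (!$delresult) {
            die("Delete failed in new_session()");
        }
    }

    // Remove the anonymous sesssion for this user
    DB_query("DELETE FROM {$_TABLES['sessions']} WHERE uid = 1 AND remote_ip = '$remote_ip'");

    // Create new session
    if (empty($md5_sessid)) {
        $sql = "INSERT INTO {$_TABLES['sessions']} (sess_id, uid, start_time, remote_ip) VALUES ($sessid, $userid, $currtime, '$remote_ip')";
    } else {
        $sql = "INSERT INTO {$_TABLES['sessions']} (sess_id, md5_sess_id, uid, start_time, remote_ip) VALUES ($sessid, '$md5_sessid', $userid, $currtime, '$remote_ip')";
    }
    $result = DB_query($sql);

    if (!$result) {
        // Log the driver error instead of echoing it: the raw DB error text
        // (table names, SQL fragments) was previously sent to the browser.
        COM_errorLog('Insert failed in new_session(): ' . DB_error(), 1);
        die("Insert failed in new_session()");
    }

    if ($_CONF['lastlogin'] == true) {
        // Update userinfo record to record the date and time as lastlogin
        DB_query("UPDATE {$_TABLES['userinfo']} SET lastlogin = UNIX_TIMESTAMP() WHERE uid=$userid");
    }

    if ($_SESS_VERBOSE) {
        COM_errorLog("Assigned the following session id: $sessid", 1);
        COM_errorLog("*************leaving SESS_newSession*****************", 1);
    }

    if ($md5_based == 1) {
        return $md5_sessid;
    } else {
        return $sessid;
    }
}

/**
 * Sets the session cookie
 *
 * This saves the session ID to the session cookie on client's machine for
 * later use
 *
 * @param string $sessid       Session ID to save to cookie
 * @param int    $cookietime   Cookie timeout value (not used)
 * @param string $cookiename   Name of cookie to save sessiond ID to
 * @param string $cookiepath   Path in which cookie should be sent to server for
 * @param string $cookiedomain Domain in which cookie should be sent to server for
 * @param int    $cookiesecure if =1, set cookie only on https connection
 */
function SESS_setSessionCookie($sessid, $cookietime, $cookiename, $cookiepath, $cookiedomain, $cookiesecure)
{
    global $_SESS_VERBOSE;

    // This sets a cookie that will persist until the user closes their browser
    // window. since session expiry is handled on the server-side, cookie expiry
    // time isn't a big deal.
    if ($_SESS_VERBOSE) {
        COM_errorLog("Setting session cookie: setcookie($cookiename, $sessid, 0, $cookiepath, $cookiedomain, $cookiesecure);", 1);
    }

    // NOTE(review): no HttpOnly flag is set here; the setcookie() signature
    // used is the five-argument one this code base targets. Consider it where
    // the runtime supports it, since the cookie is a bearer credential.
    if (setcookie($cookiename, $sessid, 0, $cookiepath, $cookiedomain,
                  $cookiesecure) === false) {
        COM_errorLog('Failed to set session cookie.', 1);
    }
}

/**
 * Gets the user id from Session ID
 *
 * Returns the userID associated with the given session, based on
 * the given session lifespan $cookietime and the given remote IP
 * address. If no match found, returns 0.
 *
 * $sessid comes straight from the client cookie. In md5 mode it must be a
 * 32-character lowercase hex string (what SESS_newSession() issues); in
 * plain mode it must be numeric. Anything else cannot match a stored
 * session and is rejected before it is interpolated into SQL.
 *
 * @param  string $sessid     Session ID to get user ID from
 * @param  string $cookietime Used to query DB for valid sessions
 * @param  string $remote_ip  Used to pull session we need
 * @param  int    $md5_based  Let's us now if we need to take MD5 hash into consideration
 * @return int    User ID, 0 when no valid session matches
 */
function SESS_getUserIdFromSession($sessid, $cookietime, $remote_ip, $md5_based = 0)
{
    global $_CONF, $_TABLES, $_SESS_VERBOSE;

    if ($_SESS_VERBOSE) {
        COM_errorLog("****Inside SESS_getUserIdFromSession", 1);
    }

    $mintime = time() - $cookietime;

    if ($md5_based == 1) {
        if (!preg_match('/^[0-9a-f]{32}$/', $sessid)) {
            return 0;
        }
        $sql = "SELECT uid FROM {$_TABLES['sessions']} WHERE "
             . "(md5_sess_id = '$sessid') AND (start_time > $mintime) AND (remote_ip = '$remote_ip')";
    } else {
        $sessid = (int) $sessid;
        $sql = "SELECT uid FROM {$_TABLES['sessions']} WHERE "
             . "(sess_id = '$sessid') AND (start_time > $mintime) AND (remote_ip = '$remote_ip')";
    }

    if ($_SESS_VERBOSE) {
        COM_errorLog("SQL in SESS_getUserIdFromSession is:\n<BR> $sql <BR>\n");
    }

    $result = DB_query($sql);
    $row = DB_fetchArray($result);

    if ($_SESS_VERBOSE) {
        COM_errorLog("****Leaving SESS_getUserIdFromSession", 1);
    }

    if (!$row) {
        return 0;
    } else {
        return $row['uid'];
    }
}

/**
 * Updates a session cookies timeout
 *
 * Refresh the start_time of the given session in the database.
 * This is called whenever a page is hit by a user with a valid session.
 *
 * The session id is validated the same way as in SESS_getUserIdFromSession();
 * the plain-mode query previously interpolated the cookie value unquoted.
 *
 * @param  string  $sessid    Session ID to update time for
 * @param  int     $md5_based Indicates if sessid is MD5 hash
 * @return boolean always true for some reason
 */
function SESS_updateSessionTime($sessid, $md5_based = 0)
{
    global $_TABLES;

    $newtime = (string) time();

    if ($md5_based == 1) {
        if (!preg_match('/^[0-9a-f]{32}$/', $sessid)) {
            return 1;
        }
        $sql = "UPDATE {$_TABLES['sessions']} SET start_time=$newtime WHERE (md5_sess_id = '$sessid')";
    } else {
        $sessid = (int) $sessid;
        $sql = "UPDATE {$_TABLES['sessions']} SET start_time=$newtime WHERE (sess_id = $sessid)";
    }

    DB_query($sql);

    return 1;
}

/**
 * This ends a user session
 *
 * Delete the given session from the database. Used by the logout page.
 *
 * @param  int     $userid User ID to end session of
 * @return boolean Always true for some reason
 */
function SESS_endUserSession($userid)
{
    global $_TABLES;

    $userid = (int) $userid;
    $sql = "DELETE FROM {$_TABLES['sessions']} WHERE (uid = $userid)";
    DB_query($sql);

    return 1;
}

/**
 * Gets a user's data
 *
 * Gets user's data based on their username
 *
 * NOTE(review): $username is interpolated into the query as given; callers
 * are expected to have escaped it for SQL. Not changed here because escaping
 * twice would break lookups for names containing quotes.
 *
 * @param  string $username Username of user to get data for
 * @return array|false user's data in an array, false when the query or the
 *                     fetch fails
 */
function SESS_getUserData($username)
{
    global $_TABLES;

    $sql = "SELECT *,format FROM {$_TABLES['users']}, {$_TABLES['userprefs']}, {$_TABLES['dateformats']} "
         . "WHERE {$_TABLES['dateformats']}.dfid = {$_TABLES['userprefs']}.dfid AND "
         . "{$_TABLES['userprefs']}.uid = {$_TABLES['users']}.uid AND username = '$username'";

    $result = DB_query($sql);
    if (!$result) {
        COM_errorLog("error in get_userdata");
        return false;
    }

    $myrow = DB_fetchArray($result);
    if (!$myrow) {
        COM_errorLog("error in get_userdata");
    }

    return $myrow;
}

/**
 * Gets user's data
 *
 * Gets user's data based on their user id
 *
 * @param  int   $userid User ID of user to get data for
 * @return array returns user'd data in an array; array('error' => '1') when
 *               the query fails or no row is found
 */
function SESS_getUserDataFromId($userid)
{
    global $_TABLES;

    // Callers pass cookie-derived ids; force an integer before interpolating.
    $userid = (int) $userid;

    $sql = "SELECT *,format FROM {$_TABLES['dateformats']},{$_TABLES["users"]},{$_TABLES['userprefs']} "
         . "WHERE {$_TABLES['dateformats']}.dfid = {$_TABLES['userprefs']}.dfid AND "
         . "{$_TABLES['userprefs']}.uid = $userid AND {$_TABLES['users']}.uid = $userid";

    $result = DB_query($sql);
    if (!$result) {
        return array("error" => "1");
    }

    $myrow = DB_fetchArray($result);
    if (!$myrow) {
        return array("error" => "1");
    }

    return $myrow;
}

?>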