1 rizwank 1.1 <?php
2 /***************************************************************************
3 * sessions.php
4 * -------------------
5 * begin : Saturday, Feb 13, 2001
6 * copyright : (C) 2001 The phpBB Group
7 * email : support@phpbb.com
8 *
9 * $Id: sessions.php,v 1.58.2.8 2002/12/18 01:06:19 psotfx Exp $
10 *
11 *
12 ***************************************************************************/
13
14 /***************************************************************************
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 2 of the License, or
19 * (at your option) any later version.
20 *
21 ***************************************************************************/
22 rizwank 1.1
23 //
24 // Adds/updates a new session to the database for the given userid.
25 // Returns the new session ID on success.
26 //
27 function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_autologin = 0)
28 {
29 global $db, $board_config;
30 global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $SID;
31
32 $cookiename = $board_config['cookie_name'];
33 $cookiepath = $board_config['cookie_path'];
34 $cookiedomain = $board_config['cookie_domain'];
35 $cookiesecure = $board_config['cookie_secure'];
36
37 if ( isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) || isset($HTTP_COOKIE_VARS[$cookiename . '_data']) )
38 {
39 $session_id = isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) ? $HTTP_COOKIE_VARS[$cookiename . '_sid'] : '';
40 $sessiondata = isset($HTTP_COOKIE_VARS[$cookiename . '_data']) ? unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : '';
41 $sessionmethod = SESSION_METHOD_COOKIE;
42 }
43 rizwank 1.1 else
44 {
45 $sessiondata = '';
46 $session_id = ( isset($HTTP_GET_VARS['sid']) ) ? $HTTP_GET_VARS['sid'] : '';
47 $sessionmethod = SESSION_METHOD_GET;
48 }
49
50 $last_visit = 0;
51 $current_time = time();
52 $expiry_time = $current_time - $board_config['session_length'];
53
54 //
55 // Try and pull the last time stored in a cookie, if it exists
56 //
57 $sql = "SELECT *
58 FROM " . USERS_TABLE . "
59 WHERE user_id = $user_id";
60 if ( !($result = $db->sql_query($sql)) )
61 {
62 message_die(CRITICAL_ERROR, 'Could not obtain lastvisit data from user table', '', __LINE__, __FILE__, $sql);
63 }
64 rizwank 1.1
65 $userdata = $db->sql_fetchrow($result);
66
67 if ( $user_id != ANONYMOUS )
68 {
69 $auto_login_key = $userdata['user_password'];
70
71 if ( $auto_create )
72 {
73 if ( isset($sessiondata['autologinid']) && $userdata['user_active'] )
74 {
75 // We have to login automagically
76 if( $sessiondata['autologinid'] == $auto_login_key )
77 {
78 // autologinid matches password
79 $login = 1;
80 $enable_autologin = 1;
81 }
82 else
83 {
84 // No match; don't login, set as anonymous user
85 rizwank 1.1 $login = 0;
86 $enable_autologin = 0;
87 $user_id = $userdata['user_id'] = ANONYMOUS;
88 }
89 }
90 else
91 {
92 // Autologin is not set. Don't login, set as anonymous user
93 $login = 0;
94 $enable_autologin = 0;
95 $user_id = $userdata['user_id'] = ANONYMOUS;
96 }
97 }
98 else
99 {
100 $login = 1;
101 }
102 }
103 else
104 {
105 $login = 0;
106 rizwank 1.1 $enable_autologin = 0;
107 }
108
109 //
110 // Initial ban check against user id, IP and email address
111 //
112 preg_match('/(..)(..)(..)(..)/', $user_ip, $user_ip_parts);
113
114 $sql = "SELECT ban_ip, ban_userid, ban_email
115 FROM " . BANLIST_TABLE . "
116 WHERE ban_ip IN ('" . $user_ip_parts[1] . $user_ip_parts[2] . $user_ip_parts[3] . $user_ip_parts[4] . "', '" . $user_ip_parts[1] . $user_ip_parts[2] . $user_ip_parts[3] . "ff', '" . $user_ip_parts[1] . $user_ip_parts[2] . "ffff', '" . $user_ip_parts[1] . "ffffff')
117 OR ban_userid = $user_id";
118 if ( $user_id != ANONYMOUS )
119 {
120 $sql .= " OR ban_email LIKE '" . str_replace("\'", "''", $userdata['user_email']) . "'
121 OR ban_email LIKE '" . substr(str_replace("\'", "''", $userdata['user_email']), strpos(str_replace("\'", "''", $userdata['user_email']), "@")) . "'";
122 }
123 if ( !($result = $db->sql_query($sql)) )
124 {
125 message_die(CRITICAL_ERROR, 'Could not obtain ban information', '', __LINE__, __FILE__, $sql);
126 }
127 rizwank 1.1
128 if ( $ban_info = $db->sql_fetchrow($result) )
129 {
130 if ( $ban_info['ban_ip'] || $ban_info['ban_userid'] || $ban_info['ban_email'] )
131 {
132 message_die(CRITICAL_MESSAGE, 'You_been_banned');
133 }
134 }
135
136 //
137 // Create or update the session
138 //
139 $sql = "UPDATE " . SESSIONS_TABLE . "
140 SET session_user_id = $user_id, session_start = $current_time, session_time = $current_time, session_page = $page_id, session_logged_in = $login
141 WHERE session_id = '" . $session_id . "'
142 AND session_ip = '$user_ip'";
143 if ( !$db->sql_query($sql) || !$db->sql_affectedrows() )
144 {
145 $session_id = md5(uniqid($user_ip));
146
147 $sql = "INSERT INTO " . SESSIONS_TABLE . "
148 rizwank 1.1 (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in)
149 VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login)";
150 if ( !$db->sql_query($sql) )
151 {
152 message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
153 }
154 }
155
156 if ( $user_id != ANONYMOUS )
157 {// ( $userdata['user_session_time'] > $expiry_time && $auto_create ) ? $userdata['user_lastvisit'] : (
158 $last_visit = ( $userdata['user_session_time'] > 0 ) ? $userdata['user_session_time'] : $current_time;
159
160 $sql = "UPDATE " . USERS_TABLE . "
161 SET user_session_time = $current_time, user_session_page = $page_id, user_lastvisit = $last_visit
162 WHERE user_id = $user_id";
163 if ( !$db->sql_query($sql) )
164 {
165 message_die(CRITICAL_ERROR, 'Error updating last visit time', '', __LINE__, __FILE__, $sql);
166 }
167
168 $userdata['user_lastvisit'] = $last_visit;
169 rizwank 1.1
170 $sessiondata['autologinid'] = ( $enable_autologin && $sessionmethod == SESSION_METHOD_COOKIE ) ? $auto_login_key : '';
171 $sessiondata['userid'] = $user_id;
172 }
173
174 $userdata['session_id'] = $session_id;
175 $userdata['session_ip'] = $user_ip;
176 $userdata['session_user_id'] = $user_id;
177 $userdata['session_logged_in'] = $login;
178 $userdata['session_page'] = $page_id;
179 $userdata['session_start'] = $current_time;
180 $userdata['session_time'] = $current_time;
181
182 setcookie($cookiename . '_data', serialize($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);
183 setcookie($cookiename . '_sid', $session_id, 0, $cookiepath, $cookiedomain, $cookiesecure);
184
185 $SID = 'sid=' . $session_id;
186
187 return $userdata;
188 }
189
190 rizwank 1.1 //
191 // Checks for a given user session, tidies session table and updates user
192 // sessions at each page refresh
193 //
194 function session_pagestart($user_ip, $thispage_id)
195 {
196 global $db, $lang, $board_config;
197 global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $SID;
198
199 $cookiename = $board_config['cookie_name'];
200 $cookiepath = $board_config['cookie_path'];
201 $cookiedomain = $board_config['cookie_domain'];
202 $cookiesecure = $board_config['cookie_secure'];
203
204 $current_time = time();
205 unset($userdata);
206
207 if ( isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) || isset($HTTP_COOKIE_VARS[$cookiename . '_data']) )
208 {
209 $sessiondata = isset( $HTTP_COOKIE_VARS[$cookiename . '_data'] ) ? unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : '';
210 $session_id = isset( $HTTP_COOKIE_VARS[$cookiename . '_sid'] ) ? $HTTP_COOKIE_VARS[$cookiename . '_sid'] : '';
211 rizwank 1.1 $sessionmethod = SESSION_METHOD_COOKIE;
212 }
213 else
214 {
215 $sessiondata = '';
216 $session_id = ( isset($HTTP_GET_VARS['sid']) ) ? $HTTP_GET_VARS['sid'] : '';
217 $sessionmethod = SESSION_METHOD_GET;
218 }
219
220 //
221 // Does a session exist?
222 //
223 if ( !empty($session_id) )
224 {
225 //
226 // session_id exists so go ahead and attempt to grab all
227 // data in preparation
228 //
229 $sql = "SELECT u.*, s.*
230 FROM " . SESSIONS_TABLE . " s, " . USERS_TABLE . " u
231 WHERE s.session_id = '$session_id'
232 rizwank 1.1 AND u.user_id = s.session_user_id";
233 if ( !($result = $db->sql_query($sql)) )
234 {
235 message_die(CRITICAL_ERROR, 'Error doing DB query userdata row fetch', '', __LINE__, __FILE__, $sql);
236 }
237
238 $userdata = $db->sql_fetchrow($result);
239
240 //
241 // Did the session exist in the DB?
242 //
243 if ( isset($userdata['user_id']) )
244 {
245 //
246 // Do not check IP assuming equivalence, if IPv4 we'll check only first 24
247 // bits ... I've been told (by vHiker) this should alleviate problems with
248 // load balanced et al proxies while retaining some reliance on IP security.
249 //
250 $ip_check_s = substr($userdata['session_ip'], 0, 6);
251 $ip_check_u = substr($user_ip, 0, 6);
252
253 rizwank 1.1 if ($ip_check_s == $ip_check_u)
254 {
255 $SID = ($sessionmethod == SESSION_METHOD_GET || defined('IN_ADMIN')) ? 'sid=' . $session_id : '';
256
257 //
258 // Only update session DB a minute or so after last update
259 //
260 if ( $current_time - $userdata['session_time'] > 60 )
261 {
262 $sql = "UPDATE " . SESSIONS_TABLE . "
263 SET session_time = $current_time, session_page = $thispage_id
264 WHERE session_id = '" . $userdata['session_id'] . "'";
265 if ( !$db->sql_query($sql) )
266 {
267 message_die(CRITICAL_ERROR, 'Error updating sessions table', '', __LINE__, __FILE__, $sql);
268 }
269
270 if ( $userdata['user_id'] != ANONYMOUS )
271 {
272 $sql = "UPDATE " . USERS_TABLE . "
273 SET user_session_time = $current_time, user_session_page = $thispage_id
274 rizwank 1.1 WHERE user_id = " . $userdata['user_id'];
275 if ( !$db->sql_query($sql) )
276 {
277 message_die(CRITICAL_ERROR, 'Error updating sessions table', '', __LINE__, __FILE__, $sql);
278 }
279 }
280
281 //
282 // Delete expired sessions
283 //
284 $expiry_time = $current_time - $board_config['session_length'];
285 $sql = "DELETE FROM " . SESSIONS_TABLE . "
286 WHERE session_time < $expiry_time
287 AND session_id <> '$session_id'";
288 if ( !$db->sql_query($sql) )
289 {
290 message_die(CRITICAL_ERROR, 'Error clearing sessions table', '', __LINE__, __FILE__, $sql);
291 }
292
293 setcookie($cookiename . '_data', serialize($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);
294 setcookie($cookiename . '_sid', $session_id, 0, $cookiepath, $cookiedomain, $cookiesecure);
295 rizwank 1.1 }
296
297 return $userdata;
298 }
299 }
300 }
301
302 //
303 // If we reach here then no (valid) session exists. So we'll create a new one,
304 // using the cookie user_id if available to pull basic user prefs.
305 //
306 $user_id = ( isset($sessiondata['userid']) ) ? intval($sessiondata['userid']) : ANONYMOUS;
307
308 if ( !($userdata = session_begin($user_id, $user_ip, $thispage_id, TRUE)) )
309 {
310 message_die(CRITICAL_ERROR, 'Error creating user session', '', __LINE__, __FILE__, $sql);
311 }
312
313 return $userdata;
314
315 }
316 rizwank 1.1
317 //
318 // session_end closes out a session
319 // deleting the corresponding entry
320 // in the sessions table
321 //
322 function session_end($session_id, $user_id)
323 {
324 global $db, $lang, $board_config;
325 global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $SID;
326
327 $cookiename = $board_config['cookie_name'];
328 $cookiepath = $board_config['cookie_path'];
329 $cookiedomain = $board_config['cookie_domain'];
330 $cookiesecure = $board_config['cookie_secure'];
331
332 //
333 // Pull cookiedata or grab the URI propagated sid
334 //
335 if ( isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) )
336 {
337 rizwank 1.1 $session_id = isset( $HTTP_COOKIE_VARS[$cookiename . '_sid'] ) ? $HTTP_COOKIE_VARS[$cookiename . '_sid'] : '';
338 $sessionmethod = SESSION_METHOD_COOKIE;
339 }
340 else
341 {
342 $session_id = ( isset($HTTP_GET_VARS['sid']) ) ? $HTTP_GET_VARS['sid'] : '';
343 $sessionmethod = SESSION_METHOD_GET;
344 }
345
346 //
347 // Delete existing session
348 //
349 $sql = "DELETE FROM " . SESSIONS_TABLE . "
350 WHERE session_id = '$session_id'
351 AND session_user_id = $user_id";
352 if ( !$db->sql_query($sql) )
353 {
354 message_die(CRITICAL_ERROR, 'Error removing user session', '', __LINE__, __FILE__, $sql);
355 }
356
357 setcookie($cookiename . '_data', '', $current_time - 31536000, $cookiepath, $cookiedomain, $cookiesecure);
358 rizwank 1.1 setcookie($cookiename . '_sid', '', $current_time - 31536000, $cookiepath, $cookiedomain, $cookiesecure);
359
360 return true;
361 }
362
363 //
364 // Append $SID to a url. Borrowed from phplib and modified. This is an
365 // extra routine utilised by the session code above and acts as a wrapper
366 // around every single URL and form action. If you replace the session
367 // code you must include this routine, even if it's empty.
368 //
369 function append_sid($url, $non_html_amp = false)
370 {
371 global $SID;
372
373 if ( !empty($SID) && !preg_match('#sid=#', $url) )
374 {
375 $url .= ( ( strpos($url, '?') != false ) ? ( ( $non_html_amp ) ? '&' : '&' ) : '?' ) . $SID;
376 }
377
378 return $url;
379 rizwank 1.1 }
380
381 ?>
|
Return to
sessions.php
CVS log
Up to [RizwankCVS] / geekymedia_web / phpBB2 / includes