X-Git-Url: https://git.wh0rd.org/?a=blobdiff_plain;f=include%2Fsessions.php;h=5584c25bdbff3fd3ea446069c2a1e60d30f9bad9;hb=d246fb9fe1f18eb98037758f1b7369b34258fbf7;hp=1b1d00cc27237d55c4f09d7640fa8a655f0743b1;hpb=2137d67496232fb6c373598c2f046e24fc4adb82;p=tt-rss.git
diff --git a/include/sessions.php b/include/sessions.php
index 1b1d00cc..5584c25b 100644
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -2,114 +2,155 @@ // Original from http://www.daniweb.com/code/snippet43.html require_once "config.php"; - require_once "db.php"; - - $session_expire = max(SESSION_COOKIE_LIFETIME, 86400); + require_once "classes/db.php"; + require_once "autoload.php"; + require_once "errorhandler.php"; + require_once "lib/accept-to-gettext.php"; + require_once "lib/gettext/gettext.inc"; + require_once "version.php"; + + $session_expire = min(2147483647 - time() - 1, max(SESSION_COOKIE_LIFETIME, 86400)); $session_name = (!defined('TTRSS_SESSION_NAME')) ? "ttrss_sid" : TTRSS_SESSION_NAME; - if (@$_SERVER['HTTPS'] == "on") { - $session_name .= "_ssl"; + if (is_server_https()) { ini_set("session.cookie_secure", true); } - ini_set("session.gc_probability", 50); + ini_set("session.gc_probability", 75); ini_set("session.name", $session_name); ini_set("session.use_only_cookies", true); ini_set("session.gc_maxlifetime", $session_expire); + ini_set("session.cookie_lifetime", min(0, SESSION_COOKIE_LIFETIME)); - function ttrss_open ($s, $n) { + function session_get_schema_version() { + global $schema_version; - global $session_connection; + if (!$schema_version) { + $row = Db::pdo()->query("SELECT schema_version FROM ttrss_version")->fetch(); - $session_connection = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME); + $version = $row["schema_version"]; - return true; + $schema_version = $version; + return $version; + } else { + return $schema_version; + } } - function ttrss_read ($id){ + function validate_session() { + if (SINGLE_USER_MODE) return true; - global $session_connection,$session_read; + if (isset($_SESSION["ref_schema_version"]) && $_SESSION["ref_schema_version"] != session_get_schema_version()) { + $_SESSION["login_error_msg"] = + __("Session failed to validate (schema version changed)"); + return false; + } + $pdo = Db::pdo(); - $query = "SELECT data FROM ttrss_sessions WHERE id='$id'"; + if ($_SESSION["uid"]) { - $res = db_query($session_connection, $query); + if 
($_SESSION["user_agent"] != sha1($_SERVER['HTTP_USER_AGENT'])) { + $_SESSION["login_error_msg"] = __("Session failed to validate (UA changed)."); + return false; + } - if (db_num_rows($res) != 1) { - return ""; - } else { - $session_read = db_fetch_assoc($res); - $session_read["data"] = base64_decode($session_read["data"]); - return $session_read["data"]; - } - } + $sth = $pdo->prepare("SELECT pwd_hash FROM ttrss_users WHERE id = ?"); + $sth->execute([$_SESSION['uid']]); - function ttrss_write ($id, $data) { + // user not found + if ($row = $sth->fetch()) { + $pwd_hash = $row["pwd_hash"]; - if (! $data) { - return false; - } + if ($pwd_hash != $_SESSION["pwd_hash"]) { - global $session_connection, $session_read, $session_expire; + $_SESSION["login_error_msg"] = + __("Session failed to validate (password changed)"); - $expire = time() + $session_expire; + return false; + } + } else { - $data = db_escape_string($session_connection, base64_encode($data), false); + $_SESSION["login_error_msg"] = + __("Session failed to validate (user not found)"); - if ($session_read) { - $query = "UPDATE ttrss_sessions SET data='$data', - expire='$expire' WHERE id='$id'"; - } else { - $query = "INSERT INTO ttrss_sessions (id, data, expire) - VALUES ('$id', '$data', '$expire')"; + return false; + + } } - db_query($session_connection, $query); return true; } - function ttrss_close () { + /** + * @SuppressWarnings(PHPMD.UnusedFormalParameter) + */ + function ttrss_open ($s, $n) { + return true; + } - global $session_connection; + function ttrss_read ($id){ + global $session_expire; - //db_close($session_connection); + $sth = Db::pdo()->prepare("SELECT data FROM ttrss_sessions WHERE id=?"); + $sth->execute([$id]); + + if ($row = $sth->fetch()) { + return base64_decode($row["data"]); + + } else { + $expire = time() + $session_expire; + + $sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire) + VALUES (?, '', ?)"); + $sth->execute([$id, $expire]); + + return ""; + + } - 
return true; } - function ttrss_destroy ($id) { + function ttrss_write ($id, $data) { + global $session_expire; - global $session_connection; + $data = base64_encode($data); + $expire = time() + $session_expire; - $query = "DELETE FROM ttrss_sessions WHERE id = '$id'"; + $sth = Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?"); + $sth->execute([$data, $expire, $id]); - db_query($session_connection, $query); + return true; + } + function ttrss_close () { return true; } - function ttrss_gc ($expire) { + function ttrss_destroy($id) { + $sth = Db::pdo()->prepare("DELETE FROM ttrss_sessions WHERE id = ?"); + $sth->execute([$id]); - global $session_connection; + return true; + } - $query = "DELETE FROM ttrss_sessions WHERE expire < " . time(); + /** + * @SuppressWarnings(PHPMD.UnusedFormalParameter) + */ + function ttrss_gc ($expire) { + Db::pdo()->query("DELETE FROM ttrss_sessions WHERE expire < " . time()); - db_query($session_connection, $query); + return true; } if (!SINGLE_USER_MODE /* && DB_TYPE == "pgsql" */) { session_set_save_handler("ttrss_open", "ttrss_close", "ttrss_read", "ttrss_write", "ttrss_destroy", "ttrss_gc"); + register_shutdown_function('session_write_close'); } - if (!defined('TTRSS_SESSION_NAME') || TTRSS_SESSION_NAME != 'ttrss_api_sid') { - if (isset($_COOKIE[$session_name])) { + if (!defined('NO_SESSION_AUTOSTART')) { + if (isset($_COOKIE[session_name()])) { @session_start(); - - if (!$_SESSION["uid"]) { - session_destroy(); - setcookie(session_name(), '', time()-42000, '/'); - } } } -?>
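Review bot: validate_session() compares the stored password hash and the user-agent hash with loose `!=` (`if ($pwd_hash != $_SESSION["pwd_hash"])` and the `user_agent` check just above it); both operands are strings and PHP compares numeric-looking strings numerically, so use a strict, constant-time comparison such as `if (!hash_equals((string) $pwd_hash, (string) $_SESSION["pwd_hash"]))`, and guard the reads with `isset()` since `$_SESSION["uid"]`, `$_SESSION["user_agent"]` and `$_SERVER['HTTP_USER_AGENT']` are all dereferenced unchecked. The new ini block enables `session.cookie_secure` only when is_server_https() is true but never sets `session.cookie_httponly`; adding `ini_set("session.cookie_httponly", true);` next to the `use_only_cookies` line keeps the session id out of reach of page scripts. `ini_set("session.cookie_lifetime", min(0, SESSION_COOKIE_LIFETIME));` evaluates to 0 for any non-negative setting, so the configured lifetime never reaches the cookie — if a browser-session cookie is intended, a comment should say so; if not, `max` was presumably meant. ttrss_read() now inserts a placeholder row for whatever id the client presents, so a session id is no longer guaranteed to be server-generated; that is only safe if the login path calls `session_regenerate_id(true)`, which lives outside this file and is worth confirming.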