[tt-rss.git] / include / sessions.php

<?php
	// Original from http://www.daniweb.com/code/snippet43.html

	require_once "config.php";
	require_once "classes/db.php";
	require_once "autoload.php";
	require_once "errorhandler.php";
	require_once "lib/accept-to-gettext.php";
	require_once "lib/gettext/gettext.inc";
	require_once "version.php";

	$session_expire = min(2147483647 - time() - 1, max(SESSION_COOKIE_LIFETIME, 86400));
	$session_name = (!defined('TTRSS_SESSION_NAME')) ? "ttrss_sid" : TTRSS_SESSION_NAME;

	if (is_server_https()) {
		ini_set("session.cookie_secure", true);
	}

	ini_set("session.gc_probability", 75);
	ini_set("session.name", $session_name);
	ini_set("session.use_only_cookies", true);
	ini_set("session.gc_maxlifetime", $session_expire);
	ini_set("session.cookie_lifetime", min(0, SESSION_COOKIE_LIFETIME));

	function session_get_schema_version() {
		global $schema_version;

		if (!$schema_version) {
			$row = Db::pdo()->query("SELECT schema_version FROM ttrss_version")->fetch();

			$version = $row["schema_version"];

			$schema_version = $version;
			return $version;
		} else {
			return $schema_version;
		}
	}

	function validate_session() {
		if (SINGLE_USER_MODE) return true;

		if (isset($_SESSION["ref_schema_version"]) && $_SESSION["ref_schema_version"] != session_get_schema_version()) {
			$_SESSION["login_error_msg"] =
				__("Session failed to validate (schema version changed)");
			return false;
		}
        $pdo = Db::pdo();

		if ($_SESSION["uid"]) {

			if (!defined('_SKIP_SESSION_ADDRESS_CHECKS') || !_SKIP_SESSION_ADDRESS_CHECKS) {
				if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
					$_SESSION["login_error_msg"] = __("Session failed to validate.");
					return false;
				}
			}

			if ($_SESSION["user_agent"] != sha1($_SERVER['HTTP_USER_AGENT'])) {
				$_SESSION["login_error_msg"] = __("Session failed to validate.");
				return false;
			}

			$sth = $pdo->prepare("SELECT pwd_hash FROM ttrss_users WHERE id = ?");
			$sth->execute([$_SESSION['uid']]);

			// user not found
			if ($row = $sth->fetch()) {
                $pwd_hash = $row["pwd_hash"];

                if ($pwd_hash != $_SESSION["pwd_hash"]) {

                    $_SESSION["login_error_msg"] =
                        __("Session failed to validate (password changed)");

                    return false;
                }
			} else {

                $_SESSION["login_error_msg"] =
                    __("Session failed to validate (user not found)");

                return false;

			}
		}

		return true;
	}

	/**
	 * @SuppressWarnings(PHPMD.UnusedFormalParameter)
	 */
	function ttrss_open ($s, $n) {
		return true;
	}

	function ttrss_read ($id){
		global $session_expire;

		$sth = Db::pdo()->prepare("SELECT data FROM ttrss_sessions WHERE id=?");
		$sth->execute([$id]);

		if ($row = $sth->fetch()) {
            return base64_decode($row["data"]);

		} else {
            $expire = time() + $session_expire;

            $sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
					VALUES (?, '', ?)");
            $sth->execute([$id, $expire]);

            return "";

		}

	}

	function ttrss_write ($id, $data) {
		global $session_expire;

		$data = base64_encode($data);
		$expire = time() + $session_expire;

        $sth = Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?");
        $sth->execute([$data, $expire, $id]);

		return true;
	}

	function ttrss_close () {
		return true;
	}

	function ttrss_destroy($id) {
		$sth = Db::pdo()->prepare("DELETE FROM ttrss_sessions WHERE id = ?");
		$sth->execute([$id]);

		return true;
	}

	/**
	 * @SuppressWarnings(PHPMD.UnusedFormalParameter)
	 */
	function ttrss_gc ($expire) {
		Db::pdo()->query("DELETE FROM ttrss_sessions WHERE expire < " . time());

		return true;
	}

	if (!SINGLE_USER_MODE /* && DB_TYPE == "pgsql" */) {
		session_set_save_handler("ttrss_open",
			"ttrss_close", "ttrss_read", "ttrss_write",
			"ttrss_destroy", "ttrss_gc");
		register_shutdown_function('session_write_close');
	}

	if (!defined('NO_SESSION_AUTOSTART')) {
		if (isset($_COOKIE[session_name()])) {
			@session_start();
		}
	}
Commit	Line	Data
1d3a17c7	1	<?php
36bfab86 AD	2	// Original from http://www.daniweb.com/code/snippet43.html
	3
	4	require_once "config.php";
404e2e36 AD	5	require_once "classes/db.php";
404e2e36 AD	6	require_once "autoload.php";
889a5f9f	7	require_once "errorhandler.php";
7081aaa0 RP	8	require_once "lib/accept-to-gettext.php";
7081aaa0 RP	9	require_once "lib/gettext/gettext.inc";
81020562	10	require_once "version.php";
36bfab86	11
09628e1b	12	$session_expire = min(2147483647 - time() - 1, max(SESSION_COOKIE_LIFETIME, 86400));
3dd46f19	13	$session_name = (!defined('TTRSS_SESSION_NAME')) ? "ttrss_sid" : TTRSS_SESSION_NAME;
36bfab86	14
1b5b1e5f	15	if (is_server_https()) {
3d72afa1 AD	16	ini_set("session.cookie_secure", true);
	17	}
	18
9ce7a554	19	ini_set("session.gc_probability", 75);
3dd46f19	20	ini_set("session.name", $session_name);
c5466b7f	21	ini_set("session.use_only_cookies", true);
6cfd3c14	22	ini_set("session.gc_maxlifetime", $session_expire);
9ce7a554	23	ini_set("session.cookie_lifetime", min(0, SESSION_COOKIE_LIFETIME));
36bfab86	24
7b55001e	25	function session_get_schema_version() {
e9b74692 AD	26	global $schema_version;
	27
	28	if (!$schema_version) {
4d13514d AD	29	$row = Db::pdo()->query("SELECT schema_version FROM ttrss_version")->fetch();
	30
	31	$version = $row["schema_version"];
	32
e9b74692 AD	33	$schema_version = $version;
	34	return $version;
	35	} else {
	36	return $schema_version;
	37	}
	38	}
	39
6322ac79	40	function validate_session() {
e9b74692 AD	41	if (SINGLE_USER_MODE) return true;
e9b74692 AD	42
7b55001e	43	if (isset($_SESSION["ref_schema_version"]) && $_SESSION["ref_schema_version"] != session_get_schema_version()) {
04a8c206 AD	44	$_SESSION["login_error_msg"] =
04a8c206 AD	45	__("Session failed to validate (schema version changed)");
e9b74692	46	return false;
04a8c206	47	}
4d13514d	48	$pdo = Db::pdo();
e9b74692 AD	49
e9b74692 AD	50	if ($_SESSION["uid"]) {
7d53c2b5 AD	51
	52	if (!defined('_SKIP_SESSION_ADDRESS_CHECKS') \|\| !_SKIP_SESSION_ADDRESS_CHECKS) {
	53	if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
	54	$_SESSION["login_error_msg"] = __("Session failed to validate.");
	55	return false;
	56	}
	57	}
	58
	59	if ($_SESSION["user_agent"] != sha1($_SERVER['HTTP_USER_AGENT'])) {
	60	$_SESSION["login_error_msg"] = __("Session failed to validate.");
	61	return false;
	62	}
	63
4d13514d AD	64	$sth = $pdo->prepare("SELECT pwd_hash FROM ttrss_users WHERE id = ?");
4d13514d AD	65	$sth->execute([$_SESSION['uid']]);
e9b74692 AD	66
e9b74692 AD	67	// user not found
4d13514d AD	68	if ($row = $sth->fetch()) {
	69	$pwd_hash = $row["pwd_hash"];
	70
	71	if ($pwd_hash != $_SESSION["pwd_hash"]) {
04a8c206	72
4d13514d AD	73	$_SESSION["login_error_msg"] =
4d13514d AD	74	__("Session failed to validate (password changed)");
04a8c206	75
4d13514d AD	76	return false;
4d13514d AD	77	}
e9b74692	78	} else {
e9b74692	79
4d13514d AD	80	$_SESSION["login_error_msg"] =
4d13514d AD	81	__("Session failed to validate (user not found)");
04a8c206	82
4d13514d	83	return false;
04a8c206	84
e9b74692 AD	85	}
	86	}
	87
e9b74692 AD	88	return true;
	89	}
	90
7b55001e AD	91	/**
	92	* @SuppressWarnings(PHPMD.UnusedFormalParameter)
	93	*/
5be00836	94	function ttrss_open ($s, $n) {
36bfab86 AD	95	return true;
	96	}
	97
5be00836	98	function ttrss_read ($id){
404e2e36 AD	99	global $session_expire;
404e2e36 AD	100
4d13514d AD	101	$sth = Db::pdo()->prepare("SELECT data FROM ttrss_sessions WHERE id=?");
4d13514d AD	102	$sth->execute([$id]);
3d72afa1	103
4d13514d AD	104	if ($row = $sth->fetch()) {
4d13514d AD	105	return base64_decode($row["data"]);
36bfab86	106
4d13514d AD	107	} else {
4d13514d AD	108	$expire = time() + $session_expire;
36bfab86	109
4d13514d AD	110	$sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
	111	VALUES (?, '', ?)");
	112	$sth->execute([$id, $expire]);
	113
	114	return "";
3d72afa1	115
36bfab86	116	}
404e2e36	117
36bfab86 AD	118	}
36bfab86 AD	119
5be00836	120	function ttrss_write ($id, $data) {
404e2e36	121	global $session_expire;
3d72afa1	122
404e2e36	123	$data = base64_encode($data);
36bfab86	124	$expire = time() + $session_expire;
3d72afa1	125
4d13514d AD	126	$sth = Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?");
4d13514d AD	127	$sth->execute([$data, $expire, $id]);
3d72afa1	128
36bfab86 AD	129	return true;
	130	}
	131
5be00836	132	function ttrss_close () {
36bfab86 AD	133	return true;
	134	}
	135
404e2e36	136	function ttrss_destroy($id) {
4d13514d AD	137	$sth = Db::pdo()->prepare("DELETE FROM ttrss_sessions WHERE id = ?");
4d13514d AD	138	$sth->execute([$id]);
3d72afa1	139
36bfab86 AD	140	return true;
	141	}
	142
7b55001e AD	143	/**
	144	* @SuppressWarnings(PHPMD.UnusedFormalParameter)
	145	*/
5be00836	146	function ttrss_gc ($expire) {
4d13514d	147	Db::pdo()->query("DELETE FROM ttrss_sessions WHERE expire < " . time());
33d131d6 AD	148
33d131d6 AD	149	return true;
36bfab86 AD	150	}
36bfab86 AD	151
5c81e817	152	if (!SINGLE_USER_MODE /* && DB_TYPE == "pgsql" */) {
3d72afa1 AD	153	session_set_save_handler("ttrss_open",
3d72afa1 AD	154	"ttrss_close", "ttrss_read", "ttrss_write",
5be00836	155	"ttrss_destroy", "ttrss_gc");
404e2e36	156	register_shutdown_function('session_write_close');
8fd92701	157	}
d620cfe7	158
9ce7a554 AD	159	if (!defined('NO_SESSION_AUTOSTART')) {
9ce7a554 AD	160	if (isset($_COOKIE[session_name()])) {
5160620c AD	161	@session_start();
5160620c AD	162	}
964f1533	163	}