[tt-rss.git] / include / sessions.php

<?php
	// Original from http://www.daniweb.com/code/snippet43.html

	require_once "config.php";
	require_once "classes/db.php";
	require_once "autoload.php";
	require_once "errorhandler.php";
	require_once "lib/accept-to-gettext.php";
	require_once "lib/gettext/gettext.inc";
	require_once "version.php";

	$session_expire = min(2147483647 - time() - 1, max(SESSION_COOKIE_LIFETIME, 86400));
	$session_name = (!defined('TTRSS_SESSION_NAME')) ? "ttrss_sid" : TTRSS_SESSION_NAME;

	if (is_server_https()) {
		$session_name .= "_ssl";
		ini_set("session.cookie_secure", true);
	}

	ini_set("session.gc_probability", 75);
	ini_set("session.name", $session_name);
	ini_set("session.use_only_cookies", true);
	ini_set("session.gc_maxlifetime", $session_expire);
	ini_set("session.cookie_lifetime", min(0, SESSION_COOKIE_LIFETIME));

	function session_get_schema_version() {
		global $schema_version;

		if (!$schema_version) {
			$row = Db::pdo()->query("SELECT schema_version FROM ttrss_version")->fetch();

			$version = $row["schema_version"];

			$schema_version = $version;
			return $version;
		} else {
			return $schema_version;
		}
	}

	function validate_session() {
		if (SINGLE_USER_MODE) return true;

		if (isset($_SESSION["ref_schema_version"]) && $_SESSION["ref_schema_version"] != session_get_schema_version()) {
			$_SESSION["login_error_msg"] =
				__("Session failed to validate (schema version changed)");
			return false;
		}
        $pdo = Db::pdo();

		if ($_SESSION["uid"]) {

			if (!defined('_SKIP_SESSION_ADDRESS_CHECKS') || !_SKIP_SESSION_ADDRESS_CHECKS) {
				if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
					$_SESSION["login_error_msg"] = __("Session failed to validate.");
					return false;
				}
			}

			if ($_SESSION["user_agent"] != sha1($_SERVER['HTTP_USER_AGENT'])) {
				$_SESSION["login_error_msg"] = __("Session failed to validate.");
				return false;
			}

			$sth = $pdo->prepare("SELECT pwd_hash FROM ttrss_users WHERE id = ?");
			$sth->execute([$_SESSION['uid']]);

			// user not found
			if ($row = $sth->fetch()) {
                $pwd_hash = $row["pwd_hash"];

                if ($pwd_hash != $_SESSION["pwd_hash"]) {

                    $_SESSION["login_error_msg"] =
                        __("Session failed to validate (password changed)");

                    return false;
                }
			} else {

                $_SESSION["login_error_msg"] =
                    __("Session failed to validate (user not found)");

                return false;

			}
		}

		return true;
	}

	/**
	 * @SuppressWarnings(PHPMD.UnusedFormalParameter)
	 */
	function ttrss_open ($s, $n) {
		return true;
	}

	function ttrss_read ($id){
		global $session_expire;

		$sth = Db::pdo()->prepare("SELECT data FROM ttrss_sessions WHERE id=?");
		$sth->execute([$id]);

		if ($row = $sth->fetch()) {
            return base64_decode($row["data"]);

		} else {
            $expire = time() + $session_expire;

            $sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
					VALUES (?, '', ?)");
            $sth->execute([$id, $expire]);

            return "";

		}

	}

	function ttrss_write ($id, $data) {
		global $session_expire;

		$data = base64_encode($data);
		$expire = time() + $session_expire;

        $sth = Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?");
        $sth->execute([$data, $expire, $id]);

		return true;
	}

	function ttrss_close () {
		return true;
	}

	function ttrss_destroy($id) {
		$sth = Db::pdo()->prepare("DELETE FROM ttrss_sessions WHERE id = ?");
		$sth->execute([$id]);

		return true;
	}

	/**
	 * @SuppressWarnings(PHPMD.UnusedFormalParameter)
	 */
	function ttrss_gc ($expire) {
		Db::pdo()->query("DELETE FROM ttrss_sessions WHERE expire < " . time());

		return true;
	}

	if (!SINGLE_USER_MODE /* && DB_TYPE == "pgsql" */) {
		session_set_save_handler("ttrss_open",
			"ttrss_close", "ttrss_read", "ttrss_write",
			"ttrss_destroy", "ttrss_gc");
		register_shutdown_function('session_write_close');
	}

	if (!defined('NO_SESSION_AUTOSTART')) {
		if (isset($_COOKIE[session_name()])) {
			@session_start();

			if (!$_SESSION['uid']) {
				logout_user();
			}
		}
	}
Commit	Line	Data
1d3a17c7	1	<?php
36bfab86 AD	2	// Original from http://www.daniweb.com/code/snippet43.html
	3
	4	require_once "config.php";
404e2e36 AD	5	require_once "classes/db.php";
404e2e36 AD	6	require_once "autoload.php";
889a5f9f	7	require_once "errorhandler.php";
7081aaa0 RP	8	require_once "lib/accept-to-gettext.php";
7081aaa0 RP	9	require_once "lib/gettext/gettext.inc";
81020562	10	require_once "version.php";
36bfab86	11
09628e1b	12	$session_expire = min(2147483647 - time() - 1, max(SESSION_COOKIE_LIFETIME, 86400));
3dd46f19	13	$session_name = (!defined('TTRSS_SESSION_NAME')) ? "ttrss_sid" : TTRSS_SESSION_NAME;
36bfab86	14
1b5b1e5f	15	if (is_server_https()) {
3d72afa1 AD	16	$session_name .= "_ssl";
	17	ini_set("session.cookie_secure", true);
	18	}
	19
9ce7a554	20	ini_set("session.gc_probability", 75);
3dd46f19	21	ini_set("session.name", $session_name);
c5466b7f	22	ini_set("session.use_only_cookies", true);
6cfd3c14	23	ini_set("session.gc_maxlifetime", $session_expire);
9ce7a554	24	ini_set("session.cookie_lifetime", min(0, SESSION_COOKIE_LIFETIME));
36bfab86	25
7b55001e	26	function session_get_schema_version() {
e9b74692 AD	27	global $schema_version;
	28
	29	if (!$schema_version) {
4d13514d AD	30	$row = Db::pdo()->query("SELECT schema_version FROM ttrss_version")->fetch();
	31
	32	$version = $row["schema_version"];
	33
e9b74692 AD	34	$schema_version = $version;
	35	return $version;
	36	} else {
	37	return $schema_version;
	38	}
	39	}
	40
6322ac79	41	function validate_session() {
e9b74692 AD	42	if (SINGLE_USER_MODE) return true;
e9b74692 AD	43
7b55001e	44	if (isset($_SESSION["ref_schema_version"]) && $_SESSION["ref_schema_version"] != session_get_schema_version()) {
04a8c206 AD	45	$_SESSION["login_error_msg"] =
04a8c206 AD	46	__("Session failed to validate (schema version changed)");
e9b74692	47	return false;
04a8c206	48	}
4d13514d	49	$pdo = Db::pdo();
e9b74692 AD	50
e9b74692 AD	51	if ($_SESSION["uid"]) {
7d53c2b5 AD	52
	53	if (!defined('_SKIP_SESSION_ADDRESS_CHECKS') \|\| !_SKIP_SESSION_ADDRESS_CHECKS) {
	54	if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
	55	$_SESSION["login_error_msg"] = __("Session failed to validate.");
	56	return false;
	57	}
	58	}
	59
	60	if ($_SESSION["user_agent"] != sha1($_SERVER['HTTP_USER_AGENT'])) {
	61	$_SESSION["login_error_msg"] = __("Session failed to validate.");
	62	return false;
	63	}
	64
4d13514d AD	65	$sth = $pdo->prepare("SELECT pwd_hash FROM ttrss_users WHERE id = ?");
4d13514d AD	66	$sth->execute([$_SESSION['uid']]);
e9b74692 AD	67
e9b74692 AD	68	// user not found
4d13514d AD	69	if ($row = $sth->fetch()) {
	70	$pwd_hash = $row["pwd_hash"];
	71
	72	if ($pwd_hash != $_SESSION["pwd_hash"]) {
04a8c206	73
4d13514d AD	74	$_SESSION["login_error_msg"] =
4d13514d AD	75	__("Session failed to validate (password changed)");
04a8c206	76
4d13514d AD	77	return false;
4d13514d AD	78	}
e9b74692	79	} else {
e9b74692	80
4d13514d AD	81	$_SESSION["login_error_msg"] =
4d13514d AD	82	__("Session failed to validate (user not found)");
04a8c206	83
4d13514d	84	return false;
04a8c206	85
e9b74692 AD	86	}
	87	}
	88
e9b74692 AD	89	return true;
	90	}
	91
7b55001e AD	92	/**
	93	* @SuppressWarnings(PHPMD.UnusedFormalParameter)
	94	*/
5be00836	95	function ttrss_open ($s, $n) {
36bfab86 AD	96	return true;
	97	}
	98
5be00836	99	function ttrss_read ($id){
404e2e36 AD	100	global $session_expire;
404e2e36 AD	101
4d13514d AD	102	$sth = Db::pdo()->prepare("SELECT data FROM ttrss_sessions WHERE id=?");
4d13514d AD	103	$sth->execute([$id]);
3d72afa1	104
4d13514d AD	105	if ($row = $sth->fetch()) {
4d13514d AD	106	return base64_decode($row["data"]);
36bfab86	107
4d13514d AD	108	} else {
4d13514d AD	109	$expire = time() + $session_expire;
36bfab86	110
4d13514d AD	111	$sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
	112	VALUES (?, '', ?)");
	113	$sth->execute([$id, $expire]);
	114
	115	return "";
3d72afa1	116
36bfab86	117	}
404e2e36	118
36bfab86 AD	119	}
36bfab86 AD	120
5be00836	121	function ttrss_write ($id, $data) {
404e2e36	122	global $session_expire;
3d72afa1	123
404e2e36	124	$data = base64_encode($data);
36bfab86	125	$expire = time() + $session_expire;
3d72afa1	126
4d13514d AD	127	$sth = Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?");
4d13514d AD	128	$sth->execute([$data, $expire, $id]);
3d72afa1	129
36bfab86 AD	130	return true;
	131	}
	132
5be00836	133	function ttrss_close () {
36bfab86 AD	134	return true;
	135	}
	136
404e2e36	137	function ttrss_destroy($id) {
4d13514d AD	138	$sth = Db::pdo()->prepare("DELETE FROM ttrss_sessions WHERE id = ?");
4d13514d AD	139	$sth->execute([$id]);
3d72afa1	140
36bfab86 AD	141	return true;
	142	}
	143
7b55001e AD	144	/**
	145	* @SuppressWarnings(PHPMD.UnusedFormalParameter)
	146	*/
5be00836	147	function ttrss_gc ($expire) {
4d13514d	148	Db::pdo()->query("DELETE FROM ttrss_sessions WHERE expire < " . time());
33d131d6 AD	149
33d131d6 AD	150	return true;
36bfab86 AD	151	}
36bfab86 AD	152
5c81e817	153	if (!SINGLE_USER_MODE /* && DB_TYPE == "pgsql" */) {
3d72afa1 AD	154	session_set_save_handler("ttrss_open",
3d72afa1 AD	155	"ttrss_close", "ttrss_read", "ttrss_write",
5be00836	156	"ttrss_destroy", "ttrss_gc");
404e2e36	157	register_shutdown_function('session_write_close');
8fd92701	158	}
d620cfe7	159
9ce7a554 AD	160	if (!defined('NO_SESSION_AUTOSTART')) {
9ce7a554 AD	161	if (isset($_COOKIE[session_name()])) {
5160620c	162	@session_start();
74736fce AD	163
	164	if (!$_SESSION['uid']) {
	165	logout_user();
	166	}
5160620c	167	}
964f1533	168	}