validate_session: check for user agent
1 <?php
2         // Original from http://www.daniweb.com/code/snippet43.html
3
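require_once "config.php";
require_once "db.php";

// Server-side lifetime handed to the session GC.  The max() only ever
// raises the value, so a SESSION_COOKIE_LIFETIME below one day is
// effectively ignored here.
$session_expire = max(SESSION_COOKIE_LIFETIME, 86400);
$session_name = (!defined('TTRSS_SESSION_NAME')) ? "ttrss_sid" : TTRSS_SESSION_NAME;

// On a TLS request use a separate cookie name and mark the cookie Secure so
// the browser never replays it over plaintext.  isset() replaces the former
// `@` suppression: same outcome, no silenced notice when the key is absent.
// NOTE(review): session.cookie_httponly is not set anywhere in this block;
// worth considering so the id is not readable from page scripts.
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
	$session_name .= "_ssl";
	ini_set("session.cookie_secure", true);
}

// gc_probability 50 (with PHP's default gc_divisor of 100) runs ttrss_gc()
// on roughly every other request.
ini_set("session.gc_probability", 50);
ini_set("session.name", $session_name);
// Never accept a session id from the query string.
ini_set("session.use_only_cookies", true);
ini_set("session.gc_maxlifetime", $session_expire);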
19
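/**
 * Return the database schema version, caching it in the global
 * $schema_version so repeated calls within one request hit the DB once.
 *
 * @param mixed $link     database link accepted by db_query()
 * @param bool  $nocache  when true, re-read ttrss_version even if a cached
 *                        value exists.  Previously this argument was accepted
 *                        but never consulted, so callers passing true (e.g.
 *                        validate_session) silently got the cached value.
 * @return mixed  value of ttrss_version.schema_version as returned by
 *                db_fetch_result()
 */
function session_get_schema_version($link, $nocache = false) {
	global $schema_version;

	if ($schema_version && !$nocache) {
		return $schema_version;
	}

	$result = db_query($link, "SELECT schema_version FROM ttrss_version");
	$schema_version = db_fetch_result($result, 0, "schema_version");

	return $schema_version;
}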
32
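/**
 * Decide whether the current PHP session may still be trusted.
 *
 * Checks, in order: the client address against the one recorded at login
 * (granularity chosen by SESSION_CHECK_ADDRESS), the schema version the
 * session was created under, a SHA-1 of the User-Agent header, and finally
 * that the user row still exists with the same pwd_hash, so a password
 * change invalidates every other session of that user.  All of these are
 * server-side defence-in-depth against a replayed session cookie; none of
 * them replaces the cookie flags set at the top of this file.
 *
 * @param mixed $link  database link accepted by db_query()
 * @return bool  true when the session is acceptable; always true in
 *               SINGLE_USER_MODE.  On an address mismatch a translated
 *               message is left in $_SESSION["login_error_msg"].
 */
function validate_session($link) {
	if (SINGLE_USER_MODE) return true;

	$session_ip = isset($_SESSION['ip_address']) ? $_SESSION['ip_address'] : '';
	$remote_ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

	$check_ip = _session_ip_prefix($session_ip, SESSION_CHECK_ADDRESS);

	if ($check_ip) {
		// An octet prefix ("a.b.c.") is matched as a prefix; a full address
		// (no trailing dot) must match exactly, otherwise "10.0.0.1" would
		// also admit "10.0.0.10".
		if (substr($check_ip, -1) === '.') {
			$ip_ok = strpos($remote_ip, $check_ip) === 0;
		} else {
			$ip_ok = $remote_ip === $check_ip;
		}

		if (!$ip_ok) {
			$_SESSION["login_error_msg"] =
				__("Session failed to validate (incorrect IP)");
			return false;
		}
	}

	// Loose comparison is intentional: the DB value may come back as a
	// string while the session stores whatever was recorded at login.
	$ref_schema = isset($_SESSION["ref_schema_version"]) ? $_SESSION["ref_schema_version"] : null;
	if ($ref_schema != session_get_schema_version($link, true))
		return false;

	// User-Agent binding: a missing header hashes the same as an empty one,
	// and a session created before this check (no stored hash) is rejected.
	$user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
	$stored_ua = isset($_SESSION["user_agent"]) ? $_SESSION["user_agent"] : '';

	if (sha1($user_agent) !== $stored_ua)
		return false;

	if (!empty($_SESSION["uid"])) {
		// id is an integer key; casting keeps the interpolated query free of
		// any string content regardless of what the session holds.
		$uid = (int) $_SESSION["uid"];
		$result = db_query($link,
			"SELECT pwd_hash FROM ttrss_users WHERE id = '$uid'");

		// user not found
		if (db_num_rows($result) == 0) {
			return false;
		}

		$pwd_hash = db_fetch_result($result, 0, "pwd_hash");
		$stored_hash = isset($_SESSION["pwd_hash"]) ? $_SESSION["pwd_hash"] : null;

		// Strict string comparison: `!=` would treat numeric-looking hashes
		// as equal when their numeric values coincide.
		if ((string) $pwd_hash !== (string) $stored_hash) {
			return false;
		}
	}

	return true;
}

/**
 * Reduce the address recorded at login to the part SESSION_CHECK_ADDRESS
 * wants compared: 0 = no check (''), 1 = first three octets ("a.b.c."),
 * 2 = first two octets ("a.b."), any other value = the full address.
 *
 * An address with too few dots to drop the requested octets (an IPv6
 * address has none) is returned whole.  The previous substr()/strrpos()
 * arithmetic cut such addresses down to their first character, which made
 * the check pass for any client whose address started with the same digit.
 *
 * @param string $ip    address stored in the session
 * @param int    $mode  SESSION_CHECK_ADDRESS value
 * @return string  prefix to compare, or '' to skip the address check
 */
function _session_ip_prefix($ip, $mode) {
	switch ($mode) {
	case 0:
		return '';
	case 1:
		$octets_to_drop = 1;
		break;
	case 2:
		$octets_to_drop = 2;
		break;
	default:
		return $ip;
	}

	$parts = explode('.', $ip);

	if (count($parts) <= $octets_to_drop) {
		return $ip;
	}

	return implode('.', array_slice($parts, 0, count($parts) - $octets_to_drop)) . '.';
}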
90
91
/**
 * Session save-handler "open": establish the DB connection shared by the
 * other ttrss_* handlers via the global $session_connection.
 *
 * $s (save path) and $n (session name) are part of the handler signature
 * and are not used here.
 *
 * NOTE(review): the result of db_connect() is not checked, so this always
 * reports success; a failed connection only surfaces in the later handlers.
 *
 * @return bool always true
 */
function ttrss_open ($s, $n) {
	global $session_connection;
	$session_connection = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);
	return true;
}
100
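/**
 * Session save-handler "read": load the stored payload for session $id.
 *
 * $id arrives from the client's session cookie, so it is escaped before
 * being interpolated into the query (the original interpolated it raw).
 * The fetched row is kept in the global $session_read so ttrss_write() can
 * choose between UPDATE and INSERT later in the same request.
 *
 * @param string $id  session id
 * @return string  base64-decoded session data, or "" unless exactly one
 *                 row matched
 */
function ttrss_read ($id){
	global $session_connection,$session_read;

	$safe_id = db_escape_string($session_connection, $id, false);
	$query = "SELECT data FROM ttrss_sessions WHERE id='$safe_id'";

	$res = db_query($session_connection, $query);

	if (db_num_rows($res) != 1) {
		return "";
	}

	$session_read = db_fetch_assoc($res);
	$session_read["data"] = base64_decode($session_read["data"]);

	return $session_read["data"];
}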
117
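/**
 * Session save-handler "write": persist $data for session $id.
 *
 * Both the id (taken from the client's cookie) and the base64-encoded
 * payload are escaped before interpolation; previously only the payload
 * was.  UPDATE vs. INSERT is decided by $session_read, i.e. by whether
 * ttrss_read() found a row earlier in this request.
 *
 * NOTE(review): returning false for an empty payload is kept from the
 * original; PHP treats a false return from the write handler as a failure,
 * so an empty session may be reported as a write error.
 *
 * @param string $id    session id
 * @param string $data  serialized session payload
 * @return bool  false when there is nothing to write, true otherwise
 */
function ttrss_write ($id, $data) {
	if (! $data) {
		return false;
	}

	global $session_connection, $session_read, $session_expire;

	// Absolute expiry consumed by ttrss_gc(); $session_expire is set at the
	// top of this file.
	$expire = time() + $session_expire;

	$safe_id = db_escape_string($session_connection, $id, false);
	$data = db_escape_string($session_connection, base64_encode($data), false);

	if ($session_read) {
		$query = "UPDATE ttrss_sessions SET data='$data',
				expire='$expire' WHERE id='$safe_id'";
	} else {
		$query = "INSERT INTO ttrss_sessions (id, data, expire)
				VALUES ('$safe_id', '$data', '$expire')";
	}

	db_query($session_connection, $query);
	return true;
}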
141
/**
 * Session save-handler "close".  The connection is deliberately left open
 * (the db_close() call was commented out upstream), so this is a no-op
 * that only satisfies the handler contract.
 *
 * @return bool always true
 */
function ttrss_close () {
	global $session_connection;
	// $session_connection intentionally not closed here.
	return true;
}
150
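/**
 * Session save-handler "destroy": delete the row for session $id.
 *
 * $id comes from the client's cookie (via session_destroy()), so it is
 * escaped before interpolation; the original used it raw.
 *
 * @param string $id  session id
 * @return bool always true; the query result is not inspected
 */
function ttrss_destroy ($id) {
	global $session_connection;

	$safe_id = db_escape_string($session_connection, $id, false);
	$query = "DELETE FROM ttrss_sessions WHERE id = '$safe_id'";

	db_query($session_connection, $query);

	return true;
}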
161
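/**
 * Session save-handler "gc": drop every row whose absolute expiry (set by
 * ttrss_write() as time() + $session_expire) is already in the past.
 *
 * $expire (the maxlifetime PHP passes in) is part of the handler signature
 * but unused: the stored timestamps are absolute, so only the current time
 * is needed.  Now returns true like the other handlers so PHP does not
 * interpret a missing return value as a failed collection.
 *
 * @param int $expire  ignored
 * @return bool always true
 */
function ttrss_gc ($expire) {
	global $session_connection;

	$query = "DELETE FROM ttrss_sessions WHERE expire < " . time();

	db_query($session_connection, $query);

	return true;
}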
170
// Route session storage through the ttrss_* handlers above (DB-backed)
// unless running in single-user mode, where PHP's default store is kept.
if (!SINGLE_USER_MODE) {
	session_set_save_handler("ttrss_open", "ttrss_close", "ttrss_read",
		"ttrss_write", "ttrss_destroy", "ttrss_gc");
}

// The API uses its own session name and performs its own validation, so
// the automatic start-and-validate below is skipped for it.
$is_api_session = defined('TTRSS_SESSION_NAME')
	&& TTRSS_SESSION_NAME == 'ttrss_api_sid';

// Only resume a session the client actually presented a cookie for; never
// start a fresh one here.
if (!$is_api_session && isset($_COOKIE[$session_name])) {
	@session_start();

	$logged_in = !empty($_SESSION["uid"]);

	// A session without a user, or one that fails validate_session(), is
	// torn down on the server and the cookie is expired in the browser.
	if (!$logged_in || !validate_session($session_connection)) {
		session_destroy();
		setcookie(session_name(), '', time()-42000, '/');
	}
}
187 ?>