include/sessions.php

   1 <?php
   2         // Original from http://www.daniweb.com/code/snippet43.html
   3
   4         require_once "config.php";
   5         require_once "db.php";
   6
   7         $session_expire = max(SESSION_COOKIE_LIFETIME, 86400);
   8         $session_name = (!defined('TTRSS_SESSION_NAME')) ? "ttrss_sid" : TTRSS_SESSION_NAME;
   9
  10         if (@$_SERVER['HTTPS'] == "on") {
  11                 $session_name .= "_ssl";
  12                 ini_set("session.cookie_secure", true);
  13         }
  14
  15         ini_set("session.gc_probability", 50);
  16         ini_set("session.name", $session_name);
  17         ini_set("session.use_only_cookies", true);
  18         ini_set("session.gc_maxlifetime", $session_expire);
  19
  20         function session_get_schema_version($link, $nocache = false) {
  21                 global $schema_version;
  22
  23                 if (!$schema_version) {
  24                         $result = db_query($link, "SELECT schema_version FROM ttrss_version");
  25                         $version = db_fetch_result($result, 0, "schema_version");
  26                         $schema_version = $version;
  27                         return $version;
  28                 } else {
  29                         return $schema_version;
  30                 }
  31         }
  32
  33         function validate_session($link) {
  34                 if (SINGLE_USER_MODE) return true;
  35
  36                 $check_ip = $_SESSION['ip_address'];
  37
  38                 switch (SESSION_CHECK_ADDRESS) {
  39                 case 0:
  40                         $check_ip = '';
  41                         break;
  42                 case 1:
  43                         $check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
  44                         break;
  45                 case 2:
  46                         $check_ip = substr($check_ip, 0, strrpos($check_ip, '.'));
  47                         $check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
  48                         break;
  49                 };
  50
  51                 if ($check_ip && strpos($_SERVER['REMOTE_ADDR'], $check_ip) !== 0) {
  52                         $_SESSION["login_error_msg"] =
  53                                 __("Session failed to validate (incorrect IP)");
  54                         return false;
  55                 }
  56
  57                 if ($_SESSION["ref_schema_version"] != session_get_schema_version($link, true))
  58                         return false;
  59
  60                 if ($_SESSION["uid"]) {
  61                         $result = db_query($link,
  62                                 "SELECT pwd_hash FROM ttrss_users WHERE id = '".$_SESSION["uid"]."'");
  63
  64                         // user not found
  65                         if (db_num_rows($result) == 0) {
  66                                 return false;
  67                         } else {
  68                                 $pwd_hash = db_fetch_result($result, 0, "pwd_hash");
  69
  70                                 if ($pwd_hash != $_SESSION["pwd_hash"]) {
  71                                         return false;
  72                                 }
  73                         }
  74                 }
  75
  76 /*              if ($_SESSION["cookie_lifetime"] && $_SESSION["uid"]) {
  77
  78                         //print_r($_SESSION);
  79
  80                         if (time() > $_SESSION["cookie_lifetime"]) {
  81                                 return false;
  82                         }
  83                 } */
  84
  85                 return true;
  86         }
  87
  88
  89         function ttrss_open ($s, $n) {
  90
  91                 global $session_connection;
  92
  93                 $session_connection = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);
  94
  95                 return true;
  96         }
  97
  98         function ttrss_read ($id){
  99
 100                 global $session_connection,$session_read;
 101
 102                 $query = "SELECT data FROM ttrss_sessions WHERE id='$id'";
 103
 104                 $res = db_query($session_connection, $query);
 105
 106                 if (db_num_rows($res) != 1) {
 107                         return "";
 108                 } else {
 109                         $session_read = db_fetch_assoc($res);
 110                         $session_read["data"] = base64_decode($session_read["data"]);
 111                         return $session_read["data"];
 112                 }
 113         }
 114
 115         function ttrss_write ($id, $data) {
 116
 117                 if (! $data) {
 118                         return false;
 119                 }
 120
 121                 global $session_connection, $session_read, $session_expire;
 122
 123                 $expire = time() + $session_expire;
 124
 125                 $data = db_escape_string($session_connection, base64_encode($data), false);
 126
 127                 if ($session_read) {
 128                         $query = "UPDATE ttrss_sessions SET data='$data',
 129                                         expire='$expire' WHERE id='$id'";
 130                 } else {
 131                         $query = "INSERT INTO ttrss_sessions (id, data, expire)
 132                                         VALUES ('$id', '$data', '$expire')";
 133                 }
 134
 135                 db_query($session_connection, $query);
 136                 return true;
 137         }
 138
 139         function ttrss_close () {
 140
 141                 global $session_connection;
 142
 143                 //db_close($session_connection);
 144
 145                 return true;
 146         }
 147
 148         function ttrss_destroy ($id) {
 149
 150                 global $session_connection;
 151
 152                 $query = "DELETE FROM ttrss_sessions WHERE id = '$id'";
 153
 154                 db_query($session_connection, $query);
 155
 156                 return true;
 157         }
 158
 159         function ttrss_gc ($expire) {
 160
 161                 global $session_connection;
 162
 163                 $query = "DELETE FROM ttrss_sessions WHERE expire < " . time();
 164
 165                 db_query($session_connection, $query);
 166         }
 167
 168         if (!SINGLE_USER_MODE /* && DB_TYPE == "pgsql" */) {
 169                 session_set_save_handler("ttrss_open",
 170                         "ttrss_close", "ttrss_read", "ttrss_write",
 171                         "ttrss_destroy", "ttrss_gc");
 172         }
 173
 174         if (!defined('TTRSS_SESSION_NAME') || TTRSS_SESSION_NAME != 'ttrss_api_sid') {
 175                 if (isset($_COOKIE[$session_name])) {
 176                         @session_start();
 177
 178                         if (!isset($_SESSION["uid"]) || !$_SESSION["uid"] || !validate_session($session_connection)) {
 179                                 session_destroy();
 180                            setcookie(session_name(), '', time()-42000, '/');
 181                         }
 182                 }
 183         }
 184 ?>