aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorredmatrix <git@macgirvin.com>2016-04-14 18:51:06 -0700
committerredmatrix <git@macgirvin.com>2016-04-14 18:51:06 -0700
commita8f7af20798de3bde73023c6e3f2b540e985767b (patch)
treec4c31417738b3d636e0615d4cfb3b0545ec358d4 /include
parent7ae7fac2349555e9658b6c46dc6dd5316adff589 (diff)
downloadvolse-hubzilla-a8f7af20798de3bde73023c6e3f2b540e985767b.tar.gz
volse-hubzilla-a8f7af20798de3bde73023c6e3f2b540e985767b.tar.bz2
volse-hubzilla-a8f7af20798de3bde73023c6e3f2b540e985767b.zip
provide general purpose verification class, remove include/session.php (no longer used)
Diffstat (limited to 'include')
-rw-r--r--include/session.php169
-rw-r--r--include/zot.php14
2 files changed, 3 insertions, 180 deletions
diff --git a/include/session.php b/include/session.php
deleted file mode 100644
index 4a7c8052e..000000000
--- a/include/session.php
+++ /dev/null
@@ -1,169 +0,0 @@
-<?php
-
-/**
- * @file include/session.php
- *
- * @brief This file includes session related functions.
- *
- * Session management functions. These provide database storage of PHP
- * session info.
- */
-
-$session_exists = 0;
-$session_expire = 180000;
-
-
-/**
- * @brief Resets the current session.
- *
- * @return void
- */
-
-function nuke_session() {
- new_cookie(0); // 0 means delete on browser exit
-
- unset($_SESSION['authenticated']);
- unset($_SESSION['account_id']);
- unset($_SESSION['uid']);
- unset($_SESSION['visitor_id']);
- unset($_SESSION['administrator']);
- unset($_SESSION['cid']);
- unset($_SESSION['theme']);
- unset($_SESSION['mobile_theme']);
- unset($_SESSION['show_mobile']);
- unset($_SESSION['page_flags']);
- unset($_SESSION['delegate']);
- unset($_SESSION['delegate_channel']);
- unset($_SESSION['my_url']);
- unset($_SESSION['my_address']);
- unset($_SESSION['addr']);
- unset($_SESSION['return_url']);
- unset($_SESSION['remote_service_class']);
- unset($_SESSION['remote_hub']);
-}
-
-
-
-function new_cookie($time) {
-
- $old_sid = session_id();
-
- // ??? This shouldn't have any effect if called after session_start()
- // We probably need to set the session expiration and change the PHPSESSID cookie.
- // session_set_cookie_params($time);
-
- session_regenerate_id(false);
-
- q("UPDATE session SET sid = '%s' WHERE sid = '%s'",
- dbesc(session_id()),
- dbesc($old_sid)
- );
-
- if (x($_COOKIE, 'jsAvailable')) {
- if ($time) {
- $expires = time() + $time;
- } else {
- $expires = 0;
- }
- setcookie('jsAvailable', $_COOKIE['jsAvailable'], $expires);
- }
- setcookie(session_name(),session_id(),$expires);
-}
-
-
-function ref_session_open ($s, $n) {
- return true;
-}
-
-
-function ref_session_read ($id) {
- global $session_exists;
- if(x($id))
- $r = q("SELECT `data` FROM `session` WHERE `sid`= '%s'", dbesc($id));
-
- if(count($r)) {
- $session_exists = true;
- return $r[0]['data'];
- }
-
- return '';
-}
-
-
-function ref_session_write ($id, $data) {
- global $session_exists, $session_expire;
-
- if(! $id || ! $data) {
- return false;
- }
-
- $expire = time() + $session_expire;
- $default_expire = time() + 300;
-
- if($session_exists) {
- q("UPDATE `session`
- SET `data` = '%s', `expire` = '%s' WHERE `sid` = '%s'",
- dbesc($data),
- dbesc($expire),
- dbesc($id)
- );
- } else {
- q("INSERT INTO `session` (sid, expire, data) values ('%s', '%s', '%s')",
- //SET `sid` = '%s', `expire` = '%s', `data` = '%s'",
- dbesc($id),
- dbesc($default_expire),
- dbesc($data)
- );
- }
-
- return true;
-}
-
-
-function ref_session_close() {
- return true;
-}
-
-
-function ref_session_destroy ($id) {
- q("DELETE FROM `session` WHERE `sid` = '%s'", dbesc($id));
- return true;
-}
-
-
-function ref_session_gc($expire) {
- q("DELETE FROM session WHERE expire < %d", dbesc(time()));
- return true;
-}
-
-$gc_probability = 50;
-
-ini_set('session.gc_probability', $gc_probability);
-ini_set('session.use_only_cookies', 1);
-ini_set('session.cookie_httponly', 1);
-
-/*
- * Set our session storage functions.
- */
-
-session_set_save_handler(
- 'ref_session_open',
- 'ref_session_close',
- 'ref_session_read',
- 'ref_session_write',
- 'ref_session_destroy',
- 'ref_session_gc'
-);
-
-
- // Force cookies to be secure (https only) if this site is SSL enabled. Must be done before session_start().
-
- if(intval(App::$config['system']['ssl_cookie_protection'])) {
- $arr = session_get_cookie_params();
- session_set_cookie_params(
- ((isset($arr['lifetime'])) ? $arr['lifetime'] : 0),
- ((isset($arr['path'])) ? $arr['path'] : '/'),
- ((isset($arr['domain'])) ? $arr['domain'] : App::get_hostname()),
- ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
- ((isset($arr['httponly'])) ? $arr['httponly'] : true));
- } \ No newline at end of file
diff --git a/include/zot.php b/include/zot.php
index a5ab56154..0cdf7fc87 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -4289,9 +4289,7 @@ function zot_reply_auth_check($data,$encrypted_packet) {
// the web server. We should probably convert this to webserver time rather than DB time so
// that the different clocks won't affect it and allow us to keep the time short.
- q("delete from verify where type = 'auth' and created < %s - INTERVAL %s",
- db_utcnow(), db_quoteinterval('30 MINUTE')
- );
+ Zotlabs\Zot\Verify::purge('auth','30 MINUTE');
$y = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1",
dbesc($sender_hash)
@@ -4330,19 +4328,13 @@ function zot_reply_auth_check($data,$encrypted_packet) {
// This additionally checks for forged sites since we already stored the expected result in meta
// and we've already verified that this is them via zot_gethub() and that their key signed our token
- $z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' and meta = '%s' limit 1",
- intval($c[0]['channel_id']),
- dbesc($data['secret']),
- dbesc($data['sender']['url'])
- );
+
+ $z = Zotlabs\Zot\Verify::match('auth',$c[0]['channel_id'],$data['secret'],$data['sender']['url']);
if (! $z) {
logger('mod_zot: auth_check: verification key not found.');
$ret['message'] .= 'verification key not found' . EOL;
json_return_and_die($ret);
}
- $r = q("delete from verify where id = %d",
- intval($z[0]['id'])
- );
$u = q("select account_service_class from account where account_id = %d limit 1",
intval($c[0]['channel_account_id'])