author | redmatrix <git@macgirvin.com> | 2016-04-14 18:51:06 -0700 |
committer | redmatrix <git@macgirvin.com> | 2016-04-14 18:51:06 -0700 |
commit | a8f7af20798de3bde73023c6e3f2b540e985767b (patch) | |
tree | c4c31417738b3d636e0615d4cfb3b0545ec358d4 /include | |
parent | 7ae7fac2349555e9658b6c46dc6dd5316adff589 (diff) | |
download | volse-hubzilla-a8f7af20798de3bde73023c6e3f2b540e985767b.tar.gz volse-hubzilla-a8f7af20798de3bde73023c6e3f2b540e985767b.tar.bz2 volse-hubzilla-a8f7af20798de3bde73023c6e3f2b540e985767b.zip |
provide general purpose verification class, remove include/session.php (no longer used)
Diffstat (limited to 'include')
-rw-r--r-- | include/session.php | 169 | ||||
-rw-r--r-- | include/zot.php | 14 |
2 files changed, 3 insertions, 180 deletions
diff --git a/include/session.php b/include/session.php
deleted file mode 100644
index 4a7c8052e..000000000
--- a/include/session.php
+++ /dev/null
@@ -1,169 +0,0 @@
-<?php
-
-/**
- * @file include/session.php
- *
- * @brief This file includes session related functions.
- *
- * Session management functions. These provide database storage of PHP
- * session info.
- */
-
-$session_exists = 0;
-$session_expire = 180000;
-
-
-/**
- * @brief Resets the current session.
- *
- * @return void
- */
-
-function nuke_session() {
- new_cookie(0); // 0 means delete on browser exit
-
- unset($_SESSION['authenticated']);
- unset($_SESSION['account_id']);
- unset($_SESSION['uid']);
- unset($_SESSION['visitor_id']);
- unset($_SESSION['administrator']);
- unset($_SESSION['cid']);
- unset($_SESSION['theme']);
- unset($_SESSION['mobile_theme']);
- unset($_SESSION['show_mobile']);
- unset($_SESSION['page_flags']);
- unset($_SESSION['delegate']);
- unset($_SESSION['delegate_channel']);
- unset($_SESSION['my_url']);
- unset($_SESSION['my_address']);
- unset($_SESSION['addr']);
- unset($_SESSION['return_url']);
- unset($_SESSION['remote_service_class']);
- unset($_SESSION['remote_hub']);
-}
-
-
-
-function new_cookie($time) {
-
- $old_sid = session_id();
-
- // ??? This shouldn't have any effect if called after session_start()
- // We probably need to set the session expiration and change the PHPSESSID cookie.
- // session_set_cookie_params($time);
-
- session_regenerate_id(false);
-
- q("UPDATE session SET sid = '%s' WHERE sid = '%s'",
- dbesc(session_id()),
- dbesc($old_sid)
- );
-
- if (x($_COOKIE, 'jsAvailable')) {
- if ($time) {
- $expires = time() + $time;
- } else {
- $expires = 0;
- }
- setcookie('jsAvailable', $_COOKIE['jsAvailable'], $expires);
- }
- setcookie(session_name(),session_id(),$expires);
-}
-
-
-function ref_session_open ($s, $n) {
- return true;
-}
-
-
-function ref_session_read ($id) {
- global $session_exists;
- if(x($id))
- $r = q("SELECT `data` FROM `session` WHERE `sid`= '%s'", dbesc($id));
-
- if(count($r)) {
- $session_exists = true;
- return $r[0]['data'];
- }
-
- return '';
-}
-
-
-function ref_session_write ($id, $data) {
- global $session_exists, $session_expire;
-
- if(! $id || ! $data) {
- return false;
- }
-
- $expire = time() + $session_expire;
- $default_expire = time() + 300;
-
- if($session_exists) {
- q("UPDATE `session`
- SET `data` = '%s', `expire` = '%s' WHERE `sid` = '%s'",
- dbesc($data),
- dbesc($expire),
- dbesc($id)
- );
- } else {
- q("INSERT INTO `session` (sid, expire, data) values ('%s', '%s', '%s')",
- //SET `sid` = '%s', `expire` = '%s', `data` = '%s'",
- dbesc($id),
- dbesc($default_expire),
- dbesc($data)
- );
- }
-
- return true;
-}
-
-
-function ref_session_close() {
- return true;
-}
-
-
-function ref_session_destroy ($id) {
- q("DELETE FROM `session` WHERE `sid` = '%s'", dbesc($id));
- return true;
-}
-
-
-function ref_session_gc($expire) {
- q("DELETE FROM session WHERE expire < %d", dbesc(time()));
- return true;
-}
-
-$gc_probability = 50;
-
-ini_set('session.gc_probability', $gc_probability);
-ini_set('session.use_only_cookies', 1);
-ini_set('session.cookie_httponly', 1);
-
-/*
- * Set our session storage functions.
- */
-
-session_set_save_handler(
- 'ref_session_open',
- 'ref_session_close',
- 'ref_session_read',
- 'ref_session_write',
- 'ref_session_destroy',
- 'ref_session_gc'
-);
-
-
- // Force cookies to be secure (https only) if this site is SSL enabled. Must be done before session_start().
-
- if(intval(App::$config['system']['ssl_cookie_protection'])) {
- $arr = session_get_cookie_params();
- session_set_cookie_params(
- ((isset($arr['lifetime'])) ? $arr['lifetime'] : 0),
- ((isset($arr['path'])) ? $arr['path'] : '/'),
- ((isset($arr['domain'])) ? $arr['domain'] : App::get_hostname()),
- ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
- ((isset($arr['httponly'])) ? $arr['httponly'] : true));
- }
\ No newline at end of file
diff --git a/include/zot.php b/include/zot.php
index a5ab56154..0cdf7fc87 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -4289,9 +4289,7 @@ function zot_reply_auth_check($data,$encrypted_packet) {
 // the web server. We should probably convert this to webserver time rather than DB time so
 // that the different clocks won't affect it and allow us to keep the time short.
- q("delete from verify where type = 'auth' and created < %s - INTERVAL %s",
- db_utcnow(), db_quoteinterval('30 MINUTE')
- );
+ Zotlabs\Zot\Verify::purge('auth','30 MINUTE');
 $y = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1",
 dbesc($sender_hash)
@@ -4330,19 +4328,13 @@ function zot_reply_auth_check($data,$encrypted_packet) {
 // This additionally checks for forged sites since we already stored the expected result in meta
 // and we've already verified that this is them via zot_gethub() and that their key signed our token
- $z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' and meta = '%s' limit 1",
- intval($c[0]['channel_id']),
- dbesc($data['secret']),
- dbesc($data['sender']['url'])
- );
+
+ $z = Zotlabs\Zot\Verify::match('auth',$c[0]['channel_id'],$data['secret'],$data['sender']['url']);
 if (! $z) {
 logger('mod_zot: auth_check: verification key not found.');
 $ret['message'] .= 'verification key not found' . EOL;
 json_return_and_die($ret);
 }
- $r = q("delete from verify where id = %d",
- intval($z[0]['id'])
- );
 $u = q("select account_service_class from account where account_id = %d limit 1",
 intval($c[0]['channel_account_id'])
|
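Review bot: The explicit single-use consumption of the matched token, `$r = q("delete from verify where id = %d", intval($z[0]['id']));`, is removed in the second hunk, so the token stays valid after a successful check unless `Zotlabs\Zot\Verify::match()` deletes the row it matched; that class is not part of this diff, so the hunk alone cannot show that it does. If `match()` only looks the row up, the same `$data['secret']` would be accepted repeatedly until `Verify::purge('auth','30 MINUTE')` in the first hunk removes it, widening the window the old delete closed. Either make `match()` consume the row and document that contract, or keep an explicit delete after the `if (! $z)` check; at minimum add `// Verify::match() must delete the matched row: the auth token is single-use` above the call. zot_reply_auth_check starts and ends outside the hunk.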