aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Web/SessionHandler.php
diff options
context:
space:
mode:
Diffstat (limited to 'Zotlabs/Web/SessionHandler.php')
-rw-r--r--Zotlabs/Web/SessionHandler.php80
1 files changed, 38 insertions, 42 deletions
diff --git a/Zotlabs/Web/SessionHandler.php b/Zotlabs/Web/SessionHandler.php
index 359279384..6980a6408 100644
--- a/Zotlabs/Web/SessionHandler.php
+++ b/Zotlabs/Web/SessionHandler.php
@@ -5,24 +5,30 @@ namespace Zotlabs\Web;
class SessionHandler implements \SessionHandlerInterface {
- private $session_exists;
- private $session_expire;
-
function open ($s, $n) {
- $this->session_exists = 0;
- $this->session_expire = 180000;
return true;
}
+ // IMPORTANT: if we read the session and it doesn't exist, create an empty record.
+ // We rely on this due to differing PHP implementation of session_regenerate_id()
+ // some which call read explicitly and some that do not. So we call it explicitly
+ // just after sid regeneration to force a record to exist.
+
function read ($id) {
- if(x($id))
+ if($id) {
$r = q("SELECT `data` FROM `session` WHERE `sid`= '%s'", dbesc($id));
- if($r) {
- $this->session_exists = true;
- return $r[0]['data'];
+ if($r) {
+ return $r[0]['data'];
+ }
+ else {
+ q("INSERT INTO `session` (sid, expire) values ('%s', '%s')",
+ dbesc($id),
+ dbesc(time() + 300)
+ );
+ }
}
return '';
@@ -35,30 +41,30 @@ class SessionHandler implements \SessionHandlerInterface {
return false;
}
- // Can't just use $data here because we can't be certain of the serialisation algorithm
-
- if($_SESSION && array_key_exists('remember_me',$_SESSION) && intval($_SESSION['remember_me']))
- $expire = time() + (60 * 60 * 24 * 365);
- else
- $expire = time() + $this->session_expire;
- $default_expire = time() + 300;
-
- if($this->session_exists) {
- q("UPDATE `session`
- SET `data` = '%s', `expire` = '%s' WHERE `sid` = '%s'",
- dbesc($data),
- dbesc($expire),
- dbesc($id)
- );
- }
- else {
- q("INSERT INTO `session` (sid, expire, data) values ('%s', '%s', '%s')",
- dbesc($id),
- dbesc($default_expire),
- dbesc($data)
- );
+ // Unless we authenticate somehow, only keep a session for 5 minutes
+ // The viewer can extend this by performing any web action using the
+ // original cookie, but this allows us to cleanup the hundreds or
+ // thousands of empty sessions left around from web crawlers which are
+ // assigned cookies on each page that they never use.
+
+ $expire = time() + 300;
+
+ if($_SESSION) {
+ if(array_key_exists('remember_me',$_SESSION) && intval($_SESSION['remember_me']))
+ $expire = time() + (60 * 60 * 24 * 365);
+ elseif(local_channel())
+ $expire = time() + (60 * 60 * 24 * 3);
+ elseif(remote_channel())
+ $expire = time() + (60 * 60 * 24 * 1);
}
+ q("UPDATE `session`
+ SET `data` = '%s', `expire` = '%s' WHERE `sid` = '%s'",
+ dbesc($data),
+ dbesc($expire),
+ dbesc($id)
+ );
+
return true;
}
@@ -79,14 +85,4 @@ class SessionHandler implements \SessionHandlerInterface {
return true;
}
-
- // not part of the official interface, used when regenerating the session id
-
- function rename($old,$new) {
- $v = q("UPDATE session SET sid = '%s' WHERE sid = '%s'",
- dbesc($new),
- dbesc($old)
- );
- }
-
-} \ No newline at end of file
+}