diff options
Diffstat (limited to 'Zotlabs/Web/SessionHandler.php')
-rw-r--r-- | Zotlabs/Web/SessionHandler.php | 80 |
1 files changed, 38 insertions, 42 deletions
diff --git a/Zotlabs/Web/SessionHandler.php b/Zotlabs/Web/SessionHandler.php index 359279384..6980a6408 100644 --- a/Zotlabs/Web/SessionHandler.php +++ b/Zotlabs/Web/SessionHandler.php @@ -5,24 +5,30 @@ namespace Zotlabs\Web; class SessionHandler implements \SessionHandlerInterface { - private $session_exists; - private $session_expire; - function open ($s, $n) { - $this->session_exists = 0; - $this->session_expire = 180000; return true; } + // IMPORTANT: if we read the session and it doesn't exist, create an empty record. + // We rely on this due to differing PHP implementation of session_regenerate_id() + // some which call read explicitly and some that do not. So we call it explicitly + // just after sid regeneration to force a record to exist. + function read ($id) { - if(x($id)) + if($id) { $r = q("SELECT `data` FROM `session` WHERE `sid`= '%s'", dbesc($id)); - if($r) { - $this->session_exists = true; - return $r[0]['data']; + if($r) { + return $r[0]['data']; + } + else { + q("INSERT INTO `session` (sid, expire) values ('%s', '%s')", + dbesc($id), + dbesc(time() + 300) + ); + } } return ''; @@ -35,30 +41,30 @@ class SessionHandler implements \SessionHandlerInterface { return false; } - // Can't just use $data here because we can't be certain of the serialisation algorithm - - if($_SESSION && array_key_exists('remember_me',$_SESSION) && intval($_SESSION['remember_me'])) - $expire = time() + (60 * 60 * 24 * 365); - else - $expire = time() + $this->session_expire; - $default_expire = time() + 300; - - if($this->session_exists) { - q("UPDATE `session` - SET `data` = '%s', `expire` = '%s' WHERE `sid` = '%s'", - dbesc($data), - dbesc($expire), - dbesc($id) - ); - } - else { - q("INSERT INTO `session` (sid, expire, data) values ('%s', '%s', '%s')", - dbesc($id), - dbesc($default_expire), - dbesc($data) - ); + // Unless we authenticate somehow, only keep a session for 5 minutes + // The viewer can extend this by performing any web action using the + // original cookie, but this allows us to cleanup the hundreds or + // thousands of empty sessions left around from web crawlers which are + // assigned cookies on each page that they never use. + + $expire = time() + 300; + + if($_SESSION) { + if(array_key_exists('remember_me',$_SESSION) && intval($_SESSION['remember_me'])) + $expire = time() + (60 * 60 * 24 * 365); + elseif(local_channel()) + $expire = time() + (60 * 60 * 24 * 3); + elseif(remote_channel()) + $expire = time() + (60 * 60 * 24 * 1); } + q("UPDATE `session` + SET `data` = '%s', `expire` = '%s' WHERE `sid` = '%s'", + dbesc($data), + dbesc($expire), + dbesc($id) + ); + return true; } @@ -79,14 +85,4 @@ class SessionHandler implements \SessionHandlerInterface { return true; } - - // not part of the official interface, used when regenerating the session id - - function rename($old,$new) { - $v = q("UPDATE session SET sid = '%s' WHERE sid = '%s'", - dbesc($new), - dbesc($old) - ); - } - -}
\ No newline at end of file +} |