aboutsummaryrefslogtreecommitdiffstats
path: root/include/session.php
blob: 6060e47124035b67fd421aefe0fe743f91ea439f (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
<?php

/**
 * @file include/session.php
 *
 * @brief This file includes session related functions.
 *
 * Session management functions. These provide database storage of PHP
 * session info.
 */

$session_exists = 0;
$session_expire = 180000;


/**
 * @brief Resets the current session.
 *
 * @return void
 */

function nuke_session() {
	new_cookie(0); // 0 means delete on browser exit

	unset($_SESSION['authenticated']);
	unset($_SESSION['account_id']);
	unset($_SESSION['uid']);
	unset($_SESSION['visitor_id']);
	unset($_SESSION['administrator']);
	unset($_SESSION['cid']);
	unset($_SESSION['theme']);
	unset($_SESSION['mobile_theme']);
	unset($_SESSION['show_mobile']);
	unset($_SESSION['page_flags']);
	unset($_SESSION['delegate']);
	unset($_SESSION['delegate_channel']);
	unset($_SESSION['my_url']);
	unset($_SESSION['my_address']);
	unset($_SESSION['addr']);
	unset($_SESSION['return_url']);
	unset($_SESSION['remote_service_class']);
	unset($_SESSION['remote_hub']);
}



function new_cookie($time) {
	$old_sid = session_id();

	// ??? This shouldn't have any effect if called after session_start()
	// We probably need to set the session expiration and change the PHPSESSID cookie.

	session_set_cookie_params($time);
	session_regenerate_id(false);

	q("UPDATE session SET sid = '%s' WHERE sid = '%s'",
			dbesc(session_id()),
			dbesc($old_sid)
	);

	if (x($_COOKIE, 'jsAvailable')) {
		if ($time) {
			$expires = time() + $time;
		} else {
			$expires = 0;
		}
		setcookie('jsAvailable', $_COOKIE['jsAvailable'], $expires);
	}
}


function ref_session_open ($s, $n) {
	return true;
}


function ref_session_read ($id) {
	global $session_exists;
	if(x($id))
		$r = q("SELECT `data` FROM `session` WHERE `sid`= '%s'", dbesc($id));

	if(count($r)) {
		$session_exists = true;
		return $r[0]['data'];
	}

	return '';
}


function ref_session_write ($id, $data) {
	global $session_exists, $session_expire;

	if(! $id || ! $data) {
		return false;
	}

	$expire = time() + $session_expire;
	$default_expire = time() + 300;

	if($session_exists) {
		q("UPDATE `session`
				SET `data` = '%s', `expire` = '%s' WHERE `sid` = '%s'",
				dbesc($data),
				dbesc($expire),
				dbesc($id)
		);
	} else {
		q("INSERT INTO `session` (sid, expire, data) values ('%s', '%s', '%s')",
				//SET `sid` = '%s', `expire` = '%s', `data` = '%s'",
				dbesc($id),
				dbesc($default_expire),
				dbesc($data)
		);
	}

	return true;
}


function ref_session_close() {
	return true;
}


function ref_session_destroy ($id) {
	q("DELETE FROM `session` WHERE `sid` = '%s'", dbesc($id));
	return true;
}


function ref_session_gc($expire) {
	q("DELETE FROM session WHERE expire < %d", dbesc(time()));
	return true;
}

$gc_probability = 50;

ini_set('session.gc_probability', $gc_probability);
ini_set('session.use_only_cookies', 1);
ini_set('session.cookie_httponly', 1);

/*
 * Set our session storage functions.
 */

session_set_save_handler(
		'ref_session_open',
		'ref_session_close',
		'ref_session_read',
		'ref_session_write',
		'ref_session_destroy',
		'ref_session_gc'
);


   // Force cookies to be secure (https only) if this site is SSL enabled. Must be done before session_start().

    if(intval(get_app()->config['system']['ssl_cookie_protection'])) {
        $arr = session_get_cookie_params();
        session_set_cookie_params(
            ((isset($arr['lifetime']))  ? $arr['lifetime'] : 0),
            ((isset($arr['path']))      ? $arr['path']     : '/'),
            ((isset($arr['domain']))    ? $arr['domain']   : get_app()->get_hostname()),
            ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
            ((isset($arr['httponly']))  ? $arr['httponly'] : true));
    }