<?php
	// Original from http://www.daniweb.com/code/snippet43.html

	require_once "config.php";
	require_once "db.php";
	require_once "lib/accept-to-gettext.php";
	require_once "lib/gettext/gettext.inc";
	require_once "version.php";

	// --- Session bootstrap ---------------------------------------------------
	// Server-side lifetime is never shorter than one day, even when the cookie
	// lifetime configured in SESSION_COOKIE_LIFETIME is shorter.
	$session_expire = max(SESSION_COOKIE_LIFETIME, 86400);

	// Cookie name: taken from config when TTRSS_SESSION_NAME is defined.
	if (defined('TTRSS_SESSION_NAME')) {
		$session_name = TTRSS_SESSION_NAME;
	} else {
		$session_name = "ttrss_sid";
	}

	// Over HTTPS use a distinct cookie name and set the Secure flag so the
	// session id is never sent on a plaintext connection.
	if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
		$session_name .= "_ssl";
		ini_set("session.cookie_secure", true);
	}

	ini_set("session.gc_probability", 75);
	ini_set("session.name", $session_name);
	// Session ids are accepted from the cookie only, never from the URL.
	ini_set("session.use_only_cookies", true);
	ini_set("session.gc_maxlifetime", $session_expire);
	// NOTE(review): min(0, x) is 0 for every non-negative x, i.e. a
	// browser-session cookie whatever SESSION_COOKIE_LIFETIME says; confirm
	// this is the intended behaviour.
	ini_set("session.cookie_lifetime", min(0, SESSION_COOKIE_LIFETIME));
	// NOTE(review): session.cookie_httponly is not configured here.

	// Connection handle shared by the ttrss_* save handlers below.
	global $session_connection;

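	/**
	 * Returns the database schema version, caching it in the global
	 * $schema_version so repeated calls do not hit the database.
	 *
	 * @param resource|object $link    connection handle passed to db_query()
	 * @param bool            $nocache when true, re-read ttrss_version even if
	 *                                 a cached value exists
	 * @return mixed ttrss_version.schema_version as returned by db_fetch_result()
	 */
	function session_get_schema_version($link, $nocache = false) {
		global $schema_version;

		// Fix: $nocache was accepted but never read, so callers asking for a
		// fresh value (validate_session() passes true) still got the cached copy.
		if ($schema_version && !$nocache) {
			return $schema_version;
		}

		$result = db_query($link, "SELECT schema_version FROM ttrss_version");
		$schema_version = db_fetch_result($result, 0, "schema_version");

		return $schema_version;
	}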

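	/**
	 * Checks that the current $_SESSION still belongs to the client that
	 * created it and is still consistent with server state.
	 *
	 * Returns false when: the running VERSION differs from the one stored in
	 * the session; the client address no longer matches the stored one to the
	 * precision selected by SESSION_CHECK_ADDRESS; the schema version changed;
	 * the User-Agent hash changed; or the pwd_hash in ttrss_users no longer
	 * matches the session copy (user deleted or password changed).
	 *
	 * @param resource|object $link database connection handle
	 * @return bool true when the session is valid (always true in SINGLE_USER_MODE)
	 */
	function validate_session($link) {
		if (SINGLE_USER_MODE) return true;

		if (!$link) return false;

		// isset() guards: a key that was never set reads as null instead of
		// raising a notice, and null never equals a real value under ===.
		$session_version = isset($_SESSION["version"]) ? $_SESSION["version"] : null;
		if (VERSION !== $session_version) return false;

		$check_ip = isset($_SESSION['ip_address']) ? $_SESSION['ip_address'] : '';

		// 0: no address check; 1: first three octets; 2: first two octets;
		// any other value: the full stored address must match.
		switch (SESSION_CHECK_ADDRESS) {
		case 0:
			$check_ip = '';
			break;
		case 1:
			$check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
			break;
		case 2:
			$check_ip = substr($check_ip, 0, strrpos($check_ip, '.'));
			$check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
			break;
		}
		// NOTE(review): strrpos() returns false for an address without a '.'
		// (e.g. IPv6), so cases 1 and 2 then compare a one- or zero-character
		// prefix; confirm SESSION_CHECK_ADDRESS is only relied on for IPv4.

		$remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

		// Prefix match: the current address must start with the retained part.
		if ($check_ip && strpos($remote_addr, $check_ip) !== 0) {
			$_SESSION["login_error_msg"] =
				__("Session failed to validate (incorrect IP)");
			return false;
		}

		// Loose comparison kept on purpose here: the stored and freshly
		// fetched schema versions may differ in scalar type (driver string vs. int).
		$ref_schema_version = isset($_SESSION["ref_schema_version"]) ? $_SESSION["ref_schema_version"] : null;
		if ($ref_schema_version != session_get_schema_version($link, true))
			return false;

		// Hash comparisons are strict: with != two hex digests that both look
		// like numbers in scientific notation ("0e...") would compare equal.
		$request_ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
		$session_ua = isset($_SESSION["user_agent"]) ? $_SESSION["user_agent"] : null;
		if (sha1($request_ua) !== $session_ua)
			return false;

		if (!empty($_SESSION["uid"])) {
			// The session uid is expected to be an integer id; the cast
			// guarantees nothing but digits is interpolated into the query.
			$uid = (int) $_SESSION["uid"];
			$result = db_query($link,
				"SELECT pwd_hash FROM ttrss_users WHERE id = '$uid'");

			// user not found
			if (db_num_rows($result) == 0) {
				return false;
			}

			$pwd_hash = db_fetch_result($result, 0, "pwd_hash");
			$session_pwd_hash = isset($_SESSION["pwd_hash"]) ? $_SESSION["pwd_hash"] : null;

			// Strict for the same reason as the User-Agent check above.
			if ($pwd_hash !== $session_pwd_hash) {
				return false;
			}
		}

		return true;
	}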


	/**
	 * Session save handler "open": connects to the database that the other
	 * ttrss_* handlers use via the global $session_connection.
	 *
	 * @param string $s save path (unused; storage is the ttrss_sessions table)
	 * @param string $n session name (unused)
	 * @return bool always true
	 */
	function ttrss_open ($s, $n) {
		global $session_connection;

		// The parameters are dictated by session_set_save_handler(); the
		// connection details come from config.php.
		$connection = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);
		$session_connection = $connection;

		return true;
	}

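	/**
	 * Session save handler "read": loads the serialized payload for $id from
	 * ttrss_sessions.
	 *
	 * Side effect: on a hit the fetched row is kept in the global $session_read,
	 * which ttrss_write() consults to choose between UPDATE and INSERT.
	 *
	 * @param string $id session id as supplied by the client's cookie
	 * @return string decoded session data, or "" unless exactly one row matches
	 */
	function ttrss_read ($id){
		global $session_connection, $session_read;

		// $id comes straight from the session cookie, i.e. from the client, so
		// it is escaped before being interpolated (same call form ttrss_write()
		// already uses for the payload).
		$id = db_escape_string($session_connection, $id, false);

		$query = "SELECT data FROM ttrss_sessions WHERE id='$id'";

		$res = db_query($session_connection, $query);

		if (db_num_rows($res) != 1) {
			return "";
		}

		$session_read = db_fetch_assoc($res);
		// Payload is stored base64-encoded (see ttrss_write()).
		$session_read["data"] = base64_decode($session_read["data"]);

		return $session_read["data"];
	}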

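	/**
	 * Session save handler "write": persists the serialized payload for $id.
	 *
	 * Uses UPDATE when ttrss_read() found a row during this request (global
	 * $session_read is set) and INSERT otherwise. The expire column holds an
	 * absolute timestamp, now + $session_expire, which ttrss_gc() compares
	 * against the current time.
	 *
	 * @param string $id   session id (client-supplied via the cookie)
	 * @param string $data serialized session payload
	 * @return bool false when $data is empty (nothing is written), true otherwise
	 */
	function ttrss_write ($id, $data) {
		if (! $data) {
			return false;
		}

		global $session_connection, $session_read, $session_expire;

		$expire = time() + $session_expire;

		// Both interpolated strings originate from the client (the id from the
		// cookie, the payload from whatever ended up in $_SESSION); escape both.
		$id = db_escape_string($session_connection, $id, false);
		$data = db_escape_string($session_connection, base64_encode($data), false);

		// NOTE(review): $session_read reflects the id that was read, not
		// necessarily $id; after session_regenerate_id() the UPDATE would
		// target a row that does not exist yet — confirm that path is unused.
		if ($session_read) {
			$query = "UPDATE ttrss_sessions SET data='$data',
					expire='$expire' WHERE id='$id'";
		} else {
			$query = "INSERT INTO ttrss_sessions (id, data, expire)
					VALUES ('$id', '$data', '$expire')";
		}

		db_query($session_connection, $query);
		return true;
	}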

	/**
	 * Session save handler "close".
	 *
	 * The database connection is deliberately left open (the db_close() call
	 * is disabled), so this handler only reports success.
	 *
	 * @return bool always true
	 */
	function ttrss_close () {
		global $session_connection;

		// Intentionally no db_close($session_connection) here.
		return true;
	}

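	/**
	 * Session save handler "destroy": removes the stored row for $id.
	 *
	 * @param string $id session id (client-supplied via the cookie)
	 * @return bool always true
	 */
	function ttrss_destroy ($id) {
		global $session_connection;

		// $id is client input; escape it before interpolating into SQL, as the
		// other handlers do for their interpolated values.
		$id = db_escape_string($session_connection, $id, false);

		$query = "DELETE FROM ttrss_sessions WHERE id = '$id'";

		db_query($session_connection, $query);

		return true;
	}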

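	/**
	 * Session save handler "gc": deletes rows whose absolute expiry timestamp
	 * (written by ttrss_write()) lies in the past.
	 *
	 * @param int $expire session.gc_maxlifetime; unused because the table
	 *                    stores absolute expiry times rather than ages
	 * @return bool always true
	 */
	function ttrss_gc ($expire) {
		global $session_connection;

		$query = "DELETE FROM ttrss_sessions WHERE expire < " . time();

		db_query($session_connection, $query);

		// Fix: the handler returned nothing; the other ttrss_* handlers report
		// success with a bool and PHP's session module expects one from gc too.
		return true;
	}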

	// Store sessions in the database unless running in single-user mode.
	if (!SINGLE_USER_MODE) {
		session_set_save_handler(
			"ttrss_open",
			"ttrss_close",
			"ttrss_read",
			"ttrss_write",
			"ttrss_destroy",
			"ttrss_gc"
		);
	}

	// Resume an existing session only when the client presents the cookie;
	// never create one implicitly. Define NO_SESSION_AUTOSTART to skip this.
	if (!defined('NO_SESSION_AUTOSTART') && isset($_COOKIE[session_name()])) {
		@session_start();
	}
?>