2 /***************************************************************************
5 * begin : Saturday, Feb 13, 2001
6 * copyright : (C) 2001 The phpBB Group
7 * email : support@phpbb.com
9 * $Id: sessions.php,v 1.58.2.11 2004/07/11 16:46:19 acydburn Exp $
12 ***************************************************************************/
14 /***************************************************************************
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 2 of the License, or
19 * (at your option) any later version.
21 ***************************************************************************/
24 // Adds/updates a new session to the database for the given userid.
25 // Returns the new session ID on success.
27 function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_autologin = 0)
29 global $db, $board_config;
30 global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $SID;
32 $cookiename = $board_config['cookie_name'];
33 $cookiepath = $board_config['cookie_path'];
34 $cookiedomain = $board_config['cookie_domain'];
35 $cookiesecure = $board_config['cookie_secure'];
37 if ( isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) || isset($HTTP_COOKIE_VARS[$cookiename . '_data']) )
39 $session_id = isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) ? $HTTP_COOKIE_VARS[$cookiename . '_sid'] : '';
40 $sessiondata = isset($HTTP_COOKIE_VARS[$cookiename . '_data']) ? unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();
41 $sessionmethod = SESSION_METHOD_COOKIE;
45 $sessiondata = array();
46 $session_id = ( isset($HTTP_GET_VARS['sid']) ) ? $HTTP_GET_VARS['sid'] : '';
47 $sessionmethod = SESSION_METHOD_GET;
51 if (!preg_match('/^[A-Za-z0-9]*$/', $session_id))
57 $current_time = time();
58 $expiry_time = $current_time - $board_config['session_length'];
61 // Try and pull the last time stored in a cookie, if it exists
64 FROM " . USERS_TABLE . "
65 WHERE user_id = $user_id";
66 if ( !($result = $db->sql_query($sql)) )
68 message_die(CRITICAL_ERROR, 'Could not obtain lastvisit data from user table', '', __LINE__, __FILE__, $sql);
71 $userdata = $db->sql_fetchrow($result);
73 if ( $user_id != ANONYMOUS )
75 $auto_login_key = $userdata['user_password'];
79 if ( isset($sessiondata['autologinid']) && $userdata['user_active'] )
81 // We have to login automagically
82 if( $sessiondata['autologinid'] == $auto_login_key )
84 // autologinid matches password
86 $enable_autologin = 1;
90 // No match; don't login, set as anonymous user
92 $enable_autologin = 0;
93 $user_id = $userdata['user_id'] = ANONYMOUS;
98 // Autologin is not set. Don't login, set as anonymous user
100 $enable_autologin = 0;
101 $user_id = $userdata['user_id'] = ANONYMOUS;
112 $enable_autologin = 0;
116 // Initial ban check against user id, IP and email address
118 preg_match('/(..)(..)(..)(..)/', $user_ip, $user_ip_parts);
120 $sql = "SELECT ban_ip, ban_userid, ban_email
121 FROM " . BANLIST_TABLE . "
122 WHERE ban_ip IN ('" . $user_ip_parts[1] . $user_ip_parts[2] . $user_ip_parts[3] . $user_ip_parts[4] . "', '" . $user_ip_parts[1] . $user_ip_parts[2] . $user_ip_parts[3] . "ff', '" . $user_ip_parts[1] . $user_ip_parts[2] . "ffff', '" . $user_ip_parts[1] . "ffffff')
123 OR ban_userid = $user_id";
124 if ( $user_id != ANONYMOUS )
126 $sql .= " OR ban_email LIKE '" . str_replace("\'", "''", $userdata['user_email']) . "'
127 OR ban_email LIKE '" . substr(str_replace("\'", "''", $userdata['user_email']), strpos(str_replace("\'", "''", $userdata['user_email']), "@")) . "'";
129 if ( !($result = $db->sql_query($sql)) )
131 message_die(CRITICAL_ERROR, 'Could not obtain ban information', '', __LINE__, __FILE__, $sql);
134 if ( $ban_info = $db->sql_fetchrow($result) )
136 if ( $ban_info['ban_ip'] || $ban_info['ban_userid'] || $ban_info['ban_email'] )
138 message_die(CRITICAL_MESSAGE, 'You_been_banned');
143 // Create or update the session
145 $sql = "UPDATE " . SESSIONS_TABLE . "
146 SET session_user_id = $user_id, session_start = $current_time, session_time = $current_time, session_page = $page_id, session_logged_in = $login
147 WHERE session_id = '" . $session_id . "'
148 AND session_ip = '$user_ip'";
149 if ( !$db->sql_query($sql) || !$db->sql_affectedrows() )
151 $session_id = md5(uniqid($user_ip));
153 $sql = "INSERT INTO " . SESSIONS_TABLE . "
154 (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in)
155 VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login)";
156 if ( !$db->sql_query($sql) )
158 message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
162 if ( $user_id != ANONYMOUS )
163 {// ( $userdata['user_session_time'] > $expiry_time && $auto_create ) ? $userdata['user_lastvisit'] : (
164 $last_visit = ( $userdata['user_session_time'] > 0 ) ? $userdata['user_session_time'] : $current_time;
166 $sql = "UPDATE " . USERS_TABLE . "
167 SET user_session_time = $current_time, user_session_page = $page_id, user_lastvisit = $last_visit
168 WHERE user_id = $user_id";
169 if ( !$db->sql_query($sql) )
171 message_die(CRITICAL_ERROR, 'Error updating last visit time', '', __LINE__, __FILE__, $sql);
174 $userdata['user_lastvisit'] = $last_visit;
176 $sessiondata['autologinid'] = ( $enable_autologin && $sessionmethod == SESSION_METHOD_COOKIE ) ? $auto_login_key : '';
177 $sessiondata['userid'] = $user_id;
180 $userdata['session_id'] = $session_id;
181 $userdata['session_ip'] = $user_ip;
182 $userdata['session_user_id'] = $user_id;
183 $userdata['session_logged_in'] = $login;
184 $userdata['session_page'] = $page_id;
185 $userdata['session_start'] = $current_time;
186 $userdata['session_time'] = $current_time;
188 setcookie($cookiename . '_data', serialize($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);
189 setcookie($cookiename . '_sid', $session_id, 0, $cookiepath, $cookiedomain, $cookiesecure);
191 $SID = 'sid=' . $session_id;
197 // Checks for a given user session, tidies session table and updates user
198 // sessions at each page refresh
200 function session_pagestart($user_ip, $thispage_id)
202 global $db, $lang, $board_config;
203 global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $SID;
205 $cookiename = $board_config['cookie_name'];
206 $cookiepath = $board_config['cookie_path'];
207 $cookiedomain = $board_config['cookie_domain'];
208 $cookiesecure = $board_config['cookie_secure'];
210 $current_time = time();
213 if ( isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) || isset($HTTP_COOKIE_VARS[$cookiename . '_data']) )
215 $sessiondata = isset( $HTTP_COOKIE_VARS[$cookiename . '_data'] ) ? unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();
216 $session_id = isset( $HTTP_COOKIE_VARS[$cookiename . '_sid'] ) ? $HTTP_COOKIE_VARS[$cookiename . '_sid'] : '';
217 $sessionmethod = SESSION_METHOD_COOKIE;
221 $sessiondata = array();
222 $session_id = ( isset($HTTP_GET_VARS['sid']) ) ? $HTTP_GET_VARS['sid'] : '';
223 $sessionmethod = SESSION_METHOD_GET;
227 if (!preg_match('/^[A-Za-z0-9]*$/', $session_id))
233 // Does a session exist?
235 if ( !empty($session_id) )
238 // session_id exists so go ahead and attempt to grab all
239 // data in preparation
241 $sql = "SELECT u.*, s.*
242 FROM " . SESSIONS_TABLE . " s, " . USERS_TABLE . " u
243 WHERE s.session_id = '$session_id'
244 AND u.user_id = s.session_user_id";
245 if ( !($result = $db->sql_query($sql)) )
247 message_die(CRITICAL_ERROR, 'Error doing DB query userdata row fetch', '', __LINE__, __FILE__, $sql);
250 $userdata = $db->sql_fetchrow($result);
253 // Did the session exist in the DB?
255 if ( isset($userdata['user_id']) )
258 // Do not check IP assuming equivalence, if IPv4 we'll check only first 24
259 // bits ... I've been told (by vHiker) this should alleviate problems with
260 // load balanced et al proxies while retaining some reliance on IP security.
262 $ip_check_s = substr($userdata['session_ip'], 0, 6);
263 $ip_check_u = substr($user_ip, 0, 6);
265 if ($ip_check_s == $ip_check_u)
267 $SID = ($sessionmethod == SESSION_METHOD_GET || defined('IN_ADMIN')) ? 'sid=' . $session_id : '';
270 // Only update session DB a minute or so after last update
272 if ( $current_time - $userdata['session_time'] > 60 )
274 $sql = "UPDATE " . SESSIONS_TABLE . "
275 SET session_time = $current_time, session_page = $thispage_id
276 WHERE session_id = '" . $userdata['session_id'] . "'";
277 if ( !$db->sql_query($sql) )
279 message_die(CRITICAL_ERROR, 'Error updating sessions table', '', __LINE__, __FILE__, $sql);
282 if ( $userdata['user_id'] != ANONYMOUS )
284 $sql = "UPDATE " . USERS_TABLE . "
285 SET user_session_time = $current_time, user_session_page = $thispage_id
286 WHERE user_id = " . $userdata['user_id'];
287 if ( !$db->sql_query($sql) )
289 message_die(CRITICAL_ERROR, 'Error updating sessions table', '', __LINE__, __FILE__, $sql);
294 // Delete expired sessions
296 $expiry_time = $current_time - $board_config['session_length'];
297 $sql = "DELETE FROM " . SESSIONS_TABLE . "
298 WHERE session_time < $expiry_time
299 AND session_id <> '$session_id'";
300 if ( !$db->sql_query($sql) )
302 message_die(CRITICAL_ERROR, 'Error clearing sessions table', '', __LINE__, __FILE__, $sql);
305 setcookie($cookiename . '_data', serialize($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);
306 setcookie($cookiename . '_sid', $session_id, 0, $cookiepath, $cookiedomain, $cookiesecure);
315 // If we reach here then no (valid) session exists. So we'll create a new one,
316 // using the cookie user_id if available to pull basic user prefs.
318 $user_id = ( isset($sessiondata['userid']) ) ? intval($sessiondata['userid']) : ANONYMOUS;
320 if ( !($userdata = session_begin($user_id, $user_ip, $thispage_id, TRUE)) )
322 message_die(CRITICAL_ERROR, 'Error creating user session', '', __LINE__, __FILE__, $sql);
330 // session_end closes out a session
331 // deleting the corresponding entry
332 // in the sessions table
334 function session_end($session_id, $user_id)
336 global $db, $lang, $board_config;
337 global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $SID;
339 $cookiename = $board_config['cookie_name'];
340 $cookiepath = $board_config['cookie_path'];
341 $cookiedomain = $board_config['cookie_domain'];
342 $cookiesecure = $board_config['cookie_secure'];
344 $current_time = time();
347 // Pull cookiedata or grab the URI propagated sid
349 if ( isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) )
351 $session_id = isset( $HTTP_COOKIE_VARS[$cookiename . '_sid'] ) ? $HTTP_COOKIE_VARS[$cookiename . '_sid'] : '';
352 $sessionmethod = SESSION_METHOD_COOKIE;
356 $session_id = ( isset($HTTP_GET_VARS['sid']) ) ? $HTTP_GET_VARS['sid'] : '';
357 $sessionmethod = SESSION_METHOD_GET;
360 if (!preg_match('/^[A-Za-z0-9]*$/', $session_id))
366 // Delete existing session
368 $sql = "DELETE FROM " . SESSIONS_TABLE . "
369 WHERE session_id = '$session_id'
370 AND session_user_id = $user_id";
371 if ( !$db->sql_query($sql) )
373 message_die(CRITICAL_ERROR, 'Error removing user session', '', __LINE__, __FILE__, $sql);
376 setcookie($cookiename . '_data', '', $current_time - 31536000, $cookiepath, $cookiedomain, $cookiesecure);
377 setcookie($cookiename . '_sid', '', $current_time - 31536000, $cookiepath, $cookiedomain, $cookiesecure);
383 // Append $SID to a url. Borrowed from phplib and modified. This is an
384 // extra routine utilised by the session code above and acts as a wrapper
385 // around every single URL and form action. If you replace the session
386 // code you must include this routine, even if it's empty.
388 function append_sid($url, $non_html_amp = false)
392 if ( !empty($SID) && !preg_match('#sid=#', $url) )
394 $url .= ( ( strpos($url, '?') != false ) ? ( ( $non_html_amp ) ? '&' : '&' ) : '?' ) . $SID;