source: trunk/include/functions_session.inc.php @ 2699

Last change on this file since 2699 was 2521, checked in by rvelices, 16 years ago
  • images.file categories.permalink old_permalinks.permalink - become binary
  • session security improvement: sessions are now valid only for the originating IP address, compared under mask 255.255.0.0 (a /16) so that users behind load-balancing proxies keep their session -> a stolen session cookie is only usable from the same /16. This is a mitigation, not a fix: an attacker sharing the victim's /16 (the ~65536 addresses of the same ISP or corporate NAT) is not excluded, and in this revision the cookie is still set without the HttpOnly/Secure flags, so a script injected into a gallery page can still read it.
  • metadata sync from the sync button does not overwrite valid data with empty metadata
  • other small fixes/enhancements:
    • added event get_category_image_orders
    • fix display issue with redirect.tpl (h1/h2 within h1)
    • fix known_script smarty function registration
    • query search form not submitted if q is empty
    • better admin css rules
    • some other minor changes (ws_core, rest_handler, functions_search...)
  • Property svn:eol-style set to LF
  • Property svn:keywords set to Author Date Id Revision
1<?php
2// +-----------------------------------------------------------------------+
3// | Piwigo - a PHP based picture gallery                                  |
4// +-----------------------------------------------------------------------+
5// | Copyright(C) 2008      Piwigo Team                  http://piwigo.org |
6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
23
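// The function generate_key creates a string of $size pseudo random
// characters drawn from a-z, A-Z and 0-9. Examples :
//                    "Er4Tgh6", "Rrp08P", "54gj"
// The result is used for session-related secrets, so the entropy source
// matters: the previous implementation re-seeded mt_rand() with at most
// eight decimal digits extracted from microtime(), which left only ~10^8
// possible keys per call and made them guessable from the request time.
// random_int() (PHP 7+) is a CSPRNG; on older engines the fallback is the
// engine-seeded mt_rand(), which is never re-seeded here.
// input  : $size - number of characters to generate (<= 0 yields "")
// output : $key  - string of exactly $size alphanumeric characters
function generate_key($size)
{
  $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

  $size = intval($size);
  if ($size <= 0)
  {
    return '';
  }

  $last = strlen($alphabet) - 1;
  // same guard style as the ini_set() check below: stay runnable on engines
  // that predate random_int()
  $use_csprng = function_exists('random_int');

  $key = '';
  for ($i = 0; $i < $size; $i++)
  {
    $pos = $use_csprng ? random_int(0, $last) : mt_rand(0, $last);
    $key .= $alphabet[$pos];
  }
  return $key;
}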
52
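// Install the database-backed session handler when the gallery is installed
// and configured for it; otherwise PHP's default (files) handler stays active.
if (isset($conf['session_save_handler'])
  and ($conf['session_save_handler'] == 'db')
  and defined('PHPWG_INSTALLED'))
{
  session_set_save_handler('pwg_session_open',
    'pwg_session_close',
    'pwg_session_read',
    'pwg_session_write',
    'pwg_session_destroy',
    'pwg_session_gc'
  );
  if ( function_exists('ini_set') )
  {
    ini_set('session.use_cookies', $conf['session_use_cookies']);
    ini_set('session.use_only_cookies', $conf['session_use_only_cookies']);
    ini_set('session.use_trans_sid', intval($conf['session_use_trans_sid']));
    // Keep the session cookie out of document.cookie (PHP >= 5.2): the /16
    // binding done in get_remote_addr_session_hash() does nothing against a
    // script injected into the gallery itself, HttpOnly does.
    ini_set('session.cookie_httponly', 1);
    // Mark the cookie Secure only when this request came over TLS; doing it
    // unconditionally would leave a plain-HTTP gallery without any session.
    if (!empty($_SERVER['HTTPS']) and strtolower($_SERVER['HTTPS']) != 'off')
    {
      ini_set('session.cookie_secure', 1);
    }
  }
  session_name($conf['session_name']);
  // lifetime 0: cookie lives until the browser closes; path from the gallery
  session_set_cookie_params(0, cookie_path());
}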
73
/**
 * session open handler, invoked by the engine when session_start() runs.
 * No per-session resource is opened here, so the handler only reports success.
 *
 * @param string $path save path, unused but required by the handler signature
 * @param string $name session name, unused but required by the handler signature
 * @return boolean always true
 */
function pwg_session_open($path, $name)
{
  return true;
}
83
/**
 * session close handler, invoked when the session is shut down
 * (for example after unset($_SESSION)). Nothing to release: always succeeds.
 *
 * @return boolean always true
 */
function pwg_session_close()
{
  return true;
}
92
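/**
 * returns the 4 hex digit prefix that binds a session row to the client's
 * network: the first two octets of REMOTE_ADDR, i.e. a /16, coarse enough
 * for users behind a pool of load-balancing proxies. The prefix is part of
 * the row id, so a session id presented from another /16 finds no row.
 *
 * The former explode('.')/vsprintf form only understood dotted IPv4 and
 * produced an error (and false) for an IPv6 peer or when REMOTE_ADDR is not
 * set (command line). IPv6 peers now get the first 16 bits of the address
 * (also a /16 prefix; an IPv4-mapped ::ffff:a.b.c.d therefore yields '0000'),
 * and a missing or malformed address maps to '0000'.
 *
 * @return string 4 upper-case hexadecimal characters
 */
function get_remote_addr_session_hash()
{
  $addr = isset($_SERVER['REMOTE_ADDR']) ? (string)$_SERVER['REMOTE_ADDR'] : '';

  if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false)
  {
    $octets = explode('.', $addr);
    return sprintf('%02X%02X', intval($octets[0]), intval($octets[1]));
  }

  if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false)
  {
    $packed = inet_pton($addr);
    if ($packed !== false and strlen($packed) >= 2)
    {
      return strtoupper(bin2hex(substr($packed, 0, 2)));
    }
  }

  // unknown or malformed peer: a fixed prefix rather than an error
  return '0000';
}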
97
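/**
 * session read handler: returns the serialized data stored for $session_id
 * (as seen from the caller's /16, see get_remote_addr_session_hash) or an
 * empty string when no such row exists.
 *
 * $session_id comes straight from the client's cookie or URL and used to be
 * spliced verbatim into the SELECT. It is now only accepted when it consists
 * of the characters session ids are made of - letters and digits from
 * generate_key(), plus ',' and '-' which PHP's own id generator may emit;
 * anything else is answered with "no session", exactly as PHP's files handler
 * refuses such ids.
 *
 * @param string session id
 * @return string serialized session data, '' when absent
 */
function pwg_session_read($session_id)
{
  if (!preg_match('/^[A-Za-z0-9,-]+$/', $session_id))
  {
    return '';
  }

  $query = '
SELECT data
  FROM '.SESSIONS_TABLE.'
  WHERE id = \''.get_remote_addr_session_hash().$session_id.'\'
;';
  $result = pwg_query($query);
  if (!$result)
  {
    return '';
  }

  $row = mysql_fetch_assoc($result);
  // no matching row: a read handler must hand back a string, not null/false
  if (!$row or !isset($row['data']))
  {
    return '';
  }
  return (string)$row['data'];
}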
123
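/**
 * session write handler: stores the serialized $data for $session_id,
 * refreshing the row's expiration, and creates the row when it does not
 * exist yet. Returns true when the data was persisted, false when
 * $session_id is not a possible session id (letters, digits, ',' and '-'
 * only) - the same rejection PHP's own files handler applies - in which
 * case nothing is written.
 *
 * $data holds whatever was put into $_SESSION (search terms and other user
 * input included) and $session_id comes from the client; neither was escaped
 * before, so a quote in either ended up inside the SQL statement. The id is
 * allow-listed and the data escaped with the driver this file already uses
 * (mysql_*), which relies on the connection pwg_query() works on.
 *
 * @param string session id
 * @param string serialized session data
 * @return boolean
 */
function pwg_session_write($session_id, $data)
{
  if (!preg_match('/^[A-Za-z0-9,-]+$/', $session_id))
  {
    return false;
  }
  $row_id = get_remote_addr_session_hash().$session_id;
  $escaped_data = mysql_real_escape_string($data);

  $query = '
UPDATE '.SESSIONS_TABLE.'
  SET expiration = now(),
  data = \''.$escaped_data.'\'
  WHERE id = \''.$row_id.'\'
;';
  pwg_query($query);
  if ( mysql_affected_rows()>0 )
  {
    return true;
  }

  // No row changed: it does not exist yet, or (MySQL reports 0 affected rows
  // then too) it already holds exactly these values. The INSERT deliberately
  // goes through the raw driver call rather than pwg_query(), presumably so
  // that a duplicate-key error in the second case stays silent - pwg_query's
  // error handling is not visible here, so that choice is kept.
  $query = '
INSERT INTO '.SESSIONS_TABLE.'
  (id,data,expiration)
  VALUES(\''.$row_id.'\',\''.$escaped_data.'\',now())
;';
  mysql_query($query);
  return true;
}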
151
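/**
 * session destroy handler: deletes the row for $session_id as seen from the
 * caller's /16 (the id prefix, see get_remote_addr_session_hash).
 *
 * $session_id is client supplied and was spliced verbatim into the DELETE.
 * An id outside the session id character set (letters, digits, ',' and '-')
 * is now rejected instead: no statement is run for it and true is returned,
 * since there is no valid session to tear down.
 *
 * @param string session id
 * @return boolean always true
 */
function pwg_session_destroy($session_id)
{
  if (!preg_match('/^[A-Za-z0-9,-]+$/', $session_id))
  {
    return true;
  }

  $query = '
DELETE
  FROM '.SESSIONS_TABLE.'
  WHERE id = \''.get_remote_addr_session_hash().$session_id.'\'
;';
  pwg_query($query);
  return true;
}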
167
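/**
 * session garbage collection handler: deletes rows whose expiration is older
 * than $conf['session_length'] seconds.
 *
 * PHP invokes gc handlers with session.gc_maxlifetime as argument; it is
 * accepted here so the call matches the handler signature, but the cut-off
 * stays the gallery's own $conf['session_length'], as before. That value is
 * forced to an integer before it is placed into the statement so a
 * misconfigured setting cannot turn into SQL.
 *
 * @param int|null $maxlifetime engine-supplied lifetime, unused
 * @return boolean always true
 */
function pwg_session_gc($maxlifetime = null)
{
  global $conf;

  $lifetime = intval($conf['session_length']);
  $query = '
DELETE
  FROM '.SESSIONS_TABLE.'
  WHERE UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(expiration) > '.$lifetime.'
;';
  pwg_query($query);
  return true;
}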
185
186
/**
 * persistently stores a variable for the current session under the
 * 'pwg_' prefixed key. Currently backed by standard php sessions, which
 * may change.
 * @return boolean true when a session is active and the value was stored,
 *                 false when there is no session
 * @see pwg_get_session_var, pwg_unset_session_var
 */
function pwg_set_session_var($var, $value)
{
  $session_active = isset($_SESSION);
  if ($session_active)
  {
    $_SESSION['pwg_'.$var] = $value;
  }
  return $session_active;
}
200
/**
 * retrieves the value of a persistent variable for the current session.
 * Currently backed by standard php sessions, which may change.
 * @return mixed the stored value, or $default when the variable is not set
 *               (a stored null counts as not set, isset() semantics)
 * @see pwg_set_session_var, pwg_unset_session_var
 */
function pwg_get_session_var($var, $default = null)
{
  $key = 'pwg_'.$var;
  return isset($_SESSION[$key]) ? $_SESSION[$key] : $default;
}
215
/**
 * deletes a persistent variable for the current session (no-op when the
 * variable was not set). Currently backed by standard php sessions, which
 * may change.
 * @return boolean true when a session is active, false when there is none
 * @see pwg_set_session_var, pwg_get_session_var
 */
function pwg_unset_session_var($var)
{
  if (isset($_SESSION))
  {
    unset($_SESSION['pwg_'.$var]);
    return true;
  }
  return false;
}
229
230?>