source: trunk/include/functions_session.inc.php @ 30781

Last change on this file since 30781 was 28615, checked in by plg, 10 years ago

bug 3082: increase generate_key randomness with openssl_random_pseudo_bytes (with fallback on mt_rand for Windows+PHP<5.3.4)

1<?php
2// +-----------------------------------------------------------------------+
3// | Piwigo - a PHP based photo gallery                                    |
4// +-----------------------------------------------------------------------+
5// | Copyright(C) 2008-2014 Piwigo Team                  http://piwigo.org |
6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
23
24/**
25 * @package functions\session
26 */
27
28
// Route session storage through the database handlers defined below, but
// only when the configuration asks for it and the installation has been
// completed. $conf is expected from the global scope of the including file.
if (isset($conf['session_save_handler'])
  && $conf['session_save_handler'] == 'db'
  && defined('PHPWG_INSTALLED'))
{
  // open / close / read / write / destroy / gc, all implemented in this file
  session_set_save_handler(
    'pwg_session_open',
    'pwg_session_close',
    'pwg_session_read',
    'pwg_session_write',
    'pwg_session_destroy',
    'pwg_session_gc'
  );

  if (function_exists('ini_set'))
  {
    ini_set('session.use_cookies', $conf['session_use_cookies']);
    ini_set('session.use_only_cookies', $conf['session_use_only_cookies']);
    // trans_sid puts the session id into URLs; the value comes from config
    ini_set('session.use_trans_sid', (int)$conf['session_use_trans_sid']);
    // keep the session cookie out of reach of client-side scripts
    ini_set('session.cookie_httponly', 1);
    // NOTE(review): session.cookie_secure is not set here; confirm whether
    // HTTPS deployments configure it elsewhere
  }

  session_name($conf['session_name']);
  // lifetime 0 = cookie lives until the browser is closed
  session_set_cookie_params(0, cookie_path());
  // make sure the session is flushed before PHP tears the request down
  register_shutdown_function('session_write_close');
}
54
55
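/**
 * Generates a pseudo random string.
 * Characters used are a-z A-Z and numerical values.
 *
 * The openssl branch keeps drawing bytes until enough alphabet characters
 * have been collected, so the result is always exactly $size characters
 * long. Simply stripping '+' and '/' from a single base64 round can leave
 * the string shorter than requested, or let '=' padding slip in.
 *
 * The $crypto_strong flag of openssl_random_pseudo_bytes() is not
 * inspected, as before. The mt_rand() fallback is not cryptographically
 * strong and is only used when openssl is unavailable.
 *
 * @param int $size number of characters wanted; 0 or less gives ''
 * @return string
 */
function generate_key($size)
{
  $size = intval($size);
  if ($size <= 0)
  {
    return '';
  }

  if (
    is_callable('openssl_random_pseudo_bytes')
    and !(version_compare(PHP_VERSION, '5.3.4') < 0 and defined('PHP_WINDOWS_VERSION_MAJOR'))
    )
  {
    $key = '';
    while (strlen($key) < $size)
    {
      $bytes = openssl_random_pseudo_bytes($size);
      if ($bytes === false or $bytes === '')
      {
        // openssl could not deliver; use the mt_rand() fallback below
        break;
      }
      // each round yields about 4/3 characters per byte minus the stripped
      // ones, so a second round is occasionally needed
      $key.= str_replace(array('+', '/', '='), '', base64_encode($bytes));
    }
    if (strlen($key) >= $size)
    {
      return substr($key, 0, $size);
    }
  }

  $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
  $l = strlen($alphabet)-1;
  $key = '';
  for ($i=0; $i<$size; $i++)
  {
    $key.= $alphabet[mt_rand(0, $l)];
  }
  return $key;
}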
92
/**
 * Called by PHP session manager, always return true.
 *
 * Nothing to open: the storage is the database connection already
 * established by the application, so both arguments are unused.
 *
 * @param string $path save path handed over by PHP, ignored
 * @param string $name session name handed over by PHP, ignored
 * @return true
 */
function pwg_session_open($path, $name)
{
  return true;
}
104
/**
 * Called by PHP session manager, always return true.
 *
 * Nothing to release: the database connection outlives the session.
 *
 * @return true
 */
function pwg_session_close()
{
  return true;
}
114
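/**
 * Returns a hash from current user IP
 *
 * The value is prepended to the session id in the sessions table so that
 * a stolen id is only usable from a matching client address. Only the
 * first two IPv4 octets reach the format string, so the "hash" identifies
 * a /16 network rather than the full address (presumably deliberate, to
 * survive address changes inside one provider; confirm before tightening).
 * IPv6 addresses are not handled and yield ''.
 *
 * @return string 4 hex characters, or '' when disabled / not applicable
 */
function get_remote_addr_session_hash()
{
  global $conf;

  if (empty($conf['session_use_ip_address']))
  {
    return '';
  }

  // CLI and some SAPIs do not set REMOTE_ADDR: nothing to bind to
  if (!isset($_SERVER['REMOTE_ADDR']))
  {
    return '';
  }

  if (strpos($_SERVER['REMOTE_ADDR'],':')===false)
  {//ipv4
    // vsprintf ignores the extra octets: only the first two are used
    return vsprintf(
      "%02X%02X",
      explode('.',$_SERVER['REMOTE_ADDR'])
    );
  }
  return ''; //ipv6 not yet
}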
138
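/**
 * Called by PHP session manager, retrieves data stored in the sessions table.
 *
 * The row key is the client address hash followed by the session id. The
 * id originates from the client's cookie or URL and is therefore escaped
 * before being placed in the query, exactly like $data is in
 * pwg_session_write(); a well-formed id is left unchanged by the escaping.
 *
 * @param string $session_id
 * @return string serialized session data, '' when nothing is stored
 */
function pwg_session_read($session_id)
{
  $query = '
SELECT data
  FROM '.SESSIONS_TABLE.'
  WHERE id = \''.get_remote_addr_session_hash().pwg_db_real_escape_string($session_id).'\'
;';
  $result = pwg_query($query);
  if (!$result)
  {
    return '';
  }

  $row = pwg_db_fetch_assoc($result);
  // an unknown or expired id has no row; the session manager expects a
  // string back, never null or false
  return isset($row['data']) ? $row['data'] : '';
}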
163
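/**
 * Called by PHP session manager, writes data in the sessions table.
 *
 * REPLACE refreshes the expiration column to now() on every write, so
 * pwg_session_gc() measures idle time since the last request. The
 * session id comes from the client and is escaped like $data; a
 * well-formed id is left unchanged by the escaping.
 *
 * @param string $session_id
 * @param string $data serialized session payload
 * @return true
 */
function pwg_session_write($session_id, $data)
{
  $query = '
REPLACE INTO '.SESSIONS_TABLE.'
  (id,data,expiration)
  VALUES(\''.get_remote_addr_session_hash().pwg_db_real_escape_string($session_id).'\',\''.pwg_db_real_escape_string($data).'\',now())
;';
  pwg_query($query);
  return true;
}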
181
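/**
 * Called by PHP session manager, deletes data in the sessions table.
 *
 * Uses the same address-hash prefix as read/write, so a row written from
 * a different /16 is not reachable here and is left for the garbage
 * collector. The session id comes from the client and is escaped like
 * $data in pwg_session_write().
 *
 * @param string $session_id
 * @return true
 */
function pwg_session_destroy($session_id)
{
  $query = '
DELETE
  FROM '.SESSIONS_TABLE.'
  WHERE id = \''.get_remote_addr_session_hash().pwg_db_real_escape_string($session_id).'\'
;';
  pwg_query($query);
  return true;
}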
198
/**
 * Called by PHP session manager, garbage collector for expired sessions.
 *
 * Removes every row whose expiration (refreshed on each write) is older
 * than $conf['session_length'] seconds. The maximum lifetime PHP passes to
 * the gc callback is not used; the configuration value wins.
 *
 * @return true
 */
function pwg_session_gc()
{
  global $conf;

  $now_ts = pwg_db_date_to_ts('NOW()');
  $expiration_ts = pwg_db_date_to_ts('expiration');

  $query = '
DELETE
  FROM '.SESSIONS_TABLE.'
  WHERE '.$now_ts.' - '.$expiration_ts.' > '.$conf['session_length'].'
;';
  pwg_query($query);
  return true;
}
217
/**
 * Persistently stores a variable for the current session.
 *
 * The value is kept under a 'pwg_' prefixed key so it cannot collide with
 * other session users. Nothing is stored when no session is active.
 *
 * @param string $var name without the 'pwg_' prefix
 * @param mixed $value
 * @return bool true when stored, false when $_SESSION is not available
 */
function pwg_set_session_var($var, $value)
{
  $has_session = isset($_SESSION);
  if ($has_session)
  {
    $_SESSION['pwg_'.$var] = $value;
  }
  return $has_session;
}
232
/**
 * Retrieves the value of a persistent variable for the current session.
 *
 * A stored null is indistinguishable from an absent key (isset semantics)
 * and therefore also yields $default.
 *
 * @param string $var name without the 'pwg_' prefix
 * @param mixed $default returned when the variable is not set
 * @return mixed
 */
function pwg_get_session_var($var, $default = null)
{
  $key = 'pwg_'.$var;
  return isset($_SESSION[$key]) ? $_SESSION[$key] : $default;
}
248
/**
 * Deletes a persistent variable for the current session.
 *
 * Unsetting a key that was never stored is not an error.
 *
 * @param string $var name without the 'pwg_' prefix
 * @return bool true when a session is active, false otherwise
 */
function pwg_unset_session_var($var)
{
  if (isset($_SESSION))
  {
    unset($_SESSION['pwg_'.$var]);
    return true;
  }
  return false;
}
262
263?>