Source for file session-defs.php

Documentation is available at session-defs.php

  1. <?php
  2. /* ******************************************************************** */
  3. /* CATALYST PHP Source Code */
  4. /* -------------------------------------------------------------------- */
  5. /* This program is free software; you can redistribute it and/or modify */
  6. /* it under the terms of the GNU General Public License as published by */
  7. /* the Free Software Foundation; either version 2 of the License, or */
  8. /* (at your option) any later version. */
  9. /* */
  10. /* This program is distributed in the hope that it will be useful, */
  11. /* but WITHOUT ANY WARRANTY; without even the implied warranty of */
  12. /* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
  13. /* GNU General Public License for more details. */
  14. /* */
  15. /* You should have received a copy of the GNU General Public License */
  16. /* along with this program; if not, write to: */
  17. /* The Free Software Foundation, Inc., 59 Temple Place, Suite 330, */
  18. /* Boston, MA 02111-1307 USA */
  19. /* -------------------------------------------------------------------- */
  20. /* */
  21. /* Filename: session-defs.php */
  22. /* Author: Paul Waite */
  23. /* Description: Definitions for managing SESSIONS. */
  24. /* We regard the session as a generic thing which will be */
  25. /* constant in functionality and data across any */
  26. /* application we might write. It deals only with the */
  27. /* the basics of user identity, group membership and */
  28. /* maintaining this across multiple page accesses within */
  29. /* the website. For context variables which will differ */
  30. /* from application to application, see context-defs.php. */
  31. /* */
  32. /* ******************************************************************** */
  33. /** @package core */// SESSION DATABASE OPTIONS
  34. // The user session can be backed by a database, or not. This allows
  35. // simple code-only websites to be implemented, where there is no
  36. // need to track users, sessions and other data.
  37.  
  38. /** Session is backed by a database connection */
  39. ("SESS_DATABASE_BACKED", true );
  40. /** Session is standalone, no database */
  41. ("SESS_STANDALONE", false );
  42.  
  43. // -----------------------------------------------------------------------
  44. // SESSION LIFETIMES
  45. // This value is the number of seconds that you wish a session cookie
  46. // lifetime to be, before it is deemed to have expired. Common choices
  47. // are provided as defines, otherwise use your own value.
  48.  
  49. /** Session lasts forever.. well, 10 years is near enough. */
  50. ("SESS_FOREVER", SECS_10_YEARS);
  51. /** Session lasts for 1 year */
  52. ("SESS_1_YEAR", SECS_1_YEAR);
  53. /** Session lasts for 1 month */
  54. ("SESS_1_MONTH", SECS_1_MONTH);
  55. /** Session lasts for 1 week */
  56. ("SESS_1_WEEK", SECS_1_WEEK);
  57. /** Session lasts for 24 hours */
  58. ("SESS_1_DAY", SECS_1_DAY);
  59. /** Session lasts for 12 hours */
  60. ("SESS_12_HOURS", SECS_12_HOURS);
  61. /** Session lasts for 8 hours */
  62. ("SESS_8_HOURS", SECS_8_HOURS);
  63. /** Session lasts for 4 hours */
  64. ("SESS_4_HOURS", SECS_4_HOURS);
  65. /** Session lasts for 1 hour */
  66. ("SESS_1_HOUR", SECS_1_HOUR);
  67. /** Session lasts for 20 minutes */
  68. ("SESS_20_MINS", SECS_20_MINS);
  69. /** Session lasts as long as user browser is open */
  70. ("SESS_BROWSER_LIFETIME", -1);
  71. /** Session has no lifetime, immediate expiry */
  72. ("SESS_ZERO_LIFETIME", 0);
  73.  
  74. // -----------------------------------------------------------------------
  75. // SESSION LOGIN LIMIT ACTION
  76. // Possibilities for handling a login limit which has been exceeded.
  77.  
  78. /** Login limit exceeded: Allow, assume app. takes action */
  79. ("SESS_ALLOW", 0);
  80. /** Login limit exceeded: Allow session, cull oldest */
  81. ("SESS_ALLOW_CULL", 1);
  82. /** Login limit exceeded: Block session, nice message */
  83. ("SESS_BLOCK_MSG", 2);
  84. /** Login limit exceeded: Block session, no message */
  85. ("SESS_BLOCK_SILENT", 3);
  86. /** Login limit exceeded: Block session, redirect to URL */
  87. ("SESS_BLOCK_REDIRECT", 4);
  88. /** Login limit exceeded: Block session, login as guest instead */
  89. ("SESS_BLOCK_GUEST", 5);
  90.  
  91. // -----------------------------------------------------------------------
  92. // SESSION LOGIN TYPE CODES
  93. // This flags the way the user originally logged in.
  94.  
  95. /** No known login has been achieved */
  96. ("LOGIN_UNKNOWN", 0);
  97. /** Login by using guest account */
  98. ("LOGIN_BY_GUEST", 1);
  99. /** Login by remote IP address match */
  100. ("LOGIN_BY_IP", 2);
  101. /** Login by standard username/password */
  102. ("LOGIN_BY_PASSWD", 3);
  103. /** Login by using authorisation code (MD5 string usually) */
  104. ("LOGIN_BY_AUTHCODE", 4);
  105.  
  106. // -----------------------------------------------------------------------
  107. /**
  108. * THE SESSION CLASS
  109. * A class to manage user sessions. A session is simply a thing which
  110. * contains information about a user who has logged on to the system,
  111. * so in fact the session is just an extension of a user.
  112. * To access the system a user must either create a new session, or
  113. * recover an existing session. A new session is created if the user
  114. * provides login details: userid/password or unique $authid (MD5).
  115. * An existing session may be 'recovered' if the login details are
  116. * absent, and if a cookie is sent containing a valid session key.
  117. * @package core
  118. */
  119. class session extends user {
  120. /** The ID of this session */
  121.  
  122. var $session_id = false;
  123. /** The type of this session */
  124.  
  125. var $db_backed = SESS_DATABASE_BACKED;
  126. /** The session record complete */
  127.  
  128. var $session_record;
  129. /** The session lifetime, in seconds */
  130.  
  131. var $lifetime = 0;
  132. /** True if we should limit 'guest' to browser lifetime */
  133.  
  134. var $guest_browser_lifetime = false;
  135. /** The session cookie name */
  136.  
  137. var $cookiename = "";
  138. /** Time of last login (Unix timestamp) */
  139.  
  140. var $last_logintime = 0;
  141. /** Error condition message if any */
  142.  
  143. var $error_message = "";
  144. /** Option to take on logins exceeded for user */
  145.  
  146. var $logins_exceeded_option = SESS_ALLOW_CULL;
  147. /** Custom message to deliver when blocking */
  148.  
  149. var $logins_exceeded_msg = "";
  150. /** URL to redirect to on logins exceeded */
  151.  
  152. var $logins_exceeded_redirect = "";
  153. /** Login type for this session */
  154.  
  155. var $login_type = LOGIN_BY_PASSWD;
  156. /** Whether we are tracking session logins */
  157.  
  158. var $session_track_logins = true;
  159. // .....................................................................
  160. /**
  161. * Constructor
  162. * Create a new session.
  163. * Initial creation of the session object does nothing.
  164. * The activate() method sets it up, when called.
  165. */
  166. function session() {
  167. $this->session_clear();
  168. } // session
  169. // .....................................................................
  170. /**
  171. * Retrieve the session cookie
  172. * This function looks for the cookie which is appropriate to the
  173. * current application, and returns the session ID if the cookie
  174. * was submitted. Returns false otherwise..
  175. * @return mixed The session ID as a string, or false
  176. * @access private
  177. */
  178. function get_session_cookie() {
  179. $session_id = false;
  180. $cookiename = $this->cookiename;
  181. global $$cookiename;
  182. if (isset($$cookiename)) {
  183. $session_id = $$cookiename;
  184. }
  185. return $session_id;
  186. } // get_session_cookie
  187. // .....................................................................
  188. /**
  189. * Identify the user/client
  190. * Here is where we activate our session. This involves searching
  191. * for the cookie, username/password sequence, or authorisation
  192. * code which will allow us to identify the requester and create
  193. * the proper session for them to access the website..
  194. * @return bool True if we succeeded in identifying the user, else false
  195. */
  196. function identify_user() {
  197. // Access to the vars..
  198. global $tbxUsername, $user; // Userid textbox fieldname submitted from a form
  199. global $tbxPassword, $pass; // Password textbox fieldname submitted from a form
  200. global $chkRememberMe; // Checkbox specific user request for extended cookie life
  201. global $tbxLogoff; // Logoff hidden field sent from a form
  202. global $authid; // Authorisation code (MD5) from form or URL
  203. global $REMOTE_ADDR; // IP address of remote browser/client
  204.  
  205. // Map alternative fieldnames onto standard ones..
  206. if (isset($user) && $user != "" && !isset($tbxUsername)) $tbxUsername = $user;
  207. if (isset($pass) && $pass != "" && !isset($tbxPassword)) $tbxPassword = $pass;
  208.  
  209. // Initialise some variables..
  210. $this->session_clear();
  211. $this->user();
  212.  
  213. // If no database we are not tracking sessions..
  214. if (!$this->db_backed) return true;
  215.  
  216. // Turn tracing on..
  217. debug_trace($this);
  218.  
  219. // SUBMITTED COOKIE
  220. // Gather in any submitted cookie..
  221. $session_id = $this->get_session_cookie();
  222.  
  223. // LOGIN via SUBMITTED AUTHORISATION
  224. // Now we check for login/logoff action. Clear out any session id
  225. // if they have submitted a login, or an authorisation code..
  226. if (((isset($tbxUsername) && $tbxUsername != "") && (isset($tbxPassword) && $tbxPassword != ""))
  227. || (isset($authid))
  228. ) {
  229. // Clear any existing session..
  230. debugbr("authorisation detected, clearing session", DBG_DEBUG);
  231. $session_id = false;
  232. $this->session_clear();
  233. }
  234.  
  235. // EXISTING SESSION RECOVERY
  236. // If we still have a session id, then we try recovery..
  237. if ($session_id) {
  238. debugbr("session id detected.", DBG_DEBUG);
  239. if ($this->recover($session_id)) {
  240. // Check if they want to logoff..
  241. debugbr("recovered session: '$this->session_id'", DBG_DEBUG);
  242. if (isset($tbxLogoff) && strcasecmp($tbxLogoff, "logoff") == 0) {
  243. debugbr("logging off, deleting session", DBG_DEBUG);
  244. $this->session_delete();
  245. }
  246. else {
  247. // Special case: where recovered session is a GUEST session. In
  248. // this case we check for a possible IP login, so that these
  249. // users don't get marooned in a guest login session..
  250. if ($this->login_type == LOGIN_BY_GUEST) {
  251. debugbr("guest recovered: checking for IP authentication..", DBG_DEBUG);
  252. $login_type = $this->authenticate_ipaddress($REMOTE_ADDR);
  253. if ($login_type != LOGIN_UNKNOWN) {
  254. $this->session_create($login_type);
  255. }
  256. else {
  257. // Keep the original guest authentication..
  258. debugbr("falling back to guest", DBG_DEBUG);
  259. $this->valid = true;
  260. $this->authenticated = true;
  261. }
  262. }
  263. }
  264. }
  265. } // existing session
  266.  
  267. // NEW SESSION CREATION
  268. // If no real session id exists at this point then check
  269. // for a username and password or an authorisation code
  270. // and log them in..
  271. if (!$this->session_id) {
  272. $authenticated = false;
  273. debugbr("no session, looking to create new one", DBG_DEBUG);
  274.  
  275. // AUTH CODE AUTHENTICATION..
  276. if (!$authenticated && isset($authid)) {
  277. debugbr("trying authid authentication..", DBG_DEBUG);
  278. $login_type = $this->authenticate_authid($authid);
  279. if ($login_type != LOGIN_UNKNOWN) {
  280. $this->session_create($login_type);
  281. $authenticated = true;
  282. }
  283. }
  284.  
  285. // IP ADDRESS AUTHENTICATION..
  286. if (!$authenticated && !isset($tbxUsername)) {
  287. debugbr("trying IP authentication..", DBG_DEBUG);
  288. $login_type = $this->authenticate_ipaddress($REMOTE_ADDR);
  289. if ($login_type != LOGIN_UNKNOWN) {
  290. $this->session_create($login_type);
  291. $authenticated = true;
  292. }
  293. }
  294.  
  295. // USERNAME/PASSWORD AUTHENTICATION..
  296. // Login with userid/password. If none provided then we default
  297. // them to 'guest'. For websites which are subscriber-only we
  298. // expect the application code to handle it.
  299. if (!$authenticated) {
  300. // Default to guest, if no login supplied..
  301. if (!isset($tbxUsername)) {
  302. debugbr("username not set, falling back to guest", DBG_DEBUG);
  303. $tbxUsername = "guest";
  304. }
  305. if (!isset($tbxPassword)) $tbxPassword = "";
  306. $tbxUsername = trim($tbxUsername);
  307.  
  308. // Authenticate the login attempt. If successful, this
  309. // populates the user and usergroups information..
  310. $login_type = $this->authenticate_userid($tbxUsername, $tbxPassword);
  311. if ($login_type != LOGIN_UNKNOWN) {
  312. // Check for user request to extend cookie life..
  313. if (isset($chkRememberMe)) {
  314. debugbr("forcing session lifetime to forever", DBG_DEBUG);
  315. $this->set_lifetime(SESS_FOREVER);
  316. }
  317. $this->session_create($login_type);
  318. $authenticated = true;
  319. }
  320. }
  321. } // new session
  322.  
  323. // Return status..
  324. if (debugging() && $this->session_valid()) {
  325. debug("session type: ", DBG_DEBUG);
  326. switch ($this->login_type) {
  327. case LOGIN_BY_GUEST:
  328. debugbr("guest", DBG_DEBUG);
  329. break;
  330. case LOGIN_BY_IP:
  331. debugbr("authorised by IP address", DBG_DEBUG);
  332. break;
  333. case LOGIN_BY_PASSWD:
  334. debugbr("authorised by userid/password", DBG_DEBUG);
  335. break;
  336. case LOGIN_BY_AUTHCODE:
  337. debugbr("authorised by auth code", DBG_DEBUG);
  338. break;
  339. default:
  340. debugbr("unknown", DBG_DEBUG);
  341. } // switch
  342. }
  343. return $this->session_valid();
  344.  
  345. debug_trace();
  346. } // identify_user
  347. // ....................................................................
  348. /**
  349. * Check if we should bump our login count.
  350. * @access private
  351. */
  352. function track_logins() {
  353. if ($this->login_type != LOGIN_BY_GUEST && $this->session_track_logins === true) {
  354. debugbr("session login tracking is enabled", DBG_DEBUG);
  355. debug_trace($this);
  356. // Timestamp of now...
  357. $tinow = time();
  358. $dtnow = timestamp_to_datetime($tinow);
  359.  
  360. // Now check last login time. If the current time is more
  361. // than 4 hours later, then we increment the login count.
  362. if ( $tinow > ($this->last_logintime + SESS_4_HOURS) ) {
  363. if ($this->valid) {
  364. // Update the user record..
  365. $uQ = new dbupdate("ax_user");
  366. $uQ->set("total_logins", ($this->total_logins + 1));
  367. $uQ->set("last_login", $dtnow);
  368. $uQ->where("user_id='" . addslashes($this->userid) . "'");
  369. $uQ->execute();
  370.  
  371. // Update the session record..
  372. $uQ = new dbupdate("ax_wwwsession");
  373. $uQ->set("login_datetime", $dtnow);
  374. $uQ->where("session_id='$this->session_id'");
  375. $uQ->execute();
  376.  
  377. // Set the resident var..
  378. $this->last_logintime = $tinow;
  379. }
  380. }
  381. debug_trace();
  382. }
  383. else {
  384. debugbr("session login tracking is disabled", DBG_DEBUG);
  385. }
  386. } // track_logins
  387. // ...................................................................
  388. /**
  389. * Set logins exceeded action
  390. * This sets the action for when the number of logins for a given
  391. * user of the system exceeds a maximum, if specified. The options
  392. * for the action to take are:
  393. * SESS_ALLOW Allow, assume app. will take action
  394. * SESS_ALLOW_CULL Allow session, cull oldest
  395. * SESS_BLOCK_MSG Block session, nice message
  396. * SESS_BLOCK_SILENT Block session, no message
  397. * SESS_BLOCK_REDIRECT Block session, redirect to URL
  398. * SESS_BLOCK_GUEST Block session, login as guest instead
  399. */
  400. function on_logins_exceeded($option=SESS_ALLOW_CULL, $parm="") {
  401. $this->logins_exceeded_option = $option;
  402. switch ($option) {
  403. case SESS_BLOCK_REDIRECT:
  404. $this->logins_exceeded_redirect = $parm;
  405. break;
  406. case SESS_BLOCK_MSG:
  407. $this->logins_exceeded_msg = $parm;
  408. break;
  409. } // switch
  410. } // on_logins_exceeded
  411. // ....................................................................
  412. /**
  413. * Check for any excess sessions over and above the number which are
  414. * allowed for this user. We may cull oldest sessions first, or take
  415. * other actions as specified in the $RESPONSE.
  416. * @access private
  417. */
  418. function check_excess_sessions() {
  419. global $RESPONSE;
  420. debug_trace($this);
  421. // Check for multiple login limit restriction..
  422. if ($this->limit_logins > 0) {
  423. debugbr("checking login limit of $this->limit_logins.", DBG_DEBUG);
  424. $q = "SELECT session_id";
  425. $q .= " FROM ax_wwwsession";
  426. $q .= " WHERE user_id='" . addslashes($this->userid) . "'";
  427. $q .= " ORDER BY login_datetime";
  428. $loginQ = dbrecordset($q);
  429. // We do +1 to take account of the login we will be
  430. // adding as part of this process shortly..
  431. $excesslogins = 1 + $loginQ->rowcount - $this->limit_logins;
  432. if ($excesslogins > 0) {
  433. debugbr("oops: " . ($loginQ->rowcount) . " logins already; $excesslogins too many.", DBG_DEBUG);
  434. switch ($this->logins_exceeded_option) {
  435. case SESS_ALLOW:
  436. // Do nothing. This is for when the developer
  437. // wants to handle it at application level..
  438. break;
  439. case SESS_ALLOW_CULL:
  440. // Delete the number we need, starting with the oldest..
  441. for ($ix=0; $ix < $excesslogins; $ix++) {
  442. $sessid = $loginQ->field("session_id");
  443. dbcommand("DELETE FROM ax_wwwsession WHERE session_id='$sessid'");
  444. $loginQ->get_next();
  445. } // for
  446. error_log(APP_NAME . ": User '$this->userid' excess logins($excesslogins) triggered a session cull.", 0);
  447. break;
  448. case SESS_BLOCK_MSG:
  449. // Stop the process dead, with nice message in the browser..
  450. if ($RESPONSE->browser_type == BROWSER_HTML || $RESPONSE->browser_type == BROWSER_XHTML) {
  451. $msg = $RESPONSE->logins_exceeded_msg;
  452. if ($msg == "") {
  453. $msg = "<h2>". APP_NAME . " Login Count Exceeded</h2>\n";
  454. $msg .= "<p>You have exceeded your login count. If you closed your browser ";
  455. $msg .= "on another computer, and you are trying to login somewhere else ";
  456. $msg .= "you will have to log off the first machine before you can do so ";
  457. $msg .= "due to the login restrictions on your account.</p>";
  458. $msg .= "<p>Sorry for any inconvenience.</p>";
  459. }
  460. die("<html><body>\n" . $msg . "</body></html>\n");
  461. }
  462. else {
  463. die();
  464. }
  465. break;
  466. case SESS_BLOCK_SILENT:
  467. // Stop the process dead, no message, no nuthin'
  468. // and lucky to get that!
  469. die();
  470. break;
  471. case SESS_BLOCK_REDIRECT:
  472. // Redirect to a given page instead of logging in..
  473. header("Location: $this->logins_exceeded_redirect");
  474. break;
  475. case SESS_BLOCK_GUEST:
  476. // Let them log in, but as a guest instead..
  477. if (!($this->user("guest") && $this->enabled)) {
  478. $this->crash(500);
  479. }
  480. break;
  481.  
  482. } // switch
  483. }
  484. else {
  485. debugbr("no excess logins.", DBG_DEBUG);
  486. }
  487. }
  488. debug_trace();
  489. } // check_excess_sessions
  490. // .....................................................................
  491. /** Recover session
  492. * Recover an existing session. This will obliterate any pre-existing
  493. * session information in this object, since we expect it to succeed..
  494. * @return mixed Session ID or else false
  495. */
  496. function recover($session_id) {
  497. debug_trace($this);
  498. $this->session_clear();
  499. if (!empty($session_id)) {
  500. $session = dbrecordset("SELECT * FROM ax_wwwsession WHERE session_id='$session_id'");
  501. if ($session->hasdata) {
  502. // Find user record and check enabled..
  503. $this->user($session->field("user_id"));
  504. if (!$this->locked) {
  505. if ($this->enabled) {
  506. $this->session_id = $session_id;
  507. $this->userid = $session->field("user_id");
  508. $this->session_record = $session->current_row;
  509. $this->login_type = $session->field("login_type");
  510. $this->last_logintime = datetime_to_timestamp($session->field("login_datetime"));
  511. // This writes login total to the uuser record, and
  512. // login datetime to the wwwsession record..
  513. $this->track_logins();
  514. debugbr("found session record.", DBG_DEBUG);
  515. }
  516. else {
  517. debugbr("session rejected: user '" . $session->field("user_id") . "' not enabled", DBG_DEBUG);
  518. $this->valid = false;
  519. }
  520. }
  521. else {
  522. debugbr("session rejected: '" . $session->field("user_id") . "' account is locked", DBG_DEBUG);
  523. $this->valid = false;
  524. }
  525. }
  526. else {
  527. // Invalidate session and clear cookie..
  528. debugbr("no valid session record found: clearing session data and cookie.", DBG_DEBUG);
  529. $this->session_clear();
  530. $this->delete_cookie();
  531. }
  532. }
  533. debug_trace();
  534.  
  535. // Return session id, or else 'false'..
  536. return $this->session_id;
  537. } // recover
  538. // .....................................................................
  539. /**
  540. * Set the session cookie.
  541. * @param string $content The content of the cookie
  542. * @param integer $expires The Unix time() value for expiry datetime of the cookie
  543. */
  544. function set_cookie($content, $expires=false) {
  545. global $RESPONSE;
  546. global $_SERVER;
  547. if (!isset($RESPONSE)
  548. || $RESPONSE->browser_type == BROWSER_TYPE_HTML
  549. || $RESPONSE->browser_type == BROWSER_TYPE_XHTML
  550. ) {
  551. if ($expires === false) {
  552. if ($this->lifetime == SESS_BROWSER_LIFETIME
  553. || ($this->guest_browser_lifetime && $this->userid == "guest")
  554. ) {
  555. // Cookie lasts for browser lifetime
  556. debugbr("cookie lifetime: browser", DBG_DEBUG);
  557. $expires = 0;
  558. }
  559. else {
  560. // Cookie lasts for given number of seconds..
  561. $expires = time() + $this->lifetime;
  562. debugbr("cookie lifetime: " . (($this->lifetime == SESS_FOREVER) ? "forever" : $this->lifetime) . " secs", DBG_DEBUG);
  563. }
  564. }
  565. if (isset($RESPONSE) && $RESPONSE->browser == BROWSER_NETSCAPE) {
  566. debugbr("Setting Netscape cookie ".$this->cookiename.": $content, $expires", DBG_DEBUG);
  567. setcookie($this->cookiename, $content, $expires);
  568. }
  569. else {
  570. if ($_SERVER["SERVER_ADDR"] == "127.0.0.1") {
  571. debugbr("Server running on localhost - setting cookie ".$this->cookiename.": $content, $expires, /", DBG_DEBUG);
  572. setcookie($this->cookiename, $content, $expires, "/");
  573. }
  574. else {
  575. debugbr("Setting cookie ".$this->cookiename.": $content, $expires, /, ".$this->http_host, DBG_DEBUG);
  576. setcookie($this->cookiename, $content, $expires, "/", $this->http_host);
  577. }
  578. }
  579. }
  580. } // set_cookie
  581. // .....................................................................
  582. /**
  583. * Delete session cookie
  584. * Deletes the session cookie from the user's browser.
  585. */
  586. function delete_cookie() {
  587. global $RESPONSE;
  588. debugbr("Expiring cookie ".$this->cookiename, DBG_DEBUG);
  589. if (!isset($RESPONSE)
  590. || $RESPONSE->browser_type == BROWSER_TYPE_HTML
  591. || $RESPONSE->browser_type == BROWSER_TYPE_XHTML
  592. ) {
  593. if (isset($RESPONSE) && $RESPONSE->browser == BROWSER_NETSCAPE) {
  594. setcookie($this->cookiename, "", time() - SESS_1_HOUR);
  595. }
  596. else {
  597. setcookie($this->cookiename, "", time() - SESS_1_HOUR, "/", $this->http_host);
  598. }
  599. }
  600. } // delete_cookie
  601. // ...................................................................
  602. /**
  603. * Set session database backing type
  604. * The database backing 'type' can be either SESS_DATABASE_BACKED, or
  605. * SESS_STANDALONE.
  606. * @param bool $type Session type
  607. */
  608. function set_sessiontype($type=SESS_DATABASE_BACKED) {
  609. $this->db_backed = $type;
  610. } // set_sessiontype
  611. // ...................................................................
  612. /**
  613. * Set session lifetime
  614. * Set the session cookie lifetime in seconds.
  615. * @param integer $secs Seconds lifetime for the session cookie
  616. */
  617. function set_lifetime($secs=SESS_1_DAY) {
  618. $this->lifetime = $secs;
  619. } // set_lifetime
  620. // ...................................................................
  621. /**
  622. * Set session cookie name
  623. * @param string $name Cookie name to use for session ID
  624. */
  625. function set_cookiename($name="session_id") {
  626. $this->cookiename = $name;
  627. } // set_cookiename
  628. // ...................................................................
  629. /**
  630. * Set session guest browser lifetime flag
  631. * If set True this causes the cookie lifetime to be forced to the
  632. * browser lifetime if the user is 'guest'.
  633. * @param bool $guest_browser_lifetime True if guest cookie limited to browser lifetime
  634. */
  635. function set_guest_browser_lifetime($guest_browser_lifetime=false) {
  636. $this->guest_browser_lifetime = $guest_browser_lifetime;
  637. } // set_guest_browser_lifetime
  638. // ...................................................................
  639. /**
  640. * Set session track logins flag
  641. * If set True this causes the session logins for this site to be tracked for
  642. * each user. This amounts to an extra DB update of a login count field.
  643. * @param bool $session_track_logins True if we should track all user logins
  644. */
  645. function set_session_track_logins($session_track_logins=false) {
  646. $this->session_track_logins = $session_track_logins;
  647. } // session_track_logins
  648. // .....................................................................
  649. /**
  650. * Create new session
  651. * Make a brand new session for the user.
  652. * @param integer $logintype Type of login for this session
  653. */
  654. function session_create($logintype=LOGIN_BY_PASSWD) {
  655. debug_trace($this);
  656.  
  657. // Check for any excess sessions first..
  658. $this->check_excess_sessions();
  659.  
  660. // Get next session key, and create session..
  661.  
  662. // Generate a unique session handle..
  663. $this->session_id = md5(uniqid(rand(),1));
  664.  
  665. // Initialise the login detail..
  666. $this->login_type = $logintype;
  667. $this->last_logintime = time();
  668. // If we are tracking logins, and it's a real user, then we set the
  669. // login datetime far enough back for the track_logins() method to act..
  670. if ($this->session_track_logins && $this->login_type != LOGIN_BY_GUEST) {
  671. $this->last_logintime -= SESS_FOREVER;
  672. }
  673. // Create the new session..
  674. $ugroups = "";
  675. if (isset($this->user_groups)) {
  676. $ugroups = implode("|", $this->user_groups);
  677. }
  678. $wwwQ = new dbinsert("ax_wwwsession");
  679. $wwwQ->set("session_id", $this->session_id);
  680. $wwwQ->set("user_id", $this->userid);
  681. $wwwQ->set("user_groups", $ugroups);
  682. $wwwQ->set("login_type", $logintype);
  683. $wwwQ->set("login_datetime", timestamp_to_datetime($this->last_logintime));
  684.  
  685. // Create the record..
  686. $wwwQ->execute();
  687.  
  688. // Track logins for this user..
  689. $this->track_logins();
  690.  
  691. // Everything went Ok, so set the cookie for next time..
  692. if ($this->browser_type == BROWSER_TYPE_HTML || $this->browser_type == BROWSER_TYPE_XHTML) {
  693. // Set client session cookie, with appropriate lifetime..
  694. $this->set_cookie($this->session_id);
  695. }
  696.  
  697. debug_trace();
  698.  
  699. // Return session id, or else 'false'..
  700. return $this->session_id;
  701. } // session_create
  702. // .....................................................................
  703. /**
  704. * Delete the session
  705. * Delete the current session from the system.
  706. */
  707. function session_delete() {
  708. debug_trace($this);
  709. if ($this->session_id) {
  710. dbcommand("DELETE FROM ax_wwwsession WHERE session_id='$this->session_id'");
  711. $this->session_clear();
  712. }
  713. debug_trace();
  714. } // session_delete
  715. // .....................................................................
  716. /**
  717. * Clear session vars
  718. * Common method for clearing out the current session info
  719. * from the object variables.
  720. */
  721. function session_clear() {
  722. $this->session_id = false;
  723. if (isset($this->session_record)) {
  724. unset($this->session_record);
  725. }
  726. $this->last_logintime = 0;
  727. $this->error_message = "";
  728. } // session_clear
  729. // .....................................................................
  730. /**
  731. * Is session valid
  732. * Return validity status. If there is a session ID and a valid user
  733. * then the whole session is deemed valid, otherwise not.
  734. * @return bool True if this session is valid
  735. */
  736. function session_valid() {
  737. return ($this->valid && $this->session_id);
  738. } // session_valid
  739.  
  740. } // session class
  741. // -----------------------------------------------------------------------
  742.  
  743. ?>

Documentation generated by phpDocumentor 1.3.0RC3