Source for file session-defs.php

Documentation is available at session-defs.php

  1. <?php
  2. /* ******************************************************************** */
  3. /* CATALYST PHP Source Code */
  4. /* -------------------------------------------------------------------- */
  5. /* This program is free software; you can redistribute it and/or modify */
  6. /* it under the terms of the GNU General Public License as published by */
  7. /* the Free Software Foundation; either version 2 of the License, or */
  8. /* (at your option) any later version. */
  9. /* */
  10. /* This program is distributed in the hope that it will be useful, */
  11. /* but WITHOUT ANY WARRANTY; without even the implied warranty of */
  12. /* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
  13. /* GNU General Public License for more details. */
  14. /* */
  15. /* You should have received a copy of the GNU General Public License */
  16. /* along with this program; if not, write to: */
  17. /* The Free Software Foundation, Inc., 59 Temple Place, Suite 330, */
  18. /* Boston, MA 02111-1307 USA */
  19. /* -------------------------------------------------------------------- */
  20. /* */
  21. /* Filename: session-defs.php */
  22. /* Author: Paul Waite */
  23. /* Description: Definitions for managing SESSIONS. */
  24. /* We regard the session as a generic thing which will be */
  25. /* constant in functionality and data across any */
  26. /* application we might write. It deals only with the */
  27. /* the basics of user identity, group membership and */
  28. /* maintaining this across multiple page accesses within */
  29. /* the website. For context variables which will differ */
  30. /* from application to application, see context-defs.php. */
  31. /* */
  32. /* ******************************************************************** */
  33. /** @package core */// SESSION DATABASE OPTIONS
  34. // The user session can be backed by a database, or not. This allows
  35. // simple code-only websites to be implemented, where there is no
  36. // need to track users, sessions and other data.
  37.  
  38. /** Session is backed by a database connection */
  39. ("SESS_DATABASE_BACKED", true );
  40. /** Session is standalone, no database */
  41. ("SESS_STANDALONE", false );
  42.  
  43. // -----------------------------------------------------------------------
  44. // SESSION LIFETIMES
  45. // This value is the number of seconds that you wish a session cookie
  46. // lifetime to be, before it is deemed to have expired. Common choices
  47. // are provided as defines, otherwise use your own value.
  48.  
  49. /** Session lasts forever.. well, 10 years is near enough. */
  50. ("SESS_FOREVER", SECS_10_YEARS);
  51. /** Session lasts for 1 year */
  52. ("SESS_1_YEAR", SECS_1_YEAR);
  53. /** Session lasts for 1 month */
  54. ("SESS_1_MONTH", SECS_1_MONTH);
  55. /** Session lasts for 1 week */
  56. ("SESS_1_WEEK", SECS_1_WEEK);
  57. /** Session lasts for 24 hours */
  58. ("SESS_1_DAY", SECS_1_DAY);
  59. /** Session lasts for 12 hours */
  60. ("SESS_12_HOURS", SECS_12_HOURS);
  61. /** Session lasts for 8 hours */
  62. ("SESS_8_HOURS", SECS_8_HOURS);
  63. /** Session lasts for 4 hours */
  64. ("SESS_4_HOURS", SECS_4_HOURS);
  65. /** Session lasts for 1 hour */
  66. ("SESS_1_HOUR", SECS_1_HOUR);
  67. /** Session lasts for 20 minutes */
  68. ("SESS_20_MINS", SECS_20_MINS);
  69. /** Session lasts as long as user browser is open */
  70. ("SESS_BROWSER_LIFETIME", -1);
  71. /** Session has no lifetime, immediate expiry */
  72. ("SESS_ZERO_LIFETIME", 0);
  73.  
  74. // -----------------------------------------------------------------------
  75. // SESSION LOGIN LIMIT ACTION
  76. // Possibilities for handling a login limit which has been exceeded.
  77.  
  78. /** Login limit exceeded: Allow, assume app. takes action */
  79. ("SESS_ALLOW", 0);
  80. /** Login limit exceeded: Allow session, cull oldest */
  81. ("SESS_ALLOW_CULL", 1);
  82. /** Login limit exceeded: Block session, nice message */
  83. ("SESS_BLOCK_MSG", 2);
  84. /** Login limit exceeded: Block session, no message */
  85. ("SESS_BLOCK_SILENT", 3);
  86. /** Login limit exceeded: Block session, redirect to URL */
  87. ("SESS_BLOCK_REDIRECT", 4);
  88. /** Login limit exceeded: Block session, login as guest instead */
  89. ("SESS_BLOCK_GUEST", 5);
  90.  
  91. // -----------------------------------------------------------------------
  92. // SESSION LOGIN TYPE CODES
  93. // This flags the way the user originally logged in.
  94.  
  95. /** No known login has been achieved */
  96. ("LOGIN_UNKNOWN", 0);
  97. /** Login by using guest account */
  98. ("LOGIN_BY_GUEST", 1);
  99. /** Login by remote IP address match */
  100. ("LOGIN_BY_IP", 2);
  101. /** Login by standard username/password */
  102. ("LOGIN_BY_PASSWD", 3);
  103. /** Login by using authorisation code (MD5 string usually) */
  104. ("LOGIN_BY_AUTHCODE", 4);
  105.  
  106. // -----------------------------------------------------------------------
  107. /**
  108. * THE SESSION CLASS
  109. * A class to manage user sessions. A session is simply a thing which
  110. * contains information about a user who has logged on to the system,
  111. * so in fact the session is just an extension of a user.
  112. * To access the system a user must either create a new session, or
  113. * recover an existing session. A new session is created if the user
  114. * provides login details: userid/password or unique $authid (MD5).
  115. * An existing session may be 'recovered' if the login details are
  116. * absent, and if a cookie is sent containing a valid session key.
  117. * @package core
  118. */
  119. class session extends user {
  120. /** The ID of this session */
  121.  
  122. var $session_id = false;
  123. /** The type of this session */
  124.  
  125. var $db_backed = SESS_DATABASE_BACKED;
  126. /** The session record complete */
  127.  
  128. var $session_record;
  129. /** The session lifetime, in seconds */
  130.  
  131. var $lifetime = 0;
  132. /** True if we should limit 'guest' to browser lifetime */
  133.  
  134. var $guest_browser_lifetime = false;
  135. /** The session cookie name */
  136.  
  137. var $cookiename = "";
  138. /** Time of last login (Unix timestamp) */
  139.  
  140. var $last_logintime = 0;
  141. /** Error condition message if any */
  142.  
  143. var $error_message = "";
  144. /** Option to take on logins exceeded for user */
  145.  
  146. var $logins_exceeded_option = SESS_ALLOW_CULL;
  147. /** Custom message to deliver when blocking */
  148.  
  149. var $logins_exceeded_msg = "";
  150. /** URL to redirect to on logins exceeded */
  151.  
  152. var $logins_exceeded_redirect = "";
  153. /** Login type for this session */
  154.  
  155. var $login_type = LOGIN_BY_PASSWD;
  156. // .....................................................................
  157. /**
  158. * Constructor
  159. * Create a new session.
  160. * Initial creation of the session object does nothing.
  161. * The activate() method sets it up, when called.
  162. */
  163. function session() {
  164. $this->session_clear();
  165. } // session
  166. // .....................................................................
  167. /**
  168. * Retrieve the session cookie
  169. * This function looks for the cookie which is appropriate to the
  170. * current application, and returns the session ID if the cookie
  171. * was submitted. Returns false otherwise..
  172. * @return mixed The session ID as a string, or false
  173. * @access private
  174. */
  175. function get_session_cookie() {
  176. $session_id = false;
  177. $cookiename = $this->cookiename;
  178. global $$cookiename;
  179. if (isset($$cookiename)) {
  180. $session_id = $$cookiename;
  181. }
  182. return $session_id;
  183. } // get_session_cookie
  184. // .....................................................................
  185. /**
  186. * Identify the user/client
  187. * Here is where we activate our session. This involves searching
  188. * for the cookie, username/password sequence, or authorisation
  189. * code which will allow us to identify the requester and create
  190. * the proper session for them to access the website..
  191. * @return bool True if we succeeded in identifying the user, else false
  192. */
  193. function identify_user() {
  194. // Access to the vars..
  195. global $tbxUsername, $user; // Userid textbox fieldname submitted from a form
  196. global $tbxPassword, $pass; // Password textbox fieldname submitted from a form
  197. global $tbxLogoff; // Logoff hidden field sent from a form
  198. global $authid; // Authorisation code (MD5) from form or URL
  199. global $REMOTE_ADDR; // IP address of remote browser/client
  200.  
  201. // Map alternative fieldnames onto standard ones..
  202. if (isset($user) && !isset($tbxUsername)) $tbxUsername = $user;
  203. if (isset($pass) && !isset($tbxPassword)) $tbxPassword = $pass;
  204.  
  205. // Initialise some variables..
  206. $this->session_clear();
  207.  
  208. // If no database we are not tracking sessions..
  209. if (!$this->db_backed) return true;
  210.  
  211. // Turn tracing on..
  212. debug_trace($this);
  213.  
  214. // SUBMITTED COOKIE
  215. // Gather in any submitted cookie..
  216. $session_id = $this->get_session_cookie();
  217.  
  218. // LOGIN via SUBMITTED AUTHORISATION
  219. // Now we check for login/logoff action. Clear out any session id
  220. // if they have submitted a login, or an authorisation code..
  221. if (((isset($tbxUsername) && $tbxUsername != "") && (isset($tbxPassword) && $tbxPassword != ""))
  222. || (isset($authid))
  223. ) {
  224. // Clear any existing session..
  225. debugbr("authorisation detected, clearing session");
  226. $session_id = false;
  227. $this->session_clear();
  228. }
  229.  
  230. // EXISTING SESSION RECOVERY
  231. // If we still have a session id, then we try recovery..
  232. if ($session_id) {
  233. debugbr("session id detected.");
  234. if ($this->recover($session_id)) {
  235. // Check if they want to logoff..
  236. debugbr("recovered session: '$this->session_id'");
  237. if (isset($tbxLogoff) && $tbxLogoff == "Logoff") {
  238. debugbr("logging off, deleting session");
  239. $this->session_delete();
  240. }
  241. else {
  242. // Special case: where recovered session is a GUEST session. In
  243. // this case we check for a possible IP login, so that these
  244. // users don't get marooned in a guest login session..
  245. if ($this->login_type == LOGIN_BY_GUEST) {
  246. debugbr("guest recovered: checking for IP authentication..");
  247. $login_type = $this->authenticate_ipaddress($REMOTE_ADDR);
  248. if ($login_type != LOGIN_UNKNOWN) {
  249. $this->session_create($login_type);
  250. }
  251. else {
  252. // Keep the original guest authentication..
  253. debugbr("falling back to guest");
  254. $this->valid = true;
  255. $this->authenticated = true;
  256. }
  257. }
  258. }
  259. }
  260. } // existing session
  261.  
  262. // NEW SESSION CREATION
  263. // If no real session id exists at this point then check
  264. // for a username and password or an authorisation code
  265. // and log them in..
  266. if (!$this->session_id) {
  267. $authenticated = false;
  268. debugbr("no session, looking to create new one");
  269.  
  270. // AUTH CODE AUTHENTICATION..
  271. if (!$authenticated && isset($authid)) {
  272. debugbr("trying authid authentication..");
  273. $login_type = $this->authenticate_authid($authid);
  274. if ($login_type != LOGIN_UNKNOWN) {
  275. $this->session_create($login_type);
  276. $authenticated = true;
  277. }
  278. }
  279.  
  280. // IP ADDRESS AUTHENTICATION..
  281. if (!$authenticated && !isset($tbxUsername)) {
  282. debugbr("trying IP authentication..");
  283. $login_type = $this->authenticate_ipaddress($REMOTE_ADDR);
  284. if ($login_type != LOGIN_UNKNOWN) {
  285. $this->session_create($login_type);
  286. $authenticated = true;
  287. }
  288. }
  289.  
  290. // USERNAME/PASSWORD AUTHENTICATION..
  291. // Login with userid/password. If none provided then we default
  292. // them to 'guest'. For websites which are subscriber-only we
  293. // expect the application code to handle it.
  294. if (!$authenticated) {
  295. // Default to guest, if no login supplied..
  296. if (!isset($tbxUsername)) {
  297. debugbr("username not set, falling back to guest");
  298. $tbxUsername = "guest";
  299. }
  300. if (!isset($tbxPassword)) $tbxPassword = "";
  301. $tbxUsername = trim($tbxUsername);
  302.  
  303. debugbr("user=$tbxUsername, passwd=$tbxPassword");
  304.  
  305. // Authenticate the login attempt. If successful, this
  306. // populates the user and usergroups information..
  307. $login_type = $this->authenticate_userid($tbxUsername, $tbxPassword);
  308. if ($login_type != LOGIN_UNKNOWN) {
  309. $authenticated = true;
  310. $this->session_create($login_type);
  311. }
  312. }
  313. } // new session
  314.  
  315. // Return status..
  316. if (debugging() && $this->session_valid()) {
  317. debug("session type: ");
  318. switch ($this->login_type) {
  319. case LOGIN_BY_GUEST:
  320. debugbr("guest");
  321. break;
  322. case LOGIN_BY_IP:
  323. debugbr("authorised by IP address");
  324. break;
  325. case LOGIN_BY_PASSWD:
  326. debugbr("authorised by userid/password");
  327. break;
  328. case LOGIN_BY_AUTHCODE:
  329. debugbr("authorised by auth code");
  330. break;
  331. default:
  332. debugbr("unknown");
  333. } // switch
  334. }
  335. return $this->session_valid();
  336.  
  337. debug_trace();
  338. } // identify_user
  339. // .....................................................................
  340. /**
  341. * Setup session parameters
  342. * Here is where we set up our session to suit..
  343. * @access private
  344. */
  345. function set_sessionparms() {
  346. global $RESPONSE;
  347. debug_trace($this);
  348. $RESPONSE->datasource->set_datestyle("ISO");
  349. $RESPONSE->datasource->set_char_encoding("UTF-8");
  350. debug_trace();
  351. } // set_sessionparms
  352. // ....................................................................
  353. /**
  354. * Check if we should bump our login count.
  355. * @access private
  356. */
  357. function track_logins() {
  358. if ($this->login_type != LOGIN_BY_GUEST) {
  359. debug_trace($this);
  360. // Timestamp of now...
  361. $tinow = time();
  362. $dtnow = timestamp_to_datetime($tinow);
  363.  
  364. // Now check last login time. If the current time is more
  365. // than 4 hours later, then we increment the login count.
  366. if ( $tinow > ($this->last_logintime + SESS_4_HOURS) ) {
  367. if ($this->valid) {
  368. // Update the user record..
  369. $uQ = new dbupdate("ax_user");
  370. $uQ->set("total_logins", ($this->total_logins + 1));
  371. $uQ->set("last_login", $dtnow);
  372. $uQ->where("user_id='" . addslashes($this->userid) . "'");
  373. $uQ->execute();
  374.  
  375. // Update the session record..
  376. $uQ = new dbupdate("ax_wwwsession");
  377. $uQ->set("login_datetime", $dtnow);
  378. $uQ->where("session_id='$this->session_id'");
  379. $uQ->execute();
  380.  
  381. // Set the resident var..
  382. $this->last_logintime = $tinow;
  383. }
  384. }
  385. debug_trace();
  386. }
  387. } // track_logins
  388. // ...................................................................
  389. /**
  390. * Set logins exceeded action
  391. * This sets the action for when the number of logins for a given
  392. * user of the system exceeds a maximum, if specified. The options
  393. * for the action to take are:
  394. * SESS_ALLOW Allow, assume app. will take action
  395. * SESS_ALLOW_CULL Allow session, cull oldest
  396. * SESS_BLOCK_MSG Block session, nice message
  397. * SESS_BLOCK_SILENT Block session, no message
  398. * SESS_BLOCK_REDIRECT Block session, redirect to URL
  399. * SESS_BLOCK_GUEST Block session, login as guest instead
  400. */
  401. function on_logins_exceeded($option=SESS_ALLOW_CULL, $parm="") {
  402. $this->logins_exceeded_option = $option;
  403. switch ($option) {
  404. case SESS_BLOCK_REDIRECT:
  405. $this->logins_exceeded_redirect = $parm;
  406. break;
  407. case SESS_BLOCK_MSG:
  408. $this->logins_exceeded_msg = $parm;
  409. break;
  410. } // switch
  411. } // on_logins_exceeded
  412. // ....................................................................
  413. /**
  414. * Check for any excess sessions over and above the number which are
  415. * allowed for this user. We may cull oldest sessions first, or take
  416. * other actions as specified in the $RESPONSE.
  417. * @access private
  418. */
  419. function check_excess_sessions() {
  420. global $RESPONSE;
  421. debug_trace($this);
  422. // Check for multiple login limit restriction..
  423. if ($this->limit_logins > 0) {
  424. debugbr("checking login limit of $this->limit_logins.");
  425. $q = "SELECT session_id";
  426. $q .= " FROM ax_wwwsession";
  427. $q .= " WHERE user_id='" . addslashes($this->userid) . "'";
  428. $q .= " ORDER BY login_datetime";
  429. $loginQ = dbrecordset($q);
  430. // We do +1 to take account of the login we will be
  431. // adding as part of this process shortly..
  432. $excesslogins = 1 + $loginQ->rowcount - $this->limit_logins;
  433. if ($excesslogins > 0) {
  434. debugbr("oops: " . ($loginQ->rowcount) . " logins already; $excesslogins too many.");
  435. switch ($this->logins_exceeded_option) {
  436. case SESS_ALLOW:
  437. // Do nothing. This is for when the developer
  438. // wants to handle it at application level..
  439. break;
  440. case SESS_ALLOW_CULL:
  441. // Delete the number we need, starting with the oldest..
  442. for ($ix=0; $ix < $excesslogins; $ix++) {
  443. $sessid = $loginQ->field("session_id");
  444. dbcommand("DELETE FROM ax_wwwsession WHERE session_id='$sessid'");
  445. $loginQ->get_next();
  446. } // for
  447. error_log(APP_NAME . ": User '$this->userid' excess logins($excesslogins) triggered a session cull.", 0);
  448. break;
  449. case SESS_BLOCK_MSG:
  450. // Stop the process dead, with nice message in the browser..
  451. if ($RESPONSE->browser_type == BROWSER_HTML || $RESPONSE->browser_type == BROWSER_XHTML) {
  452. $msg = $RESPONSE->logins_exceeded_msg;
  453. if ($msg == "") {
  454. $msg = "<h2>". APP_NAME . " Login Count Exceeded</h2>\n";
  455. $msg .= "<p>You have exceeded your login count. If you closed your browser ";
  456. $msg .= "on another computer, and you are trying to login somewhere else ";
  457. $msg .= "you will have to log off the first machine before you can do so ";
  458. $msg .= "due to the login restrictions on your account.</p>";
  459. $msg .= "<p>Sorry for any inconvenience.</p>";
  460. }
  461. die("<html><body>\n" . $msg . "</body></html>\n");
  462. }
  463. else {
  464. die();
  465. }
  466. break;
  467. case SESS_BLOCK_SILENT:
  468. // Stop the process dead, no message, no nuthin'
  469. // and lucky to get that!
  470. die();
  471. break;
  472. case SESS_BLOCK_REDIRECT:
  473. // Redirect to a given page instead of logging in..
  474. header("Location: $this->logins_exceeded_redirect");
  475. break;
  476. case SESS_BLOCK_GUEST:
  477. // Let them log in, but as a guest instead..
  478. if (!($this->user("guest") && $this->enabled)) {
  479. $this->crash(500);
  480. }
  481. break;
  482.  
  483. } // switch
  484. }
  485. else {
  486. debugbr("no excess logins.");
  487. }
  488. }
  489. debug_trace();
  490. } // check_excess_sessions
  491. // .....................................................................
  492. /** Recover session
  493. * Recover an existing session. This will obliterate any pre-existing
  494. * session information in this object, since we expect it to succeed..
  495. * @return mixed Session ID or else false
  496. */
  497. function recover($session_id) {
  498. debug_trace($this);
  499. $this->session_clear();
  500. if (!empty($session_id)) {
  501. $session = dbrecordset("SELECT * FROM ax_wwwsession WHERE session_id='$session_id'");
  502. if ($session->hasdata) {
  503. // Find user record and check enabled..
  504. $this->user($session->field("user_id"));
  505. if ($this->enabled) {
  506. $this->session_id = $session_id;
  507. $this->userid = $session->field("user_id");
  508. $this->session_record = $session->current_row;
  509. $this->login_type = $session->field("login_type");
  510. $this->last_logintime = datetime_to_timestamp($session->field("login_datetime"));
  511. // This writes login total to the uuser record, and
  512. // login datetime to the wwwsession record..
  513. $this->track_logins();
  514. // This sets the database session environment up..
  515. $this->set_sessionparms();
  516. debugbr("found session record.");
  517. }
  518. else {
  519. debugbr("session rejected: user '" . $session->field("user_id") . "' no longer enabled");
  520. $this->valid = false;
  521. }
  522. }
  523. else {
  524. // Invalidate session and clear cookie..
  525. debugbr("no valid session record found: clearing session data and cookie.");
  526. $this->session_clear();
  527. $this->delete_cookie();
  528. }
  529. }
  530. debug_trace();
  531.  
  532. // Return session id, or else 'false'..
  533. return $this->session_id;
  534. } // recover
  535. // .....................................................................
  536. /**
  537. * Set the session cookie.
  538. * @param string $content The content of the cookie
  539. * @param integer $expires The Unix time() value for expiry datetime of the cookie
  540. */
  541. function set_cookie($content, $expires=false) {
  542. global $RESPONSE;
  543. global $_SERVER;
  544. if (!isset($RESPONSE)
  545. || $RESPONSE->browser_type == BROWSER_TYPE_HTML
  546. || $RESPONSE->browser_type == BROWSER_TYPE_XHTML
  547. ) {
  548. if (!$expires) {
  549. if ($this->lifetime == SESS_BROWSER_LIFETIME
  550. || ($this->guest_browser_lifetime && $this->userid == "guest")
  551. ) {
  552. // Cookie lasts for browser lifetime
  553. debugbr("cookie lifetime: browser");
  554. $expires = 0;
  555. }
  556. else {
  557. // Cookie lasts for given number of seconds..
  558. $expires = time() + $this->lifetime;
  559. debugbr("cookie lifetime: $this->lifetime secs");
  560. }
  561. }
  562. if (isset($RESPONSE) && $RESPONSE->browser == BROWSER_NETSCAPE) {
  563. debugbr("Setting Netscape cookie ".$this->cookiename.": $content, $expires");
  564. setcookie($this->cookiename, $content, $expires);
  565. }
  566. else {
  567. if ($_SERVER["SERVER_ADDR"] == "127.0.0.1") {
  568. debugbr("Server running on localhost - setting cookie ".$this->cookiename.": $content, $expires, /");
  569. setcookie($this->cookiename, $content, $expires, "/");
  570. }
  571. else {
  572. debugbr("Setting cookie ".$this->cookiename.": $content, $expires, /, ".$this->http_host);
  573. setcookie($this->cookiename, $content, $expires, "/", $this->http_host);
  574. }
  575. }
  576. }
  577. } // set_cookie
  578. // .....................................................................
  579. /**
  580. * Delete session cookie
  581. * Deletes the session cookie from the user's browser.
  582. */
  583. function delete_cookie() {
  584. global $RESPONSE;
  585. debugbr("Expiring cookie ".$this->cookiename);
  586. if (!isset($RESPONSE)
  587. || $RESPONSE->browser_type == BROWSER_TYPE_HTML
  588. || $RESPONSE->browser_type == BROWSER_TYPE_XHTML
  589. ) {
  590. if (isset($RESPONSE) && $RESPONSE->browser == BROWSER_NETSCAPE) {
  591. setcookie($this->cookiename, "", time() - SESS_1_HOUR);
  592. }
  593. else {
  594. setcookie($this->cookiename, "", time() - SESS_1_HOUR, "/", $this->http_host);
  595. }
  596. }
  597. } // delete_cookie
  598. // ...................................................................
  599. /**
  600. * Set session database backing type
  601. * The database backing 'type' can be either SESS_DATABASE_BACKED, or
  602. * SESS_STANDALONE.
  603. * @param bool $type Session type
  604. */
  605. function set_sessiontype($type=SESS_DATABASE_BACKED) {
  606. $this->db_backed = $type;
  607. } // set_sessiontype
  608. // ...................................................................
  609. /**
  610. * Set session lifetime
  611. * Set the session cookie lifetime in seconds.
  612. * @param integer $secs Seconds lifetime for the session cookie
  613. */
  614. function set_lifetime($secs=SESS_1_DAY) {
  615. $this->lifetime = $secs;
  616. } // set_lifetime
  617. // ...................................................................
  618. /**
  619. * Set session cookie name
  620. * @param string $name Cookie name to use for session ID
  621. */
  622. function set_cookiename($name="session_id") {
  623. $this->cookiename = $name;
  624. } // set_cookiename
  625. // ...................................................................
  626. /**
  627. * Set session guest browser lifetime flag
  628. * If set True this causes the cookie lifetime to be forced to the
  629. * browser lifetime if the user is 'guest'.
  630. * @param bool $guest_browser_lifetime True if guest cookie limited to browser lifetime
  631. */
  632. function set_guest_browser_lifetime($guest_browser_lifetime=false) {
  633. $this->guest_browser_lifetime = $guest_browser_lifetime;
  634. } // set_guest_browser_lifetime
  635. // .....................................................................
  636. /**
  637. * Create new session
  638. * Make a brand new session for the user.
  639. * @param integer $logintype Type of login for this session
  640. */
  641. function session_create($logintype=LOGIN_BY_PASSWD) {
  642. debug_trace($this);
  643.  
  644. // Check for any excess sessions first..
  645. $this->check_excess_sessions();
  646.  
  647. // Get next session key, and create session..
  648. $this->set_sessionparms();
  649.  
  650. // Generate a unique session handle..
  651. $this->session_id = md5(uniqid(rand(),1));
  652.  
  653. // Initialise the login detail..
  654. $this->login_type = $logintype;
  655. $this->last_logintime = time() - SESS_FOREVER;
  656.  
  657. // Create the new session..
  658. $ugroups = "";
  659. if (isset($this->user_groups)) {
  660. $ugroups = implode("|", $this->user_groups);
  661. }
  662. $wwwQ = new dbinsert("ax_wwwsession");
  663. $wwwQ->set("session_id", $this->session_id);
  664. $wwwQ->set("user_id", $this->userid);
  665. $wwwQ->set("user_groups", $ugroups);
  666. $wwwQ->set("login_type", $logintype);
  667.  
  668. // Non-guests get initial login datetime set very early so
  669. // that track_logins() will increment the login counter. Guests
  670. // will always get the database default of 'now'..
  671. if ($this->login_type != LOGIN_BY_GUEST) {
  672. $wwwQ->set("login_datetime", timestamp_to_datetime($this->last_logintime));
  673. }
  674.  
  675. // Create the record..
  676. $wwwQ->execute();
  677.  
  678. // Track logins for this user..
  679. $this->track_logins();
  680.  
  681. // Everything went Ok, so set the cookie for next time..
  682. if ($this->browser_type == BROWSER_TYPE_HTML || $this->browser_type == BROWSER_TYPE_XHTML) {
  683. // Set client session cookie, with appropriate lifetime..
  684. $this->set_cookie($this->session_id);
  685. }
  686.  
  687. debug_trace();
  688.  
  689. // Return session id, or else 'false'..
  690. return $this->session_id;
  691. } // session_create
  692. // .....................................................................
  693. /**
  694. * Delete the session
  695. * Delete the current session from the system.
  696. */
  697. function session_delete() {
  698. debug_trace($this);
  699. if ($this->session_id) {
  700. dbcommand("DELETE FROM ax_wwwsession WHERE session_id='$this->session_id'");
  701. $this->session_clear();
  702. }
  703. debug_trace();
  704. } // session_delete
  705. // .....................................................................
  706. /**
  707. * Clear session vars
  708. * Common method for clearing out the current session info
  709. * from the object variables.
  710. */
  711. function session_clear() {
  712. $this->session_id = false;
  713. if (isset($this->session_record)) {
  714. unset($this->session_record);
  715. }
  716. $this->last_logintime = 0;
  717. $this->error_message = "";
  718. } // session_clear
  719. // .....................................................................
  720. /**
  721. * Is session valid
  722. * Return validity status. If there is a session ID and a valid user
  723. * then the whole session is deemed valid, otherwise not.
  724. * @return bool True if this session is valid
  725. */
  726. function session_valid() {
  727. return ($this->valid && $this->session_id);
  728. } // session_valid
  729.  
  730. } // session class
  731. // -----------------------------------------------------------------------
  732.  
  733. ?>

Documentation generated by phpDocumentor 1.3.0RC3