[phpMP-CVS] CVS: phpMP/core sessions.php,NONE,1.1 main.php,1.11,1.12 user.php,1.3,1.4 session.php,1.
From: Brian R. <hei...@us...> - 2003-09-22 09:53:06
Update of /cvsroot/phpmp/phpMP/core
In directory sc8-pr-cvs1:/tmp/cvs-serv16164/core
Modified Files:
main.php user.php
Added Files:
sessions.php
Removed Files:
session.php
Log Message:
Drastic rewrite of session.php (now sessions.php). We'll see how it goes.
--- NEW FILE: sessions.php ---
<?php
/*
* phpMP - The PHP Modular Portal System
* Copyright (C) 2002-2003 Brian Rose and the phpMP group
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
* $Id: sessions.php,v 1.1 2003/09/22 09:52:28 heimidal Exp $
*
*/
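class Session
{
    // Set by sess_start(); sess_create() refuses to run until it is true.
    var $_started = false;
    // True once the request is tied to a non-anonymous user (form login,
    // auto-login cookie, or a resumed session row that belongs to a user).
    var $_logged_in = false;
    // Not read anywhere in this class; kept for subclasses that may use it.
    var $_session_exists = false;
    // 32-hex-char key of the row in DB_SESSIONS_TABLE; false until created/resumed.
    var $_sess_key = false;
    // Row for the current request: the users row after a login, the joined
    // users+sessions row after a resume, plus the session_* fields set on insert.
    // (Declared here so the base class no longer depends on the User subclass.)
    var $_data = array();
    // Dotted client IP as resolved by _sess_ip_encoded().
    var $ip = '';

    /**
     * @return void
     * @param create bool  when true, sess_create() runs after start-up
     * @desc Starts the session layer. If the login form was submitted
     *       (login_user and login_password in $_POST) the credentials are
     *       checked first; login_auto / login_invisible are checkboxes and so
     *       default to 0 when absent.
     */
    function sess_start($create = true)
    {
        if (!$this->_started)
        {
            if (isset($_POST['login_user']) && isset($_POST['login_password']))
            {
                $autologin = isset($_POST['login_auto']) ? $_POST['login_auto'] : 0;
                $invisible = isset($_POST['login_invisible']) ? $_POST['login_invisible'] : 0;
                $this->_sess_do_login($_POST['login_user'], $_POST['login_password'], $autologin, $invisible);
            }
            $this->_started = true;
        }

        if ($create)
        {
            $this->sess_create();
        }
    }

    /**
     * @return void
     * @desc Creates a new session row or resumes an existing one, refreshes
     *       its expiry when less than a third of session_length is left, sends
     *       the <cookie_name>_data cookie and sets the global $SID URL suffix.
     *       sess_start() must have been called first.
     */
    function sess_create()
    {
        global $DB, $Portal, $SID;

        if (!$this->_started)
        {
            // In the future, die with a trigger_error.
            die('Sessions must be started explicitly.');
        }

        $time     = time();
        $length   = (int) $Portal->cfg_get('session_length');
        $exp_time = $time + $length;
        $ip       = $this->_sess_ip_encoded();

        if ($this->_logged_in)
        {
            // _sess_do_login() already loaded the users row into _data.
            $user_id = $this->_data['user_id'];
        }
        else
        {
            $user_id = $this->_sess_identify_user();
        }

        ////////////////////////////////////////////
        // $user_id is now either a real user id
        // (logged in) or ANONYMOUS.
        ////////////////////////////////////////////
        if (empty($this->_sess_key))
        {
            $this->_sess_insert($user_id, $time, $exp_time, $ip);
        }
        else
        {
            $this->_sess_resume($time);
        }

        // Refresh the expiry only when less than 1/3 of session_length remains.
        // e.g. session_length=30: 7 minutes left -> updated, 11 left -> untouched.
        if (($this->_data['session_exp_time'] - $time) < ($length * .33333))
        {
            // The key is a string column, so it must be quoted.
            $sql = "UPDATE " . DB_SESSIONS_TABLE . " SET
                    session_exp_time=" . $exp_time . " WHERE
                    session_key='" . $this->_sess_key . "'";
            $DB->sql_query($sql);
            $this->_data['session_exp_time'] = $exp_time;
        }

        // NOTE(review): session_ip is stored but never compared on resume;
        // decide whether sessions should be bound to the client IP (lossy behind proxies).
        $cookie_data = urlencode($this->_data['session_user_id'] . ':' . $this->_sess_key);
        if ($this->_sess_set_cookie('_data', $cookie_data, $time + $length))
        {
            $SID = '?sid=';
        }
        else
        {
            // Headers already sent: propagate the key in the URL instead.
            $SID = '?sid=' . $this->_sess_key;
        }

        // Was $this->clean(), which Session does not define; sess_clean() is
        // the cleanup implemented in this class.
        $this->sess_clean();
    }

    /**
     * @return int  user id, or ANONYMOUS when nobody could be identified
     * @desc Establishes who the request belongs to when no login form was
     *       submitted: first the <cookie_name>_data cookie ("user_id:session_key"),
     *       else ?sid= from the URL, then the <cookie_name>_auto cookie
     *       ("user_id:password_hash:invisible_mode"). All of these are
     *       client-supplied, so ids are cast to int and keys/hashes must be
     *       32 hex characters before they are placed in SQL. Sets
     *       $this->_sess_key, $this->_logged_in and, on auto-login, $this->_data.
     */
    function _sess_identify_user()
    {
        global $DB, $Portal;

        $cookie_name = $Portal->cfg_get('cookie_name');
        $user_id = 0;

        if (!empty($_COOKIE[$cookie_name . '_data']))
        {
            $cookie_array = explode(':', urldecode($_COOKIE[$cookie_name . '_data']));
            if (isset($cookie_array[1]) && $this->_sess_is_hex32($cookie_array[1]))
            {
                $user_id = (int) $cookie_array[0];
                $this->_sess_key = $cookie_array[1];
            }
        }
        elseif (!empty($_GET['sid']) && $this->_sess_is_hex32($_GET['sid']))
        {
            // NOTE(review): a key in the query string ends up in logs and
            // referers; consider accepting it only when cookies are unavailable.
            $this->_sess_key = $_GET['sid'];
        }

        if ($user_id)
        {
            // The cookie id is only a hint; _sess_resume() derives the login
            // state from the session row, not from this value.
            return $user_id;
        }

        if (!empty($_COOKIE[$cookie_name . '_auto']))
        {
            $auto      = explode(':', urldecode($_COOKIE[$cookie_name . '_auto']));
            $auto_id   = isset($auto[0]) ? (int) $auto[0] : 0;
            $auto_hash = isset($auto[1]) ? $auto[1] : '';

            if ($auto_id > 0 && $this->_sess_is_hex32($auto_hash))
            {
                $sql = "SELECT * FROM " . DB_USERS_TABLE . "
                        WHERE user_id=" . $auto_id . "
                        AND password='" . $auto_hash . "'";
                $result = $DB->sql_query($sql);
                if ($DB->sql_num_rows($result))
                {
                    $this->_data = $DB->sql_fetch_row($result);
                    $this->_data['invisible_mode'] = isset($auto[2]) ? (int) $auto[2] : 0;
                    $this->_logged_in = true;
                    // Give the authenticated user a fresh session row rather
                    // than adopting a key that arrived in the URL.
                    $this->_sess_key = false;
                    return $auto_id;
                }
            }

            // Malformed or no-longer-valid auto-login cookie: drop it.
            $this->_sess_set_cookie('_auto', '', time() - 31536000);
        }

        $this->_logged_in = false;
        return ANONYMOUS;
    }

    /**
     * @return void
     * @param user_id int
     * @param time int       current timestamp
     * @param exp_time int   expiry timestamp
     * @param ip string      hex-encoded client IP
     * @desc Generates a fresh session key, inserts the session row and mirrors
     *       the inserted columns into $this->_data.
     */
    function _sess_insert($user_id, $time, $exp_time, $ip)
    {
        global $DB;

        // NOTE(review): uniqid()/microtime() are time-derived and guessable;
        // move to a CSPRNG source once the target PHP version offers one.
        $this->_sess_key = md5(uniqid(microtime(), 1));

        $sql = "INSERT INTO " . DB_SESSIONS_TABLE . "
                (session_key, session_user_id, session_start_time, session_exp_time, session_ip)
                VALUES('" . $this->_sess_key . "', " . (int) $user_id . ", " . $time . ", " . $exp_time . ", '" . $ip . "')";
        $DB->sql_query($sql);

        $this->_data['session_key']        = $this->_sess_key;
        $this->_data['session_user_id']    = $user_id;
        $this->_data['session_start_time'] = $time;      // was wrongly $exp_time
        $this->_data['session_exp_time']   = $exp_time;  // read by the refresh check
        $this->_data['session_ip']         = $ip;
    }

    /**
     * @return void
     * @param time int  current timestamp
     * @desc Loads the unexpired session row for $this->_sess_key joined with
     *       its user, and sets $this->_logged_in from the row's owner. Dies
     *       (after clearing the _data cookie) when no such row exists.
     *       _sess_key has already been validated as 32 hex characters.
     */
    function _sess_resume($time)
    {
        global $DB;

        $sql = "SELECT * FROM " . DB_USERS_TABLE . " u, " . DB_SESSIONS_TABLE . " s
                WHERE s.session_key='" . $this->_sess_key . "'
                AND s.session_exp_time>" . $time . "
                AND s.session_user_id=u.user_id
                LIMIT 1";
        $result = $DB->sql_query($sql);

        if (!$DB->sql_num_rows($result))
        {
            // Drop the stale cookie so the next request starts a new session
            // instead of hitting this error until the cookie expires.
            $this->_sess_set_cookie('_data', '', time() - 31536000);
            // Trigger invalid session error.
            die('Invalid session. Please try again.');
        }

        $this->_data = $DB->sql_fetch_row($result);
        // Trust the row, not the client-supplied user id, to decide login state.
        $this->_logged_in = ($this->_data['session_user_id'] != ANONYMOUS);
    }

    /**
     * @return void
     * @param username string
     * @param password string      plain text as submitted
     * @param autologin mixed      truthy to set the <cookie_name>_auto cookie
     * @param invisible_mode mixed
     * @desc Checks the credentials against DB_USERS_TABLE, loads the users row
     *       into $this->_data and optionally sets the one-year auto-login cookie.
     *       Dies when the credentials do not match.
     *       NOTE(review): passwords are compared as unsalted md5 and the
     *       auto-login cookie carries that hash; a stronger scheme needs a
     *       schema change (dedicated token column).
     */
    function _sess_do_login($username, $password, $autologin = 0, $invisible_mode = 0)
    {
        global $DB, $Portal;

        // addslashes() is the only escaping available through $DB here;
        // prefer the driver's own escaper if $DB exposes one.
        $username     = addslashes($username);
        $enc_password = md5($password);

        $sql = "SELECT * FROM " . DB_USERS_TABLE . "
                WHERE user_name='$username' AND password='$enc_password'";
        $result = $DB->sql_query($sql);

        if (!$DB->sql_num_rows($result))
        {
            // Trigger error concerning invalid username/password.
            // The following is temporary.
            die('Your username/password are incorrect.');
        }

        $this->_data = $DB->sql_fetch_row($result);
        $this->_logged_in = true;
        $this->_data['invisible_mode'] = (int) $invisible_mode;

        if ($autologin)
        {
            // $enc_password (not the undefined $passwd_enc) is what
            // _sess_identify_user() compares against the password column.
            $cookie_data = urlencode($this->_data['user_id'] . ':' . $enc_password . ':' . $this->_data['invisible_mode']);
            $this->_sess_set_cookie('_auto', $cookie_data, time() + 31536000);
        }
    }

    /**
     * @return string  8 hex characters, one byte per octet (see _sess_decode_ip)
     * @desc Resolves the client IP into $this->ip and returns it hex-encoded.
     *       HTTP_X_FORWARDED_FOR is honoured only when it starts with a dotted
     *       IPv4 address outside the private/reserved prefixes below; otherwise
     *       REMOTE_ADDR is used. Adapted from phpBB2.
     *       NOTE(review): X-Forwarded-For is client-supplied; it is only
     *       trustworthy when a proxy you control sets it.
     */
    function _sess_ip_encoded()
    {
        $this->ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';

        if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])
            && preg_match('#^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)#', $_SERVER['HTTP_X_FORWARDED_FOR'], $ip_list))
        {
            $private_ip = array('#^0\.#', '#^127\.0\.0\.1#', '#^192\.168\.#', '#^172\.16\.#', '#^10\.#', '#^224\.#', '#^240\.#');
            $is_private = false;
            foreach ($private_ip as $pattern)
            {
                if (preg_match($pattern, $ip_list[1]))
                {
                    $is_private = true;
                    break;
                }
            }
            // The old preg_replace() spliced REMOTE_ADDR into the forwarded
            // address; a private forwarded address now simply falls back to it.
            if (!$is_private)
            {
                $this->ip = $ip_list[1];
            }
        }

        return $this->_sess_encode_ip($this->ip);
    }

    /**
     * @return string
     * @param dotted_ip string
     * @desc Hex-encodes a dotted IPv4 address ("192.168.1.1" -> "c0a80101").
     *       Anything that is not four dot-separated parts is stored as 0.0.0.0.
     */
    function _sess_encode_ip($dotted_ip)
    {
        $octets = explode('.', $dotted_ip);
        if (count($octets) != 4)
        {
            return '00000000';
        }
        return sprintf('%02x%02x%02x%02x', (int) $octets[0], (int) $octets[1], (int) $octets[2], (int) $octets[3]);
    }

    /**
     * @return string
     * @param encoded_ip string
     * @desc Decodes a hexed IP ("c0a80101" -> "192.168.1.1"); missing pairs read as 0.
     *       Taken from phpBB2.
     */
    function _sess_decode_ip($encoded_ip)
    {
        $pairs  = explode('.', chunk_split($encoded_ip, 2, '.'));
        $octets = array();
        for ($i = 0; $i < 4; $i++)
        {
            $octets[] = isset($pairs[$i]) && $pairs[$i] !== '' ? hexdec($pairs[$i]) : 0;
        }
        return implode('.', $octets);
    }

    /**
     * @return bool
     * @param value mixed
     * @desc True when $value is a string of exactly 32 lowercase hex characters,
     *       the shape of session keys and md5 password hashes. Used as an
     *       allow-list before client-supplied values are interpolated into SQL.
     */
    function _sess_is_hex32($value)
    {
        return is_string($value) && preg_match('/^[0-9a-f]{32}$/', $value) === 1;
    }

    /**
     * @return bool  setcookie()'s result (false once headers were sent)
     * @param suffix string   appended to the configured cookie_name
     * @param value string
     * @param expires int
     * @desc Sends a cookie with the portal's configured path/domain/secure flags.
     */
    function _sess_set_cookie($suffix, $value, $expires)
    {
        global $Portal;

        return setcookie($Portal->cfg_get('cookie_name') . $suffix, $value, $expires,
            $Portal->cfg_get('cookie_path'), $Portal->cfg_get('cookie_domain'), $Portal->cfg_get('cookie_secure'));
    }

    /**
     * @return void
     * @param all bool  force the cleanup instead of leaving it to chance
     * @desc Deletes expired session rows with a 1:10 chance (was rand(0,10)<=1,
     *       which is 2 in 11). This may later become a setting.
     */
    function sess_clean($all = false)
    {
        global $DB;

        if ($all || rand(1, 10) == 1)
        {
            $DB->sql_query("DELETE FROM " . DB_SESSIONS_TABLE . " WHERE session_exp_time<" . time());
        }
    }
}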
?>
Index: main.php
===================================================================
RCS file: /cvsroot/phpmp/phpMP/core/main.php,v
retrieving revision 1.11
retrieving revision 1.12
diff -C2 -r1.11 -r1.12
*** main.php 15 Sep 2003 07:26:06 -0000 1.11
--- main.php 22 Sep 2003 09:52:28 -0000 1.12
***************
*** 99,109 ****
include_once(C_PHPMP_ROOT . CORE_DIR . 'functions.php');
include_once(C_PHPMP_ROOT . CORE_DIR . 'user.php');
$User = new User(); // Create an instance of User.
//create_vars();
-
- include_once(C_PHPMP_ROOT . CORE_DIR . 'session.php');
- $Session = new Session();
$Session->start();
--- 99,109 ----
include_once(C_PHPMP_ROOT . CORE_DIR . 'functions.php');
+ include_once(C_PHPMP_ROOT . CORE_DIR . 'sessions.php');
include_once(C_PHPMP_ROOT . CORE_DIR . 'user.php');
$User = new User(); // Create an instance of User.
+
+ $User->sess_start();
//create_vars();
$Session->start();
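Review bot: `$Session->start();` is still present on the new side as the hunk's last line, while the `$Session = new Session();` that defined it is removed, so this now calls a method on an undefined variable and will fatal on every page load. `$User->sess_start()` already starts (and creates) the session through `User extends Session`, so the line should simply be deleted. The include block this sits in continues outside the hunk.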
Index: user.php
===================================================================
RCS file: /cvsroot/phpmp/phpMP/core/user.php,v
retrieving revision 1.3
retrieving revision 1.4
diff -C2 -r1.3 -r1.4
*** user.php 15 Sep 2003 06:40:24 -0000 1.3
--- user.php 22 Sep 2003 09:52:28 -0000 1.4
***************
*** 23,27 ****
*/
! class User
{
--- 23,27 ----
*/
! class User extends Session
{
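Review bot: `class User extends Session` makes User the subclass, yet the new sessions.php writes `$this->_data` from the base class and its own comment says the property "exists in the User class", so the parent depends on state declared by its child and breaks as soon as Session is used on its own. Declaring `var $_data = array();` in Session (or giving User a Session it composes rather than inherits) keeps the base class self-contained. The class body continues outside the hunk.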
***************
*** 75,108 ****
}
- /**
- * @return void
- * @desc Fetches the user's IP in hex-encoded form.
- * Taken from phpBB2.
- */
- function get_ip_encoded()
- {
- $this->ip = $_SERVER['REMOTE_ADDR'];
-
- if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
- {
- if (preg_match('#^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)#', $_SERVER['HTTP_X_FORWARDED_FOR'], $ip_list))
- {
- $private_ip = array('#^0\.#', '#^127\.0\.0\.1#', '#^192\.168\.#', '#^172\.16\.#', '#^10\.#', '#^224\.#', '#^240\.#');
- $this->ip = preg_replace($private_ip, $this->ip, $ip_list[1]);
- }
- }
- }
-
- /**
- * @return string
- * @param encoded_ip string
- * @desc Decodes a hexed IP.
- * Taken from phpBB2.
- */
- function decode_ip($encoded_ip)
- {
- $hexipbang = explode('.', chunk_split($encoded_ip, 2, '.'));
- return hexdec($hexipbang[0]). '.' . hexdec($hexipbang[1]) . '.' . hexdec($hexipbang[2]) . '.' . hexdec($hexipbang[3]);
- }
}
--- 75,78 ----
--- session.php DELETED ---