4 * SourceForge Session Module
6 * SourceForge: Breaking Down the Barriers to Open Source Development
7 * Copyright 1999-2001 (c) VA Linux Systems
8 * http://sourceforge.net
13 * A User object if user is logged in
15 * @var constant $G_SESSION
20 * session_build_session_cookie() - Construct session cookie for the user
22 * @param int User_id of the logged in user
23 * @return cookie value
25 function session_build_session_cookie($user_id) {
28 $session_serial = $user_id.'-'.time().'-'.$GLOBALS['REMOTE_ADDR'].'-'.$GLOBALS['HTTP_USER_AGENT'];
29 $td = mcrypt_module_open($GLOBALS['sys_session_cypher'], "", $GLOBALS['sys_session_cyphermode'], "");
30 $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size ($td), MCRYPT_RAND);
31 mcrypt_generic_init($td, $GLOBALS['sys_session_key'], $iv);
32 $encrypted_session_serial = mcrypt_generic($td, $session_serial);
33 mcrypt_generic_end($td);
34 $session_serial_hash = md5($encrypted_session_serial.$GLOBALS['sys_session_key']);
35 $session_serial_cookie = base64_encode($encrypted_session_serial).'-'.$session_serial_hash;
37 return $session_serial_cookie;
39 echo "<br>in session_build_session_cookie";
40 $session_serial = $user_id.'-'.time().'-'.$GLOBALS['REMOTE_ADDR'].'-'.$GLOBALS['HTTP_USER_AGENT'];
41 echo "<br>SESSION_BUILD_SESSION_COOKIE::mcrypt_module_open call";
42 $temp_sys_session_cypher=$GLOBALS['sys_session_cypher'];
43 echo "<br>--->cypher=$temp_sys_session_cypher";
44 echo "<br>--->2nd arg=\"\"";
45 $temp_sys_session_cyphermode=$GLOBALS['sys_session_cyphermode'];
46 echo "<br>--->cyphermode=$temp_sys_session_cyphermode";
47 echo "<br>--->4th arg=\"\"";
48 $td = mcrypt_module_open($GLOBALS['sys_session_cypher'], "", $GLOBALS['sys_session_cyphermode'], "");
49 echo "<br>===>returned value = $td";
50 echo "<br>SESSION_BUILD_SESSION_COOKIE::mcrypt_create_iv call";
51 echo "<br>--->1st arg = ($td)";
52 echo "<br>--->2nd arg = MCRYPT_RAND";
53 $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size ($td), MCRYPT_RAND);
54 echo "<br>===>returned value = $iv";
55 echo "<br>SESSION_BUILD_SESSION_COOKIE::mcrypt_generic_init call";
56 echo "<br>--->1st arg = $td";
57 $temp_sys_session_key=$GLOBALS['sys_session_key'];
58 echo "<br>--->session key = $temp_sys_session_key";
59 echo "<br>--->3rd arg = $iv";
60 $tempRetVal = mcrypt_generic_init($td, $GLOBALS['sys_session_key'], $iv);
61 echo "<br>===>returned value = $tempRetVal";
62 echo "<br>SESSION_BUILD_SESSION_COOKIE::mcrypt_generic call";
63 echo "<br>--->1st arg = $td";
64 echo "<br>--->serial = $session_serial";
66 $td = mcrypt_module_open("", "", "", "");
67 $encrypted_session_serial = mcrypt_generic($td, $session_serial);
68 echo "<br>===>returned value = $encrypted_session_serial";
69 echo "<br>SESSION_BUILD_SESSION_COOKIE::mcrypt_generic_end call";
70 mcrypt_generic_end($td);
71 echo "<br>SESSION_BUILD_SESSION_COOKIE::md5 call";
72 $session_serial_hash = md5($encrypted_session_serial.$GLOBALS['sys_session_key']);
73 echo "<br>SESSION_BUILD_SESSION_COOKIE::base64_encode call";
74 $session_serial_cookie = base64_encode($encrypted_session_serial).'-'.$session_serial_hash;
75 return $session_serial_cookie;
79 * session_build_username_cookie() - Construct username cookie
81 * @param string username of the logged in user
82 * @return cookie value
84 function session_build_username_cookie($username) {
86 // check if operating in plaintext or encrytped mode
88 if ($GLOBALS['sys_username_cookie_plaintext']) {
94 $td = mcrypt_module_open($GLOBALS['sys_username_cookie_cypher'], "", $GLOBALS['sys_username_cookie_cyphermode'], "");
95 $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size ($td), MCRYPT_RAND);
96 mcrypt_generic_init($td, $GLOBALS['sys_username_cookie_key'], $iv);
97 $encrypted_username = mcrypt_generic($td, $username);
98 mcrypt_generic_end($td);
99 $session_username_cookie = base64_encode($encrypted_username);
101 return $session_username_cookie;
107 * session_get_session_cookie_hash() - Get hash of session cookie
109 * This hash can be used as a key to identify session, e.g. in DB.
111 * @param string Value of the session cookie
114 function session_get_session_cookie_hash($session_cookie) {
115 list ($junk, $hash) = explode('-', $session_cookie);
120 * session_check_session_cookie() - Check that session cookie passed from user is ok
122 * @param string Value of the session cookie
123 * @return user_id if cookie is ok, false otherwise
125 function session_check_session_cookie($session_cookie) {
127 list ($encrypted_session_serial, $hash) = explode('-', $session_cookie);
128 $encrypted_session_serial = base64_decode($encrypted_session_serial);
129 $new_hash = md5($encrypted_session_serial.$GLOBALS['sys_session_key']);
131 if ($hash != $new_hash) {
135 $td = mcrypt_module_open($GLOBALS['sys_session_cypher'], "", $GLOBALS['sys_session_cyphermode'], "");
136 $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size ($td), MCRYPT_RAND);
137 mcrypt_generic_init($td, $GLOBALS['sys_session_key'], $iv);
138 $session_serial = mdecrypt_generic($td, $encrypted_session_serial);
139 mcrypt_generic_end($td);
141 list($user_id, $time, $ip, $user_agent) = explode('-', $session_serial, 4);
143 if (!session_check_ip($ip, $GLOBALS['REMOTE_ADDR'])) {
146 if (trim($user_agent) != $GLOBALS['HTTP_USER_AGENT']) {
149 if ($time - time() >= $GLOBALS['sys_session_expire']) {
157 * session_logout() - Log the user off the system.
159 * This function destroys object associated with the current session,
160 * making user "logged out". Deletes both user and session cookies.
165 function session_logout() {
167 // delete both session and username cookies
168 // NB: cookies must be deleted with the same scope parameters they were set with
170 session_cookie('session_ser', '');
171 session_cookie('username',
173 $GLOBALS['sys_username_cookie_urlspace'],
180 * session_login_valid() - Log the user to the system.
182 * High-level function for user login. Check credentials, and if they
183 * are valid, open new session.
185 * @param string User name
186 * @param string User password (in clear text)
187 * @param bool Allow login to non-confirmed user account (only for confirmation of the very account)
188 * @return true/false, if false reason is in global $feedback
192 function session_login_valid($loginname, $passwd, $allowpending=0) {
195 if (!$loginname || !$passwd) {
196 $feedback = 'Missing Password Or users Name';
200 //get the users from the database using user_id and password
202 SELECT user_id,status
204 WHERE user_name='$loginname'
205 AND user_pw='".md5($passwd)."'
207 if (!$res || db_numrows($res) < 1) {
208 //invalid password or user_name
209 $feedback='Invalid Password or User Name';
212 // check status of this user
213 $usr = db_fetch_array($res);
215 // if allowpending (for verify.php) then allow
216 if ($allowpending && ($usr['status'] == 'P')) {
219 if ($usr['status'] == 'S') {
221 $feedback = 'Account Suspended';
224 if ($usr['status'] == 'P') {
226 $feedback = 'Account Pending';
229 if ($usr['status'] == 'D') {
231 $feedback = 'Account Deleted';
234 if ($usr['status'] != 'A') {
235 //unacceptable account flag
236 $feedback = 'Account Not Active';
240 //create a new session
241 session_set_new(db_result($res,0,'user_id'));
248 * session_check_ip() - Check 2 IP addresses for match
250 * This function checks that IP addresses match
252 * IPv4 addresses are allowed to match with some
253 * fuzz factor (within 255.255.0.0 subnet).
255 * For IPv6 addresses, no fuzz is needed since there's
256 * usually no NAT in IPv6.
258 * @param string The old IP address
259 * @param string The new IP address
263 function session_check_ip($oldip,$newip) {
264 if (strstr ($oldip, ':')) {
266 if (strstr ($newip, ':')) {
267 // New IP is IPv6 too
268 return ($oldip == $newip) ;
274 if (strstr ($newip, ':')) {
278 $eoldip = explode(".",$oldip);
279 $enewip = explode(".",$newip);
281 // require same class b subnet
282 return ( ($eoldip[0] == $enewip[0])
283 && ($eoldip[1] == $enewip[1]) ) ;
289 * session_issecure() - Check if current session is secure
294 function session_issecure() {
295 return (getenv('SERVER_PORT') == '443');
299 * session_cookie() - Set a session cookie
301 * Set a cookie with default temporal scope of the current browser session
302 * and URL space of the current webserver
304 * @param string Name of cookie
305 * @param string Value of cookie
306 * @param string Domain scope (default '')
307 * @param string Expiration time in UNIX seconds (default 0)
310 function session_cookie($name ,$value, $domain = '', $expiration = 0) {
311 setcookie($name, $value, $expiration, '/', $domain, 0);
315 * session_redirect() - Redirect browser within the site
317 * @param string Absolute path within the site
318 * @return never returns
320 function session_redirect($loc) {
321 header('Location: http' . (session_issecure()?'s':'') . '://' . getenv('HTTP_HOST') . $loc);
327 * session_require() - Convenience function to easily enforce permissions
329 * Calling page will terminate with error message if current user
332 * @param array Associative array specifying criteria
333 * @return does not return if check is failed
336 function session_require($req) {
337 if (!user_isloggedin()) {
338 exit_not_logged_in();
339 //exit_permission_denied();
343 $group =& group_get_object($req['group']);
345 if (!$group || !is_object($group)) {
346 exit_error(_('Error'),
347 _('Error creating group object'));
348 } else if ($group->isError()) {
349 exit_error(_('Error'),
350 $group->getErrorMessage());
353 $perm =& $group->getPermission( session_get_user() );
354 if (!$perm || !is_object($perm)) {
355 exit_error(_('Error'),
356 _('Error creating permission object'));
357 } else if ($perm->isError()) {
358 exit_error(_('Error'),
359 $perm->getErrorMessage());
362 if ($req['admin_flags']) {
363 //$query .= " AND admin_flags = '$req[admin_flags]'";
364 if (!$perm->isAdmin()) {
365 exit_permission_denied();
368 if (!$perm->isMember()) {
369 exit_permission_denied();
372 } else if ($req['isloggedin']) {
373 //no need to check as long as the check is present at top of function
375 exit_permission_denied();
380 * session_set_new() - Setup session for the given user
382 * This function sets up SourceForge session for the given user,
383 * making one be "logged in".
385 * @param int The user ID
388 function session_set_new($user_id) {
391 // set session cookie
393 $cookie = session_build_session_cookie($user_id);
394 session_cookie("session_ser", $cookie);
397 INSERT INTO session (session_hash, ip_addr, time, user_id)
399 '".session_get_session_cookie_hash($cookie)."',
400 '".$GLOBALS['REMOTE_ADDR']."',
406 // check uniqueness of the session_hash in the database
408 $res = session_getdata($user_id);
410 if (!$res || db_numrows($res) < 1) {
411 exit_error("ERROR","ERROR - Cannot initialize session: ".db_error());
414 //set up the new user object
416 $G_SESSION = user_get_object($user_id,$res);
418 $G_SESSION->setLoggedIn(true);
422 // set username cookie for *.hostname.tld, expiration set in local.inc
424 session_cookie('username',
425 session_build_username_cookie($G_SESSION->getUnixName()),
426 $GLOBALS['sys_username_cookie_urlspace'],
427 time() + $GLOBALS['sys_username_cookie_expiration']);
431 * Private optimization function for logins - fetches user data, language, and session
434 * @param int The user ID
437 function session_getdata($user_id) {
438 $res=db_query("SELECT
440 u.*,sl.language_id, sl.name, sl.filename, sl.classname, sl.language_code
443 supported_languages sl
444 WHERE u.language=sl.language_id
445 AND u.user_id='$user_id'
451 * session_set() - Re-initialize session for the logged in user
453 * This function checks that the user is logged in and if so, initialize
454 * internal session environment.
458 function session_set() {
460 global $session_ser, $session_key;
462 // assume bad session_hash and session. If all checks work, then allow
463 // otherwise make new session
466 // If user says he's logged in (by presenting cookie), check that
469 $user_id = session_check_session_cookie($session_ser);
473 $result = session_getdata($user_id);
475 if (db_numrows($result) > 0) {
479 } // else (hash does not exist) or (session hash is bad)
482 $G_SESSION = user_get_object($user_id, $result);
484 $G_SESSION->setLoggedIn(true);
489 // if there was bad session cookie, kill it and the user cookie
498 * session_get_user() - Wrapper function to return the User object for the logged in user.
503 function &session_get_user() {
510 * Get user_id of logged in user
513 function user_getid() {
516 return $G_SESSION->getID();
524 * See if user is logged in
526 function user_isloggedin() {
530 return $G_SESSION->isLoggedIn();
538 // c-file-style: "bsd"