author | Christian Schneider | 2007-10-11 00:39:30 +0000 |
---|---|---|
committer | Christian Schneider | 2007-10-11 00:39:30 +0000 |
commit | 35fe33f7364329dacf415c950bff01b6de9ef88e (patch) | |
tree | b0e6b018b50038ca20266723c53750268f508df5 /it_session.class | |
parent | 1f95711ff3e9697cd85a54545ab42e5fd3611317 (diff) | |
Populated release branch
Diffstat (limited to 'it_session.class')
-rw-r--r-- | it_session.class | 232 |
1 files changed, 232 insertions, 0 deletions
diff --git a/it_session.class b/it_session.class
new file mode 100644
index 0000000..34ed379
--- /dev/null
+++ b/it_session.class
@@ -0,0 +1,232 @@
+<?php
+/*
+** $Id$
+**
+*/
+
+/* Default values */
+define('_IT_SESSION_COOKIE', 'SESSION');
+define('_IT_SESSION_COOKIE_EXPIRY', 0);
+define('_IT_SESSION_LIFETIME', 3600);
+
+class it_session
+{
+ /* PRIVATE */
+ var $cookiename; /* Cookie to store session */
+ var $cookie; /* Session identifier of this session */
+ var $uid; /* Session user id */
+ var $domain = ''; /* Session domain (e.g. ".relog.ch") */
+ var $address = ''; /* Guessed IP address of client */
+ var $ssl; /* Session using SSL? */
+ var $lifetime; /* Session life-time in seconds */
+ var $secret; /* Session secret to generate session ids */
+ var $now; /* This session start time slot */
+ var $prev; /* Previous session start time slot */
+ var $hascookies; /* Do cookies work? Used by has_cookies() */
+
+/* Constructor */
+function it_session()
+{
+ $this->cookiename = _IT_SESSION_COOKIE;
+ $this->lifetime = _IT_SESSION_LIFETIME;
+/*
+ * NOTE: Does not work with dynamic IPs (dialup with low timeout,
+ * load balanced Proxies and maybe more weird stuff).
+ * $this->address = $_SERVER['REMOTE_ADDR'] . '/' . $_SERVER['HTTP_X_FORWARDED_FOR'];
+ */
+ $this->ssl = !empty($_SERVER['HTTPS']);
+}
+
+
+function set_cookiename($cookiename)
+{
+ if ($cookiename)
+ $this->cookiename = $cookiename;
+}
+
+
+function get_uid()
+{
+ return $this->uid;
+}
+
+
+function set_uid($uid)
+{
+ $this->uid = $uid;
+}
+
+
+function set_domain($domain)
+{
+ $this->domain = $domain;
+}
+
+
+function set_lifetime($lifetime)
+{
+ $this->lifetime = $lifetime;
+}
+
+
+function set_secret($secret)
+{
+ $this->secret = $secret;
+}
+
+
+function init()
+{
+ if (empty($this->secret))
+ it::fatal('it_session requires secret to be set');
+
+ /* Got a cookie? */
+ if ($this->hascookies = isset($_COOKIE[$this->cookiename]))
+ $this->cookie = $_COOKIE[$this->cookiename];
+ else
+ $this->cookie = '';
+ #debug("hascookies '$this->hascookies', '$this->cookie', " . $_COOKIE[$this->cookiename]);
+
+ $now = time();
+ /*
+ * Valid time range is now - 1/2 lifetime to now + 1/2 lifetime
+ * I.e. session has to be either from start or now
+ */
+ $this->now = $now - ($now % ($this->lifetime / 2));
+ $this->prev = $this->now - ($this->lifetime / 2);
+
+ /* Set user id from valid session */
+ $this->uid = substr($this->cookie, 1, strlen($this->cookie) - 33);
+
+ if (!$this->is_valid())
+ $this->uid = "";
+
+ #debug("it_session::new session=$this->cookie, user=$this->uid");
+}
+
+
+/* INTERNAL: Create session id from session data */
+function _mkcookie($uid, $timeslot)
+{
+ return "A" . $uid . md5("$uid,$this->domain,$this->address,$this->secret,$timeslot");
+}
+
+
+/* Check if this session is valid */
+function is_valid()
+{
+ $result = true;
+
+ if ($this->_mkcookie($this->uid, $this->now) != $this->cookie)
+ {
+ /* Check if using id from previous time slot */
+ if ($this->_mkcookie($this->uid, $this->prev) == $this->cookie)
+ $this->set_valid(); /* Rejuvenate session */
+ else
+ $result = false;
+ }
+
+ return $result;
+}
+
+
+/*
+ * Validate this session
+ * @param $valid Should this session be validated or invalidated?
+ * @param $login_identifier_required Does session validation require login magic?
+ * @param $login_identifier Session validation magic cookie to be checked
+ * @return true if successful
+ */
+function set_valid($valid = true, $login_identifier_required = false, $login_identifier = "")
+{
+ $result = false;
+
+ if ($valid && (!$login_identifier_required || ($login_identifier == $this->_mkcookie("", $this->cookie))))
+ {
+ $this->cookie = $this->_mkcookie($this->uid, $this->now);
+ $result = true;
+ }
+ else
+ {
+ $this->cookie = md5(uniqid(rand())); /* random garbage */
+ $result = !$valid; /* Setting to invalid succeeded or setting to valid failed */
+ }
+
+ @setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl);
+ $_COOKIE[$this->cookiename] = $this->cookie;
+
+ return $result;
+}
+
+
+function purge()
+{
+ $this->cookie = "";
+ $_COOKIE[$this->cookiename] = "";
+ $this->uid = "";
+}
+
+
+/*
+ * Create a login identifier and set session to login identifier 'secret' value
+ * Returns a value to be put into the login <form> which has to be passed to
+ * set_valid() to create a valid session
+ */
+function create_login_identifier()
+{
+ if (!$this->cookie)
+ {
+ $this->cookie = md5(uniqid(rand())); /* random garbage */
+ @setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl);
+ }
+
+ $login_identifier = $this->_mkcookie("", $this->cookie);
+
+ return $login_identifier;
+}
+
+/*
+ * Check if cookies are enabled.
+ * NOTE: Only works if you used create_login_identifier() on previous page
+ */
+function has_cookies()
+{
+ return $this->hascookies;
+}
+
+
+/*
+ * Sign string for current session
+ * @param $text Text to be signed
+ * @return Signature for $text
+ */
+function _sign($text, $timeslot)
+{
+ return "B" . md5("$text,$this->uid,$this->domain,$this->address,$this->secret,$timeslot");
+}
+
+/*
+ * Sign string for current session
+ * @param $text Text to be signed
+ * @return Signature for $text
+ */
+function create_signature($text)
+{
+ return $this->_sign($text, $this->now);
+}
+
+/*
+ * Check signature for string for current session
+ * @param $text Text which was signed
+ * @param $signature Signature to be checked
+ * @return True if signature ok, false otherwise
+ */
+function check_signature($text, $signature)
+{
+ return (($this->_sign($text, $this->now) == $signature) ||
+ ($this->_sign($text, $this->prev) == $signature));
+}
+
+} /* End class it_user */
+
+?> |
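Review bot: `_mkcookie()` and `_sign()` authenticate the session cookie and signatures with `md5()` over a comma-joined string that embeds the secret, and `is_valid()`, `set_valid()` and `check_signature()` compare the result with `==`/`!=`, so this is neither a proper MAC nor a constant-time comparison. On a runtime that provides them I would move both helpers to `hash_hmac('sha256', …, $this->secret)` and every comparison to `hash_equals()`; the digest then grows to 64 hex characters, so the `- 33` in `init()` has to become `- 65`, and cookies issued before the change stop validating. `hash_equals()` expects strings, so `init()` should treat a non-string `$_COOKIE` value as an absent cookie. The comma-joined input is also ambiguous when `$text` or `$uid` contain commas, and the same `_mkcookie()` form serves both session cookies and login identifiers, so an unambiguous field encoding with a distinct purpose label per use is worth adding. Separately, both `setcookie()` calls leave out the HttpOnly argument, and `$this->address` stays empty because its assignment in the constructor is commented out, so the address term contributes nothing to the hash.

```php
// … unchanged: defaults, properties, constructor, setters …

// init(): "A" plus a 64-character digest is 65 bytes
$this->uid = substr($this->cookie, 1, strlen($this->cookie) - 65);

function _mkcookie($uid, $timeslot)
{
    return "A" . $uid . hash_hmac('sha256', "$uid,$this->domain,$this->address,$timeslot", $this->secret);
}

// is_valid(): constant-time comparison of the presented cookie
if (!hash_equals($this->_mkcookie($this->uid, $this->now), $this->cookie))
{
    if (hash_equals($this->_mkcookie($this->uid, $this->prev), $this->cookie))
        $this->set_valid(); /* Rejuvenate session */
    else
        $result = false;
}

// … unchanged: set_valid() apart from the same hash_equals() swap, purge(), create_login_identifier(), has_cookies() …

function _sign($text, $timeslot)
{
    return "B" . hash_hmac('sha256', "$text,$this->uid,$this->domain,$this->address,$timeslot", $this->secret);
}

// check_signature(): constant-time comparison against both time slots
return hash_equals($this->_sign($text, $this->now), $signature) ||
    hash_equals($this->_sign($text, $this->prev), $signature);
```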