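. */

/* Default values */
define('_IT_SESSION_COOKIE', 'SESSION');
define('_IT_SESSION_COOKIE_EXPIRY', 0);
define('_IT_SESSION_LIFETIME', 3600);

/*
 * Cookie-based session without server-side state.
 *
 * The session id stored in the cookie is "A" . uid . md5(uid, domain,
 * address, secret, timeslot) as built by _mkcookie(). A cookie is accepted
 * when it matches the id computed for the current or the previous time slot
 * (each slot is half the lifetime); a match on the previous slot re-issues
 * the cookie for the current one.
 */
class it_session
{
    /* PRIVATE */
    var $cookiename;    /* Cookie to store session */
    var $cookie;        /* Session identifier of this session */
    var $uid;           /* Session user id */
    var $domain = '';   /* Session domain (e.g. ".relog.ch") */
    var $address = '';  /* Guessed IP address of client (never assigned in the code shown here, so it stays '') */
    var $ssl;           /* Session using SSL? */
    var $lifetime;      /* Session life-time in seconds */
    var $secret;        /* Session secret to generate session ids */
    var $now;           /* This session start time slot */
    var $prev;          /* Previous session start time slot */
    var $hascookies;    /* Do cookies work? Used by has_cookies() */

    /*
     * Old-style constructor name, kept so existing code that calls
     * it_session() explicitly (e.g. from a subclass) keeps working.
     * PHP 8 no longer treats a method named after the class as a
     * constructor, so the real work lives in __construct().
     */
    function it_session()
    {
        $this->__construct();
    }

    /* Constructor: apply default cookie name and lifetime, detect HTTPS */
    function __construct()
    {
        $this->cookiename = _IT_SESSION_COOKIE;
        $this->lifetime = _IT_SESSION_LIFETIME;

        /*
         * NOTE: Does not work with dynamic IPs (dialup with low timeout,
         * load balanced Proxies and maybe more weird stuff).
         * $this->address = $_SERVER['REMOTE_ADDR'] . '/' . $_SERVER['HTTP_X_FORWARDED_FOR'];
         */

        /*
         * Drives the Secure flag in set_valid(). It only reflects whether the
         * current request has $_SERVER['HTTPS'] set.
         * NOTE(review): behind a TLS-terminating proxy this may be empty and
         * the cookie would then be issued without Secure; confirm deployment.
         */
        $this->ssl = !empty($_SERVER['HTTPS']);
    }

    /* Override the cookie name; an empty value keeps the current name */
    function set_cookiename($cookiename)
    {
        if ($cookiename)
            $this->cookiename = $cookiename;
    }

    /* @return Session user id ("" after init() when the cookie did not validate) */
    function get_uid()
    {
        return $this->uid;
    }

    /* Set the user id that the next set_valid() will bind into the cookie */
    function set_uid($uid)
    {
        $this->uid = $uid;
    }

    /* Set the cookie domain; it is also part of the hashed session data */
    function set_domain($domain)
    {
        $this->domain = $domain;
    }

    /* Set session life-time in seconds; init() requires at least 2 */
    function set_lifetime($lifetime)
    {
        $this->lifetime = $lifetime;
    }

    /* Set the secret mixed into every session id; init() refuses to run without it */
    function set_secret($secret)
    {
        $this->secret = $secret;
    }

    /*
     * Read the session cookie of this request, compute the current and
     * previous time slot and set the user id if the cookie validates.
     * Calls it::fatal() when no secret is set or the lifetime is too short.
     */
    function init()
    {
        if (empty($this->secret))
            it::fatal('it_session requires secret to be set');

        /* Got a cookie? */
        $this->hascookies = isset($_COOKIE[$this->cookiename]);

        /*
         * Only a string can be a session id. A client can make PHP parse a
         * cookie as an array ("SESSION[]=x"); treat that as "no session"
         * instead of passing it to strlen()/substr() and the comparisons.
         */
        if ($this->hascookies && is_string($_COOKIE[$this->cookiename]))
            $this->cookie = $_COOKIE[$this->cookiename];
        else
            $this->cookie = '';
        #debug("hascookies '$this->hascookies', '$this->cookie', " . $_COOKIE[$this->cookiename]);

        /*
         * Use one integer slot length for both values. The modulo operator
         * truncates its operands to int, so with an odd lifetime a fractional
         * half would put $this->prev off the slot grid and a cookie from the
         * previous slot could never match.
         */
        $slot = (int)($this->lifetime / 2);
        if ($slot < 1)
            it::fatal('it_session requires lifetime of at least 2 seconds');

        $now = time();

        /*
         * Valid time range is now - 1/2 lifetime to now + 1/2 lifetime
         * I.e. session has to be either from start or now
         */
        $this->now = $now - ($now % $slot);
        $this->prev = $this->now - $slot;

        /*
         * Set user id from valid session: strip the leading "A" and the
         * trailing 32 character md5 digest. The uid is only trusted after
         * is_valid() has recomputed the digest for it.
         */
        $this->uid = substr($this->cookie, 1, strlen($this->cookie) - 33);
        if (!$this->is_valid())
            $this->uid = "";

        #debug("it_session::new session=$this->cookie, user=$this->uid");
    }

    /*
     * INTERNAL: Create session id from session data
     *
     * NOTE(review): md5() over comma-joined fields is not a keyed MAC
     * construction and the fields are not escaped, so a value containing ','
     * makes the encoding ambiguous. hash_hmac() with a SHA-2 digest would be
     * the sound primitive, but it changes the cookie format (init() assumes a
     * 32 character digest) and invalidates sessions in flight, so it is
     * flagged here rather than changed.
     */
    function _mkcookie($uid, $timeslot)
    {
        return "A" . $uid . md5("$uid,$this->domain,$this->address,$this->secret,$timeslot");
    }

    /*
     * INTERNAL: Compare a computed session value with a client supplied one.
     *
     * Both sides must be strings (a loose == would let e.g. boolean true
     * match any non-empty string) and the comparison does not stop at the
     * first differing byte.
     * @param $known Value computed by this class
     * @param $given Value received from the client
     * @return true if both are strings with identical content
     */
    function _cookie_equals($known, $given)
    {
        if (!is_string($known) || !is_string($given))
            return false;

        if (function_exists('hash_equals'))
            return hash_equals($known, $given);

        /* Fallback for PHP versions without hash_equals() */
        $length = strlen($known);
        if ($length != strlen($given))
            return false;

        $diff = 0;
        for ($i = 0; $i < $length; $i++)
            $diff |= ord($known[$i]) ^ ord($given[$i]);

        return $diff === 0;
    }

    /*
     * Check if this session is valid
     * A cookie matching the previous time slot is accepted and re-issued
     * for the current slot via set_valid().
     * @return true if the cookie matches the current or previous time slot
     */
    function is_valid()
    {
        if ($this->_cookie_equals($this->_mkcookie($this->uid, $this->now), $this->cookie))
            return true;

        /* Check if using id from previous time slot */
        if ($this->_cookie_equals($this->_mkcookie($this->uid, $this->prev), $this->cookie)) {
            $this->set_valid(); /* Rejuvenate session */
            return true;
        }

        return false;
    }

    /*
     * Validate this session
     * @param $valid Should this session be validated or invalidated?
     * @param $login_identifier_required Does session validation require login magic?
     * @param $login_identifier Session validation magic cookie to be checked
     * @return true if successful
     */
    function set_valid($valid = true, $login_identifier_required = false, $login_identifier = "")
    {
        $result = false;

        /* The expected login identifier is derived from the cookie the client currently holds */
        if ($valid && (!$login_identifier_required || $this->_cookie_equals($this->_mkcookie("", $this->cookie), $login_identifier))) {
            $this->cookie = $this->_mkcookie($this->uid, $this->now);
            $result = true;
        } else {
            /*
             * random garbage
             * NOTE(review): rand()/uniqid() are not cryptographic sources;
             * confirm nothing relies on this value being unguessable.
             */
            $this->cookie = md5(uniqid(rand()));
            $result = !$valid; /* Setting to invalid succeeded or setting to valid failed */
        }

        /*
         * HttpOnly is always set; Secure follows $this->ssl. Errors are
         * suppressed, so a cookie that could not be sent (e.g. output already
         * started) goes unnoticed while $_COOKIE below is still updated.
         */
        @setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl, true);
        $_COOKIE[$this->cookiename] = $this->cookie;

        return $result;
    }

    /*
     * Forget session id and user id for the rest of this request.
     * Only in-process state is cleared; no cookie is sent to the client here.
     */
    function purge()
    {
        $this->cookie = "";
        $_COOKIE[$this->cookiename] = "";
        $this->uid = "";
    }

    /*
     * Create a login identifier and set session to login identifier 'secret' value
     * Returns a value to be put into the login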