diff --git a/lib/Session.inc b/lib/Session.inc
index 87739da..6149cbb 100644
--- a/lib/Session.inc
+++ b/lib/Session.inc
@@ -24,30 +24,21 @@ class Session {
 session_start();
 // bind userID to session
- $_SESSION['userID'] = $userID;
+ $_SESSION["userID"] = $userID;
 // lookup group id and add to session
- //$_SESSION['groupID'] = lookupGroupID($userID);
- $_SESSION['groupID'] = owlusergroup($userID);
+ $_SESSION["groupID"] = owlusergroup($userID);
 // use the PHP generated session id
 $sessionID = session_id();
 // retrieve client ip
- if(getenv("HTTP_CLIENT_IP")) {
- $ip = getenv("HTTP_CLIENT_IP");
- } elseif(getenv("HTTP_X_FORWARDED_FOR")) {
- $forwardedip = getenv("HTTP_X_FORWARDED_FOR");
- list($ip,$ip2,$ip3,$ip4)= split (",", $forwardedip);
- } else {
- $ip = getenv("REMOTE_ADDR");
- }
-
- $current = time();
+ $ip = $this->getClientIP();
 // insert session information into db
 $sql = new Owl_DB;
- $query = "insert into $default->owl_sessions_table (id, user_id, lastused, ip) values ('$sessionID', '$userID', '" . date("Y-m-d H:i:s",$current) . "', '$ip')";
+ $query = "insert into $default->owl_sessions_table (session_id, user_id, lastused, ip) values ('$sessionID', '$userID', '" . date("Y-m-d H:i:s", time()) . "', '$ip')";
+ //echo "query=$query
";
 $result = $sql->query($query);
 if(!$result) {
 die("$lang_err_sess_write");
@@ -65,7 +56,7 @@ class Session {
 session_start();
 // remove the session information from the database
 $sql = new Owl_DB;
- $query = "delete from $default->owl_sessions_table where id = '" . session_id() . "'";
+ $query = "delete from $default->owl_sessions_table where session_id = '" . session_id() . "'";
 $sql->query($query);
 // remove the php4 session
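Review bot: The INSERT at the end of this hunk still interpolates `$sessionID`, `$userID` and `$ip` straight into the SQL string, and `$ip` now comes from getClientIP(), which (per the last hunk) prefers the client-supplied HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR headers over REMOTE_ADDR, so a request header reaches the query unescaped. Owl_DB's escaping API is not visible here; at minimum validate the value before it is stored, `if (filter_var($ip, FILTER_VALIDATE_IP) === false) { $ip = getenv("REMOTE_ADDR"); }`, and escape each interpolated value with the driver's escaping function (or use a prepared statement if Owl_DB offers one). The added `//echo "query=$query` debug line would print the full statement including the session id if re-enabled, so drop it rather than commit it commented out. The enclosing method starts before this hunk.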
@@ -84,77 +75,92 @@ class Session {
 // deletes any sessions for this userID where the default timeout has elapsed.
 $time = time() - $default->owl_timeout;
 $sql = new Owl_DB;
- $sql->query("delete from $default->owl_sessions_table where user_id = '" . $userID . "' and lastused <= $time ");
+ $sql->query("delete from $default->owl_sessions_table where user_id = '" . $userID . "' and lastused <= '" . date("Y-m-d H:i:s",$time) . "'");
 }
-
+
 /**
 * Used to verify the current user's session.
 *
 * @return
 * array containing the userID, groupID and session verification status
 */
- function verify() {
+ function verify() {
+ global $default, $lang_sesstimeout, $lang_sessinuse, $lang_err_sess_notvalid;
+ getprefs();
- global $default, $lang_sesstimeout, $lang_sessinuse, $lang_clicklogin;
- session_start();
 $sessionID = session_id();
+ if (strlen($sessionID) > 0) {
- // initialise return status
- $verified["status"] = 0;
-
- // this should be an existing session, so check the db
- $sql = new Owl_DB;
- $sql->query("select * from $default->owl_sessions_table where id = '$sessionID'");
- $numrows = $sql->num_rows($sql);
- $time = time();
-
- if ($numrows == "1") {
- while($sql->next_record()) {
- // get client ip
- if(getenv("HTTP_CLIENT_IP")) {
- $ip = getenv("HTTP_CLIENT_IP");
- } elseif(getenv("HTTP_X_FORWARDED_FOR")) {
- $forwardedip = getenv("HTTP_X_FORWARDED_FOR");
- list($ip,$ip2,$ip3,$ip4)= split (",", $forwardedip);
- } else {
- $ip = getenv("REMOTE_ADDR");
- }
-
- // check that ip matches
- if ($ip == $sql->f("ip")) {
- // if timeout not exceeded
- if(($time - strtotime($sql->f("lastused"))) <= $default->owl_timeout) {
- // set verified status
- $verified["status"] = 1;
- // update userID? 
this should be the same value on the session
- $verified["userID"] = $sql->f("user_id");
- $sql->query("select * from $default->owl_users_table where id = '".$verified["userid"]."'");
- while($sql->next_record()) {
- $verified["groupID"] = $sql->f("groupid");
+ // initialise return status
+ $sessionStatus["status"] = 0;
+
+ // this should be an existing session, so check the db
+ $sql = new Owl_DB;
+ $sql->query("select * from $default->owl_sessions_table where session_id = '$sessionID'");
+ $numrows = $sql->num_rows($sql);
+ $time = time();
+
+ // found one match
+ if ($numrows == "1") {
+ while($sql->next_record()) {
+ $ip = $this->getClientIP();
+ // check that ip matches
+ if ($ip == $sql->f("ip")) {
+ // now check if the timeout has been exceeded
+ if(($time - strtotime($sql->f("lastused"))) <= $default->owl_timeout) {
+ // session has been verified, update status
+ $sessionStatus["status"] = 1;
+ // only set the userID if its not in the array already
+ if (!$sessionStatus["userID"]) {
+ $sessionStatus["userID"] = $sql->f("user_id");
+ }
+ // lookup the user
+ $sql->query("select * from $default->owl_users_table where id = '".$sessionStatus["userid"]."'");
+ while($sql->next_record()) {
+ // only set the groupID if its not in the array already
+ if (!$sessionStatus["groupID"]) {
+ $sessionStatus["groupID"] = $sql->f("group_id");
+ }
+ }
+ // update last used timestamps
+ $sql->query("update $default->owl_sessions_table set lastused = '" . date("Y-m-d H:i:s",time()) ."' where user_id = '" . $sessionStatus["userID"] . 
"'");
+ // add the array to the session
+ $_SESSION["sessionStatus"] = $sessionStatus;
+ } else {
+ // session timed out status
+ $sessionStatus["status"] = 2;
+ $default->errorMessage = $lang_sesstimeout;
 }
- // session verified, so update last user time
- $lastused = time();
- $userID = $sessionStatus["userID"];
- $sql->query("update $default->owl_sessions_table set lastused = '$lastused' where user_id = '$userID'");
- } else {
- // session timed out status
- $verified["status"] = 2;
- $default->errorMessage = $lang_sesstimeout;
+ // session in use status
+ $sessionStatus["status"] = 3;
+ $default->errorMessage = $lang_sessinuse;
 }
- } else {
- // session in use status
- $verified["status"] = 3;
- $default->errorMessage = $lang_sessinuse;
 }
- }
+ }
+ } else {
+ // there is no session
+ return false;
 }
- // add this array to the session
- session_register($sessionStatus);
-
- // also return the array for good measure
- return $verified;
+ // return the array
+ return $sessionStatus;
+ }
+
+ /**
+ * Retrieves and returns the IP address of the current user
+ */
+ function getClientIP() {
+ // get client ip
+ if(getenv("HTTP_CLIENT_IP")) {
+ $ip = getenv("HTTP_CLIENT_IP");
+ } elseif(getenv("HTTP_X_FORWARDED_FOR")) {
+ $forwardedip = getenv("HTTP_X_FORWARDED_FOR");
+ list($ip,$ip2,$ip3,$ip4)= split (",", $forwardedip);
+ } else {
+ $ip = getenv("REMOTE_ADDR");
+ }
+ return $ip;
 }
 }
?>
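Review bot: As the hunk reads, the `// session in use status` lines that set `$sessionStatus["status"] = 3;` sit after the timeout if/else but still inside the `if ($ip == $sql->f("ip"))` branch, so every IP-matching session is returned with status 3 (after `$_SESSION["sessionStatus"]` was already stored with status 1) while an IP mismatch now sets nothing; those two lines belong in an `} else {` of the IP check, as the removed code had them. The user lookup reads `$sessionStatus["userid"]` but the key written a few lines earlier is `"userID"`, so the query runs with an empty id and groupID is never populated, and the `if (!$sessionStatus["userID"])` / `["groupID"]` guards always pass because the array is freshly initialised in this function. The lastused UPDATE is keyed on `user_id` and so touches all of the user's sessions rather than `where session_id = '$sessionID'`, and `$sessionID` from the cookie and the header-derived `$ip` are still interpolated unescaped into the SELECT, so the same escaping and validation as the INSERT in the first hunk applies here. In getClientIP(), `split()` is deprecated (removed in PHP 7) and `list()` with four targets emits notices for a header with fewer commas, so `$parts = explode(",", $forwardedip); $ip = trim($parts[0]);` is the safer form, and because HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are set by the client, the IP binding in verify() only adds protection when a trusted proxy in front of the application overwrites them, which the docblock should state. Note also that `session_start()` was removed from verify(), so `$_SESSION["sessionStatus"]` is only persisted if getprefs() starts the session, and the newly imported `$lang_err_sess_notvalid` is not used anywhere in the hunk.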