- deletion of session_time and session_id_size as config parameter

- new feature : "remember me" creates a long time cookie - possibility to set the default authentication method to URI or cookie - really technical parameters (session identifier size, session duration) are set in the config file and not in database + configuration.php git-svn-id: http://piwigo.org/svn/trunk@541 68402e56-0260-453c-a942-63ccdbb3a9ee
author: z0rglub <z0rglub@piwigo.org> 2004-10-02 23:12:50 +0000
committer: z0rglub <z0rglub@piwigo.org> 2004-10-02 23:12:50 +0000
commit: 3c8309a7e621ede168cf7f6dfd8c8d55144525ea (patch)
tree: 8b13443d84b3eae9ddead399bea404a981b2bc60 /include
parent: da836ea95fce9a8b5711366253832d298e3c4a6e (diff)
4 files changed, 97 insertions, 59 deletions
diff --git a/include/common.inc.php b/include/common.inc.php
index 6d4b37195..8853e67f1 100644
--- a/include/common.inc.php
+++ b/include/common.inc.php
@@ -167,9 +167,10 @@ $user_ip = encode_ip($client_ip);
 // Setup gallery wide options, if this fails then we output a CRITICAL_ERROR
 // since basic gallery information is not available
 //
-$query = 'SELECT param,value';
-$query.= ' FROM '.CONFIG_TABLE;
-$query.= ';';
+$query = '
+SELECT param,value
+ FROM '.CONFIG_TABLE.'
+;';
 if( !( $result = mysql_query( $query ) ) )
 {
   die("Could not query config information");
diff --git a/include/config.inc.php b/include/config.inc.php
index 1e4c4dcc5..a2a3b0d4c 100644
--- a/include/config.inc.php
+++ b/include/config.inc.php
@@ -89,4 +89,16 @@ $conf['show_exif_fields'] = array('Make',
 
 $conf['calendar_datefield'] = 'date_available';
 $conf['rate'] = true;
+
+// time of validity for "remember me" cookies, in seconds.
+$conf['remember_me_length'] = 31536000;
+
+// time of validity for normal session, in seconds.
+$conf['session_length'] = 3600;
+
+// session id length when session id in URI
+$conf['session_id_size_URI'] = 4;
+
+// session id length when session id in cookie
+$conf['session_id_size_cookie'] = 50;
 ?>
diff --git a/include/functions_session.inc.php b/include/functions_session.inc.php
index a92deb7a4..ce66e3a30 100644
--- a/include/functions_session.inc.php
+++ b/include/functions_session.inc.php
@@ -31,7 +31,7 @@
 //                    "Er4Tgh6", "Rrp08P", "54gj"
 // input  : none (using global variable)
 // output : $key
-function generate_key()
+function generate_key($size)
 {
   global $conf;
 
@@ -44,7 +44,7 @@ function generate_key()
   $init = substr( $init, 0, 8 );
   mt_srand( $init );
   $key = '';
-  for ( $i = 0; $i < $conf['session_id_size']; $i++ )
+  for ( $i = 0; $i < $size; $i++ )
   {
     $c = mt_rand( 0, 2 );
     if ( $c == 0 )      $key .= chr( mt_rand( 65, 90 ) );
@@ -54,38 +54,53 @@ function generate_key()
   return $key;
 }
 
-// The function create_session finds a non-already-used session key and
-// returns it once found for the given user.
-function session_create( $username )
+/**
+ * create a new session and returns the session identifier
+ *
+ * - find a non-already-used session key
+ * - create a session in database
+ * - return session identifier
+ *
+ * @param int userid
+ * @param string method : cookie or URI
+ * @param int session_lentgh : in seconds
+ * @return string
+ */
+function session_create($userid, $method, $session_length)
 {
   global $conf;
+
   // 1. searching an unused session key
   $id_found = false;
-  while ( !$id_found )
+  while (!$id_found)
   {
-    $generated_id = generate_key();
-    $query = 'select id';
-    $query.= ' from '.PREFIX_TABLE.'sessions';
-    $query.= " where id = '".$generated_id."';";
-    $result = mysql_query( $query );
-    if ( mysql_num_rows( $result ) == 0 )
+    $generated_id = generate_key($conf['session_id_size_'.$method]);
+    $query = '
+SELECT id
+  FROM '.SESSIONS_TABLE.'
+  WHERE id = \''.$generated_id.'\'
+;';
+    $result = mysql_query($query);
+    if (mysql_num_rows($result) == 0)
     {
       $id_found = true;
     }
   }
-  // 2. retrieving id of the username given in parameter
-  $query = 'select id';
-  $query.= ' from '.USERS_TABLE;
-  $query.= " where username = '".$username."';";
-  $row = mysql_fetch_array( mysql_query( $query ) );
-  $user_id = $row['id'];
   // 3. inserting session in database
-  $expiration = $conf['session_time'] * 60 + time();
-  $query = 'insert into '.PREFIX_TABLE.'sessions';
-  $query.= ' (id,user_id,expiration,ip) values';
-  $query.= "('".$generated_id."','".$user_id;
-  $query.= "','".$expiration."','".$_SERVER['REMOTE_ADDR']."');";
-  mysql_query( $query );
+  $expiration = $session_length + time();
+  $query = '
+INSERT INTO '.SESSIONS_TABLE.'
+  (id,user_id,expiration,ip)
+  VALUES
+  (\''.$generated_id.'\','.$userid.','.$expiration.',
+   \''.$_SERVER['REMOTE_ADDR'].'\')
+;';
+  mysql_query($query);
+
+  if ($method == 'cookie')
+  {
+    setcookie('id', $generated_id, $session_length+time(), cookie_path());
+  }
                 
   return $generated_id;
 }
diff --git a/include/user.inc.php b/include/user.inc.php
index c1f018f92..01a7243d1 100644
--- a/include/user.inc.php
+++ b/include/user.inc.php
@@ -30,55 +30,65 @@
 // Each field becomes an information of the array $user.
 // Example :
 //            status --> $user['status']
-$infos = array( 'id', 'username', 'mail_address', 'nb_image_line',
-                'nb_line_page', 'status', 'language', 'maxwidth',
-                'maxheight', 'expand', 'show_nb_comments', 'recent_period',
-                'template', 'forbidden_categories' );
+$infos = array('id','username','mail_address','nb_image_line','nb_line_page',
+               'status','language','maxwidth','maxheight','expand',
+               'show_nb_comments','recent_period','template',
+               'forbidden_categories');
 
 $query_user = 'SELECT * FROM '.USERS_TABLE;
 $query_done = false;
 $user['is_the_guest'] = false;
 
 // cookie deletion if administrator don't authorize them anymore
-if ( !$conf['authorize_cookies'] and isset( $_COOKIE['id'] ) )
+if (!$conf['authorize_remembering'] and isset($_COOKIE['id']))
 {
-  setcookie( 'id', '', 0, cookie_path() );
+  setcookie('id', '', 0, cookie_path());
   $url = 'category.php';
-  redirect( $url );
+  redirect($url);
 }
 
-$user['has_cookie'] = false;
-if     ( isset( $_GET['id']    ) ) $session_id = $_GET['id'];
-elseif ( isset( $_COOKIE['id'] ) )
+if (isset($_GET['id']))
+{
+  $session_id = $_GET['id'];
+  $user['has_cookie'] = false;
+  $session_id_size = $conf['session_id_size_URI'];
+}
+elseif (isset($_COOKIE['id']))
 {
   $session_id = $_COOKIE['id'];
   $user['has_cookie'] = true;
+  $session_id_size = $conf['session_id_size_cookie'];
+}
+else
+{
+  $user['has_cookie'] = false;
 }
 
-if ( isset( $session_id )
-     and ereg( "^[0-9a-zA-Z]{".$conf['session_id_size']."}$", $session_id ) )
+if (isset($session_id)
+     and ereg("^[0-9a-zA-Z]{".$session_id_size."}$", $session_id))
 {
   $page['session_id'] = $session_id;
-  $query = 'SELECT user_id,expiration,ip';
-  $query.= ' FROM '.SESSIONS_TABLE;
-  $query.= " WHERE id = '".$page['session_id']."'";
-  $query.= ';';
-  $result = mysql_query( $query );
-  if ( mysql_num_rows( $result ) > 0 )
+  $query = '
+SELECT user_id,expiration,ip
+  FROM '.SESSIONS_TABLE.'
+  WHERE id = \''.$page['session_id'].'\'
+;';
+  $result = mysql_query($query);
+  if (mysql_num_rows($result) > 0)
   {
-    $row = mysql_fetch_array( $result );
-    if ( !$user['has_cookie'] )
+    $row = mysql_fetch_array($result);
+    if (!$user['has_cookie'])
     {
-      if ( $row['expiration'] < time() )
+      if ($row['expiration'] < time())
       {
         // deletion of the session from the database,
         // because it is out-of-date
         $delete_query = 'DELETE FROM '.SESSIONS_TABLE;
         $delete_query.= " WHERE id = '".$page['session_id']."'";
         $delete_query.= ';';
-        mysql_query( $delete_query );
+        mysql_query($delete_query);
       }
-      else if ( $_SERVER['REMOTE_ADDR'] == $row['ip'] )
+      else if ($_SERVER['REMOTE_ADDR'] == $row['ip'])
       {
         $query_user .= ' WHERE id = '.$row['user_id'];
         $query_done = true;
@@ -91,23 +101,23 @@ if ( isset( $session_id )
     }
   }
 }
-if ( !$query_done )
+if (!$query_done)
 {
   $query_user .= ' WHERE id = 2';
   $user['is_the_guest'] = true;
 }
 $query_user .= ';';
-$row = mysql_fetch_array( mysql_query( $query_user ) );
+$row = mysql_fetch_array(mysql_query($query_user));
 
 // affectation of each value retrieved in the users table into a variable
 // of the array $user.
-foreach ( $infos as $info ) {
-  if ( isset( $row[$info] ) )
+foreach ($infos as $info) {
+  if (isset($row[$info]))
   {
     // If the field is true or false, the variable is transformed into a
     // boolean value.
-    if ( $row[$info] == 'true' or $row[$info] == 'false' )
-      $user[$info] = get_boolean( $row[$info] );
+    if ($row[$info] == 'true' or $row[$info] == 'false')
+      $user[$info] = get_boolean($row[$info]);
     else
       $user[$info] = $row[$info];    
   }
@@ -118,14 +128,14 @@ foreach ( $infos as $info ) {
 }
 
 // special for $user['restrictions'] array
-$user['restrictions'] = explode( ',', $user['forbidden_categories'] );
-if ( $user['restrictions'][0] == '' )
+$user['restrictions'] = explode(',', $user['forbidden_categories']);
+if ($user['restrictions'][0] == '')
 {
   $user['restrictions'] = array();
 }
 
 $isadmin = false;
-if ( $user['status'] == 'admin' )
+if ($user['status'] == 'admin')
 {
   $isadmin =true;
 }
author	z0rglub <z0rglub@piwigo.org>	2004-10-02 23:12:50 +0000
committer	z0rglub <z0rglub@piwigo.org>	2004-10-02 23:12:50 +0000
commit	3c8309a7e621ede168cf7f6dfd8c8d55144525ea (patch)
tree	8b13443d84b3eae9ddead399bea404a981b2bc60 /include
parent	da836ea95fce9a8b5711366253832d298e3c4a6e (diff)