From 3c8309a7e621ede168cf7f6dfd8c8d55144525ea Mon Sep 17 00:00:00 2001 From: z0rglub Date: Sat, 2 Oct 2004 23:12:50 +0000 Subject: - deletion of session_time and session_id_size as config parameter - new feature : "remember me" creates a long time cookie - possibility to set the default authentication method to URI or cookie - really technical parameters (session identifier size, session duration) are set in the config file and not in database + configuration.php git-svn-id: http://piwigo.org/svn/trunk@541 68402e56-0260-453c-a942-63ccdbb3a9ee --- include/common.inc.php | 7 ++-- include/config.inc.php | 12 +++++++ include/functions_session.inc.php | 63 ++++++++++++++++++++------------- include/user.inc.php | 74 ++++++++++++++++++++++----------------- 4 files changed, 97 insertions(+), 59 deletions(-) (limited to 'include') diff --git a/include/common.inc.php b/include/common.inc.php index 6d4b37195..8853e67f1 100644 --- a/include/common.inc.php +++ b/include/common.inc.php @@ -167,9 +167,10 @@ $user_ip = encode_ip($client_ip); // Setup gallery wide options, if this fails then we output a CRITICAL_ERROR // since basic gallery information is not available // -$query = 'SELECT param,value'; -$query.= ' FROM '.CONFIG_TABLE; -$query.= ';'; +$query = ' +SELECT param,value + FROM '.CONFIG_TABLE.' +;'; if( !( $result = mysql_query( $query ) ) ) { die("Could not query config information"); diff --git a/include/config.inc.php b/include/config.inc.php index 1e4c4dcc5..a2a3b0d4c 100644 --- a/include/config.inc.php +++ b/include/config.inc.php 
@@ -89,4 +89,16 @@ $conf['show_exif_fields'] = array('Make', $conf['calendar_datefield'] = 'date_available'; $conf['rate'] = true; + +// time of validity for "remember me" cookies, in seconds. +$conf['remember_me_length'] = 31536000; + +// time of validity for normal session, in seconds. +$conf['session_length'] = 3600; + +// session id length when session id in URI +$conf['session_id_size_URI'] = 4; + +// session id length when session id in cookie +$conf['session_id_size_cookie'] = 50; ?> diff --git a/include/functions_session.inc.php b/include/functions_session.inc.php index a92deb7a4..ce66e3a30 100644 --- a/include/functions_session.inc.php +++ b/include/functions_session.inc.php @@ -31,7 +31,7 @@ // "Er4Tgh6", "Rrp08P", "54gj" // input : none (using global variable) // output : $key -function generate_key() +function generate_key($size) { global $conf; @@ -44,7 +44,7 @@ function generate_key() $init = substr( $init, 0, 8 ); mt_srand( $init ); $key = ''; - for ( $i = 0; $i < $conf['session_id_size']; $i++ ) + for ( $i = 0; $i < $size; $i++ ) { $c = mt_rand( 0, 2 ); if ( $c == 0 ) $key .= chr( mt_rand( 65, 90 ) ); 
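Review bot: `$conf['session_id_size_URI'] = 4` makes a URI session identifier four characters long, and with the alphanumeric alphabet user.inc.php expects that is a keyspace of 62^4 (roughly 15 million) values for a row that stays valid for `session_length` seconds; this length is a security parameter, not a cosmetic one, and the comment should say so, e.g. `// session id length when session id in URI -- bounds the identifier keyspace, keep as large as URLs allow`. `remember_me_length` at 31536000 seconds is one year; since that cookie is a long-lived credential, the comment should state the unit in words, e.g. `// time of validity for "remember me" cookies, in seconds (31536000 = one year)`.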
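Review bot: The context comment `// input : none (using global variable)` just above the new `generate_key($size)` signature is now wrong, because the key length comes from the parameter; change it to `// input : $size, number of characters in the generated key`. With `$conf['session_id_size']` removed from the loop in the next hunk, `global $conf;` looks unused in this function unless lines 38-43, which fall outside both hunks, still read it; drop it if they do not.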
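Review bot: Making the key length a parameter does not make a longer key harder to guess, because every character is drawn from `mt_rand` after `mt_srand($init)` with `$init` cut to eight characters by `substr($init, 0, 8)` on the line above: the whole key is a deterministic function of that seed, so the number of distinct keys is bounded by the seed's values, not by `$size`. The loop deserves a comment making that explicit, e.g. `// NOTE: key entropy is bounded by the 8-character seed, not by $size`, and before cookie sessions are allowed to live for `remember_me_length` the characters should come from a non-deterministic source (reading from /dev/urandom where available) rather than a seeded mt_rand sequence. How `$init` is built is outside the hunk.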
@@ -54,38 +54,53 @@ function generate_key() return $key; } -// The function create_session finds a non-already-used session key and -// returns it once found for the given user. -function session_create( $username ) +/** + * create a new session and returns the session identifier + * + * - find a non-already-used session key + * - create a session in database + * - return session identifier + * + * @param int userid + * @param string method : cookie or URI + * @param int session_lentgh : in seconds + * @return string + */ +function session_create($userid, $method, $session_length) { global $conf; + // 1. searching an unused session key $id_found = false; - while ( !$id_found ) + while (!$id_found) { - $generated_id = generate_key(); - $query = 'select id'; - $query.= ' from '.PREFIX_TABLE.'sessions'; - $query.= " where id = '".$generated_id."';"; - $result = mysql_query( $query ); - if ( mysql_num_rows( $result ) == 0 ) + $generated_id = generate_key($conf['session_id_size_'.$method]); + $query = ' +SELECT id + FROM '.SESSIONS_TABLE.' + WHERE id = \''.$generated_id.'\' +;'; + $result = mysql_query($query); + if (mysql_num_rows($result) == 0) { $id_found = true; } } - // 2. retrieving id of the username given in parameter - $query = 'select id'; - $query.= ' from '.USERS_TABLE; - $query.= " where username = '".$username."';"; - $row = mysql_fetch_array( mysql_query( $query ) ); - $user_id = $row['id']; // 3. inserting session in database - $expiration = $conf['session_time'] * 60 + time(); - $query = 'insert into '.PREFIX_TABLE.'sessions'; - $query.= ' (id,user_id,expiration,ip) values'; - $query.= "('".$generated_id."','".$user_id; - $query.= "','".$expiration."','".$_SERVER['REMOTE_ADDR']."');"; - mysql_query( $query ); + $expiration = $session_length + time(); + $query = ' +INSERT INTO '.SESSIONS_TABLE.' 
+ (id,user_id,expiration,ip) + VALUES + (\''.$generated_id.'\','.$userid.','.$expiration.', + \''.$_SERVER['REMOTE_ADDR'].'\') +;'; + mysql_query($query); + + if ($method == 'cookie') + { + setcookie('id', $generated_id, $session_length+time(), cookie_path()); + } return $generated_id; } diff --git a/include/user.inc.php b/include/user.inc.php index c1f018f92..01a7243d1 100644 --- a/include/user.inc.php +++ b/include/user.inc.php 
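Review bot: `$userid` is concatenated unquoted into the INSERT, `'.$userid.'`, so any caller passing a non-integer value alters the statement; the callers are not in this diff, so cast at the point of use, `(\''.$generated_id.'\','.(int)$userid.','.$expiration.',`, or validate at function entry. A `$method` other than `'cookie'` or `'URI'` reads an undefined `$conf['session_id_size_'.$method]`, which makes generate_key return an empty string and, assuming no row with an empty id exists, inserts a session whose id is `''`; guard it first, `if ($method != 'cookie' and $method != 'URI') die('session_create: unknown method');`. In the docblock `session_lentgh` is a typo for `session_length`, and `// 3. inserting session in database` should become `// 2.` now that the username lookup step is gone. The `setcookie` call can reuse `$expiration` instead of recomputing `$session_length+time()`.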
@@ -30,55 +30,65 @@ // Each field becomes an information of the array $user. // Example : // status --> $user['status'] -$infos = array( 'id', 'username', 'mail_address', 'nb_image_line', - 'nb_line_page', 'status', 'language', 'maxwidth', - 'maxheight', 'expand', 'show_nb_comments', 'recent_period', - 'template', 'forbidden_categories' ); +$infos = array('id','username','mail_address','nb_image_line','nb_line_page', + 'status','language','maxwidth','maxheight','expand', + 'show_nb_comments','recent_period','template', + 'forbidden_categories'); $query_user = 'SELECT * FROM '.USERS_TABLE; $query_done = false; $user['is_the_guest'] = false; // cookie deletion if administrator don't authorize them anymore -if ( !$conf['authorize_cookies'] and isset( $_COOKIE['id'] ) ) +if (!$conf['authorize_remembering'] and isset($_COOKIE['id'])) { - setcookie( 'id', '', 0, cookie_path() ); + setcookie('id', '', 0, cookie_path()); $url = 'category.php'; - redirect( $url ); + redirect($url); } -$user['has_cookie'] = false; -if ( isset( $_GET['id'] ) ) $session_id = $_GET['id']; -elseif ( isset( $_COOKIE['id'] ) ) +if (isset($_GET['id'])) +{ + $session_id = $_GET['id']; + $user['has_cookie'] = false; + $session_id_size = $conf['session_id_size_URI']; +} +elseif (isset($_COOKIE['id'])) { $session_id = $_COOKIE['id']; $user['has_cookie'] = true; + $session_id_size = $conf['session_id_size_cookie']; +} +else +{ + $user['has_cookie'] = false; } -if ( isset( $session_id ) - and ereg( "^[0-9a-zA-Z]{".$conf['session_id_size']."}$", $session_id ) ) +if (isset($session_id) + and ereg("^[0-9a-zA-Z]{".$session_id_size."}$", $session_id)) { $page['session_id'] = $session_id; - $query = 'SELECT user_id,expiration,ip'; - $query.= ' FROM '.SESSIONS_TABLE; - $query.= " WHERE id = '".$page['session_id']."'"; - $query.= ';'; - $result = mysql_query( $query ); - if ( mysql_num_rows( $result ) > 0 ) + $query = ' +SELECT user_id,expiration,ip + FROM '.SESSIONS_TABLE.' 
+ WHERE id = \''.$page['session_id'].'\' +;'; + $result = mysql_query($query); + if (mysql_num_rows($result) > 0) { - $row = mysql_fetch_array( $result ); - if ( !$user['has_cookie'] ) + $row = mysql_fetch_array($result); + if (!$user['has_cookie']) { - if ( $row['expiration'] < time() ) + if ($row['expiration'] < time()) { // deletion of the session from the database, // because it is out-of-date $delete_query = 'DELETE FROM '.SESSIONS_TABLE; $delete_query.= " WHERE id = '".$page['session_id']."'"; $delete_query.= ';'; - mysql_query( $delete_query ); + mysql_query($delete_query); } - else if ( $_SERVER['REMOTE_ADDR'] == $row['ip'] ) + else if ($_SERVER['REMOTE_ADDR'] == $row['ip']) { $query_user .= ' WHERE id = '.$row['user_id']; $query_done = true; @@ -91,23 +101,23 @@ if ( isset( $session_id ) } } } -if ( !$query_done ) +if (!$query_done) { $query_user .= ' WHERE id = 2'; $user['is_the_guest'] = true; } $query_user .= ';'; -$row = mysql_fetch_array( mysql_query( $query_user ) ); +$row = mysql_fetch_array(mysql_query($query_user)); // affectation of each value retrieved in the users table into a variable // of the array $user. -foreach ( $infos as $info ) { - if ( isset( $row[$info] ) ) +foreach ($infos as $info) { + if (isset($row[$info])) { // If the field is true or false, the variable is transformed into a // boolean value. - if ( $row[$info] == 'true' or $row[$info] == 'false' ) - $user[$info] = get_boolean( $row[$info] ); + if ($row[$info] == 'true' or $row[$info] == 'false') + $user[$info] = get_boolean($row[$info]); else $user[$info] = $row[$info]; } 
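Review bot: The expiration and IP checks on the session row sit inside `if (!$user['has_cookie'])`, so a session presented through the cookie, which may now be a one-year "remember me" cookie, is matched on id alone in the visible code; the branch handling cookie sessions lies outside the hunk, so confirm it still compares `$row['expiration']` with `time()`, otherwise the database expiration never bounds a leaked cookie. Moving `if ($row['expiration'] < time())` above the `has_cookie` test would make both methods age out the same way. `$conf['authorize_remembering']` replaces `authorize_cookies` but is not defined by the config.inc.php hunk of this commit; if it comes from the config table loaded in common.inc.php, the installer or an upgrade step needs the matching rename, or `!$conf['authorize_remembering']` is always true and every cookie is deleted. The `$_GET['id']` value only reaches the SELECT after the `ereg` length-and-alphabet check, which keeps it out of the SQL injection path.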
@@ -118,14 +128,14 @@ foreach ( $infos as $info ) { } // special for $user['restrictions'] array -$user['restrictions'] = explode( ',', $user['forbidden_categories'] ); -if ( $user['restrictions'][0] == '' ) +$user['restrictions'] = explode(',', $user['forbidden_categories']); +if ($user['restrictions'][0] == '') { $user['restrictions'] = array(); } $isadmin = false; -if ( $user['status'] == 'admin' ) +if ($user['status'] == 'admin') { $isadmin =true; } -- cgit v1.2.3