|
webmaster@1
|
1 <?php |
|
webmaster@1
|
2 // $Id: session.inc,v 1.44.2.1 2008/02/07 11:58:40 goba Exp $ |
|
webmaster@1
|
3 |
|
webmaster@1
|
4 /** |
|
webmaster@1
|
5 * @file |
|
webmaster@1
|
6 * User session handling functions. |
|
webmaster@1
|
7 */ |
|
webmaster@1
|
8 |
|
webmaster@1
|
9 function sess_open($save_path, $session_name) { |
|
webmaster@1
|
10 return TRUE; |
|
webmaster@1
|
11 } |
|
webmaster@1
|
12 |
|
webmaster@1
|
13 function sess_close() { |
|
webmaster@1
|
14 return TRUE; |
|
webmaster@1
|
15 } |
|
webmaster@1
|
16 |
|
webmaster@1
|
17 function sess_read($key) { |
|
webmaster@1
|
18 global $user; |
|
webmaster@1
|
19 |
|
webmaster@1
|
20 // Write and Close handlers are called after destructing objects since PHP 5.0.5 |
|
webmaster@1
|
21 // Thus destructors can use sessions but session handler can't use objects. |
|
webmaster@1
|
22 // So we are moving session closure before destructing objects. |
|
webmaster@1
|
23 register_shutdown_function('session_write_close'); |
|
webmaster@1
|
24 |
|
webmaster@1
|
25 // Handle the case of first time visitors and clients that don't store cookies (eg. web crawlers). |
|
webmaster@1
|
26 if (!isset($_COOKIE[session_name()])) { |
|
webmaster@1
|
27 $user = drupal_anonymous_user(); |
|
webmaster@1
|
28 return ''; |
|
webmaster@1
|
29 } |
|
webmaster@1
|
30 |
|
webmaster@1
|
31 // Otherwise, if the session is still active, we have a record of the client's session in the database. |
|
webmaster@1
|
32 $user = db_fetch_object(db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = '%s'", $key)); |
|
webmaster@1
|
33 |
|
webmaster@1
|
34 // We found the client's session record and they are an authenticated user |
|
webmaster@1
|
35 if ($user && $user->uid > 0) { |
|
webmaster@1
|
36 // This is done to unserialize the data member of $user |
|
webmaster@1
|
37 $user = drupal_unpack($user); |
|
webmaster@1
|
38 |
|
webmaster@1
|
39 // Add roles element to $user |
|
webmaster@1
|
40 $user->roles = array(); |
|
webmaster@1
|
41 $user->roles[DRUPAL_AUTHENTICATED_RID] = 'authenticated user'; |
|
webmaster@1
|
42 $result = db_query("SELECT r.rid, r.name FROM {role} r INNER JOIN {users_roles} ur ON ur.rid = r.rid WHERE ur.uid = %d", $user->uid); |
|
webmaster@1
|
43 while ($role = db_fetch_object($result)) { |
|
webmaster@1
|
44 $user->roles[$role->rid] = $role->name; |
|
webmaster@1
|
45 } |
|
webmaster@1
|
46 } |
|
webmaster@1
|
47 // We didn't find the client's record (session has expired), or they are an anonymous user. |
|
webmaster@1
|
48 else { |
|
webmaster@1
|
49 $session = isset($user->session) ? $user->session : ''; |
|
webmaster@1
|
50 $user = drupal_anonymous_user($session); |
|
webmaster@1
|
51 } |
|
webmaster@1
|
52 |
|
webmaster@1
|
53 return $user->session; |
|
webmaster@1
|
54 } |
|
webmaster@1
|
55 |
|
webmaster@1
|
56 function sess_write($key, $value) { |
|
webmaster@1
|
57 global $user; |
|
webmaster@1
|
58 |
|
webmaster@1
|
59 // If saving of session data is disabled or if the client doesn't have a session, |
|
webmaster@1
|
60 // and one isn't being created ($value), do nothing. |
|
webmaster@1
|
61 if (!session_save_session() || (empty($_COOKIE[session_name()]) && empty($value))) { |
|
webmaster@1
|
62 return TRUE; |
|
webmaster@1
|
63 } |
|
webmaster@1
|
64 |
|
webmaster@1
|
65 $result = db_result(db_query("SELECT COUNT(*) FROM {sessions} WHERE sid = '%s'", $key)); |
|
webmaster@1
|
66 |
|
webmaster@1
|
67 if (!$result) { |
|
webmaster@1
|
68 // Only save session data when when the browser sends a cookie. This keeps |
|
webmaster@1
|
69 // crawlers out of session table. This reduces memory and server load, |
|
webmaster@1
|
70 // and gives more useful statistics. We can't eliminate anonymous session |
|
webmaster@1
|
71 // table rows without breaking throttle module and "Who's Online" block. |
|
webmaster@1
|
72 if ($user->uid || $value || count($_COOKIE)) { |
|
webmaster@1
|
73 db_query("INSERT INTO {sessions} (sid, uid, cache, hostname, session, timestamp) VALUES ('%s', %d, %d, '%s', '%s', %d)", $key, $user->uid, isset($user->cache) ? $user->cache : '', ip_address(), $value, time()); |
|
webmaster@1
|
74 } |
|
webmaster@1
|
75 } |
|
webmaster@1
|
76 else { |
|
webmaster@1
|
77 db_query("UPDATE {sessions} SET uid = %d, cache = %d, hostname = '%s', session = '%s', timestamp = %d WHERE sid = '%s'", $user->uid, isset($user->cache) ? $user->cache : '', ip_address(), $value, time(), $key); |
|
webmaster@1
|
78 |
|
webmaster@1
|
79 // Last access time is updated no more frequently than once every 180 seconds. |
|
webmaster@1
|
80 // This reduces contention in the users table. |
|
webmaster@1
|
81 if ($user->uid && time() - $user->access > variable_get('session_write_interval', 180)) { |
|
webmaster@1
|
82 db_query("UPDATE {users} SET access = %d WHERE uid = %d", time(), $user->uid); |
|
webmaster@1
|
83 } |
|
webmaster@1
|
84 } |
|
webmaster@1
|
85 |
|
webmaster@1
|
86 return TRUE; |
|
webmaster@1
|
87 } |
|
webmaster@1
|
88 |
|
webmaster@1
|
89 /** |
|
webmaster@1
|
90 * Called when an anonymous user becomes authenticated or vice-versa. |
|
webmaster@1
|
91 */ |
|
webmaster@1
|
92 function sess_regenerate() { |
|
webmaster@1
|
93 $old_session_id = session_id(); |
|
webmaster@1
|
94 |
|
webmaster@1
|
95 // We code around http://bugs.php.net/bug.php?id=32802 by destroying |
|
webmaster@1
|
96 // the session cookie by setting expiration in the past (a negative |
|
webmaster@1
|
97 // value). This issue only arises in PHP versions before 4.4.0, |
|
webmaster@1
|
98 // regardless of the Drupal configuration. |
|
webmaster@1
|
99 // TODO: remove this when we require at least PHP 4.4.0 |
|
webmaster@1
|
100 if (isset($_COOKIE[session_name()])) { |
|
webmaster@1
|
101 setcookie(session_name(), '', time() - 42000, '/'); |
|
webmaster@1
|
102 } |
|
webmaster@1
|
103 |
|
webmaster@1
|
104 session_regenerate_id(); |
|
webmaster@1
|
105 |
|
webmaster@1
|
106 db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id); |
|
webmaster@1
|
107 } |
|
webmaster@1
|
108 |
|
webmaster@1
|
109 /** |
|
webmaster@1
|
110 * Counts how many users have sessions. Can count either anonymous sessions, authenticated sessions, or both. |
|
webmaster@1
|
111 * |
|
webmaster@1
|
112 * @param int $timestamp |
|
webmaster@1
|
113 * A Unix timestamp representing a point of time in the past. |
|
webmaster@1
|
114 * The default is 0, which counts all existing sessions. |
|
webmaster@1
|
115 * @param int $anonymous |
|
webmaster@1
|
116 * TRUE counts only anonymous users. |
|
webmaster@1
|
117 * FALSE counts only authenticated users. |
|
webmaster@1
|
118 * Any other value will return the count of both authenticated and anonymous users. |
|
webmaster@1
|
119 * @return int |
|
webmaster@1
|
120 * The number of users with sessions. |
|
webmaster@1
|
121 */ |
|
webmaster@1
|
122 function sess_count($timestamp = 0, $anonymous = true) { |
|
webmaster@1
|
123 $query = $anonymous ? ' AND uid = 0' : ' AND uid > 0'; |
|
webmaster@1
|
124 return db_result(db_query('SELECT COUNT(sid) AS count FROM {sessions} WHERE timestamp >= %d'. $query, $timestamp)); |
|
webmaster@1
|
125 } |
|
webmaster@1
|
126 |
|
webmaster@1
|
127 /** |
|
webmaster@1
|
128 * Called by PHP session handling with the PHP session ID to end a user's session. |
|
webmaster@1
|
129 * |
|
webmaster@1
|
130 * @param string $sid |
|
webmaster@1
|
131 * the session id |
|
webmaster@1
|
132 */ |
|
webmaster@1
|
133 function sess_destroy_sid($sid) { |
|
webmaster@1
|
134 db_query("DELETE FROM {sessions} WHERE sid = '%s'", $sid); |
|
webmaster@1
|
135 } |
|
webmaster@1
|
136 |
|
webmaster@1
|
137 /** |
|
webmaster@1
|
138 * End a specific user's session |
|
webmaster@1
|
139 * |
|
webmaster@1
|
140 * @param string $uid |
|
webmaster@1
|
141 * the user id |
|
webmaster@1
|
142 */ |
|
webmaster@1
|
143 function sess_destroy_uid($uid) { |
|
webmaster@1
|
144 db_query('DELETE FROM {sessions} WHERE uid = %d', $uid); |
|
webmaster@1
|
145 } |
|
webmaster@1
|
146 |
|
webmaster@1
|
147 function sess_gc($lifetime) { |
|
webmaster@1
|
148 // Be sure to adjust 'php_value session.gc_maxlifetime' to a large enough |
|
webmaster@1
|
149 // value. For example, if you want user sessions to stay in your database |
|
webmaster@1
|
150 // for three weeks before deleting them, you need to set gc_maxlifetime |
|
webmaster@1
|
151 // to '1814400'. At that value, only after a user doesn't log in after |
|
webmaster@1
|
152 // three weeks (1814400 seconds) will his/her session be removed. |
|
webmaster@1
|
153 db_query("DELETE FROM {sessions} WHERE timestamp < %d", time() - $lifetime); |
|
webmaster@1
|
154 |
|
webmaster@1
|
155 return TRUE; |
|
webmaster@1
|
156 } |
|
webmaster@1
|
157 |
|
webmaster@1
|
158 /** |
|
webmaster@1
|
159 * Determine whether to save session data of the current request. |
|
webmaster@1
|
160 * |
|
webmaster@1
|
161 * This function allows the caller to temporarily disable writing of session data, |
|
webmaster@1
|
162 * should the request end while performing potentially dangerous operations, such as |
|
webmaster@1
|
163 * manipulating the global $user object. See http://drupal.org/node/218104 for usage |
|
webmaster@1
|
164 * |
|
webmaster@1
|
165 * @param $status |
|
webmaster@1
|
166 * Disables writing of session data when FALSE, (re-)enables writing when TRUE. |
|
webmaster@1
|
167 * @return |
|
webmaster@1
|
168 * FALSE if writing session data has been disabled. Otherwise, TRUE. |
|
webmaster@1
|
169 */ |
|
webmaster@1
|
170 function session_save_session($status = NULL) { |
|
webmaster@1
|
171 static $save_session = TRUE; |
|
webmaster@1
|
172 if (isset($status)) { |
|
webmaster@1
|
173 $save_session = $status; |
|
webmaster@1
|
174 } |
|
webmaster@1
|
175 return ($save_session); |
|
webmaster@1
|
176 } |
