Mercurial > defr > drupal > core
comparison includes/session.inc @ 1:c1f4ac30525a 6.0
Drupal 6.0
| author | Franck Deroche <webmaster@defr.org> |
|---|---|
| date | Tue, 23 Dec 2008 14:28:28 +0100 |
| parents | |
| children | acef7ccb09b5 |
comparison
equal
deleted
inserted
replaced
| 0:5a113a1c4740 | 1:c1f4ac30525a |
|---|---|
| 1 <?php | |
| 2 // $Id: session.inc,v 1.44.2.1 2008/02/07 11:58:40 goba Exp $ | |
| 3 | |
| 4 /** | |
| 5 * @file | |
| 6 * User session handling functions. | |
| 7 */ | |
| 8 | |
| 9 function sess_open($save_path, $session_name) { | |
| 10 return TRUE; | |
| 11 } | |
| 12 | |
| 13 function sess_close() { | |
| 14 return TRUE; | |
| 15 } | |
| 16 | |
| 17 function sess_read($key) { | |
| 18 global $user; | |
| 19 | |
| 20 // Write and Close handlers are called after destructing objects since PHP 5.0.5 | |
| 21 // Thus destructors can use sessions but session handler can't use objects. | |
| 22 // So we are moving session closure before destructing objects. | |
| 23 register_shutdown_function('session_write_close'); | |
| 24 | |
| 25 // Handle the case of first time visitors and clients that don't store cookies (eg. web crawlers). | |
| 26 if (!isset($_COOKIE[session_name()])) { | |
| 27 $user = drupal_anonymous_user(); | |
| 28 return ''; | |
| 29 } | |
| 30 | |
| 31 // Otherwise, if the session is still active, we have a record of the client's session in the database. | |
| 32 $user = db_fetch_object(db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = '%s'", $key)); | |
| 33 | |
| 34 // We found the client's session record and they are an authenticated user | |
| 35 if ($user && $user->uid > 0) { | |
| 36 // This is done to unserialize the data member of $user | |
| 37 $user = drupal_unpack($user); | |
| 38 | |
| 39 // Add roles element to $user | |
| 40 $user->roles = array(); | |
| 41 $user->roles[DRUPAL_AUTHENTICATED_RID] = 'authenticated user'; | |
| 42 $result = db_query("SELECT r.rid, r.name FROM {role} r INNER JOIN {users_roles} ur ON ur.rid = r.rid WHERE ur.uid = %d", $user->uid); | |
| 43 while ($role = db_fetch_object($result)) { | |
| 44 $user->roles[$role->rid] = $role->name; | |
| 45 } | |
| 46 } | |
| 47 // We didn't find the client's record (session has expired), or they are an anonymous user. | |
| 48 else { | |
| 49 $session = isset($user->session) ? $user->session : ''; | |
| 50 $user = drupal_anonymous_user($session); | |
| 51 } | |
| 52 | |
| 53 return $user->session; | |
| 54 } | |
| 55 | |
| 56 function sess_write($key, $value) { | |
| 57 global $user; | |
| 58 | |
| 59 // If saving of session data is disabled or if the client doesn't have a session, | |
| 60 // and one isn't being created ($value), do nothing. | |
| 61 if (!session_save_session() || (empty($_COOKIE[session_name()]) && empty($value))) { | |
| 62 return TRUE; | |
| 63 } | |
| 64 | |
| 65 $result = db_result(db_query("SELECT COUNT(*) FROM {sessions} WHERE sid = '%s'", $key)); | |
| 66 | |
| 67 if (!$result) { | |
| 68 // Only save session data when when the browser sends a cookie. This keeps | |
| 69 // crawlers out of session table. This reduces memory and server load, | |
| 70 // and gives more useful statistics. We can't eliminate anonymous session | |
| 71 // table rows without breaking throttle module and "Who's Online" block. | |
| 72 if ($user->uid || $value || count($_COOKIE)) { | |
| 73 db_query("INSERT INTO {sessions} (sid, uid, cache, hostname, session, timestamp) VALUES ('%s', %d, %d, '%s', '%s', %d)", $key, $user->uid, isset($user->cache) ? $user->cache : '', ip_address(), $value, time()); | |
| 74 } | |
| 75 } | |
| 76 else { | |
| 77 db_query("UPDATE {sessions} SET uid = %d, cache = %d, hostname = '%s', session = '%s', timestamp = %d WHERE sid = '%s'", $user->uid, isset($user->cache) ? $user->cache : '', ip_address(), $value, time(), $key); | |
| 78 | |
| 79 // Last access time is updated no more frequently than once every 180 seconds. | |
| 80 // This reduces contention in the users table. | |
| 81 if ($user->uid && time() - $user->access > variable_get('session_write_interval', 180)) { | |
| 82 db_query("UPDATE {users} SET access = %d WHERE uid = %d", time(), $user->uid); | |
| 83 } | |
| 84 } | |
| 85 | |
| 86 return TRUE; | |
| 87 } | |
| 88 | |
| 89 /** | |
| 90 * Called when an anonymous user becomes authenticated or vice-versa. | |
| 91 */ | |
| 92 function sess_regenerate() { | |
| 93 $old_session_id = session_id(); | |
| 94 | |
| 95 // We code around http://bugs.php.net/bug.php?id=32802 by destroying | |
| 96 // the session cookie by setting expiration in the past (a negative | |
| 97 // value). This issue only arises in PHP versions before 4.4.0, | |
| 98 // regardless of the Drupal configuration. | |
| 99 // TODO: remove this when we require at least PHP 4.4.0 | |
| 100 if (isset($_COOKIE[session_name()])) { | |
| 101 setcookie(session_name(), '', time() - 42000, '/'); | |
| 102 } | |
| 103 | |
| 104 session_regenerate_id(); | |
| 105 | |
| 106 db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id); | |
| 107 } | |
| 108 | |
| 109 /** | |
| 110 * Counts how many users have sessions. Can count either anonymous sessions, authenticated sessions, or both. | |
| 111 * | |
| 112 * @param int $timestamp | |
| 113 * A Unix timestamp representing a point of time in the past. | |
| 114 * The default is 0, which counts all existing sessions. | |
| 115 * @param int $anonymous | |
| 116 * TRUE counts only anonymous users. | |
| 117 * FALSE counts only authenticated users. | |
| 118 * Any other value will return the count of both authenticated and anonymous users. | |
| 119 * @return int | |
| 120 * The number of users with sessions. | |
| 121 */ | |
| 122 function sess_count($timestamp = 0, $anonymous = true) { | |
| 123 $query = $anonymous ? ' AND uid = 0' : ' AND uid > 0'; | |
| 124 return db_result(db_query('SELECT COUNT(sid) AS count FROM {sessions} WHERE timestamp >= %d'. $query, $timestamp)); | |
| 125 } | |
| 126 | |
| 127 /** | |
| 128 * Called by PHP session handling with the PHP session ID to end a user's session. | |
| 129 * | |
| 130 * @param string $sid | |
| 131 * the session id | |
| 132 */ | |
| 133 function sess_destroy_sid($sid) { | |
| 134 db_query("DELETE FROM {sessions} WHERE sid = '%s'", $sid); | |
| 135 } | |
| 136 | |
| 137 /** | |
| 138 * End a specific user's session | |
| 139 * | |
| 140 * @param string $uid | |
| 141 * the user id | |
| 142 */ | |
| 143 function sess_destroy_uid($uid) { | |
| 144 db_query('DELETE FROM {sessions} WHERE uid = %d', $uid); | |
| 145 } | |
| 146 | |
| 147 function sess_gc($lifetime) { | |
| 148 // Be sure to adjust 'php_value session.gc_maxlifetime' to a large enough | |
| 149 // value. For example, if you want user sessions to stay in your database | |
| 150 // for three weeks before deleting them, you need to set gc_maxlifetime | |
| 151 // to '1814400'. At that value, only after a user doesn't log in after | |
| 152 // three weeks (1814400 seconds) will his/her session be removed. | |
| 153 db_query("DELETE FROM {sessions} WHERE timestamp < %d", time() - $lifetime); | |
| 154 | |
| 155 return TRUE; | |
| 156 } | |
| 157 | |
| 158 /** | |
| 159 * Determine whether to save session data of the current request. | |
| 160 * | |
| 161 * This function allows the caller to temporarily disable writing of session data, | |
| 162 * should the request end while performing potentially dangerous operations, such as | |
| 163 * manipulating the global $user object. See http://drupal.org/node/218104 for usage | |
| 164 * | |
| 165 * @param $status | |
| 166 * Disables writing of session data when FALSE, (re-)enables writing when TRUE. | |
| 167 * @return | |
| 168 * FALSE if writing session data has been disabled. Otherwise, TRUE. | |
| 169 */ | |
| 170 function session_save_session($status = NULL) { | |
| 171 static $save_session = TRUE; | |
| 172 if (isset($status)) { | |
| 173 $save_session = $status; | |
| 174 } | |
| 175 return ($save_session); | |
| 176 } |