Diffstat (limited to 'engine/lib/sessions.php')
-rw-r--r-- | engine/lib/sessions.php | 153 |
1 files changed, 101 insertions, 52 deletions
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php
index e4a3bfc76..887904371 100644
--- a/engine/lib/sessions.php
+++ b/engine/lib/sessions.php
@@ -4,8 +4,8 @@
  * Elgg session management
  * Functions to manage logins
  *
- * @package Elgg
- * @subpackage Core
+ * @package Elgg.Core
+ * @subpackage Session
  */
 
 /** Elgg magic session */
@@ -14,8 +14,10 @@ global $SESSION;
 /**
  * Return the current logged in user, or NULL if no user is logged in.
  *
- * If no user can be found in the current session, a plugin hook - 'session:get' 'user' to give plugin
- * authors another way to provide user details to the ACL system without touching the session.
+ * If no user can be found in the current session, a plugin
+ * hook - 'session:get' 'user' to give plugin authors another
+ * way to provide user details to the ACL system without touching the session.
+ *
  * @return ElggUser|NULL
  */
 function get_loggedin_user() {
@@ -46,7 +48,7 @@ function get_loggedin_userid() {
 /**
  * Returns whether or not the user is currently logged in
  *
- * @return true|false
+ * @return bool
  */
 function isloggedin() {
 	if (!is_installed()) {
@@ -66,7 +68,7 @@ function isloggedin() {
  * Returns whether or not the user is currently logged in and that they are an admin user.
  *
  * @uses isloggedin()
- * @return true|false
+ * @return bool
  */
 function isadminloggedin() {
 	if (!is_installed()) {
@@ -84,9 +86,11 @@ function isadminloggedin() {
 /**
  * Check if the given user has full access.
+ *
  * @todo: Will always return full access if the user is an admin.
  *
- * @param $user_guid
+ * @param int $user_guid The user to check
+ *
  * @return bool
  * @since 1.7.1
  */
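Review bot: The rewrapped description in the `get_loggedin_user()` docblock still has no verb — "a plugin hook - 'session:get' 'user' to give plugin authors" — so the rewrap preserved the fragment rather than fixing it. Suggest ` * If no user can be found in the current session, the plugin hook` / ` * ('session:get', 'user') is triggered to give plugin authors another` / ` * way to provide user details to the ACL system without touching the session.` Whether the hook is actually triggered from this function is inferred from the wording only; the body of `get_loggedin_user()` lies outside this hunk, so confirm against it before committing to "is triggered".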
@@ -134,8 +138,10 @@ function elgg_is_admin_user($user_guid) {
  * Returns an ElggUser object for use with login.
  *
  * @see login
+ *
  * @param string $username The username, optionally (for standard logins)
  * @param string $password The password, optionally (for standard logins)
+ *
  * @return ElggUser|false The authenticated user object, or false on failure.
  */
@@ -151,8 +157,11 @@ function authenticate($username, $password) {
  * Hook into the PAM system which accepts a username and password and attempts to authenticate
  * it against a known user.
  *
- * @param array $credentials Associated array of credentials passed to pam_authenticate. This function expects
- * 'username' and 'password' (cleartext).
+ * @param array $credentials Associated array of credentials passed to
+ * pam_authenticate. This function expects
+ * 'username' and 'password' (cleartext).
+ *
+ * @return bool
  */
 function pam_auth_userpass($credentials = NULL) {
@@ -179,7 +188,8 @@ function pam_auth_userpass($credentials = NULL) {
 /**
  * Log a failed login for $user_guid
  *
- * @param $user_guid
+ * @param int $user_guid User GUID
+ *
  * @return bool on success
  */
 function log_login_failure($user_guid) {
@@ -201,7 +211,8 @@ function log_login_failure($user_guid) {
 /**
  * Resets the fail login count for $user_guid
  *
- * @param $user_guid
+ * @param int $user_guid User GUID
+ *
  * @return bool on success (success = user has no logged failed attempts)
  */
 function reset_login_failure_count($user_guid) {
@@ -212,7 +223,7 @@ function reset_login_failure_count($user_guid) {
 	$fails = (int)$user->getPrivateSetting("login_failures");
 	if ($fails) {
-		for ($n=1; $n <= $fails; $n++) {
+		for ($n = 1; $n <= $fails; $n++) {
 			$user->removePrivateSetting("login_failure_$n");
 		}
@@ -231,7 +242,8 @@ function reset_login_failure_count($user_guid) {
 /**
  * Checks if the rate limit of failed logins has been exceeded for $user_guid.
  *
- * @param $user_guid
+ * @param int $user_guid User GUID
+ *
  * @return bool on exceeded limit.
  */
 function check_rate_limit_exceeded($user_guid) {
@@ -245,13 +257,13 @@ function check_rate_limit_exceeded($user_guid) {
 	if ($fails >= $limit) {
 		$cnt = 0;
 		$time = time();
-		for ($n=$fails; $n>0; $n--) {
+		for ($n = $fails; $n > 0; $n--) {
 			$f = $user->getPrivateSetting("login_failure_$n");
-			if ($f > $time - (60*5)) {
+			if ($f > $time - (60 * 5)) {
 				$cnt++;
 			}
-			if ($cnt==$limit) {
+			if ($cnt == $limit) {
 				// Limit reached
 				return true;
 			}
@@ -267,9 +279,11 @@ function check_rate_limit_exceeded($user_guid) {
  * with authenticate.
  *
  * @see authenticate
- * @param ElggUser $user A valid Elgg user object
- * @param boolean $persistent Should this be a persistent login?
- * @return true|false Whether login was successful
+ *
+ * @param ElggUser $user A valid Elgg user object
+ * @param boolean $persistent Should this be a persistent login?
+ *
+ * @return bool Whether login was successful
  */
 function login(ElggUser $user, $persistent = false) {
 	global $CONFIG;
@@ -295,7 +309,7 @@ function login(ElggUser $user, $persistent = false) {
 		$code = (md5($user->name . $user->username . time() . rand()));
 		$_SESSION['code'] = $code;
 		$user->code = md5($code);
-		setcookie("elggperm", $code, (time()+(86400 * 30)), "/");
+		setcookie("elggperm", $code, (time() + (86400 * 30)), "/");
 	}
 
 	if (!$user->save() || !trigger_elgg_event('login', 'user', $user)) {
@@ -305,7 +319,7 @@ function login(ElggUser $user, $persistent = false) {
 		unset($_SESSION['guid']);
 		unset($_SESSION['id']);
 		unset($_SESSION['user']);
-		setcookie("elggperm", "", (time()-(86400 * 30)), "/");
+		setcookie("elggperm", "", (time() - (86400 * 30)), "/");
 		return false;
 	}
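Review bot: The lockout window in `check_rate_limit_exceeded()` is still the bare literal `60 * 5`; the reformat made it spacing-compliant but not self-describing, and a reader has to work out that the loop walks failures newest-first and only counts those inside that window. Hoist it above the loop as `$window = 60 * 5; // only failures in the last five minutes count toward $limit` and compare with `if ($f > $time - $window) {`. Where `$limit` comes from is above this hunk, so the docblock's "rate limit" should name it once that line is confirmed.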
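Review bot: The new `@param boolean $persistent` line in the `login()` docblock only restates the parameter name; callers should learn from it that a persistent login issues a 30-day `elggperm` cookie, as the following hunk shows. Suggest ` * @param boolean $persistent Also issue a 30-day 'elggperm' remember-me cookie; the session alone is used otherwise`. Because the docblock is where the trade-off is decided, it is also worth stating there that the cookie value is `md5(... time() . rand())` and that `setcookie()` is called with only four arguments (no secure or httponly flag) — both visible in the next hunk — so a maintainer knows the token does not come from a cryptographic RNG. The body of `login()` continues outside this hunk.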
@@ -322,13 +336,13 @@ function login(ElggUser $user, $persistent = false) {
 /**
  * Log the current user out
  *
- * @return true|false
+ * @return bool
  */
 function logout() {
 	global $CONFIG;
 
 	if (isset($_SESSION['user'])) {
-		if (!trigger_elgg_event('logout','user',$_SESSION['user'])) {
+		if (!trigger_elgg_event('logout', 'user', $_SESSION['user'])) {
 			return false;
 		}
 		$_SESSION['user']->code = "";
@@ -342,7 +356,7 @@ function logout() {
 	unset($_SESSION['id']);
 	unset($_SESSION['user']);
 
-	setcookie("elggperm", "", (time()-(86400 * 30)),"/");
+	setcookie("elggperm", "", (time() - (86400 * 30)), "/");
 
 	// pass along any messages
 	$old_msg = $_SESSION['msg'];
@@ -362,12 +376,16 @@ function logout() {
  * This function looks for:
  *
  * 1. $_SESSION['id'] - if not present, we're logged out, and this is set to 0
- * 2. The cookie 'elggperm' - if present, checks it for an authentication token, validates it, and potentially logs the user in
+ * 2. The cookie 'elggperm' - if present, checks it for an authentication
+ * token, validates it, and potentially logs the user in
  *
  * @uses $_SESSION
- * @param unknown_type $event
- * @param unknown_type $object_type
- * @param unknown_type $object
+ *
+ * @param string $event Event name
+ * @param string $object_type Object type
+ * @param mixed $object Object
+ *
+ * @return bool
  */
 function session_init($event, $object_type, $object) {
 	global $DB_PREFIX, $CONFIG;
@@ -380,12 +398,12 @@ function session_init($event, $object_type, $object) {
 	// HACK to allow access to prefix after object destruction
 	$DB_PREFIX = $CONFIG->dbprefix;
 	if ((!isset($CONFIG->use_file_sessions))) {
-		session_set_save_handler("__elgg_session_open",
-			"__elgg_session_close",
-			"__elgg_session_read",
-			"__elgg_session_write",
-			"__elgg_session_destroy",
-			"__elgg_session_gc");
+		session_set_save_handler("_elgg_session_open",
+			"_elgg_session_close",
+			"_elgg_session_read",
+			"_elgg_session_write",
+			"_elgg_session_destroy",
+			"_elgg_session_gc");
 	}
 
 	session_name('Elgg');
@@ -393,7 +411,7 @@ function session_init($event, $object_type, $object) {
 	// Generate a simple token (private from potentially public session id)
 	if (!isset($_SESSION['__elgg_session'])) {
-		$_SESSION['__elgg_session'] = md5(microtime().rand());
+		$_SESSION['__elgg_session'] = md5(microtime() . rand());
 	}
 
 	// test whether we have a user session
@@ -438,7 +456,7 @@ function session_init($event, $object_type, $object) {
 		set_last_action($_SESSION['guid']);
 	}
 
-	register_action("login",true);
+	register_action("login", true);
 	register_action("logout");
 
 	// Register a default PAM handler
@@ -463,6 +481,7 @@ function session_init($event, $object_type, $object) {
 /**
  * Used at the top of a page to mark it as logged in users only.
  *
+ * @return void
  */
 function gatekeeper() {
 	if (!isloggedin()) {
@@ -475,6 +494,7 @@ function gatekeeper() {
 /**
  * Used at the top of a page to mark it as logged in admin or siteadmin only.
  *
+ * @return void
  */
 function admin_gatekeeper() {
 	gatekeeper();
@@ -487,9 +507,15 @@ function admin_gatekeeper() {
 }
 
 /**
- * DB Based session handling code.
+ * Handles opening a session in the DB
+ *
+ * @param string $save_path The path to save the sessions
+ * @param string $session_name The name of the session
+ *
+ * @return true
+ * @todo Document
  */
-function __elgg_session_open($save_path, $session_name) {
+function _elgg_session_open($save_path, $session_name) {
 	global $sess_save_path;
 	$sess_save_path = $save_path;
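Review bot: The new docblock says `_elgg_session_open()` "Handles opening a session in the DB", but the two visible body lines only copy `$save_path` into the global `$sess_save_path`, which the file-fallback code in the gc hunk reads; no database work is visible here. Suggest ` * Opens the session store. Only records $save_path in the global $sess_save_path so the` / ` * file-based fallback used by the other handlers knows where PHP keeps session files;` / ` * no DB access happens here.` The function's end is outside this hunk, so check that nothing else happens before the `return true` that the `@return true` tag promises.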
@@ -497,16 +523,25 @@ function __elgg_session_open($save_path, $session_name) {
 }
 
 /**
- * DB Based session handling code.
+ * Closes a session
+ *
+ * @todo implement
+ * @todo document
+ *
+ * @return true
  */
-function __elgg_session_close() {
+function _elgg_session_close() {
 	return true;
 }
 
 /**
- * DB Based session handling code.
+ * Read the session data from DB failing back to file.
+ *
+ * @param string $id The session ID
+ *
+ * @return string
  */
-function __elgg_session_read($id) {
+function _elgg_session_read($id) {
 	global $DB_PREFIX;
 
 	$id = sanitise_string($id);
@@ -532,9 +567,14 @@ function __elgg_session_read($id) {
 }
 
 /**
- * DB Based session handling code.
+ * Write session data to the DB falling back to file.
+ *
+ * @param string $id The session ID
+ * @param mixed $sess_data Session data
+ *
+ * @return bool
  */
-function __elgg_session_write($id, $sess_data) {
+function _elgg_session_write($id, $sess_data) {
 	global $DB_PREFIX;
 
 	$id = sanitise_string($id);
@@ -547,7 +587,7 @@ function __elgg_session_write($id, $sess_data) {
 		(session, ts, data) VALUES
 		('$id', '$time', '$sess_data_sanitised')";
 
-		if (insert_data($q)!==false) {
+		if (insert_data($q) !== false) {
 			return true;
 		}
 	} catch (DatabaseException $e) {
@@ -567,9 +607,13 @@ function __elgg_session_write($id, $sess_data) {
 }
 
 /**
- * DB Based session handling code.
+ * Destroy a DB session, falling back to file.
+ *
+ * @param string $id Session ID
+ *
+ * @return bool
  */
-function __elgg_session_destroy($id) {
+function _elgg_session_destroy($id) {
 	global $DB_PREFIX;
 
 	$id = sanitise_string($id);
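Review bot: `_elgg_session_write()` still relies on `sanitise_string()` alone before `$id` is interpolated into the INSERT shown in the next hunk (`('$id', '$time', '$sess_data_sanitised')`), and `$id` is the session identifier PHP hands the save handler, i.e. a value the client supplies in the `Elgg` cookie. Escaping protects the SQL grammar but does not constrain the value, and what `sanitise_string()` does beyond escaping is not visible here; a format check closes that gap independently: `if (!preg_match('/^[A-Za-z0-9,-]{1,128}$/', $id)) { return false; }` ahead of the `sanitise_string` call (that character class covers every `session.hash_bits_per_character` setting). The same guard belongs in `_elgg_session_read()` and `_elgg_session_destroy()`, which carry the identical `$id = sanitise_string($id);` line in this and the following hunk. The rest of each body, including where `$time` and `$sess_data_sanitised` are built, is outside these hunks.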
@@ -589,17 +633,22 @@ function __elgg_session_destroy($id) {
 }
 
 /**
- * DB Based session handling code.
+ * Perform garbage collection on session table / files
+ *
+ * @param int $maxlifetime Max age of a session
+ *
+ * @return bool
  */
-function __elgg_session_gc($maxlifetime) {
+function _elgg_session_gc($maxlifetime) {
 	global $DB_PREFIX;
 
-	$life = time()-$maxlifetime;
+	$life = time() - $maxlifetime;
 
 	try {
 		return (bool)delete_data("DELETE from {$DB_PREFIX}users_sessions where ts<'$life'");
 	} catch (DatabaseException $e) {
-		// Fall back to file store in this case, since this likely means that the database hasn't been upgraded
+		// Fall back to file store in this case, since this likely means that the database
+		// hasn't been upgraded
 		global $sess_save_path;
 
 		foreach (glob("$sess_save_path/sess_*") as $filename) {
@@ -612,4 +661,4 @@ function __elgg_session_gc($maxlifetime) {
 	return true;
 }
 
-register_elgg_event_handler("boot","system","session_init",20);
+register_elgg_event_handler("boot", "system", "session_init", 20);
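Review bot: `return (bool)delete_data(...)` in `_elgg_session_gc()` reports failure to PHP whenever the DELETE removes zero rows if `delete_data()` returns the affected-row count — it is defined elsewhere, so confirm — yet a gc pass with nothing expired is a success, not an error. Suggest `$deleted = delete_data("DELETE from {$DB_PREFIX}users_sessions where ts<'$life'");` / `return $deleted !== false;` so only a real database failure (which the catch block already treats as a signal to fall back to files) reads as false. The new `@return bool` tag should then say "true unless the cleanup itself failed" rather than leaving the meaning open. `$life` is an integer derived from `time()`, so its interpolation into the query is safe as written; the file-fallback loop continues outside this hunk.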