Class session

Description

Session class

Located in /includes/session.php (line 23)

Direct descendants
 class user: Base user class
Variable Summary
 mixed $browser
 mixed $cookie_data
 mixed $data
 mixed $host
 mixed $ip
 mixed $load
 mixed $page
 mixed $session_id
 mixed $time_now
Method Summary
 void check_ban ([ $user_id = false], [string|array $user_ips = false], [ $user_email = false], [ $return = false])
 false check_dnsbl (string $mode, [ $ip = false])
 void confirm_gc ([ $type = 0])
 void extract_current_page (string $root_path)
 void reset_login_keys ([ $user_id = false])
 void session_begin ([bool $update_session_page = true])
 void session_create ([ $user_id = false], [ $set_admin = false], [ $persist_login = false], [ $viewonline = true])
 void session_gc ()
 void session_kill ([ $new_session = true])
 void set_cookie (string $name, string $cookiedata, int $cookietime)
 void set_login_key ([ $user_id = false], [ $key = false], [ $user_ip = false])
 void unset_admin ()
 void validate_referer ([bool $check_script_path = false])
Variables
mixed $browser = '' (line 28)
mixed $cookie_data = array() (line 25)
mixed $data = array() (line 27)
mixed $forwarded_for = '' (line 29)
mixed $host = '' (line 30)
mixed $ip = '' (line 32)
mixed $load = 0 (line 33)
mixed $page = array() (line 26)
mixed $session_id = '' (line 31)
mixed $time_now = 0 (line 34)
mixed $update_session_page = true (line 35)
Methods
check_ban (line 955)

Check for banned user

Checks whether the supplied user is banned by ID, IP or email. If no parameters are passed to the method, pre-existing session data is used. If $return is false, this routine does not return on finding a banned user; it outputs a relevant message and stops execution.

void check_ban ([ $user_id = false], [string|array $user_ips = false], [ $user_email = false], [ $return = false])
  • string|array $user_ips: Can contain a string with one IP or an array of multiple IPs
  • $user_id
  • $user_email
  • $return
check_dnsbl (line 1151)

Check if IP is blacklisted. This should be called only where absolutely necessary.

Only IPv4 (rbldns does not support AAAA records/IPv6 lookups)

  • return: false if IP is not blacklisted, else an array([checked server], [lookup])
  • author: satmd (from the php manual)
false check_dnsbl (string $mode, [ $ip = false])
  • string $mode: register/post - spamcop, for example, is omitted for posting
  • $ip
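
A DNSBL lookup of the kind this method describes reverses the IPv4 octets, appends the blacklist zone and asks DNS for an A record. The sketch below is an added example, not phpBB's check_dnsbl(); the function names, the injectable resolver and the zones dnsbl.example and other.example are assumptions made for illustration.

```php
<?php
// Added example, not phpBB's code. Function names, zones and the resolver hook are assumptions.

/**
 * Build the DNSBL query name for an IPv4 address: octets reversed, zone appended.
 * Returns null for anything that is not a dotted-quad IPv4 address.
 */
function dnsbl_query_name(string $ip, string $zone): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null; // IPv6 and malformed input are never sent to the resolver
    }
    // The trailing dot makes the name fully qualified, so no search domain is appended.
    return implode('.', array_reverse(explode('.', $ip))) . '.' . $zone . '.';
}

/**
 * Check $ip against each zone. Returns false if unlisted, else [zone, query name].
 * $resolver is injectable so the logic runs offline; by default it asks DNS for an A record.
 */
function dnsbl_check(string $ip, array $zones, ?callable $resolver = null)
{
    $resolver = $resolver ?? fn(string $name): bool => checkdnsrr($name, 'A');
    foreach ($zones as $zone) {
        $name = dnsbl_query_name($ip, $zone);
        if ($name === null) {
            return false; // unsupported address family: nothing is looked up
        }
        if ($resolver($name)) {
            return [$zone, $name];
        }
    }
    return false;
}

// Constructed sample data: a fake resolver that lists only 192.0.2.99 in one made-up zone.
$listed = ['99.2.0.192.dnsbl.example.'];
$fake   = fn(string $name): bool => in_array($name, $listed, true);
$zones  = ['dnsbl.example', 'other.example'];

var_dump(dnsbl_check('192.0.2.99', $zones, $fake));  // address in the constructed list
var_dump(dnsbl_check('192.0.2.10', $zones, $fake));  // address not in the list
var_dump(dnsbl_check('2001:db8::1', $zones, $fake)); // IPv6 input
```

With the default resolver every zone costs a blocking DNS query per request.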
confirm_gc (line 894)
void confirm_gc ([ $type = 0])
  • $type
extract_current_page (line 42)

Extract current session page

void extract_current_page (string $root_path)
  • string $root_path: current root path (phpbb_root_path)
reset_login_keys (line 1290)

Reset all login keys for the specified user

This method removes all current login keys for a specified (or the current) user. It will be called on password change to render old keys unusable.

void reset_login_keys ([ $user_id = false])
  • $user_id
session_begin (line 152)

Start session management

This is where all session activity begins. We gather various pieces of information from the client and server. We test to see if a session already exists. If it does, fine and dandy. If it doesn't we'll go on to create a new one ... pretty logical heh? We also examine the system load (if we're running on a system which makes such information readily available) and halt if it's above an admin definable limit.

void session_begin ([bool $update_session_page = true])
  • bool $update_session_page: if true, the session page gets updated. This can be used to prevent certain scripts from updating the user's last visited page.
session_create (line 391)

Create a new session

If, upon trying to start a session, we discover there is nothing existing, we jump here. Additionally, this method is called directly during login to regenerate the session for the specific user. In this method we carry out a number of tasks: garbage collection, (search)bot checking, banned user comparison. Basically, though, this method will result in a new session for a specific user.

void session_create ([ $user_id = false], [ $set_admin = false], [ $persist_login = false], [ $viewonline = true])
  • $user_id
  • $set_admin
  • $persist_login
  • $viewonline
session_gc (line 828)

Session garbage collection

This looks a lot more complex than it really is. Effectively we are deleting any sessions older than an admin definable limit. Due to the way in which we maintain session data we have to ensure we update user data before those sessions are destroyed. In addition this method removes autologin key information that is older than an admin defined limit.

void session_gc ()
session_kill (line 749)

Kills a session

This method does what it says on the tin. It will delete a pre-existing session. It resets cookie information (destroying any autologin key within that cookie data) and updates the user's information from the relevant session data. It will then grab guest user information.

void session_kill ([ $new_session = true])
  • $new_session
set_cookie (line 934)

Sets a cookie

Sets a cookie of the given name with the specified data for the given length of time. If no time is specified, a session cookie will be set.

void set_cookie (string $name, string $cookiedata, int $cookietime)
  • string $name: Name of the cookie; it is automatically prefixed with the phpBB cookie name, so track becomes [cookie_name]_track.
  • string $cookiedata: The data to hold within the cookie
  • int $cookietime: The expiration time as a UNIX timestamp. If 0 is provided, a session cookie is set.
set_login_key (line 1243)

Set/Update a persistent login key

This method creates or updates a persistent session key. When a user makes use of persistent (formerly auto-) logins, a key is generated and stored in the DB. When they revisit with the same key, it's automatically updated in both the DB and cookie. Multiple keys may exist for each user, representing different browsers or locations. As with _any_ login that uses neither a secure socket nor a passphrase, this remains vulnerable to exploit.

void set_login_key ([ $user_id = false], [ $key = false], [ $user_ip = false])
  • $user_id
  • $key
  • $user_ip
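
The key lifecycle described here and under reset_login_keys (issue per browser, replace on every revisit, drop all keys on password change) can be sketched as follows. This is an added example, not phpBB's set_login_key(); the class LoginKeyStore, the in-memory array standing in for the DB table and the choice to store only a SHA-256 digest of the key are assumptions.

```php
<?php
// Added example, not phpBB's code. $store stands in for the DB table (assumption);
// keeping only a SHA-256 digest of each key server-side is also an assumption.

final class LoginKeyStore
{
    /** @var array<string, array{user_id:int, last_ip:string, last_login:int}> keyed by digest */
    private array $store = [];

    /** Create a key for a new browser or location and return the cookie value. */
    public function issue(int $userId, string $ip): string
    {
        $key = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
        $this->store[hash('sha256', $key)] =
            ['user_id' => $userId, 'last_ip' => $ip, 'last_login' => time()];
        return $key;
    }

    /** On revisit: accept the presented key once, replace it, return the new cookie value. */
    public function rotate(int $userId, string $presentedKey, string $ip): ?string
    {
        $digest = hash('sha256', $presentedKey);
        if (!isset($this->store[$digest]) || $this->store[$digest]['user_id'] !== $userId) {
            return null; // unknown, already-rotated or foreign key: no automatic login
        }
        unset($this->store[$digest]);
        return $this->issue($userId, $ip);
    }

    /** Remove every key of a user, e.g. on password change. */
    public function resetAll(int $userId): void
    {
        $this->store = array_filter(
            $this->store,
            fn(array $row): bool => $row['user_id'] !== $userId
        );
    }
}

// Constructed walk-through: two browsers, one rotation, then a password change.
$keys    = new LoginKeyStore();
$laptop  = $keys->issue(42, '192.0.2.10');
$phone   = $keys->issue(42, '198.51.100.7');
$laptop2 = $keys->rotate(42, $laptop, '192.0.2.10');   // laptop revisits, key is replaced
var_dump($keys->rotate(42, $laptop, '192.0.2.10'));    // replay of the old laptop key
$keys->resetAll(42);                                   // password change
var_dump($keys->rotate(42, $phone, '198.51.100.7'));   // phone key presented after the reset
```

The key is a bearer credential, so rotation limits how long a copied cookie stays valid but does not protect a key sent over a non-secure connection.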
unset_admin (line 1357)
void unset_admin ()
validate_referer (line 1322)

Check if the request originated from the same page.

void validate_referer ([bool $check_script_path = false])
  • bool $check_script_path: If true, the path will be checked as well

Documentation generated on Tue, 26 Aug 2008 08:34:09 +0200 by phpDocumentor 1.4.2