phpBB

Code Changes

File: phpbb/session.php

Line 219Line 219
	function session_begin($update_session_page = true)
{
global $phpEx, $SID, $_SID, $_EXTRA_URL, $db, $config, $phpbb_root_path;

	function session_begin($update_session_page = true)
{
global $phpEx, $SID, $_SID, $_EXTRA_URL, $db, $config, $phpbb_root_path;

		global $request, $phpbb_container;

		global $request, $phpbb_container, $phpbb_dispatcher;


// Give us some basic information
$this->time_now = time();


// Give us some basic information
$this->time_now = time();

Line 281Line 281

// Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
// it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.


// Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
// it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.

		$this->ip = htmlspecialchars_decode($request->server('REMOTE_ADDR'));
$this->ip = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $this->ip));











		$ip = htmlspecialchars_decode($request->server('REMOTE_ADDR'));
$ip = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $ip));

/**
* Event to alter user IP address
*
* @event core.session_ip_after
* @var string ip REMOTE_ADDR
* @since 3.1.10-RC1
*/
$vars = array('ip');
extract($phpbb_dispatcher->trigger_event('core.session_ip_after', compact($vars)));


// split the list of IPs


// split the list of IPs

		$ips = explode(' ', trim($this->ip));

		$ips = explode(' ', trim($ip));


// Default IP if REMOTE_ADDR is invalid
$this->ip = '127.0.0.1';


// Default IP if REMOTE_ADDR is invalid
$this->ip = '127.0.0.1';

Line 446Line 456

if (!$session_expired)
{


if (!$session_expired)
{

						// Only update session DB a minute or so after last update or if page changes
if ($this->time_now - $this->data['session_time'] > 60 || ($this->update_session_page && $this->data['session_page'] != $this->page['page']))
{
$sql_ary = array('session_time' => $this->time_now);

// Do not update the session page for ajax requests, so the view online still works as intended
if ($this->update_session_page && !$request->is_ajax())
{
$sql_ary['session_page'] = substr($this->page['page'], 0, 199);
$sql_ary['session_forum_id'] = $this->page['forum'];
}

$db->sql_return_on_error(true);

$this->update_session($sql_ary);

$db->sql_return_on_error(false);

// If the database is not yet updated, there will be an error due to the session_forum_id
// @todo REMOVE for 3.0.2
if ($result === false)
{
unset($sql_ary['session_forum_id']);

$this->update_session($sql_ary);
}

if ($this->data['user_id'] != ANONYMOUS && !empty($config['new_member_post_limit']) && $this->data['user_new'] && $config['new_member_post_limit'] <= $this->data['user_posts'])
{
$this->leave_newly_registered();
}
}


 
						$this->data['is_registered'] = ($this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL || $this->data['user_type'] == USER_FOUNDER)) ? true : false;
$this->data['is_bot'] = (!$this->data['is_registered'] && $this->data['user_id'] != ANONYMOUS) ? true : false;
$this->data['user_lang'] = basename($this->data['user_lang']);

						$this->data['is_registered'] = ($this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL || $this->data['user_type'] == USER_FOUNDER)) ? true : false;
$this->data['is_bot'] = (!$this->data['is_registered'] && $this->data['user_id'] != ANONYMOUS) ? true : false;
$this->data['user_lang'] = basename($this->data['user_lang']);

 

// Is user banned? Are they excluded? Won't return on ban, exists within method
$this->check_ban_for_current_session($config);


return true;
}


return true;
}

Line 519Line 499
	*/
function session_create($user_id = false, $set_admin = false, $persist_login = false, $viewonline = true)
{

	*/
function session_create($user_id = false, $set_admin = false, $persist_login = false, $viewonline = true)
{

		global $SID, $_SID, $db, $config, $cache, $phpbb_root_path, $phpEx, $phpbb_container;

		global $SID, $_SID, $db, $config, $cache, $phpbb_root_path, $phpEx, $phpbb_container, $phpbb_dispatcher;


$this->data = array();



$this->data = array();


Line 689Line 669
		// session exists in which case session_id will also be set

// Is user banned? Are they excluded? Won't return on ban, exists within method

		// session exists in which case session_id will also be set

// Is user banned? Are they excluded? Won't return on ban, exists within method

		if ($this->data['user_type'] != USER_FOUNDER)
{
if (!$config['forwarded_for_check'])
{
$this->check_ban($this->data['user_id'], $this->ip);
}
else
{
$ips = explode(' ', $this->forwarded_for);
$ips[] = $this->ip;
$this->check_ban($this->data['user_id'], $ips);
}
}

		$this->check_ban_for_current_session($config);














$this->data['is_registered'] = (!$bot && $this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL || $this->data['user_type'] == USER_FOUNDER)) ? true : false;
$this->data['is_bot'] = ($bot) ? true : false;


$this->data['is_registered'] = (!$bot && $this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL || $this->data['user_type'] == USER_FOUNDER)) ? true : false;
$this->data['is_bot'] = ($bot) ? true : false;

Line 734Line 702
				// Only update session DB a minute or so after last update or if page changes
if ($this->time_now - $this->data['session_time'] > 60 || ($this->update_session_page && $this->data['session_page'] != $this->page['page']))
{

				// Only update session DB a minute or so after last update or if page changes
if ($this->time_now - $this->data['session_time'] > 60 || ($this->update_session_page && $this->data['session_page'] != $this->page['page']))
{

					$this->data['session_time'] = $this->data['session_last_visit'] = $this->time_now;

$sql_ary = array('session_time' => $this->time_now, 'session_last_visit' => $this->time_now, 'session_admin' => 0);

if ($this->update_session_page)
{
$sql_ary['session_page'] = substr($this->page['page'], 0, 199);
$sql_ary['session_forum_id'] = $this->page['forum'];
}

$this->update_session($sql_ary);


 
					// Update the last visit time
$sql = 'UPDATE ' . USERS_TABLE . '
SET user_lastvisit = ' . (int) $this->data['session_time'] . '

					// Update the last visit time
$sql = 'UPDATE ' . USERS_TABLE . '
SET user_lastvisit = ' . (int) $this->data['session_time'] . '

Line 892Line 848
			$SID = '?sid=';
$_SID = '';
}

			$SID = '?sid=';
$_SID = '';
}

 

$session_data = $sql_ary;
/**
* Event to send new session data to extension
* Read-only event
*
* @event core.session_create_after
* @var array session_data Associative array of session keys to be updated
* @since 3.1.6-RC1
*/
$vars = array('session_data');
extract($phpbb_dispatcher->trigger_event('core.session_create_after', compact($vars)));
unset($session_data);


return true;
}


return true;
}

Line 906Line 875
	*/
function session_kill($new_session = true)
{

	*/
function session_kill($new_session = true)
{

		global $SID, $_SID, $db, $config, $phpbb_root_path, $phpEx, $phpbb_container;

		global $SID, $_SID, $db, $config, $phpbb_root_path, $phpEx, $phpbb_container, $phpbb_dispatcher;


$sql = 'DELETE FROM ' . SESSIONS_TABLE . "
WHERE session_id = '" . $db->sql_escape($this->session_id) . "'
AND session_user_id = " . (int) $this->data['user_id'];
$db->sql_query($sql);


$sql = 'DELETE FROM ' . SESSIONS_TABLE . "
WHERE session_id = '" . $db->sql_escape($this->session_id) . "'
AND session_user_id = " . (int) $this->data['user_id'];
$db->sql_query($sql);

 

$user_id = (int) $this->data['user_id'];
$session_id = $this->session_id;
/**
* Event to send session kill information to extension
* Read-only event
*
* @event core.session_kill_after
* @var int user_id user_id of the session user.
* @var string session_id current user's session_id
* @var bool new_session should we create new session for user
* @since 3.1.6-RC1
*/
$vars = array('user_id', 'session_id', 'new_session');
extract($phpbb_dispatcher->trigger_event('core.session_kill_after', compact($vars)));
unset($user_id);
unset($session_id);


// Allow connecting logout with external auth method logout
$provider_collection = $phpbb_container->get('auth.provider_collection');


// Allow connecting logout with external auth method logout
$provider_collection = $phpbb_container->get('auth.provider_collection');

Line 980Line 966
	*/
function session_gc()
{

	*/
function session_gc()
{

		global $db, $config, $phpbb_root_path, $phpEx, $phpbb_container;

		global $db, $config, $phpbb_root_path, $phpEx, $phpbb_container, $phpbb_dispatcher;


$batch_size = 10;



$batch_size = 10;


Line 1047Line 1033
				WHERE attempt_time < ' . (time() - (int) $config['ip_login_limit_time']);
$db->sql_query($sql);
}

				WHERE attempt_time < ' . (time() - (int) $config['ip_login_limit_time']);
$db->sql_query($sql);
}

 

/**
* Event to trigger extension on session_gc
*
* @event core.session_gc_after
* @since 3.1.6-RC1
*/
$phpbb_dispatcher->dispatch('core.session_gc_after');


return;
}


return;
}

Line 1264Line 1258
			$message = sprintf($this->lang[$message], $till_date, '<a href="' . $contact_link . '">', '</a>');
$message .= ($ban_row['ban_give_reason']) ? '<br /><br />' . sprintf($this->lang['BOARD_BAN_REASON'], $ban_row['ban_give_reason']) : '';
$message .= '<br /><br /><em>' . $this->lang['BAN_TRIGGERED_BY_' . strtoupper($ban_triggered_by)] . '</em>';

			$message = sprintf($this->lang[$message], $till_date, '<a href="' . $contact_link . '">', '</a>');
$message .= ($ban_row['ban_give_reason']) ? '<br /><br />' . sprintf($this->lang['BOARD_BAN_REASON'], $ban_row['ban_give_reason']) : '';
$message .= '<br /><br /><em>' . $this->lang['BAN_TRIGGERED_BY_' . strtoupper($ban_triggered_by)] . '</em>';


// To circumvent session_begin returning a valid value and the check_ban() not called on second page view, we kill the session again
$this->session_kill(false);

 

// A very special case... we are within the cron script which is not supposed to print out the ban message... show blank page
if (defined('IN_CRON'))


// A very special case... we are within the cron script which is not supposed to print out the ban message... show blank page
if (defined('IN_CRON'))

Line 1275Line 1266
				exit_handler();
exit;
}

				exit_handler();
exit;
}

 

// To circumvent session_begin returning a valid value and the check_ban() not called on second page view, we kill the session again
$this->session_kill(false);


trigger_error($message);
}

return ($banned && $ban_row['ban_give_reason']) ? $ban_row['ban_give_reason'] : $banned;


trigger_error($message);
}

return ($banned && $ban_row['ban_give_reason']) ? $ban_row['ban_give_reason'] : $banned;

 
	}

/**
* Check the current session for bans
*
* @return true if session user is banned.
*/
protected function check_ban_for_current_session($config)
{
if (!defined('SKIP_CHECK_BAN') && $this->data['user_type'] != USER_FOUNDER)
{
if (!$config['forwarded_for_check'])
{
$this->check_ban($this->data['user_id'], $this->ip);
}
else
{
$ips = explode(' ', $this->forwarded_for);
$ips[] = $this->ip;
$this->check_ban($this->data['user_id'], $ips);
}
}

	}

/**

	}

/**

Line 1541Line 1557
	*/
public function update_session($session_data, $session_id = null)
{

	*/
public function update_session($session_data, $session_id = null)
{

		global $db;

		global $db, $phpbb_dispatcher;


$session_id = ($session_id) ? $session_id : $this->session_id;

$sql = 'UPDATE ' . SESSIONS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $session_data) . "
WHERE session_id = '" . $db->sql_escape($session_id) . "'";
$db->sql_query($sql);


$session_id = ($session_id) ? $session_id : $this->session_id;

$sql = 'UPDATE ' . SESSIONS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $session_data) . "
WHERE session_id = '" . $db->sql_escape($session_id) . "'";
$db->sql_query($sql);

 

/**
* Event to send update session information to extension
* Read-only event
*
* @event core.update_session_after
* @var array session_data Associative array of session keys to be updated
* @var string session_id current user's session_id
* @since 3.1.6-RC1
*/
$vars = array('session_data', 'session_id');
extract($phpbb_dispatcher->trigger_event('core.update_session_after', compact($vars)));
}

public function update_session_infos()
{
global $config, $db, $request;

// No need to update if it's a new session. Informations are already inserted by session_create()
if (isset($this->data['session_created']) && $this->data['session_created'])
{
return;
}

// Only update session DB a minute or so after last update or if page changes
if ($this->time_now - ((isset($this->data['session_time'])) ? $this->data['session_time'] : 0) > 60 || ($this->update_session_page && $this->data['session_page'] != $this->page['page']))
{
$sql_ary = array('session_time' => $this->time_now);

// Do not update the session page for ajax requests, so the view online still works as intended
if ($this->update_session_page && !$request->is_ajax())
{
$sql_ary['session_page'] = substr($this->page['page'], 0, 199);
$sql_ary['session_forum_id'] = $this->page['forum'];
}

$db->sql_return_on_error(true);

$this->update_session($sql_ary);

$db->sql_return_on_error(false);

$this->data = array_merge($this->data, $sql_ary);

if ($this->data['user_id'] != ANONYMOUS && isset($config['new_member_post_limit']) && $this->data['user_new'] && $config['new_member_post_limit'] <= $this->data['user_posts'])
{
$this->leave_newly_registered();
}
}

	}
}


	}
}
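Review bot: In `update_session_infos()` the guard `isset($config['new_member_post_limit'])` replaces the `!empty($config['new_member_post_limit'])` test that the same block carried in `session_begin()`, so a limit configured as `0` (which the old `!empty()` treated as disabled) now passes the guard, `0 <= user_posts` holds for every user with `user_new` set, and `leave_newly_registered()` runs on their next session update. Restoring `!empty($config['new_member_post_limit'])` keeps the previous behaviour. Separately, the new `check_ban_for_current_session()` docblock says `@return true if session user is banned.` but the method has no return statement and relies on `check_ban()` not returning when a ban matches; a docblock such as `Runs the ban check for the session user unless SKIP_CHECK_BAN is defined or the user is a founder; does not return when a ban matches.` would describe it accurately. Because that `SKIP_CHECK_BAN` test now disables ban enforcement for both `session_begin()` and `session_create()` (the inline code removed from `session_create()` had no such condition), the docblock should also say where that constant is expected to be defined.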