phpBB API Documentation
Class

phpbb\session

class session

Session class

Properties

$cookie_data
$page
$data
$browser
$forwarded_for
$host
$session_id
$ip
$load
$time_now
$update_session_page

Methods

extract_current_hostname()

Get valid hostname/port.

session_begin(bool $update_session_page = true)

Start session management

session_create($user_id = false, $set_admin = false, $persist_login = false, $viewonline = true)

Create a new session

session_kill($new_session = true)

Kills a session

session_gc()

Session garbage collection

set_cookie(string $name, string $cookiedata, int $cookietime, bool $httponly = true)

Sets a cookie

check_ban(int|false $user_id = false, mixed $user_ips = false, string|false $user_email = false, bool $return = false)

Check for banned user

false check_dnsbl(string $mode, string|false $ip = false)

Check if ip is blacklisted This should be called only where absolutely necessary

set_login_key($user_id = false, $key = false, $user_ip = false)

Set/Update a persistent login key

reset_login_keys($user_id = false)

Reset all login keys for the specified user

validate_referer(bool $check_script_path = false)

Check if the request originated from the same page.

unset_admin()

update_session(array $session_data, string $session_id = null)

Update the session data

update_session_infos()

Details

at line 164
public extract_current_hostname()

Get valid hostname/port.

HTTPHOST is used, SERVERNAME if HTTP_HOST not present.

at line 228
public session_begin(bool $update_session_page = true)

Start session management

This is where all session activity begins. We gather various pieces of information from the client and server. We test to see if a session already exists. If it does, fine and dandy. If it doesn't we'll go on to create a new one ... pretty logical heh? We also examine the system load (if we're running on a system which makes such information readily available) and halt if it's above an admin definable limit.

Parameters

bool $update_session_page if true the session page gets updated. This can be set to circumvent certain scripts to update the users last visited page.

at line 517
public session_create($user_id = false, $set_admin = false, $persist_login = false, $viewonline = true)

Create a new session

If upon trying to start a session we discover there is nothing existing we jump here. Additionally this method is called directly during login to regenerate the session for the specific user. In this method we carry out a number of tasks; garbage collection, (search)bot checking, banned user comparison. Basically though this method will result in a new session for a specific user.

Parameters

$user_id
$set_admin
$persist_login
$viewonline

at line 894
public session_kill($new_session = true)

Kills a session

This method does what it says on the tin. It will delete a pre-existing session. It resets cookie information (destroying any autologin key within that cookie data) and update the users information from the relevant session data. It will then grab guest user information.

Parameters

$new_session

at line 986
public session_gc()

Session garbage collection

This looks a lot more complex than it really is. Effectively we are deleting any sessions older than an admin definable limit. Due to the way in which we maintain session data we have to ensure we update user data before those sessions are destroyed. In addition this method removes autologin key information that is older than an admin defined limit.

Sets a cookie

Sets a cookie of the given name with the specified data for the given length of time. If no time is specified, a session cookie will be set.

Parameters

string $name Name of the cookie, will be automatically prefixed with the phpBB cookie name. track becomes [cookiename]track then.
string $cookiedata The data to hold within the cookie
int $cookietime The expiration time as UNIX timestamp. If 0 is provided, a session cookie is set.
bool $httponly Use HttpOnly. Defaults to true. Use false to make cookie accessible by client-side scripts.

at line 1107
public check_ban(int|false $user_id = false, mixed $user_ips = false, string|false $user_email = false, bool $return = false)

Check for banned user

Checks whether the supplied user is banned by id, ip or email. If no parameters are passed to the method pre-existing session data is used.

Parameters

int|false $user_id The user id
mixed $user_ips Can contain a string with one IP or an array of multiple IPs
string|false $user_email The user email
bool $return If $return is false this routine does not return on finding a banned user, it outputs a relevant message and stops execution.

at line 1339
public false check_dnsbl(string $mode, string|false $ip = false)

Check if ip is blacklisted This should be called only where absolutely necessary

Only IPv4 (rbldns does not support AAAA records/IPv6 lookups)

Parameters

string $mode register/post - spamcop for example is ommitted for posting
string|false $ip the IPv4 address to check

Return Value

false if ip is not blacklisted, else an array([checked server], [lookup])

at line 1436
public set_login_key($user_id = false, $key = false, $user_ip = false)

Set/Update a persistent login key

This method creates or updates a persistent session key. When a user makes use of persistent (formerly auto-) logins a key is generated and stored in the DB. When they revisit with the same key it's automatically updated in both the DB and cookie. Multiple keys may exist for each user representing different browsers or locations. As with any non-secure-socket no passphrase login this remains vulnerable to exploit.

Parameters

$user_id
$key
$user_ip

at line 1483
public reset_login_keys($user_id = false)

Reset all login keys for the specified user

This method removes all current login keys for a specified (or the current) user. It will be called on password change to render old keys unusable

Parameters

$user_id

at line 1532
public validate_referer(bool $check_script_path = false)

Check if the request originated from the same page.

Parameters

bool $check_script_path If true, the path will be checked as well

at line 1569
public unset_admin()

at line 1584
public update_session(array $session_data, string $session_id = null)

Update the session data

Parameters

array $session_data associative array of session keys to be updated
string $session_id optional sessionid, defaults to current user's sessionid

at line 1607
public update_session_infos()