1 <?php
2 # MantisBT - A PHP based bugtracking system
4 # MantisBT is free software: you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License as published by
6 # the Free Software Foundation, either version 2 of the License, or
7 # (at your option) any later version.
9 # MantisBT is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
14 # You should have received a copy of the GNU General Public License
15 # along with MantisBT. If not, see <http://www.gnu.org/licenses/>.
18 /**
19 * Session API
21 * Handles user/browser sessions in an extendable manner. New session handlers
22 * can be added and configured without affecting how the API is used. Calls to
23 * session_*() are appropriately directed at the session handler class as
24 * chosen in config_inc.php.
26 * @package CoreAPI
27 * @subpackage SessionAPI
28 * @copyright Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
29 * @copyright Copyright (C) 2002 - 2010 MantisBT Team - mantisbt-dev@lists.sourceforge.net
30 * @link http://www.mantisbt.org
32 * @uses config_api.php
33 * @uses constant_inc.php
34 * @uses error_api.php
35 * @uses gpc_api.php
36 * @uses php_api.php
39 require_api( 'config_api.php' );
40 require_api( 'constant_inc.php' );
41 require_api( 'error_api.php' );
42 require_api( 'gpc_api.php' );
43 require_api( 'php_api.php' );
/**
 * Active session handler instance.
 *
 * Stays null until session_init() instantiates the handler selected in
 * config_inc.php (currently only MantisPHPSession); every session_*()
 * wrapper in this file dispatches to it.
 * @global MantisPHPSession $g_session
 */
$g_session = null;
/**
 * Abstract interface for a MantisBT session handler.
 *
 * A handler is a keyed get/set/delete/destroy store; the session_*()
 * wrapper functions route every call through the instance held in
 * $g_session, so new back ends can be added without touching callers.
 * @package MantisBT
 * @subpackage classes
 */
abstract class MantisSession {
	/** @var string Identifier of the underlying session. */
	public $id;

	/**
	 * Constructor; the concrete handler is expected to establish its session here.
	 */
	abstract public function __construct();

	/**
	 * Retrieve a value from the session store.
	 * @param string $p_name    Variable name
	 * @param mixed  $p_default Value to return when the variable is absent
	 * @return mixed
	 */
	abstract public function get( $p_name, $p_default = null );

	/**
	 * Store a value in the session.
	 * @param string $p_name  Variable name
	 * @param mixed  $p_value Value to store
	 */
	abstract public function set( $p_name, $p_value );

	/**
	 * Remove a value from the session.
	 * @param string $p_name Variable name
	 */
	abstract public function delete( $p_name );

	/**
	 * Tear down the session.
	 */
	abstract public function destroy();
}
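/**
 * Implementation of the abstract MantisBT session interface using
 * standard PHP sessions stored on the server's filesystem according
 * to PHP's session.* settings in 'php.ini'.
 *
 * All MantisBT data lives under one configurable key ('session_key')
 * inside $_SESSION, so the PHP session can be shared with other
 * applications without key collisions.
 * @package MantisBT
 * @subpackage classes
 */
class MantisPHPSession extends MantisSession {
	/**
	 * Key under which MantisBT data is stored in $_SESSION.
	 * Declared explicitly: it was previously created as a dynamic property
	 * in the constructor, which newer PHP versions deprecate.
	 * @var string
	 */
	public $key;

	/**
	 * Constructor: configure the session cookie and start the PHP session.
	 *
	 * @param string|null $p_session_id Existing session ID to resume (the CGI
	 *        bootstrap at the bottom of this file passes one taken from the
	 *        request); null lets PHP take the ID from the session cookie or
	 *        generate a new one.
	 */
	function __construct( $p_session_id=null ) {
		global $g_cookie_secure_flag_enabled;
		global $g_cookie_httponly_flag_enabled;

		$this->key = config_get_global( 'session_key' );

		# Save session information where specified or with PHP's default
		$t_session_save_path = config_get_global( 'session_save_path' );
		if( $t_session_save_path ) {
			session_save_path( $t_session_save_path );
		}

		# Handle session cookie and caching.
		# Lifetime 0 makes the cookie a browser-session cookie; the Secure and
		# HttpOnly flags follow the global configuration.
		session_cache_limiter( 'private_no_expire' );
		if ( $g_cookie_httponly_flag_enabled ) {
			# The HttpOnly cookie flag is only supported in PHP >= 5.2.0
			session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), $g_cookie_secure_flag_enabled, $g_cookie_httponly_flag_enabled );
		} else {
			session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), $g_cookie_secure_flag_enabled );
		}

		# Handle existent session ID.
		# NOTE(review): a caller-supplied ID is adopted as-is, so whoever
		# controls that value chooses which session is resumed. Nothing in
		# this class regenerates the ID; that must happen at authentication
		# to defeat session fixation.
		if ( !is_null( $p_session_id ) ) {
			session_id( $p_session_id );
		}

		# Initialize the session
		session_start();
		$this->id = session_id();

		# Initialize the keyed session store
		if ( !isset( $_SESSION[ $this->key ] ) ) {
			$_SESSION[ $this->key ] = array();
		}
	}

	/**
	 * Retrieve a value from the MantisBT session store.
	 *
	 * Values are kept serialize()d (see set()), so a stored null is the
	 * string "N;" and still counts as present for isset(). unserialize()
	 * here only sees data this class wrote into the server-side $_SESSION,
	 * not client-supplied input; it is safe as long as the session storage
	 * itself is trusted.
	 *
	 * @param string $p_name    Variable name
	 * @param mixed  $p_default Returned when the variable is absent; honoured
	 *        only when actually passed (detected via func_num_args()),
	 *        otherwise ERROR_SESSION_VAR_NOT_FOUND is raised.
	 * @return mixed
	 */
	function get( $p_name, $p_default=null ) {
		if ( isset( $_SESSION[ $this->key ][ $p_name ] ) ) {
			return unserialize( $_SESSION[ $this->key ][ $p_name ] );
		}

		if( func_num_args() > 1 ) {
			return $p_default;
		}

		error_parameters( $p_name );
		trigger_error( ERROR_SESSION_VAR_NOT_FOUND, ERROR );
	}

	/**
	 * Store a value in the MantisBT session store.
	 * The value is serialize()d so any PHP type round-trips through get().
	 * @param string $p_name  Variable name
	 * @param mixed  $p_value Value to store
	 */
	function set( $p_name, $p_value ) {
		$_SESSION[ $this->key ][ $p_name ] = serialize( $p_value );
	}

	/**
	 * Remove a value from the MantisBT session store.
	 * @param string $p_name Variable name
	 */
	function delete( $p_name ) {
		unset( $_SESSION[ $this->key ][ $p_name ] );
	}

	/**
	 * Destroy the MantisBT part of the session.
	 *
	 * Expires the session cookie in the browser (only while headers can
	 * still be sent) and drops the keyed store. The PHP session itself is
	 * not destroyed (no session_destroy() call) and its ID is not
	 * regenerated: data stored under other keys survives, and the
	 * server-side session record remains.
	 */
	function destroy() {
		if( isset( $_COOKIE[session_name()] ) && !headers_sent() ) {
			gpc_set_cookie( session_name(), '', time() - 42000 );
		}

		unset( $_SESSION[ $this->key ] );
	}
}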
/**
 * Initialize the appropriate session handler.
 *
 * Instantiates the handler named by $g_session_handler into $g_session,
 * then, when 'session_validation' is ON and the session is flagged as
 * secure, runs session_validate() on it.
 *
 * @param string $p_session_id Session ID to resume; null lets PHP use the
 *        session cookie.
 */
function session_init( $p_session_id=null ) {
	global $g_session, $g_session_handler;

	$t_handler = utf8_strtolower( $g_session_handler );

	if ( 'php' == $t_handler ) {
		$g_session = new MantisPHPSession( $p_session_id );
	} else {
		# 'adodb' and 'memcached' are reserved names that are not yet
		# implemented, so they are rejected exactly like an unknown handler.
		trigger_error( ERROR_SESSION_HANDLER_INVALID, ERROR );
	}

	$t_validation_on = ( ON == config_get_global( 'session_validation' ) );
	if ( $t_validation_on && session_get( 'secure_session', false ) ) {
		session_validate( $g_session );
	}
}
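/**
 * Validate the legitimacy of a session.
 *
 * The only check implemented is that the client address (REMOTE_ADDR) has
 * not changed since the session was first validated. On mismatch the
 * session is destroyed via session_clean(), ERROR_SESSION_NOT_VALID is
 * raised, a meta refresh to the default home page is emitted and the
 * script terminates.
 *
 * Deployment caveats:
 *  - REMOTE_ADDR is the address of the TCP peer. Behind a reverse proxy or
 *    load balancer that is the proxy's address, so all clients share one
 *    value and the check no longer distinguishes them.
 *  - Clients whose address legitimately changes mid-session (mobile
 *    networks, proxy pools) lose their session.
 *
 * @param object $p_session Session object (a MantisSession handler)
 */
function session_validate( $p_session ) {
	$t_user_ip = '';
	if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
		$t_user_ip = trim( $_SERVER['REMOTE_ADDR'] );
	}

	if ( is_null( $t_last_ip = $p_session->get( 'last_ip', null ) ) ) {
		# First session usage: bind the session to this address
		$p_session->set( 'last_ip', $t_user_ip );

	} else {
		# Check a continued session request.
		# Both sides are strings; compare strictly so PHP's loose
		# numeric-string comparison rules cannot apply.
		if ( $t_user_ip !== $t_last_ip ) {
			session_clean();

			trigger_error( ERROR_SESSION_NOT_VALID, WARNING );

			$t_url = config_get_global( 'path' ) . config_get_global( 'default_home_page' );
			echo "\t<meta http-equiv=\"Refresh\" content=\"4;URL=$t_url\" />\n";

			die();
		}
	}
}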
/**
 * Get arbitrary data from the session.
 *
 * Forwards to the active handler's get(). Whether a default was supplied
 * matters (MantisPHPSession::get() raises an error for a missing variable
 * when none is given), so the argument count is preserved instead of
 * always passing $p_default through.
 *
 * @param string $p_name    Session variable name
 * @param mixed  $p_default Default value
 * @return mixed Session variable
 */
function session_get( $p_name, $p_default = null ) {
	global $g_session;

	if ( func_num_args() > 1 ) {
		return $g_session->get( $p_name, $p_default );
	}
	return $g_session->get( $p_name );
}
/**
 * Get an integer from the session.
 *
 * Same contract as session_get(), with the result cast to int; the
 * argument count is preserved so a missing default still raises an error.
 *
 * @param string $p_name    Session variable name
 * @param mixed  $p_default Default value
 * @return int Session variable
 */
function session_get_int( $p_name, $p_default = null ) {
	if ( func_num_args() > 1 ) {
		return (int) session_get( $p_name, $p_default );
	}
	return (int) session_get( $p_name );
}
/**
 * Get a boolean from the session.
 *
 * Same contract as session_get(), with the result cast to bool; the
 * argument count is preserved so a missing default still raises an error.
 *
 * @param string $p_name    Session variable name
 * @param mixed  $p_default Default value
 * @return boolean Session variable
 */
function session_get_bool( $p_name, $p_default = null ) {
	if ( func_num_args() > 1 ) {
		return (bool) session_get( $p_name, $p_default );
	}
	return (bool) session_get( $p_name );
}
/**
 * Get a string from the session.
 *
 * Same contract as session_get(), with the result cast to string; the
 * argument count is preserved so a missing default still raises an error.
 *
 * @param string $p_name    Session variable name
 * @param mixed  $p_default Default value
 * @return string Session variable
 */
function session_get_string( $p_name, $p_default = null ) {
	if ( func_num_args() > 1 ) {
		return (string) session_get( $p_name, $p_default );
	}
	return (string) session_get( $p_name );
}
/**
 * Set a session variable through the active handler.
 * @param string $p_name  Session variable name
 * @param mixed  $p_value Variable value
 */
function session_set( $p_name, $p_value ) {
	$GLOBALS['g_session']->set( $p_name, $p_value );
}
/**
 * Delete a session variable through the active handler.
 * @param string $p_name Session variable name
 */
function session_delete( $p_name ) {
	$GLOBALS['g_session']->delete( $p_name );
}
/**
 * Destroy the MantisBT session data through the active handler.
 * See MantisPHPSession::destroy() for what is and is not cleared.
 */
function session_clean() {
	$GLOBALS['g_session']->destroy();
}
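# Initialize the session.
# In CGI mode the session ID may arrive as a request parameter instead of
# the session cookie. Only a syntactically valid PHP session ID is honoured
# (the character set PHP itself generates for any hash_bits_per_character /
# sid_bits_per_character setting, bounded by the maximum sid_length); any
# other value is treated as "no ID given" so a fresh session is started
# instead of handing a malformed string to session_id(). This is a format
# check only: a well-formed attacker-chosen ID is still accepted, so the ID
# must be regenerated when the user authenticates to defeat session fixation.
if ( PHP_CGI == php_mode() ) {
	$t_session_id = gpc_get_string( 'session_id', '' );

	if ( !empty( $t_session_id ) && !preg_match( '/^[a-zA-Z0-9,-]{1,256}$/', $t_session_id ) ) {
		$t_session_id = '';
	}

	if ( empty( $t_session_id ) ) {
		session_init();
	} else {
		session_init( $t_session_id );
	}
}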