search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
baseline
[omp.pkp.sfu.ca.git] / lib / pkp / classes / session / SessionManager.inc.php
blobac87e545d819e0b44f5780b3fc0b1f84b5c4aca1
1 <?php
2
3 /**
4 * @file classes/session/SessionManager.inc.php
5 *
6 * Copyright (c) 2000-2009 John Willinsky
7 * Distributed under the GNU GPL v2. For full terms see the file docs/COPYING.
8 *
9 * @class SessionManager
10 * @ingroup session
11 *
12 * @brief Implements PHP methods for a custom session storage handler (see http://php.net/session).
13 */
14
15 // $Id: SessionManager.inc.php,v 1.7 2009/05/13 16:35:48 asmecher Exp $
16
17
18 class SessionManager {
19
20 /** The DAO for accessing Session objects */
21 var $sessionDao;
22
23 /** The Session associated with the current request */
24 var $userSession;
25
26 /**
27 * Constructor.
28 * Initialize session configuration and set PHP session handlers.
29 * Attempts to rejoin a user's session if it exists, or create a new session otherwise.
30 */
31 function SessionManager(&$sessionDao) {
32 $this->sessionDao =& $sessionDao;
33
34 // Configure PHP session parameters
35 ini_set('session.use_trans_sid', 0);
36 ini_set('session.save_handler', 'user');
37 ini_set('session.serialize_handler', 'php');
38 ini_set('session.use_cookies', 1);
39 ini_set('session.name', Config::getVar('general', 'session_cookie_name')); // Cookie name
40 ini_set('session.cookie_lifetime', 0);
41 ini_set('session.cookie_path', PKPRequest::getBasePath() . '/');
42 ini_set('session.gc_probability', 1);
43 ini_set('session.gc_maxlifetime', 60 * 60);
44 ini_set('session.auto_start', 1);
45 ini_set('session.cache_limiter', 'none');
46
47 session_set_save_handler(
48 array(&$this, 'open'),
49 array(&$this, 'close'),
50 array(&$this, 'read'),
51 array(&$this, 'write'),
52 array(&$this, 'destroy'),
53 array(&$this, 'gc')
54 );
55
56 // Initialize the session
57 session_start();
58 $sessionId = session_id();
59
60 $ip = PKPRequest::getRemoteAddr();
61 $userAgent = PKPRequest::getUserAgent();
62 $now = time();
63
64 if (!isset($this->userSession) || (Config::getVar('security', 'session_check_ip') && $this->userSession->getIpAddress() != $ip) || $this->userSession->getUserAgent() != $userAgent) {
65 if (isset($this->userSession)) {
66 // Destroy old session
67 session_destroy();
68 }
69
70 // Create new session
71 $this->userSession = new Session();
72 $this->userSession->setId($sessionId);
73 $this->userSession->setIpAddress($ip);
74 $this->userSession->setUserAgent($userAgent);
75 $this->userSession->setSecondsCreated($now);
76 $this->userSession->setSecondsLastUsed($now);
77 $this->userSession->setSessionData('');
78
79 $this->sessionDao->insertSession($this->userSession);
80
81 } else {
82 if ($this->userSession->getRemember()) {
83 // Update session timestamp for remembered sessions so it doesn't expire in the middle of a browser session
84 if (Config::getVar('general', 'session_lifetime') > 0) {
85 $this->updateSessionLifetime(time() + Config::getVar('general', 'session_lifetime') * 86400);
86 } else {
87 $this->userSession->setRemember(0);
88 $this->updateSessionLifetime(0);
89 }
90 }
91
92 // Update existing session's timestamp
93 $this->userSession->setSecondsLastUsed($now);
94 $this->sessionDao->updateObject($this->userSession);
95 }
96 }
97
98 /**
99 * Return an instance of the session manager.
100 * @return SessionManager
101 */
102 function &getManager() {
103 $instance =& Registry::get('sessionManager', true, null);
104
105 if ($instance === null) {
106 $instance = new SessionManager(DAORegistry::getDAO('SessionDAO'));
107 }
108 return $instance;
109 }
110
111 /**
112 * Get the session associated with the current request.
113 * @return Session
114 */
115 function &getUserSession() {
116 return $this->userSession;
117 }
118
119 /**
120 * Open a session.
121 * Does nothing; only here to satisfy PHP session handler requirements.
122 * @return boolean
123 */
124 function open() {
125 return true;
126 }
127
128 /**
129 * Close a session.
130 * Does nothing; only here to satisfy PHP session handler requirements.
131 * @return boolean
132 */
133 function close() {
134 return true;
135 }
136
137 /**
138 * Read session data from database.
139 * @param $sessionId string
140 * @return boolean
141 */
142 function read($sessionId) {
143 if (!isset($this->userSession)) {
144 $this->userSession =& $this->sessionDao->getSession($sessionId);
145 if (isset($this->userSession)) {
146 $data = $this->userSession->getSessionData();
147 }
148 }
149 return isset($data) ? $data : '';
150 }
151
152 /**
153 * Save session data to database.
154 * @param $sessionId string
155 * @param $data array
156 * @return boolean
157 */
158 function write($sessionId, $data) {
159 if (isset($this->userSession)) {
160 $this->userSession->setSessionData($data);
161 return $this->sessionDao->updateObject($this->userSession);
162
163 } else {
164 return true;
165 }
166 }
167
168 /**
169 * Destroy (delete) a session.
170 * @param $sessionId string
171 * @return boolean
172 */
173 function destroy($sessionId) {
174 return $this->sessionDao->deleteSessionById($sessionId);
175 }
176
177 /**
178 * Garbage collect unused session data.
179 * TODO: Use $maxlifetime instead of assuming 24 hours?
180 * @param $maxlifetime int the number of seconds after which data will be seen as "garbage" and cleaned up
181 * @return boolean
182 */
183 function gc($maxlifetime) {
184 return $this->sessionDao->deleteSessionByLastUsed(time() - 86400, Config::getVar('general', 'session_lifetime') <= 0 ? 0 : time() - Config::getVar('general', 'session_lifetime') * 86400);
185 }
186
187 /**
188 * Resubmit the session cookie.
189 * @param $sessionId string new session ID (or false to keep current ID)
190 * @param $expireTime int new expiration time in seconds (0 = current session)
191 * @return boolean
192 */
193 function updateSessionCookie($sessionId = false, $expireTime = 0) {
194 return setcookie(session_name(), ($sessionId === false) ? session_id() : $sessionId, $expireTime, ini_get('session.cookie_path'));
195 }
196
197 /**
198 * Regenerate the session ID for the current user session.
199 * This is useful to guard against the "session fixation" form of hijacking
200 * by changing the user's session ID after they have logged in (in case the
201 * original session ID had been pre-populated).
202 * @return boolean
203 */
204 function regenerateSessionId() {
205 $success = false;
206 $currentSessionId = session_id();
207
208 if (function_exists('session_regenerate_id')) {
209 // session_regenerate_id is only available on PHP >= 4.3.2
210 if (session_regenerate_id() && isset($this->userSession)) {
211 // Delete old session and insert new session
212 $this->sessionDao->deleteSessionById($currentSessionId);
213 $this->userSession->setId(session_id());
214 $this->sessionDao->insertSession($this->userSession);
215 $this->updateSessionCookie(); // TODO: this might not be needed on >= 4.3.3
216 $success = true;
217 }
218
219 } else {
220 // Regenerate session ID (for PHP < 4.3.2)
221 do {
222 // Generate new session ID -- should be random enough to typically execute only once
223 $newSessionId = md5(mt_rand());
224 } while ($this->sessionDao->sessionExistsById($newSessionId));
225
226 if (isset($this->userSession)) {
227 // Delete old session and insert new session
228 $this->sessionDao->deleteSessionById($currentSessionId);
229 $this->userSession->setId($newSessionId);
230 $this->sessionDao->insertSession($this->userSession);
231 $this->updateSessionCookie($newSessionId);
232 $success = true;
233 }
234 }
235
236 return $success;
237 }
238
239 /**
240 * Change the lifetime of the current session cookie.
241 * @param $expireTime int new expiration time in seconds (0 = current session)
242 * @return boolean
243 */
244 function updateSessionLifetime($expireTime = 0) {
245 return $this->updateSessionCookie(false, $expireTime);
246 }
247 }
248
249 ?>
Florian's public PKP OMP repository