Overhauled session code ... in a big way

git-svn-id: file:///svn/phpbb/trunk@208 89ea8834-ac86-4346-8a33-228a782c2dd0
2025-06-10 13:28:55 +00:00 · 2001-04-28 17:54:22 +00:00 · 2001-04-28 17:54:22 +00:00 · ec21217a2a
commit ec21217a2a
parent 9a155b4870
7 changed files with 175 additions and 142 deletions
--- a/phpBB/db/mysql_basic.sql
+++ b/phpBB/db/mysql_basic.sql
@ -16,9 +16,9 @@ INSERT INTO phpbb_forums VALUES (1,'Test Forum 1','This is just a test forum, no
 INSERT INTO phpbb_forum_mods VALUES (1,1,0);
 # -- Users
-INSERT INTO phpbb_users VALUES (1,'admin',NOW(),'21232f297a57a5a743894a0e4a801fc3','admin@yourdomain.com','','','','','','This is just a stupid sig',1,1,'','','',0,1,0,0,0,0,'',4,'','','',0,'-8',1, '');
+INSERT INTO phpbb_users VALUES (1,'admin',NOW(),'21232f297a57a5a743894a0e4a801fc3','admin@yourdomain.com','','','','','','','This is just a stupid sig',1,1,'','','',0,1,0,0,0,0,'',4,'','','',0,'-8',1, '');
-INSERT INTO phpbb_users VALUES (-1,'Anonymous',NOW(),'','','','','','','','',0,0,'','','',0,0,0,0,0,0,'',0,'','','',0,'-8',1,'Default');
+INSERT INTO phpbb_users VALUES (-1,'Anonymous',NOW(),'','','','','','','','','',0,0,'','','',0,0,0,0,0,0,'',0,'','','',0,'-8',1,'Default');
 # -- Themes
-INSERT INTO phpbb_themes VALUES ( '1', 'Default', '', 'FFFFFF', '000000', '', '', '', '', '', '', '', '495FA8', '', '', '000000', 'CCCCCC', 'DDDDDD', 'sans-serif', '', '', '2', '0', '0', 'FFFFFF', '000000', '', '', '', '', '');
+INSERT INTO phpbb_themes VALUES ( '1', 'Default', '', '', 'FFFFFF', '000000', '', '', '', '', '', '', '', '495FA8', '', '', '000000', 'CCCCCC', 'DDDDDD', 'sans-serif', '', '', '2', '0', '0', 'FFFFFF', '000000', '', '', '', '', '');
-INSERT INTO phpbb_themes_name VALUES ( '1', '', '', '', 'Table Header', '', '', 'Table background', 'Row Color 1', 'Row Color 2', '', '', '', 'Titles', '', '', 'Titles', 'General Text', '', '', '', '', '');
+INSERT INTO phpbb_themes_name VALUES ( '1', '', '', '', '', 'Table Header', '', '', 'Table background', 'Row Color 1', 'Row Color 2', '', '', '', 'Titles', '', '', 'Titles', 'General Text', '', '', '', '', '');
--- a/phpBB/db/mysql_schema.sql
+++ b/phpBB/db/mysql_schema.sql
@ -200,13 +200,16 @@ CREATE TABLE phpbb_ranks (
 #
 CREATE TABLE phpbb_session (
-   session_id int(11) unsigned NOT NULL,
+   session_id int(11) NOT NULL,
   session_user_id int(11) NOT NULL,
-   session_time int(11) unsigned NOT NULL,
+   session_start int(11) NOT NULL,
   session_time int(11) NOT NULL,
   session_ip char(8) NOT NULL,
   session_page int(11),
   session_logged_in tinyint(1) NOT NULL,
-   PRIMARY KEY (session_id)
+   PRIMARY KEY (session_id),
   KEY session_ip (session_ip),
   KEY session_user_id (session_user_id)
 );
@ -232,6 +235,7 @@ CREATE TABLE phpbb_smilies (
 CREATE TABLE phpbb_themes (
   themes_id int(11) NOT NULL auto_increment,
   themes_name varchar(30),
   head_stylesheet varchar(100),
   body_background varchar(100),
   body_bgcolor varchar(6),
   body_text varchar(6),
@ -331,6 +335,7 @@ CREATE TABLE phpbb_users (
   username varchar(40) NOT NULL,
   user_regdate varchar(20) NOT NULL,
   user_password varchar(32) NOT NULL,
   user_autologin_key varchar(32),
   user_hint varchar(25) NOT NULL,
   user_email varchar(255),
   user_icq varchar(15),
--- a/phpBB/includes/page_header.php
+++ b/phpBB/includes/page_header.php
@ -67,6 +67,7 @@ $template->assign_vars(array(
 	"L_USERNAME" => $l_username,
 	"L_PASSWORD" => $l_password,
 	"L_LOG_ME_IN" => $l_log_me_in,
 	"L_WELCOMETO" => $l_welcometo,
 	"L_REGISTER" => $l_register,
 	"L_PROFILE" => $l_profile,
@ -97,6 +98,7 @@ $template->assign_vars(array(
 	"S_TOPICS_URL" => POST_TOPIC_URL,
 	"S_USERS_URL" => POST_USERS_URL,
 	"T_HEAD_STYLESHEET" => $theme['head_stylesheet'],
 	"T_BODY_BACKGROUND" => $theme['body_background'],
 	"T_BODY_BGCOLOR" => "#".$theme['body_bgcolor'],
 	"T_BODY_TEXT" => "#".$theme['body_text'],
@ -114,8 +116,8 @@ $template->assign_vars(array(
 	"T_TD_COLOR2" => "#".$theme['td_color2'],
 	"T_TD_COLOR3" => "#".$theme['td_color3'],
 	"T_FONTFACE1" => $theme['fontface1'],
-	"T_FONTFACE2" => $theme['fontface1'],
+	"T_FONTFACE2" => $theme['fontface2'],
-	"T_FONTFACE3" => $theme['fontface1'],
+	"T_FONTFACE3" => $theme['fontface3'],
 	"T_FONTSIZE1" => $theme['fontsize1'],
 	"T_FONTSIZE2" => $theme['fontsize2'],
 	"T_FONTSIZE3" => $theme['fontsize3'],
--- a/phpBB/includes/sessions.php
+++ b/phpBB/includes/sessions.php
@ -27,13 +27,14 @@
 // Adds/updates a new session to the database for the given userid.
 // Returns the new session ID on success.
 //
-function session_begin($user_id, $user_ip, $page_id, $session_length, $login = 0, $password = "") 
+function session_begin($user_id, $user_ip, $page_id, $session_length, $login = FALSE, $autologin = FALSE) 
 {
 	global $db;
 	global $cookiename, $cookiedomain, $cookiepath, $cookiesecure, $cookielife;
 	global $HTTP_COOKIE_VARS;
 	$cookiedata = unserialize($HTTP_COOKIE_VARS[$cookiename]);
 	$current_time = time();
 	$expiry_time = $current_time - $session_length;
 	$int_ip = encode_ip($user_ip);
@ -67,8 +68,8 @@ function session_begin($user_id, $user_ip, $page_id, $session_length, $login = 0
 		}
 		$sql_update = "UPDATE ".SESSIONS_TABLE."
-			SET session_user_id = $user_id, session_time = $current_time, session_page = $page_id, session_logged_in = $login
+			SET session_user_id = '$user_id', session_start = '$current_time', session_time = '$current_time', session_page = '$page_id', session_logged_in = '$login'
-			WHERE (session_id = ".$HTTP_COOKIE_VARS[$cookiename]['sessionid'].")
+			WHERE (session_id = '".$cookiedata['sessionid']."')
 				AND (session_ip = '$int_ip')";
 		$result = $db->sql_query($sql_update);
@ -79,9 +80,9 @@ function session_begin($user_id, $user_ip, $page_id, $session_length, $login = 0
 			$session_id = mt_rand();
 			$sql_insert = "INSERT INTO ".SESSIONS_TABLE."
-					(session_id, session_user_id, session_time, session_ip, session_page, session_logged_in)
+				(session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in)
-					VALUES
+				VALUES
-					($session_id, $user_id, $current_time, '$int_ip', $page_id, $login)";
+				('$session_id', '$user_id', '$current_time', '$current_time', '$int_ip', '$page_id', '$login')";
 			$result = $db->sql_query($sql_insert);
 			if(!$result)
 			{
@ -95,23 +96,41 @@ function session_begin($user_id, $user_ip, $page_id, $session_length, $login = 0
 				}
 			}
-			setcookie($cookiename."[sessionid]", $session_id, $session_length, $cookiepath, $cookiedomain, $cookiesecure);
+			$cookiedata['sessionid'] = $session_id;
 		}
 		else
 		{
-			$session_id = $HTTP_COOKIE_VARS[$cookiename]['sessionid'];
+			$session_id = $cookiedata['sessionid'];
 		}
-		if(!empty($password) && AUTOLOGON)
+		if($autologin)
 		{
-			setcookie($cookiename."[useridref]", $password, $cookielife, $cookiepath, $cookiedomain, $cookiesecure);
+			$autologin_key = md5(uniqid(mt_rand()));
 			$sql_update = "UPDATE ".USERS_TABLE."
 				SET user_autologin_key = '$autologin_key'
 				WHERE user_id = '$user_id'";
 			$result = $db->sql_query($sql_update);
 			if(!$result)
 			{
 				if(DEBUG)
 				{
 					error_die(GENERAL_ERROR, "Couldn't update users autologin key : session_begin", __LINE__, __FILE__);
 				}
 				else
 				{
 					error_die(SQL_QUERY, "Error creating new session", __LINE__ , __FILE__);
 				}
 			}
 			$cookiedata['autologinid'] = $autologin_key;
 		}
 		setcookie($cookiename."[userid]", $user_id, $cookielife, $cookiepath, $cookiedomain, $cookiesecure);
 		setcookie($cookiename."[sessionstart]", $current_time, $cookielife, $cookiepath, $cookiedomain, $cookiesecure);
 		setcookie($cookiename."[sessiontime]", $current_time, $session_length, $cookiepath, $cookiedomain, $cookiesecure);
-//		echo $sql_update."<BR><BR>".$sql_insert."<BR><BR>";
+		$cookiedata['userid'] = $user_id;
 		$cookiedata['sessionstart'] = $current_time;
 		$cookiedata['sessiontime'] = $current_time;
 		$serialised_cookiedata = serialize($cookiedata);
 		setcookie($cookiename, $serialised_cookiedata, $session_length, $cookiepath, $cookiedomain, $cookiesecure);
 	}
 	return $session_id;
@ -129,9 +148,10 @@ function session_pagestart($user_ip, $thispage_id, $session_length)
 	global $cookiename, $cookiedomain, $cookiepath, $cookiesecure, $cookielife;
 	global $HTTP_COOKIE_VARS;
-	unset($userdata);
+	$cookiedata = unserialize($HTTP_COOKIE_VARS[$cookiename]);
 	$current_time = time();
 	$int_ip = encode_ip($user_ip);
 	unset($userdata);
 	//
 	// Delete expired sessions
@ -152,19 +172,23 @@ function session_pagestart($user_ip, $thispage_id, $session_length)
 		}
 	}
-	if(isset($HTTP_COOKIE_VARS[$cookiename]['userid'])) 
+	//
 	// Does a session exist?
 	//
 	if(isset($cookiedata['sessionid']) && isset($cookiedata['userid']))
 	{
 		//
-		// userid exists so go ahead and grab all
+		// session_id & and userid exist so go ahead and attempt
-		// data in preparation
+		// to grab all data in preparation
 		//
-		$userid = $HTTP_COOKIE_VARS[$cookiename]['userid'];
+		$sql = "SELECT u.*, s.*, b.ban_ip, b.ban_userid
-		$sql = "SELECT u.*, s.session_id, s.session_time, s.session_logged_in, b.ban_ip, b.ban_userid
+			FROM ".SESSIONS_TABLE." s
 			FROM ".USERS_TABLE." u
 			LEFT JOIN ".BANLIST_TABLE." b ON ( (b.ban_ip = '$int_ip' OR b.ban_userid = u.user_id)
 				AND ( b.ban_start < $current_time AND b.ban_end > $current_time ) )
-			LEFT JOIN ".SESSIONS_TABLE." s ON ( u.user_id = s.session_user_id  AND s.session_ip = '$int_ip' )
+			LEFT JOIN ".USERS_TABLE." u ON ( u.user_id = s.session_user_id)
-			WHERE u.user_id = $userid";
+			WHERE s.session_id = '".$cookiedata['sessionid']."'
 				AND s.session_user_id = '".$cookiedata['userid']."'
 				AND s.session_ip = '$int_ip'";
 		$result = $db->sql_query($sql);
 		if (!$result) 
 		{
@ -178,144 +202,124 @@ function session_pagestart($user_ip, $thispage_id, $session_length)
 			}
 		}
 		$userdata = $db->sql_fetchrow($result);
 	}
 	if($userdata['user_id'] != ''){  // The ID in the cookie was really in the DB.
 		//
 		// Check for user and ip ban ...
 		// 
 		if($userdata['ban_ip'] || $userdata['ban_userid'])
 		{
 			error_die(BANNED);
 		}
 		//
-		// Now, check to see if a session exists.
+		// Did the session exist in the DB?
-		// If it does then update it, if it doesn't
+		// 
-		// then create one.
+		if(isset($userdata['user_id']))
 		//
 		if(isset($HTTP_COOKIE_VARS[$cookiename]['sessionid'])) 
 		{
 			//
-			// Is the id the same as that in the cookie?
+			// Only update session DB a minute or so after last update
 			// If it is then we see if it needs updating
 			//
-			if($HTTP_COOKIE_VARS[$cookiename]['sessionid'] == $userdata['session_id'])
+			if($current_time - $userdata['session_time'] > 60)
 			{
-
+				$sql = "UPDATE ".SESSIONS_TABLE."
-				//
+					SET session_time = '$current_time', session_page = '$thispage_id'
-				// Only update session DB a minute or so after last update
+					WHERE (session_id = ".$userdata['session_id'].")
-				//
+						AND (session_ip = '$int_ip')
-				if($current_time - $userdata['session_time'] > 60)
+						AND (session_user_id = ".$userdata['user_id'].")";
 				$result = $db->sql_query($sql);
 				if(!$result)
 				{
-
+					if(DEBUG)
 					$sql = "UPDATE ".SESSIONS_TABLE."
 						SET session_time = '$current_time', session_page = '$thispage_id'
 						WHERE (session_id = ".$userdata['session_id'].")
 							AND (session_ip = '$int_ip')
 							AND (session_user_id = ".$userdata['user_id'].")";
 					$result = $db->sql_query($sql);
 					if(!$result)
 					{
-						if(DEBUG)
+						error_die(SQL_QUERY, "Error updating sessions table : session_pagestart", __LINE__, __FILE__);
 						{
 							error_die(SQL_QUERY, "Error updating sessions table : session_pagestart", __LINE__, __FILE__);
 						}
 						else
 						{
 							error_die(SESSION_CREATE);
 						}
 					}
 					else
 					{
-						//
+						error_die(SESSION_CREATE);
-						// Update was success, send current time to cookie
+					}
-						// and return userdata
+				}
-						//
+				else
-						setcookie($cookiename."[sessiontime]", $current_time, $session_length, $cookiepath, $cookiedomain, $cookiesecure);
+				{
 					//
 					// Update was success, send current time to cookie
 					// and return userdata
 					//
 					$cookiedata['sessiontime'] = $current_time;
 					$serialised_cookiedata = serialize($cookiedata);
 					setcookie($cookiename, $serialised_cookiedata, $session_length, $cookiepath, $cookiedomain, $cookiesecure);
-						return $userdata;
+					return $userdata;
-					} // if (affectedrows)
+				}
 				} // if (current_time)
 				//
 				// We didn't need to update session
 				// so just return userdata
 				//
 				return $userdata;
 			} // if (cookie session_id = DB session id)
 		} // if session_id cookie set
 		//
 		// If we reach here then we have a valid
 		// user_id set in the cookie but no
 		// active session. So, try and create
 		// new session (uses AUTOLOGON to determine
 		// if user should be logged back on automatically)
 		//
 		if(AUTOLOGON && isset($HTTP_COOKIE_VARS[$cookiename]['useridref']))
 		{
 			if($HTTP_COOKIE_VARS[$cookiename]['useridref'] == $userdata['user_password'])
 			{
 				$autologon = 1;
 				$password = $userdata['user_password'];
 				$userdata['session_logged_in'] = 1;
 			}
 			else
 			{
 				$autologon = 0;
 				$password = "";
 				$userdata['session_logged_in'] = 0;
 			}
 			//
 			// We didn't need to update session
 			// so just return userdata
 			//
 			return $userdata;
 		}
-		else
+	}
-		{
+	//
-			$autologon = 0;
+	// If we reach here then no (valid) session
-			$password = "";
+	// exists. So we'll create a new one,
-			$userdata['session_logged_in'] = 0;
+	// using the cookie user_id if available to
-		}
+	// pull basic user prefs.
-		$result = session_begin($userdata['user_id'], $user_ip, $thispage_id, $session_length, $autologon, $password);
+	//
-		if(!$result)
+
 	$login = FALSE;
 	$autologin = FALSE;
 	$userdata['session_logged_in'] = 0;
 	if(isset($cookiedata['userid']))
 	{
 		$sql = "SELECT u.*
 			FROM ".USERS_TABLE." u
 			WHERE u.user_id = '".$cookiedata['userid']."'";
 		$result = $db->sql_query($sql);
 		if (!$result) 
 		{
 			if(DEBUG)
 			{
-				error_die(SQL_QUERY, "Error creating ".$userdata['user_id']." session : session_pagestart", __LINE__, __FILE__);
+				error_die(SQL_QUERY, "Error doing DB query userdata row fetch (non-session) : session_pagestart", __LINE__, __FILE__);
 			}
 			else
 			{
 				error_die(SESSION_CREATE);
 			}
 		}
-		$userdata['session_id'] = $result;
+		$userdata = $db->sql_fetchrow($result);
 		if($userdata['user_autologin_key'] && isset($cookiedata['autologinid']))
 		{
 			if($userdata['user_autologin_key'] == $cookiedata['autologinid'])
 			{
 				//
 				// We have a match, and not the kind you light ... 
 				//
 				$userdata['session_logged_in'] = 1;
 				$login = TRUE;
 				$autologin = TRUE;
 			}
 		}
 		$userdata['user_id'] = $cookiedata['userid'];
 	}
 	else
 	{
-
+		$userdata['user_id'] = ANONYMOUS;
 		//
 		// No userid cookie exists so we'll
 		// set up a new anonymous session
 		//
 		$result = session_begin(ANONYMOUS, $user_ip, $thispage_id, $session_length, 0);
 		if(!$result)
 		{
 			if(DEBUG)
 			{
 				error_die(SQL_QUERY, "Error creating anonymous session : session_pagestart", __LINE__, __FILE__);
 			}
 			else
 			{
 				error_die(SESSION_CREATE);
 			}
 		}
 		$userdata['session_id'] = $result;
 		$userdata['session_logged_in'] = 0;
 	}
 	$result = session_begin($userdata['user_id'], $user_ip, $thispage_id, $session_length, $login, $autologin);
 	if(!$result)
 	{
 		if(DEBUG)
 		{
 			error_die(SQL_QUERY, "Error creating ".$userdata['user_id']." session : session_pagestart", __LINE__, __FILE__);
 		}
 		else
 		{
 			error_die(SESSION_CREATE);
 		}
 	}
 	$userdata['session_id'] = $result;
 	$userdata['session_ip'] = $user_ip;
 	return $userdata;
 } // session_check()
@ -330,10 +334,13 @@ function session_end($session_id, $user_id)
 	global $db;
 	global $cookiename, $cookiedomain, $cookiepath, $cookiesecure, $cookielife;
 	global $HTTP_COOKIE_VARS;
 	$cookiedata = unserialize($HTTP_COOKIE_VARS[$cookiename]);
 	$current_time = time();
-	$sql = "DELETE FROM ".SESSIONS_TABLE."
+	$sql = "UPDATE  ".SESSIONS_TABLE."
 		SET session_logged_in = '0'
 		WHERE (session_user_id = $user_id)
 			AND (session_id = $session_id)";
 	$result = $db->sql_query($sql, $db);
@ -349,8 +356,23 @@ function session_end($session_id, $user_id)
 		}
 	}
-	setcookie($cookiename."[sessionid]", "");
+	if($cookiedata['autologinid'])
-	setcookie($cookiename."[sessionend]", $current_time, $cookielife, $cookiepath, $cookiedomain, $cookiesecure);
+	{
 		$sql = "UPDATE ".USERS_TABLE."
 			SET user_autologin_key = ''
 			WHERE user_id = '$user_id'";
 		$result = $db->sql_query($sql, $db);
 		if (!$result) 
 		{
 			die("Couldn't reset autologin info : session_end<br/>". __LINE__ ."<br/>". __FILE__);
 		}
 	}
 	$cookiedata['sessionend'] = $current_time;
 	$cookiedata['autologinid'] = "";
 	$serialised_cookiedata = serialize($cookiedata);
 	setcookie($cookiename, $serialised_cookiedata, $cookielife, $cookiepath, $cookiedomain, $cookiesecure);
 	return true;
--- a/phpBB/language/lang_english.php
+++ b/phpBB/language/lang_english.php
@ -42,6 +42,8 @@ $l_emailaddress	= "Email Address";
 $l_preferences	= "Preferences";
 $l_welcometo    = "Welcome to";
 $l_log_me_in = "Log me in automatically";
 $l_all_times = "All times are";
 $l_hours = "hours";
--- a/phpBB/login.php
+++ b/phpBB/login.php
@ -53,8 +53,10 @@ if(isset($HTTP_POST_VARS['submit']) || isset($HTTP_GET_VARS['submit']))
 		if(count($rowresult))
 		{
 			if(md5($password) == $rowresult["user_password"])
-			{
+			{	
-				$session_id = session_begin($rowresult["user_id"], $user_ip, PAGE_INDEX, $session_length, 1, $rowresult["user_password"]);
+				$autologin = (isset($HTTP_POST_VARS['autologin'])) ? TRUE : FALSE;
 				$session_id = session_begin($rowresult["user_id"], $user_ip, PAGE_INDEX, $session_length, TRUE, $autologin);
 				if($session_id)
 				{
 					header("Location: index.$phpEx");
--- a/phpBB/templates/Default/overall_header.tpl
+++ b/phpBB/templates/Default/overall_header.tpl
@ -45,7 +45,7 @@ A:Hover {
 				<td bgcolor="#CCCCCC"><table width="100%" cellspacing="1" cellpadding="3" border="0">
 					<tr class="tablebody"><form method="POST" action="login.{PHPEX}">
 						<td align="left" valign="top"><a href="index.php"><img src="images/title.jpg" height="55" width="450" border="0"></a></td>
-						<td align="right">{L_USERNAME} : <input type="text" name="username"><br>{L_PASSWORD} : <input type="password" name="password"><br><input type="submit" name="submit" value="Login"></td>
+						<td align="right">{L_USERNAME} : <input type="text" name="username"><br>{L_PASSWORD} : <input type="password" name="password"><br>{L_LOG_ME_IN}<input type="checkbox" name="autologin">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="submit" name="submit" value="Login"></td>
 					</tr></form>
 					<tr class="tablebody">
 						<td colspan="2"><table width="100%" cellspacing="0" cellpadding="0" border="0">