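/**
 * Check whether the client presents a valid session for $cookie and, if so,
 * load the matching user record into $GLOBALS["PHORUM"]["user"].
 *
 * The session id is looked up, in this order, in a real cookie, in the
 * Phorum URI args, in the POST data and finally in the GET parameters.
 * Cookie based sessions carry "<user_id>:<session token>"; URI based
 * sessions carry only the short-term session id.
 *
 * @param string $cookie  PHORUM_SESSION_LONG_TERM (default),
 *                        PHORUM_SESSION_SHORT_TERM or PHORUM_SESSION_ADMIN.
 * @return bool  true when an active user with a matching session was found.
 *
 * Side effects: $GLOBALS["PHORUM"]["use_cookies"] is set to reflect where
 * the session id came from; an unusable session is cleared through
 * phorum_user_clear_session(); a valid one is renewed through
 * phorum_user_create_session(); and the user's last-activity fields are
 * saved when activity tracking is enabled.
 */
function phorum_user_check_session( $cookie = PHORUM_SESSION_LONG_TERM )
{
    $PHORUM = $GLOBALS["PHORUM"];

    // If we do URI based authentication, we will only look at the
    // PHORUM_SESSION_LONG_TERM session (which is the session key that is
    // stored in the URI). Here we rewrite requests for
    // PHORUM_SESSION_SHORT_TERM so we will handle tighter security correctly.
    if ( isset($PHORUM["use_cookies"]) && ! $PHORUM["use_cookies"] &&
         $cookie == PHORUM_SESSION_SHORT_TERM) {
        $cookie = PHORUM_SESSION_LONG_TERM;
    }

    // Locate the session id. $sessid stays null when the client sent none.
    $sessid = null;
    if ( ( $cookie != PHORUM_SESSION_LONG_TERM || ( isset( $PHORUM["use_cookies"] ) && $PHORUM["use_cookies"] ) ) && isset( $_COOKIE[$cookie] ) ) { // REAL cookies ;)
        $sessid = $_COOKIE[$cookie];
        $GLOBALS["PHORUM"]["use_cookies"]=true;
    } elseif ( isset( $PHORUM["args"][$cookie] ) ) { // in the p5-urls
        $sessid = $PHORUM["args"][$cookie];
        $GLOBALS["PHORUM"]["use_cookies"]=false;
    } elseif ( isset( $_POST[$cookie] ) ) { // from post-forms
        $sessid = $_POST[$cookie];
        $GLOBALS["PHORUM"]["use_cookies"]=false;
    } elseif ( isset( $_GET[$cookie] ) ) { // should rarely happen but helps in some cases
        $sessid = $_GET[$cookie];
        $GLOBALS["PHORUM"]["use_cookies"]=false;
    }

    // Only a scalar session id is meaningful; an array value (e.g. a
    // "name[]=x" request parameter) must not reach explode()/urldecode().
    if ( is_array($sessid) ) {
        $sessid = null;
    }

    $success = false;
    $use_cookies = !empty($GLOBALS["PHORUM"]["use_cookies"]);

    if ( !empty( $sessid ) && $use_cookies ) {
        // Cookie authentication: the cookie value is "<user_id>:<token>".
        $parts = explode( ":", (string)$sessid, 2 );
        $userid = $parts[0];
        // A missing token is treated as an empty (never matching) token
        // instead of raising an undefined-offset notice.
        $md5session = isset($parts[1]) ? $parts[1] : '';

        // The user id half must be a plain decimal integer. ctype_digit() is
        // stricter than is_numeric(), which would also accept values such as
        // "1e3", "1.5" or a leading space.
        if ( !ctype_digit((string)$userid) ) {
            phorum_user_clear_session( $cookie );
            return false;
        }

        $user=phorum_user_get($userid, true, true);
        if (empty($user)) {
            phorum_user_clear_session( $cookie );
            return false;
        }

        $stored_lt = isset($user['cookie_sessid_lt']) ? $user['cookie_sessid_lt'] : '';
        $stored_st = isset($user['sessid_st']) ? $user['sessid_st'] : '';

        // Select the stored token the presented token has to match. The admin
        // token is derived from the long-term token plus the admin session
        // salt, so the two cookie values are not interchangeable.
        $token_ok = false;
        if ( $cookie == PHORUM_SESSION_LONG_TERM ) {
            $token_ok = phorum_user_session_token_equals( $stored_lt, $md5session );
        } elseif ( $cookie == PHORUM_SESSION_SHORT_TERM ) {
            $token_ok = phorum_user_session_token_equals( $stored_st, $md5session );
        } elseif ( $cookie == PHORUM_SESSION_ADMIN ) {
            $salt = isset($PHORUM["admin_session_salt"]) ? $PHORUM["admin_session_salt"] : '';
            $token_ok = !empty($stored_lt) &&
                        phorum_user_session_token_equals( md5($stored_lt.$salt), $md5session );
        }

        if ( $token_ok ) {
            if ( !empty($user["active"]) ) {
                // write access is false by default, need to check the st-cookie too
                $user['write_access']=false;

                $GLOBALS["PHORUM"]["user"] = $user;
                $success = true;

                phorum_user_create_session( $cookie );
            } else {
                phorum_user_clear_session( $cookie );
            }
        }
    } elseif ( !empty( $sessid ) && !$use_cookies ) {
        // URI authentication: the request only carries the short-term session id.
        $uri_session_id = urldecode( (string)$sessid );
        $user_id = phorum_db_user_check_field('sessid_st',$uri_session_id,'=');
        if ( $user_id ) {
            $user = phorum_user_get( $user_id, true, true );
            if ( !empty($user) && !empty($user["active"]) ) {
                // write access is enabled for uri-authentication as thats requiring login at every visit
                $user['write_access']=true;

                $GLOBALS["PHORUM"]["user"] = $user;
                $success = true;
                phorum_user_create_session( $cookie, false, $user['sessid_st'] );
            } else {
                phorum_user_clear_session( $cookie );
            }
        }
    }

    // track user activity: only write when the last stamp is older than the
    // configured interval, to avoid a DB write on every request
    if ( $success && !empty($PHORUM["track_user_activity"]) ) {
        $now = time();
        if ( $GLOBALS["PHORUM"]["user"]["date_last_active"] < $now - $PHORUM["track_user_activity"] ) {
            $tmp_user = array(
                "user_id"           => $GLOBALS["PHORUM"]["user"]["user_id"],
                "date_last_active"  => $now,
                "last_active_forum" => isset($PHORUM['forum_id']) ? $PHORUM['forum_id'] : 0,
            );
            phorum_user_save_simple( $tmp_user );
        }
    }

    return $success;
}

/**
 * Compare a stored session token with a token presented by the client.
 *
 * Both values are compared as strings and strictly: the loose == used
 * previously treats numeric-looking strings such as "0e1" and "0e2" as
 * equal. hash_equals() (PHP >= 5.6) additionally avoids leaking the position
 * of the first mismatching byte through timing; older runtimes fall back to
 * a plain strict comparison.
 *
 * @param mixed $known  token stored for the user (empty means "no token")
 * @param mixed $given  token taken from the cookie, URI, POST or GET data
 * @return bool  true only when a non-empty stored token matches exactly.
 */
function phorum_user_session_token_equals( $known, $given )
{
    if ( empty($known) ) {
        return false;
    }
    $known = (string)$known;
    $given = (string)$given;
    if ( function_exists('hash_equals') ) {
        return hash_equals( $known, $given );
    }
    return $known === $given;
}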
// Page identifier this script registers before loading the Phorum core.
define('phorum_page','login');

// Phorum core plus the user and e-mail helpers this login page relies on.
include_once( "./common.php" );
include_once( "./include/users.php" );
include_once( "./include/email_functions.php" );

// ----------------------------------------------------------------------------
// Handle logout
// ----------------------------------------------------------------------------

if ($PHORUM['DATA']['LOGGEDIN'] && !empty($PHORUM["args"]["logout"])) {

    // killing long-term cookie
    phorum_user_clear_session(PHORUM_SESSION_LONG_TERM);
    // killing short-term (write) cookie
    phorum_user_clear_session(PHORUM_SESSION_SHORT_TERM);

    // reset the sessid if not using cookies
    if(!$PHORUM['use_cookies']) {

        $new_sessid=md5($_POST['username'].microtime().$_POST['password']);

        $user=array(
        'user_id'=>$PHORUM['user']['user_id'],
        'sessid_st'=>$new_sessid
        );
        phorum_user_save_simple($user);
    }


    // Determine the URL to redirect the user to. The hook "after_logout"
<?php

////////////////////////////////////////////////////////////////////////////////
//                                                                            //
//   Copyright (C) 2006  Phorum Development Team                              //
//   http://www.phorum.org                                                    //
//                                                                            //
//   This program is free software. You can redistribute it and/or modify     //
//   it under the terms of either the current Phorum License (viewable at     //
//   phorum.org) or the Phorum License that was distributed with this file    //
//                                                                            //
//   This program is distributed in the hope that it will be useful,          //
//   but WITHOUT ANY WARRANTY, without even the implied warranty of           //
//   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                     //
//                                                                            //
//   You should have received a copy of the Phorum License                    //
//   along with this program.                                                 //
////////////////////////////////////////////////////////////////////////////////

    // This module is only meant to run from inside the Phorum admin
    // front controller, which defines PHORUM_ADMIN; bail out otherwise.
    if (!defined("PHORUM_ADMIN")) {
        return;
    }

    // Drop the admin session and send the browser back to the current
    // script. Note that PHP_SELF also contains any PATH_INFO the client
    // appended to the request, so the redirect target is partly
    // client-controlled (same host, same script).
    phorum_user_clear_session("phorum_admin_session");
    phorum_redirect_by_url($_SERVER['PHP_SELF']);
    // Nothing after the redirect must be rendered.
    exit();

?>