/**
* This gets the state for the user
*
* Much of this code if from phpBB (www.phpbb.org). This checks the session
* cookie and long term cookie to get the users state.
*
* @return array returns $_USER array
*
*/
function SESS_sessionCheck()
{
global $_CONF, $_TABLES, $_USER, $_SESS_VERBOSE;
if ($_SESS_VERBOSE) {
COM_errorLog("***Inside SESS_sessionCheck***", 1);
}
unset($_USER);
// We MUST do this up here, so it's set even if the cookie's not present.
$user_logged_in = 0;
$logged_in = 0;
$userdata = array();
// Check for a cookie on the users's machine. If the cookie exists, build
// an array of the users info and setup the theme.
if (isset($_COOKIE[$_CONF['cookie_session']])) {
$sessid = COM_applyFilter($_COOKIE[$_CONF['cookie_session']]);
if ($_SESS_VERBOSE) {
COM_errorLog("got {$sessid} as the session id from lib-sessions.php", 1);
}
$userid = SESS_getUserIdFromSession($sessid, $_CONF['session_cookie_timeout'], $_SERVER['REMOTE_ADDR'], $_CONF['cookie_ip']);
if ($_SESS_VERBOSE) {
COM_errorLog("Got {$userid} as User ID from the session ID", 1);
}
if ($userid > 1) {
// Check user status
$status = SEC_checkUserStatus($userid);
if ($status == USER_ACCOUNT_ACTIVE || $status == USER_ACCOUNT_AWAITING_ACTIVATION) {
$user_logged_in = 1;
SESS_updateSessionTime($sessid, $_CONF['cookie_ip']);
$userdata = SESS_getUserDataFromId($userid);
if ($_SESS_VERBOSE) {
COM_errorLog("Got " . count($userdata) . " pieces of data from userdata", 1);
COM_errorLog(COM_debug($userdata), 1);
}
$_USER = $userdata;
$_USER['auto_login'] = false;
}
} else {
// Session probably expired, now check permanent cookie
if (isset($_COOKIE[$_CONF['cookie_name']])) {
$userid = $_COOKIE[$_CONF['cookie_name']];
if (empty($userid) || $userid == 'deleted') {
unset($userid);
} else {
$userid = COM_applyFilter($userid, true);
$cookie_password = '';
$userpass = '';
if ($userid > 1 && isset($_COOKIE[$_CONF['cookie_password']])) {
$cookie_password = $_COOKIE[$_CONF['cookie_password']];
$userpass = DB_getItem($_TABLES['users'], 'passwd', "uid = {$userid}");
}
if (empty($cookie_password) || $cookie_password != $userpass) {
// User may have modified their UID in cookie, ignore them
} else {
if ($userid > 1) {
// Check user status
$status = SEC_checkUserStatus($userid);
if ($status == USER_ACCOUNT_ACTIVE || $status == USER_ACCOUNT_AWAITING_ACTIVATION) {
$user_logged_in = 1;
$sessid = SESS_newSession($userid, $_SERVER['REMOTE_ADDR'], $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
$userdata = SESS_getUserDataFromId($userid);
$_USER = $userdata;
$_USER['auto_login'] = true;
}
}
}
}
}
}
} else {
if ($_SESS_VERBOSE) {
COM_errorLog('session cookie not found from lib-sessions.php', 1);
}
// Check if the persistent cookie exists
if (isset($_COOKIE[$_CONF['cookie_name']])) {
// Session cookie doesn't exist but a permanent cookie does.
// Start a new session cookie;
if ($_SESS_VERBOSE) {
COM_errorLog('perm cookie found from lib-sessions.php', 1);
}
$userid = $_COOKIE[$_CONF['cookie_name']];
if (empty($userid) || $userid == 'deleted') {
unset($userid);
} else {
$userid = COM_applyFilter($userid, true);
$cookie_password = '';
$userpass = '';
if ($userid > 1 && isset($_COOKIE[$_CONF['cookie_password']])) {
$userpass = DB_getItem($_TABLES['users'], 'passwd', "uid = {$userid}");
$cookie_password = $_COOKIE[$_CONF['cookie_password']];
}
if (empty($cookie_password) || $cookie_password != $userpass) {
// User could have modified UID in cookie, don't do shit
} else {
if ($userid > 1) {
// Check user status
$status = SEC_checkUserStatus($userid);
if ($status == USER_ACCOUNT_ACTIVE || $status == USER_ACCOUNT_AWAITING_ACTIVATION) {
$user_logged_in = 1;
// Create new session and write cookie
$sessid = SESS_newSession($userid, $_SERVER['REMOTE_ADDR'], $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
$userdata = SESS_getUserDataFromId($userid);
$_USER = $userdata;
$_USER['auto_login'] = true;
}
}
}
}
}
}
if ($_SESS_VERBOSE) {
COM_errorLog("***Leaving SESS_sessionCheck***", 1);
}
// Ensure $_USER is set to avoid warnings (path exposure...)
if (isset($_USER)) {
return $_USER;
} else {
return NULL;
}
}
/**
* Complete the login process - setup new session
*
* Complete the login process - create new session for user
*
* @param int $uid User ID of logged in user
* @return none
*
*/
function SESS_completeLogin($uid)
{
global $_TABLES, $_CONF, $_SYSTEM, $_USER;
$request_ip = !empty($_SERVER['REMOTE_ADDR']) ? htmlspecialchars($_SERVER['REMOTE_ADDR']) : '';
// build the $_USER array
$userdata = SESS_getUserDataFromId($uid);
$_USER = $userdata;
// save old session data
$savedSessionData = json_encode($_SESSION);
// create the session
$sessid = SESS_newSession($_USER['uid'], $request_ip, $_CONF['session_cookie_timeout']);
if (isset($_COOKIE[$_CONF['cookie_session']])) {
$cookie_domain = $_CONF['cookiedomain'];
$cookie_path = $_CONF['cookie_path'];
setcookie($_COOKIE[$_CONF['cookie_session']], '', time() - 42000, $cookie_path, $cookie_domain, $_CONF['cookiesecure'], true);
}
session_id($sessid);
session_start();
$_SESSION = json_decode($savedSessionData, true);
// initialize session counter
SESS_setVar('session.counter', 1);
if (!isset($_USER['tzid']) || empty($_USER['tzid'])) {
$_USER['tzid'] = $_CONF['timezone'];
}
// Let plugins act on login event
PLG_loginUser($_USER['uid']);
// check and see if they have remember me set
$cooktime = (int) $_USER['cookietimeout'];
if ($cooktime > 0) {
$cookieTimeout = time() + $cooktime;
$token_ttl = $cooktime;
// set userid cookie
SEC_setCookie($_CONF['cookie_name'], $_USER['uid'], $cookieTimeout, $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure'], true);
$ltToken = SEC_createTokenGeneral('ltc', $token_ttl);
// set long term cookie
SEC_setCookie($_CONF['cookie_password'], $ltToken, $cookieTimeout, $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure'], true);
}
DB_query("UPDATE {$_TABLES['users']} set remote_ip='" . DB_escapeString($request_ip) . "' WHERE uid=" . (int) $_USER['uid'], 1);
if ($_CONF['allow_user_themes']) {
// set theme cookie (or update it )
SEC_setcookie($_CONF['cookie_theme'], $_USER['theme'], time() + 31536000, $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure'], true);
}
}
$consumer->doAction($oauth_userinfo);
}
} else {
$status = -2;
// User just visited login page no error. -1 = error
}
if ($status == USER_ACCOUNT_ACTIVE) {
// logged in AOK.
if ($mode === 'tokenexpired') {
resend_request();
// won't come back
}
DB_change($_TABLES['users'], 'pwrequestid', "NULL", 'uid', $uid);
$userdata = SESS_getUserDataFromId($uid);
$_USER = $userdata;
$sessid = SESS_newSession($_USER['uid'], $_SERVER['REMOTE_ADDR'], $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
PLG_loginUser($_USER['uid']);
// Now that we handled session cookies, handle longterm cookie
if (!isset($_COOKIE[$_CONF['cookie_name']]) || !isset($_COOKIE['cookie_password'])) {
// Either their cookie expired or they are new
$cooktime = COM_getUserCookieTimeout();
if ($VERBOSE) {
COM_errorLog("Trying to set permanent cookie with time of {$cooktime}", 1);
}
if ($cooktime > 0) {
// They want their cookie to persist for some amount of time so set it now
if ($VERBOSE) {
COM_errorLog('Trying to set permanent cookie', 1);
}
SEC_setCookie($_CONF['cookie_name'], $_USER['uid'], time() + $cooktime);
/**
* This gets the state for the user
*
* Much of this code if from phpBB (www.phpbb.org). This checks the session
* cookie and long term cookie to get the users state.
*
* @return void
*
*/
function SESS_sessionCheck()
{
global $_CONF, $_TABLES, $_USER, $_SESS_VERBOSE;
if ($_SESS_VERBOSE) {
COM_errorLog("*** Inside SESS_sessionCheck ***", 1);
}
$_USER = array();
// Check for a cookie on the users's machine. If the cookie exists, build
// an array of the users info and setup the theme.
// Flag indicates if session cookie and session data exist
$session_exists = true;
if (isset($_COOKIE[$_CONF['cookie_session']])) {
$sessid = COM_applyFilter($_COOKIE[$_CONF['cookie_session']]);
if ($_SESS_VERBOSE) {
COM_errorLog("Got {$sessid} as the session ID", 1);
}
$userid = SESS_getUserIdFromSession($sessid, $_CONF['session_cookie_timeout'], $_SERVER['REMOTE_ADDR'], $_CONF['cookie_ip']);
if ($_SESS_VERBOSE) {
COM_errorLog("Got {$userid} as User ID from the session ID", 1);
}
if ($userid > 1) {
// Check user status
$status = SEC_checkUserStatus($userid);
if ($status == USER_ACCOUNT_ACTIVE || $status == USER_ACCOUNT_AWAITING_ACTIVATION) {
SESS_updateSessionTime($sessid, $_CONF['cookie_ip']);
$_USER = SESS_getUserDataFromId($userid);
if ($_SESS_VERBOSE) {
$str = "Got " . count($_USER) . " pieces of data from userdata \n";
foreach ($_USER as $k => $v) {
$str .= sprintf("%15s [%s] \n", $k, $v);
}
COM_errorLog($str, 1);
}
$_USER['auto_login'] = false;
}
} elseif ($userid == 1) {
// Anonymous User has session so update any information
SESS_updateSessionTime($sessid, $_CONF['cookie_ip']);
} else {
// Session probably expired
$session_exists = false;
}
} else {
if ($_SESS_VERBOSE) {
COM_errorLog("Session cookie not found", 1);
}
$session_exists = false;
}
if ($session_exists === false) {
// Check if the permanent cookie exists
$userid = '';
if (isset($_COOKIE[$_CONF['cookie_name']])) {
$userid = COM_applyFilter($_COOKIE[$_CONF['cookie_name']], true);
}
if (!empty($userid)) {
// Session cookie or session data don't exist, but a permanent cookie does.
// Start a new session cookie and session data;
if ($_SESS_VERBOSE) {
COM_errorLog("Got {$userid} as User ID from the permanent cookie", 1);
}
$cookie_password = '';
$userpass = '';
if ($userid > 1 && isset($_COOKIE[$_CONF['cookie_password']])) {
$cookie_password = $_COOKIE[$_CONF['cookie_password']];
$userpass = DB_getItem($_TABLES['users'], 'passwd', "uid = {$userid}");
}
if (empty($cookie_password) || $cookie_password != $userpass) {
if ($_SESS_VERBOSE) {
COM_errorLog("Password comparison failed or cookie password missing", 1);
}
// Invalid or manipulated cookie data
$ctime = time() - 10000;
SEC_setCookie($_CONF['cookie_session'], '', $ctime);
SEC_setCookie($_CONF['cookie_password'], '', $ctime);
SEC_setCookie($_CONF['cookie_name'], '', $ctime);
COM_clearSpeedlimit($_CONF['login_speedlimit'], 'login');
if (COM_checkSpeedlimit('login', $_CONF['login_attempts']) > 0) {
if (!defined('XHTML')) {
define('XHTML', '');
}
COM_displayMessageAndAbort(82, '', 403, 'Access denied');
}
COM_updateSpeedlimit('login');
} elseif ($userid > 1) {
if ($_SESS_VERBOSE) {
COM_errorLog("Password comparison passed", 1);
}
// Check user status
$status = SEC_checkUserStatus($userid);
if ($status == USER_ACCOUNT_ACTIVE || $status == USER_ACCOUNT_AWAITING_ACTIVATION) {
if ($_SESS_VERBOSE) {
COM_errorLog("Create new session and write cookie", 1);
}
// Create new session and write cookie
$sessid = SESS_newSession($userid, $_SERVER['REMOTE_ADDR'], $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
$_USER = SESS_getUserDataFromId($userid);
$_USER['auto_login'] = true;
}
}
} else {
if ($_SESS_VERBOSE) {
COM_errorLog("Permanent cookie not found", 1);
}
// Anonymous user has session id but it has been expired and wiped from the db so reset.
// Or new anonymous user so create new session and write cookie.
$userid = 1;
$sessid = SESS_newSession($userid, $_SERVER['REMOTE_ADDR'], $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
}
}
if ($_SESS_VERBOSE) {
COM_errorLog("*** Leaving SESS_sessionCheck ***", 1);
}
$_USER['session_id'] = $sessid;
}
