1 <?php

     2 // $Id: session.inc,v 1.44.2.6 2008/12/11 00:29:34 goba Exp $

     3 

     4 /**

     5  * @file

     6  * User session handling functions.

     7  */

     8 

     9 function sess_open($save_path, $session_name) {

    10   return TRUE;

    11 }

    12 

    13 function sess_close() {

    14   return TRUE;

    15 }

    16 

    17 function sess_read($key) {

    18   global $user;

    19 

    20   // Write and Close handlers are called after destructing objects since PHP 5.0.5

    21   // Thus destructors can use sessions but session handler can't use objects.

    22   // So we are moving session closure before destructing objects.

    23   register_shutdown_function('session_write_close');

    24 

    25   // Handle the case of first time visitors and clients that don't store cookies (eg. web crawlers).

    26   if (!isset($_COOKIE[session_name()])) {

    27     $user = drupal_anonymous_user();

    28     return '';

    29   }

    30 

    31   // Otherwise, if the session is still active, we have a record of the client's session in the database.

    32   $user = db_fetch_object(db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = '%s'", $key));

    33 

    34   // We found the client's session record and they are an authenticated user

    35   if ($user && $user->uid > 0) {

    36     // This is done to unserialize the data member of $user

    37     $user = drupal_unpack($user);

    38 

    39     // Add roles element to $user

    40     $user->roles = array();

    41     $user->roles[DRUPAL_AUTHENTICATED_RID] = 'authenticated user';

    42     $result = db_query("SELECT r.rid, r.name FROM {role} r INNER JOIN {users_roles} ur ON ur.rid = r.rid WHERE ur.uid = %d", $user->uid);

    43     while ($role = db_fetch_object($result)) {

    44       $user->roles[$role->rid] = $role->name;

    45     }

    46   }

    47   // We didn't find the client's record (session has expired), or they are an anonymous user.

    48   else {

    49     $session = isset($user->session) ? $user->session : '';

    50     $user = drupal_anonymous_user($session);

    51   }

    52 

    53   return $user->session;

    54 }

    55 

    56 function sess_write($key, $value) {

    57   global $user;

    58 

    59   // If saving of session data is disabled or if the client doesn't have a session,

    60   // and one isn't being created ($value), do nothing. This keeps crawlers out of

    61   // the session table. This reduces memory and server load, and gives more useful

    62   // statistics. We can't eliminate anonymous session table rows without breaking

    63   // the throttle module and the "Who's Online" block.

    64   if (!session_save_session() || ($user->uid == 0 && empty($_COOKIE[session_name()]) && empty($value))) {

    65     return TRUE;

    66   }

    67 

    68   db_query("UPDATE {sessions} SET uid = %d, cache = %d, hostname = '%s', session = '%s', timestamp = %d WHERE sid = '%s'", $user->uid, isset($user->cache) ? $user->cache : '', ip_address(), $value, time(), $key);

    69   if (db_affected_rows()) {

    70     // Last access time is updated no more frequently than once every 180 seconds.

    71     // This reduces contention in the users table.

    72     if ($user->uid && time() - $user->access > variable_get('session_write_interval', 180)) {

    73       db_query("UPDATE {users} SET access = %d WHERE uid = %d", time(), $user->uid);

    74     }

    75   }

    76   else {

    77     // If this query fails, another parallel request probably got here first.

    78     // In that case, any session data generated in this request is discarded.

    79     @db_query("INSERT INTO {sessions} (sid, uid, cache, hostname, session, timestamp) VALUES ('%s', %d, %d, '%s', '%s', %d)", $key, $user->uid, isset($user->cache) ? $user->cache : '', ip_address(), $value, time());

    80   }

    81 

    82   return TRUE;

    83 }

    84 

    85 /**

    86  * Called when an anonymous user becomes authenticated or vice-versa.

    87  */

    88 function sess_regenerate() {

    89   $old_session_id = session_id();

    90 

    91   // We code around http://bugs.php.net/bug.php?id=32802 by destroying

    92   // the session cookie by setting expiration in the past (a negative

    93   // value).  This issue only arises in PHP versions before 4.4.0,

    94   // regardless of the Drupal configuration.

    95   // TODO: remove this when we require at least PHP 4.4.0

    96   if (isset($_COOKIE[session_name()])) {

    97     setcookie(session_name(), '', time() - 42000, '/');

    98   }

    99 

   100   session_regenerate_id();

   101 

   102   db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id);

   103 }

   104 

   105 /**

   106  * Counts how many users have sessions. Can count either anonymous sessions or authenticated sessions.

   107  *

   108  * @param int $timestamp

   109  *   A Unix timestamp representing a point of time in the past.

   110  *   The default is 0, which counts all existing sessions.

   111  * @param boolean $anonymous

   112  *   TRUE counts only anonymous users.

   113  *   FALSE counts only authenticated users.

   114  * @return  int

   115  *   The number of users with sessions.

   116  */

   117 function sess_count($timestamp = 0, $anonymous = true) {

   118   $query = $anonymous ? ' AND uid = 0' : ' AND uid > 0';

   119   return db_result(db_query('SELECT COUNT(sid) AS count FROM {sessions} WHERE timestamp >= %d'. $query, $timestamp));

   120 }

   121 

   122 /**

   123  * Called by PHP session handling with the PHP session ID to end a user's session.

   124  *

   125  * @param  string $sid

   126  *   the session id

   127  */

   128 function sess_destroy_sid($sid) {

   129   db_query("DELETE FROM {sessions} WHERE sid = '%s'", $sid);

   130 }

   131 

   132 /**

   133  * End a specific user's session

   134  *

   135  * @param  string $uid

   136  *   the user id

   137  */

   138 function sess_destroy_uid($uid) {

   139   db_query('DELETE FROM {sessions} WHERE uid = %d', $uid);

   140 }

   141 

   142 function sess_gc($lifetime) {

   143   // Be sure to adjust 'php_value session.gc_maxlifetime' to a large enough

   144   // value. For example, if you want user sessions to stay in your database

   145   // for three weeks before deleting them, you need to set gc_maxlifetime

   146   // to '1814400'. At that value, only after a user doesn't log in after

   147   // three weeks (1814400 seconds) will his/her session be removed.

   148   db_query("DELETE FROM {sessions} WHERE timestamp < %d", time() - $lifetime);

   149 

   150   return TRUE;

   151 }

   152 

   153 /**

   154  * Determine whether to save session data of the current request.

   155  *

   156  * This function allows the caller to temporarily disable writing of session data,

   157  * should the request end while performing potentially dangerous operations, such as

   158  * manipulating the global $user object.  See http://drupal.org/node/218104 for usage

   159  *

   160  * @param $status

   161  *   Disables writing of session data when FALSE, (re-)enables writing when TRUE.

   162  * @return

   163  *   FALSE if writing session data has been disabled. Otherwise, TRUE.

   164  */

   165 function session_save_session($status = NULL) {

   166   static $save_session = TRUE;

   167   if (isset($status)) {

   168     $save_session = $status;

   169   }

   170   return ($save_session);

   171 }