1 |
<?php
|
2 |
//$Header: /hl/cvsroots/gpl01/gpl01/webprojs/fboprime/sw/phplib/sess.inc,v 1.25 2006/11/05 18:26:05 dashley Exp $
|
3 |
//--------------------------------------------------------------------------------------------------------------
|
4 |
//sess.inc--FboPrime Session and Authentication Management Functions and Constants
|
5 |
//Copyright (C) 2006 David T. Ashley
|
6 |
//
|
7 |
//This program is free software; you can redistribute it and/or
|
8 |
//modify it under the terms of the GNU General Public License
|
9 |
//as published by the Free Software Foundation; either version 2
|
10 |
//of the License, or (at your option) any later version.
|
11 |
//
|
12 |
//This program is distributed in the hope that it will be useful,
|
13 |
//but WITHOUT ANY WARRANTY; without even the implied warranty of
|
14 |
//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
15 |
//GNU General Public License for more details.
|
16 |
//
|
17 |
//You should have received a copy of the GNU General Public License
|
18 |
//along with this program; if not, write to the Free Software
|
19 |
//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
20 |
//********************************************************************************
|
21 |
//Implement session and authentication functions.
|
22 |
//--------------------------------------------------------------------------------------------------------------
|
23 |
require_once("global.inc");
|
24 |
require_once("log.inc");
|
25 |
require_once("passwd.inc");
|
26 |
require_once("perm.inc");
|
27 |
require_once("sguid.inc");
|
28 |
require_once("sid.inc");
|
29 |
require_once("strfunc.inc");
|
30 |
require_once("usrs.inc");
|
31 |
require_once("utime.inc");
|
32 |
//
|
33 |
//--------------------------------------------------------------------------------------------------------------
|
34 |
//Constants for database storage, software internals, function parameters, and function return values of
|
35 |
//this module.
|
36 |
//
|
37 |
//Age, in seconds, that an inactive session must reach before the nightly cron job may reap it.
//
define('SESS_REAP_INACTIVE_TIME', 48 * 60 * 60);        //48 hours, in seconds.
//
//Function return values.
//
//Successful action.
define('SESS_RCODE_SUCCESS', 0);
//Authentication succeeded, but on the strength of the temporary password. The user should be
//prompted to change their password as soon as possible.
define('SESS_RCODE_SUCCESS_TEMP_PASSWORD', 1);
//The userid and password authenticated properly, but the underlying userid is expired or
//inactive. The user should be granted no privileges and instructed to contact the FBO.
define('SESS_RCODE_FAIL_USERID_EXPIRED_INACTIVE', 2);
//The specified userid does not exist.
define('SESS_RCODE_FAIL_USERID_NOEXIST', 3);
//The password supplied was incorrect.
define('SESS_RCODE_FAIL_PASSWD', 4);
//
//Session constants for the logical page currently being visited.
//
define('SESS_LPAGE_UNDEFINED', 0);              //Not yet defined, or invalid SQL query result.
define('SESS_LPAGE_SCHEDDAYVIEW', 1);           //Day view scheduler.
define('SESS_LPAGE_SCHEDWEEKVIEW', 2);          //Week view scheduler.
define('SESS_LPAGE_SCHEDMONTHVIEW', 3);         //Month view scheduler.
define('SESS_LPAGE_LOGRESOURCESCHEDULER', 4);   //Log file viewing.
define('SESS_LPAGE_DBSTATS', 5);                //Database statistics.
define('SESS_LPAGE_RESOURCELIST', 6);           //Resource list (or all resources).
define('SESS_LPAGE_RESOURCERENUMBER', 7);       //Resource renumber, going by the name (earlier comment: "Resource list").
define('SESS_LPAGE_RESOURCEVIEW', 8);           //Resource view (of individual resource).
define('SESS_LPAGE_RESOURCEEDIT', 9);           //Resource edit (of individual resource).
define('SESS_LPAGE_RESOURCEADD', 10);           //Resource add, going by the name (earlier comment repeated the edit text).
define('SESS_LPAGE_USERSACTIVELIST', 11);       //Users list (active).
define('SESS_LPAGE_USERSINACTIVELIST', 12);     //Users list (inactive), going by the name (earlier comment said "active").
define('SESS_LPAGE_USERSVIEW', 13);             //User view.
define('SESS_LPAGE_USERSEDIT', 14);             //User edit.
define('SESS_LPAGE_USERSADD', 15);              //User add.
define('SESS_LPAGE_MYRESERVATIONSLIST', 16);    //Self-reservations list.
|
81 |
//
|
82 |
//
|
83 |
//--------------------------------------------------------------------------------------------------------------
|
84 |
//Asks the browser to discard the "fbopsid" session identifier cookie, if it holds one.
//
//The cookie is addressed with the same path (CONFIG_URL_FSPATH . "/") and domain (CONFIG_URL_DOMAIN)
//that are used when it is issued. Passing FALSE as the value is what requests the deletion.
//
//NOTE(review): this clears only the browser's copy of the SID. The matching row in the sess table
//is removed separately, by SESS_delete_by_sid().
//
function SESS_eat_fbopsid_cookie()
{
    $cookie_path   = CONFIG_URL_FSPATH . "/";   //Path within the domain.
    $cookie_domain = CONFIG_URL_DOMAIN;         //Domain.
    $expire        = 0;                         //Left at 0; the FALSE value, not the expiry, eats the cookie.
    $secure_only   = 0;                         //Secure connection not required.

    setcookie("fbopsid", FALSE, $expire, $cookie_path, $cookie_domain, $secure_only);
}
|
97 |
//
|
98 |
//--------------------------------------------------------------------------------------------------------------
|
99 |
//Sends the passed session identifier to the browser as the "fbopsid" cookie.
//
//The cookie lasts until the browser is closed (expiry 0) and is scoped to CONFIG_URL_FSPATH . "/"
//on CONFIG_URL_DOMAIN.
//
//NOTE(review): the secure argument is 0 and no httponly argument is passed, so the SID also travels
//over plain HTTP and can be read by scripts running in the page. Where the site is served over
//HTTPS only, requiring a secure connection (and httponly, on PHP versions that accept it) narrows
//the exposure of the SID--confirm against the deployment before changing.
//
function SESS_issue_fbopsid_cookie($sid)
{
    $cookie_path   = CONFIG_URL_FSPATH . "/";   //Path within the domain.
    $cookie_domain = CONFIG_URL_DOMAIN;         //Domain.
    $expire        = 0;                         //0 keeps the cookie until the browser is closed.
    $secure_only   = 0;                         //Secure connection not required.

    setcookie("fbopsid", $sid, $expire, $cookie_path, $cookie_domain, $secure_only);
}
|
111 |
//
|
112 |
//--------------------------------------------------------------------------------------------------------------
|
113 |
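//Inserts a new record into the sess table and returns the autoincrement index assigned to it.
//
//$arg is an associative array indexed by field name. Only the fields named in $field_defaults
//below are written: a field missing from $arg gets the default listed there, and any other key
//in $arg is ignored. Every value goes through mysql_real_escape_string() and is placed inside
//double quotes in the statement.
//
//Returns the index reported by SELECT LAST_INSERT_ID(), or FALSE if the INSERT or the index
//lookup fails.
//
function SESS_insert($arg)
{
    global $GLOBAL_dbhandle;

    //Column name => value used when the caller supplies none. The column names always come from
    //this fixed list, never from the keys of $arg, so only the values need escaping.
    $field_defaults = array(
        "sguid"          => "",
        "ip"             => "",
        "sid"            => "",
        "revaltime"      => "",
        "lifetime"       => 0,
        "usrsidx"        => 0,
        "menulvl"        => 0,
        "pagereloadtime" => 0,
        "sddt"           => "",
        "sdtim"          => "",
        "logicalpage"    => 0,
        "curuser"        => 0,
        "curresource"    => 0,
        "curreservation" => 0
    );

    //Build one field="value" assignment per column, in the order listed above.
    $assignments = array();
    foreach ($field_defaults as $field => $default)
    {
        $pushval = isset($arg[$field]) ? $arg[$field] : $default;
        $assignments[] = $field . "=\"" . mysql_real_escape_string($pushval, $GLOBAL_dbhandle) . "\"";
    }
    $query_string = "INSERT INTO sess SET " . implode(", ", $assignments);

    //If the insert failed, our caller gets FALSE.
    if (mysql_query($query_string, $GLOBAL_dbhandle) === FALSE)
        return(FALSE);

    //Ask for the index on the same connection that performed the INSERT, because
    //LAST_INSERT_ID() is tracked per connection.
    $result = mysql_query("SELECT LAST_INSERT_ID()", $GLOBAL_dbhandle);
    if ($result === FALSE)
        return(FALSE);

    $row = mysql_fetch_array($result, MYSQL_NUM);
    mysql_free_result($result);

    //No row to read is also a failure; do not index into FALSE.
    if ($row === FALSE)
        return(FALSE);

    return($row[0]);
}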
|
275 |
//
|
276 |
//--------------------------------------------------------------------------------------------------------------
|
277 |
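//Retrieves the sess record with the passed SID as an associative array (field name => value),
//or FALSE if no such record exists or the query fails.
//
//Callers in this file compare the result against FALSE with ===, so every failure path must
//return FALSE itself and never fall off the end of the function (which would yield NULL and be
//taken for a record).
//
function SESS_retrieve_by_sid($sid)
{
    global $GLOBAL_dbhandle;

    //An absent or empty SID cannot name a session. SESS_logout() passes the cookie value through
    //even when it is FALSE, and FALSE would otherwise be escaped to "" and compared against rows
    //whose sid column holds the empty default.
    if (!is_scalar($sid) || strlen((string)$sid) == 0)
        return(FALSE);

    //Form and execute the query. The SID is escaped and quoted.
    $query_string = "SELECT * FROM sess WHERE sid=\""
                    . mysql_real_escape_string($sid, $GLOBAL_dbhandle)
                    . "\"";
    $result = mysql_query($query_string, $GLOBAL_dbhandle);

    //Query failure: there is no result set to free.
    if ($result === FALSE)
        return(FALSE);

    if (mysql_num_rows($result) == 0)
    {
        //No record with that SID.
        $rv = FALSE;
    }
    else
    {
        //At least one record. Take the first, because the SID is supposed to be unique.
        $rv = mysql_fetch_assoc($result);
    }

    //The result set is freed whether or not a row was found.
    mysql_free_result($result);

    return($rv);
}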
|
330 |
//
|
331 |
//--------------------------------------------------------------------------------------------------------------
|
332 |
//Removes the sess row(s) whose sid equals the passed SID, if any exist.
//
//Returns TRUE if at least one row was deleted, or FALSE otherwise. The return value of the DELETE
//itself is not inspected; the answer comes from the affected-row count alone.
//
function SESS_delete_by_sid($sid)
{
    global $GLOBAL_dbhandle;

    //The SID is escaped and quoted before it goes into the statement.
    $escaped_sid = mysql_real_escape_string($sid, $GLOBAL_dbhandle);

    mysql_query("DELETE FROM sess WHERE sid=\"" . $escaped_sid . "\"", $GLOBAL_dbhandle);

    //A count of zero or less means nothing was deleted.
    return (mysql_affected_rows($GLOBAL_dbhandle) > 0);
}
|
358 |
//
|
359 |
//--------------------------------------------------------------------------------------------------------------
|
360 |
//Description:
//   Checks a supplied password against the non-temporary password hash ($userinfo["pwhash"]) of
//   the supplied user record. The stored hash may be the empty string, which means that no
//   password will authenticate.
//
//   Returns TRUE if the authentication was successful or FALSE otherwise.
//
function SESS_nontemppwauth($userinfo, $password)
{
    //PASSWD_pwd_hash_auth() signals a match with 1.
    $verdict = PASSWD_pwd_hash_auth($userinfo["pwhash"], $password);

    return ($verdict == 1);
}
|
374 |
//
|
375 |
//--------------------------------------------------------------------------------------------------------------
|
376 |
//Description:
//   Checks a supplied password against the temporary password hash ($userinfo["lostpwhash"]) of
//   the supplied user record. To authenticate, the temporary password must exist and must not
//   be older than CONFIG_LOGIN_REC_TEMP_PW_LIFETIME minutes, counted from
//   $userinfo["lostpwgentime"].
//
//   Returns TRUE if the authentication was successful or FALSE otherwise.
//
function SESS_temppwauth($userinfo, $password)
{
    global $GLOBAL_utime_ut;

    //No generation time or no hash on record: no temporary password is outstanding.
    if (strlen($userinfo["lostpwgentime"]) == 0 || strlen($userinfo["lostpwhash"]) == 0)
        return FALSE;

    //The configured lifetime is in minutes; the time difference is compared in seconds.
    $age_now     = UTIME_time_diff_coarse_28($GLOBAL_utime_ut, $userinfo["lostpwgentime"]);
    $age_allowed = CONFIG_LOGIN_REC_TEMP_PW_LIFETIME * 60;

    //Temporary password has expired, so it can't authenticate.
    if ($age_now > $age_allowed)
        return FALSE;

    //Still within its lifetime: the hash comparison decides. 1 means a match.
    return (PASSWD_pwd_hash_auth($userinfo["lostpwhash"], $password) == 1);
}
|
411 |
//
|
412 |
//--------------------------------------------------------------------------------------------------------------
|
413 |
//Description:
//   Opens a new session on the server for the passed user record and returns the new SID.
//
//   The session row records a fresh SGUID, the client IP address, the new SID, the current time
//   as the revalidation time, the session lifetime, and the index of the user.
//
//   NOTE(review): the result of SESS_insert() is not examined, so the SID is returned even if
//   the row could not be written.
//
function SESS_open_new_uinfo($userinfo)
{
    global $GLOBAL_client_ip;
    global $GLOBAL_utime_ut;

    //Generate the identifiers first, SGUID before SID.
    $sguid = SGUID_sguid();
    $sid   = SID_sid();

    //The lifetime is the value stored in the user's permission string if it is there, or else
    //the configured default.
    $lifetime = PERM_get_val_from_string($userinfo["perm"], "sesslifetimedefault");
    if ($lifetime === FALSE)
        $lifetime = CONFIG_SESS_LIFETIME_DEFAULT;

    //Insert the record into the database.
    SESS_insert(array(
        "sguid"     => $sguid,
        "ip"        => $GLOBAL_client_ip,
        "sid"       => $sid,
        "revaltime" => $GLOBAL_utime_ut,
        "lifetime"  => $lifetime,
        "usrsidx"   => $userinfo["idx"]
    ));

    return $sid;
}
|
450 |
//
|
451 |
//--------------------------------------------------------------------------------------------------------------
|
452 |
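//Description:
//   Authenticates a supplied userid and password, and returns result information to the caller.
//   This function is called from the main scheduling page when a userid/password is entered.
//
//   In every outcome, any server-side session named by the current SID cookie is destroyed first.
//   What follows depends on the outcome:
//
//      Userid does not exist              : cookie eaten,  $rcode = SESS_RCODE_FAIL_USERID_NOEXIST.
//      Userid exists but is not active    : cookie eaten,  $rcode = SESS_RCODE_FAIL_USERID_EXPIRED_INACTIVE.
//      Non-temporary password matches     : new session and new cookie, $rcode = SESS_RCODE_SUCCESS.
//      Temporary password matches         : new session and new cookie, $rcode = SESS_RCODE_SUCCESS_TEMP_PASSWORD.
//      Userid exists, no password matches : cookie eaten,  $rcode = SESS_RCODE_FAIL_PASSWD.
//
//   The account status is checked before either password is compared.
//
//Return Value:
//   $rcode          :  Set to a constant defined at the start of this file to indicate what occurred.
//   $curuserinfo    :  Set to an associative array containing full user information about a user
//                      who logs in, or FALSE if no user has successfully authenticated.
//   $cursessioninfo :  The complete record for the now active session as returned by
//                      SESS_retrieve_by_sid(), or FALSE if no session is active.
//
//   NOTE(review): SESS_RCODE_FAIL_USERID_NOEXIST and SESS_RCODE_FAIL_PASSWD tell an unknown userid
//   apart from a wrong password. A caller that shows a different message for each tells an
//   unauthenticated visitor which userids exist; the distinction is best kept to the log.
//
//   NOTE(review): a successful temporary-password login does not clear lostpwhash here, so the
//   temporary password stays usable until it expires unless other code invalidates it--confirm.
//
function SESS_userid_pwd_authenticate_open_session($userid, $password, &$rcode, &$curuserinfo, &$cursessioninfo)
{
    global $PAR_fbopsid;
    global $GLOBAL_stime_string;
    global $GLOBAL_client_ip;

    $alnum = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

    //Condition the userid to exclude forbidden characters, then convert it to all lower-case,
    //which is the canonical form for userids. The conditioned value is also the only form of the
    //userid that reaches the log messages below.
    $userid = StrToLower(STRFUNC_force_into_subset($userid, $alnum));

    //Remove all invalid characters from the password, but don't convert it to lower-case.
    //Passwords are case-sensitive.
    $password = STRFUNC_force_into_subset($password, "-" . $alnum);

    //Try to obtain the user information from the database corresponding to the userid.
    $curuserinfo = USRS_retrieve_by_userid($userid);

    //Decide the outcome first. Each branch fixes the return code, the userid field of the log
    //entry and the log text; the actions themselves are shared below.
    $granted = FALSE;
    if ($curuserinfo === FALSE)
    {
        $rcode      = SESS_RCODE_FAIL_USERID_NOEXIST;
        $log_userid = "";
        $log_text   = "Password authentication failure, non-existent userid=\"" . $userid . "\".";
    }
    elseif ($curuserinfo["status"] != USRS_STATUS_ACTIVE)
    {
        $rcode      = SESS_RCODE_FAIL_USERID_EXPIRED_INACTIVE;
        $log_userid = "";
        $log_text   = "Password authentication failure, expired or inactive userid=\"" . $userid . "\".";
    }
    elseif (SESS_nontemppwauth($curuserinfo, $password))
    {
        $granted    = TRUE;
        $rcode      = SESS_RCODE_SUCCESS;
        $log_userid = $userid;
        $log_text   = "Password authentication.";
    }
    elseif (SESS_temppwauth($curuserinfo, $password))
    {
        $granted    = TRUE;
        $rcode      = SESS_RCODE_SUCCESS_TEMP_PASSWORD;
        $log_userid = $userid;
        $log_text   = "Temporary password authentication.";
    }
    else
    {
        //The userid was OK, but the password was wrong.
        $rcode      = SESS_RCODE_FAIL_PASSWD;
        $log_userid = $userid;
        $log_text   = "Password authentication failure, bad password.";
    }

    if (!$granted)
    {
        //Log the authentication failure, quoting the SID cookie that came with the request.
        LOG_log(LOG_ET_LOGIN_FAIL,
                $GLOBAL_stime_string,
                $GLOBAL_client_ip,
                $log_userid,
                ($PAR_fbopsid === FALSE) ? ("") : ($PAR_fbopsid),
                $_SERVER["PHP_SELF"],
                "",
                __FILE__,
                __LINE__,
                $log_text);

        //Destroy any existing server-side session information based on the current SID cookie.
        if ($PAR_fbopsid !== FALSE)
            SESS_delete_by_sid($PAR_fbopsid);

        //Eat the client-side cookie.
        SESS_eat_fbopsid_cookie();

        //No user and no session.
        $curuserinfo    = FALSE;
        $cursessioninfo = FALSE;
        return;
    }

    //Authentication succeeded. Destroy the session named by the cookie that came with this
    //request, so that the old SID stops being accepted once the new one is issued. Without this
    //the previous session row stays usable until it expires or is reaped.
    if ($PAR_fbopsid !== FALSE)
        SESS_delete_by_sid($PAR_fbopsid);

    //Open a new session on the server side.
    $sid = SESS_open_new_uinfo($curuserinfo);

    //Log the authentication success.
    LOG_log(LOG_ET_LOGIN_OK,
            $GLOBAL_stime_string,
            $GLOBAL_client_ip,
            $log_userid,
            $sid,
            $_SERVER["PHP_SELF"],
            "",
            __FILE__,
            __LINE__,
            $log_text);

    //Issue the new cookie to the browser. The old cookie need not be eaten first, as this one
    //will just replace it.
    SESS_issue_fbopsid_cookie($sid);

    //The current user information has already been obtained. Pull the session information.
    $cursessioninfo = SESS_retrieve_by_sid($sid);
}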
|
708 |
//
|
709 |
//--------------------------------------------------------------------------------------------------------------
|
710 |
//Logs out the user implied by the current SID cookie. The specific actions are:
//   a)Eat the client-side SID cookie.
//   b)Destroy any existing server-side session information.
//   c)Log the logout, with the userid the session belonged to if it could be resolved.
//
//Return Values:
//   $curuserinfo    : By the definition of what this function does, FALSE.
//   $cursessioninfo : By the definition of what this function does, FALSE.
//
function SESS_logout(&$curuserinfo, &$cursessioninfo)
{
    global $PAR_fbopsid;
    global $GLOBAL_stime_string;
    global $GLOBAL_client_ip;

    //Keep the SID from the cookie, so it can be logged after the session is gone.
    $log_sid = $PAR_fbopsid;

    //Resolve the session, and through it the user, while the row still exists. The lookup is
    //made with whatever the cookie held, including FALSE when no cookie was presented.
    $cursessioninfo = SESS_retrieve_by_sid($log_sid);
    $curuserinfo    = ($cursessioninfo !== FALSE)
                      ? USRS_retrieve_by_idx($cursessioninfo["usrsidx"])
                      : FALSE;

    //Swallow any session cookie.
    SESS_eat_fbopsid_cookie();

    //Destroy the server-side session state, if any.
    if ($PAR_fbopsid !== FALSE)
        SESS_delete_by_sid($PAR_fbopsid);

    //Log the voluntary logout. The userid and SID fields are empty when they are not known.
    $logged_userid = ($curuserinfo !== FALSE) ? ($curuserinfo["userid"]) : ("");
    $logged_sid    = ($log_sid === FALSE) ? ("") : ($log_sid);
    LOG_log(LOG_ET_LOGOUT_VOL,
            $GLOBAL_stime_string,
            $GLOBAL_client_ip,
            $logged_userid,
            $logged_sid,
            $_SERVER["PHP_SELF"],
            "",
            __FILE__,
            __LINE__,
            "Logout.");

    //Return values are, by definition, FALSE.
    $curuserinfo    = FALSE;
    $cursessioninfo = FALSE;
}
|
765 |
//
|
766 |
//--------------------------------------------------------------------------------------------------------------
|
767 |
//Revalidates the session using the current SID cookie. The specific actions are:
|
768 |
//
|
769 |
// If the SID does not exist on the server side:
|
770 |
// a)Eat the current client SID cookie.
|
771 |
// Else if the session has expired due to inactivity:
|
772 |
// a)Destroy the server-side session state.
|
773 |
// b)Eat the client-side SID cookie.
|
774 |
// Else [if the session is still active]:
|
775 |
// Obtain the user information.
|
776 |
// If the user does not exist or is inactive:
|
777 |
// a)Destroy the server-side session state.
|
778 |
// b)Eat the client-side SID cookie.
|
779 |
// Else
|
780 |
// If the privilege escalation period has expired
|
781 |
// Lower the privelege escalation level.
|
782 |
// Update the revalidation time.
|
783 |
//
|
784 |
//Return Values:
|
785 |
// $curuserinfo : An associative array containing the complete record for the currently
|
786 |
// authenticated user, or FALSE if no user is authenticated.
|
787 |
// $cursessioninfo : An associative array containing the complete record for the currently
|
788 |
// active session, or FALSE if no session is active.
|
789 |
//
|
790 |
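function SESS_revalidate(&$curuserinfo, &$cursessioninfo)
{
    //Revalidates the session named by the SID cookie ($PAR_fbopsid) and reports the outcome
    //through the two by-reference parameters.
    //
    //On success $cursessioninfo receives the session record, $curuserinfo receives the user
    //record, and the session's revaltime is advanced to the current time.  On every failure
    //path both are FALSE.
    //
    //Checks, in order:  SID present -> session record exists -> user record exists ->
    //user is active -> session has not timed out -> client IP matches the stored one.
    //
    //NOTE(review): the header comment above this function also describes lowering an expired
    //privilege escalation level.  No such step appears in this function body--confirm
    //that it is handled elsewhere.
    //
    //NOTE(review): the IP binding is only as trustworthy as $GLOBAL_client_ip.  Where that
    //value is derived is not visible here--confirm it is the socket peer address and not a
    //client-supplied header.
    global $GLOBAL_dbhandle;
    global $PAR_fbopsid;
    global $GLOBAL_stime_string;
    global $GLOBAL_client_ip;
    global $GLOBAL_utime_ut;

    //Fail closed:  the outputs stay FALSE until every check below has passed.
    $curuserinfo    = FALSE;
    $cursessioninfo = FALSE;

    //If the SID isn't defined, no user and no session.
    if ($PAR_fbopsid === FALSE)
        return;

    //Try to look up the session in the database.  A miss is a bit suspicious but not
    //impossible:  the database could have been reaped while somebody left their browser
    //open for a long time.
    $sessrec = SESS_retrieve_by_sid($PAR_fbopsid);
    if ($sessrec === FALSE)
    {
        LOG_log(LOG_ET_SEC_SID_FORGED,
                $GLOBAL_stime_string,
                $GLOBAL_client_ip,
                "",
                $PAR_fbopsid,
                $_SERVER["PHP_SELF"],
                "",
                __FILE__,
                __LINE__,
                "SID cookie value does not exist in server database, and was possibly forged.");
        return;
    }

    //Session exists.  Look up the user it names.  A miss should only happen if the user was
    //expired or deleted during the session.
    $usrrec = USRS_retrieve_by_idx($sessrec["usrsidx"]);
    if ($usrrec === FALSE)
    {
        LOG_log(LOG_ET_SEC_SID_FORGED,
                $GLOBAL_stime_string,
                $GLOBAL_client_ip,
                "",
                $PAR_fbopsid,
                $_SERVER["PHP_SELF"],
                "",
                __FILE__,
                __LINE__,
                "User index pointed to by SID record does not exist (idx=" . (string)$sessrec["usrsidx"] . ").");

        //The header comment specifies the same teardown for a missing user as for an
        //inactive one.  Without it the orphaned session record would stay in the database
        //and the browser would keep presenting the SID.
        SESS_delete_by_sid($PAR_fbopsid);
        SESS_eat_fbopsid_cookie();
        return;
    }

    //If the user pointed to by the session isn't active, the user was probably expired or
    //had the status changed manually during the session.  Refuse and tear the session down.
    if ($usrrec["status"] != USRS_STATUS_ACTIVE)
    {
        LOG_log(LOG_ET_SEC_SID_FORGED,
                $GLOBAL_stime_string,
                $GLOBAL_client_ip,
                "",
                $PAR_fbopsid,
                $_SERVER["PHP_SELF"],
                "",
                __FILE__,
                __LINE__,
                "User pointed to by SID record has inactive status (idx=" . (string)$sessrec["usrsidx"] . ").");

        SESS_delete_by_sid($PAR_fbopsid);
        SESS_eat_fbopsid_cookie();
        return;
    }

    //If the session has expired due to time, then log it and force the user out.
    if (UTIME_time_diff_coarse_28($GLOBAL_utime_ut, $sessrec["revaltime"]) > (int)$sessrec["lifetime"])
    {
        LOG_log(LOG_ET_LOGOUT_TIME,
                $GLOBAL_stime_string,
                $GLOBAL_client_ip,
                $usrrec["userid"],
                $PAR_fbopsid,
                $_SERVER["PHP_SELF"],
                "",
                __FILE__,
                __LINE__,
                "Session expired due to inactive time.");

        SESS_delete_by_sid($PAR_fbopsid);
        SESS_eat_fbopsid_cookie();
        return;
    }

    //If the connecting IP of the session has changed, this is bad news and probably some
    //type of security issue.  Both sides are compared as strings so that PHP's numeric-string
    //juggling can never treat two different texts as equal.
    if ((string)$sessrec["ip"] !== (string)$GLOBAL_client_ip)
    {
        LOG_log(LOG_ET_SEC_LOGOUT_IP,
                $GLOBAL_stime_string,
                $GLOBAL_client_ip,
                $usrrec["userid"],
                $PAR_fbopsid,
                $_SERVER["PHP_SELF"],
                "",
                __FILE__,
                __LINE__,
                "Stored session IP:" . $sessrec["ip"] . "  Current connection IP:" . $GLOBAL_client_ip . ".");

        SESS_delete_by_sid($PAR_fbopsid);
        SESS_eat_fbopsid_cookie();
        return;
    }

    //All the error conditions have been ruled out.  Give the session a newer timestamp.  The
    //result of the UPDATE is not checked:  if it fails the session simply keeps its older
    //revaltime and times out sooner.
    mysql_query("UPDATE sess SET revaltime=\""
                . mysql_real_escape_string($GLOBAL_utime_ut, $GLOBAL_dbhandle)
                . "\" WHERE sid=\""
                . mysql_real_escape_string($PAR_fbopsid, $GLOBAL_dbhandle)
                . "\"",
                $GLOBAL_dbhandle);

    LOG_log(LOG_ET_REVAL_OK,
            $GLOBAL_stime_string,
            $GLOBAL_client_ip,
            $usrrec["userid"],
            $PAR_fbopsid,
            $_SERVER["PHP_SELF"],
            "",
            __FILE__,
            __LINE__,
            "Session revalidation.");

    //Only now are the records handed back to the caller.
    $curuserinfo    = $usrrec;
    $cursessioninfo = $sessrec;
}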
//
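//--------------------------------------------------------------------------------------------------------------
//Decrements the current menu level, stores it in the correct session record of the database,
//and returns the new level, clipped to [0, 2].
//
//Parameters:
//   $sid_in            : Session identifier of the record to update.  It is escaped here before
//                        being placed in the query text, so the function does not depend on the
//                        caller having validated it.
//   $menulevel_current : The menu level before the decrement.
//
//Return value:  the new menu level (1 if the current level is 2, otherwise 0).
//
//No mutual exclusion should be necessary, as a session is tied to one terminal IP--unless a user
//has multiple browsers open and is doing something unusual, there should be nothing noticeable.
//Even then it is iffy and there will be no ill effects.
//
function SESS_menulevel_decrement($sid_in, $menulevel_current)
{
    global $GLOBAL_dbhandle;

    //2 drops to 1; 1, 0 and anything out of range all end at 0.
    $menulevel_new = ($menulevel_current == 2) ? 1 : 0;

    //Form a query to assign the new menu level to the session ID record.  The SID is escaped
    //in the same way as the other queries in this file that take it from the SID cookie.
    $query_string = "UPDATE sess SET menulvl=\""
                    . (string)$menulevel_new
                    . "\" WHERE sid=\""
                    . mysql_real_escape_string((string)$sid_in, $GLOBAL_dbhandle)
                    . "\"";

    //Run the query.  We don't much care whether it fails or succeeds (nothing to be done, anyway).
    mysql_query($query_string, $GLOBAL_dbhandle);

    //Return the new value.
    return($menulevel_new);
}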
//
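//--------------------------------------------------------------------------------------------------------------
//Increments the current menu level, stores it in the correct session record of the database,
//and returns the new level, clipped to [0, 2].
//
//Parameters:
//   $sid_in            : Session identifier of the record to update.  It is escaped here before
//                        being placed in the query text, so the function does not depend on the
//                        caller having validated it.
//   $menulevel_current : The menu level before the increment.
//
//Return value:  the new menu level (1 if the current level is 0, otherwise 2).
//
//No mutual exclusion should be necessary, as a session is tied to one terminal IP--unless a user
//has multiple browsers open and is doing something unusual, there should be nothing noticeable.
//Even then it is iffy and there will be no ill effects.
//
function SESS_menulevel_increment($sid_in, $menulevel_current)
{
    global $GLOBAL_dbhandle;

    //0 rises to 1; 1, 2 and anything out of range all end at 2.
    $menulevel_new = ($menulevel_current == 0) ? 1 : 2;

    //Form a query to assign the new menu level to the session ID record.  The SID is escaped
    //in the same way as the other queries in this file that take it from the SID cookie.
    $query_string = "UPDATE sess SET menulvl=\""
                    . (string)$menulevel_new
                    . "\" WHERE sid=\""
                    . mysql_real_escape_string((string)$sid_in, $GLOBAL_dbhandle)
                    . "\"";

    //Run the query.  We don't much care whether it fails or succeeds (nothing to be done, anyway).
    mysql_query($query_string, $GLOBAL_dbhandle);

    //Return the new value.
    return($menulevel_new);
}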
//
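//--------------------------------------------------------------------------------------------------------------
//Updates the SDDT and SDTIM associated with the session, session identifier passed.
//
//To update only SDDT or SDTIM, set the other parameter FALSE.
//
//If both parameters are FALSE, nothing will be updated.
//
//Parameters:
//   $sid_in   : Session identifier of the record to update.
//   $sddt_in  : New sddt column value, or FALSE to leave the column alone.
//   $sdtim_in : New sdtim column value, or FALSE to leave the column alone.
//
//All three values are escaped before they are placed in the query text.  No value is returned.
//
function SESS_update_sddt_sdtim($sid_in, $sddt_in, $sdtim_in)
{
    global $GLOBAL_dbhandle;

    //Collect one "column=value" assignment per parameter that was actually supplied.
    $assignments = array();

    if ($sddt_in !== FALSE)
    {
        $assignments[] = "sddt=\""
                         . mysql_real_escape_string((string)$sddt_in, $GLOBAL_dbhandle)
                         . "\"";
    }

    if ($sdtim_in !== FALSE)
    {
        $assignments[] = "sdtim=\""
                         . mysql_real_escape_string((string)$sdtim_in, $GLOBAL_dbhandle)
                         . "\"";
    }

    //Do nothing.  Neither parameter is specified.
    if (count($assignments) == 0)
        return;

    //The SID is escaped like the two values above; it is request-derived in the same way.
    $query_string = "UPDATE sess SET "
                    . implode(", ", $assignments)
                    . " WHERE sid=\""
                    . mysql_real_escape_string((string)$sid_in, $GLOBAL_dbhandle)
                    . "\"";

    //Run the query.  We don't much care whether it fails or succeeds (nothing to be done, anyway).
    mysql_query($query_string, $GLOBAL_dbhandle);
}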
//
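//--------------------------------------------------------------------------------------------------------------
//Updates the logicalpage associated with a session.
//
//Parameters:
//   $sid_in         : Session identifier of the record to update.
//   $logicalpage_in : New logicalpage column value.
//
//Both values are escaped before they are placed in the query text.  No value is returned.
//
function SESS_logicalpage_set($sid_in, $logicalpage_in)
{
    global $GLOBAL_dbhandle;

    //The SID is escaped like the page value, matching SESS_logicalpage_get(), which reads
    //the same column.
    $query_string = "UPDATE sess SET logicalpage=\""
                    . mysql_real_escape_string((string)$logicalpage_in, $GLOBAL_dbhandle)
                    . "\" WHERE sid=\""
                    . mysql_real_escape_string((string)$sid_in, $GLOBAL_dbhandle)
                    . "\"";

    //Run the query.  We don't much care whether it fails or succeeds (nothing to be done, anyway).
    mysql_query($query_string, $GLOBAL_dbhandle);
}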
//
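//--------------------------------------------------------------------------------------------------------------
//Gets the logicalpage integer associated with a session.  Returns SESS_LPAGE_UNDEFINED if can't figure
//out what that is.
//
//Parameters:
//   $sid_in : Session identifier of the record to read.  It is escaped before being placed in
//             the query text.
//
//Return value:  the logicalpage column value as the database driver returns it when it is
//greater than zero.  SESS_LPAGE_UNDEFINED is returned when the query fails, when no session
//record matches, or when the stored value is not greater than zero.
//
function SESS_logicalpage_get($sid_in)
{
    global $GLOBAL_dbhandle;

    //Form the query string.
    $query_string = "SELECT logicalpage FROM sess WHERE sid=\""
                    . mysql_real_escape_string($sid_in, $GLOBAL_dbhandle)
                    . "\"";

    //Execute the query.
    $result = mysql_query($query_string, $GLOBAL_dbhandle);

    //Unknown query failure.  Tell the caller we don't know.
    if ($result === FALSE)
        return(SESS_LPAGE_UNDEFINED);

    //Fetch the first row and release the result set before looking at the value.
    $row = mysql_fetch_array($result, MYSQL_NUM);
    mysql_free_result($result);

    //No row means no such session.  Handle that explicitly instead of indexing into FALSE.
    if (($row === FALSE) || !isset($row[0]))
        return(SESS_LPAGE_UNDEFINED);

    $rv = $row[0];

    //Only a positive page number is meaningful.
    if ($rv > 0)
        return($rv);

    return(SESS_LPAGE_UNDEFINED);
}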
//
//--------------------------------------------------------------------------------------------------------------
//End of $RCSfile: sess.inc,v $.
//--------------------------------------------------------------------------------------------------------------
?>