Commit eec7280f authored by Imran Hussain's avatar Imran Hussain

set the cookie prefix to the dbname instead of sucssite so you can be logged...

set the cookie prefix to the dbname instead of sucssite so you can be logged into multipule versions of the sucssite without errors
parent 76af36b2
......@@ -2,7 +2,7 @@
// To use:
// include_once "session.php"
// $mysession = new Session;
//
//
// $mysession->loggedin is TRUE if they have logged in
//
// other attributes are :
......@@ -11,7 +11,6 @@
// lastseen - unix timestamp for their previous page access
// data - var/array for persistant data, commit by calling the 'save' method
// Session management and authentication mechanism.
class Session {
public $loggedin=FALSE; // Is this a valid logged in user ?
......@@ -23,7 +22,7 @@ public $groups =array(); // users groups
public $printbalance; // printer balance
public $data=''; // Var/array for session persistant data
public $token=''; // session identifier
public $logintime=''; // Time which user last gave us credentials
public $logintime=''; // Time which user last gave us credentials
public $lastseen=''; // Time of last page request
private $timeout = 2880; // Idle timeout limit in minutes (session deleted), 2880 == 48 hours
private $anonymous_timeout = 120; // Idle timeout limit for sessions which aren't logged in (set lower to stop the session table getting swamped)
......@@ -32,19 +31,17 @@ private $max_session_length = 11520; // maximum length of a session, 11520 == 8
private $table = "session"; // session storage table (const)
private $datahash=''; // hash of data field
// Create a new (insecure) session
private function newsession()
{
global $DB, $preferred_hostname;
global $DB, $preferred_hostname, $dbname;
$token = $this->genSessionID();
$token = $this->genSessionID();
$DB->Execute("insert into {$this->table} (hash, lastseen, ip) values (?,NOW(),?)", array($token, $_SERVER['REMOTE_ADDR']));
setcookie("sucssite_session", $token, NULL, "/", $preferred_hostname);
setcookie($dbname."_session", $token, NULL, "/", $preferred_hostname);
// delete loggedin cookie if it exists
setcookie("sucssite_loggedin", FALSE, time(), "/");
setcookie($dbname."_loggedin", FALSE, time(), "/");
$this->token = $token;
return;
}
......@@ -65,11 +62,11 @@ private $datahash=''; // hash of data field
// Public Object constructor
function __construct()
{
global $DB, $preferred_hostname, $baseurl;
global $DB, $preferred_hostname, $baseurl, $dbname;
unset($token);
// if user requests a page via HTTP and claims to be logged in, bump them to HTTPS
if (!isset($_SERVER['HTTPS']) && (@$_COOKIE['sucssite_loggedin'] == "true")) {
if (!isset($_SERVER['HTTPS']) && (@$_COOKIE[$dbname.'_loggedin'] == "true")) {
header("HTTP/1.0 307 Temporary redirect");
header("Location: https://{$preferred_hostname}{$baseurl}{$_SERVER['PATH_INFO']}");
return;
......@@ -93,13 +90,13 @@ private $datahash=''; // hash of data field
// the possible token data passed from a form
if (isset($_REQUEST['token']))
if (isset($_REQUEST['token']))
$token = $_REQUEST['token'];
// Check if we were handed a specific token identifier
// Otherwise use the value from the cookie we gave out
if (!isset($token) && isset($_COOKIE['sucssite_session']))
$token=@$_COOKIE['sucssite_session'];
if (!isset($token) && isset($_COOKIE[$dbname.'_session']))
$token=@$_COOKIE[$dbname.'_session'];
if (isset($token)) $this->token = $token;
......@@ -111,7 +108,7 @@ private $datahash=''; // hash of data field
// Okay, so we still dont have a session id
// so issue a new one and go back to core
if (!isset($token))
if (!isset($token))
{
$this->newsession();
return;
......@@ -159,7 +156,7 @@ private $datahash=''; // hash of data field
if (isset($this->data['messages'])) {
global $messages;
if (is_array($messages)) {
$messages += $this->data['messages'];
$messages += $this->data['messages'];
} else {
$messages = $this->data['messages'];
}
......@@ -167,9 +164,9 @@ private $datahash=''; // hash of data field
$this->save();
}
}
// generate a string suitable to be used as a session ID
private function genSessionID()
private function genSessionID()
{
global $DB;
$try = 0;
......@@ -203,11 +200,11 @@ private $datahash=''; // hash of data field
// Public function: force a logout of the session
public function logout( )
{
global $DB;
global $DB, $dbname;
$DB->Execute("delete from {$this->table} where hash=?", array($this->token));
$this->newsession();
$this->loggedin = FALSE;
setcookie("sucssite_loggedin", FALSE, time(), "/");
setcookie($dbname."_loggedin", FALSE, time(), "/");
}
// Fill out any extra details we know about the user
......@@ -246,7 +243,7 @@ private $datahash=''; // hash of data field
}
/* check using mod_auth_externals helper
/* check using mod_auth_externals helper
private function check_pass($user, $pass)
{
......@@ -322,7 +319,7 @@ private $datahash=''; // hash of data field
// Private function: process login form
private function session_init($user, $pass)
{
global $DB, $preferred_hostname;
global $DB, $preferred_hostname, $dbname;
// Check that this is a valid session start
// This prevents replay attacks
$sess = $DB->GetAll("select * from {$this->table} where hash=? and username is NULL", array($this->token));
......@@ -338,11 +335,11 @@ private $datahash=''; // hash of data field
// so generate a new one with the secure flag set
$oldtoken = $this->token;
$this->token = $this->genSessionID();
setcookie("sucssite_session", $this->token, time() + $this->max_session_length * 60, "/", $preferred_hostname, TRUE);
setcookie($dbname."_session", $this->token, time() + $this->max_session_length * 60, "/", $preferred_hostname, TRUE);
// set a cookie as a hint that we're logged in
// this can be checked for to allow redirecting to SSL to get the secure cookie
setcookie("sucssite_loggedin", "true", time() + $this->max_session_length * 60, "/");
setcookie($dbname."_loggedin", "true", time() + $this->max_session_length * 60, "/");
// Update the session, filling in the blanks
$DB->Execute("update {$this->table} set hash=?, username=?, logintime='NOW()', lastseen='NOW()', ip=? where hash=?",
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment