1 <?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
\r
5 * An open source application development framework for PHP 4.3.2 or newer
\r
7 * @package CodeIgniter
\r
8 * @author ExpressionEngine Dev Team
\r
9 * @copyright Copyright (c) 2008, EllisLab, Inc.
\r
10 * @license http://codeigniter.com/user_guide/license.html
\r
11 * @link http://codeigniter.com
\r
12 * @since Version 1.0
\r
16 // ------------------------------------------------------------------------
\r
21 * @package CodeIgniter
\r
22 * @subpackage Libraries
\r
23 * @category Sessions
\r
24 * @author ExpressionEngine Dev Team
\r
25 * @link http://codeigniter.com/user_guide/libraries/sessions.html
\r
29 var $sess_encrypt_cookie = FALSE;
\r
30 var $sess_use_database = FALSE;
\r
31 var $sess_table_name = '';
\r
32 var $sess_expiration = 7200;
\r
33 var $sess_match_ip = FALSE;
\r
34 var $sess_match_useragent = TRUE;
\r
35 var $sess_cookie_name = 'ci_session';
\r
36 var $cookie_prefix = '';
\r
37 var $cookie_path = '';
\r
38 var $cookie_domain = '';
\r
39 var $sess_time_to_update = 300;
\r
40 var $encryption_key = '';
\r
41 var $flashdata_key = 'flash';
\r
42 var $time_reference = 'time';
\r
43 var $gc_probability = 5;
\r
44 var $userdata = array();
\r
49 * Session Constructor
\r
51 * The constructor runs the session routines automatically
\r
52 * whenever the class is instantiated.
\r
54 function CI_Session($params = array())
\r
56 log_message('debug', "Session Class Initialized");
\r
58 // Set the super object to a local variable for use throughout the class
\r
59 $this->CI =& get_instance();
\r
61 // Set all the session preferences, which can either be set
\r
62 // manually via the $params array above or via the config file
\r
63 foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)
\r
65 $this->$key = (isset($params[$key])) ? $params[$key] : $this->CI->config->item($key);
\r
68 // Load the string helper so we can use the strip_slashes() function
\r
69 $this->CI->load->helper('string');
\r
71 // Do we need encryption? If so, load the encryption class
\r
72 if ($this->sess_encrypt_cookie == TRUE)
\r
74 $this->CI->load->library('encrypt');
\r
77 // Are we using a database? If so, load it
\r
78 if ($this->sess_use_database === TRUE AND $this->sess_table_name != '')
\r
80 $this->CI->load->database();
\r
83 // Set the "now" time. Can either be GMT or server time, based on the
\r
84 // config prefs. We use this to set the "last activity" time
\r
85 $this->now = $this->_get_time();
\r
87 // Set the session length. If the session expiration is
\r
88 // set to zero we'll set the expiration two years from now.
\r
89 if ($this->sess_expiration == 0)
\r
91 $this->sess_expiration = (60*60*24*365*2);
\r
94 // Set the cookie name
\r
95 $this->sess_cookie_name = $this->cookie_prefix.$this->sess_cookie_name;
\r
97 // Run the Session routine. If a session doesn't exist we'll
\r
98 // create a new one. If it does, we'll update it.
\r
99 if ( ! $this->sess_read())
\r
101 $this->sess_create();
\r
105 $this->sess_update();
\r
108 // Delete 'old' flashdata (from last request)
\r
109 $this->_flashdata_sweep();
\r
111 // Mark all new flashdata as old (data will be deleted before next request)
\r
112 $this->_flashdata_mark();
\r
114 // Delete expired sessions if necessary
\r
117 log_message('debug', "Session routines successfully run");
\r
120 // --------------------------------------------------------------------
\r
123 * Fetch the current session data if it exists
\r
128 function sess_read()
\r
130 // Fetch the cookie
\r
131 $session = $this->CI->input->cookie($this->sess_cookie_name);
\r
133 // No cookie? Goodbye cruel world!...
\r
134 if ($session === FALSE)
\r
136 log_message('debug', 'A session cookie was not found.');
\r
140 // Decrypt the cookie data
\r
141 if ($this->sess_encrypt_cookie == TRUE)
\r
143 $session = $this->CI->encrypt->decode($session);
\r
147 // encryption was not used, so we need to check the md5 hash
\r
148 $hash = substr($session, strlen($session)-32); // get last 32 chars
\r
149 $session = substr($session, 0, strlen($session)-32);
\r
151 // Does the md5 hash match? This is to prevent manipulation of session data in userspace
\r
152 if ($hash !== md5($session.$this->encryption_key))
\r
154 log_message('error', 'The session cookie data did not match what was expected. This could be a possible hacking attempt.');
\r
155 $this->sess_destroy();
\r
160 // Unserialize the session array
\r
161 $session = $this->_unserialize($session);
\r
163 // Is the session data we unserialized an array with the correct format?
\r
164 if ( ! is_array($session) OR ! isset($session['session_id']) OR ! isset($session['ip_address']) OR ! isset($session['user_agent']) OR ! isset($session['last_activity']))
\r
166 $this->sess_destroy();
\r
170 // Is the session current?
\r
171 if (($session['last_activity'] + $this->sess_expiration) < $this->now)
\r
173 $this->sess_destroy();
\r
177 // Does the IP Match?
\r
178 if ($this->sess_match_ip == TRUE AND $session['ip_address'] != $this->CI->input->ip_address())
\r
180 $this->sess_destroy();
\r
184 // Does the User Agent Match?
\r
185 if ($this->sess_match_useragent == TRUE AND trim($session['user_agent']) != trim(substr($this->CI->input->user_agent(), 0, 50)))
\r
187 $this->sess_destroy();
\r
191 // Is there a corresponding session in the DB?
\r
192 if ($this->sess_use_database === TRUE)
\r
194 $this->CI->db->where('session_id', $session['session_id']);
\r
196 if ($this->sess_match_ip == TRUE)
\r
198 $this->CI->db->where('ip_address', $session['ip_address']);
\r
201 if ($this->sess_match_useragent == TRUE)
\r
203 $this->CI->db->where('user_agent', $session['user_agent']);
\r
206 $query = $this->CI->db->get($this->sess_table_name);
\r
208 // No result? Kill it!
\r
209 if ($query->num_rows() == 0)
\r
211 $this->sess_destroy();
\r
215 // Is there custom data? If so, add it to the main session array
\r
216 $row = $query->row();
\r
217 if (isset($row->user_data) AND $row->user_data != '')
\r
219 $custom_data = $this->_unserialize($row->user_data);
\r
221 if (is_array($custom_data))
\r
223 foreach ($custom_data as $key => $val)
\r
225 $session[$key] = $val;
\r
231 // Session is valid!
\r
232 $this->userdata = $session;
\r
238 // --------------------------------------------------------------------
\r
241 * Write the session data
\r
246 function sess_write()
\r
248 // Are we saving custom data to the DB? If not, all we do is update the cookie
\r
249 if ($this->sess_use_database === FALSE)
\r
251 $this->_set_cookie();
\r
255 // set the custom userdata, the session data we will set in a second
\r
256 $custom_userdata = $this->userdata;
\r
257 $cookie_userdata = array();
\r
259 // Before continuing, we need to determine if there is any custom data to deal with.
\r
260 // Let's determine this by removing the default indexes to see if there's anything left in the array
\r
261 // and set the session data while we're at it
\r
262 foreach (array('session_id','ip_address','user_agent','last_activity') as $val)
\r
264 unset($custom_userdata[$val]);
\r
265 $cookie_userdata[$val] = $this->userdata[$val];
\r
268 // Did we find any custom data? If not, we turn the empty array into a string
\r
269 // since there's no reason to serialize and store an empty array in the DB
\r
270 if (count($custom_userdata) === 0)
\r
272 $custom_userdata = '';
\r
276 // Serialize the custom data array so we can store it
\r
277 $custom_userdata = $this->_serialize($custom_userdata);
\r
280 // Run the update query
\r
281 $this->CI->db->where('session_id', $this->userdata['session_id']);
\r
282 $this->CI->db->update($this->sess_table_name, array('last_activity' => $this->userdata['last_activity'], 'user_data' => $custom_userdata));
\r
284 // Write the cookie. Notice that we manually pass the cookie data array to the
\r
285 // _set_cookie() function. Normally that function will store $this->userdata, but
\r
286 // in this case that array contains custom data, which we do not want in the cookie.
\r
287 $this->_set_cookie($cookie_userdata);
\r
290 // --------------------------------------------------------------------
\r
293 * Create a new session
\r
298 function sess_create()
\r
301 while (strlen($sessid) < 32)
\r
303 $sessid .= mt_rand(0, mt_getrandmax());
\r
306 // To make the session ID even more secure we'll combine it with the user's IP
\r
307 $sessid .= $this->CI->input->ip_address();
\r
309 $this->userdata = array(
\r
310 'session_id' => md5(uniqid($sessid, TRUE)),
\r
311 'ip_address' => $this->CI->input->ip_address(),
\r
312 'user_agent' => substr($this->CI->input->user_agent(), 0, 50),
\r
313 'last_activity' => $this->now
\r
317 // Save the data to the DB if needed
\r
318 if ($this->sess_use_database === TRUE)
\r
320 $this->CI->db->query($this->CI->db->insert_string($this->sess_table_name, $this->userdata));
\r
323 // Write the cookie
\r
324 $this->_set_cookie();
\r
327 // --------------------------------------------------------------------
\r
330 * Update an existing session
\r
335 function sess_update()
\r
337 // We only update the session every five minutes by default
\r
338 if (($this->userdata['last_activity'] + $this->sess_time_to_update) >= $this->now)
\r
343 // Save the old session id so we know which record to
\r
344 // update in the database if we need it
\r
345 $old_sessid = $this->userdata['session_id'];
\r
347 while (strlen($new_sessid) < 32)
\r
349 $new_sessid .= mt_rand(0, mt_getrandmax());
\r
352 // To make the session ID even more secure we'll combine it with the user's IP
\r
353 $new_sessid .= $this->CI->input->ip_address();
\r
355 // Turn it into a hash
\r
356 $new_sessid = md5(uniqid($new_sessid, TRUE));
\r
358 // Update the session data in the session data array
\r
359 $this->userdata['session_id'] = $new_sessid;
\r
360 $this->userdata['last_activity'] = $this->now;
\r
362 // _set_cookie() will handle this for us if we aren't using database sessions
\r
363 // by pushing all userdata to the cookie.
\r
364 $cookie_data = NULL;
\r
366 // Update the session ID and last_activity field in the DB if needed
\r
367 if ($this->sess_use_database === TRUE)
\r
369 // set cookie explicitly to only have our session data
\r
370 $cookie_data = array();
\r
371 foreach (array('session_id','ip_address','user_agent','last_activity') as $val)
\r
373 $cookie_data[$val] = $this->userdata[$val];
\r
376 $this->CI->db->query($this->CI->db->update_string($this->sess_table_name, array('last_activity' => $this->now, 'session_id' => $new_sessid), array('session_id' => $old_sessid)));
\r
379 // Write the cookie
\r
380 $this->_set_cookie($cookie_data);
\r
383 // --------------------------------------------------------------------
\r
386 * Destroy the current session
\r
391 function sess_destroy()
\r
393 // Kill the session DB row
\r
394 if ($this->sess_use_database === TRUE AND isset($this->userdata['session_id']))
\r
396 $this->CI->db->where('session_id', $this->userdata['session_id']);
\r
397 $this->CI->db->delete($this->sess_table_name);
\r
402 $this->sess_cookie_name,
\r
403 addslashes(serialize(array())),
\r
404 ($this->now - 31500000),
\r
405 $this->cookie_path,
\r
406 $this->cookie_domain,
\r
411 // --------------------------------------------------------------------
\r
414 * Fetch a specific item from the session array
\r
420 function userdata($item)
\r
422 return ( ! isset($this->userdata[$item])) ? FALSE : $this->userdata[$item];
\r
425 // --------------------------------------------------------------------
\r
428 * Fetch all session data
\r
433 function all_userdata()
\r
435 return ( ! isset($this->userdata)) ? FALSE : $this->userdata;
\r
438 // --------------------------------------------------------------------
\r
441 * Add or change data in the "userdata" array
\r
448 function set_userdata($newdata = array(), $newval = '')
\r
450 if (is_string($newdata))
\r
452 $newdata = array($newdata => $newval);
\r
455 if (count($newdata) > 0)
\r
457 foreach ($newdata as $key => $val)
\r
459 $this->userdata[$key] = $val;
\r
463 $this->sess_write();
\r
466 // --------------------------------------------------------------------
\r
469 * Delete a session variable from the "userdata" array
\r
474 function unset_userdata($newdata = array())
\r
476 if (is_string($newdata))
\r
478 $newdata = array($newdata => '');
\r
481 if (count($newdata) > 0)
\r
483 foreach ($newdata as $key => $val)
\r
485 unset($this->userdata[$key]);
\r
489 $this->sess_write();
\r
492 // ------------------------------------------------------------------------
\r
495 * Add or change flashdata, only available
\r
496 * until the next request
\r
503 function set_flashdata($newdata = array(), $newval = '')
\r
505 if (is_string($newdata))
\r
507 $newdata = array($newdata => $newval);
\r
510 if (count($newdata) > 0)
\r
512 foreach ($newdata as $key => $val)
\r
514 $flashdata_key = $this->flashdata_key.':new:'.$key;
\r
515 $this->set_userdata($flashdata_key, $val);
\r
520 // ------------------------------------------------------------------------
\r
523 * Keeps existing flashdata available to next request.
\r
529 function keep_flashdata($key)
\r
531 // 'old' flashdata gets removed. Here we mark all
\r
532 // flashdata as 'new' to preserve it from _flashdata_sweep()
\r
533 // Note the function will return FALSE if the $key
\r
534 // provided cannot be found
\r
535 $old_flashdata_key = $this->flashdata_key.':old:'.$key;
\r
536 $value = $this->userdata($old_flashdata_key);
\r
538 $new_flashdata_key = $this->flashdata_key.':new:'.$key;
\r
539 $this->set_userdata($new_flashdata_key, $value);
\r
542 // ------------------------------------------------------------------------
\r
545 * Fetch a specific flashdata item from the session array
\r
551 function flashdata($key)
\r
553 $flashdata_key = $this->flashdata_key.':old:'.$key;
\r
554 return $this->userdata($flashdata_key);
\r
557 // ------------------------------------------------------------------------
\r
560 * Identifies flashdata as 'old' for removal
\r
561 * when _flashdata_sweep() runs.
\r
566 function _flashdata_mark()
\r
568 $userdata = $this->all_userdata();
\r
569 foreach ($userdata as $name => $value)
\r
571 $parts = explode(':new:', $name);
\r
572 if (is_array($parts) && count($parts) === 2)
\r
574 $new_name = $this->flashdata_key.':old:'.$parts[1];
\r
575 $this->set_userdata($new_name, $value);
\r
576 $this->unset_userdata($name);
\r
581 // ------------------------------------------------------------------------
\r
584 * Removes all flashdata marked as 'old'
\r
590 function _flashdata_sweep()
\r
592 $userdata = $this->all_userdata();
\r
593 foreach ($userdata as $key => $value)
\r
595 if (strpos($key, ':old:'))
\r
597 $this->unset_userdata($key);
\r
603 // --------------------------------------------------------------------
\r
606 * Get the "now" time
\r
611 function _get_time()
\r
613 if (strtolower($this->time_reference) == 'gmt')
\r
616 $time = mktime(gmdate("H", $now), gmdate("i", $now), gmdate("s", $now), gmdate("m", $now), gmdate("d", $now), gmdate("Y", $now));
\r
626 // --------------------------------------------------------------------
\r
629 * Write the session cookie
\r
634 function _set_cookie($cookie_data = NULL)
\r
636 if (is_null($cookie_data))
\r
638 $cookie_data = $this->userdata;
\r
641 // Serialize the userdata for the cookie
\r
642 $cookie_data = $this->_serialize($cookie_data);
\r
644 if ($this->sess_encrypt_cookie == TRUE)
\r
646 $cookie_data = $this->CI->encrypt->encode($cookie_data);
\r
650 // if encryption is not used, we provide an md5 hash to prevent userside tampering
\r
651 $cookie_data = $cookie_data.md5($cookie_data.$this->encryption_key);
\r
656 $this->sess_cookie_name,
\r
658 $this->sess_expiration + time(),
\r
659 $this->cookie_path,
\r
660 $this->cookie_domain,
\r
665 // --------------------------------------------------------------------
\r
668 * Serialize an array
\r
670 * This function first converts any slashes found in the array to a temporary
\r
671 * marker, so when it gets unserialized the slashes will be preserved
\r
677 function _serialize($data)
\r
679 if (is_array($data))
\r
681 foreach ($data as $key => $val)
\r
683 $data[$key] = str_replace('\\', '{{slash}}', $val);
\r
688 $data = str_replace('\\', '{{slash}}', $data);
\r
691 return serialize($data);
\r
694 // --------------------------------------------------------------------
\r
699 * This function unserializes a data string, then converts any
\r
700 * temporary slash markers back to actual slashes
\r
706 function _unserialize($data)
\r
708 $data = @unserialize(strip_slashes($data));
\r
710 if (is_array($data))
\r
712 foreach ($data as $key => $val)
\r
714 $data[$key] = str_replace('{{slash}}', '\\', $val);
\r
720 return str_replace('{{slash}}', '\\', $data);
\r
723 // --------------------------------------------------------------------
\r
726 * Garbage collection
\r
728 * This deletes expired session rows from database
\r
729 * if the probability percentage is met
\r
734 function _sess_gc()
\r
736 if ($this->sess_use_database != TRUE)
\r
742 if ((rand() % 100) < $this->gc_probability)
\r
744 $expire = $this->now - $this->sess_expiration;
\r
746 $this->CI->db->where("last_activity < {$expire}");
\r
747 $this->CI->db->delete($this->sess_table_name);
\r
749 log_message('debug', 'Session garbage collection performed.');
\r
755 // END Session Class
\r
757 /* End of file Session.php */
\r
758 /* Location: ./system/libraries/Session.php */