1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
|
<?php
namespace Sessions;
use UserHelper;
require_once "autoload.php";
require_once "errorhandler.php";
require_once "lib/gettext/gettext.inc.php";
$session_expire = min(2147483647 - time() - 1, max(\Config::get(\Config::SESSION_COOKIE_LIFETIME), 86400));
$session_name = \Config::get(\Config::SESSION_NAME);
if (\Config::is_server_https()) {
ini_set("session.cookie_secure", "true");
}
ini_set("session.gc_probability", "75");
ini_set("session.name", $session_name);
ini_set("session.use_only_cookies", "true");
ini_set("session.gc_maxlifetime", $session_expire);
ini_set("session.cookie_lifetime", "0");
// prolong PHP session cookie
if (isset($_COOKIE[$session_name]))
setcookie($session_name,
$_COOKIE[$session_name],
time() + $session_expire,
ini_get("session.cookie_path"),
ini_get("session.cookie_domain"),
ini_get("session.cookie_secure"),
ini_get("session.cookie_httponly"));
function validate_session(): bool {
if (\Config::get(\Config::SINGLE_USER_MODE)) return true;
$pdo = \Db::pdo();
if (!empty($_SESSION["uid"])) {
$user = \ORM::for_table('ttrss_users')->find_one($_SESSION["uid"]);
if ($user) {
if ($user->pwd_hash != $_SESSION["pwd_hash"]) {
$_SESSION["login_error_msg"] = __("Session failed to validate (password changed)");
return false;
}
if ($user->access_level == UserHelper::ACCESS_LEVEL_DISABLED) {
$_SESSION["login_error_msg"] = __("Session failed to validate (account is disabled)");
return false;
}
// default to true because there might not be any hooks and this is our last check
$hook_result = true;
\PluginHost::getInstance()->chain_hooks_callback(\PluginHost::HOOK_VALIDATE_SESSION,
function ($result) use (&$hook_result) {
$hook_result = $result;
if (!$result) {
return true;
}
});
return $hook_result;
} else {
$_SESSION["login_error_msg"] = __("Session failed to validate (user not found)");
return false;
}
}
return true;
}
function ttrss_open(string $savePath, string $sessionName): bool {
return true;
}
function ttrss_read(string $id): string {
global $session_expire;
$sth = \Db::pdo()->prepare("SELECT data FROM ttrss_sessions WHERE id=?");
$sth->execute([$id]);
if ($row = $sth->fetch()) {
return base64_decode($row["data"]);
} else {
$expire = time() + $session_expire;
$sth = \Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
VALUES (?, '', ?)");
$sth->execute([$id, $expire]);
return "";
}
}
function ttrss_write(string $id, string $data): bool {
global $session_expire;
$data = base64_encode($data);
$expire = time() + $session_expire;
$sth = \Db::pdo()->prepare("SELECT id FROM ttrss_sessions WHERE id=?");
$sth->execute([$id]);
if ($sth->fetch()) {
$sth = \Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?");
$sth->execute([$data, $expire, $id]);
} else {
$sth = \Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
VALUES (?, ?, ?)");
$sth->execute([$id, $data, $expire]);
}
return true;
}
function ttrss_close(): bool {
return true;
}
function ttrss_destroy(string $id): bool {
$sth = \Db::pdo()->prepare("DELETE FROM ttrss_sessions WHERE id = ?");
$sth->execute([$id]);
return true;
}
function ttrss_gc(int $lifetime): bool {
\Db::pdo()->query("DELETE FROM ttrss_sessions WHERE expire < " . time());
return true;
}
if (\Config::get_schema_version() >= 0) {
session_set_save_handler('\Sessions\ttrss_open',
'\Sessions\ttrss_close', '\Sessions\ttrss_read',
'\Sessions\ttrss_write', '\Sessions\ttrss_destroy',
'\Sessions\ttrss_gc'); // @phpstan-ignore-line
// PHPStan complains about '\Sessions\ttrss_gc' if its $lifetime param isn't marked as string,
// but the docs say it's an int. If it is actually a string it'll get coerced to an int.
register_shutdown_function('session_write_close');
if (!defined('NO_SESSION_AUTOSTART')) {
if (isset($_COOKIE[session_name()])) {
if (session_status() != PHP_SESSION_ACTIVE)
session_start();
}
}
}
|
