summaryrefslogtreecommitdiff
path: root/include/sessions.php
blob: 00a0db081bf0bc694d973bb66618cace5f05030b (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

<?php
	namespace Sessions;

	use UserHelper;

	require_once "autoload.php";
	require_once "errorhandler.php";
	require_once "lib/gettext/gettext.inc.php";

	$session_expire = min(2147483647 - time() - 1, max(\Config::get(\Config::SESSION_COOKIE_LIFETIME), 86400));
	$session_name = \Config::get(\Config::SESSION_NAME);

	if (\Config::is_server_https()) {
		ini_set("session.cookie_secure", "true");
	}

	ini_set("session.gc_probability", "75");
	ini_set("session.name", $session_name);
	ini_set("session.use_only_cookies", "true");
	ini_set("session.gc_maxlifetime", $session_expire);
	ini_set("session.cookie_lifetime", "0");

	// prolong PHP session cookie
	if (isset($_COOKIE[$session_name]))
		setcookie($session_name,
			$_COOKIE[$session_name],
			time() + $session_expire,
			ini_get("session.cookie_path"),
			ini_get("session.cookie_domain"),
			ini_get("session.cookie_secure"),
			ini_get("session.cookie_httponly"));

	function validate_session(): bool {
		if (\Config::get(\Config::SINGLE_USER_MODE)) return true;

		$pdo = \Db::pdo();

		if (!empty($_SESSION["uid"])) {
			$user = \ORM::for_table('ttrss_users')->find_one($_SESSION["uid"]);

			if ($user) {
				if ($user->pwd_hash != $_SESSION["pwd_hash"]) {
					$_SESSION["login_error_msg"] = __("Session failed to validate (password changed)");
					return false;
				}

				if ($user->access_level == UserHelper::ACCESS_LEVEL_DISABLED) {
					$_SESSION["login_error_msg"] = __("Session failed to validate (account is disabled)");
					return false;
				}

				// default to true because there might not be any hooks and this is our last check
				$hook_result = true;

				\PluginHost::getInstance()->chain_hooks_callback(\PluginHost::HOOK_VALIDATE_SESSION,
					function ($result) use (&$hook_result) {
						$hook_result = $result;

						if (!$result) {
							return true;
						}
					});

				return $hook_result;

			} else {
				$_SESSION["login_error_msg"] = __("Session failed to validate (user not found)");
				return false;
			}
		}

		return true;
	}

	if (\Config::get_schema_version() >= 0) {
		// TODO: look into making these behave closer to what SessionHandlerInterface intends
		session_set_save_handler(new class() implements \SessionHandlerInterface {
			public function open(string $path, string $name): bool {
				return true;
			}

			public function close(): bool {
				return true;
			}

			/**
			 * @todo set return type to string|false, and remove ReturnTypeWillChange, when min supported is PHP 8
			 * @return string|false
			 */
			#[\ReturnTypeWillChange]
			public function read(string $id) {
				global $session_expire;

				$sth = \Db::pdo()->prepare('SELECT data FROM ttrss_sessions WHERE id=?');
				$sth->execute([$id]);

				if ($row = $sth->fetch()) {
					return base64_decode($row['data']);
				}

				$expire = time() + $session_expire;

				$sth = \Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
					VALUES (?, '', ?)");
				return $sth->execute([$id, $expire]) ? '' : false;
			}

			public function write(string $id, string $data): bool {
				global $session_expire;

				$data = base64_encode($data);
				$expire = time() + $session_expire;

				$sth = \Db::pdo()->prepare('SELECT id FROM ttrss_sessions WHERE id=?');
				$sth->execute([$id]);

				if ($sth->fetch()) {
					$sth = \Db::pdo()->prepare('UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?');
					return $sth->execute([$data, $expire, $id]);
				}

				$sth = \Db::pdo()->prepare('INSERT INTO ttrss_sessions (id, data, expire) VALUES (?, ?, ?)');
				return $sth->execute([$id, $data, $expire]);
			}

			public function destroy(string $id): bool {
				$sth = \Db::pdo()->prepare('DELETE FROM ttrss_sessions WHERE id = ?');
				return $sth->execute([$id]);
			}

			/**
			 * @todo set return type to int|false, and remove ReturnTypeWillChange, when min supported is PHP 8
			 * @return int|false the number of deleted sessions on success, or false on failure
			 */
			#[\ReturnTypeWillChange]
			public function gc(int $max_lifetime) {
				$result = \Db::pdo()->query('DELETE FROM ttrss_sessions WHERE expire < ' . time());
				return $result === false ? false : $result->rowCount();
			}
		});

		if (!defined('NO_SESSION_AUTOSTART')) {
			if (isset($_COOKIE[session_name()])) {
				if (session_status() != PHP_SESSION_ACTIVE)
						session_start();
			}
		}
	}
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-11-14 13:51:41 +0000