search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
MDL-27588 Fixed up several bugs with the formal_white theme
[moodle.git] / lib / sessionlib.php
blobf52808249b773b1c0d374271847e789a21e774da
1 <?php
2
3 // This file is part of Moodle - http://moodle.org/
4 //
5 // Moodle is free software: you can redistribute it and/or modify
6 // it under the terms of the GNU General Public License as published by
7 // the Free Software Foundation, either version 3 of the License, or
8 // (at your option) any later version.
9 //
10 // Moodle is distributed in the hope that it will be useful,
11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 // GNU General Public License for more details.
14 //
15 // You should have received a copy of the GNU General Public License
16 // along with Moodle. If not, see <http://www.gnu.org/licenses/>.
17
18 /**
19 * @package core
20 * @subpackage session
21 * @copyright 1999 onwards Martin Dougiamas {@link http://moodle.com}
22 * @copyright 2008, 2009 Petr Skoda {@link http://skodak.org}
23 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
24 */
25
26 defined('MOODLE_INTERNAL') || die();
27
28 /**
29 * Factory method returning moodle_session object.
30 * @return moodle_session
31 */
32 function session_get_instance() {
33 global $CFG, $DB;
34
35 static $session = null;
36
37 if (is_null($session)) {
38 if (empty($CFG->sessiontimeout)) {
39 $CFG->sessiontimeout = 7200;
40 }
41
42 if (defined('SESSION_CUSTOM_CLASS')) {
43 // this is a hook for webservices, key based login, etc.
44 if (defined('SESSION_CUSTOM_FILE')) {
45 require_once($CFG->dirroot.SESSION_CUSTOM_FILE);
46 }
47 $session_class = SESSION_CUSTOM_CLASS;
48 $session = new $session_class();
49
50 } else if ((!isset($CFG->dbsessions) or $CFG->dbsessions) and $DB->session_lock_supported()) {
51 // default recommended session type
52 $session = new database_session();
53
54 } else {
55 // legacy limited file based storage - some features and auth plugins will not work, sorry
56 $session = new legacy_file_session();
57 }
58 }
59
60 return $session;
61 }
62
63 /**
64 * Moodle session abstraction
65 *
66 * @package core
67 * @subpackage session
68 * @copyright 2008 Petr Skoda {@link http://skodak.org}
69 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
70 */
71 interface moodle_session {
72 /**
73 * Terminate current session
74 * @return void
75 */
76 public function terminate_current();
77
78 /**
79 * No more changes in session expected.
80 * Unblocks the sessions, other scripts may start executing in parallel.
81 * @return void
82 */
83 public function write_close();
84
85 /**
86 * Check for existing session with id $sid
87 * @param unknown_type $sid
88 * @return boolean true if session found.
89 */
90 public function session_exists($sid);
91 }
92
93 /**
94 * Class handling all session and cookies related stuff.
95 *
96 * @package core
97 * @subpackage session
98 * @copyright 2009 Petr Skoda {@link http://skodak.org}
99 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
100 */
101 abstract class session_stub implements moodle_session {
102 protected $justloggedout;
103
104 public function __construct() {
105 global $CFG;
106
107 if (NO_MOODLE_COOKIES) {
108 // session not used at all
109 $CFG->usesid = 0;
110
111 $_SESSION = array();
112 $_SESSION['SESSION'] = new stdClass();
113 $_SESSION['USER'] = new stdClass();
114
115 } else {
116 $this->prepare_cookies();
117 $this->init_session_storage();
118
119 $newsession = empty($_COOKIE['MoodleSession'.$CFG->sessioncookie]);
120
121 if (!empty($CFG->usesid) && $newsession) {
122 sid_start_ob();
123 } else {
124 $CFG->usesid = 0;
125 ini_set('session.use_trans_sid', '0');
126 }
127
128 session_name('MoodleSession'.$CFG->sessioncookie);
129 session_set_cookie_params(0, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
130 session_start();
131 if (!isset($_SESSION['SESSION'])) {
132 $_SESSION['SESSION'] = new stdClass();
133 if (!$newsession and !$this->justloggedout) {
134 $_SESSION['SESSION']->has_timed_out = true;
135 }
136 }
137 if (!isset($_SESSION['USER'])) {
138 $_SESSION['USER'] = new stdClass();
139 }
140 }
141
142 $this->check_user_initialised();
143
144 $this->check_security();
145 }
146
147 /**
148 * Terminates active moodle session
149 */
150 public function terminate_current() {
151 global $CFG, $SESSION, $USER, $DB;
152
153 try {
154 $DB->delete_records('external_tokens', array('sid'=>session_id(), 'tokentype'=>EXTERNAL_TOKEN_EMBEDDED));
155 } catch (Exception $ignored) {
156 // probably install/upgrade - ignore this problem
157 }
158
159 if (NO_MOODLE_COOKIES) {
160 return;
161 }
162
163 // Initialize variable to pass-by-reference to headers_sent(&$file, &$line)
164 $_SESSION = array();
165 $_SESSION['SESSION'] = new stdClass();
166 $_SESSION['USER'] = new stdClass();
167 $_SESSION['USER']->id = 0;
168 if (isset($CFG->mnet_localhost_id)) {
169 $_SESSION['USER']->mnethostid = $CFG->mnet_localhost_id;
170 }
171 $SESSION = $_SESSION['SESSION']; // this may not work properly
172 $USER = $_SESSION['USER']; // this may not work properly
173
174 $file = null;
175 $line = null;
176 if (headers_sent($file, $line)) {
177 error_log('Can not terminate session properly - headers were already sent in file: '.$file.' on line '.$line);
178 }
179
180 // now let's try to get a new session id and delete the old one
181 $this->justloggedout = true;
182 session_regenerate_id(true);
183 $this->justloggedout = false;
184
185 // write the new session
186 session_write_close();
187 }
188
189 /**
190 * No more changes in session expected.
191 * Unblocks the sessions, other scripts may start executing in parallel.
192 * @return void
193 */
194 public function write_close() {
195 if (NO_MOODLE_COOKIES) {
196 return;
197 }
198
199 session_write_close();
200 }
201
202 /**
203 * Initialise $USER object, handles google access
204 * and sets up not logged in user properly.
205 *
206 * @return void
207 */
208 protected function check_user_initialised() {
209 global $CFG;
210
211 if (isset($_SESSION['USER']->id)) {
212 // already set up $USER
213 return;
214 }
215
216 $user = null;
217
218 if (!empty($CFG->opentogoogle) and !NO_MOODLE_COOKIES) {
219 if (is_web_crawler()) {
220 $user = guest_user();
221 }
222 if (!empty($CFG->guestloginbutton) and !$user and !empty($_SERVER['HTTP_REFERER'])) {
223 // automaticaly log in users coming from search engine results
224 if (strpos($_SERVER['HTTP_REFERER'], 'google') !== false ) {
225 $user = guest_user();
226 } else if (strpos($_SERVER['HTTP_REFERER'], 'altavista') !== false ) {
227 $user = guest_user();
228 }
229 }
230 }
231
232 if (!$user) {
233 $user = new stdClass();
234 $user->id = 0; // to enable proper function of $CFG->notloggedinroleid hack
235 if (isset($CFG->mnet_localhost_id)) {
236 $user->mnethostid = $CFG->mnet_localhost_id;
237 } else {
238 $user->mnethostid = 1;
239 }
240 }
241 session_set_user($user);
242 }
243
244 /**
245 * Does various session security checks
246 * @global void
247 */
248 protected function check_security() {
249 global $CFG;
250
251 if (NO_MOODLE_COOKIES) {
252 return;
253 }
254
255 if (!empty($_SESSION['USER']->id) and !empty($CFG->tracksessionip)) {
256 /// Make sure current IP matches the one for this session
257 $remoteaddr = getremoteaddr();
258
259 if (empty($_SESSION['USER']->sessionip)) {
260 $_SESSION['USER']->sessionip = $remoteaddr;
261 }
262
263 if ($_SESSION['USER']->sessionip != $remoteaddr) {
264 // this is a security feature - terminate the session in case of any doubt
265 $this->terminate_current();
266 print_error('sessionipnomatch2', 'error');
267 }
268 }
269 }
270
271 /**
272 * Prepare cookies and various system settings
273 */
274 protected function prepare_cookies() {
275 global $CFG;
276
277 if (!isset($CFG->cookiesecure) or (strpos($CFG->wwwroot, 'https://') !== 0 and empty($CFG->sslproxy))) {
278 $CFG->cookiesecure = 0;
279 }
280
281 if (!isset($CFG->cookiehttponly)) {
282 $CFG->cookiehttponly = 0;
283 }
284
285 /// Set sessioncookie and sessioncookiepath variable if it isn't already
286 if (!isset($CFG->sessioncookie)) {
287 $CFG->sessioncookie = '';
288 }
289 if (!isset($CFG->sessioncookiedomain)) {
290 $CFG->sessioncookiedomain = '';
291 }
292 if (!isset($CFG->sessioncookiepath)) {
293 $CFG->sessioncookiepath = '/';
294 }
295
296 //discard session ID from POST, GET and globals to tighten security,
297 //this session fixation prevention can not be used in cookieless mode
298 if (empty($CFG->usesid)) {
299 unset(${'MoodleSession'.$CFG->sessioncookie});
300 unset($_GET['MoodleSession'.$CFG->sessioncookie]);
301 unset($_POST['MoodleSession'.$CFG->sessioncookie]);
302 unset($_REQUEST['MoodleSession'.$CFG->sessioncookie]);
303 }
304 //compatibility hack for Moodle Cron, cookies not deleted, but set to "deleted" - should not be needed with NO_MOODLE_COOKIES in cron.php now
305 if (!empty($_COOKIE['MoodleSession'.$CFG->sessioncookie]) && $_COOKIE['MoodleSession'.$CFG->sessioncookie] == "deleted") {
306 unset($_COOKIE['MoodleSession'.$CFG->sessioncookie]);
307 }
308 }
309
310 /**
311 * Inits session storage.
312 */
313 protected abstract function init_session_storage();
314 }
315
316 /**
317 * Legacy moodle sessions stored in files, not recommended any more.
318 *
319 * @package core
320 * @subpackage session
321 * @copyright 2009 Petr Skoda {@link http://skodak.org}
322 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
323 */
324 class legacy_file_session extends session_stub {
325 protected function init_session_storage() {
326 global $CFG;
327
328 ini_set('session.save_handler', 'files');
329
330 // Some distros disable GC by setting probability to 0
331 // overriding the PHP default of 1
332 // (gc_probability is divided by gc_divisor, which defaults to 1000)
333 if (ini_get('session.gc_probability') == 0) {
334 ini_set('session.gc_probability', 1);
335 }
336
337 ini_set('session.gc_maxlifetime', $CFG->sessiontimeout);
338
339 // make sure sessions dir exists and is writable, throws exception if not
340 make_upload_directory('sessions');
341
342 // Need to disable debugging since disk_free_space()
343 // will fail on very large partitions (see MDL-19222)
344 $freespace = @disk_free_space($CFG->dataroot.'/sessions');
345 if (!($freespace > 2048) and $freespace !== false) {
346 print_error('sessiondiskfull', 'error');
347 }
348 ini_set('session.save_path', $CFG->dataroot .'/sessions');
349 }
350 /**
351 * Check for existing session with id $sid
352 * @param unknown_type $sid
353 * @return boolean true if session found.
354 */
355 public function session_exists($sid){
356 global $CFG;
357
358 $sid = clean_param($sid, PARAM_FILE);
359 $sessionfile = "$CFG->dataroot/sessions/sess_$sid";
360 return file_exists($sessionfile);
361 }
362 }
363
364 /**
365 * Recommended moodle session storage.
366 *
367 * @package core
368 * @subpackage session
369 * @copyright 2009 Petr Skoda {@link http://skodak.org}
370 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
371 */
372 class database_session extends session_stub {
373 protected $record = null;
374 protected $database = null;
375
376 public function __construct() {
377 global $DB;
378 $this->database = $DB;
379 parent::__construct();
380
381 if (!empty($this->record->state)) {
382 // something is very wrong
383 session_kill($this->record->sid);
384
385 if ($this->record->state == 9) {
386 print_error('dbsessionmysqlpacketsize', 'error');
387 }
388 }
389 }
390
391 public function session_exists($sid){
392 global $CFG;
393 try {
394 $sql = "SELECT * FROM {sessions} WHERE timemodified < ? AND sid=? AND state=?";
395 $params = array(time() + $CFG->sessiontimeout, $sid, 0);
396
397 return $this->database->record_exists_sql($sql, $params);
398 } catch (dml_exception $ex) {
399 error_log('Error checking existance of database session');
400 return false;
401 }
402 }
403
404 protected function init_session_storage() {
405 global $CFG;
406
407 // gc only from CRON - individual user timeouts now checked during each access
408 ini_set('session.gc_probability', 0);
409
410 ini_set('session.gc_maxlifetime', $CFG->sessiontimeout);
411
412 $result = session_set_save_handler(array($this, 'handler_open'),
413 array($this, 'handler_close'),
414 array($this, 'handler_read'),
415 array($this, 'handler_write'),
416 array($this, 'handler_destroy'),
417 array($this, 'handler_gc'));
418 if (!$result) {
419 print_error('dbsessionhandlerproblem', 'error');
420 }
421 }
422
423 public function handler_open($save_path, $session_name) {
424 return true;
425 }
426
427 public function handler_close() {
428 if (isset($this->record->id)) {
429 $this->database->release_session_lock($this->record->id);
430 }
431 $this->record = null;
432 return true;
433 }
434
435 public function handler_read($sid) {
436 global $CFG;
437
438 if ($this->record and $this->record->sid != $sid) {
439 error_log('Weird error reading database session - mismatched sid');
440 return '';
441 }
442
443 try {
444 if ($record = $this->database->get_record('sessions', array('sid'=>$sid))) {
445 $this->database->get_session_lock($record->id);
446
447 } else {
448 $record = new stdClass();
449 $record->state = 0;
450 $record->sid = $sid;
451 $record->sessdata = null;
452 $record->userid = 0;
453 $record->timecreated = $record->timemodified = time();
454 $record->firstip = $record->lastip = getremoteaddr();
455 $record->id = $this->database->insert_record_raw('sessions', $record);
456
457 $this->database->get_session_lock($record->id);
458 }
459 } catch (dml_exception $ex) {
460 error_log('Can not read or insert database sessions');
461 return '';
462 }
463
464 // verify timeout
465 if ($record->timemodified + $CFG->sessiontimeout < time()) {
466 $ignoretimeout = false;
467 if (!empty($record->userid)) { // skips not logged in
468 if ($user = $this->database->get_record('user', array('id'=>$record->userid))) {
469 if (!isguestuser($user)) {
470 $authsequence = get_enabled_auth_plugins(); // auths, in sequence
471 foreach($authsequence as $authname) {
472 $authplugin = get_auth_plugin($authname);
473 if ($authplugin->ignore_timeout_hook($user, $record->sid, $record->timecreated, $record->timemodified)) {
474 $ignoretimeout = true;
475 break;
476 }
477 }
478 }
479 }
480 }
481 if ($ignoretimeout) {
482 //refresh session
483 $record->timemodified = time();
484 try {
485 $this->database->update_record('sessions', $record);
486 } catch (dml_exception $ex) {
487 error_log('Can not refresh database session');
488 return '';
489 }
490 } else {
491 //time out session
492 $record->state = 0;
493 $record->sessdata = null;
494 $record->userid = 0;
495 $record->timecreated = $record->timemodified = time();
496 $record->firstip = $record->lastip = getremoteaddr();
497 try {
498 $this->database->update_record('sessions', $record);
499 } catch (dml_exception $ex) {
500 error_log('Can not time out database session');
501 return '';
502 }
503 }
504 }
505
506 $data = is_null($record->sessdata) ? '' : base64_decode($record->sessdata);
507
508 unset($record->sessdata); // conserve memory
509 $this->record = $record;
510
511 return $data;
512 }
513
514 public function handler_write($sid, $session_data) {
515 global $USER;
516
517 // TODO: MDL-20625 we need to rollback all active transactions and log error if any open needed
518
519 $userid = 0;
520 if (!empty($USER->realuser)) {
521 $userid = $USER->realuser;
522 } else if (!empty($USER->id)) {
523 $userid = $USER->id;
524 }
525
526 if (isset($this->record->id)) {
527 $record = new stdClass();
528 $record->state = 0;
529 $record->sid = $sid; // might be regenerating sid
530 $this->record->sessdata = base64_encode($session_data); // there might be some binary mess :-(
531 $this->record->userid = $userid;
532 $this->record->timemodified = time();
533 $this->record->lastip = getremoteaddr();
534
535 // TODO: verify session changed before doing update,
536 // also make sure the timemodified field is changed only every 10s if nothing else changes MDL-20462
537
538 try {
539 $this->database->update_record_raw('sessions', $this->record);
540 } catch (dml_exception $ex) {
541 if ($this->database->get_dbfamily() === 'mysql') {
542 try {
543 $this->database->set_field('sessions', 'state', 9, array('id'=>$this->record->id));
544 } catch (Exception $ignored) {
545
546 }
547 error_log('Can not write database session - please verify max_allowed_packet is at least 4M!');
548 } else {
549 error_log('Can not write database session');
550 }
551 }
552
553 } else {
554 // session already destroyed
555 $record = new stdClass();
556 $record->state = 0;
557 $record->sid = $sid;
558 $record->sessdata = base64_encode($session_data); // there might be some binary mess :-(
559 $record->userid = $userid;
560 $record->timecreated = $record->timemodified = time();
561 $record->firstip = $record->lastip = getremoteaddr();
562 $record->id = $this->database->insert_record_raw('sessions', $record);
563 $this->record = $record;
564
565 try {
566 $this->database->get_session_lock($this->record->id);
567 } catch (dml_exception $ex) {
568 error_log('Can not write new database session');
569 }
570 }
571
572 return true;
573 }
574
575 public function handler_destroy($sid) {
576 session_kill($sid);
577
578 if (isset($this->record->id) and $this->record->sid === $sid) {
579 $this->database->release_session_lock($this->record->id);
580 $this->record = null;
581 }
582
583 return true;
584 }
585
586 public function handler_gc($ignored_maxlifetime) {
587 session_gc();
588 return true;
589 }
590 }
591
592 /**
593 * returns true if legacy session used.
594 * @return bool true if legacy(==file) based session used
595 */
596 function session_is_legacy() {
597 global $CFG, $DB;
598 return ((isset($CFG->dbsessions) and !$CFG->dbsessions) or !$DB->session_lock_supported());
599 }
600
601 /**
602 * Terminates all sessions, auth hooks are not executed.
603 * Useful in upgrade scripts.
604 */
605 function session_kill_all() {
606 global $CFG, $DB;
607
608 // always check db table - custom session classes use sessions table
609 try {
610 $DB->delete_records('sessions');
611 } catch (dml_exception $ignored) {
612 // do not show any warnings - might be during upgrade/installation
613 }
614
615 if (session_is_legacy()) {
616 $sessiondir = "$CFG->dataroot/sessions";
617 if (is_dir($sessiondir)) {
618 foreach (glob("$sessiondir/sess_*") as $filename) {
619 @unlink($filename);
620 }
621 }
622 }
623 }
624
625 /**
626 * Mark session as accessed, prevents timeouts.
627 * @param string $sid
628 */
629 function session_touch($sid) {
630 global $CFG, $DB;
631
632 // always check db table - custom session classes use sessions table
633 try {
634 $sql = "UPDATE {sessions} SET timemodified=? WHERE sid=?";
635 $params = array(time(), $sid);
636 $DB->execute($sql, $params);
637 } catch (dml_exception $ignored) {
638 // do not show any warnings - might be during upgrade/installation
639 }
640
641 if (session_is_legacy()) {
642 $sid = clean_param($sid, PARAM_FILE);
643 $sessionfile = clean_param("$CFG->dataroot/sessions/sess_$sid", PARAM_FILE);
644 if (file_exists($sessionfile)) {
645 // if the file is locked it means that it will be updated anyway
646 @touch($sessionfile);
647 }
648 }
649 }
650
651 /**
652 * Terminates one sessions, auth hooks are not executed.
653 *
654 * @param string $sid session id
655 */
656 function session_kill($sid) {
657 global $CFG, $DB;
658
659 // always check db table - custom session classes use sessions table
660 try {
661 $DB->delete_records('sessions', array('sid'=>$sid));
662 } catch (dml_exception $ignored) {
663 // do not show any warnings - might be during upgrade/installation
664 }
665
666 if (session_is_legacy()) {
667 $sid = clean_param($sid, PARAM_FILE);
668 $sessionfile = "$CFG->dataroot/sessions/sess_$sid";
669 if (file_exists($sessionfile)) {
670 @unlink($sessionfile);
671 }
672 }
673 }
674
675 /**
676 * Terminates all sessions of one user, auth hooks are not executed.
677 * NOTE: This can not work for file based sessions!
678 *
679 * @param int $userid user id
680 */
681 function session_kill_user($userid) {
682 global $CFG, $DB;
683
684 // always check db table - custom session classes use sessions table
685 try {
686 $DB->delete_records('sessions', array('userid'=>$userid));
687 } catch (dml_exception $ignored) {
688 // do not show any warnings - might be during upgrade/installation
689 }
690
691 if (session_is_legacy()) {
692 // log error?
693 }
694 }
695
696 /**
697 * Session garbage collection
698 * - verify timeout for all users
699 * - kill sessions of all deleted users
700 * - kill sessions of users with disabled plugins or 'nologin' plugin
701 *
702 * NOTE: this can not work when legacy file sessions used!
703 */
704 function session_gc() {
705 global $CFG, $DB;
706
707 $maxlifetime = $CFG->sessiontimeout;
708
709 try {
710 /// kill all sessions of deleted users
711 $DB->delete_records_select('sessions', "userid IN (SELECT id FROM {user} WHERE deleted <> 0)");
712
713 /// kill sessions of users with disabled plugins
714 $auth_sequence = get_enabled_auth_plugins(true);
715 $auth_sequence = array_flip($auth_sequence);
716 unset($auth_sequence['nologin']); // no login allowed
717 $auth_sequence = array_flip($auth_sequence);
718 $notplugins = null;
719 list($notplugins, $params) = $DB->get_in_or_equal($auth_sequence, SQL_PARAMS_QM, '', false);
720 $DB->delete_records_select('sessions', "userid IN (SELECT id FROM {user} WHERE auth $notplugins)", $params);
721
722 /// now get a list of time-out candidates
723 $sql = "SELECT u.*, s.sid, s.timecreated AS s_timecreated, s.timemodified AS s_timemodified
724 FROM {user} u
725 JOIN {sessions} s ON s.userid = u.id
726 WHERE s.timemodified + ? < ? AND u.id <> ?";
727 $params = array($maxlifetime, time(), $CFG->siteguest);
728
729 $authplugins = array();
730 foreach($auth_sequence as $authname) {
731 $authplugins[$authname] = get_auth_plugin($authname);
732 }
733 $rs = $DB->get_recordset_sql($sql, $params);
734 foreach ($rs as $user) {
735 foreach ($authplugins as $authplugin) {
736 if ($authplugin->ignore_timeout_hook($user, $user->sid, $user->s_timecreated, $user->s_timemodified)) {
737 continue;
738 }
739 }
740 $DB->delete_records('sessions', array('sid'=>$user->sid));
741 }
742 $rs->close();
743
744 $purgebefore = time() - $maxlifetime;
745 // delete expired sessions for guest user account
746 $DB->delete_records_select('sessions', 'userid = ? AND timemodified < ?', array($CFG->siteguest, $purgebefore));
747 // delete expired sessions for userid = 0 (not logged in)
748 $DB->delete_records_select('sessions', 'userid = 0 AND timemodified < ?', array($purgebefore));
749 } catch (dml_exception $ex) {
750 error_log('Error gc-ing sessions');
751 }
752 }
753
754 /**
755 * Makes sure that $USER->sesskey exists, if $USER itself exists. It sets a new sesskey
756 * if one does not already exist, but does not overwrite existing sesskeys. Returns the
757 * sesskey string if $USER exists, or boolean false if not.
758 *
759 * @uses $USER
760 * @return string
761 */
762 function sesskey() {
763 // note: do not use $USER because it may not be initialised yet
764 if (empty($_SESSION['USER']->sesskey)) {
765 $_SESSION['USER']->sesskey = random_string(10);
766 }
767
768 return $_SESSION['USER']->sesskey;
769 }
770
771
772 /**
773 * Check the sesskey and return true of false for whether it is valid.
774 * (You might like to imagine this function is called sesskey_is_valid().)
775 *
776 * Every script that lets the user perform a significant action (that is,
777 * changes data in the database) should check the sesskey before doing the action.
778 * Depending on your code flow, you may want to use the {@link require_sesskey()}
779 * helper function.
780 *
781 * @param string $sesskey The sesskey value to check (optional). Normally leave this blank
782 * and this function will do required_param('sesskey', ...).
783 * @return bool whether the sesskey sent in the request matches the one stored in the session.
784 */
785 function confirm_sesskey($sesskey=NULL) {
786 global $USER;
787
788 if (!empty($USER->ignoresesskey)) {
789 return true;
790 }
791
792 if (empty($sesskey)) {
793 $sesskey = required_param('sesskey', PARAM_RAW); // Check script parameters
794 }
795
796 return (sesskey() === $sesskey);
797 }
798
799 /**
800 * Check the session key using {@link confirm_sesskey()},
801 * and cause a fatal error if it does not match.
802 */
803 function require_sesskey() {
804 if (!confirm_sesskey()) {
805 print_error('invalidsesskey');
806 }
807 }
808
809 /**
810 * Sets a moodle cookie with a weakly encrypted username
811 *
812 * @param string $username to encrypt and place in a cookie, '' means delete current cookie
813 * @return void
814 */
815 function set_moodle_cookie($username) {
816 global $CFG;
817
818 if (NO_MOODLE_COOKIES) {
819 return;
820 }
821
822 if ($username === 'guest') {
823 // keep previous cookie in case of guest account login
824 return;
825 }
826
827 $cookiename = 'MOODLEID_'.$CFG->sessioncookie;
828
829 // delete old cookie
830 setcookie($cookiename, '', time() - HOURSECS, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
831
832 if ($username !== '') {
833 // set username cookie for 60 days
834 setcookie($cookiename, rc4encrypt($username), time()+(DAYSECS*60), $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
835 }
836 }
837
838 /**
839 * Gets a moodle cookie with a weakly encrypted username
840 *
841 * @return string username
842 */
843 function get_moodle_cookie() {
844 global $CFG;
845
846 if (NO_MOODLE_COOKIES) {
847 return '';
848 }
849
850 $cookiename = 'MOODLEID_'.$CFG->sessioncookie;
851
852 if (empty($_COOKIE[$cookiename])) {
853 return '';
854 } else {
855 $username = rc4decrypt($_COOKIE[$cookiename]);
856 if ($username === 'guest' or $username === 'nobody') {
857 // backwards compatibility - we do not set these cookies any more
858 return '';
859 }
860 return $username;
861 }
862 }
863
864
865 /**
866 * Setup $USER object - called during login, loginas, etc.
867 * Preloads capabilities and checks enrolment plugins
868 *
869 * @param stdClass $user full user record object
870 * @return void
871 */
872 function session_set_user($user) {
873 $_SESSION['USER'] = $user;
874 unset($_SESSION['USER']->description); // conserve memory
875 if (!isset($_SESSION['USER']->access)) {
876 // check enrolments and load caps only once
877 enrol_check_plugins($_SESSION['USER']);
878 load_all_capabilities();
879 }
880 sesskey(); // init session key
881 }
882
883 /**
884 * Is current $USER logged-in-as somebody else?
885 * @return bool
886 */
887 function session_is_loggedinas() {
888 return !empty($_SESSION['USER']->realuser);
889 }
890
891 /**
892 * Returns the $USER object ignoring current login-as session
893 * @return stdClass user object
894 */
895 function session_get_realuser() {
896 if (session_is_loggedinas()) {
897 return $_SESSION['REALUSER'];
898 } else {
899 return $_SESSION['USER'];
900 }
901 }
902
903 /**
904 * Login as another user - no security checks here.
905 * @param int $userid
906 * @param stdClass $context
907 * @return void
908 */
909 function session_loginas($userid, $context) {
910 if (session_is_loggedinas()) {
911 return;
912 }
913
914 // switch to fresh new $SESSION
915 $_SESSION['REALSESSION'] = $_SESSION['SESSION'];
916 $_SESSION['SESSION'] = new stdClass();
917
918 /// Create the new $USER object with all details and reload needed capabilities
919 $_SESSION['REALUSER'] = $_SESSION['USER'];
920 $user = get_complete_user_data('id', $userid);
921 $user->realuser = $_SESSION['REALUSER']->id;
922 $user->loginascontext = $context;
923 session_set_user($user);
924 }
925
926 /**
927 * Sets up current user and course environment (lang, etc.) in cron.
928 * Do not use outside of cron script!
929 *
930 * @param stdClass $user full user object, null means default cron user (admin)
931 * @param $course full course record, null means $SITE
932 * @return void
933 */
934 function cron_setup_user($user = NULL, $course = NULL) {
935 global $CFG, $SITE, $PAGE;
936
937 static $cronuser = NULL;
938 static $cronsession = NULL;
939
940 if (empty($cronuser)) {
941 /// ignore admins timezone, language and locale - use site default instead!
942 $cronuser = get_admin();
943 $cronuser->timezone = $CFG->timezone;
944 $cronuser->lang = '';
945 $cronuser->theme = '';
946 unset($cronuser->description);
947
948 $cronsession = new stdClass();
949 }
950
951 if (!$user) {
952 // cached default cron user (==modified admin for now)
953 session_set_user($cronuser);
954 $_SESSION['SESSION'] = $cronsession;
955
956 } else {
957 // emulate real user session - needed for caps in cron
958 if ($_SESSION['USER']->id != $user->id) {
959 session_set_user($user);
960 $_SESSION['SESSION'] = new stdClass();
961 }
962 }
963
964 // TODO MDL-19774 relying on global $PAGE in cron is a bad idea.
965 // Temporary hack so that cron does not give fatal errors.
966 $PAGE = new moodle_page();
967 if ($course) {
968 $PAGE->set_course($course);
969 } else {
970 $PAGE->set_course($SITE);
971 }
972
973 // TODO: it should be possible to improve perf by caching some limited number of users here ;-)
974
975 }
976
977 /**
978 * Enable cookieless sessions by including $CFG->usesid=true;
979 * in config.php.
980 * Based on code from php manual by Richard at postamble.co.uk
981 * Attempts to use cookies if cookies not present then uses session ids attached to all urls and forms to pass session id from page to page.
982 * If site is open to google, google is given guest access as usual and there are no sessions. No session ids will be attached to urls for googlebot.
983 * This doesn't require trans_sid to be turned on but this is recommended for better performance
984 * you should put :
985 * session.use_trans_sid = 1
986 * in your php.ini file and make sure that you don't have a line like this in your php.ini
987 * session.use_only_cookies = 1
988 * @author Richard at postamble.co.uk and Jamie Pratt
989 * @license http://www.gnu.org/copyleft/gpl.html GNU Public License
990 */
991 /**
992 * You won't call this function directly. This function is used to process
993 * text buffered by php in an output buffer. All output is run through this function
994 * before it is ouput.
995 * @param string $buffer is the output sent from php
996 * @return string the output sent to the browser
997 */
998 function sid_ob_rewrite($buffer){
999 $replacements = array(
1000 '/(<\s*(a|link|script|frame|area)\s[^>]*(href|src)\s*=\s*")([^"]*)(")/i',
1001 '/(<\s*(a|link|script|frame|area)\s[^>]*(href|src)\s*=\s*\')([^\']*)(\')/i');
1002
1003 $buffer = preg_replace_callback($replacements, 'sid_rewrite_link_tag', $buffer);
1004 $buffer = preg_replace('/<form\s[^>]*>/i',
1005 '\0<input type="hidden" name="' . session_name() . '" value="' . session_id() . '"/>', $buffer);
1006
1007 return $buffer;
1008 }
1009 /**
1010 * You won't call this function directly. This function is used to process
1011 * text buffered by php in an output buffer. All output is run through this function
1012 * before it is ouput.
1013 * This function only processes absolute urls, it is used when we decide that
1014 * php is processing other urls itself but needs some help with internal absolute urls still.
1015 * @param string $buffer is the output sent from php
1016 * @return string the output sent to the browser
1017 */
1018 function sid_ob_rewrite_absolute($buffer){
1019 $replacements = array(
1020 '/(<\s*(a|link|script|frame|area)\s[^>]*(href|src)\s*=\s*")((?:http|https)[^"]*)(")/i',
1021 '/(<\s*(a|link|script|frame|area)\s[^>]*(href|src)\s*=\s*\')((?:http|https)[^\']*)(\')/i');
1022
1023 $buffer = preg_replace_callback($replacements, 'sid_rewrite_link_tag', $buffer);
1024 $buffer = preg_replace('/<form\s[^>]*>/i',
1025 '\0<input type="hidden" name="' . session_name() . '" value="' . session_id() . '"/>', $buffer);
1026 return $buffer;
1027 }
1028
1029 /**
1030 * A function to process link, a and script tags found
1031 * by preg_replace_callback in {@link sid_ob_rewrite($buffer)}.
1032 */
1033 function sid_rewrite_link_tag($matches){
1034 $url = $matches[4];
1035 $url = sid_process_url($url);
1036 return $matches[1].$url.$matches[5];
1037 }
1038
1039 /**
1040 * You can call this function directly. This function is used to process
1041 * urls to add a moodle session id to the url for internal links.
1042 * @param string $url is a url
1043 * @return string the processed url
1044 */
1045 function sid_process_url($url) {
1046 global $CFG;
1047
1048 if ((preg_match('/^(http|https):/i', $url)) // absolute url
1049 && ((stripos($url, $CFG->wwwroot)!==0) && stripos($url, $CFG->httpswwwroot)!==0)) { // and not local one
1050 return $url; //don't attach sessid to non local urls
1051 }
1052 if ($url[0]=='#' || (stripos($url, 'javascript:')===0)) {
1053 return $url; //don't attach sessid to anchors
1054 }
1055 if (strpos($url, session_name())!==FALSE) {
1056 return $url; //don't attach sessid to url that already has one sessid
1057 }
1058 if (strpos($url, "?")===FALSE) {
1059 $append = "?".strip_tags(session_name() . '=' . session_id());
1060 } else {
1061 $append = "&amp;".strip_tags(session_name() . '=' . session_id());
1062 }
1063 //put sessid before any anchor
1064 $p = strpos($url, "#");
1065 if ($p!==FALSE){
1066 $anch = substr($url, $p);
1067 $url = substr($url, 0, $p).$append.$anch ;
1068 } else {
1069 $url .= $append ;
1070 }
1071 return $url;
1072 }
1073
1074 /**
1075 * Call this function before there has been any output to the browser to
1076 * buffer output and add session ids to all internal links.
1077 */
1078 function sid_start_ob(){
1079 global $CFG;
1080 //don't attach sess id for bots
1081
1082 if (!empty($_SERVER['HTTP_USER_AGENT'])) {
1083 if (!empty($CFG->opentogoogle)) {
1084 if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) {
1085 @ini_set('session.use_trans_sid', '0'); // try and turn off trans_sid
1086 $CFG->usesid=false;
1087 return;
1088 }
1089 if (strpos($_SERVER['HTTP_USER_AGENT'], 'google.com') !== false) {
1090 @ini_set('session.use_trans_sid', '0'); // try and turn off trans_sid
1091 $CFG->usesid=false;
1092 return;
1093 }
1094 }
1095 if (strpos($_SERVER['HTTP_USER_AGENT'], 'W3C_Validator') !== false) {
1096 @ini_set('session.use_trans_sid', '0'); // try and turn off trans_sid
1097 $CFG->usesid=false;
1098 return;
1099 }
1100 }
1101
1102 @ini_set('session.use_trans_sid', '1'); // try and turn on trans_sid
1103
1104 if (ini_get('session.use_trans_sid') != 0) {
1105 // use trans sid as its available
1106 ini_set('url_rewriter.tags', 'a=href,area=href,script=src,link=href,frame=src,form=fakeentry');
1107 ob_start('sid_ob_rewrite_absolute');
1108 } else {
1109 //rewrite all links ourselves
1110 ob_start('sid_ob_rewrite');
1111 }
1112 }
1113
Read-only mirror of the Moodle CVS