lib/sessionlib.php

   1 <?php
   2 // This file is part of Moodle - http://moodle.org/
   3 //
   4 // Moodle is free software: you can redistribute it and/or modify
   5 // it under the terms of the GNU General Public License as published by
   6 // the Free Software Foundation, either version 3 of the License, or
   7 // (at your option) any later version.
   8 //
   9 // Moodle is distributed in the hope that it will be useful,
  10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 // GNU General Public License for more details.
  13 //
  14 // You should have received a copy of the GNU General Public License
  15 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16
  17 /**
  18  * @package    core
  19  * @subpackage session
  20  * @copyright  1999 onwards Martin Dougiamas  {@link http://moodle.com}
  21  * @copyright  2008, 2009 Petr Skoda  {@link http://skodak.org}
  22  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  23  */
  24
  25 defined('MOODLE_INTERNAL') || die();
  26
  27
  28 /**
  29  * Makes sure that $USER->sesskey exists, if $USER itself exists. It sets a new sesskey
  30  * if one does not already exist, but does not overwrite existing sesskeys. Returns the
  31  * sesskey string if $USER exists, or boolean false if not.
  32  *
  33  * @uses $USER
  34  * @return string
  35  */
  36 function sesskey() {
  37     // note: do not use $USER because it may not be initialised yet
  38     if (empty($_SESSION['USER']->sesskey)) {
  39         if (!isset($_SESSION['USER'])) {
  40             // This should never happen,
  41             // do not mess with session and globals here,
  42             // let any checks fail instead!
  43             return false;
  44         }
  45         $_SESSION['USER']->sesskey = random_string(10);
  46     }
  47
  48     return $_SESSION['USER']->sesskey;
  49 }
  50
  51
  52 /**
  53  * Check the sesskey and return true of false for whether it is valid.
  54  * (You might like to imagine this function is called sesskey_is_valid().)
  55  *
  56  * Every script that lets the user perform a significant action (that is,
  57  * changes data in the database) should check the sesskey before doing the action.
  58  * Depending on your code flow, you may want to use the {@link require_sesskey()}
  59  * helper function.
  60  *
  61  * @param string $sesskey The sesskey value to check (optional). Normally leave this blank
  62  *      and this function will do required_param('sesskey', ...).
  63  * @return bool whether the sesskey sent in the request matches the one stored in the session.
  64  */
  65 function confirm_sesskey($sesskey=NULL) {
  66     global $USER;
  67
  68     if (!empty($USER->ignoresesskey)) {
  69         return true;
  70     }
  71
  72     if (empty($sesskey)) {
  73         $sesskey = required_param('sesskey', PARAM_RAW);  // Check script parameters
  74     }
  75
  76     return (sesskey() === $sesskey);
  77 }
  78
  79 /**
  80  * Check the session key using {@link confirm_sesskey()},
  81  * and cause a fatal error if it does not match.
  82  */
  83 function require_sesskey() {
  84     if (!confirm_sesskey()) {
  85         print_error('invalidsesskey');
  86     }
  87 }
  88
  89 /**
  90  * Determine wether the secure flag should be set on cookies
  91  * @return bool
  92  */
  93 function is_moodle_cookie_secure() {
  94     global $CFG;
  95
  96     if (!isset($CFG->cookiesecure)) {
  97         return false;
  98     }
  99     if (!empty($CFG->loginhttps)) {
 100         return false;
 101     }
 102     if (!is_https() and empty($CFG->sslproxy)) {
 103         return false;
 104     }
 105     return !empty($CFG->cookiesecure);
 106 }
 107
 108 /**
 109  * Sets a moodle cookie with a weakly encrypted username
 110  *
 111  * @param string $username to encrypt and place in a cookie, '' means delete current cookie
 112  * @return void
 113  */
 114 function set_moodle_cookie($username) {
 115     global $CFG;
 116
 117     if (NO_MOODLE_COOKIES) {
 118         return;
 119     }
 120
 121     if (empty($CFG->rememberusername)) {
 122         // erase current and do not store permanent cookies
 123         $username = '';
 124     }
 125
 126     if ($username === 'guest') {
 127         // keep previous cookie in case of guest account login
 128         return;
 129     }
 130
 131     $cookiename = 'MOODLEID1_'.$CFG->sessioncookie;
 132
 133     $cookiesecure = is_moodle_cookie_secure();
 134
 135     // Delete old cookie.
 136     setcookie($cookiename, '', time() - HOURSECS, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $cookiesecure, $CFG->cookiehttponly);
 137
 138     if ($username !== '') {
 139         // Set username cookie for 60 days.
 140         setcookie($cookiename, rc4encrypt($username), time() + (DAYSECS * 60), $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $cookiesecure, $CFG->cookiehttponly);
 141     }
 142 }
 143
 144 /**
 145  * Gets a moodle cookie with a weakly encrypted username
 146  *
 147  * @return string username
 148  */
 149 function get_moodle_cookie() {
 150     global $CFG;
 151
 152     if (NO_MOODLE_COOKIES) {
 153         return '';
 154     }
 155
 156     if (empty($CFG->rememberusername)) {
 157         return '';
 158     }
 159
 160     $cookiename = 'MOODLEID1_'.$CFG->sessioncookie;
 161
 162     if (empty($_COOKIE[$cookiename])) {
 163         return '';
 164     } else {
 165         $username = rc4decrypt($_COOKIE[$cookiename]);
 166         if ($username === 'guest' or $username === 'nobody') {
 167             // backwards compatibility - we do not set these cookies any more
 168             $username = '';
 169         }
 170         return $username;
 171     }
 172 }
 173
 174 /**
 175  * Sets up current user and course environment (lang, etc.) in cron.
 176  * Do not use outside of cron script!
 177  *
 178  * @param stdClass $user full user object, null means default cron user (admin),
 179  *                 value 'reset' means reset internal static caches.
 180  * @param stdClass $course full course record, null means $SITE
 181  * @return void
 182  */
 183 function cron_setup_user($user = NULL, $course = NULL) {
 184     global $CFG, $SITE, $PAGE;
 185
 186     if (!CLI_SCRIPT) {
 187         throw new coding_exception('Function cron_setup_user() cannot be used in normal requests!');
 188     }
 189
 190     static $cronuser    = NULL;
 191     static $cronsession = NULL;
 192
 193     if ($user === 'reset') {
 194         $cronuser = null;
 195         $cronsession = null;
 196         \core\session\manager::init_empty_session();
 197         return;
 198     }
 199
 200     if (empty($cronuser)) {
 201         /// ignore admins timezone, language and locale - use site default instead!
 202         $cronuser = get_admin();
 203         $cronuser->timezone = $CFG->timezone;
 204         $cronuser->lang     = '';
 205         $cronuser->theme    = '';
 206         unset($cronuser->description);
 207
 208         $cronsession = new stdClass();
 209     }
 210
 211     if (!$user) {
 212         // Cached default cron user (==modified admin for now).
 213         \core\session\manager::init_empty_session();
 214         \core\session\manager::set_user($cronuser);
 215         $GLOBALS['SESSION'] = $cronsession;
 216
 217     } else {
 218         // Emulate real user session - needed for caps in cron.
 219         if ($GLOBALS['USER']->id != $user->id) {
 220             \core\session\manager::init_empty_session();
 221             \core\session\manager::set_user($user);
 222         }
 223     }
 224
 225     // TODO MDL-19774 relying on global $PAGE in cron is a bad idea.
 226     // Temporary hack so that cron does not give fatal errors.
 227     $PAGE = new moodle_page();
 228     if ($course) {
 229         $PAGE->set_course($course);
 230     } else {
 231         $PAGE->set_course($SITE);
 232     }
 233
 234     // TODO: it should be possible to improve perf by caching some limited number of users here ;-)
 235
 236 }