lib/sessionlib.php

   1 <?php
   2 // This file is part of Moodle - http://moodle.org/
   3 //
   4 // Moodle is free software: you can redistribute it and/or modify
   5 // it under the terms of the GNU General Public License as published by
   6 // the Free Software Foundation, either version 3 of the License, or
   7 // (at your option) any later version.
   8 //
   9 // Moodle is distributed in the hope that it will be useful,
  10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 // GNU General Public License for more details.
  13 //
  14 // You should have received a copy of the GNU General Public License
  15 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16
  17 /**
  18  * @package    core
  19  * @subpackage session
  20  * @copyright  1999 onwards Martin Dougiamas  {@link http://moodle.com}
  21  * @copyright  2008, 2009 Petr Skoda  {@link http://skodak.org}
  22  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  23  */
  24
  25 defined('MOODLE_INTERNAL') || die();
  26
  27
  28 /**
  29  * Makes sure that $USER->sesskey exists, if $USER itself exists. It sets a new sesskey
  30  * if one does not already exist, but does not overwrite existing sesskeys. Returns the
  31  * sesskey string if $USER exists, or boolean false if not.
  32  *
  33  * @uses $USER
  34  * @return string
  35  */
  36 function sesskey() {
  37     // note: do not use $USER because it may not be initialised yet
  38     if (empty($_SESSION['USER']->sesskey)) {
  39         if (!isset($_SESSION['USER'])) {
  40             $_SESSION['USER'] = new stdClass;
  41         }
  42         $_SESSION['USER']->sesskey = random_string(10);
  43     }
  44
  45     return $_SESSION['USER']->sesskey;
  46 }
  47
  48
  49 /**
  50  * Check the sesskey and return true of false for whether it is valid.
  51  * (You might like to imagine this function is called sesskey_is_valid().)
  52  *
  53  * Every script that lets the user perform a significant action (that is,
  54  * changes data in the database) should check the sesskey before doing the action.
  55  * Depending on your code flow, you may want to use the {@link require_sesskey()}
  56  * helper function.
  57  *
  58  * @param string $sesskey The sesskey value to check (optional). Normally leave this blank
  59  *      and this function will do required_param('sesskey', ...).
  60  * @return bool whether the sesskey sent in the request matches the one stored in the session.
  61  */
  62 function confirm_sesskey($sesskey=NULL) {
  63     global $USER;
  64
  65     if (!empty($USER->ignoresesskey)) {
  66         return true;
  67     }
  68
  69     if (empty($sesskey)) {
  70         $sesskey = required_param('sesskey', PARAM_RAW);  // Check script parameters
  71     }
  72
  73     return (sesskey() === $sesskey);
  74 }
  75
  76 /**
  77  * Check the session key using {@link confirm_sesskey()},
  78  * and cause a fatal error if it does not match.
  79  */
  80 function require_sesskey() {
  81     if (!confirm_sesskey()) {
  82         print_error('invalidsesskey');
  83     }
  84 }
  85
  86 /**
  87  * Sets a moodle cookie with a weakly encrypted username
  88  *
  89  * @param string $username to encrypt and place in a cookie, '' means delete current cookie
  90  * @return void
  91  */
  92 function set_moodle_cookie($username) {
  93     global $CFG;
  94
  95     if (NO_MOODLE_COOKIES) {
  96         return;
  97     }
  98
  99     if (empty($CFG->rememberusername)) {
 100         // erase current and do not store permanent cookies
 101         $username = '';
 102     }
 103
 104     if ($username === 'guest') {
 105         // keep previous cookie in case of guest account login
 106         return;
 107     }
 108
 109     $cookiename = 'MOODLEID1_'.$CFG->sessioncookie;
 110
 111     // delete old cookie
 112     setcookie($cookiename, '', time() - HOURSECS, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
 113
 114     if ($username !== '') {
 115         // set username cookie for 60 days
 116         setcookie($cookiename, rc4encrypt($username), time()+(DAYSECS*60), $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
 117     }
 118 }
 119
 120 /**
 121  * Gets a moodle cookie with a weakly encrypted username
 122  *
 123  * @return string username
 124  */
 125 function get_moodle_cookie() {
 126     global $CFG;
 127
 128     if (NO_MOODLE_COOKIES) {
 129         return '';
 130     }
 131
 132     if (empty($CFG->rememberusername)) {
 133         return '';
 134     }
 135
 136     $cookiename = 'MOODLEID1_'.$CFG->sessioncookie;
 137
 138     if (empty($_COOKIE[$cookiename])) {
 139         return '';
 140     } else {
 141         $username = rc4decrypt($_COOKIE[$cookiename]);
 142         if ($username === 'guest' or $username === 'nobody') {
 143             // backwards compatibility - we do not set these cookies any more
 144             $username = '';
 145         }
 146         return $username;
 147     }
 148 }
 149
 150 /**
 151  * Sets up current user and course environment (lang, etc.) in cron.
 152  * Do not use outside of cron script!
 153  *
 154  * @param stdClass $user full user object, null means default cron user (admin)
 155  * @param $course full course record, null means $SITE
 156  * @return void
 157  */
 158 function cron_setup_user($user = NULL, $course = NULL) {
 159     global $CFG, $SITE, $PAGE;
 160
 161     static $cronuser    = NULL;
 162     static $cronsession = NULL;
 163
 164     if (empty($cronuser)) {
 165         /// ignore admins timezone, language and locale - use site default instead!
 166         $cronuser = get_admin();
 167         $cronuser->timezone = $CFG->timezone;
 168         $cronuser->lang     = '';
 169         $cronuser->theme    = '';
 170         unset($cronuser->description);
 171
 172         $cronsession = new stdClass();
 173     }
 174
 175     if (!$user) {
 176         // cached default cron user (==modified admin for now)
 177         \core\session\manager::set_user($cronuser);
 178         $_SESSION['SESSION'] = $cronsession;
 179
 180     } else {
 181         // emulate real user session - needed for caps in cron
 182         if ($_SESSION['USER']->id != $user->id) {
 183             \core\session\manager::set_user($user);
 184             $_SESSION['SESSION'] = new stdClass();
 185         }
 186     }
 187
 188     // TODO MDL-19774 relying on global $PAGE in cron is a bad idea.
 189     // Temporary hack so that cron does not give fatal errors.
 190     $PAGE = new moodle_page();
 191     if ($course) {
 192         $PAGE->set_course($course);
 193     } else {
 194         $PAGE->set_course($SITE);
 195     }
 196
 197     // TODO: it should be possible to improve perf by caching some limited number of users here ;-)
 198
 199 }