ttrss/include/sessions.php

<?php
	namespace Sessions;

	use UserHelper;

	require_once "autoload.php";
	require_once "functions.php";
	require_once "errorhandler.php";
	require_once "lib/gettext/gettext.inc.php";

	$session_expire = min(2147483647 - time() - 1, max(\Config::get(\Config::SESSION_COOKIE_LIFETIME), 86400));
	$session_name = \Config::get(\Config::SESSION_NAME);

	if (\Config::is_server_https()) {
		ini_set("session.cookie_secure", "true");
	}

	ini_set("session.gc_probability", "75");
	ini_set("session.name", $session_name);
	ini_set("session.use_only_cookies", "true");
	ini_set("session.gc_maxlifetime", $session_expire);
	ini_set("session.cookie_lifetime", "0");

	// prolong PHP session cookie
	if (isset($_COOKIE[$session_name]))
		setcookie($session_name,
			$_COOKIE[$session_name],
			time() + $session_expire,
			ini_get("session.cookie_path"),
			ini_get("session.cookie_domain"),
			ini_get("session.cookie_secure"),
			ini_get("session.cookie_httponly"));

	function validate_session(): bool {
		if (\Config::get(\Config::SINGLE_USER_MODE)) return true;

		$pdo = \Db::pdo();

		if (!empty($_SESSION["uid"])) {
			$user = \ORM::for_table('ttrss_users')->find_one($_SESSION["uid"]);

			if ($user) {
				if ($user->pwd_hash != $_SESSION["pwd_hash"]) {
					$_SESSION["login_error_msg"] = __("Session failed to validate (password changed)");
					return false;
				}

				if ($user->access_level == UserHelper::ACCESS_LEVEL_DISABLED) {
					$_SESSION["login_error_msg"] = __("Session failed to validate (account is disabled)");
					return false;
				}
			} else {
				$_SESSION["login_error_msg"] = __("Session failed to validate (user not found)");
				return false;
			}
		}

		return true;
	}

	function ttrss_open(string $savePath, string $sessionName): bool {
		return true;
	}

	function ttrss_read(string $id): string {
		global $session_expire;

		$sth = \Db::pdo()->prepare("SELECT data FROM ttrss_sessions WHERE id=?");
		$sth->execute([$id]);

		if ($row = $sth->fetch()) {
				return base64_decode($row["data"]);

		} else {
				$expire = time() + $session_expire;

				$sth = \Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
					VALUES (?, '', ?)");
				$sth->execute([$id, $expire]);

				return "";

		}

	}

	function ttrss_write(string $id, string $data): bool {
		global $session_expire;

		$data = base64_encode($data);
		$expire = time() + $session_expire;

		$sth = \Db::pdo()->prepare("SELECT id FROM ttrss_sessions WHERE id=?");
		$sth->execute([$id]);

		if ($sth->fetch()) {
			$sth = \Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?");
			$sth->execute([$data, $expire, $id]);
		} else {
			$sth = \Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
				VALUES (?, ?, ?)");
			$sth->execute([$id, $data, $expire]);
		}

		return true;
	}

	function ttrss_close(): bool {
		return true;
	}

	function ttrss_destroy(string $id): bool {
		$sth = \Db::pdo()->prepare("DELETE FROM ttrss_sessions WHERE id = ?");
		$sth->execute([$id]);

		return true;
	}

	function ttrss_gc(int $lifetime): bool {
		\Db::pdo()->query("DELETE FROM ttrss_sessions WHERE expire < " . time());

		return true;
	}

	if (\Config::get_schema_version() >= 0) {
		session_set_save_handler('\Sessions\ttrss_open',
			'\Sessions\ttrss_close', '\Sessions\ttrss_read',
			'\Sessions\ttrss_write', '\Sessions\ttrss_destroy',
			'\Sessions\ttrss_gc'); // @phpstan-ignore-line
			// PHPStan complains about '\Sessions\ttrss_gc' if its $lifetime param isn't marked as string,
			// but the docs say it's an int.  If it is actually a string it'll get coerced to an int.

		register_shutdown_function('session_write_close');

		if (!defined('NO_SESSION_AUTOSTART')) {
			if (isset($_COOKIE[session_name()])) {
				if (session_status() != PHP_SESSION_ACTIVE)
						session_start();
			}
		}
	}
change short php tags to long ones 2006-08-19 07:04:45 +00:00			`<?php`
move session-related functions to their own namespace 2021-02-16 14:13:16 +00:00			`namespace Sessions;`

Address PHPStan warnings in 'include/sessions.php'. 2021-11-11 15:57:03 +00:00			`use UserHelper;`
add two helper account access levels: - read only - can't subscribe to more feeds, feed updates are skipped - disabled - can't login define used access levels as UserHelper constants and refactor code to use them instead of hardcoded numbers 2021-11-10 17:44:51 +00:00
Address PHPStan warnings in 'include/sessions.php'. 2021-11-11 15:57:03 +00:00			`require_once "autoload.php";`
wip: initial for config object 2021-02-22 18:47:48 +00:00			`require_once "functions.php";`
experimental SQL-based error logger 2013-04-16 15:41:31 +00:00			`require_once "errorhandler.php";`
rename gettext.inc to gettext.inc.php (cosmetic) 2020-09-17 15:56:29 +00:00			`require_once "lib/gettext/gettext.inc.php";`
database backed sessions 2006-03-02 08:10:43 +00:00
wip: initial for config object 2021-02-22 18:47:48 +00:00			`$session_expire = min(2147483647 - time() - 1, max(\Config::get(\Config::SESSION_COOKIE_LIFETIME), 86400));`
rename TTRSS_SESSION_NAME to SESSION_NAME 2021-02-23 14:01:25 +00:00			`$session_name = \Config::get(\Config::SESSION_NAME);`
database backed sessions 2006-03-02 08:10:43 +00:00
move startup checks to Config, set a bunch of @deprecated annotations 2021-03-01 07:20:21 +00:00			`if (\Config::is_server_https()) {`
fix several issues reported by phpstan 2021-02-22 11:41:09 +00:00			`ini_set("session.cookie_secure", "true");`
use SSL serial to bind certificate to user; implement autologin using SSL certificate; set a separate session cookie for SSL connections (refs #324) 2011-03-28 04:30:00 +00:00			`}`

fix several issues reported by phpstan 2021-02-22 11:41:09 +00:00			`ini_set("session.gc_probability", "75");`
mobile version uses separate sid 2006-05-23 05:07:38 +00:00			`ini_set("session.name", $session_name);`
fix several issues reported by phpstan 2021-02-22 11:41:09 +00:00			`ini_set("session.use_only_cookies", "true");`
remove SESSION_EXPIRE_TIME 2013-03-28 06:06:16 +00:00			`ini_set("session.gc_maxlifetime", $session_expire);`
fix several issues reported by phpstan 2021-02-22 11:41:09 +00:00			`ini_set("session.cookie_lifetime", "0");`
database backed sessions 2006-03-02 08:10:43 +00:00
prolong PHP session cookie automatically to stop hard logouts after SESSION_COOKIE_LIFETIME expires 2021-06-25 09:12:05 +00:00			`// prolong PHP session cookie`
			`if (isset($_COOKIE[$session_name]))`
			`setcookie($session_name,`
			`$_COOKIE[$session_name],`
			`time() + $session_expire,`
			`ini_get("session.cookie_path"),`
			`ini_get("session.cookie_domain"),`
			`ini_get("session.cookie_secure"),`
			`ini_get("session.cookie_httponly"));`

Address PHPStan warnings in 'include/sessions.php'. 2021-11-11 15:57:03 +00:00			`function validate_session(): bool {`
wip: initial for config object 2021-02-22 18:47:48 +00:00			`if (\Config::get(\Config::SINGLE_USER_MODE)) return true;`
validate session on startup 2013-03-31 09:10:46 +00:00
sessions: don't check schema version 2021-03-04 05:32:19 +00:00			`$pdo = \Db::pdo();`
validate session on startup 2013-03-31 09:10:46 +00:00
more php8 fixes mostly related to login 2021-02-05 21:12:15 +00:00			`if (!empty($_SESSION["uid"])) {`
userhelper: use orm for a few more user-related things 2021-03-01 16:32:27 +00:00			`$user = \ORM::for_table('ttrss_users')->find_one($_SESSION["uid"]);`
validate session on startup 2013-03-31 09:10:46 +00:00
userhelper: use orm for a few more user-related things 2021-03-01 16:32:27 +00:00			`if ($user) {`
			`if ($user->pwd_hash != $_SESSION["pwd_hash"]) {`
sessions: stop validating against hash of user agent because chromium is sending different agent headers for whatever reason, example: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36 seems to be related, at least, to App.postOpenWindow() hack. 2021-03-05 09:27:23 +00:00			`$_SESSION["login_error_msg"] = __("Session failed to validate (password changed)");`
userhelper: use orm for a few more user-related things 2021-03-01 16:32:27 +00:00			`return false;`
			`}`
add two helper account access levels: - read only - can't subscribe to more feeds, feed updates are skipped - disabled - can't login define used access levels as UserHelper constants and refactor code to use them instead of hardcoded numbers 2021-11-10 17:44:51 +00:00
			`if ($user->access_level == UserHelper::ACCESS_LEVEL_DISABLED) {`
			`$_SESSION["login_error_msg"] = __("Session failed to validate (account is disabled)");`
			`return false;`
			`}`
validate session on startup 2013-03-31 09:10:46 +00:00			`} else {`
sessions: stop validating against hash of user agent because chromium is sending different agent headers for whatever reason, example: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36 seems to be related, at least, to App.postOpenWindow() hack. 2021-03-05 09:27:23 +00:00			`$_SESSION["login_error_msg"] = __("Session failed to validate (user not found)");`
userhelper: use orm for a few more user-related things 2021-03-01 16:32:27 +00:00			`return false;`
validate session on startup 2013-03-31 09:10:46 +00:00			`}`
			`}`

			`return true;`
			`}`

Address PHPStan warnings in 'include/sessions.php'. 2021-11-11 15:57:03 +00:00			`function ttrss_open(string $savePath, string $sessionName): bool {`
database backed sessions 2006-03-02 08:10:43 +00:00			`return true;`
			`}`

Address PHPStan warnings in 'include/sessions.php'. 2021-11-11 15:57:03 +00:00			`function ttrss_read(string $id): string {`
more work on singleton-based DB 2013-04-17 11:36:34 +00:00			`global $session_expire;`

move session-related functions to their own namespace 2021-02-16 14:13:16 +00:00			`$sth = \Db::pdo()->prepare("SELECT data FROM ttrss_sessions WHERE id=?");`
sessions: PDO 2017-12-01 11:48:23 +00:00			`$sth->execute([$id]);`
use SSL serial to bind certificate to user; implement autologin using SSL certificate; set a separate session cookie for SSL connections (refs #324) 2011-03-28 04:30:00 +00:00
sessions: PDO 2017-12-01 11:48:23 +00:00			`if ($row = $sth->fetch()) {`
fix session write handler always assuming that database entry exists and failing silently if it doesn't; remove session cookie-related hacks 2018-10-16 11:07:42 +00:00			`return base64_decode($row["data"]);`
database backed sessions 2006-03-02 08:10:43 +00:00
sessions: PDO 2017-12-01 11:48:23 +00:00			`} else {`
fix session write handler always assuming that database entry exists and failing silently if it doesn't; remove session cookie-related hacks 2018-10-16 11:07:42 +00:00			`$expire = time() + $session_expire;`
database backed sessions 2006-03-02 08:10:43 +00:00
move session-related functions to their own namespace 2021-02-16 14:13:16 +00:00			`$sth = \Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)`
sessions: PDO 2017-12-01 11:48:23 +00:00			`VALUES (?, '', ?)");`
fix session write handler always assuming that database entry exists and failing silently if it doesn't; remove session cookie-related hacks 2018-10-16 11:07:42 +00:00			`$sth->execute([$id, $expire]);`
sessions: PDO 2017-12-01 11:48:23 +00:00
fix session write handler always assuming that database entry exists and failing silently if it doesn't; remove session cookie-related hacks 2018-10-16 11:07:42 +00:00			`return "";`
use SSL serial to bind certificate to user; implement autologin using SSL certificate; set a separate session cookie for SSL connections (refs #324) 2011-03-28 04:30:00 +00:00
database backed sessions 2006-03-02 08:10:43 +00:00			`}`
more work on singleton-based DB 2013-04-17 11:36:34 +00:00
database backed sessions 2006-03-02 08:10:43 +00:00			`}`

Address PHPStan warnings in 'include/sessions.php'. 2021-11-11 15:57:03 +00:00			`function ttrss_write(string $id, string $data): bool {`
more work on singleton-based DB 2013-04-17 11:36:34 +00:00			`global $session_expire;`
use SSL serial to bind certificate to user; implement autologin using SSL certificate; set a separate session cookie for SSL connections (refs #324) 2011-03-28 04:30:00 +00:00
more work on singleton-based DB 2013-04-17 11:36:34 +00:00			`$data = base64_encode($data);`
database backed sessions 2006-03-02 08:10:43 +00:00			`$expire = time() + $session_expire;`
use SSL serial to bind certificate to user; implement autologin using SSL certificate; set a separate session cookie for SSL connections (refs #324) 2011-03-28 04:30:00 +00:00
move session-related functions to their own namespace 2021-02-16 14:13:16 +00:00			`$sth = \Db::pdo()->prepare("SELECT id FROM ttrss_sessions WHERE id=?");`
fix session write handler always assuming that database entry exists and failing silently if it doesn't; remove session cookie-related hacks 2018-10-16 11:07:42 +00:00			`$sth->execute([$id]);`

Clean up some unused variables. This is essentially https://gitlab.tt-rss.org/wn/tt-rss/-/commit/1ccc0c8c1af04dd9654b585c6d07e3a75d944a0c without the renames and some other things related to Psalm. 2024-01-08 22:46:13 +00:00			`if ($sth->fetch()) {`
move session-related functions to their own namespace 2021-02-16 14:13:16 +00:00			`$sth = \Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?");`
fix session write handler always assuming that database entry exists and failing silently if it doesn't; remove session cookie-related hacks 2018-10-16 11:07:42 +00:00			`$sth->execute([$data, $expire, $id]);`
			`} else {`
move session-related functions to their own namespace 2021-02-16 14:13:16 +00:00			`$sth = \Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)`
fix session write handler always assuming that database entry exists and failing silently if it doesn't; remove session cookie-related hacks 2018-10-16 11:07:42 +00:00			`VALUES (?, ?, ?)");`
			`$sth->execute([$id, $data, $expire]);`
			`}`
use SSL serial to bind certificate to user; implement autologin using SSL certificate; set a separate session cookie for SSL connections (refs #324) 2011-03-28 04:30:00 +00:00
database backed sessions 2006-03-02 08:10:43 +00:00			`return true;`
			`}`

Address PHPStan warnings in 'include/sessions.php'. 2021-11-11 15:57:03 +00:00			`function ttrss_close(): bool {`
database backed sessions 2006-03-02 08:10:43 +00:00			`return true;`
			`}`

Address PHPStan warnings in 'include/sessions.php'. 2021-11-11 15:57:03 +00:00			`function ttrss_destroy(string $id): bool {`
move session-related functions to their own namespace 2021-02-16 14:13:16 +00:00			`$sth = \Db::pdo()->prepare("DELETE FROM ttrss_sessions WHERE id = ?");`
sessions: PDO 2017-12-01 11:48:23 +00:00			`$sth->execute([$id]);`
use SSL serial to bind certificate to user; implement autologin using SSL certificate; set a separate session cookie for SSL connections (refs #324) 2011-03-28 04:30:00 +00:00
database backed sessions 2006-03-02 08:10:43 +00:00			`return true;`
			`}`

Address PHPStan warnings in 'include/sessions.php'. 2021-11-11 15:57:03 +00:00			`function ttrss_gc(int $lifetime): bool {`
move session-related functions to their own namespace 2021-02-16 14:13:16 +00:00			`\Db::pdo()->query("DELETE FROM ttrss_sessions WHERE expire < " . time());`
ttrss_gc: return true 2015-12-07 12:25:31 +00:00
			`return true;`
database backed sessions 2006-03-02 08:10:43 +00:00			`}`

bring back web dbupdate using new migrations system 2021-03-04 06:22:24 +00:00			`if (\Config::get_schema_version() >= 0) {`
use database-backed sessions in single user mode 2021-05-11 16:21:53 +00:00			`session_set_save_handler('\Sessions\ttrss_open',`
			`'\Sessions\ttrss_close', '\Sessions\ttrss_read',`
			`'\Sessions\ttrss_write', '\Sessions\ttrss_destroy',`
Address PHPStan warnings in 'include/sessions.php'. 2021-11-11 15:57:03 +00:00			`'\Sessions\ttrss_gc'); // @phpstan-ignore-line`
			`// PHPStan complains about '\Sessions\ttrss_gc' if its $lifetime param isn't marked as string,`
			`// but the docs say it's an int. If it is actually a string it'll get coerced to an int.`

use database-backed sessions in single user mode 2021-05-11 16:21:53 +00:00			`register_shutdown_function('session_write_close');`
login system fixes 2007-03-01 12:09:05 +00:00
bring back web dbupdate using new migrations system 2021-03-04 06:22:24 +00:00			`if (!defined('NO_SESSION_AUTOSTART')) {`
			`if (isset($_COOKIE[session_name()])) {`
			`if (session_status() != PHP_SESSION_ACTIVE)`
			`session_start();`
			`}`
only autostart session if login cookie exists 2013-03-28 04:06:21 +00:00			`}`
api: use tt-rss session storage 2012-09-19 08:45:01 +00:00			`}`