PageRenderTime 52ms CodeModel.GetById 15ms RepoModel.GetById 1ms app.codeStats 0ms

/html/AppCode/expressionengine/libraries/Session.php

https://github.com/w3bg/www.hsifin.com
PHP | 1217 lines | 705 code | 226 blank | 286 comment | 159 complexity | f1ce7d9cdaf65a6d5f48a4e545d537f9 MD5 | raw file
Possible License(s): AGPL-3.0 
    

  1. <?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');
    2. 

  2. /**
    3. 

  3.  * ExpressionEngine - by EllisLab
    4. 

  4.  *
    5. 

  5.  * @package		ExpressionEngine
    6. 

  6.  * @author		ExpressionEngine Dev Team
    7. 

  7.  * @copyright	Copyright (c) 2003 - 2010, EllisLab, Inc.
    8. 

  8.  * @license		http://expressionengine.com/user_guide/license.html
    9. 

  9.  * @link		http://expressionengine.com
    10. 

  10.  * @since		Version 2.0
    11. 

  11.  * @filesource
    12. 

  12.  */
    13. 

  13.  
    14. 

  14. // ------------------------------------------------------------------------
    15. 

  15. 

  16. /**
    17. 

  17.  * ExpressionEngine Core Session Class
    18. 

  18.  *
    19. 

  19.  * @package		ExpressionEngine
    20. 

  20.  * @subpackage	Core
    21. 

  21.  * @category	Core
    22. 

  22.  * @author		ExpressionEngine Dev Team
    23. 

  23.  * @link		http://expressionengine.com
    24. 

  24.  */
    25. 

  25.  
    26. 

  26. // ------------------------------------------------------------------------
    27. 

  27. 

  28. 

  29. /*
    30. 

  30. There are three validation types, set in the config file: 
    31. 

  31.  
    32. 

  32.   1. User cookies AND session ID (cs)
    33. 

  33. 		
    34. 

  34. 	This is the most secure way to run a site.  Three cookies are set:
    35. 

  35. 	1. Session ID - This is a unique hash that is randomly generated when someone logs in.
    36. 

  36. 	2. Password hash - The encrypted password of the current user
    37. 

  37. 	3. Unique ID - The permanent unique ID hash associated with the account.
    38. 

  38. 	
    39. 

  39. 	All three cookies expire when you close your browser OR when you have been 
    40. 

  40. 	inactive longer than two hours (one hour in the control panel).
    41. 

  41. 	
    42. 

  42. 	Using this setting does NOT allow 'stay logged-in' capability, as each session has a finite lifespan.
    43. 

    44. 

  44.   2. Cookies only - no session ID (c)
    45. 

  45. 	
    46. 

  46. 	With this validation type, a session is not generated, therefore
    47. 

  47. 	users can remain permanently logged in.
    48. 

  48. 	
    49. 

  49. 	This setting is obviously less secure because it does not provide a safety net
    50. 

  50. 	if you share your computer or access your site from a public computer.  It relies
    51. 

  51. 	solely on the password/unique_id cookies.
    52. 

    53. 

  53.   3. Session ID only (s).  
    54. 

  54. 	
    55. 

  55. 	Most compatible as it does not rely on cookies at all.  Instead, a URL query string ID 
    56. 

  56. 	is used.
    57. 

  57. 	
    58. 

  58. 	No stay-logged in capability.  The session will expire after one hour of inactivity, so
    59. 

  59. 	in terms of security, it is preferable to number 2.
    60. 

  60. 	
    61. 

  61. 	
    62. 

  62. 	NOTE: The control panel and public pages can each have their own session preference.
    63. 

  63. */
    64. 

  64. class EE_Session {
    65. 

  65. 	
    66. 

  66. 	var $user_session_len = 7200;  // User sessions expire in two hours
    67. 

  67. 	var $cpan_session_len = 3600;  // Admin sessions expire in one hour
    68. 

  68. 

  69. 	var $c_session			= 'sessionid';
    70. 

  70. 	var $c_uniqueid			= 'uniqueid';
    71. 

  71. 	var $c_password			= 'userhash';
    72. 

  72. 	var $c_expire			= 'expiration';
    73. 

  73. 	var $c_anon				= 'anon';
    74. 

  74. 	var $c_prefix			= '';
    75. 

  75. 	
    76. 

  76. 	var $sdata				= array();
    77. 

  77. 	var $userdata		 	= array();
    78. 

  78. 	var $tracker			= array();
    79. 

  79. 	var $flashdata			= array();
    80. 

  80. 	
    81. 

  81. 	var $sess_crypt_key		= '';
    82. 

  82. 	
    83. 

  83. 	var $validation_type  	= '';
    84. 

  84. 	var $session_length		= '';
    85. 

  85. 	
    86. 

  86. 	var $cookies_exist		= FALSE;
    87. 

  87. 	var $session_exists		= FALSE;
    88. 

  88. 	var $access_cp			= FALSE;
    89. 

  89. 	
    90. 

  90. 	var $gc_probability		= 5;  // Garbage collection probability.  Used to kill expired sessions.
    91. 

  91. 	
    92. 

  92. 	var $cache				= array();  // Store data for just this page load.  Multi-dimensional array with module/class name, e.g. $SESS->cache['module']['var_name']
    93. 

  93. 

  94. 

  95. 	/**
    96. 

  96. 	 * Session Class Constructor
    97. 

  97. 	 */
    98. 

  98. 	function EE_Session()
    99. 

  99. 	{
    100. 

  100. 		// Make a local reference to the ExpressionEngine super object
    101. 

  101. 		$this->EE =& get_instance();
    102. 

  102. 		
    103. 

  103. 		// Is the user banned?
    104. 

  104. 		// We only look for banned IPs if it's not a control panel request.
    105. 

  105. 		// We test for banned admins separately in the front controller
    106. 

  106. 		$ban_status = FALSE;
    107. 

  107. 		
    108. 

  108. 		if (REQ != 'CP')
    109. 

  109. 		{
    110. 

  110. 			if ($this->ban_check('ip'))
    111. 

  111. 			{
    112. 

  112. 				switch ($this->EE->config->item('ban_action'))
    113. 

  113. 				{
    114. 

  114. 					case 'message' : return $this->EE->output->fatal_error($this->EE->config->item('ban_message'), 0);
    115. 

  115. 						break;
    116. 

  116. 					case 'bounce'  : $this->EE->functions->redirect($this->EE->config->item('ban_destination')); exit;
    117. 

  117. 						break;
    118. 

  118. 					default		: $ban_status = TRUE;
    119. 

  119. 						break;		
    120. 

  120. 				}
    121. 

  121. 			}
    122. 

  122. 		}
    123. 

  123. 

  124. 		
    125. 

  125. 		/** --------------------------------------
    126. 

  126. 		/**  Set session length.
    127. 

  127. 		/** --------------------------------------*/
    128. 

  128. 		
    129. 

  129. 		$this->session_length = (REQ == 'CP') ? $this->cpan_session_len : $this->user_session_len;
    130. 

  130.  
    131. 

  131. 		/** --------------------------------------
    132. 

  132. 		/**  Set Default Session Values
    133. 

  133. 		/** --------------------------------------*/
    134. 

  134.  
    135. 

  135. 		// Set USER-DATA as GUEST until proven otherwise	
    136. 

  136. 			 
    137. 

  137. 		$this->userdata = array(
    138. 

  138. 								'username'			=> $this->EE->input->cookie('my_name'),
    139. 

  139. 								'screen_name'		=> '',
    140. 

  140. 								'email'				=> $this->EE->input->cookie('my_email'),
    141. 

  141. 								'url'				=> $this->EE->input->cookie('my_url'),
    142. 

  142. 								'location'			=> $this->EE->input->cookie('my_location'),
    143. 

  143. 								'language'			=> '',
    144. 

  144. 								'timezone'			=> ($this->EE->config->item('default_site_timezone') && $this->EE->config->item('default_site_timezone') != '') ? $this->EE->config->item('default_site_timezone') : $this->EE->config->item('server_timezone'),
    145. 

  145. 								'daylight_savings'  => ($this->EE->config->item('default_site_dst') && $this->EE->config->item('default_site_dst') != '') ? $this->EE->config->item('default_site_dst') : $this->EE->config->item('daylight_savings'),
    146. 

  146. 								'time_format'		=> ($this->EE->config->item('time_format') && $this->EE->config->item('time_format') != '') ? $this->EE->config->item('time_format') : 'us',
    147. 

  147. 								'group_id'			=> '3',
    148. 

  148. 								'access_cp'			=>  0,
    149. 

  149. 								'last_visit'		=>  0,
    150. 

  150. 								'is_banned'			=>  $ban_status,
    151. 

  151. 								'ignore_list'		=>  array()
    152. 

  152. 								);
    153. 

  153. 		
    154. 

  154. 

  155. 		// Set SESSION data as GUEST until proven otherwise
    156. 

  156. 				
    157. 

  157. 		$this->sdata = array(
    158. 

  158. 								'session_id' 	=>  0,
    159. 

  159. 								'member_id'  	=>  0,
    160. 

  160. 								'admin_sess' 	=>  0,
    161. 

  161. 								'ip_address' 	=>  $this->EE->input->ip_address(),
    162. 

  162. 								'user_agent' 	=>  substr($this->EE->input->user_agent(), 0, 50),
    163. 

  163. 								'last_activity'	=>  0
    164. 

  164. 							);
    165. 

  165. 							
    166. 

  166. 		// -------------------------------------------
    167. 

  167. 		// 'sessions_start' hook.
    168. 

  168. 		//  - Reset any session class variable
    169. 

  169. 		//  - Override the whole session check
    170. 

  170. 		//  - Modify default/guest settings
    171. 

  171. 		//
    172. 

  172. 			$edata = $this->EE->extensions->universal_call('sessions_start', $this);
    173. 

  173. 			if ($this->EE->extensions->end_script === TRUE) return;
    174. 

  174. 		//
    175. 

  175. 		// -------------------------------------------
    176. 

  176. 							
    177. 

  177. 		/** --------------------------------------
    178. 

  178. 		/**  Fetch the Session ID
    179. 

  179. 		/** --------------------------------------*/
    180. 

  180. 		
    181. 

  181. 		// A session ID can either come from a cookie or GET data
    182. 

  182. 		
    183. 

  183. 		if ( ! $this->EE->input->cookie($this->c_session))
    184. 

  184. 		{ 
    185. 

  185. 			if ( ! $this->EE->input->get('S'))
    186. 

  186. 			{
    187. 

  187. 				// If session IDs are being used in public pages the session will be found here
    188. 

  188. 			
    189. 

  189. 				if ($this->EE->input->SID != '')
    190. 

  190. 				{
    191. 

  191. 					$this->sdata['session_id'] = $this->EE->input->SID;				
    192. 

  192. 				}
    193. 

  193. 			}
    194. 

  194. 			else
    195. 

  195. 			{
    196. 

  196. 				$this->sdata['session_id'] = $this->EE->input->get('S');
    197. 

  197. 			}
    198. 

  198. 		}
    199. 

  199. 		else
    200. 

  200. 		{
    201. 

  201. 			$this->sdata['session_id'] = $this->EE->input->cookie($this->c_session);
    202. 

  202. 		}
    203. 

  203. 		
    204. 

  204. 		/** --------------------------------------
    205. 

  205. 		/**  Fetch password and unique_id cookies
    206. 

  206. 		/** --------------------------------------*/
    207. 

  207. 				
    208. 

  208. 		if ($this->EE->input->cookie($this->c_uniqueid)  AND  $this->EE->input->cookie($this->c_password))
    209. 

  209. 		{
    210. 

  210. 			$this->cookies_exist = TRUE;
    211. 

  211. 		}
    212. 

  212. 		
    213. 

  213. 		/** --------------------------------------
    214. 

  214. 		/**  Set the Validation Type
    215. 

  215. 		/** --------------------------------------*/
    216. 

  216. 		if (REQ == 'CP')
    217. 

  217. 		{
    218. 

  218. 			$this->validation = ( ! in_array($this->EE->config->item('admin_session_type'), array('cs', 'c', 's'))) ? 'cs' : $this->EE->config->item('admin_session_type');
    219. 

  219. 		}
    220. 

  220. 		else
    221. 

  221. 		{
    222. 

  222. 			$this->validation = ( ! in_array($this->EE->config->item('user_session_type'), array('cs', 'c', 's'))) ? 'cs' : $this->EE->config->item('user_session_type');
    223. 

  223. 		}
    224. 

  224. 				
    225. 

  225. 		/** --------------------------------------
    226. 

  226. 		/**  Do session IDs exist?
    227. 

  227. 		/** --------------------------------------*/
    228. 

  228. 		
    229. 

  229. 		switch ($this->validation)
    230. 

  230. 		{
    231. 

  231. 			case 'cs'	: $session_id = ($this->sdata['session_id'] != '0' AND $this->cookies_exist == TRUE) ? TRUE : FALSE;
    232. 

  232. 				break;
    233. 

  233. 			case 'c'	: $session_id = ($this->cookies_exist) ? TRUE : FALSE;
    234. 

  234. 				break;
    235. 

  235. 			case 's'	: $session_id = ($this->sdata['session_id'] != '0') ? TRUE : FALSE;
    236. 

  236. 				break;
    237. 

  237. 		}
    238. 

  238. 		
    239. 

  239. 		/** --------------------------------------
    240. 

  240. 		/**  Fetch Session Data
    241. 

  241. 		/** --------------------------------------*/
    242. 

  242. 		
    243. 

  243. 		// IMPORTANT: The session data must be fetched before the member data so don't move this.
    244. 

  244. 

  245. 		if ($session_id  === TRUE)
    246. 

  246. 		{
    247. 

  247. 			if ($this->fetch_session_data() === TRUE) 
    248. 

  248. 			{
    249. 

  249. 				$this->session_exists = TRUE;
    250. 

  250. 			}
    251. 

  251. 		}
    252. 

  252. 

  253. 		/** --------------------------------------
    254. 

  254. 		/**  Fetch Member Data
    255. 

  255. 		/** --------------------------------------*/
    256. 

  256. 		$member_data_exists = ($this->fetch_member_data() === TRUE) ? TRUE : FALSE;
    257. 

  257. 

  258. 		/** --------------------------------------
    259. 

  259. 		/**  Update/Create Session
    260. 

  260. 		/** --------------------------------------*/
    261. 

  261. 						
    262. 

  262. 		if ($session_id === FALSE OR $member_data_exists === FALSE)
    263. 

  263. 		{ 
    264. 

  264. 			$this->fetch_guest_data();
    265. 

  265. 		}
    266. 

  266. 		else
    267. 

  267. 		{
    268. 

  268. 			if ($this->session_exists === TRUE)
    269. 

  269. 			{
    270. 

  270. 				$this->update_session();
    271. 

  271. 			}
    272. 

  272. 			else
    273. 

  273. 			{
    274. 

  274. 				if ($this->validation == 'c')
    275. 

  275. 				{
    276. 

  276. 					$this->create_new_session($this->userdata['member_id']);
    277. 

  277. 				}
    278. 

  278. 				else
    279. 

  279. 				{
    280. 

  280. 					$this->fetch_guest_data();
    281. 

  281. 				}
    282. 

  282. 			}
    283. 

  283. 		}
    284. 

  284. 		
    285. 

  285. 		/** --------------------------------------
    286. 

  286. 		/**  Update cookies
    287. 

  287. 		/** --------------------------------------*/
    288. 

  288. 		
    289. 

  289. 		$this->update_cookies();
    290. 

  290. 		$this->_prep_flashdata();
    291. 

  291. 		
    292. 

  292. 		// Fetch "tracker" cookie
    293. 

  293. 		
    294. 

  294. 		if (REQ != 'CP')
    295. 

  295. 		{					 
    296. 

  296. 			$this->tracker = $this->tracker();
    297. 

  297. 		}
    298. 

  298. 		
    299. 

  299. 		/** --------------------------------------
    300. 

  300. 		/**  Kill old sessions
    301. 

  301. 		/** --------------------------------------*/
    302. 

  302. 		$this->delete_old_sessions(); 
    303. 

  303. 		
    304. 

  304. 		/** --------------------------------------
    305. 

  305. 		/**  Merge Session and User Data Arrays
    306. 

  306. 		/** --------------------------------------*/
    307. 

  307. 		
    308. 

  308. 		// We merge these into into one array for portability
    309. 

  309. 	
    310. 

  310. 		$this->userdata = array_merge($this->userdata, $this->sdata);
    311. 

  311. 		
    312. 

  312. 		// -------------------------------------------
    313. 

  313. 		// 'sessions_end' hook.
    314. 

  314. 		//  - Modify the user's session/member data.
    315. 

  315. 		//  - Additional Session or Login methods (ex: log in to other system)
    316. 

  316. 		//
    317. 

  317. 			$edata = $this->EE->extensions->universal_call('sessions_end', $this);
    318. 

  318. 			if ($this->EE->extensions->end_script === TRUE) return;
    319. 

  319. 		//
    320. 

  320. 		// -------------------------------------------
    321. 

  321. 		
    322. 

  322. 		// Garbage collection
    323. 

  323. 		
    324. 

  324. 		unset($this->sdata);
    325. 

  325. 		unset($session_id);
    326. 

  326. 		unset($ban_status);
    327. 

  327. 		unset($member_data_exists);
    328. 

  328. 	}
    329. 

  329. 

  330. 	// --------------------------------------------------------------------				
    331. 

  331. 		 
    332. 

  332. 	/**
    333. 

  333. 	 * Fetch session data
    334. 

  334. 	 *
    335. 

  335. 	 * @return 	boolean
    336. 

  336. 	 */
    337. 

  337. 	function fetch_session_data()
    338. 

  338. 	{
    339. 

  339. 		// Look for session.  Match the user's IP address and browser for added security.
    340. 

  340. 		$this->EE->db->select('member_id, admin_sess, last_activity');
    341. 

  341. 		$this->EE->db->where('session_id', $this->sdata['session_id']);
    342. 

  342. 		$this->EE->db->where('ip_address', $this->sdata['ip_address']);
    343. 

  343. 		$this->EE->db->where('user_agent', $this->sdata['user_agent']);
    344. 

  344. 

  345. 		if (REQ != 'CP') // Each 'Site' has own Sessions
    346. 

  346. 		{
    347. 

  347. 			$this->EE->db->where('site_id', $this->EE->config->item('site_id'));
    348. 

  348. 		}
    349. 

  349. 		
    350. 

  350. 		$query = $this->EE->db->get('sessions');
    351. 

  351. 		
    352. 

  352. 		if ($query->num_rows() == 0 OR $query->row('member_id')  == 0)
    353. 

  353. 		{
    354. 

  354. 			$this->initialize_session();
    355. 

  355. 		
    356. 

  356. 			return FALSE;				
    357. 

  357. 		}
    358. 

  358. 		
    359. 

  359. 		// Assign member ID to session array
    360. 

  360. 		$this->sdata['member_id'] = $query->row('member_id') ;
    361. 

  361. 		
    362. 

  362. 		// Is this an admin session?		
    363. 

  363. 		$this->sdata['admin_sess'] 	= ($query->row('admin_sess')  == 1) ? 1 : 0;
    364. 

  364. 		
    365. 

  365. 		// Log last activity
    366. 

  366. 		$this->sdata['last_activity'] = $query->row('last_activity') ;
    367. 

  367. 		
    368. 

  368. 		// If session has expired, delete it and set session data to GUEST
    369. 

  369. 		if ($this->validation != 'c')
    370. 

  370. 		{
    371. 

  371. 			if ($query->row('last_activity')  < ($this->EE->localize->now - $this->session_length))
    372. 

  372. 			{
    373. 

  373. 				$this->EE->db->delete('sessions', array(
    374. 

  374. 							'session_id' => $this->sdata['session_id']));
    375. 

  375. 				
    376. 

  376. 				$this->initialize_session();
    377. 

  377. 				
    378. 

  378. 				return FALSE;
    379. 

  379. 			}
    380. 

  380. 		}
    381. 

  381. 			
    382. 

  382. 		return TRUE;		
    383. 

  383. 	}
    384. 

  384. 

  385. 	// --------------------------------------------------------------------	
    386. 

  386. 	
    387. 

  387. 	/**
    388. 

  388. 	 * Fetch guest data
    389. 

  389. 	 */
    390. 

  390. 	function fetch_guest_data()
    391. 

  391. 	{
    392. 

  392. 		$this->EE->db->where('site_id', $this->EE->config->item('site_id'));
    393. 

  393. 		$this->EE->db->where('group_id', '3');
    394. 

  394. 		$query = $this->EE->db->get('member_groups');
    395. 

  395. 			
    396. 

  396. 		foreach ($query->row_array() as $key => $val)
    397. 

  397. 		{			
    398. 

  398. 			$this->userdata[$key] = $val;				 
    399. 

  399. 		}
    400. 

  400. 

  401. 		$this->userdata['total_comments']		= 0;				 
    402. 

  402. 		$this->userdata['total_entries']		= 0;	 
    403. 

  403. 		$this->userdata['private_messages']		= 0;
    404. 

  404. 		$this->userdata['total_forum_posts']	= 0;
    405. 

  405. 		$this->userdata['total_forum_topics']	= 0;
    406. 

  406. 		$this->userdata['total_forum_replies']	= 0;
    407. 

  407. 		$this->userdata['display_signatures']	= 'y';	  
    408. 

  408. 		$this->userdata['display_avatars']		= 'y'; 
    409. 

  409. 		$this->userdata['display_photos']		= 'y'; 
    410. 

  410. 		$this->userdata['parse_smileys']		= 'y'; 
    411. 

  411. 

  412. 		// The following cookie info is only used with the forum module.
    413. 

  413. 		// It enables us to track "read topics" with users who are not
    414. 

  414. 		// logged in.
    415. 

  415. 		
    416. 

  416. 		// Cookie expiration:  One year
    417. 

  417. 		$expire = (60*60*24*365);
    418. 

  418. 		
    419. 

  419. 		// Has the user been active before? If not we set the "last_activity" to the current time.
    420. 

  420. 		$this->sdata['last_activity'] = ( ! $this->EE->input->cookie('last_activity')) ? $this->EE->localize->now : $this->EE->input->cookie('last_activity');
    421. 

  421. 		
    422. 

  422. 		// Is the "last_visit" cookie set?  If not, we set the last visit date to ten years ago. 
    423. 

  423. 		// This is a kind of funky thing to do but it enables the forum to show all topics as unread.
    424. 

  424. 		// Since the last_visit stats are only available for logged-in members it doesn't hurt anything to set it this way for guests.
    425. 

  425. 		
    426. 

  426. 		if ( ! $this->EE->input->cookie('last_visit'))
    427. 

  427. 		{
    428. 

  428. 			$this->userdata['last_visit'] = $this->EE->localize->now-($expire*10);
    429. 

  429. 			$this->EE->functions->set_cookie('last_visit', $this->userdata['last_visit'], $expire);		
    430. 

  430. 		}
    431. 

  431. 		else
    432. 

  432. 		{
    433. 

  433. 			$this->userdata['last_visit'] = $this->EE->input->cookie('last_visit');
    434. 

  434. 		}
    435. 

  435. 

  436. 		// If the user has been inactive longer than the session length we'll
    437. 

  437. 		// set the "last_visit" cooke with the "last_activity" date.
    438. 

  438. 				
    439. 

  439. 		if (($this->sdata['last_activity'] + $this->session_length) < $this->EE->localize->now) 
    440. 

  440. 		{
    441. 

  441. 			$this->userdata['last_visit'] = $this->sdata['last_activity'];
    442. 

  442. 			$this->EE->functions->set_cookie('last_visit', $this->userdata['last_visit'], $expire);	
    443. 

  443. 		}
    444. 

  444. 		
    445. 

  445. 		// Update the last activity with each page load
    446. 

  446. 		$this->EE->functions->set_cookie('last_activity', $this->EE->localize->now, $expire);			
    447. 

  447. 	}
    448. 

  448. 

  449. 	// --------------------------------------------------------------------		
    450. 

  450. 

  451. 	/**
    452. 

  452. 	 * Fetch member data
    453. 

  453. 	 */
    454. 

  454. 	function fetch_member_data()
    455. 

  455. 	{
    456. 

  456. 		if ($this->EE->config->item('enable_db_caching') == 'y' AND REQ == 'PAGE')
    457. 

  457. 		{
    458. 

  458. 			$this->EE->db->cache_off();
    459. 

  459. 		}
    460. 

  460. 

  461. 		// Query DB for member data.  Depending on the validation type we'll
    462. 

  462. 		// either use the cookie data or the member ID gathered with the session query.
    463. 

  463. 		$select = 'm.username, m.screen_name, m.member_id, m.email, m.url, m.location, m.join_date, m.last_visit,
    464. 

  464. 		 			m.last_activity, m.total_entries, m.total_comments, m.total_forum_posts, m.total_forum_topics, 
    465. 

  465. 					m.last_forum_post_date, m.language, m.timezone, m.daylight_savings, m.time_format, 
    466. 

  466. 					m.profile_theme, m.forum_theme, m.private_messages, m.accept_messages, m.last_view_bulletins, 
    467. 

  467. 					m.last_bulletin_date, m.display_signatures, m.display_avatars, m.parse_smileys, 
    468. 

  468. 					m.last_email_date, m.notify_by_default, m.ignore_list, m.crypt_key';
    469. 

  469. 		
    470. 

  470. 		if (REQ == 'CP')
    471. 

  471. 		{			
    472. 

  472. 			$select .= ', m.cp_theme, m.quick_links, m.quick_tabs, m.template_size';
    473. 

  473. 		}
    474. 

  474. 		
    475. 

  475. 		$select .= ', g.*';
    476. 

  476. 		
    477. 

  477. 		$this->EE->db->select($select);
    478. 

  478. 		$this->EE->db->from(array('members m', 'member_groups g'));
    479. 

  479. 

  480. 		if ($this->validation == 'c' OR $this->validation == 'cs')
    481. 

  481. 		{
    482. 

  482. 			$this->EE->db->where('g.site_id', $this->EE->config->item('site_id'));
    483. 

  483. 			$this->EE->db->where('unique_id', (string) $this->EE->input->cookie($this->c_uniqueid));
    484. 

  484. 			$this->EE->db->where('password', (string) $this->EE->input->cookie($this->c_password));
    485. 

  485. 			$this->EE->db->where('m.group_id', ' g.group_id', FALSE);
    486. 

  486. 		}
    487. 

  487. 		else
    488. 

  488. 		{
    489. 

  489. 			$this->EE->db->where('g.site_id', $this->EE->config->item('site_id'));
    490. 

  490. 			$this->EE->db->where('member_id', $this->sdata['member_id']);
    491. 

  491. 			$this->EE->db->where('m.group_id', ' g.group_id', FALSE);
    492. 

  492. 		}
    493. 

  493. 

  494. 		$query = $this->EE->db->get();
    495. 

  495. 		
    496. 

  496. 		if ($query->num_rows() == 0)
    497. 

  497. 		{
    498. 

  498. 			$this->initialize_session();
    499. 

  499. 			return FALSE;
    500. 

  500. 		}
    501. 

  501. 		
    502. 

  502. 		// Turn the query rows into array values
    503. 

  503. 

  504. 		foreach ($query->row_array() as $key => $val)
    505. 

  505. 		{
    506. 

  506. 			if ($key != 'crypt_key')
    507. 

  507. 			{
    508. 

  508. 				$this->userdata[$key] = $val;
    509. 

  509. 			}
    510. 

  510. 			else
    511. 

  511. 			{
    512. 

  512. 				// we don't add the session encryption key to userdata, to avoid accidental disclosure
    513. 

  513. 				if ($val == '')
    514. 

  514. 				{
    515. 

  515. 					// not set yet, so let's create one and udpate it for this user
    516. 

  516. 					$this->sess_crypt_key = $this->EE->functions->random('encrypt', 16);
    517. 

  517. 					$this->EE->db->update('members', array('crypt_key' => $this->sess_crypt_key), array('member_id' => $query->row('member_id')));
    518. 

  518. 				}
    519. 

  519. 				else
    520. 

  520. 				{
    521. 

  521. 					$this->sess_crypt_key = $val;
    522. 

  522. 				}
    523. 

  523. 			}
    524. 

  524. 		}
    525. 

  525. 		
    526. 

  526. 		// Create the array for the Ignore List
    527. 

  527. 		$this->userdata['ignore_list'] = ($this->userdata['ignore_list'] == '') ? array() : explode('|', $this->userdata['ignore_list']);
    528. 

  528. 		
    529. 

  529. 		// Fix the values for forum posts and replies
    530. 

  530. 		$this->userdata['total_forum_posts'] = $query->row('total_forum_topics')  + $query->row('total_forum_posts') ;
    531. 

  531. 		$this->userdata['total_forum_replies'] = $query->row('total_forum_posts') ;
    532. 

  532. 		
    533. 

  533. 		$this->userdata['display_photos'] = $this->userdata['display_avatars'];
    534. 

  534. 		
    535. 

  535. 		/** -----------------------------------------------------
    536. 

  536. 		/**  Are users allowed to localize?
    537. 

  537. 		/** -----------------------------------------------------*/
    538. 

  538. 		
    539. 

  539. 		if ($this->EE->config->item('allow_member_localization') == 'n')
    540. 

  540. 		{
    541. 

  541. 			$this->userdata['timezone'] = ($this->EE->config->item('default_site_timezone') && $this->EE->config->item('default_site_timezone') != '') ? $this->EE->config->item('default_site_timezone') : $this->EE->config->item('server_timezone');
    542. 

  542. 			$this->userdata['daylight_savings'] = ($this->EE->config->item('default_site_dst') && $this->EE->config->item('default_site_dst') != '') ? $this->EE->config->item('default_site_dst') : $this->EE->config->item('daylight_savings');
    543. 

  543. 			$this->userdata['time_format'] = ($this->EE->config->item('time_format') && $this->EE->config->item('time_format') != '') ? $this->EE->config->item('time_format') : 'us';
    544. 

  544.  		}
    545. 

  545. 						
    546. 

  546. 		/** -----------------------------------------------------
    547. 

  547. 		/**  Assign Sites, Channel, Template, and Module Access Privs
    548. 

  548. 		/** -----------------------------------------------------*/
    549. 

  549. 							
    550. 

  550. 		if (REQ == 'CP')
    551. 

  551. 		{
    552. 

  552. 			// Fetch channel privileges
    553. 

  553. 			
    554. 

  554. 			$assigned_channels = array();
    555. 

  555. 		 
    556. 

  556. 			if ($this->userdata['group_id'] == 1)
    557. 

  557. 			{
    558. 

  558. 				$this->EE->db->select('channel_id, channel_title');
    559. 

  559. 				$this->EE->db->order_by('channel_title');
    560. 

  560. 				$result = $this->EE->db->get_where('channels', 
    561. 

  561. 												array('site_id' => $this->EE->config->item('site_id')));
    562. 

  562. 			}
    563. 

  563. 			else
    564. 

  564. 			{
    565. 

  565. 				$result = $this->EE->db->query("SELECT ew.channel_id, ew.channel_title FROM exp_channel_member_groups ewmg, exp_channels ew
    566. 

  566. 									  WHERE ew.channel_id = ewmg.channel_id
    567. 

  567. 									  AND ewmg.group_id = '".$this->EE->db->escape_str($this->userdata['group_id'])."'
    568. 

  568. 									  AND site_id = '".$this->EE->db->escape_str($this->EE->config->item('site_id'))."'
    569. 

  569. 									  ORDER BY ew.channel_title");
    570. 

    571. 

  571. 			}
    572. 

  572. 			
    573. 

  573. 			if ($result->num_rows() > 0)
    574. 

  574. 			{
    575. 

  575. 				foreach ($result->result_array() as $row)
    576. 

  576. 				{
    577. 

  577. 					$assigned_channels[$row['channel_id']] = $row['channel_title'];
    578. 

  578. 				}
    579. 

  579. 			}
    580. 

  580. 			
    581. 

  581. 			$this->userdata['assigned_channels'] = $assigned_channels;
    582. 

  582. 

  583. 			// Fetch module privileges
    584. 

  584. 			
    585. 

  585. 			$assigned_modules = array();
    586. 

  586. 			
    587. 

  587. 			$this->EE->db->select('module_id');
    588. 

  588. 			$result = $this->EE->db->get_where('module_member_groups',
    589. 

  589. 												array('group_id' => $this->userdata['group_id']));
    590. 

  590. 			
    591. 

  591. 			if ($result->num_rows() > 0)
    592. 

  592. 			{
    593. 

  593. 				foreach ($result->result_array() as $row)
    594. 

  594. 				{
    595. 

  595. 					$assigned_modules[$row['module_id']] = TRUE;
    596. 

  596. 				}
    597. 

  597. 			}
    598. 

  598. 				
    599. 

  599. 			$this->userdata['assigned_modules'] = $assigned_modules;
    600. 

  600. 			
    601. 

  601. 			
    602. 

  602. 			// Fetch template group privileges
    603. 

  603. 			
    604. 

  604. 			$assigned_template_groups = array();
    605. 

  605. 			
    606. 

  606. 			$this->EE->db->select('template_group_id');
    607. 

  607. 			$result = $this->EE->db->get_where('template_member_groups',
    608. 

  608. 											array('group_id' => $this->userdata['group_id']));
    609. 

  609. 

  610. 			
    611. 

  611. 			if ($result->num_rows() > 0)
    612. 

  612. 			{
    613. 

  613. 				foreach ($result->result_array() as $row)
    614. 

  614. 				{
    615. 

  615. 					$assigned_template_groups[$row['template_group_id']] = TRUE;
    616. 

  616. 				}
    617. 

  617. 			}
    618. 

  618. 				
    619. 

  619. 			$this->userdata['assigned_template_groups'] = $assigned_template_groups;
    620. 

  620. 			
    621. 

  621. 			// Fetch Assigned Sites Available to User
    622. 

  622. 			
    623. 

  623. 			$assigned_sites = array();
    624. 

  624. 			
    625. 

  625. 			if ($this->userdata['group_id'] == 1)
    626. 

  626. 			{
    627. 

  627. 				$this->EE->db->select('site_id, site_label');
    628. 

  628. 				$this->EE->db->order_by('site_label');
    629. 

  629. 				$result = $this->EE->db->get('sites');
    630. 

  630. 			}
    631. 

  631. 			else
    632. 

  632. 			{
    633. 

  633. 				// Those groups that can access the Site's CP, see the site in the 'Sites' pulldown
    634. 

  634. 				$this->EE->db->select('es.site_id, es.site_label');
    635. 

  635. 				$this->EE->db->from(array('sites es', 'member_groups mg'));
    636. 

  636. 				$this->EE->db->where('mg.site_id', ' es.site_id', FALSE);
    637. 

  637. 				$this->EE->db->where('mg.group_id', $this->userdata['group_id']);
    638. 

  638. 				$this->EE->db->where('mg.can_access_cp', 'y');
    639. 

  639. 				$this->EE->db->order_by('es.site_label');
    640. 

  640. 

  641. 				$result = $this->EE->db->get();
    642. 

  642. 			}
    643. 

  643. 			
    644. 

  644. 			if ($result->num_rows() > 0)
    645. 

  645. 			{
    646. 

  646. 				foreach ($result->result_array() as $row)
    647. 

  647. 				{
    648. 

  648. 					$assigned_sites[$row['site_id']] = $row['site_label'];
    649. 

  649. 				}
    650. 

  650. 			}
    651. 

  651. 			
    652. 

  652. 			$this->userdata['assigned_sites'] = $assigned_sites;
    653. 

  653. 		}
    654. 

  654. 		
    655. 

  655. 		
    656. 

  656. 		// Does the member have admin privileges?
    657. 

  657. 		
    658. 

  658. 		if ($query->row('can_access_cp')  == 'y')
    659. 

  659. 		{
    660. 

  660. 			$this->access_cp = TRUE;
    661. 

  661. 		}
    662. 

  662. 		else
    663. 

  663. 		{
    664. 

  664. 			$this->sdata['admin_sess'] = 0; 
    665. 

  665. 		}
    666. 

  666. 		
    667. 

  667. 		// Update the session array with the member_id
    668. 

  668. 		
    669. 

  669. 		if ($this->validation == 'c')
    670. 

  670. 		{
    671. 

  671. 			$this->sdata['member_id'] = $query->row('member_id') ;  
    672. 

  672. 		}
    673. 

  673. 			 
    674. 

  674. 		// If the user has been inactive for longer than the session length
    675. 

  675. 		// we'll update their last_visit item so that it contains the last_activity
    676. 

  676. 		// date.  That way, we can show the exact time they were last visitng the site.
    677. 

  677. 

  678. 		if (($this->userdata['last_visit'] == 0) OR
    679. 

  679. 			(($query->row('last_activity')  + $this->session_length) < $this->EE->localize->now))
    680. 

  680. 		{	
    681. 

  681. 			$last_act = ($query->row('last_activity')  > 0) ? $query->row('last_activity')  : $this->EE->localize->now;
    682. 

  682. 		
    683. 

  683. 			$this->EE->db->where('member_id', $this->sdata['member_id']);
    684. 

  684. 			$this->EE->db->update('members', array('last_visit' 	=> $last_act,
    685. 

  685. 													'last_activity' => $this->EE->localize->now));
    686. 

  686. 		
    687. 

  687. 			$this->userdata['last_visit'] = $query->row('last_activity') ;
    688. 

  688. 		}		
    689. 

  689. 						
    690. 

  690. 		// Update member 'last activity' date field for this member.
    691. 

  691. 		// We update this ever 5 minutes.  It's used with the session table
    692. 

  692. 		// so we can update sessions
    693. 

  693. 		
    694. 

  694. 		if (($query->row('last_activity')  + 300) < $this->EE->localize->now)	 
    695. 

  695. 		{
    696. 

  696. 			$this->EE->db->where('member_id', $this->sdata['member_id']);
    697. 

  697. 			$this->EE->db->update('members', array('last_activity' => $this->EE->localize->now));
    698. 

  698. 		}		
    699. 

  699. 

  700. 		if ($this->EE->config->item('enable_db_caching') == 'y' AND REQ == 'PAGE')
    701. 

  701. 		{
    702. 

  702. 			$this->EE->db->cache_on();
    703. 

  703. 		}
    704. 

  704. 

  705. 		return TRUE;  
    706. 

  706. 	}
    707. 

  707. 

  708. 	// --------------------------------------------------------------------
    709. 

  709. 

  710. 	/**
    711. 

  711. 	 * Update Member session
    712. 

  712. 	 */
    713. 

  713. 	function update_session()
    714. 

  714. 	{
    715. 

  715. 		$this->sdata['last_activity'] = $this->EE->localize->now;
    716. 

  716. 		
    717. 

  717. 		$this->EE->db->query($this->EE->db->update_string('exp_sessions', $this->sdata, "session_id ='".$this->EE->db->escape_str($this->sdata['session_id'])."'")); 
    718. 

  718. 

  719. 		// Update session ID cookie
    720. 

  720. 		
    721. 

  721. 		if ($this->validation == 'cs')
    722. 

  722. 		{
    723. 

  723. 			$this->EE->functions->set_cookie($this->c_session , $this->sdata['session_id'],  $this->session_length);	
    724. 

  724. 		}
    725. 

  725. 			
    726. 

  726. 		// If we only require cookies for validation, set admin session.	
    727. 

  727. 			
    728. 

  728. 		if ($this->validation == 'c'  AND  $this->access_cp == TRUE)
    729. 

  729. 		{			
    730. 

  730. 			$this->sdata['admin_sess'] = 1;
    731. 

  731. 		}	
    732. 

  732. 		
    733. 

  733. 			// We'll unset the "last activity" item from the session data array.
    734. 

  734. 			// We do this to avoid a conflict with the "last_activity" item in the
    735. 

  735. 			// userdata array since we'll be merging the two arrays in a later step
    736. 

  736. 		
    737. 

  737. 		unset($this->sdata['last_activity']);
    738. 

  738. 	}  
    739. 

  739. 

  740. 	// --------------------------------------------------------------------
    741. 

  741. 	
    742. 

  742. 	/**
    743. 

  743. 	 * Create New Session
    744. 

  744. 	 */
    745. 

  745. 	function create_new_session($member_id, $admin_session = FALSE)
    746. 

  746. 	{
    747. 

  747. 		if ($this->validation == 'c' AND $this->access_cp == TRUE)
    748. 

  748. 		{
    749. 

  749. 			$this->sdata['admin_sess'] = 1;
    750. 

  750. 		}
    751. 

  751. 		else
    752. 

  752. 		{
    753. 

  753. 			$this->sdata['admin_sess'] 	= ($admin_session == FALSE) ? 0 : 1;  
    754. 

  754. 		}
    755. 

  755. 				
    756. 

  756. 		$this->sdata['session_id'] 		= $this->EE->functions->random();  
    757. 

  757. 		$this->sdata['last_activity']	= $this->EE->localize->now;  
    758. 

  758. 		$this->sdata['user_agent']		= substr($this->EE->input->user_agent(), 0, 50);
    759. 

  759. 		$this->sdata['ip_address']  	= $this->EE->input->ip_address();  
    760. 

  760. 		$this->sdata['member_id']  		= $member_id; 
    761. 

  761. 		$this->sdata['site_id']  		= $this->EE->config->item('site_id'); 
    762. 

  762. 		$this->userdata['member_id']	= $member_id;  
    763. 

  763. 		$this->userdata['session_id']	= $this->sdata['session_id'];
    764. 

  764. 		$this->userdata['site_id']		= $this->EE->config->item('site_id');
    765. 

  765. 		
    766. 

  766. 		if ($this->validation != 's')
    767. 

  767. 		{
    768. 

  768. 			$this->EE->functions->set_cookie($this->c_session , $this->sdata['session_id'], $this->session_length);	
    769. 

  769. 		}
    770. 

  770. 					
    771. 

  771. 		$this->EE->db->query($this->EE->db->insert_string('exp_sessions', $this->sdata));	
    772. 

  772. 		
    773. 

  773. 		return $this->sdata['session_id'];
    774. 

  774. 	}  
    775. 

  775. 

  776. 	// -------------------------------------------------------------------- 
    777. 

  777. 	
    778. 

  778. 	/**
    779. 

  779. 	 * Reset session data as GUEST
    780. 

  780. 	 */
    781. 

  781. 	function initialize_session()
    782. 

  782. 	{  
    783. 

  783. 		$this->sdata['session_id'] = 0;	
    784. 

  784. 		$this->sdata['admin_sess'] = 0;
    785. 

  785. 		$this->sdata['member_id']  = 0;
    786. 

  786. 	}
    787. 

  787. 	
    788. 

  788. 	// -------------------------------------------------------------------- 
    789. 

  789. 	
    790. 

  790. 	/**
    791. 

  791. 	 * Update Cookies
    792. 

  792. 	 */  
    793. 

  793. 	function update_cookies()
    794. 

  794. 	{
    795. 

  795. 		if ($this->cookies_exist == TRUE AND $this->EE->input->cookie($this->c_expire))
    796. 

  796. 		{
    797. 

  797. 			$now 	= time() + 300;
    798. 

  798. 			$expire = 60*60*24*365;
    799. 

  799. 			
    800. 

  800. 			if ($this->EE->input->cookie($this->c_expire) > $now)
    801. 

  801. 			{ 
    802. 

  802. 				$this->EE->functions->set_cookie($this->c_expire , time()+$expire, $expire);
    803. 

  803. 				$this->EE->functions->set_cookie($this->c_uniqueid , $this->EE->input->cookie($this->c_uniqueid), $expire);		
    804. 

  804. 				$this->EE->functions->set_cookie($this->c_password , $this->EE->input->cookie($this->c_password), $expire); 		
    805. 

  805. 

  806. 			}
    807. 

  807. 		}
    808. 

  808. 	}
    809. 

  809. 	
    810. 

  810. 	// --------------------------------------------------------------------
    811. 

  811. 	
    812. 

  812. 	/**
    813. 

  813. 	 * Fetch a session item
    814. 

  814. 	 */	
    815. 

  815. 	function userdata($which)
    816. 

  816. 	{  
    817. 

  817. 		return ( ! isset($this->userdata[$which])) ? FALSE : $this->userdata[$which];
    818. 

  818. 	}
    819. 

  819. 

  820. 	// --------------------------------------------------------------------		 
    821. 

  821. 

  822. 	/**
    823. 

  823. 	 * Tracker
    824. 

  824. 	 *
    825. 

  825. 	 * This functions lets us store the visitor's last five pages viewed
    826. 

  826. 	 * in a cookie.  We use this to facilitate redirection after logging-in,
    827. 

  827. 	 * or other form submissions
    828. 

  828. 	 */
    829. 

  829. 	function tracker()
    830. 

  830. 	{	
    831. 

  831. 		$tracker = $this->EE->input->cookie('tracker');
    832. 

  832. 

  833. 		if ($tracker != FALSE)
    834. 

  834. 		{
    835. 

  835. 			if (preg_match("#(http:\/\/|https:\/\/|www\.|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})#i", $tracker))
    836. 

  836. 			{
    837. 

  837. 				return array();
    838. 

  838. 			}
    839. 

  839. 				
    840. 

  840. 			if (stristr($tracker, ':') !== FALSE)
    841. 

  841. 			{
    842. 

  842. 				$tracker_parts = explode(':', $tracker);
    843. 

  843. 				
    844. 

  844. 				if (current($tracker_parts) != 'a' OR count($tracker_parts) < 3 OR ! is_numeric(next($tracker_parts)))
    845. 

  845. 				{
    846. 

  846. 					return array();
    847. 

  847. 				}
    848. 

  848. 			}
    849. 

  849. 			
    850. 

  850. 			$tracker = unserialize(stripslashes($tracker));
    851. 

  851. 		}
    852. 

  852. 		
    853. 

  853. 		if ( ! is_array($tracker))
    854. 

  854. 		{
    855. 

  855. 			$tracker = array();
    856. 

  856. 		}
    857. 

  857. 				
    858. 

  858. 		$URI = ($this->EE->uri->uri_string == '') ? 'index' : $this->EE->uri->uri_string;
    859. 

  859. 		
    860. 

  860. 		$URI = str_replace("\\", "/", $URI); 
    861. 

  861. 		
    862. 

  862. 		// If someone is messing with the URI we won't set the cookie
    863. 

  863. 	
    864. 

  864. 		if ( ! isset($_GET['ACT']) && preg_match('/[^a-z0-9\%\_\/\-]/i', $URI))
    865. 

  865. 		{
    866. 

  866. 			return array();
    867. 

  867. 		}
    868. 

  868. 		
    869. 

  869. 		if ( ! isset($_GET['ACT']))
    870. 

  870. 		{
    871. 

  871. 			if ( ! isset($tracker['0']))
    872. 

  872. 			{
    873. 

  873. 				$tracker[] = $URI;
    874. 

  874. 			}
    875. 

  875. 			else
    876. 

  876. 			{
    877. 

  877. 				if (count($tracker) == 5)
    878. 

  878. 				{
    879. 

  879. 					array_pop($tracker);
    880. 

  880. 				}
    881. 

  881. 

  882. 				if ($tracker['0'] != $URI)
    883. 

  883. 				{
    884. 

  884. 					array_unshift($tracker, $URI);
    885. 

  885. 				}
    886. 

  886. 			}
    887. 

  887. 		}
    888. 

  888. 		
    889. 

  889. 		if (REQ == 'PAGE')
    890. 

  890. 		{		
    891. 

  891. 			$this->EE->functions->set_cookie('tracker', serialize($tracker), '0'); 
    892. 

  892. 		}
    893. 

  893. 		
    894. 

  894. 		return $tracker;
    895. 

  895. 	}
    896. 

  896. 

  897. 	// --------------------------------------------------------------------
    898. 

  898. 

  899. 	/**
    900. 

  900. 	 * Get flashdata by key
    901. 

  901. 	 *
    902. 

  902. 	 * @access	private
    903. 

  903. 	 * @param	string
    904. 

  904. 	 * @return	mixed
    905. 

  905. 	 */
    906. 

  906. 	function flashdata($key = '')
    907. 

  907. 	{
    908. 

  908. 		return isset($this->flashdata[$key]) ? $this->flashdata[$key] : FALSE;
    909. 

  909. 	}
    910. 

  910. 	
    911. 

  911. 	// --------------------------------------------------------------------
    912. 

  912. 

  913. 	/**
    914. 

  914. 	 * Set flashdata
    915. 

  915. 	 *
    916. 

  916. 	 * @access	private
    917. 

  917. 	 * @param	mixed
    918. 

  918. 	 * @return	mixed
    919. 

  919. 	 */
    920. 

  920. 	function set_flashdata($key, $val = '')
    921. 

  921. 	{
    922. 

  922. 		if ( ! is_array($key))
    923. 

  923. 		{
    924. 

  924. 			$key = array($key => $val);
    925. 

  925. 		}
    926. 

  926. 		
    927. 

  927. 		foreach($key as $k => $v)
    928. 

  928. 		{
    929. 

  929. 			$this->flashdata[':new:'.$k] = $v;
    930. 

  930. 		}
    931. 

  931. 

  932. 		$this->_set_flash_cookie();
    933. 

  933. 	}
    934. 

  934. 	
    935. 

  935. 	// --------------------------------------------------------------------
    936. 

  936. 

  937. 	/**
    938. 

  938. 	 * Prep flashdata
    939. 

  939. 	 *
    940. 

  940. 	 * Grabs the cookie and validates the signature
    941. 

  941. 	 *
    942. 

  942. 	 * @access	private
    943. 

  943. 	 * @return	void
    944. 

  944. 	 */
    945. 

  945. 	function _prep_flashdata()
    946. 

  946. 	{		
    947. 

  947. 		if ($cookie = $this->EE->input->cookie('flash'))
    948. 

  948. 		{
    949. 

  949. 			if (strlen($cookie) > 32)
    950. 

  950. 			{
    951. 

  951. 				$signature = substr($cookie, -32);
    952. 

  952. 				$payload = substr($cookie, 0, -32);
    953. 

  953. 

  954. 				if (md5($payload.$this->sess_crypt_key) == $signature)
    955. 

  955. 				{
    956. 

  956. 					$this->flashdata = unserialize(stripslashes($payload));
    957. 

  957. 					$this->_age_flashdata();
    958. 

  958. 					
    959. 

  959. 					return;
    960. 

  960. 				}
    961. 

  961. 			}
    962. 

  962. 		}
    963. 

  963. 		
    964. 

  964. 		$this->flashdata = array();
    965. 

  965. 	}
    966. 

  966. 	
    967. 

  967. 	// --------------------------------------------------------------------
    968. 

  968. 

  969. 	/**
    970. 

  970. 	 * Age flashdata
    971. 

  971. 	 * 
    972. 

  972. 	 * Removes old, marks current as old, etc
    973. 

  973. 	 *
    974. 

  974. 	 * @access	private
    975. 

  975. 	 * @return	void
    976. 

  976. 	 */
    977. 

  977. 	function _age_flashdata()
    978. 

  978. 	{
    979. 

  979. 		foreach($this->flashdata as $key => $val)
    980. 

  980. 		{
    981. 

  981. 			if (strpos($key, ':old:') !== 0)
    982. 

  982. 			{
    983. 

  983. 				if (strpos($key, ':new:') === 0)
    984. 

  984. 				{
    985. 

  985. 					$this->flashdata[substr($key, 5)] = $val;
    986. 

  986. 				}
    987. 

  987. 				else
    988. 

  988. 				{
    989. 

  989. 					$this->flashdata[':old:'.$key] = $val;
    990. 

  990. 				}
    991. 

  991. 			}
    992. 

  992. 			
    993. 

  993. 			unset($this->flashdata[$key]);
    994. 

  994. 		}
    995. 

  995. 		
    996. 

  996. 		$this->_set_flash_cookie();
    997. 

  997. 	}
    998. 

  998. 	
    999. 

  999. 	// --------------------------------------------------------------------
    1000. 

  1000. 

  1001. 	/**
    1002. 

  1002. 	 * Set signed flashdata cookie
    1003. 

  1003. 	 *
    1004. 

  1004. 	 * @access	private
    1005. 

  1005. 	 * @return	void
    1006. 

  1006. 	 */
    1007. 

  1007. 	function _set_flash_cookie()
    1008. 

  1008. 	{
    1009. 

  1009. 		// Don't want to hash the crypt key by itself
    1010. 

  1010. 		$payload = '';
    1011. 

  1011. 

  1012. 		if (count($this->flashdata) > 0)
    1013. 

  1013. 		{
    1014. 

  1014. 			$payload = serialize($this->flashdata);
    1015. 

  1015. 			$payload = $payload.md5($payload.$this->sess_crypt_key);
    1016. 

  1016. 		}
    1017. 

  1017. 

  1018. 		$this->EE->functions->set_cookie('flash' , $payload, 86500);
    1019. 

  1019. 	}
    1020. 

  1020. 

  1021. 	// --------------------------------------------------------------------	
    1022. 

  1022. 	
    1023. 

  1023. 	/**
    1024. 

  1024. 	 * Check for banned data
    1025. 

  1025. 	 */  
    1026. 

  1026. 	function ban_check($type = 'ip', $match = '')
    1027. 

  1027. 	{
    1028. 

  1028. 		switch ($type)
    1029. 

  1029. 		{
    1030. 

  1030. 			case 'ip'			: $ban = $this->EE->config->item('banned_ips');
    1031. 

  1031. 								  $match = $this->EE->input->ip_address();
    1032. 

  1032. 				break;
    1033. 

  1033. 			case 'email'		: $ban = $this->EE->config->item('banned_emails');
    1034. 

  1034. 				break;
    1035. 

  1035. 			case 'username'		: $ban = $this->EE->config->item('banned_usernames');
    1036. 

  1036. 				break;
    1037. 

  1037. 			case 'screen_name'	: $ban = $this->EE->config->item('banned_screen_names');
    1038. 

  1038. 				break;
    1039. 

  1039. 		}
    1040. 

  1040. 		
    1041. 

  1041. 		if ($ban == '')
    1042. 

  1042. 		{
    1043. 

  1043. 			return FALSE;
    1044. 

  1044. 		}
    1045. 

  1045. 		
    1046. 

  1046. 		foreach (explode('|', $ban) as $val)
    1047. 

  1047. 		{
    1048. 

  1048. 			if ($val == '*') continue;
    1049. 

  1049. 			
    1050. 

  1050. 			if (substr($val, -1 == '*'))
    1051. 

  1051. 			{
    1052. 

  1052. 				$val = str_replace('*', '', $val);
    1053. 

  1053. 				
    1054. 

  1054. 				if (strncmp($match, $val, strlen($val)) == 0)
    1055. 

  1055. 				{
    1056. 

  1056. 					return TRUE;
    1057. 

  1057. 				}
    1058. 

  1058. 			}
    1059. 

  1059. 			elseif (strncmp($val, '*', 1) == 0)
    1060. 

  1060. 			{ 
    1061. 

  1061. 				$val = str_replace('*', '', $val);
    1062. 

  1062. 			
    1063. 

  1063. 				if (substr($match, - strlen($val)) == $val)
    1064. 

  1064. 				{
    1065. 

  1065. 					return TRUE;
    1066. 

  1066. 				}
    1067. 

  1067. 			}
    1068. 

  1068. 			elseif ($val == $match)
    1069. 

  1069. 			{
    1070. 

  1070. 				return TRUE;
    1071. 

  1071. 			}
    1072. 

  1072. 		}
    1073. 

  1073. 

  1074. 		return FALSE;
    1075. 

  1075. 	}
    1076. 

  1076. 

  1077. 	// --------------------------------------------------------------------	
    1078. 

  1078. 	
    1079. 

  1079. 	/** 
    1080. 

  1080. 	 * Is the nation banned?
    1081. 

  1081. 	 */
    1082. 

  1082. 	function nation_ban_check($show_error = TRUE)
    1083. 

  1083. 	{
    1084. 

  1084. 		if ($this->EE->config->item('require_ip_for_posting') != 'y' OR $this->EE->config->item('ip2nation') != 'y')
    1085. 

  1085. 		{
    1086. 

  1086. 			return;
    1087. 

  1087. 		}
    1088. 

  1088. 		
    1089. 

  1089. 		$query = $this->EE->db->query("SELECT country FROM exp_ip2nation WHERE ip < INET_ATON('".$this->EE->db->escape_str($this->EE->input->ip_address())."') ORDER BY ip DESC LIMIT 0,1");
    1090. 

  1090. 				
    1091. 

  1091. 		if ($query->num_rows() == 1)
    1092. 

  1092. 		{
    1093. 

  1093. 			$result = $this->EE->db->query("SELECT COUNT(*) AS count FROM exp_ip2nation_countries WHERE code = '".$query->row('country') ."' AND banned = 'y'");
    1094. 

  1094. 			
    1095. 

  1095. 			if ($result->row('count')  > 0)
    1096. 

  1096. 			{
    1097. 

  1097. 				if ($show_error == TRUE)
    1098. 

  1098. 					return $this->EE->output->fatal_error($this->EE->config->item('ban_message'), 0);
    1099. 

  1099. 				else
    1100. 

  1100. 					return FALSE;
    1101. 

  1101. 			}
    1102. 

  1102. 		}
    1103. 

  1103. 	}
    1104. 

  1104. 

  1105. 	// --------------------------------------------------------------------
    1106. 

  1106. 	 
    1107. 

  1107. 	/**
    1108. 

  1108. 	 * Delete old sessions if probability is met
    1109. 

  1109. 	 *
    1110. 

  1110. 	 * By default, the probablility is set to 10 percent.
    1111. 

  1111. 	 * That means sessions will only be deleted one
    1112. 

  1112. 	 * out of ten times a page is loaded.
    1113. 

  1113. 	 */
    1114. 

  1114. 	function delete_old_sessions()
    1115. 

  1115. 	{
    1116. 

  1116. 		$expire = $this->EE->localize->now - $this->session_length;
    1117. 

  1117.   
    1118. 

  1118. 		srand(time());
    1119. 

  1119.   
    1120. 

  1120. 		if ((rand() % 100) < $this->gc_probability) 
    1121. 

  1121. 		{
    1122. 

  1122. 			$this->EE->db->query("DELETE FROM exp_sessions WHERE last_activity < $expire");			 
    1123. 

  1123. 		}	
    1124. 

  1124. 	}
    1125. 

  1125. 

  1126. 	// --------------------------------------------------------------------	
    1127. 

  1127. 	
    1128. 

  1128. 	/**
    1129. 

  1129. 	 * Save password lockout
    1130. 

  1130. 	 */
    1131. 

  1131. 	function save_password_lockout($username = '')
    1132. 

  1132. 	{
    1133. 

  1133. 		if ($this->EE->config->item('password_lockout') == 'n')
    1134. 

  1134. 		{
    1135. 

  1135. 		 	return; 
    1136. 

  1136. 		} 
    1137. 

  1137. 

  1138. 		$data = array(
    1139. 

  1139. 						'login_date'	=> time(),
    1140. 

  1140. 						'ip_address'	=> $this->EE->input->ip_address(),
    1141. 

  1141. 						'user_agent'	=> $this->userdata['user_agent'],
    1142. 

  1142. 						'username'		=> $username
    1143. 

  1143. 					);
    1144. 

  1144. 					
    1145. 

  1145. 		$this->EE->db->insert('password_lockout', $data);
    1146. 

  1146. 	}
    1147. 

  1147. 

  1148. 	// --------------------------------------------------------------------		
    1149. 

  1149. 

  1150. 	/**
    1151. 

  1151. 	 * Check password lockout
    1152. 

  1152. 	 */
    1153. 

  1153. 	function check_password_lockout($username = '')
    1154. 

  1154. 	{
    1155. 

  1155. 		if ($this->EE->config->item('password_lockout') == 'n')
    1156. 

  1156. 		{
    1157. 

  1157. 		 	return FALSE; 
    1158. 

  1158. 		} 
    1159. 

  1159. 		
    1160. 

  1160. 		if ($this->EE->config->item('password_lockout_interval') == '')
    1161. 

  1161. 		{
    1162. 

  1162. 		 	return FALSE; 
    1163. 

  1163. 		}
    1164. 

  1164. 		
    1165. 

  1165. 		$interval = $this->EE->config->item('password_lockout_interval') * 60;
    1166. 

  1166. 		
    1167. 

  1167. 		$expire = time() - $interval;
    1168. 

  1168. 

  1169.   		$sql = "SELECT count(*) AS count 
    1170. 

  1170.   				FROM exp_password_lockout 
    1171. 

  1171.   				WHERE login_date > $expire 
    1172. 

  1172.   				AND ip_address = '".$this->EE->db->escape_str($this->EE->input->ip_address())."'
    1173. 

  1173.   				AND (user_agent = '".$this->EE->db->escape_str($this->userdata['user_agent'])."'
    1174. 

  1174. 					OR username = '".$this->EE->db->escape_str($username)."'
    1175. 

  1175. 					)";
    1176. 

  1176.   
    1177. 

  1177. 		$query = $this->EE->db->query($sql);
    1178. 

  1178. 		
    1179. 

  1179. 		if ($query->row('count')  >= 4)
    1180. 

  1180. 		{
    1181. 

  1181. 			return TRUE;
    1182. 

  1182. 		}
    1183. 

  1183. 		else
    1184. 

  1184. 		{
    1185. 

  1185. 			return FALSE;
    1186. 

  1186. 		}
    1187. 

  1187. 	}
    1188. 

  1188. 

  1189. 	// --------------------------------------------------------------------		
    1190. 

  1190. 	
    1191. 

  1191. 	/**
    1192. 

  1192. 	 * Delete old password lockout data
    1193. 

  1193. 	 */		
    1194. 

  1194. 	function delete_password_lockout()
    1195. 

  1195. 	{
    1196. 

  1196. 		if ($this->EE->config->item('password_lockout') == 'n')
    1197. 

  1197. 		{
    1198. 

  1198. 		 	return FALSE; 
    1199. 

  1199. 		} 
    1200. 

  1200. 				
    1201. 

  1201. 		$interval = $this->EE->config->item('password_lockout_interval') * 60;
    1202. 

  1202. 		
    1203. 

  1203. 		$expire = time() - $interval;
    1204. 

  1204.   
    1205. 

  1205. 		srand(time());
    1206. 

  1206.   
    1207. 

  1207. 		if ((rand() % 100) < $this->gc_probability) 
    1208. 

  1208. 		{				 
    1209. 

  1209. 			$this->EE->db->query("DELETE FROM exp_password_lockout WHERE login_date < $expire");			 
    1210. 

  1210. 		}	
    1211. 

  1211. 	}
    1212. 

  1212. 

  1213. }
    1214. 

  1214. // END CLASS
    1215. 

  1215. 

  1216. /* End of file Session.php */
    1217. 

  1217. /* Location: ./system/expressionengine/libraries/Session.php */
    1218.