PageRenderTime 48ms CodeModel.GetById 20ms RepoModel.GetById 0ms app.codeStats 0ms

/program/include/rcube_session.php

https://github.com/netconstructor/roundcubemail
PHP | 632 lines | 371 code | 100 blank | 161 comment | 88 complexity | 339e105576ff9ad699d3401c9a6ff262 MD5 | raw file
Possible License(s): GPL-3.0, LGPL-2.1 
    

  1. <?php
    2. 

  2. 

  3. /*
    4. 

  4.  +-----------------------------------------------------------------------+
    5. 

  5.  | program/include/rcube_session.php                                     |
    6. 

  6.  |                                                                       |
    7. 

  7.  | This file is part of the Roundcube Webmail client                     |
    8. 

  8.  | Copyright (C) 2005-2012, The Roundcube Dev Team                       |
    9. 

  9.  | Copyright (C) 2011, Kolab Systems AG                                  |
    10. 

  10.  |                                                                       |
    11. 

  11.  | Licensed under the GNU General Public License version 3 or            |
    12. 

  12.  | any later version with exceptions for skins & plugins.                |
    13. 

  13.  | See the README file for a full license statement.                     |
    14. 

  14.  |                                                                       |
    15. 

  15.  | PURPOSE:                                                              |
    16. 

  16.  |   Provide database supported session management                       |
    17. 

  17.  |                                                                       |
    18. 

  18.  +-----------------------------------------------------------------------+
    19. 

  19.  | Author: Thomas Bruederli <roundcube@gmail.com>                        |
    20. 

  20.  | Author: Aleksander Machniak <alec@alec.pl>                            |
    21. 

  21.  +-----------------------------------------------------------------------+
    22. 

  22. */
    23. 

  23. 

  24. /**
    25. 

  25.  * Class to provide database supported session storage
    26. 

  26.  *
    27. 

  27.  * @package    Framework
    28. 

  28.  * @subpackage Core
    29. 

  29.  * @author     Thomas Bruederli <roundcube@gmail.com>
    30. 

  30.  * @author     Aleksander Machniak <alec@alec.pl>
    31. 

  31.  */
    32. 

  32. class rcube_session
    33. 

  33. {
    34. 

  34.   private $db;
    35. 

  35.   private $ip;
    36. 

  36.   private $start;
    37. 

  37.   private $changed;
    38. 

  38.   private $unsets = array();
    39. 

  39.   private $gc_handlers = array();
    40. 

  40.   private $cookiename = 'roundcube_sessauth';
    41. 

  41.   private $vars;
    42. 

  42.   private $key;
    43. 

  43.   private $now;
    44. 

  44.   private $secret = '';
    45. 

  45.   private $ip_check = false;
    46. 

  46.   private $logging = false;
    47. 

  47.   private $memcache;
    48. 

  48. 

  49.   /**
    50. 

  50.    * Default constructor
    51. 

  51.    */
    52. 

  52.   public function __construct($db, $config)
    53. 

  53.   {
    54. 

  54.     $this->db      = $db;
    55. 

  55.     $this->start   = microtime(true);
    56. 

  56.     $this->ip      = $_SERVER['REMOTE_ADDR'];
    57. 

  57.     $this->logging = $config->get('log_session', false);
    58. 

  58. 

  59.     $lifetime = $config->get('session_lifetime', 1) * 60;
    60. 

  60.     $this->set_lifetime($lifetime);
    61. 

  61. 

  62.     // use memcache backend
    63. 

  63.     if ($config->get('session_storage', 'db') == 'memcache') {
    64. 

  64.       $this->memcache = rcube::get_instance()->get_memcache();
    65. 

  65. 

  66.       // set custom functions for PHP session management if memcache is available
    67. 

  67.       if ($this->memcache) {
    68. 

  68.         session_set_save_handler(
    69. 

  69.           array($this, 'open'),
    70. 

  70.           array($this, 'close'),
    71. 

  71.           array($this, 'mc_read'),
    72. 

  72.           array($this, 'mc_write'),
    73. 

  73.           array($this, 'mc_destroy'),
    74. 

  74.           array($this, 'gc'));
    75. 

  75.       }
    76. 

  76.       else {
    77. 

  77.         rcube::raise_error(array('code' => 604, 'type' => 'db',
    78. 

  78.           'line' => __LINE__, 'file' => __FILE__,
    79. 

  79.           'message' => "Failed to connect to memcached. Please check configuration"),
    80. 

  80.           true, true);
    81. 

  81.       }
    82. 

  82.     }
    83. 

  83.     else {
    84. 

  84.       // set custom functions for PHP session management
    85. 

  85.       session_set_save_handler(
    86. 

  86.         array($this, 'open'),
    87. 

  87.         array($this, 'close'),
    88. 

  88.         array($this, 'db_read'),
    89. 

  89.         array($this, 'db_write'),
    90. 

  90.         array($this, 'db_destroy'),
    91. 

  91.         array($this, 'db_gc'));
    92. 

  92.       }
    93. 

  93.   }
    94. 

  94. 

  95. 

  96.   public function open($save_path, $session_name)
    97. 

  97.   {
    98. 

  98.     return true;
    99. 

  99.   }
    100. 

  100. 

  101. 

  102.   public function close()
    103. 

  103.   {
    104. 

  104.     return true;
    105. 

  105.   }
    106. 

  106. 

  107. 

  108.   /**
    109. 

  109.    * Delete session data for the given key
    110. 

  110.    *
    111. 

  111.    * @param string Session ID
    112. 

  112.    */
    113. 

  113.   public function destroy($key)
    114. 

  114.   {
    115. 

  115.     return $this->memcache ? $this->mc_destroy($key) : $this->db_destroy($key);
    116. 

  116.   }
    117. 

  117. 

  118. 

  119.   /**
    120. 

  120.    * Read session data from database
    121. 

  121.    *
    122. 

  122.    * @param string Session ID
    123. 

  123.    * @return string Session vars
    124. 

  124.    */
    125. 

  125.   public function db_read($key)
    126. 

  126.   {
    127. 

  127.     $sql_result = $this->db->query(
    128. 

  128.       "SELECT vars, ip, changed FROM ".$this->db->table_name('session')
    129. 

  129.       ." WHERE sess_id = ?", $key);
    130. 

  130. 

  131.     if ($sql_result && ($sql_arr = $this->db->fetch_assoc($sql_result))) {
    132. 

  132.       $this->changed = strtotime($sql_arr['changed']);
    133. 

  133.       $this->ip      = $sql_arr['ip'];
    134. 

  134.       $this->vars    = base64_decode($sql_arr['vars']);
    135. 

  135.       $this->key     = $key;
    136. 

  136. 

  137.       return !empty($this->vars) ? (string) $this->vars : '';
    138. 

  138.     }
    139. 

  139. 

  140.     return null;
    141. 

  141.   }
    142. 

  142. 

  143. 

  144.   /**
    145. 

  145.    * Save session data.
    146. 

  146.    * handler for session_read()
    147. 

  147.    *
    148. 

  148.    * @param string Session ID
    149. 

  149.    * @param string Serialized session vars
    150. 

  150.    * @return boolean True on success
    151. 

  151.    */
    152. 

  152.   public function db_write($key, $vars)
    153. 

  153.   {
    154. 

  154.     $ts = microtime(true);
    155. 

  155.     $now = $this->db->fromunixtime((int)$ts);
    156. 

  156. 

  157.     // no session row in DB (db_read() returns false)
    158. 

  158.     if (!$this->key) {
    159. 

  159.       $oldvars = null;
    160. 

  160.     }
    161. 

  161.     // use internal data from read() for fast requests (up to 0.5 sec.)
    162. 

  162.     else if ($key == $this->key && (!$this->vars || $ts - $this->start < 0.5)) {
    163. 

  163.       $oldvars = $this->vars;
    164. 

  164.     }
    165. 

  165.     else { // else read data again from DB
    166. 

  166.       $oldvars = $this->db_read($key);
    167. 

  167.     }
    168. 

  168. 

  169.     if ($oldvars !== null) {
    170. 

  170.       $newvars = $this->_fixvars($vars, $oldvars);
    171. 

  171. 

  172.       if ($newvars !== $oldvars) {
    173. 

  173.         $this->db->query(
    174. 

  174.           sprintf("UPDATE %s SET vars=?, changed=%s WHERE sess_id=?",
    175. 

  175.             $this->db->table_name('session'), $now),
    176. 

  176.           base64_encode($newvars), $key);
    177. 

  177.       }
    178. 

  178.       else if ($ts - $this->changed > $this->lifetime / 2) {
    179. 

  179.         $this->db->query("UPDATE ".$this->db->table_name('session')." SET changed=$now WHERE sess_id=?", $key);
    180. 

  180.       }
    181. 

  181.     }
    182. 

  182.     else {
    183. 

  183.       $this->db->query(
    184. 

  184.         sprintf("INSERT INTO %s (sess_id, vars, ip, created, changed) ".
    185. 

  185.           "VALUES (?, ?, ?, %s, %s)",
    186. 

  186.           $this->db->table_name('session'), $now, $now),
    187. 

  187.         $key, base64_encode($vars), (string)$this->ip);
    188. 

  188.     }
    189. 

  189. 

  190.     return true;
    191. 

  191.   }
    192. 

  192. 

  193. 

  194.   /**
    195. 

  195.    * Merge vars with old vars and apply unsets
    196. 

  196.    */
    197. 

  197.   private function _fixvars($vars, $oldvars)
    198. 

  198.   {
    199. 

  199.     if ($oldvars !== null) {
    200. 

  200.       $a_oldvars = $this->unserialize($oldvars);
    201. 

  201.       if (is_array($a_oldvars)) {
    202. 

  202.         foreach ((array)$this->unsets as $k)
    203. 

  203.           unset($a_oldvars[$k]);
    204. 

  204. 

  205.         $newvars = $this->serialize(array_merge(
    206. 

  206.           (array)$a_oldvars, (array)$this->unserialize($vars)));
    207. 

  207.       }
    208. 

  208.       else
    209. 

  209.         $newvars = $vars;
    210. 

  210.     }
    211. 

  211. 

  212.     $this->unsets = array();
    213. 

  213.     return $newvars;
    214. 

  214.   }
    215. 

  215. 

  216. 

  217.   /**
    218. 

  218.    * Handler for session_destroy()
    219. 

  219.    *
    220. 

  220.    * @param string Session ID
    221. 

  221.    *
    222. 

  222.    * @return boolean True on success
    223. 

  223.    */
    224. 

  224.   public function db_destroy($key)
    225. 

  225.   {
    226. 

  226.     if ($key) {
    227. 

  227.       $this->db->query(sprintf("DELETE FROM %s WHERE sess_id = ?", $this->db->table_name('session')), $key);
    228. 

  228.     }
    229. 

  229. 

  230.     return true;
    231. 

  231.   }
    232. 

  232. 

  233. 

  234.   /**
    235. 

  235.    * Garbage collecting function
    236. 

  236.    *
    237. 

  237.    * @param string Session lifetime in seconds
    238. 

  238.    * @return boolean True on success
    239. 

  239.    */
    240. 

  240.   public function db_gc($maxlifetime)
    241. 

  241.   {
    242. 

  242.     // just delete all expired sessions
    243. 

  243.     $this->db->query(
    244. 

  244.       sprintf("DELETE FROM %s WHERE changed < %s",
    245. 

  245.         $this->db->table_name('session'), $this->db->fromunixtime(time() - $maxlifetime)));
    246. 

  246. 

  247.     $this->gc();
    248. 

  248. 

  249.     return true;
    250. 

  250.   }
    251. 

  251. 

  252. 

  253.   /**
    254. 

  254.    * Read session data from memcache
    255. 

  255.    *
    256. 

  256.    * @param string Session ID
    257. 

  257.    * @return string Session vars
    258. 

  258.    */
    259. 

  259.   public function mc_read($key)
    260. 

  260.   {
    261. 

  261.     if ($value = $this->memcache->get($key)) {
    262. 

  262.       $arr = unserialize($value);
    263. 

  263.       $this->changed = $arr['changed'];
    264. 

  264.       $this->ip      = $arr['ip'];
    265. 

  265.       $this->vars    = $arr['vars'];
    266. 

  266.       $this->key     = $key;
    267. 

  267. 

  268.       return !empty($this->vars) ? (string) $this->vars : '';
    269. 

  269.     }
    270. 

  270. 

  271.     return null;
    272. 

  272.   }
    273. 

  273. 

  274. 

  275.   /**
    276. 

  276.    * Save session data.
    277. 

  277.    * handler for session_read()
    278. 

  278.    *
    279. 

  279.    * @param string Session ID
    280. 

  280.    * @param string Serialized session vars
    281. 

  281.    * @return boolean True on success
    282. 

  282.    */
    283. 

  283.   public function mc_write($key, $vars)
    284. 

  284.   {
    285. 

  285.     $ts = microtime(true);
    286. 

  286. 

  287.     // no session data in cache (mc_read() returns false)
    288. 

  288.     if (!$this->key)
    289. 

  289.       $oldvars = null;
    290. 

  290.     // use internal data for fast requests (up to 0.5 sec.)
    291. 

  291.     else if ($key == $this->key && (!$this->vars || $ts - $this->start < 0.5))
    292. 

  292.       $oldvars = $this->vars;
    293. 

  293.     else // else read data again
    294. 

  294.       $oldvars = $this->mc_read($key);
    295. 

  295. 

  296.     $newvars = $oldvars !== null ? $this->_fixvars($vars, $oldvars) : $vars;
    297. 

  297. 

  298.     if ($newvars !== $oldvars || $ts - $this->changed > $this->lifetime / 2)
    299. 

  299.       return $this->memcache->set($key, serialize(array('changed' => time(), 'ip' => $this->ip, 'vars' => $newvars)), MEMCACHE_COMPRESSED, $this->lifetime);
    300. 

  300. 

  301.     return true;
    302. 

  302.   }
    303. 

  303. 

  304. 

  305.   /**
    306. 

  306.    * Handler for session_destroy() with memcache backend
    307. 

  307.    *
    308. 

  308.    * @param string Session ID
    309. 

  309.    *
    310. 

  310.    * @return boolean True on success
    311. 

  311.    */
    312. 

  312.   public function mc_destroy($key)
    313. 

  313.   {
    314. 

  314.     if ($key) {
    315. 

  315.       // #1488592: use 2nd argument
    316. 

  316.       $this->memcache->delete($key, 0);
    317. 

  317.     }
    318. 

  318. 

  319.     return true;
    320. 

  320.   }
    321. 

  321. 

  322. 

  323.   /**
    324. 

  324.    * Execute registered garbage collector routines
    325. 

  325.    */
    326. 

  326.   public function gc()
    327. 

  327.   {
    328. 

  328.     foreach ($this->gc_handlers as $fct) {
    329. 

  329.       call_user_func($fct);
    330. 

  330.     }
    331. 

  331.   }
    332. 

  332. 

  333. 

  334.   /**
    335. 

  335.    * Register additional garbage collector functions
    336. 

  336.    *
    337. 

  337.    * @param mixed Callback function
    338. 

  338.    */
    339. 

  339.   public function register_gc_handler($func)
    340. 

  340.   {
    341. 

  341.     foreach ($this->gc_handlers as $handler) {
    342. 

  342.       if ($handler == $func) {
    343. 

  343.         return;
    344. 

  344.       }
    345. 

  345.     }
    346. 

  346. 

  347.     $this->gc_handlers[] = $func;
    348. 

  348.   }
    349. 

  349. 

  350. 

  351.   /**
    352. 

  352.    * Generate and set new session id
    353. 

  353.    *
    354. 

  354.    * @param boolean $destroy If enabled the current session will be destroyed
    355. 

  355.    */
    356. 

  356.   public function regenerate_id($destroy=true)
    357. 

  357.   {
    358. 

  358.     session_regenerate_id($destroy);
    359. 

  359. 

  360.     $this->vars = null;
    361. 

  361.     $this->key  = session_id();
    362. 

  362. 

  363.     return true;
    364. 

  364.   }
    365. 

  365. 

  366. 

  367.   /**
    368. 

  368.    * Unset a session variable
    369. 

  369.    *
    370. 

  370.    * @param string Varibale name
    371. 

  371.    * @return boolean True on success
    372. 

  372.    */
    373. 

  373.   public function remove($var=null)
    374. 

  374.   {
    375. 

  375.     if (empty($var))
    376. 

  376.       return $this->destroy(session_id());
    377. 

  377. 

  378.     $this->unsets[] = $var;
    379. 

  379.     unset($_SESSION[$var]);
    380. 

  380. 

  381.     return true;
    382. 

  382.   }
    383. 

  383. 

  384. 

  385.   /**
    386. 

  386.    * Kill this session
    387. 

  387.    */
    388. 

  388.   public function kill()
    389. 

  389.   {
    390. 

  390.     $this->vars = null;
    391. 

  391.     $this->ip = $_SERVER['REMOTE_ADDR']; // update IP (might have changed)
    392. 

  392.     $this->destroy(session_id());
    393. 

  393.     rcube_utils::setcookie($this->cookiename, '-del-', time() - 60);
    394. 

  394.   }
    395. 

  395. 

  396. 

  397.   /**
    398. 

  398.    * Re-read session data from storage backend
    399. 

  399.    */
    400. 

  400.   public function reload()
    401. 

  401.   {
    402. 

  402.     if ($this->key && $this->memcache)
    403. 

  403.       $data = $this->mc_read($this->key);
    404. 

  404.     else if ($this->key)
    405. 

  405.       $data = $this->db_read($this->key);
    406. 

  406. 

  407.     if ($data)
    408. 

  408.      session_decode($data);
    409. 

  409.   }
    410. 

  410. 

  411. 

  412.   /**
    413. 

  413.    * Serialize session data
    414. 

  414.    */
    415. 

  415.   private function serialize($vars)
    416. 

  416.   {
    417. 

  417.     $data = '';
    418. 

  418.     if (is_array($vars))
    419. 

  419.       foreach ($vars as $var=>$value)
    420. 

  420.         $data .= $var.'|'.serialize($value);
    421. 

  421.     else
    422. 

  422.       $data = 'b:0;';
    423. 

  423.     return $data;
    424. 

  424.   }
    425. 

  425. 

  426. 

  427.   /**
    428. 

  428.    * Unserialize session data
    429. 

  429.    * http://www.php.net/manual/en/function.session-decode.php#56106
    430. 

  430.    */
    431. 

  431.   private function unserialize($str)
    432. 

  432.   {
    433. 

  433.     $str = (string)$str;
    434. 

  434.     $endptr = strlen($str);
    435. 

  435.     $p = 0;
    436. 

  436. 

  437.     $serialized = '';
    438. 

  438.     $items = 0;
    439. 

  439.     $level = 0;
    440. 

  440. 

  441.     while ($p < $endptr) {
    442. 

  442.       $q = $p;
    443. 

  443.       while ($str[$q] != '|')
    444. 

  444.         if (++$q >= $endptr) break 2;
    445. 

  445. 

  446.       if ($str[$p] == '!') {
    447. 

  447.         $p++;
    448. 

  448.         $has_value = false;
    449. 

  449.       } else {
    450. 

  450.         $has_value = true;
    451. 

  451.       }
    452. 

  452. 

  453.       $name = substr($str, $p, $q - $p);
    454. 

  454.       $q++;
    455. 

  455. 

  456.       $serialized .= 's:' . strlen($name) . ':"' . $name . '";';
    457. 

  457. 

  458.       if ($has_value) {
    459. 

  459.         for (;;) {
    460. 

  460.           $p = $q;
    461. 

  461.           switch (strtolower($str[$q])) {
    462. 

  462.             case 'n': /* null */
    463. 

  463.             case 'b': /* boolean */
    464. 

  464.             case 'i': /* integer */
    465. 

  465.             case 'd': /* decimal */
    466. 

  466.               do $q++;
    467. 

  467.               while ( ($q < $endptr) && ($str[$q] != ';') );
    468. 

  468.               $q++;
    469. 

  469.               $serialized .= substr($str, $p, $q - $p);
    470. 

  470.               if ($level == 0) break 2;
    471. 

  471.               break;
    472. 

  472.             case 'r': /* reference  */
    473. 

  473.               $q+= 2;
    474. 

  474.               for ($id = ''; ($q < $endptr) && ($str[$q] != ';'); $q++) $id .= $str[$q];
    475. 

  475.               $q++;
    476. 

  476.               $serialized .= 'R:' . ($id + 1) . ';'; /* increment pointer because of outer array */
    477. 

  477.               if ($level == 0) break 2;
    478. 

  478.               break;
    479. 

  479.             case 's': /* string */
    480. 

  480.               $q+=2;
    481. 

  481.               for ($length=''; ($q < $endptr) && ($str[$q] != ':'); $q++) $length .= $str[$q];
    482. 

  482.               $q+=2;
    483. 

  483.               $q+= (int)$length + 2;
    484. 

  484.               $serialized .= substr($str, $p, $q - $p);
    485. 

  485.               if ($level == 0) break 2;
    486. 

  486.               break;
    487. 

  487.             case 'a': /* array */
    488. 

  488.             case 'o': /* object */
    489. 

  489.               do $q++;
    490. 

  490.               while ( ($q < $endptr) && ($str[$q] != '{') );
    491. 

  491.               $q++;
    492. 

  492.               $level++;
    493. 

  493.               $serialized .= substr($str, $p, $q - $p);
    494. 

  494.               break;
    495. 

  495.             case '}': /* end of array|object */
    496. 

  496.               $q++;
    497. 

  497.               $serialized .= substr($str, $p, $q - $p);
    498. 

  498.               if (--$level == 0) break 2;
    499. 

  499.               break;
    500. 

  500.             default:
    501. 

  501.               return false;
    502. 

  502.           }
    503. 

  503.         }
    504. 

  504.       } else {
    505. 

  505.         $serialized .= 'N;';
    506. 

  506.         $q += 2;
    507. 

  507.       }
    508. 

  508.       $items++;
    509. 

  509.       $p = $q;
    510. 

  510.     }
    511. 

  511. 

  512.     return unserialize( 'a:' . $items . ':{' . $serialized . '}' );
    513. 

  513.   }
    514. 

  514. 

  515. 

  516.   /**
    517. 

  517.    * Setter for session lifetime
    518. 

  518.    */
    519. 

  519.   public function set_lifetime($lifetime)
    520. 

  520.   {
    521. 

  521.       $this->lifetime = max(120, $lifetime);
    522. 

  522. 

  523.       // valid time range is now - 1/2 lifetime to now + 1/2 lifetime
    524. 

  524.       $now = time();
    525. 

  525.       $this->now = $now - ($now % ($this->lifetime / 2));
    526. 

  526.   }
    527. 

  527. 

  528. 

  529.   /**
    530. 

  530.    * Getter for remote IP saved with this session
    531. 

  531.    */
    532. 

  532.   public function get_ip()
    533. 

  533.   {
    534. 

  534.     return $this->ip;
    535. 

  535.   }
    536. 

  536. 

  537. 

  538.   /**
    539. 

  539.    * Setter for cookie encryption secret
    540. 

  540.    */
    541. 

  541.   function set_secret($secret)
    542. 

  542.   {
    543. 

  543.     $this->secret = $secret;
    544. 

  544.   }
    545. 

  545. 

  546. 

  547.   /**
    548. 

  548.    * Enable/disable IP check
    549. 

  549.    */
    550. 

  550.   function set_ip_check($check)
    551. 

  551.   {
    552. 

  552.     $this->ip_check = $check;
    553. 

  553.   }
    554. 

  554. 

  555. 

  556.   /**
    557. 

  557.    * Setter for the cookie name used for session cookie
    558. 

  558.    */
    559. 

  559.   function set_cookiename($cookiename)
    560. 

  560.   {
    561. 

  561.     if ($cookiename)
    562. 

  562.       $this->cookiename = $cookiename;
    563. 

  563.   }
    564. 

  564. 

  565. 

  566.   /**
    567. 

  567.    * Check session authentication cookie
    568. 

  568.    *
    569. 

  569.    * @return boolean True if valid, False if not
    570. 

  570.    */
    571. 

  571.   function check_auth()
    572. 

  572.   {
    573. 

  573.     $this->cookie = $_COOKIE[$this->cookiename];
    574. 

  574.     $result = $this->ip_check ? $_SERVER['REMOTE_ADDR'] == $this->ip : true;
    575. 

  575. 

  576.     if (!$result)
    577. 

  577.       $this->log("IP check failed for " . $this->key . "; expected " . $this->ip . "; got " . $_SERVER['REMOTE_ADDR']);
    578. 

  578. 

  579.     if ($result && $this->_mkcookie($this->now) != $this->cookie) {
    580. 

  580.       $this->log("Session auth check failed for " . $this->key . "; timeslot = " . date('Y-m-d H:i:s', $this->now));
    581. 

  581.       $result = false;
    582. 

  582. 

  583.       // Check if using id from a previous time slot
    584. 

  584.       for ($i = 1; $i <= 2; $i++) {
    585. 

  585.         $prev = $this->now - ($this->lifetime / 2) * $i;
    586. 

  586.         if ($this->_mkcookie($prev) == $this->cookie) {
    587. 

  587.           $this->log("Send new auth cookie for " . $this->key . ": " . $this->cookie);
    588. 

  588.           $this->set_auth_cookie();
    589. 

  589.           $result = true;
    590. 

  590.         }
    591. 

  591.       }
    592. 

  592.     }
    593. 

  593. 

  594.     if (!$result)
    595. 

  595.       $this->log("Session authentication failed for " . $this->key . "; invalid auth cookie sent; timeslot = " . date('Y-m-d H:i:s', $prev));
    596. 

  596. 

  597.     return $result;
    598. 

  598.   }
    599. 

  599. 

  600. 

  601.   /**
    602. 

  602.    * Set session authentication cookie
    603. 

  603.    */
    604. 

  604.   function set_auth_cookie()
    605. 

  605.   {
    606. 

  606.     $this->cookie = $this->_mkcookie($this->now);
    607. 

  607.     rcube_utils::setcookie($this->cookiename, $this->cookie, 0);
    608. 

  608.     $_COOKIE[$this->cookiename] = $this->cookie;
    609. 

  609.   }
    610. 

  610. 

  611. 

  612.   /**
    613. 

  613.    * Create session cookie from session data
    614. 

  614.    *
    615. 

  615.    * @param int Time slot to use
    616. 

  616.    */
    617. 

  617.   function _mkcookie($timeslot)
    618. 

  618.   {
    619. 

  619.     $auth_string = "$this->key,$this->secret,$timeslot";
    620. 

  620.     return "S" . (function_exists('sha1') ? sha1($auth_string) : md5($auth_string));
    621. 

  621.   }
    622. 

  622. 

  623.   /**
    624. 

  624.    * Writes debug information to the log
    625. 

  625.    */
    626. 

  626.   function log($line)
    627. 

  627.   {
    628. 

  628.     if ($this->logging)
    629. 

  629.       rcube::write_log('session', $line);
    630. 

  630.   }
    631. 

  631. 

  632. }
    633. 

  633.