  1. <?
  2.  
  3. /**
  4.  
  5. * Session.php
  6.  
  7. *
  8.  
  9. * The Session class is meant to simplify the task of keeping
  10.  
  11. * track of logged in users and also guests.
  12.  
  13. *
  14.  
  15. * Written by: Jpmaster77 a.k.a. The Grandmaster of C++ (GMC)
  16.  
  17. * Last Updated: August 19, 2004
  18.  
  19. */
  20.  
  21. include("database.php");
  22.  
  23. include("mailer.php");
  24.  
  25. include("form.php");
  26.  
  27.  
  28.  
  29. class Session
  30.  
  31. {
  32.  
  33. var $username; //Username given on sign-up
  34.  
  35. var $userid; //Random value generated on current login
  36.  
  37. var $userlevel; //The level to which the user pertains
  38.  
  39. var $time; //Time user was last active (page loaded)
  40.  
  41. var $logged_in; //True if user is logged in, false otherwise
  42.  
  43. var $userinfo = array(); //The array holding all user info
  44.  
  45. var $url; //The page url current being viewed
  46.  
  47. var $referrer; //Last recorded site page viewed
  48.  
  49. /**
  50.  
  51. * Note: referrer should really only be considered the actual
  52.  
  53. * page referrer in process.php, any other time it may be
  54.  
  55. * inaccurate.
  56.  
  57. */
  58.  
  59.  
  60.  
  61. /* Class constructor */
  62.  
  63. function Session(){
  64.  
  65. $this->time = time();
  66.  
  67. $this->startSession();
  68.  
  69. }
  70.  
  71.  
  72.  
  73. /**
  74.  
  75. * startSession - Performs all the actions necessary to
  76.  
  77. * initialize this session object. Tries to determine if the
  78.  
  79. * the user has logged in already, and sets the variables
  80.  
  81. * accordingly. Also takes advantage of this page load to
  82.  
  83. * update the active visitors tables.
  84.  
  85. */
  86.  
  87. function startSession(){
  88.  
  89. global $database; //The database connection
  90.  
  91. session_start(); //Tell PHP to start the session
  92.  
  93.  
  94.  
  95. /* Determine if user is logged in */
  96.  
  97. $this->logged_in = $this->checkLogin();
  98.  
  99.  
  100.  
  101. /**
  102.  
  103. * Set guest value to users not logged in, and update
  104.  
  105. * active guests table accordingly.
  106.  
  107. */
  108.  
  109. if(!$this->logged_in){
  110.  
  111. $this->username = $_SESSION['username'] = GUEST_NAME;
  112.  
  113. $this->userlevel = GUEST_LEVEL;
  114.  
  115. $database->addActiveGuest($_SERVER['REMOTE_ADDR'], $this->time);
  116.  
  117. }
  118.  
  119. /* Update users last active timestamp */
  120.  
  121. else{
  122.  
  123. $database->addActiveUser($this->username, $this->time);
  124.  
  125. }
  126.  
  127.  
  128.  
  129. /* Remove inactive visitors from database */
  130.  
  131. $database->removeInactiveUsers();
  132.  
  133. $database->removeInactiveGuests();
  134.  
  135.  
  136.  
  137. /* Set referrer page */
  138.  
  139. if(isset($_SESSION['url'])){
  140.  
  141. $this->referrer = $_SESSION['url'];
  142.  
  143. }else{
  144.  
  145. $this->referrer = "/";
  146.  
  147. }
  148.  
  149.  
  150.  
  151. /* Set current url */
  152.  
  153. $this->url = $_SESSION['url'] = $_SERVER['PHP_SELF'];
  154.  
  155. }
  156.  
  157.  
  158.  
  159. /**
  160.  
  161. * checkLogin - Checks if the user has already previously
  162.  
  163. * logged in, and a session with the user has already been
  164.  
  165. * established. Also checks to see if user has been remembered.
  166.  
  167. * If so, the database is queried to make sure of the user's
  168.  
  169. * authenticity. Returns true if the user has logged in.
  170.  
  171. */
  172.  
  173. function checkLogin(){
  174.  
  175. global $database; //The database connection
  176.  
  177. /* Check if user has been remembered */
  178.  
  179. if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookid'])){
  180.  
  181. $this->username = $_SESSION['username'] = $_COOKIE['cookname'];
  182.  
  183. $this->userid = $_SESSION['userid'] = $_COOKIE['cookid'];
  184.  
  185. }
  186.  
  187.  
  188.  
  189. /* Username and userid have been set and not guest */
  190.  
  191. if(isset($_SESSION['username']) && isset($_SESSION['userid']) &&
  192.  
  193. $_SESSION['username'] != GUEST_NAME){
  194.  
  195. /* Confirm that username and userid are valid */
  196.  
  197. if($database->confirmUserID($_SESSION['username'], $_SESSION['userid']) != 0){
  198.  
  199. /* Variables are incorrect, user not logged in */
  200.  
  201. unset($_SESSION['username']);
  202.  
  203. unset($_SESSION['userid']);
  204.  
  205. return false;
  206.  
  207. }
  208.  
  209.  
  210.  
  211. /* User is logged in, set class variables */
  212.  
  213. $this->userinfo = $database->getUserInfo($_SESSION['username']);
  214.  
  215. $this->username = $this->userinfo['username'];
  216.  
  217. $this->userid = $this->userinfo['userid'];
  218.  
  219. $this->userlevel = $this->userinfo['userlevel'];
  220.  
  221. return true;
  222.  
  223. }
  224.  
  225. /* User not logged in */
  226.  
  227. else{
  228.  
  229. return false;
  230.  
  231. }
  232.  
  233. }
  234.  
  235.  
  236.  
  237. /**
  238.  
  239. * login - The user has submitted his username and password
  240.  
  241. * through the login form, this function checks the authenticity
  242.  
  243. * of that information in the database and creates the session.
  244.  
  245. * Effectively logging in the user if all goes well.
  246.  
  247. */
  248.  
  249. function login($subuser, $subpass, $subremember){
  250.  
  251. global $database, $form; //The database and form object
  252.  
  253.  
  254.  
  255. /* Username error checking */
  256.  
  257. $field = "user"; //Use field name for username
  258.  
  259. if(!$subuser || strlen($subuser = trim($subuser)) == 0){
  260.  
  261. $form->setError($field, "* Username not entered");
  262.  
  263. }
  264.  
  265. else{
  266.  
  267. /* Check if username is not alphanumeric */
  268.  
  269. if(!eregi("^([0-9a-z])*$", $subuser)){
  270.  
  271. $form->setError($field, "* Username not alphanumeric");
  272.  
  273. }
  274.  
  275. }
  276.  
  277.  
  278.  
  279. /* Password error checking */
  280.  
  281. $field = "pass"; //Use field name for password
  282.  
  283. if(!$subpass){
  284.  
  285. $form->setError($field, "* Password not entered");
  286.  
  287. }
  288.  
  289.  
  290.  
  291. /* Return if form errors exist */
  292.  
  293. if($form->num_errors > 0){
  294.  
  295. return false;
  296.  
  297. }
  298.  
  299.  
  300.  
  301. /* Checks that username is in database and password is correct */
  302.  
  303. $subuser = stripslashes($subuser);
  304.  
  305. $result = $database->confirmUserPass($subuser, md5($subpass));
  306.  
  307.  
  308.  
  309. /* Check error codes */
  310.  
  311. if($result == 1){
  312.  
  313. $field = "user";
  314.  
  315. $form->setError($field, "* Username not found");
  316.  
  317. }
  318.  
  319. else if($result == 2){
  320.  
  321. $field = "pass";
  322.  
  323. $form->setError($field, "* Invalid password");
  324.  
  325. }
  326.  
  327.  
  328.  
  329. /* Return if form errors exist */
  330.  
  331. if($form->num_errors > 0){
  332.  
  333. return false;
  334.  
  335. }
  336.  
  337.  
  338.  
  339. /* Username and password correct, register session variables */
  340.  
  341. $this->userinfo = $database->getUserInfo($subuser);
  342.  
  343. $this->username = $_SESSION['username'] = $this->userinfo['username'];
  344.  
  345. $this->userid = $_SESSION['userid'] = $this->generateRandID();
  346.  
  347. $this->userlevel = $this->userinfo['userlevel'];
  348.  
  349.  
  350.  
  351. /* Insert userid into database and update active users table */
  352.  
  353. $database->updateUserField($this->username, "userid", $this->userid);
  354.  
  355. $database->addActiveUser($this->username, $this->time);
  356.  
  357. $database->removeActiveGuest($_SERVER['REMOTE_ADDR']);
  358.  
  359.  
  360.  
  361. /**
  362.  
  363. * This is the cool part: the user has requested that we remember that
  364.  
  365. * he's logged in, so we set two cookies. One to hold his username,
  366.  
  367. * and one to hold his random value userid. It expires by the time
  368.  
  369. * specified in constants.php. Now, next time he comes to our site, we will
  370.  
  371. * log him in automatically, but only if he didn't log out before he left.
  372.  
  373. */
  374.  
  375. if($subremember){
  376.  
  377. setcookie("cookname", $this->username, time()+COOKIE_EXPIRE, COOKIE_PATH);
  378.  
  379. setcookie("cookid", $this->userid, time()+COOKIE_EXPIRE, COOKIE_PATH);
  380.  
  381. }
  382.  
  383.  
  384.  
  385. /* Login completed successfully */
  386.  
  387. return true;
  388.  
  389. }
  390.  
  391.  
  392.  
  393. /**
  394.  
  395. * logout - Gets called when the user wants to be logged out of the
  396.  
  397. * website. It deletes any cookies that were stored on the users
  398.  
  399. * computer as a result of him wanting to be remembered, and also
  400.  
  401. * unsets session variables and demotes his user level to guest.
  402.  
  403. */
  404.  
  405. function logout(){
  406.  
  407. global $database; //The database connection
  408.  
  409. /**
  410.  
  411. * Delete cookies - the time must be in the past,
  412.  
  413. * so just negate what you added when creating the
  414.  
  415. * cookie.
  416.  
  417. */
  418.  
  419. if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookid'])){
  420.  
  421. setcookie("cookname", "", time()-COOKIE_EXPIRE, COOKIE_PATH);
  422.  
  423. setcookie("cookid", "", time()-COOKIE_EXPIRE, COOKIE_PATH);
  424.  
  425. }
  426.  
  427.  
  428.  
  429. /* Unset PHP session variables */
  430.  
  431. unset($_SESSION['username']);
  432.  
  433. unset($_SESSION['userid']);
  434.  
  435.  
  436.  
  437. /* Reflect fact that user has logged out */
  438.  
  439. $this->logged_in = false;
  440.  
  441.  
  442.  
  443. /**
  444.  
  445. * Remove from active users table and add to
  446.  
  447. * active guests tables.
  448.  
  449. */
  450.  
  451. $database->removeActiveUser($this->username);
  452.  
  453. $database->addActiveGuest($_SERVER['REMOTE_ADDR'], $this->time);
  454.  
  455.  
  456.  
  457. /* Set user level to guest */
  458.  
  459. $this->username = GUEST_NAME;
  460.  
  461. $this->userlevel = GUEST_LEVEL;
  462.  
  463. }
  464.  
  465.  
  466.  
  467. /**
  468.  
  469. * register - Gets called when the user has just submitted the
  470.  
  471. * registration form. Determines if there were any errors with
  472.  
  473. * the entry fields, if so, it records the errors and returns
  474.  
  475. * 1. If no errors were found, it registers the new user and
  476.  
  477. * returns 0. Returns 2 if registration failed.
  478.  
  479. */
  480.  
  481. function register($subuser, $subpass, $subemail, $description, $game, $name, $age, $quote){
  482.  
  483. global $database, $form, $mailer; //The database, form and mailer object
  484.  
  485.  
  486.  
  487. /* Username error checking */
  488.  
  489. $field = "user"; //Use field name for username
  490.  
  491. if(!$subuser || strlen($subuser = trim($subuser)) == 0){
  492.  
  493. $form->setError($field, "<td class='error'>* Username not entered</td>");
  494.  
  495. }
  496.  
  497. else{
  498.  
  499. /* Spruce up username, check length */
  500.  
  501. $subuser = stripslashes($subuser);
  502.  
  503. if(strlen($subuser) < 5){
  504.  
  505. $form->setError($field, "<td class='error'>* Username below 5 characters</td>");
  506.  
  507. }
  508.  
  509. else if(strlen($subuser) > 30){
  510.  
  511. $form->setError($field, "<td class='error'>* Username above 30 characters</td>");
  512.  
  513. }
  514.  
  515. /* Check if username is not alphanumeric */
  516.  
  517. else if(!eregi("^([0-9a-z])+$", $subuser)){
  518.  
  519. $form->setError($field, "<td class='error'>* Username not alphanumeric</td>");
  520.  
  521. }
  522.  
  523. /* Check if username is reserved */
  524.  
  525. else if(strcasecmp($subuser, GUEST_NAME) == 0){
  526.  
  527. $form->setError($field, "<td class='error'>* Username reserved word</td>");
  528.  
  529. }
  530.  
  531. /* Check if username is already in use */
  532.  
  533. else if($database->usernameTaken($subuser)){
  534.  
  535. $form->setError($field, "<td class='error'>* Username already in use</td>");
  536.  
  537. }
  538.  
  539. /* Check if username is banned */
  540.  
  541. else if($database->usernameBanned($subuser)){
  542.  
  543. $form->setError($field, "<td class='error'>* Username banned</td>");
  544.  
  545. }
  546.  
  547. }
  548.  
  549.  
  550.  
  551. /* Password error checking */
  552.  
  553. $field = "pass"; //Use field name for password
  554.  
  555. if(!$subpass){
  556.  
  557. $form->setError($field, "<td class='error'>* Password not entered</td>");
  558.  
  559. }
  560.  
  561. else{
  562.  
  563. /* Spruce up password and check length*/
  564.  
  565. $subpass = stripslashes($subpass);
  566.  
  567. if(strlen($subpass) < 4){
  568.  
  569. $form->setError($field, "<td class='error'>* Password too short</td>");
  570.  
  571. }
  572.  
  573. /* Check if password is not alphanumeric */
  574.  
  575. else if(!eregi("^([0-9a-z])+$", ($subpass = trim($subpass)))){
  576.  
  577. $form->setError($field, "<td class='error'>* Password not alphanumeric</td>");
  578.  
  579. }
  580.  
  581. /**
  582.  
  583. * Note: I trimmed the password only after I checked the length
  584.  
  585. * because if you fill the password field up with spaces
  586.  
  587. * it looks like a lot more characters than 4, so it looks
  588.  
  589. * kind of stupid to report "password too short".
  590.  
  591. */
  592.  
  593. }
  594.  
  595.  
  596.  
  597. /* Email error checking */
  598.  
  599. $field = "email"; //Use field name for email
  600.  
  601. if(!$subemail || strlen($subemail = trim($subemail)) == 0){
  602.  
  603. $form->setError($field, "<td class='error'>* Email not entered</td>");
  604.  
  605. }
  606.  
  607. else{
  608.  
  609. /* Check if valid email address */
  610.  
  611. $regex = "^[_+a-z0-9-]+(\.[_+a-z0-9-]+)*"
  612.  
  613. ."@[a-z0-9-]+(\.[a-z0-9-]{1,})*"
  614.  
  615. ."\.([a-z]{2,}){1}$";
  616.  
  617. if(!eregi($regex,$subemail)){
  618.  
  619. $form->setError($field, "<td class='error'>* Email invalid</td>");
  620.  
  621. }
  622.  
  623. $subemail = stripslashes($subemail);
  624.  
  625. }
  626.  
  627.  
  628.  
  629. /* Errors exist, have user correct them */
  630.  
  631. if($form->num_errors > 0){
  632.  
  633. return 1; //Errors with form
  634.  
  635. }
  636.  
  637. /* No errors, add the new account to the */
  638.  
  639. else{
  640.  
  641. if($database->addNewUser($subuser, md5($subpass), $subemail, $description, $game, $name, $age, $quote)){
  642.  
  643. if(EMAIL_WELCOME){
  644.  
  645. $mailer->sendWelcome($subuser,$subemail,$subpass);
  646.  
  647. }
  648.  
  649. return 0; //New user added succesfully
  650.  
  651. }else{
  652.  
  653. return 2; //Registration attempt failed
  654.  
  655. }
  656.  
  657. }
  658.  
  659. }
  660.  
  661.  
  662.  
  663. /**
  664.  
  665. * editAccount - Attempts to edit the user's account information
  666.  
  667. * including the password, which it first makes sure is correct
  668.  
  669. * if entered, if so and the new password is in the right
  670.  
  671. * format, the change is made. All other fields are changed
  672.  
  673. * automatically.
  674.  
  675. */
  676.  
  677. function editAccount($description, $game, $name, $age, $quote, $subcurpass, $subnewpass, $subemail){
  678.  
  679.  
  680.  
  681. global $database, $form; //The database and form object
  682.  
  683. /* New password entered */
  684.  
  685. if($subnewpass){
  686.  
  687. /* Current Password error checking */
  688.  
  689. $field = "curpass"; //Use field name for current password
  690.  
  691. if(!$subcurpass){
  692.  
  693. $form->setError($field, "* Current Password not entered");
  694.  
  695. }
  696.  
  697. else{
  698.  
  699. /* Check if password too short or is not alphanumeric */
  700.  
  701. $subcurpass = stripslashes($subcurpass);
  702.  
  703. if(strlen($subcurpass) < 4 ||
  704.  
  705. !eregi("^([0-9a-z])+$", ($subcurpass = trim($subcurpass)))){
  706.  
  707. $form->setError($field, "* Current Password incorrect");
  708.  
  709. }
  710.  
  711. /* Password entered is incorrect */
  712.  
  713. if($database->confirmUserPass($this->username,md5($subcurpass)) != 0){
  714.  
  715. $form->setError($field, "* Current Password incorrect");
  716.  
  717. }
  718.  
  719. }
  720.  
  721.  
  722.  
  723. /* New Password error checking */
  724.  
  725. $field = "newpass"; //Use field name for new password
  726.  
  727. /* Spruce up password and check length*/
  728.  
  729. $subpass = stripslashes($subnewpass);
  730.  
  731. if(strlen($subnewpass) < 4){
  732.  
  733. $form->setError($field, "* New Password too short");
  734.  
  735. }
  736.  
  737. /* Check if password is not alphanumeric */
  738.  
  739. else if(!eregi("^([0-9a-z])+$", ($subnewpass = trim($subnewpass)))){
  740.  
  741. $form->setError($field, "* New Password not alphanumeric");
  742.  
  743. }
  744.  
  745. }
  746.  
  747. /* Change password attempted */
  748.  
  749. else if($subcurpass){
  750.  
  751. /* New Password error reporting */
  752.  
  753. $field = "newpass"; //Use field name for new password
  754.  
  755. $form->setError($field, "* New Password not entered");
  756.  
  757. }
  758.  
  759.  
  760.  
  761. /* Email error checking */
  762.  
  763. $field = "email"; //Use field name for email
  764.  
  765. if($subemail && strlen($subemail = trim($subemail)) > 0){
  766.  
  767. /* Check if valid email address */
  768.  
  769. $regex = "^[_+a-z0-9-]+(\.[_+a-z0-9-]+)*"
  770.  
  771. ."@[a-z0-9-]+(\.[a-z0-9-]{1,})*"
  772.  
  773. ."\.([a-z]{2,}){1}$";
  774.  
  775. if(!eregi($regex,$subemail)){
  776.  
  777. $form->setError($field, "* Email invalid");
  778.  
  779. }
  780.  
  781. $subemail = stripslashes($subemail);
  782.  
  783. }
  784.  
  785.  
  786.  
  787. /* Errors exist, have user correct them */
  788.  
  789. if($form->num_errors > 0){
  790.  
  791. return false; //Errors with form
  792.  
  793. }
  794.  
  795. if($quote){
  796.  
  797. $database->updateUserField($this->username,"quote",$quote);
  798.  
  799. }
  800.  
  801. if($age){
  802.  
  803. $database->updateUserField($this->username,"age",$age);
  804.  
  805. }
  806.  
  807. if($name){
  808.  
  809. $database->updateUserField($this->username,"name",$name);
  810.  
  811. }
  812.  
  813. if($game){
  814.  
  815. $database->updateUserField($this->username,"game",$game);
  816.  
  817. }
  818.  
  819. if($description){
  820.  
  821. $database->updateUserField($this->username,"description",$description);
  822.  
  823. }
  824.  
  825.  
  826.  
  827.  
  828.  
  829. /* Update password since there were no errors */
  830.  
  831. if($subcurpass && $subnewpass){
  832.  
  833. $database->updateUserField($this->username,"password",md5($subnewpass));
  834.  
  835. }
  836.  
  837.  
  838.  
  839. /* Change Email */
  840.  
  841. if($subemail){
  842.  
  843. $database->updateUserField($this->username,"email",$subemail);
  844.  
  845. }
  846.  
  847.  
  848.  
  849. /* Success! */
  850.  
  851. return true;
  852.  
  853.  
  854.  
  855. }
  856.  
  857.  
  858.  
  859.  
  860.  
  861. /**
  862.  
  863. * isAdmin - Returns true if currently logged in user is
  864.  
  865. * an administrator, false otherwise.
  866.  
  867. */
  868.  
  869. function isAdmin(){
  870.  
  871. return ($this->userlevel == ADMIN_LEVEL ||
  872.  
  873. $this->username == ADMIN_NAME);
  874.  
  875. }
  876.  
  877.  
  878.  
  879. /**
  880.  
  881. * generateRandID - Generates a string made up of randomized
  882.  
  883. * letters (lower and upper case) and digits and returns
  884.  
  885. * the md5 hash of it to be used as a userid.
  886.  
  887. */
  888.  
  889. function generateRandID(){
  890.  
  891. return md5($this->generateRandStr(16));
  892.  
  893. }
  894.  
  895.  
  896.  
  897. /**
  898.  
  899. * generateRandStr - Generates a string made up of randomized
  900.  
  901. * letters (lower and upper case) and digits, the length
  902.  
  903. * is a specified parameter.
  904.  
  905. */
  906.  
  907. function generateRandStr($length){
  908.  
  909. $randstr = "";
  910.  
  911. for($i=0; $i<$length; $i++){
  912.  
  913. $randnum = mt_rand(0,61);
  914.  
  915. if($randnum < 10){
  916.  
  917. $randstr .= chr($randnum+48);
  918.  
  919. }else if($randnum < 36){
  920.  
  921. $randstr .= chr($randnum+55);
  922.  
  923. }else{
  924.  
  925. $randstr .= chr($randnum+61);
  926.  
  927. }
  928.  
  929. }
  930.  
  931. return $randstr;
  932.  
  933. }
  934.  
  935. };
  936.  
  937.  
  938.  
  939.  
  940.  
  941. /**
  942.  
  943. * Initialize session object - This must be initialized before
  944.  
  945. * the form object because the form uses session variables,
  946.  
  947. * which cannot be accessed unless the session has started.
  948.  
  949. */
  950.  
  951. $session = new Session;
  952.  
  953.  
  954.  
  955. /* Initialize form object */
  956.  
  957. $form = new Form;
  958.  
  959.  
  960.  
  961. ?>