  1. <?
  2. /**
  3. * Session.php
  4. *
  5. * The Session class is meant to simplify the task of keeping
  6. * track of logged in users and also guests.
  7. *
  8. * Written by: Jpmaster77 a.k.a. The Grandmaster of C++ (GMC)
  9. * Last Updated: August 19, 2004
  10. */
  11. include("database.php");
  12. include("mailer.php");
  13. include("form.php");
  14.  
  15. class Session
  16. {
  17. var $username; //Username given on sign-up
  18. var $userid; //Random value generated on current login
  19. var $userlevel; //The level to which the user pertains
  20. var $time; //Time user was last active (page loaded)
  21. var $logged_in; //True if user is logged in, false otherwise
  22. var $userinfo = array(); //The array holding all user info
  23. var $url; //The page url current being viewed
  24. var $referrer; //Last recorded site page viewed
  25. /**
  26. * Note: referrer should really only be considered the actual
  27. * page referrer in process.php, any other time it may be
  28. * inaccurate.
  29. */
  30.  
  31. /* Class constructor */
  32. function Session(){
  33. $this->time = time();
  34. $this->startSession();
  35. }
  36.  
  37. /**
  38. * startSession - Performs all the actions necessary to
  39. * initialize this session object. Tries to determine if the
  40. * the user has logged in already, and sets the variables
  41. * accordingly. Also takes advantage of this page load to
  42. * update the active visitors tables.
  43. */
  44. function startSession(){
  45. global $database; //The database connection
  46. session_start(); //Tell PHP to start the session
  47.  
  48. /* Determine if user is logged in */
  49. $this->logged_in = $this->checkLogin();
  50.  
  51. /**
  52. * Set guest value to users not logged in, and update
  53. * active guests table accordingly.
  54. */
  55. if(!$this->logged_in){
  56. $this->username = $_SESSION['username'] = GUEST_NAME;
  57. $this->userlevel = GUEST_LEVEL;
  58. $database->addActiveGuest($_SERVER['REMOTE_ADDR'], $this->time);
  59. }
  60. /* Update users last active timestamp */
  61. else{
  62. $database->addActiveUser($this->username, $this->time);
  63. }
  64.  
  65. /* Remove inactive visitors from database */
  66. $database->removeInactiveUsers();
  67. $database->removeInactiveGuests();
  68.  
  69. /* Set referrer page */
  70. if(isset($_SESSION['url'])){
  71. $this->referrer = $_SESSION['url'];
  72. }else{
  73. $this->referrer = "/";
  74. }
  75.  
  76. /* Set current url */
  77. $this->url = $_SESSION['url'] = $_SERVER['PHP_SELF'];
  78. }
  79.  
  80. /**
  81. * checkLogin - Checks if the user has already previously
  82. * logged in, and a session with the user has already been
  83. * established. Also checks to see if user has been remembered.
  84. * If so, the database is queried to make sure of the user's
  85. * authenticity. Returns true if the user has logged in.
  86. */
  87. function checkLogin(){
  88. global $database; //The database connection
  89. /* Check if user has been remembered */
  90. if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookid'])){
  91. $this->username = $_SESSION['username'] = $_COOKIE['cookname'];
  92. $this->userid = $_SESSION['userid'] = $_COOKIE['cookid'];
  93. }
  94.  
  95. /* Username and userid have been set and not guest */
  96. if(isset($_SESSION['username']) && isset($_SESSION['userid']) &&
  97. $_SESSION['username'] != GUEST_NAME){
  98. /* Confirm that username and userid are valid */
  99. if($database->confirmUserID($_SESSION['username'], $_SESSION['userid']) != 0){
  100. /* Variables are incorrect, user not logged in */
  101. unset($_SESSION['username']);
  102. unset($_SESSION['userid']);
  103. return false;
  104. }
  105.  
  106. /* User is logged in, set class variables */
  107. $this->userinfo = $database->getUserInfo($_SESSION['username']);
  108. $this->username = $this->userinfo['username'];
  109. $this->userid = $this->userinfo['userid'];
  110. $this->userlevel = $this->userinfo['userlevel'];
  111. return true;
  112. }
  113. /* User not logged in */
  114. else{
  115. return false;
  116. }
  117. }
  118.  
  119. /**
  120. * login - The user has submitted his username and password
  121. * through the login form, this function checks the authenticity
  122. * of that information in the database and creates the session.
  123. * Effectively logging in the user if all goes well.
  124. */
  125. function login($subuser, $subpass, $subremember){
  126. global $database, $form; //The database and form object
  127.  
  128. /* Username error checking */
  129. $field = "user"; //Use field name for username
  130. if(!$subuser || strlen($subuser = trim($subuser)) == 0){
  131. $form->setError($field, "* Username not entered");
  132. }
  133. else{
  134. /* Check if username is not alphanumeric */
  135. if(!eregi("^([0-9a-z])*$", $subuser)){
  136. $form->setError($field, "* Username not alphanumeric");
  137. }
  138. }
  139.  
  140. /* Password error checking */
  141. $field = "pass"; //Use field name for password
  142. if(!$subpass){
  143. $form->setError($field, "* Password not entered");
  144. }
  145.  
  146. /* Return if form errors exist */
  147. if($form->num_errors > 0){
  148. return false;
  149. }
  150.  
  151. /* Checks that username is in database and password is correct */
  152. $subuser = stripslashes($subuser);
  153. $result = $database->confirmUserPass($subuser, md5($subpass));
  154.  
  155. /* Check error codes */
  156. if($result == 1){
  157. $field = "user";
  158. $form->setError($field, "* Username not found");
  159. }
  160. else if($result == 2){
  161. $field = "pass";
  162. $form->setError($field, "* Invalid password");
  163. }
  164.  
  165. /* Return if form errors exist */
  166. if($form->num_errors > 0){
  167. return false;
  168. }
  169.  
  170. /* Username and password correct, register session variables */
  171. $this->userinfo = $database->getUserInfo($subuser);
  172. $this->username = $_SESSION['username'] = $this->userinfo['username'];
  173. $this->userid = $_SESSION['userid'] = $this->generateRandID();
  174. $this->userlevel = $this->userinfo['userlevel'];
  175.  
  176. /* Insert userid into database and update active users table */
  177. $database->updateUserField($this->username, "userid", $this->userid);
  178. $database->addActiveUser($this->username, $this->time);
  179. $database->removeActiveGuest($_SERVER['REMOTE_ADDR']);
  180.  
  181. /**
  182. * This is the cool part: the user has requested that we remember that
  183. * he's logged in, so we set two cookies. One to hold his username,
  184. * and one to hold his random value userid. It expires by the time
  185. * specified in constants.php. Now, next time he comes to our site, we will
  186. * log him in automatically, but only if he didn't log out before he left.
  187. */
  188. if($subremember){
  189. setcookie("cookname", $this->username, time()+COOKIE_EXPIRE, COOKIE_PATH);
  190. setcookie("cookid", $this->userid, time()+COOKIE_EXPIRE, COOKIE_PATH);
  191. }
  192.  
  193. /* Login completed successfully */
  194. return true;
  195. }
  196.  
  197. /**
  198. * logout - Gets called when the user wants to be logged out of the
  199. * website. It deletes any cookies that were stored on the users
  200. * computer as a result of him wanting to be remembered, and also
  201. * unsets session variables and demotes his user level to guest.
  202. */
  203. function logout(){
  204. global $database; //The database connection
  205. /**
  206. * Delete cookies - the time must be in the past,
  207. * so just negate what you added when creating the
  208. * cookie.
  209. */
  210. if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookid'])){
  211. setcookie("cookname", "", time()-COOKIE_EXPIRE, COOKIE_PATH);
  212. setcookie("cookid", "", time()-COOKIE_EXPIRE, COOKIE_PATH);
  213. }
  214.  
  215. /* Unset PHP session variables */
  216. unset($_SESSION['username']);
  217. unset($_SESSION['userid']);
  218.  
  219. /* Reflect fact that user has logged out */
  220. $this->logged_in = false;
  221.  
  222. /**
  223. * Remove from active users table and add to
  224. * active guests tables.
  225. */
  226. $database->removeActiveUser($this->username);
  227. $database->addActiveGuest($_SERVER['REMOTE_ADDR'], $this->time);
  228.  
  229. /* Set user level to guest */
  230. $this->username = GUEST_NAME;
  231. $this->userlevel = GUEST_LEVEL;
  232. }
  233.  
  234. /**
  235. * register - Gets called when the user has just submitted the
  236. * registration form. Determines if there were any errors with
  237. * the entry fields, if so, it records the errors and returns
  238. * 1. If no errors were found, it registers the new user and
  239. * returns 0. Returns 2 if registration failed.
  240. */
  241. function register($subuser, $subpass, $subemail){
  242. global $database, $form, $mailer; //The database, form and mailer object
  243.  
  244. /* Username error checking */
  245. $field = "user"; //Use field name for username
  246. if(!$subuser || strlen($subuser = trim($subuser)) == 0){
  247. $form->setError($field, "* Username not entered");
  248. }
  249. else{
  250. /* Spruce up username, check length */
  251. $subuser = stripslashes($subuser);
  252. if(strlen($subuser) < 5){
  253. $form->setError($field, "* Username below 5 characters");
  254. }
  255. else if(strlen($subuser) > 30){
  256. $form->setError($field, "* Username above 30 characters");
  257. }
  258. /* Check if username is not alphanumeric */
  259. else if(!eregi("^([0-9a-z])+$", $subuser)){
  260. $form->setError($field, "* Username not alphanumeric");
  261. }
  262. /* Check if username is reserved */
  263. else if(strcasecmp($subuser, GUEST_NAME) == 0){
  264. $form->setError($field, "* Username reserved word");
  265. }
  266. /* Check if username is already in use */
  267. else if($database->usernameTaken($subuser)){
  268. $form->setError($field, "* Username already in use");
  269. }
  270. /* Check if username is banned */
  271. else if($database->usernameBanned($subuser)){
  272. $form->setError($field, "* Username banned");
  273. }
  274. }
  275.  
  276. /* Password error checking */
  277. $field = "pass"; //Use field name for password
  278. if(!$subpass){
  279. $form->setError($field, "* Password not entered");
  280. }
  281. else{
  282. /* Spruce up password and check length*/
  283. $subpass = stripslashes($subpass);
  284. if(strlen($subpass) < 4){
  285. $form->setError($field, "* Password too short");
  286. }
  287. /* Check if password is not alphanumeric */
  288. else if(!eregi("^([0-9a-z])+$", ($subpass = trim($subpass)))){
  289. $form->setError($field, "* Password not alphanumeric");
  290. }
  291. /**
  292. * Note: I trimmed the password only after I checked the length
  293. * because if you fill the password field up with spaces
  294. * it looks like a lot more characters than 4, so it looks
  295. * kind of stupid to report "password too short".
  296. */
  297. }
  298.  
  299. /* Email error checking */
  300. $field = "email"; //Use field name for email
  301. if(!$subemail || strlen($subemail = trim($subemail)) == 0){
  302. $form->setError($field, "* Email not entered");
  303. }
  304. else{
  305. /* Check if valid email address */
  306. $regex = "^[_+a-z0-9-]+(\.[_+a-z0-9-]+)*"
  307. ."@[a-z0-9-]+(\.[a-z0-9-]{1,})*"
  308. ."\.([a-z]{2,}){1}$";
  309. if(!eregi($regex,$subemail)){
  310. $form->setError($field, "* Email invalid");
  311. }
  312. $subemail = stripslashes($subemail);
  313. }
  314.  
  315. /* Errors exist, have user correct them */
  316. if($form->num_errors > 0){
  317. return 1; //Errors with form
  318. }
  319. /* No errors, add the new account to the */
  320. else{
  321. if($database->addNewUser($subuser, md5($subpass), $subemail)){
  322. if(EMAIL_WELCOME){
  323. $mailer->sendWelcome($subuser,$subemail,$subpass);
  324. }
  325. return 0; //New user added succesfully
  326. }else{
  327. return 2; //Registration attempt failed
  328. }
  329. }
  330. }
  331.  
  332. /**
  333. * editAccount - Attempts to edit the user's account information
  334. * including the password, which it first makes sure is correct
  335. * if entered, if so and the new password is in the right
  336. * format, the change is made. All other fields are changed
  337. * automatically.
  338. */
  339. function editAccount($subcurpass, $subnewpass, $subemail){
  340. global $database, $form; //The database and form object
  341. /* New password entered */
  342. if($subnewpass){
  343. /* Current Password error checking */
  344. $field = "curpass"; //Use field name for current password
  345. if(!$subcurpass){
  346. $form->setError($field, "* Current Password not entered");
  347. }
  348. else{
  349. /* Check if password too short or is not alphanumeric */
  350. $subcurpass = stripslashes($subcurpass);
  351. if(strlen($subcurpass) < 4 ||
  352. !eregi("^([0-9a-z])+$", ($subcurpass = trim($subcurpass)))){
  353. $form->setError($field, "* Current Password incorrect");
  354. }
  355. /* Password entered is incorrect */
  356. if($database->confirmUserPass($this->username,md5($subcurpass)) != 0){
  357. $form->setError($field, "* Current Password incorrect");
  358. }
  359. }
  360.  
  361. /* New Password error checking */
  362. $field = "newpass"; //Use field name for new password
  363. /* Spruce up password and check length*/
  364. $subpass = stripslashes($subnewpass);
  365. if(strlen($subnewpass) < 6){
  366. $form->setError($field, "* New Password too short (Type i");
  367. }
  368. /* Check if password is not alphanumeric */
  369. else if(!eregi("^([0-9a-z])+$", ($subnewpass = trim($subnewpass)))){
  370. $form->setError($field, "* New Password not alphanumeric");
  371. }
  372. }
  373. /* Change password attempted */
  374. else if($subcurpass){
  375. /* New Password error reporting */
  376. $field = "newpass"; //Use field name for new password
  377. $form->setError($field, "* New Password not entered");
  378. }
  379.  
  380. /* Email error checking */
  381. $field = "email"; //Use field name for email
  382. if($subemail && strlen($subemail = trim($subemail)) > 0){
  383. /* Check if valid email address */
  384. $regex = "^[_+a-z0-9-]+(\.[_+a-z0-9-]+)*"
  385. ."@[a-z0-9-]+(\.[a-z0-9-]{1,})*"
  386. ."\.([a-z]{2,}){1}$";
  387. if(!eregi($regex,$subemail)){
  388. $form->setError($field, "* Email invalid");
  389. }
  390. $subemail = stripslashes($subemail);
  391. }
  392.  
  393. /* Errors exist, have user correct them */
  394. if($form->num_errors > 0){
  395. return false; //Errors with form
  396. }
  397.  
  398. /* Update password since there were no errors */
  399. if($subcurpass && $subnewpass){
  400. $database->updateUserField($this->username,"password",md5($subnewpass));
  401. }
  402.  
  403. /* Change Email */
  404. if($subemail){
  405. $database->updateUserField($this->username,"email",$subemail);
  406. }
  407.  
  408. /* Success! */
  409. return true;
  410. }
  411.  
  412. /**
  413. * isAdmin - Returns true if currently logged in user is
  414. * an administrator, false otherwise.
  415. */
  416. function isAdmin(){
  417. return ($this->userlevel == ADMIN_LEVEL ||
  418. $this->username == ADMIN_NAME);
  419. }
  420.  
  421. /**
  422. * generateRandID - Generates a string made up of randomized
  423. * letters (lower and upper case) and digits and returns
  424. * the md5 hash of it to be used as a userid.
  425. */
  426. function generateRandID(){
  427. return md5($this->generateRandStr(16));
  428. }
  429.  
  430. /**
  431. * generateRandStr - Generates a string made up of randomized
  432. * letters (lower and upper case) and digits, the length
  433. * is a specified parameter.
  434. */
  435. function generateRandStr($length){
  436. $randstr = "";
  437. for($i=0; $i<$length; $i++){
  438. $randnum = mt_rand(0,61);
  439. if($randnum < 10){
  440. $randstr .= chr($randnum+48);
  441. }else if($randnum < 36){
  442. $randstr .= chr($randnum+55);
  443. }else{
  444. $randstr .= chr($randnum+61);
  445. }
  446. }
  447. return $randstr;
  448. }
  449. };
  450.  
  451.  
  452. /**
  453. * Initialize session object - This must be initialized before
  454. * the form object because the form uses session variables,
  455. * which cannot be accessed unless the session has started.
  456. */
  457. $session = new Session;
  458.  
  459. /* Initialize form object */
  460. $form = new Form;
  461.  
  462. ?>