<?php
/**
* Simple Session Solution.
*
* <p>Propagates session ID's via GET and POST strings to ensure access
* to <em>all</em> website users.</p>
*
* <p>Complete usage information is in the initializeSession()
* function.</p>
*
* <p>Simple Session Solution is a trademark of The Analysis and Solutions
* Company.</p>
*
* <pre>
* ======================================================================
* SIMPLE PUBLIC LICENSE VERSION 1.1 2003-01-21
*
* Copyright (c) The Analysis and Solutions Company
* http://www.analysisandsolutions.com/
*
* 1. Permission to use, copy, modify, and distribute this software and
* its documentation, with or without modification, for any purpose and
* without fee or royalty is hereby granted, provided that you include
* the following on ALL copies of the software and documentation or
* portions thereof, including modifications, that you make:
*
* a. The full text of this license in a location viewable to users
* of the redistributed or derivative work.
*
* b. Notice of any changes or modifications to the files,
* including the date changes were made.
*
* 2. The name, servicemarks and trademarks of the copyright holders
* may NOT be used in advertising or publicity pertaining to the
* software without specific, written prior permission.
*
* 3. Title to copyright in this software and any associated
* documentation will at all times remain with copyright holders.
*
* 4. THIS SOFTWARE AND DOCUMENTATION IS PROVIDED "AS IS," AND
* COPYRIGHT HOLDERS MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY
* OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE
* OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS,
* COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
*
* 5. COPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DAMAGES, INCLUDING
* BUT NOT LIMITED TO, DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL,
* ARISING OUT OF ANY USE OF THE SOFTWARE OR DOCUMENTATION.
* ======================================================================
* </pre>
*
* @see initializeSession()
* @package SimpleSessionSolution
* @author Daniel Convissor <hide@address.com>
* @copyright The Analysis and Solutions Company, 2003-2006
* @version $Name: rel-5-5 $ $Id: session-simple.inc,v 1.5 2006/03/18 18:06:08 danielc Exp $
* @link http://www.analysisandsolutions.com/software/session-simple/session-simple.htm
*/
/**
* Propagates session ID's via GET and POST strings to ensure universal
* access.
*
* <p>This system uses GET and POST because cookies are suboptimal: some
* browsers are unable to handle them, various browsers handle them
* differently, and some users have them turned off.</p>
*
* <p>If no session id is presented via GET or POST in the present page
* request, no sessions are started and the session ID won't be put into
* the HTML about to be generated.</p>
*
* <p>If a session ID is submitted and the session is valid, the session ID
* is available for use in the HTML. But, if the session ID isn't valid or
* the session exists but has timed out, the old session data is destroyed
* and a new session is started with a new session ID.</p>
*
* <p>Do note, Simple Session Solution does not manage security. You need to
* create your own access privilege procedures. You then use Simple Session
* Solution to track your access permissions between page hits. So, in the
* case where a session has timed out, Simple Session Solution destroys the
* old session data -- hence the old access permissions and identity -- and
* the user will wind up with a brand new session. So, if the present page
* should only be seen by authorized persons, you would be able to notice the
* current session doesn't have any permission data set, therefore you should
* display an access denied message and exit.</p>
*
* <p>The session ID's can get put into the HTML in two ways: automatically
* via PHP's "transparent sid support" and/or manually via constants defined
* by this procedure.</p>
*
* <p>PHP's transparent session id support places the session name and ID into
* all <em>relative</em> URI's contained in all element/attribute combinations
* specified by this function's <var>$Rewrite</var> parameter.</p>
*
* <p>Transparent sid support requires one of the following settings:
* <br />in <kbd>php.ini</kbd> set <kbd>session.use_trans_sid = 1</kbd> or in
* <br /><kbd>.htaccess</kbd> set <kbd>php_flag session.use_trans_sid on</kbd>
* <br />If using the <kbd>.htaccess</kbd> method, PHP must be running as an
* Apache module.</p>
*
* <p>If transparent sid support is undesirable/unavailable, or if you need
* to inject session ID's into fully qualified (non-relative) URI's, or you
* want XHTML compliant form elements, this script produces the two helpful
* constants: <var>SESSION_URI_QUERY</var> for use in URI query strings and
* <var>SESSION_FORM_HIDDEN</var> for use in forms.</p>
*
* <p>To start a session, submit a bogus session ID via GET or POST. The
* name of the session ID variable is determined by the <var>$Name</var>
* argument supplied to this function, the default is <var>SessionID</var>.
* The value can be whatever you want. So, for example...
* <kbd><a href="shop.php?SessionID=1">Shop</a></kbd>.</p>
*
* <p>To end session tracking, you similarly submit a variable named after
* the <var>$Name</var> parameter, but this variable has "End" tacked on
* to the end of the name. Thus, the default is <var>SessionIDEnd</var>.
* The value can be anything. Again, to demonstrate...
* <kbd><a href="index.php?SessionIDEnd=1">Log Out</a></kbd>.
* Doing this also deletes all server side data associated with the
* session.</p>
*
* <p>These procedures for sensing the start and end of sessions rely on PHP's
* <var>$_REQUEST</var> superglobal. So, on most server configurations,
* you're able to submit the starting/ending calls through either GET or POST.
* If problems arise, check the value of your server's
* <var>variables_order</var> configuration directive.</p>
*
* <p>Session life is managed via <var>$_SESSION['LastTime']</var> for
* several reasons:</p><ul>
* <li>To see if the session id is really from this site.</li>
* <li>PHP's garbage collection is buggy.</li>
* <li>Cookie expiration times are unreliable.</li>
* </ul>
*
* <p>Assumes PHP is at version 4.2.0 or later.</p>
*
* @param integer $Timeout how many seconds a session can remain inactive
* before being considered invalid. Doesn't
* impact cookie lifetimes.
* @param string $Rewrite element/attribute combinations which session
* ID's should be inserted into by PHP's
* transparent session id support. To turn this
* feature off, use an empty string.
* @param string $Name the name given to the session identifier.
* @return void
*
* @package SimpleSessionSolution
* @author Daniel Convissor <hide@address.com>
* @copyright The Analysis and Solutions Company, 2003-2006
* @version $Name: rel-5-5 $
* @link http://www.analysisandsolutions.com/software/session-simple/session-simple.htm
* @link http://php.net/ref.session
* @link http://php.net/language.variables.predefined.php
* @link http://php.net/configuration.directives#ini.variables-order
* @license http://www.analysisandsolutions.com/software/license.htm Simple Public License
*/
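function initializeSession($Timeout = 600,
                           $Rewrite = 'a=href,img=src,area=href,frame=src,input=src',
                           $Name = 'SessionID')
{
    if (empty($_REQUEST[$Name])) {
        // No session identifier was submitted: no session is started and
        // nothing is injected into the HTML about to be generated.
        $SID = '';
    } else {
        // A session id is set somewhere.
        // Force sessions to use HTML based methods (GET/POST propagation).
        // session.use_only_cookies defaults to "1" since PHP 5.3, which
        // makes session_start() ignore ids submitted via GET/POST, so it
        // has to be switched off explicitly for this design to work at all.
        ini_set('session.use_cookies', '0');
        ini_set('session.use_only_cookies', '0');
        // Set time when PHP's garbage collection _should_ kick in.
        ini_set('session.gc_maxlifetime', (string) $Timeout);
        // Which element/attribute combinations should PHP automatically
        // tack session ID's onto. PHP 7.1+ reads the transparent sid tag
        // list from session.trans_sid_tags; url_rewriter.tags is kept for
        // older releases and for output_add_rewrite_var().
        ini_set('url_rewriter.tags', $Rewrite);
        ini_set('session.trans_sid_tags', $Rewrite);
        // Separator placed between arguments in rewritten URIs. The
        // directive used to be misspelled ("arg_seperator"), so this
        // setting silently never took effect.
        ini_set('arg_separator.output', '&');
        session_name($Name);
        session_start();

        if (!empty($_REQUEST["{$Name}End"])) {
            /*
             * Delete session data already loaded for this page,
             * regardless of how prior scripts stored it.
             */
            $_SESSION = array();
            session_unset();
            // Delete session data stored in the back end.
            session_destroy();
            // Stop session id's from propagating into the HTML.
            ini_set('url_rewriter.tags', '');
            ini_set('session.trans_sid_tags', '');
            $SID = '';
        } else {
            // mktime() without arguments is an error on PHP 8; time() is
            // the equivalent everywhere.
            $Time = time();
            // Clients (and the CLI) may send no User-Agent at all; treat
            // that as an empty string rather than raising a notice.
            $Agent = isset($_SERVER['HTTP_USER_AGENT'])
                ? (string) substr($_SERVER['HTTP_USER_AGENT'], 0, 100)
                : '';
            // A session that carries no LastTime/User-Agent marker was not
            // initialized by this function and is treated as bogus, as is
            // one that has sat idle longer than $Timeout or whose
            // User-Agent no longer matches.
            $Stale = empty($_SESSION['LastTime'])
                || $_SESSION['LastTime'] < $Time - $Timeout
                || !isset($_SESSION['HTTP_USER_AGENT'])
                || $_SESSION['HTTP_USER_AGENT'] !== $Agent;

            if ($Stale) {
                // The session is either bogus or expired.
                /*
                 * Delete session data already loaded for this page,
                 * regardless of how prior scripts stored it.
                 */
                $_SESSION = array();
                session_unset();
                // Delete session data stored in the back end.
                session_destroy();
                // Start fresh under a new identifier. Passing true also
                // removes the old session record, so the id that arrived
                // in the request cannot be reused to reach the new session.
                session_start();
                session_regenerate_id(true);
                $_SESSION['HTTP_USER_AGENT'] = $Agent;
            }
            // NOTE: this function only tracks the session; code that grants
            // privileges (e.g. a login) should call session_regenerate_id(true)
            // itself so the pre-login id does not keep working afterwards.
            $_SESSION['LastTime'] = $Time;
            $SID = session_id();
        }
    }

    /**
     * String containing the current session identifier.
     *
     * <p>String is blank if no session exists.</p>
     *
     * <p>Sample value: <code>ccc902a174a4f</code></p>
     */
    define('SESSION_ID', (($SID) ? $SID : ''));

    /**
     * URI query string for the current session.
     *
     * <p>String is blank if no session exists.</p>
     *
     * <p>Used because PHP's <var>SID</var> constant isn't always
     * defined, even though the manual says it should be.</p>
     *
     * <p>Name and id are URL-encoded; for the default name and a normal
     * session id this is an identity transformation.</p>
     *
     * <p>Sample value: <code>?SessionID=ccc902a174a4f</code></p>
     */
    define('SESSION_URI_QUERY',
        (($SID) ? '?' . rawurlencode($Name) . '=' . rawurlencode($SID) : ''));

    /**
     * XHTML compliant hidden form input element that holds the current
     * session ID.
     *
     * <p>String is blank if no session exists.</p>
     *
     * <p>Necessary because the <kbd>form=fakeentry</kbd> setting for
     * <var>url_rewriter.tags</var> doesn't produce XHTML ready output.</p>
     *
     * <p>Both attribute values are HTML-escaped before being emitted.</p>
     *
     * <p>Sample value: <br /><code>
     * <input type="hidden" name="SessionID" value="ccc902a174a4f" />
     * </code></p>
     */
    define('SESSION_FORM_HIDDEN', (($SID)
        ? '<input type="hidden" name="' . htmlspecialchars($Name, ENT_QUOTES)
            . '" value="' . htmlspecialchars($SID, ENT_QUOTES) . '" />'
        : ''));

    /**
     * Integer saying how many seconds a session can remain inactive.
     *
     * <p>The value used is determined by the <var>$Timeout</var> parameter
     * of the <kbd>initializeSession()</kbd> function.</p>
     */
    define('SESSION_TIMEOUT', $Timeout);
}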