Diffstat (limited to 'system/libraries/Session.php')
-rw-r--r-- | system/libraries/Session.php | 43 |
1 files changed, 22 insertions, 21 deletions
diff --git a/system/libraries/Session.php b/system/libraries/Session.php
index 53ff4f5d3..76525dbb8 100644
--- a/system/libraries/Session.php
+++ b/system/libraries/Session.php
@@ -1,4 +1,4 @@
-<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
+<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
 /**
 * CodeIgniter
 *
@@ -37,6 +37,7 @@ class CI_Session {
 var $cookie_prefix = '';
 var $cookie_path = '';
 var $cookie_domain = '';
+ var $cookie_secure = FALSE;
 var $sess_time_to_update = 300;
 var $encryption_key = '';
 var $flashdata_key = 'flash';
@@ -61,7 +62,7 @@ class CI_Session {
 // Set all the session preferences, which can either be set
 // manually via the $params array above or via the config file
- foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_expire_on_close', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)
+ foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_expire_on_close', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'cookie_secure', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)
 {
 $this->$key = (isset($params[$key])) ? $params[$key] : $this->CI->config->item($key);
 }
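Review bot: The new `cookie_secure` property in the second hunk is the one cookie preference that changes a security property, yet it carries no comment and defaults to off, so the session cookie keeps travelling over plain HTTP until a deployer discovers the config key; suggest `var $cookie_secure = FALSE; // TRUE sends the session cookie only over HTTPS; read from config key 'cookie_secure'`. The third hunk then copies the value straight from `$params` or `config->item()` with no coercion, so a missing key (which config->item() reports as FALSE in CodeIgniter, matching the default) or a string value both pass through verbatim to the secure argument of the cookie write at the end of the file. A single `$this->cookie_secure = (bool) $this->cookie_secure;` after the loop would make the intended type explicit without changing behaviour. The constructor continues outside the hunk.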
@@ -80,14 +81,14 @@ class CI_Session {
 $this->CI->load->library('encrypt');
 }
- // Are we using a database? If so, load it
+ // Are we using a database? If so, load it
 if ($this->sess_use_database === TRUE AND $this->sess_table_name != '')
 {
 $this->CI->load->database();
 }
- // Set the "now" time. Can either be GMT or server time, based on the
- // config prefs. We use this to set the "last activity" time
+ // Set the "now" time. Can either be GMT or server time, based on the
+ // config prefs. We use this to set the "last activity" time
 $this->now = $this->_get_time();
 // Set the session length. If the session expiration is
@@ -96,12 +97,12 @@ class CI_Session {
 {
 $this->sess_expiration = (60*60*24*365*2);
 }
-
+
 // Set the cookie name
 $this->sess_cookie_name = $this->cookie_prefix.$this->sess_cookie_name;
 // Run the Session routine. If a session doesn't exist we'll
- // create a new one. If it does, we'll update it.
+ // create a new one. If it does, we'll update it.
 if ( ! $this->sess_read())
 {
 $this->sess_create();
@@ -136,7 +137,7 @@ class CI_Session {
 // Fetch the cookie
 $session = $this->CI->input->cookie($this->sess_cookie_name);
- // No cookie? Goodbye cruel world!...
+ // No cookie? Goodbye cruel world!...
 if ($session === FALSE)
 {
 log_message('debug', 'A session cookie was not found.');
@@ -154,8 +155,8 @@ class CI_Session {
 $hash = substr($session, strlen($session)-32); // get last 32 chars
 $session = substr($session, 0, strlen($session)-32);
- // Does the md5 hash match? This is to prevent manipulation of session data in userspace
- if ($hash !== md5($session.$this->encryption_key))
+ // Does the md5 hash match? This is to prevent manipulation of session data in userspace
+ if ($hash !== md5($session.$this->encryption_key))
 {
 log_message('error', 'The session cookie data did not match what was expected. This could be a possible hacking attempt.');
 $this->sess_destroy();
@@ -188,7 +189,7 @@ class CI_Session {
 }
 // Does the User Agent Match?
- if ($this->sess_match_useragent == TRUE AND trim($session['user_agent']) != trim(substr($this->CI->input->user_agent(), 0, 50)))
+ if ($this->sess_match_useragent == TRUE AND trim($session['user_agent']) != trim(substr($this->CI->input->user_agent(), 0, 120)))
 {
 $this->sess_destroy();
 return FALSE;
@@ -211,14 +212,14 @@ class CI_Session {
 $query = $this->CI->db->get($this->sess_table_name);
- // No result? Kill it!
+ // No result? Kill it!
 if ($query->num_rows() == 0)
 {
 $this->sess_destroy();
 return FALSE;
 }
- // Is there custom data? If so, add it to the main session array
+ // Is there custom data? If so, add it to the main session array
 $row = $query->row();
 if (isset($row->user_data) AND $row->user_data != '')
 {
@@ -251,7 +252,7 @@ class CI_Session {
 */
 function sess_write()
 {
- // Are we saving custom data to the DB? If not, all we do is update the cookie
+ // Are we saving custom data to the DB? If not, all we do is update the cookie
 if ($this->sess_use_database === FALSE)
 {
 $this->_set_cookie();
@@ -271,7 +272,7 @@ class CI_Session {
 $cookie_userdata[$val] = $this->userdata[$val];
 }
- // Did we find any custom data? If not, we turn the empty array into a string
+ // Did we find any custom data? If not, we turn the empty array into a string
 // since there's no reason to serialize and store an empty array in the DB
 if (count($custom_userdata) === 0)
 {
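Review bot: The user-agent truncation length 120 in the first hunk is a bare literal that has to stay in step with the one sess_create() writes in the `@@ -315,7 +316,7 @@` hunk further down; if the two ever drift, every session with sess_match_useragent enabled fails this comparison and is destroyed on its first read. Suggest one shared property, e.g. `var $sess_ua_length = 120;`, used as `substr($this->CI->input->user_agent(), 0, $this->sess_ua_length)` at both sites. The left side of the comparison here is the value the cookie carried, so cookie and create stay consistent, but the ci_sessions.user_agent column the database path stores into must also accept 120 characters: a schema still sized for the old 50-character value truncates silently on non-strict databases, and any later lookup that matches on user_agent (not visible in this hunk) would then miss. sess_read() continues outside the hunk on both sides.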
@@ -287,7 +288,7 @@ class CI_Session {
 $this->CI->db->where('session_id', $this->userdata['session_id']);
 $this->CI->db->update($this->sess_table_name, array('last_activity' => $this->userdata['last_activity'], 'user_data' => $custom_userdata));
- // Write the cookie. Notice that we manually pass the cookie data array to the
+ // Write the cookie. Notice that we manually pass the cookie data array to the
 // _set_cookie() function. Normally that function will store $this->userdata, but
 // in this case that array contains custom data, which we do not want in the cookie.
 $this->_set_cookie($cookie_userdata);
@@ -315,7 +316,7 @@ class CI_Session {
 $this->userdata = array(
 'session_id' => md5(uniqid($sessid, TRUE)),
 'ip_address' => $this->CI->input->ip_address(),
- 'user_agent' => substr($this->CI->input->user_agent(), 0, 50),
+ 'user_agent' => substr($this->CI->input->user_agent(), 0, 120),
 'last_activity' => $this->now
 );
@@ -434,11 +435,11 @@ class CI_Session {
 * Fetch all session data
 *
 * @access public
- * @return mixed
+ * @return array
 */
 function all_userdata()
 {
- return ( ! isset($this->userdata)) ? FALSE : $this->userdata;
+ return $this->userdata;
 }
 // --------------------------------------------------------------------
@@ -534,7 +535,7 @@ class CI_Session {
 */
 function keep_flashdata($key)
 {
- // 'old' flashdata gets removed. Here we mark all
+ // 'old' flashdata gets removed. Here we mark all
 // flashdata as 'new' to preserve it from _flashdata_sweep()
 // Note the function will return FALSE if the $key
 // provided cannot be found
@@ -666,7 +667,7 @@ class CI_Session {
 $expire,
 $this->cookie_path,
 $this->cookie_domain,
- 0
+ $this->cookie_secure
 );
 } |
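Review bot: `@return array` on all_userdata() in the `@@ -434,11 +435,11 @@` hunk now promises an array unconditionally, but the `$this->userdata` it returns is declared and populated outside this hunk (by sess_read()/sess_create() from the constructor, as far as the earlier hunks show); the removed `isset()` guard was what kept a call on a partially constructed object from raising an undefined-property notice, so it is worth confirming the property has a declared array default. The docblock should also say what the array contains, since the sess_create() hunk shows it carrying framework keys alongside custom data: `* @return array session_id, ip_address, user_agent, last_activity plus any user-set keys`. Callers that tested the old FALSE return with `===` will now see an empty array instead, which is a silent behaviour change worth a line in the changelog.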
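Review bot: The cookie write at the end of the last hunk now passes `$this->cookie_secure` in the secure position but still leaves the httponly flag unset, so the session cookie remains readable from client-side script even when confined to HTTPS. If the call is `setcookie()` (its name sits above the hunk), the seventh argument is httponly on PHP 5.2 and later; a `cookie_httponly` preference handled exactly like `cookie_secure` in the constructor and passed after it here would close that gap. The secure argument also deserves a comment because its failure mode is silent: `// secure flag: on a plain-HTTP request the browser discards this cookie and every request starts a new session`. _set_cookie() starts outside the hunk.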