<?php

/**
 * Simple Session Solution.
 *
 * <p>Propagates session ID's via GET and POST strings to ensure access
 * to <em>all</em> website users.</p>
 *
 * <p>Complete usage information is in the initializeSession()
 * function.</p>
 *
 * <p>Simple Session Solution is a trademark of The Analysis and Solutions
 * Company.</p>
 *
 * <pre>
 * ======================================================================
 * SIMPLE PUBLIC LICENSE                        VERSION 1.1   2003-01-21
 *
 * Copyright (c) The Analysis and Solutions Company
 * http://www.analysisandsolutions.com/
 *
 * 1.  Permission to use, copy, modify, and distribute this software and
 * its documentation, with or without modification, for any purpose and
 * without fee or royalty is hereby granted, provided that you include
 * the following on ALL copies of the software and documentation or
 * portions thereof, including modifications, that you make:
 *
 *     a.  The full text of this license in a location viewable to users
 *     of the redistributed or derivative work.
 *
 *     b.  Notice of any changes or modifications to the files,
 *     including the date changes were made.
 *
 * 2.  The name, servicemarks and trademarks of the copyright holders
 * may NOT be used in advertising or publicity pertaining to the
 * software without specific, written prior permission.
 *
 * 3.  Title to copyright in this software and any associated
 * documentation will at all times remain with copyright holders.
 *
 * 4.  THIS SOFTWARE AND DOCUMENTATION IS PROVIDED "AS IS," AND
 * COPYRIGHT HOLDERS MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY
 * OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE
 * OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS,
 * COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
 *
 * 5.  COPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DAMAGES, INCLUDING
 * BUT NOT LIMITED TO, DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL,
 * ARISING OUT OF ANY USE OF THE SOFTWARE OR DOCUMENTATION.
 * ======================================================================
 * </pre>
 *
 * @see        initializeSession()
 * @package    SimpleSessionSolution
 * @author     Daniel Convissor <hide@address.com>
 * @copyright  The Analysis and Solutions Company, 2003-2006
 * @version    $Name: rel-5-5 $  $Id: session-simple.inc,v 1.5 2006/03/18 18:06:08 danielc Exp $
 * @link       http://www.analysisandsolutions.com/software/session-simple/session-simple.htm
 */

/**
 * Propagates session ID's via GET and POST strings to ensure universal
 * access.
 *
 * <p>This system uses GET and POST because cookies are suboptimal: some
 * browsers are unable to handle them, browsers that do handle them do so
 * differently, and some users have them turned off.</p>
 *
 * <p>If no session id is presented via GET or POST in the present page
 * request, no sessions are started and the session ID won't be put into
 * the HTML about to be generated.</p>
 *
 * <p>If a session ID is submitted and the session is valid, the session ID
 * is available for use in the HTML.  But, if the session ID isn't valid or
 * the session exists but has timed out, the old session data is destroyed
 * and a new session is started with a new session ID.</p>
 *
 * <p>Do note, Simple Session Solution does not manage security.  You need to
 * create your own access privilege procedures.  You then use Simple Session
 * Solution to track your access permissions between page hits.  So, in the
 * case where a session has timed out, Simple Session Solution destroys the
 * old session data -- hence the old access permissions and identity -- and
 * the user will wind up with a brand new session.  So, if the present page
 * should only be seen by authorized persons, you would be able to notice the
 * current session doesn't have any permission data set, therefore you should
 * display an access denied message and exit.</p>
 *
 * <p>The session ID's can get put into the HTML in two ways: automatically
 * via PHP's "transparent sid support" and/or manually via constants defined
 * by this procedure.</p>
 *
 * <p>PHP's transparent session id support places the session name and ID into
 * all <em>relative</em> URI's contained in all element/attribute combinations
 * specified by this function's <var>$Rewrite</var> parameter.</p>
 *
 * <p>Transparent sid support requires one of the following settings:
 * <br />in <kbd>php.ini</kbd> set <kbd>session.use_trans_sid = 1</kbd> or in
 * <br /><kbd>.htaccess</kbd> set <kbd>php_flag session.use_trans_sid on</kbd>
 * <br />If using the <kbd>.htaccess</kbd> method, PHP must be running as an
 * Apache module.</p>
 *
 * <p>If transparent sid support is undesirable/unavailable, or if you need
 * to inject session ID's into fully qualified (non-relative) URI's, or you
 * want XHTML compliant form elements, this script produces the two helpful
 * constants: <var>SESSION_URI_QUERY</var> for use in URI query strings and
 * <var>SESSION_FORM_HIDDEN</var> for use in forms.</p>
 *
 * <p>To start a session, submit a bogus session ID via GET or POST.  The
 * name of the session ID variable is determined by the <var>$Name</var>
 * argument supplied to this function, the default is <var>SessionID</var>.
 * The value can be whatever you want.  So, for example...
 * <kbd><a href="shop.php?SessionID=1">Shop</a></kbd>.</p>
 *
 * <p>To end session tracking, you similarly submit a variable named after
 * the <var>$Name</var> parameter, but this variable has "End" tacked on
 * to the end of the name.  Thus, the default is <var>SessionIDEnd</var>.
 * The value can be anything.  Again, to demonstrate...
 * <kbd><a href="index.php?SessionIDEnd=1">Log Out</a></kbd>.
 * Doing this also deletes all server side data associated with the
 * session.</p>
 *
 * <p>These procedures for sensing the start and end of sessions rely on PHP's
 * <var>$_REQUEST</var> superglobal.  So, on most server configurations,
 * you're able to submit the starting/ending calls through either GET or POST.
 * If problems arise, check the value of your server's
 * <var>variables_order</var> configuration directive.</p>
 *
 * <p>Session life is managed via <var>$_SESSION['LastTime']</var> for
 * several reasons:</p><ul>
 * <li>To see if the session id is really from this site.</li>
 * <li>PHP's garbage collection is buggy.</li>
 * <li>Cookie expiration times are unreliable.</li>
 * </ul>
 *
 * <p>Assumes PHP is at version 4.2.0 or later.</p>
 *
 * @param   integer  $Timeout  how many seconds a session can remain inactive
 *                               before being considered invalid.  Doesn't
 *                               impact cookie lifetimes.
 * @param   string   $Rewrite  element/attribute combinations which session
 *                               ID's should be inserted into by PHP's
 *                               transparent session id support.  To turn this
 *                               feature off, use an empty string.
 * @param   string   $Name     the name given to the session identifier.
 * @return  void
 *
 * @package    SimpleSessionSolution
 * @author     Daniel Convissor <hide@address.com>
 * @copyright  The Analysis and Solutions Company, 2003-2006
 * @version    $Name: rel-5-5 $
 * @link       http://www.analysisandsolutions.com/software/session-simple/session-simple.htm
 * @link       http://php.net/ref.session
 * @link       http://php.net/language.variables.predefined.php
 * @link       http://php.net/configuration.directives#ini.variables-order
 * @license    http://www.analysisandsolutions.com/software/license.htm Simple Public License
 */
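function initializeSession($Timeout = 600,
        $Rewrite = 'a=href,img=src,area=href,frame=src,input=src',
        $Name = 'SessionID') {

    // Session ID published through the SESSION_* constants below.  It stays
    // blank unless a live session is established in this request.
    $SID = '';

    if (!empty($_REQUEST[$Name])) {
        // A session id is set somewhere.

        // Force sessions to use HTML based methods: never send a cookie, and
        // do read the ID from GET/POST.  PHP >= 5.3 defaults
        // session.use_only_cookies to 1, which would otherwise make
        // session_start() ignore the propagated ID and open a brand new
        // session on every request.
        ini_set('session.use_cookies', 0);
        ini_set('session.use_only_cookies', 0);

        // Set time when PHP's garbage collection _should_ kick in.
        ini_set('session.gc_maxlifetime', $Timeout);

        // Which element/attribute combinations should PHP automatically
        // tack session ID's onto.
        ini_set('url_rewriter.tags', $Rewrite);

        // XHTML compliance.  The directive is spelled "arg_separator";
        // the previous "arg_seperator" name was silently ignored by PHP.
        ini_set('arg_separator.output', '&amp;');

        session_name($Name);
        session_start();

        if (!empty($_REQUEST["{$Name}End"])) {
            /*
             * Delete session data already loaded for this page,
             * regardless of how prior scripts stored it.
             */
            $_SESSION = array();
            session_unset();

            // Delete session data stored in the back end.
            session_destroy();

            // Stop session id's from propagating into the HTML.
            ini_set('url_rewriter.tags', '');

        } else {
            // mktime() without arguments is deprecated; time() is the
            // documented way to get the current Unix timestamp.
            $Time = time();

            // Only the first 100 bytes of the user agent are stored, so the
            // comparison must use the same truncated form.  A missing header
            // on either side compares as an empty string instead of raising
            // an undefined-index notice.
            $Agent = isset($_SERVER['HTTP_USER_AGENT'])
                    ? (string) substr($_SERVER['HTTP_USER_AGENT'], 0, 100)
                    : '';
            $StoredAgent = isset($_SESSION['HTTP_USER_AGENT'])
                    ? (string) $_SESSION['HTTP_USER_AGENT']
                    : '';

            if (empty($_SESSION['LastTime'])
                    || $_SESSION['LastTime'] < $Time - $Timeout
                    || $StoredAgent !== $Agent) {

                // The session is either bogus or expired.

                /*
                 * Delete session data already loaded for this page,
                 * regardless of how prior scripts stored it.
                 */
                $_SESSION = array();
                session_unset();

                // Delete session data stored in the back end.
                session_destroy();

                // Start fresh under a server-generated ID, so that an ID
                // chosen by the client (the bogus "start" value) never
                // becomes the identifier of a live session.
                session_start();
                session_regenerate_id();

                $_SESSION['HTTP_USER_AGENT'] = $Agent;

            }

            $_SESSION['LastTime'] = $Time;

            $SID = session_id();
        }
    }

    // Escaped copies for the two constants that are emitted into HTML.
    // PHP-generated session IDs contain no HTML metacharacters, so this is a
    // no-op for valid sessions and only matters if an unexpected value ever
    // reaches these constants.
    $SafeName = htmlspecialchars($Name, ENT_QUOTES);
    $SafeSID = htmlspecialchars($SID, ENT_QUOTES);

    /**
     * String containing the current session identifier.
     *
     * <p>String is blank if no session exists.</p>
     *
     * <p>Sample value: <code>ccc902a174a4f</code></p>
     */
    define('SESSION_ID', $SID);

    /**
     * URI query string for the current session.
     *
     * <p>String is blank if no session exists.</p>
     *
     * <p>Used because PHP's <var>SID</var> constant isn't always
     * defined, even though the manual says it should be.</p>
     *
     * <p>Sample value: <code>?SessionID=ccc902a174a4f</code></p>
     */
    define('SESSION_URI_QUERY',
            ($SID !== '') ? "?$SafeName=$SafeSID" : '');

    /**
     * XHTML compliant hidden form input element that holds the current
     * session ID.
     *
     * <p>String is blank if no session exists.</p>
     *
     * <p>Necessary because the <kbd>form=fakeentry</kbd> setting for
     * <var>url_rewriter.tags</var> doesn't produce XHTML ready output.</p>
     *
     * <p>Sample value: <br /><code>
     * <input type="hidden" name="SessionID" value="ccc902a174a4f" />
     * </code></p>
     */
    define('SESSION_FORM_HIDDEN',
            ($SID !== '')
            ? '<input type="hidden" name="' . $SafeName
                    . '" value="' . $SafeSID . '" />'
            : '');

    /**
     * Integer saying how many seconds a session can remain inactive.
     *
     * <p>The value used is determined by the <var>$Timeout</var> parameter
     * of the <kbd>initializeSession()</kbd> function.</p>
     */
    define('SESSION_TIMEOUT', $Timeout);
}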