streams/include/session.php

<?php

/**
 * @file include/session.php
 *
 * @brief This file includes session related functions.
 *
 * Session management functions. These provide database storage of PHP
 * session info.
 */

$session_exists = 0;
$session_expire = 180000;


/**
 * @brief Resets the current session.
 *
 * @return void
 */

function nuke_session() {
	new_cookie(0); // 0 means delete on browser exit

	unset($_SESSION['authenticated']);
	unset($_SESSION['account_id']);
	unset($_SESSION['uid']);
	unset($_SESSION['visitor_id']);
	unset($_SESSION['administrator']);
	unset($_SESSION['cid']);
	unset($_SESSION['theme']);
	unset($_SESSION['mobile_theme']);
	unset($_SESSION['show_mobile']);
	unset($_SESSION['page_flags']);
	unset($_SESSION['delegate']);
	unset($_SESSION['delegate_channel']);
	unset($_SESSION['my_url']);
	unset($_SESSION['my_address']);
	unset($_SESSION['addr']);
	unset($_SESSION['return_url']);
	unset($_SESSION['remote_service_class']);
	unset($_SESSION['remote_hub']);
}



function new_cookie($time) {
	$old_sid = session_id();

	// ??? This shouldn't have any effect if called after session_start()
	// We probably need to set the session expiration and change the PHPSESSID cookie.

	session_set_cookie_params($time);
	session_regenerate_id(false);

	q("UPDATE session SET sid = '%s' WHERE sid = '%s'",
			dbesc(session_id()),
			dbesc($old_sid)
	);

	if (x($_COOKIE, 'jsAvailable')) {
		if ($time) {
			$expires = time() + $time;
		} else {
			$expires = 0;
		}
		setcookie('jsAvailable', $_COOKIE['jsAvailable'], $expires);
	}
}


function ref_session_open ($s, $n) {
	return true;
}


function ref_session_read ($id) {
	global $session_exists;
	if(x($id))
		$r = q("SELECT `data` FROM `session` WHERE `sid`= '%s'", dbesc($id));

	if(count($r)) {
		$session_exists = true;
		return $r[0]['data'];
	}

	return '';
}


function ref_session_write ($id, $data) {
	global $session_exists, $session_expire;

	if(! $id || ! $data) {
		return false;
	}

	$expire = time() + $session_expire;
	$default_expire = time() + 300;

	if($session_exists) {
		q("UPDATE `session`
				SET `data` = '%s', `expire` = '%s' WHERE `sid` = '%s'",
				dbesc($data),
				dbesc($expire),
				dbesc($id)
		);
	} else {
		q("INSERT INTO `session` (sid, expire, data) values ('%s', '%s', '%s')",
				//SET `sid` = '%s', `expire` = '%s', `data` = '%s'",
				dbesc($id),
				dbesc($default_expire),
				dbesc($data)
		);
	}

	return true;
}


function ref_session_close() {
	return true;
}


function ref_session_destroy ($id) {
	q("DELETE FROM `session` WHERE `sid` = '%s'", dbesc($id));
	return true;
}


function ref_session_gc($expire) {
	q("DELETE FROM session WHERE expire < %d", dbesc(time()));
	return true;
}

$gc_probability = 50;

ini_set('session.gc_probability', $gc_probability);
ini_set('session.use_only_cookies', 1);
ini_set('session.cookie_httponly', 1);

/*
 * Set our session storage functions.
 */

session_set_save_handler(
		'ref_session_open',
		'ref_session_close',
		'ref_session_read',
		'ref_session_write',
		'ref_session_destroy',
		'ref_session_gc'
);


   // Force cookies to be secure (https only) if this site is SSL enabled. Must be done before session_start().

    if(intval(App::$config['system']['ssl_cookie_protection'])) {
        $arr = session_get_cookie_params();
        session_set_cookie_params(
            ((isset($arr['lifetime']))  ? $arr['lifetime'] : 0),
            ((isset($arr['path']))      ? $arr['path']     : '/'),
            ((isset($arr['domain']))    ? $arr['domain']   : App::get_hostname()),
            ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
            ((isset($arr['httponly']))  ? $arr['httponly'] : true));
    }