Code Coverage for /data/phpBB/phpbb/session.php

	Code Coverage
	Lines			Functions and Methods				Classes and Traits
Total	61.85% covered (warning)	61.85%	415 / 671	22.73% covered (danger)	22.73%	5 / 22	CRAP	0.00% covered (danger)	0.00%	0 / 1
session	61.85% covered (warning)	61.85%	415 / 671	22.73% covered (danger)	22.73%	5 / 22	4506.29	0.00% covered (danger)	0.00%	0 / 1
extract_current_page	100.00% covered (success)	100.00%	57 / 57	100.00% covered (success)	100.00%	1 / 1	20
extract_current_hostname	94.12% covered (success)	94.12%	16 / 17	0.00% covered (danger)	0.00%	0 / 1	12.03
setup	0.00% covered (danger)	0.00%	0 / 1	0.00% covered (danger)	0.00%	0 / 1	2
session_begin	72.64% covered (warning)	72.64%	77 / 106	0.00% covered (danger)	0.00%	0 / 1	98.17
session_create	81.40% covered (warning)	81.40%	140 / 172	0.00% covered (danger)	0.00%	0 / 1	121.21
session_kill	0.00% covered (danger)	0.00%	0 / 43	0.00% covered (danger)	0.00%	0 / 1	30
session_gc	54.00% covered (warning)	54.00%	27 / 50	0.00% covered (danger)	0.00%	0 / 1	16.88
set_cookie	0.00% covered (danger)	0.00%	0 / 18	0.00% covered (danger)	0.00%	0 / 1	90
check_ban	41.67% covered (danger)	41.67%	15 / 36	0.00% covered (danger)	0.00%	0 / 1	66.81
check_ban_for_current_session	83.33% covered (warning)	83.33%	5 / 6	0.00% covered (danger)	0.00%	0 / 1	4.07
check_dnsbl_spamhaus	0.00% covered (danger)	0.00%	0 / 24	0.00% covered (danger)	0.00%	0 / 1	90
check_dnsbl_ipv4_generic	0.00% covered (danger)	0.00%	0 / 9	0.00% covered (danger)	0.00%	0 / 1	20
check_dnsbl	0.00% covered (danger)	0.00%	0 / 19	0.00% covered (danger)	0.00%	0 / 1	72
set_login_key	87.50% covered (warning)	87.50%	28 / 32	0.00% covered (danger)	0.00%	0 / 1	7.10
reset_login_keys	100.00% covered (success)	100.00%	24 / 24	100.00% covered (success)	100.00%	1 / 1	6
validate_referer	93.33% covered (success)	93.33%	14 / 15	0.00% covered (danger)	0.00%	0 / 1	12.04
unset_admin	100.00% covered (success)	100.00%	4 / 4	100.00% covered (success)	100.00%	1 / 1	1
update_session	0.00% covered (danger)	0.00%	0 / 7	0.00% covered (danger)	0.00%	0 / 1	6
update_session_infos	0.00% covered (danger)	0.00%	0 / 17	0.00% covered (danger)	0.00%	0 / 1	272
id	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	2
update_user_lastvisit	100.00% covered (success)	100.00%	7 / 7	100.00% covered (success)	100.00%	1 / 1	2
update_last_active_time	0.00% covered (danger)	0.00%	0 / 6	0.00% covered (danger)	0.00%	0 / 1	6

1	<?php
2	/**
3	*
4	* This file is part of the phpBB Forum Software package.
5	*
6	* @copyright (c) phpBB Limited <https://www.phpbb.com>
7	* @license GNU General Public License, version 2 (GPL-2.0)
8	*
9	* For full copyright and license information, please see
10	* the docs/CREDITS.txt file.
11	*
12	*/
13
14	namespace phpbb;
15
16	use phpbb\filesystem\helper as filesystem_helper;
17
18	/**
19	* Session class
20	*/
21	class session
22	{
23	public $cookie_data = array();
24	public $page = array();
25	public $data = array();
26	public $browser = '';
27	public $referer = '';
28	public $forwarded_for = '';
29	public $host = '';
30	public $session_id = '';
31	public $ip = '';
32	public $load = 0;
33	public $time_now = 0;
34	public $update_session_page = true;
35
36	/**
37	* Extract current session page
38	*
39	* @param string $root_path current root path (phpbb_root_path)
40	* @return array
41	*/
42	static function extract_current_page($root_path)
43	{
44	global $request, $symfony_request;
45
46	$page_array = array();
47
48	// First of all, get the request uri...
49	$script_name = $request->escape($symfony_request->getScriptName(), true);
50	$args = $request->escape(explode('&', $symfony_request->getQueryString() ?? ''), true);
51
52	// If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
53	if (!$script_name)
54	{
55	$script_name = html_entity_decode($request->server('REQUEST_URI'), ENT_COMPAT);
56	$script_name = (($pos = strpos($script_name, '?')) !== false) ? substr($script_name, 0, $pos) : $script_name;
57	$page_array['failover'] = 1;
58	}
59
60	// Replace backslashes and doubled slashes (could happen on some proxy setups)
61	$script_name = str_replace(array('\\', '//'), '/', $script_name);
62
63	// Now, remove the sid and let us get a clean query string...
64	$use_args = [];
65
66	// Since some browser do not encode correctly we need to do this with some "special" characters...
67	// " -> %22, ' => %27, < -> %3C, > -> %3E
68	$find = ['"', "'", '<', '>', '"', '<', '>'];
69	$replace = ['%22', '%27', '%3C', '%3E', '%22', '%3C', '%3E'];
70
71	foreach ($args as $argument)
72	{
73	if (strpos($argument, 'sid=') === 0)
74	{
75	continue;
76	}
77
78	$use_args[] = (string) str_replace($find, $replace, $argument);
79	}
80	unset($args);
81
82	// The following examples given are for an request uri of {path to the phpbb directory}/adm/index.php?i=10&b=2
83
84	// The current query string
85	$query_string = trim(implode('&', $use_args));
86
87	// basenamed page name (for example: index.php)
88	$page_name = (substr($script_name, -1, 1) == '/') ? '' : basename($script_name);
89	$page_name = urlencode(htmlspecialchars($page_name, ENT_COMPAT));
90
91	$symfony_request_path = filesystem_helper::clean_path($symfony_request->getPathInfo());
92	if ($symfony_request_path !== '/')
93	{
94	$page_name .= str_replace('%2F', '/', urlencode($symfony_request_path));
95	}
96
97	if (substr($root_path, 0, 2) === './' && strpos($root_path, '..') === false)
98	{
99	$root_dirs = explode('/', str_replace('\\', '/', rtrim($root_path, '/')));
100	$page_dirs = explode('/', str_replace('\\', '/', '.'));
101	}
102	else
103	{
104	// current directory within the phpBB root (for example: adm)
105	$root_dirs = explode('/', str_replace('\\', '/', filesystem_helper::realpath($root_path)));
106	$page_dirs = explode('/', str_replace('\\', '/', filesystem_helper::realpath('./')));
107	}
108
109	$intersection = array_intersect_assoc($root_dirs, $page_dirs);
110
111	$root_dirs = array_diff_assoc($root_dirs, $intersection);
112	$page_dirs = array_diff_assoc($page_dirs, $intersection);
113
114	$page_dir = str_repeat('../', count($root_dirs)) . implode('/', $page_dirs);
115
116	if ($page_dir && substr($page_dir, -1, 1) == '/')
117	{
118	$page_dir = substr($page_dir, 0, -1);
119	}
120
121	// Current page from phpBB root (for example: adm/index.php?i=10&b=2)
122	$page = (($page_dir) ? $page_dir . '/' : '') . $page_name;
123	if ($query_string)
124	{
125	$page .= '?' . $query_string;
126	}
127
128	// The script path from the webroot to the current directory (for example: /phpBB3/adm/) : always prefixed with / and ends in /
129	$script_path = $symfony_request->getBasePath();
130
131	// The script path from the webroot to the phpBB root (for example: /phpBB3/)
132	$script_dirs = explode('/', $script_path);
133	array_splice($script_dirs, -count($page_dirs));
134	$root_script_path = implode('/', $script_dirs) . (count($root_dirs) ? '/' . implode('/', $root_dirs) : '');
135
136	// We are on the base level (phpBB root == webroot), lets adjust the variables a bit...
137	if (!$root_script_path)
138	{
139	$root_script_path = ($page_dir) ? str_replace($page_dir, '', $script_path) : $script_path;
140	}
141
142	$script_path .= (substr($script_path, -1, 1) == '/') ? '' : '/';
143	$root_script_path .= (substr($root_script_path, -1, 1) == '/') ? '' : '/';
144
145	$forum_id = $request->variable('f', 0);
146	// maximum forum id value is maximum value of mediumint unsigned column
147	$forum_id = ($forum_id > 0 && $forum_id < 16777215) ? $forum_id : 0;
148
149	$page_array += array(
150	'page_name' => $page_name,
151	'page_dir' => $page_dir,
152
153	'query_string' => $query_string,
154	'script_path' => str_replace(' ', '%20', htmlspecialchars($script_path, ENT_COMPAT)),
155	'root_script_path' => str_replace(' ', '%20', htmlspecialchars($root_script_path, ENT_COMPAT)),
156
157	'page' => $page,
158	'forum' => $forum_id,
159	);
160
161	return $page_array;
162	}
163
164	/**
165	* Get valid hostname/port. HTTP_HOST is used, SERVER_NAME if HTTP_HOST not present.
166	*/
167	function extract_current_hostname()
168	{
169	global $config, $request;
170
171	// Get hostname
172	$host = html_entity_decode($request->header('Host', $request->server('SERVER_NAME')), ENT_COMPAT);
173
174	// Should be a string and lowered
175	$host = (string) strtolower($host);
176
177	// If host is equal the cookie domain or the server name (if config is set), then we assume it is valid
178	if ((isset($config['cookie_domain']) && $host === $config['cookie_domain']) \|\| (isset($config['server_name']) && $host === $config['server_name']))
179	{
180	return $host;
181	}
182
183	// Is the host actually a IP? If so, we use the IP... (IPv4)
184	if (long2ip(ip2long($host)) === $host)
185	{
186	return $host;
187	}
188
189	// Now return the hostname (this also removes any port definition). The http:// is prepended to construct a valid URL, hosts never have a scheme assigned
190	$host = @parse_url('http://' . $host);
191	$host = (!empty($host['host'])) ? $host['host'] : '';
192
193	// Remove any portions not removed by parse_url (#)
194	$host = str_replace('#', '', $host);
195
196	// If, by any means, the host is now empty, we will use a "best approach" way to guess one
197	if (empty($host))
198	{
199	if (!empty($config['server_name']))
200	{
201	$host = $config['server_name'];
202	}
203	else if (!empty($config['cookie_domain']))
204	{
205	$host = (strpos($config['cookie_domain'], '.') === 0) ? substr($config['cookie_domain'], 1) : $config['cookie_domain'];
206	}
207	else
208	{
209	// Set to OS hostname or localhost
210	$host = (function_exists('php_uname')) ? php_uname('n') : 'localhost';
211	}
212	}
213
214	// It may be still no valid host, but for sure only a hostname (we may further expand on the cookie domain... if set)
215	return $host;
216	}
217
218	/**
219	* Setup basic user-specific items (style, language, ...)
220	*
221	* @param array\|string\|false $lang_set Lang set(s) to include, false if none shall be included
222	* @param int\|false $style_id Style ID to load, false to load default style
223	*
224	* @throws \RuntimeException When called on session and not user instance
225	*
226	* @return void
227	*/
228	public function setup($lang_set = false, $style_id = false)
229	{
230	throw new \RuntimeException('Calling setup on session class is not supported.');
231	}
232
233	/**
234	* Start session management
235	*
236	* This is where all session activity begins. We gather various pieces of
237	* information from the client and server. We test to see if a session already
238	* exists. If it does, fine and dandy. If it doesn't we'll go on to create a
239	* new one ... pretty logical heh? We also examine the system load (if we're
240	* running on a system which makes such information readily available) and
241	* halt if it's above an admin definable limit.
242	*
243	* @param bool $update_session_page if true the session page gets updated.
244	* This can be set to circumvent certain scripts to update the users last visited page.
245	*/
246	function session_begin($update_session_page = true)
247	{
248	global $phpEx, $SID, $_SID, $_EXTRA_URL, $db, $config, $phpbb_root_path;
249	global $request, $phpbb_container, $user, $phpbb_log, $phpbb_dispatcher;
250
251	// Give us some basic information
252	$this->time_now = time();
253	$this->cookie_data = array('u' => 0, 'k' => '');
254	$this->update_session_page = $update_session_page;
255	$this->browser = $request->header('User-Agent');
256	$this->referer = $request->header('Referer');
257	$this->forwarded_for = $request->header('X-Forwarded-For');
258
259	$this->host = $this->extract_current_hostname();
260	$this->page = $this->extract_current_page($phpbb_root_path);
261
262	// if the forwarded for header shall be checked we have to validate its contents
263	if ($config['forwarded_for_check'])
264	{
265	$this->forwarded_for = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $this->forwarded_for));
266
267	// split the list of IPs
268	$ips = explode(' ', $this->forwarded_for);
269	foreach ($ips as $ip)
270	{
271	if (!filter_var($ip, FILTER_VALIDATE_IP))
272	{
273	// contains invalid data, don't use the forwarded for header
274	$this->forwarded_for = '';
275	break;
276	}
277	}
278	}
279	else
280	{
281	$this->forwarded_for = '';
282	}
283
284	if ($request->is_set($config['cookie_name'] . '_sid', \phpbb\request\request_interface::COOKIE) \|\| $request->is_set($config['cookie_name'] . '_u', \phpbb\request\request_interface::COOKIE))
285	{
286	$this->cookie_data['u'] = $request->variable($config['cookie_name'] . '_u', 0, false, \phpbb\request\request_interface::COOKIE);
287	$this->cookie_data['k'] = $request->variable($config['cookie_name'] . '_k', '', false, \phpbb\request\request_interface::COOKIE);
288	$this->session_id = $request->variable($config['cookie_name'] . '_sid', '', false, \phpbb\request\request_interface::COOKIE);
289
290	$SID = '?sid=';
291	$_SID = '';
292
293	if (empty($this->session_id) && $phpbb_container->getParameter('session.force_sid'))
294	{
295	$this->session_id = $_SID = $request->variable('sid', '');
296	$SID = '?sid=' . $this->session_id;
297	$this->cookie_data = array('u' => 0, 'k' => '');
298	}
299	}
300	else
301	{
302	$this->session_id = $_SID = $phpbb_container->getParameter('session.force_sid') ? $request->variable('sid', '') : '';
303	$SID = '?sid=' . $this->session_id;
304	}
305
306	$_EXTRA_URL = array();
307
308	// Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
309	// it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.
310	$ip = html_entity_decode($request->server('REMOTE_ADDR'), ENT_COMPAT);
311	$ip = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $ip));
312
313	/**
314	* Event to alter user IP address
315	*
316	* @event core.session_ip_after
317	* @var string ip REMOTE_ADDR
318	* @since 3.1.10-RC1
319	*/
320	$vars = array('ip');
321	extract($phpbb_dispatcher->trigger_event('core.session_ip_after', compact($vars)));
322
323	// split the list of IPs
324	$ips = explode(' ', trim($ip));
325
326	// Default IP if REMOTE_ADDR is invalid
327	$this->ip = '127.0.0.1';
328
329	foreach ($ips as $ip)
330	{
331	// Normalise IP address
332	$ip = phpbb_ip_normalise($ip);
333
334	if ($ip === false)
335	{
336	// IP address is invalid.
337	break;
338	}
339
340	// IP address is valid.
341	$this->ip = $ip;
342	}
343
344	$this->load = false;
345
346	// Load limit check (if applicable)
347	if ($config['limit_load'] \|\| $config['limit_search_load'])
348	{
349	if ((function_exists('sys_getloadavg') && $load = sys_getloadavg()) \|\| ($load = explode(' ', @file_get_contents('/proc/loadavg'))))
350	{
351	$this->load = array_slice($load, 0, 1);
352	$this->load = floatval($this->load[0]);
353	}
354	else
355	{
356	$config->set('limit_load', '0');
357	$config->set('limit_search_load', '0');
358	}
359	}
360
361	// if session id is set
362	if (!empty($this->session_id))
363	{
364	$sql = 'SELECT u., s.
365	FROM ' . SESSIONS_TABLE . ' s, ' . USERS_TABLE . " u
366	WHERE s.session_id = '" . $db->sql_escape($this->session_id) . "'
367	AND u.user_id = s.session_user_id";
368	$result = $db->sql_query($sql);
369	$this->data = $db->sql_fetchrow($result);
370	$db->sql_freeresult($result);
371
372	// Did the session exist in the DB?
373	if (isset($this->data['user_id']))
374	{
375	// Validate IP length according to admin ... enforces an IP
376	// check on bots if admin requires this
377	// $quadcheck = ($config['ip_check_bot'] && $this->data['user_type'] & USER_BOT) ? 4 : $config['ip_check'];
378
379	if (strpos($this->ip, ':') !== false && strpos($this->data['session_ip'], ':') !== false)
380	{
381	$s_ip = short_ipv6($this->data['session_ip'], $config['ip_check']);
382	$u_ip = short_ipv6($this->ip, $config['ip_check']);
383	}
384	else
385	{
386	$s_ip = implode('.', array_slice(explode('.', $this->data['session_ip']), 0, $config['ip_check']));
387	$u_ip = implode('.', array_slice(explode('.', $this->ip), 0, $config['ip_check']));
388	}
389
390	$s_browser = ($config['browser_check']) ? trim(strtolower(substr($this->data['session_browser'], 0, 149))) : '';
391	$u_browser = ($config['browser_check']) ? trim(strtolower(substr($this->browser, 0, 149))) : '';
392
393	$s_forwarded_for = ($config['forwarded_for_check']) ? substr($this->data['session_forwarded_for'], 0, 254) : '';
394	$u_forwarded_for = ($config['forwarded_for_check']) ? substr($this->forwarded_for, 0, 254) : '';
395
396	// referer checks
397	// The @ before $config['referer_validation'] suppresses notices present while running the updater
398	$check_referer_path = (@$config['referer_validation'] == REFERER_VALIDATE_PATH);
399	$referer_valid = true;
400
401	// we assume HEAD and TRACE to be foul play and thus only whitelist GET
402	if (@$config['referer_validation'] && strtolower($request->server('REQUEST_METHOD')) !== 'get')
403	{
404	$referer_valid = $this->validate_referer($check_referer_path);
405	}
406
407	if ($u_ip === $s_ip && $s_browser === $u_browser && $s_forwarded_for === $u_forwarded_for && $referer_valid)
408	{
409	$session_expired = false;
410
411	// Check whether the session is still valid if we have one
412	/* @var $provider_collection \phpbb\auth\provider_collection */
413	$provider_collection = $phpbb_container->get('auth.provider_collection');
414	$provider = $provider_collection->get_provider();
415
416	if (!($provider instanceof \phpbb\auth\provider\provider_interface))
417	{
418	throw new \RuntimeException($provider . ' must implement \phpbb\auth\provider\provider_interface');
419	}
420
421	$ret = $provider->validate_session($this->data);
422	if ($ret !== null && !$ret)
423	{
424	$session_expired = true;
425	}
426
427	if (!$session_expired)
428	{
429	// Check the session length timeframe if autologin is not enabled.
430	// Else check the autologin length... and also removing those having autologin enabled but no longer allowed board-wide.
431	if (!$this->data['session_autologin'])
432	{
433	if ($this->data['session_time'] < $this->time_now - ((int) $config['session_length'] + 60))
434	{
435	$session_expired = true;
436	}
437	}
438	else if (!$config['allow_autologin'] \|\| ($config['max_autologin_time'] && $this->data['session_time'] < $this->time_now - (86400 * (int) $config['max_autologin_time']) + 60))
439	{
440	$session_expired = true;
441	}
442	}
443
444	if (!$session_expired)
445	{
446	$this->data['is_registered'] = ($this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL \|\| $this->data['user_type'] == USER_FOUNDER)) ? true : false;
447	$this->data['is_bot'] = (!$this->data['is_registered'] && $this->data['user_id'] != ANONYMOUS) ? true : false;
448	$this->data['user_lang'] = basename($this->data['user_lang']);
449
450	// Is user banned? Are they excluded? Won't return on ban, exists within method
451	$this->check_ban_for_current_session($config);
452
453	// Update user last active time accordingly, but in a minute or so
454	if ((int) $this->data['session_time'] - (int) $this->data['user_last_active'] > 60)
455	{
456	$this->update_last_active_time();
457	}
458
459	return true;
460	}
461	}
462	else
463	{
464	// Added logging temporarily to help debug bugs...
465	if ($phpbb_container->getParameter('session.log_errors') && $this->data['user_id'] != ANONYMOUS)
466	{
467	if ($referer_valid)
468	{
469	$phpbb_log->add('critical', $user->data['user_id'], $user->ip, 'LOG_IP_BROWSER_FORWARDED_CHECK', false, array(
470	$u_ip,
471	$s_ip,
472	$u_browser,
473	$s_browser,
474	htmlspecialchars($u_forwarded_for, ENT_COMPAT),
475	htmlspecialchars($s_forwarded_for, ENT_COMPAT)
476	));
477	}
478	else
479	{
480	$phpbb_log->add('critical', $user->data['user_id'], $user->ip, 'LOG_REFERER_INVALID', false, array($this->referer));
481	}
482	}
483	}
484	}
485	}
486
487	// If we reach here then no (valid) session exists. So we'll create a new one
488	return $this->session_create();
489	}
490
491	/**
492	* Create a new session
493	*
494	* If upon trying to start a session we discover there is nothing existing we
495	* jump here. Additionally this method is called directly during login to regenerate
496	* the session for the specific user. In this method we carry out a number of tasks;
497	* garbage collection, (search)bot checking, banned user comparison. Basically
498	* though this method will result in a new session for a specific user.
499	*/
500	function session_create($user_id = false, $set_admin = false, $persist_login = false, $viewonline = true)
501	{
502	global $SID, $_SID, $db, $config, $cache, $phpbb_container, $phpbb_dispatcher;
503
504	$this->data = array();
505
506	/* Garbage collection ... remove old sessions updating user information
507	// if necessary. It means (potentially) 11 queries but only infrequently
508	if ($this->time_now > $config['session_last_gc'] + $config['session_gc'])
509	{
510	$this->session_gc();
511	}*/
512
513	// Do we allow autologin on this board? No? Then override anything
514	// that may be requested here
515	if (!$config['allow_autologin'])
516	{
517	$this->cookie_data['k'] = $persist_login = false;
518	}
519
520	/**
521	* Here we do a bot check, oh er saucy! No, not that kind of bot
522	* check. We loop through the list of bots defined by the admin and
523	* see if we have any useragent and/or IP matches. If we do, this is a
524	* bot, act accordingly
525	*/
526	$bot = false;
527	$active_bots = $cache->obtain_bots();
528
529	foreach ($active_bots as $row)
530	{
531	if ($row['bot_agent'] && preg_match('#' . str_replace('\', '.?', preg_quote($row['bot_agent'], '#')) . '#i', $this->browser))
532	{
533	$bot = (int) $row['user_id'];
534	}
535
536	// If ip is supplied, we will make sure the ip is matching too...
537	if ($row['bot_ip'] && ($bot \|\| !$row['bot_agent']))
538	{
539	// Set bot to false, then we only have to set it to true if it is matching
540	$bot = false;
541
542	foreach (explode(',', $row['bot_ip']) as $bot_ip)
543	{
544	$bot_ip = trim($bot_ip);
545
546	if (!$bot_ip)
547	{
548	continue;
549	}
550
551	if (strpos($this->ip, $bot_ip) === 0)
552	{
553	$bot = (int) $row['user_id'];
554	break;
555	}
556	}
557	}
558
559	if ($bot)
560	{
561	break;
562	}
563	}
564
565	/* @var $provider_collection \phpbb\auth\provider_collection */
566	$provider_collection = $phpbb_container->get('auth.provider_collection');
567	$provider = $provider_collection->get_provider();
568	$this->data = $provider->autologin();
569
570	if ($user_id !== false && isset($this->data['user_id']) && $this->data['user_id'] != $user_id)
571	{
572	$this->data = array();
573	}
574
575	if (isset($this->data['user_id']))
576	{
577	$this->cookie_data['k'] = '';
578	$this->cookie_data['u'] = $this->data['user_id'];
579	}
580
581	// If we're presented with an autologin key we'll join against it.
582	// Else if we've been passed a user_id we'll grab data based on that
583	if (isset($this->cookie_data['k']) && $this->cookie_data['k'] && $this->cookie_data['u'] && empty($this->data))
584	{
585	$sql = 'SELECT u.*
586	FROM ' . USERS_TABLE . ' u, ' . SESSIONS_KEYS_TABLE . ' k
587	WHERE u.user_id = ' . (int) $this->cookie_data['u'] . '
588	AND u.user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ")
589	AND k.user_id = u.user_id
590	AND k.key_id = '" . $db->sql_escape(md5($this->cookie_data['k'])) . "'";
591	$result = $db->sql_query($sql);
592	$user_data = $db->sql_fetchrow($result);
593
594	if ($user_id === false \|\| (isset($user_data['user_id']) && $user_id == $user_data['user_id']))
595	{
596	$this->data = $user_data;
597	$bot = false;
598	}
599
600	$db->sql_freeresult($result);
601	}
602
603	if ($user_id !== false && empty($this->data))
604	{
605	$this->cookie_data['k'] = '';
606	$this->cookie_data['u'] = $user_id;
607
608	$sql = 'SELECT *
609	FROM ' . USERS_TABLE . '
610	WHERE user_id = ' . (int) $this->cookie_data['u'] . '
611	AND user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ')';
612	$result = $db->sql_query($sql);
613	$this->data = $db->sql_fetchrow($result);
614	$db->sql_freeresult($result);
615	$bot = false;
616	}
617
618	// Bot user, if they have a SID in the Request URI we need to get rid of it
619	// otherwise they'll index this page with the SID, duplicate content oh my!
620	if ($bot && isset($_GET['sid']))
621	{
622	send_status_line(301, 'Moved Permanently');
623	redirect(build_url(array('sid')));
624	}
625
626	// If no data was returned one or more of the following occurred:
627	// Key didn't match one in the DB
628	// User does not exist
629	// User is inactive
630	// User is bot
631	if (!is_array($this->data) \|\| !count($this->data))
632	{
633	$this->cookie_data['k'] = '';
634	$this->cookie_data['u'] = ($bot) ? $bot : ANONYMOUS;
635
636	if (!$bot)
637	{
638	$sql = 'SELECT *
639	FROM ' . USERS_TABLE . '
640	WHERE user_id = ' . (int) $this->cookie_data['u'];
641	}
642	else
643	{
644	// We give bots always the same session if it is not yet expired.
645	$sql = 'SELECT u., s.
646	FROM ' . USERS_TABLE . ' u
647	LEFT JOIN ' . SESSIONS_TABLE . ' s ON (s.session_user_id = u.user_id)
648	WHERE u.user_id = ' . (int) $bot;
649	}
650
651	$result = $db->sql_query($sql);
652	$this->data = $db->sql_fetchrow($result);
653	$db->sql_freeresult($result);
654	}
655
656	if ($this->data['user_id'] != ANONYMOUS && !$bot)
657	{
658	$this->data['session_last_visit'] = (isset($this->data['session_time']) && $this->data['session_time']) ? $this->data['session_time'] : (($this->data['user_lastvisit']) ? $this->data['user_lastvisit'] : time());
659	}
660	else
661	{
662	$this->data['session_last_visit'] = $this->time_now;
663	}
664
665	// Force user id to be integer...
666	$this->data['user_id'] = (int) $this->data['user_id'];
667
668	// At this stage we should have a filled data array, defined cookie u and k data.
669	// data array should contain recent session info if we're a real user and a recent
670	// session exists in which case session_id will also be set
671
672	// Is user banned? Are they excluded? Won't return on ban, exists within method
673	$this->check_ban_for_current_session($config);
674
675	$this->data['is_registered'] = (!$bot && $this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL \|\| $this->data['user_type'] == USER_FOUNDER)) ? true : false;
676	$this->data['is_bot'] = ($bot) ? true : false;
677
678	// If our friend is a bot, we re-assign a previously assigned session
679	if ($this->data['is_bot'] && $bot == $this->data['user_id'] && $this->data['session_id'])
680	{
681	// Only assign the current session if the ip, browser and forwarded_for match...
682	if (strpos($this->ip, ':') !== false && strpos($this->data['session_ip'], ':') !== false)
683	{
684	$s_ip = short_ipv6($this->data['session_ip'], $config['ip_check']);
685	$u_ip = short_ipv6($this->ip, $config['ip_check']);
686	}
687	else
688	{
689	$s_ip = implode('.', array_slice(explode('.', $this->data['session_ip']), 0, $config['ip_check']));
690	$u_ip = implode('.', array_slice(explode('.', $this->ip), 0, $config['ip_check']));
691	}
692
693	$s_browser = ($config['browser_check']) ? trim(strtolower(substr($this->data['session_browser'], 0, 149))) : '';
694	$u_browser = ($config['browser_check']) ? trim(strtolower(substr($this->browser, 0, 149))) : '';
695
696	$s_forwarded_for = ($config['forwarded_for_check']) ? substr($this->data['session_forwarded_for'], 0, 254) : '';
697	$u_forwarded_for = ($config['forwarded_for_check']) ? substr($this->forwarded_for, 0, 254) : '';
698
699	if ($u_ip === $s_ip && $s_browser === $u_browser && $s_forwarded_for === $u_forwarded_for)
700	{
701	$this->session_id = $this->data['session_id'];
702
703	// Only update session DB a minute or so after last update or if page changes
704	if ($this->time_now - $this->data['session_time'] > 60 \|\| ($this->update_session_page && $this->data['session_page'] != $this->page['page']))
705	{
706	// Update the last visit time
707	$this->update_user_lastvisit();
708	}
709
710	$SID = '?sid=';
711	$_SID = '';
712	return true;
713	}
714	else
715	{
716	// If the ip and browser does not match make sure we only have one bot assigned to one session
717	$db->sql_query('DELETE FROM ' . SESSIONS_TABLE . ' WHERE session_user_id = ' . $this->data['user_id']);
718	}
719	}
720
721	$session_autologin = (($this->cookie_data['k'] \|\| $persist_login) && $this->data['is_registered']) ? true : false;
722	$set_admin = ($set_admin && $this->data['is_registered']) ? true : false;
723
724	// Create or update the session
725	$sql_ary = array(
726	'session_user_id' => (int) $this->data['user_id'],
727	'session_start' => (int) $this->time_now,
728	'session_last_visit' => (int) $this->data['session_last_visit'],
729	'session_time' => (int) $this->time_now,
730	'session_browser' => (string) trim(substr($this->browser, 0, 149)),
731	'session_forwarded_for' => (string) $this->forwarded_for,
732	'session_ip' => (string) $this->ip,
733	'session_autologin' => ($session_autologin) ? 1 : 0,
734	'session_admin' => ($set_admin) ? 1 : 0,
735	'session_viewonline' => ($viewonline) ? 1 : 0,
736	);
737
738	if ($this->update_session_page)
739	{
740	$sql_ary['session_page'] = (string) substr($this->page['page'], 0, 199);
741	$sql_ary['session_forum_id'] = $this->page['forum'];
742	}
743
744	$db->sql_return_on_error(true);
745
746	$sql = 'DELETE
747	FROM ' . SESSIONS_TABLE . '
748	WHERE session_id = \'' . $db->sql_escape($this->session_id) . '\'
749	AND session_user_id = ' . ANONYMOUS;
750
751	if (!defined('IN_ERROR_HANDLER') && (!$this->session_id \|\| !$db->sql_query($sql) \|\| !$db->sql_affectedrows()))
752	{
753	// Limit new sessions in 1 minute period (if required)
754	if (empty($this->data['session_time']) && $config['active_sessions'])
755	{
756	// $db->sql_return_on_error(false);
757
758	$sql = 'SELECT COUNT(session_id) AS sessions
759	FROM ' . SESSIONS_TABLE . '
760	WHERE session_time >= ' . ($this->time_now - 60);
761	$result = $db->sql_query($sql);
762	$row = $db->sql_fetchrow($result);
763	$db->sql_freeresult($result);
764
765	if ((int) $row['sessions'] > (int) $config['active_sessions'])
766	{
767	send_status_line(503, 'Service Unavailable');
768	trigger_error('BOARD_UNAVAILABLE');
769	}
770	}
771	}
772
773	// Since we re-create the session id here, the inserted row must be unique. Therefore, we display potential errors.
774	// Commented out because it will not allow forums to update correctly
775	// $db->sql_return_on_error(false);
776
777	// Something quite important: session_page always holds the last page visited, except for the first visit.
778	// We are not able to simply have an empty session_page btw, therefore we need to tell phpBB how to detect this special case.
779	// If the session id is empty, we have a completely new one and will set an "identifier" here. This identifier is able to be checked later.
780	if (empty($this->data['session_id']))
781	{
782	// This is a temporary variable, only set for the very first visit
783	$this->data['session_created'] = true;
784	}
785
786	$this->session_id = $this->data['session_id'] = md5(unique_id());
787
788	$sql_ary['session_id'] = (string) $this->session_id;
789	$sql_ary['session_page'] = (string) substr($this->page['page'], 0, 199);
790	$sql_ary['session_forum_id'] = $this->page['forum'];
791
792	$sql = 'INSERT INTO ' . SESSIONS_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_ary);
793	$db->sql_query($sql);
794
795	$db->sql_return_on_error(false);
796
797	// Regenerate autologin/persistent login key
798	if ($session_autologin)
799	{
800	$this->set_login_key();
801	}
802
803	// refresh data
804	if ($phpbb_container->getParameter('session.force_sid'))
805	{
806	$SID = '?sid=' . $this->session_id;
807	$_SID = $this->session_id;
808	}
809	$this->data = array_merge($this->data, $sql_ary);
810
811	if (!$bot)
812	{
813	$cookie_expire = $this->time_now + (($config['max_autologin_time']) ? 86400 * (int) $config['max_autologin_time'] : 31536000);
814
815	$this->set_cookie('u', $this->cookie_data['u'], $cookie_expire);
816	$this->set_cookie('k', $this->cookie_data['k'], $cookie_expire);
817	$this->set_cookie('sid', $this->session_id, $cookie_expire);
818
819	unset($cookie_expire);
820
821	$sql = 'SELECT COUNT(session_id) AS sessions
822	FROM ' . SESSIONS_TABLE . '
823	WHERE session_user_id = ' . (int) $this->data['user_id'] . '
824	AND session_time >= ' . (int) ($this->time_now - (max((int) $config['session_length'], (int) $config['form_token_lifetime'])));
825	$result = $db->sql_query($sql);
826	$row = $db->sql_fetchrow($result);
827	$db->sql_freeresult($result);
828
829	if ((int) $row['sessions'] <= 1 \|\| empty($this->data['user_form_salt']))
830	{
831	$this->data['user_form_salt'] = unique_id();
832	// Update the form key
833	$sql = 'UPDATE ' . USERS_TABLE . '
834	SET user_form_salt = \'' . $db->sql_escape($this->data['user_form_salt']) . '\',
835	user_last_active = ' . (int) $this->data['session_time'] . '
836	WHERE user_id = ' . (int) $this->data['user_id'];
837	$db->sql_query($sql);
838	}
839	else
840	{
841	$this->update_last_active_time();
842	}
843	}
844	else
845	{
846	$this->data['session_time'] = $this->data['session_last_visit'] = $this->time_now;
847
848	$this->update_user_lastvisit();
849
850	if ($phpbb_container->getParameter('session.force_sid'))
851	{
852	$SID = '?sid=';
853	$_SID = '';
854	}
855	}
856
857	$session_data = $sql_ary;
858	/**
859	* Event to send new session data to extension
860	* Read-only event
861	*
862	* @event core.session_create_after
863	* @var array session_data Associative array of session keys to be updated
864	* @since 3.1.6-RC1
865	*/
866	$vars = array('session_data');
867	extract($phpbb_dispatcher->trigger_event('core.session_create_after', compact($vars)));
868	unset($session_data);
869
870	return true;
871	}
872
873	/**
874	* Kills a session
875	*
876	* This method does what it says on the tin. It will delete a pre-existing session.
877	* It resets cookie information (destroying any autologin key within that cookie data)
878	* and update the users information from the relevant session data. It will then
879	* grab guest user information.
880	*/
881	function session_kill($new_session = true)
882	{
883	global $SID, $_SID, $db, $phpbb_container, $phpbb_dispatcher;
884
885	$sql = 'DELETE FROM ' . SESSIONS_TABLE . "
886	WHERE session_id = '" . $db->sql_escape($this->session_id) . "'
887	AND session_user_id = " . (int) $this->data['user_id'];
888	$db->sql_query($sql);
889
890	$user_id = (int) $this->data['user_id'];
891	$session_id = $this->session_id;
892	/**
893	* Event to send session kill information to extension
894	* Read-only event
895	*
896	* @event core.session_kill_after
897	* @var int user_id user_id of the session user.
898	* @var string session_id current user's session_id
899	* @var bool new_session should we create new session for user
900	* @since 3.1.6-RC1
901	*/
902	$vars = array('user_id', 'session_id', 'new_session');
903	extract($phpbb_dispatcher->trigger_event('core.session_kill_after', compact($vars)));
904	unset($user_id);
905	unset($session_id);
906
907	// Allow connecting logout with external auth method logout
908	/* @var $provider_collection \phpbb\auth\provider_collection */
909	$provider_collection = $phpbb_container->get('auth.provider_collection');
910	$provider = $provider_collection->get_provider();
911	$provider->logout($this->data, $new_session);
912
913	if ($this->data['user_id'] != ANONYMOUS)
914	{
915	// Delete existing session, update last visit info first!
916	if (!isset($this->data['session_time']))
917	{
918	$this->data['session_time'] = time();
919	}
920
921	$sql = 'UPDATE ' . USERS_TABLE . '
922	SET user_lastvisit = ' . (int) $this->data['session_time'] . '
923	WHERE user_id = ' . (int) $this->data['user_id'];
924	$db->sql_query($sql);
925
926	if ($this->cookie_data['k'])
927	{
928	$sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
929	WHERE user_id = ' . (int) $this->data['user_id'] . "
930	AND key_id = '" . $db->sql_escape(md5($this->cookie_data['k'])) . "'";
931	$db->sql_query($sql);
932	}
933
934	// Reset the data array
935	$this->data = array();
936
937	$sql = 'SELECT *
938	FROM ' . USERS_TABLE . '
939	WHERE user_id = ' . ANONYMOUS;
940	$result = $db->sql_query($sql);
941	$this->data = $db->sql_fetchrow($result);
942	$db->sql_freeresult($result);
943	}
944
945	$cookie_expire = $this->time_now - 31536000;
946	$this->set_cookie('u', '', $cookie_expire);
947	$this->set_cookie('k', '', $cookie_expire);
948	$this->set_cookie('sid', '', $cookie_expire);
949	unset($cookie_expire);
950
951	$SID = '?sid=';
952	$this->session_id = $_SID = '';
953
954	// To make sure a valid session is created we create one for the anonymous user
955	if ($new_session)
956	{
957	$this->session_create(ANONYMOUS);
958	}
959
960	return true;
961	}
962
963	/**
964	* Session garbage collection
965	*
966	* This looks a lot more complex than it really is. Effectively we are
967	* deleting any sessions older than an admin definable limit. Due to the
968	* way in which we maintain session data we have to ensure we update user
969	* data before those sessions are destroyed. In addition this method
970	* removes autologin key information that is older than an admin defined
971	* limit.
972	*/
973	function session_gc()
974	{
975	global $db, $config, $phpbb_container, $phpbb_dispatcher;
976
977	if (!$this->time_now)
978	{
979	$this->time_now = time();
980	}
981
982	/**
983	* Get most recent session for each registered user to sync user last visit with it
984	* Inner SELECT gets most recent sessions for each unique session_user_id
985	* Outer SELECT gets data for them
986	*/
987	$sql_select = 'SELECT s1.session_page, s1.session_user_id, s1.session_time AS recent_time
988	FROM ' . SESSIONS_TABLE . ' AS s1
989	INNER JOIN (
990	SELECT session_user_id, MAX(session_time) AS recent_time
991	FROM ' . SESSIONS_TABLE . '
992	WHERE session_user_id <> ' . ANONYMOUS . '
993	GROUP BY session_user_id
994	) AS s2
995	ON s1.session_user_id = s2.session_user_id
996	AND s1.session_time = s2.recent_time';
997
998	switch ($db->get_sql_layer())
999	{
1000	case 'sqlite3':
1001	if (phpbb_version_compare($db->sql_server_info(true), '3.8.3', '>='))
1002	{
1003	// For SQLite versions 3.8.3+ which support Common Table Expressions (CTE)
1004	$sql = "WITH s3 (session_page, session_user_id, session_time) AS ($sql_select)
1005	UPDATE " . USERS_TABLE . '
1006	SET (user_lastpage, user_lastvisit) = (SELECT session_page, session_time FROM s3 WHERE session_user_id = user_id)
1007	WHERE EXISTS (SELECT session_user_id FROM s3 WHERE session_user_id = user_id)';
1008	$db->sql_query($sql);
1009
1010	break;
1011	}
1012
1013	// No break, for SQLite versions prior to 3.8.3 and Oracle
1014	case 'oracle':
1015	$result = $db->sql_query($sql_select);
1016	while ($row = $db->sql_fetchrow($result))
1017	{
1018	$sql = 'UPDATE ' . USERS_TABLE . '
1019	SET user_lastvisit = ' . (int) $row['recent_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "'
1020	WHERE user_id = " . (int) $row['session_user_id'];
1021	$db->sql_query($sql);
1022	}
1023	$db->sql_freeresult($result);
1024	break;
1025
1026	case 'mysqli':
1027	$sql = 'UPDATE ' . USERS_TABLE . " u,
1028	($sql_select) s3
1029	SET u.user_lastvisit = s3.recent_time, u.user_lastpage = s3.session_page
1030	WHERE u.user_id = s3.session_user_id";
1031	$db->sql_query($sql);
1032	break;
1033
1034	default:
1035	$sql = 'UPDATE ' . USERS_TABLE . "
1036	SET user_lastvisit = s3.recent_time, user_lastpage = s3.session_page
1037	FROM ($sql_select) s3
1038	WHERE user_id = s3.session_user_id";
1039	$db->sql_query($sql);
1040	break;
1041	}
1042
1043	// Delete all expired sessions
1044	$sql = 'DELETE FROM ' . SESSIONS_TABLE . '
1045	WHERE session_time < ' . ($this->time_now - (int) $config['session_length']);
1046	$db->sql_query($sql);
1047
1048	// Update gc timer
1049	$config->set('session_last_gc', $this->time_now, false);
1050
1051	if ($config['max_autologin_time'])
1052	{
1053	$sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
1054	WHERE last_login < ' . (time() - (86400 * (int) $config['max_autologin_time']));
1055	$db->sql_query($sql);
1056	}
1057
1058	// only called from CRON; should be a safe workaround until the infrastructure gets going
1059	/* @var \phpbb\captcha\factory $captcha_factory */
1060	$captcha_factory = $phpbb_container->get('captcha.factory');
1061	$captcha_factory->garbage_collect($config['captcha_plugin']);
1062
1063	$sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . '
1064	WHERE attempt_time < ' . (time() - (int) $config['ip_login_limit_time']);
1065	$db->sql_query($sql);
1066
1067	/**
1068	* Event to trigger extension on session_gc
1069	*
1070	* @event core.session_gc_after
1071	* @since 3.1.6-RC1
1072	*/
1073	$phpbb_dispatcher->trigger_event('core.session_gc_after');
1074	}
1075
1076	/**
1077	* Sets a cookie
1078	*
1079	* Sets a cookie of the given name with the specified data for the given length of time. If no time is specified, a session cookie will be set.
1080	*
1081	* @param string $name Name of the cookie, will be automatically prefixed with the phpBB cookie name. track becomes [cookie_name]_track then.
1082	* @param string $cookiedata The data to hold within the cookie
1083	* @param int $cookietime The expiration time as UNIX timestamp. If 0 is provided, a session cookie is set.
1084	* @param bool $httponly Use HttpOnly. Defaults to true. Use false to make cookie accessible by client-side scripts.
1085	*/
1086	function set_cookie($name, $cookiedata, $cookietime, $httponly = true)
1087	{
1088	global $config, $phpbb_dispatcher;
1089
1090	// If headers are already set, we just return
1091	if (headers_sent())
1092	{
1093	return;
1094	}
1095
1096	$disable_cookie = false;
1097	/**
1098	* Event to modify or disable setting cookies
1099	*
1100	* @event core.set_cookie
1101	* @var bool disable_cookie Set to true to disable setting this cookie
1102	* @var string name Name of the cookie
1103	* @var string cookiedata The data to hold within the cookie
1104	* @var int cookietime The expiration time as UNIX timestamp
1105	* @var bool httponly Use HttpOnly?
1106	* @since 3.2.9-RC1
1107	*/
1108	$vars = array(
1109	'disable_cookie',
1110	'name',
1111	'cookiedata',
1112	'cookietime',
1113	'httponly',
1114	);
1115	extract($phpbb_dispatcher->trigger_event('core.set_cookie', compact($vars)));
1116
1117	if ($disable_cookie)
1118	{
1119	return;
1120	}
1121
1122	$name_data = rawurlencode($config['cookie_name'] . '_' . $name) . '=' . rawurlencode($cookiedata);
1123	$expire = gmdate('D, d-M-Y H:i:s \\G\\M\\T', $cookietime);
1124	$domain = (!$config['cookie_domain'] \|\| $config['cookie_domain'] == '127.0.0.1' \|\| strpos($config['cookie_domain'], '.') === false) ? '' : '; domain=' . $config['cookie_domain'];
1125
1126	header('Set-Cookie: ' . $name_data . (($cookietime) ? '; expires=' . $expire : '') . '; path=' . $config['cookie_path'] . $domain . ((!$config['cookie_secure']) ? '' : '; secure') . ';' . (($httponly) ? ' HttpOnly' : ''), false);
1127	}
1128
1129	/**
1130	* Check for banned user
1131	*
1132	* Checks whether the supplied user is banned by id, ip or email. If no parameters
1133	* are passed to the method pre-existing session data is used.
1134	*
1135	* @param int\|false $user_id The user id
1136	* @param mixed $user_ips Can contain a string with one IP or an array of multiple IPs
1137	* @param string\|false $user_email The user email
1138	* @param bool $return If $return is false this routine does not return on finding a banned user,
1139	* it outputs a relevant message and stops execution.
1140	*/
1141	function check_ban($user_id = false, $user_ips = false, $user_email = false, $return = false)
1142	{
1143	global $phpbb_container, $phpbb_dispatcher;
1144
1145	if (defined('IN_CHECK_BAN') \|\| defined('SKIP_CHECK_BAN'))
1146	{
1147	return false;
1148	}
1149
1150	/** @var \phpbb\ban\manager $ban_manager */
1151	$ban_manager = $phpbb_container->get('ban.manager');
1152	$ban_row = $ban_manager->check(['user_id' => $user_id, 'user_email' => $user_email]);
1153	if (empty($ban_row))
1154	{
1155	return false;
1156	}
1157
1158	$banned = true;
1159	$ban_triggered_by = $ban_row['mode'];
1160
1161	/**
1162	* Event to set custom ban type
1163	*
1164	* @event core.session_set_custom_ban
1165	* @var bool return If $return is false this routine does not return on finding a banned user, it outputs a relevant message and stops execution
1166	* @var bool banned Check if user already banned
1167	* @var array\|false ban_row Ban data
1168	* @var string ban_triggered_by Method that caused ban, can be your custom method
1169	* @since 3.1.3-RC1
1170	*/
1171	$ban_row = isset($ban_row) ? $ban_row : false;
1172	$vars = array('return', 'banned', 'ban_row', 'ban_triggered_by');
1173	extract($phpbb_dispatcher->trigger_event('core.session_set_custom_ban', compact($vars)));
1174
1175	if ($banned && !$return)
1176	{
1177	global $config, $phpbb_root_path, $phpEx;
1178
1179	// Initiate environment ... since it won't be set at this stage
1180	$this->setup();
1181
1182	// Logout the user, banned users are unable to use the normal 'logout' link
1183	if ($this->data['user_id'] != ANONYMOUS)
1184	{
1185	$this->session_kill();
1186	}
1187
1188	// We show a login box here to allow founders accessing the board if banned by IP
1189	if (defined('IN_LOGIN') && $this->data['user_id'] == ANONYMOUS)
1190	{
1191	$this->setup('ucp');
1192	$this->data['is_registered'] = $this->data['is_bot'] = false;
1193
1194	// Set as a precaution to allow login_box() handling this case correctly as well as this function not being executed again.
1195	define('IN_CHECK_BAN', 1);
1196
1197	login_box("index.$phpEx");
1198
1199	// The false here is needed, else the user is able to circumvent the ban.
1200	$this->session_kill(false);
1201	}
1202
1203	// Ok, we catch the case of an empty session id for the anonymous user...
1204	// This can happen if the user is logging in, banned by username and the login_box() being called "again".
1205	if (empty($this->session_id) && defined('IN_CHECK_BAN'))
1206	{
1207	$this->session_create(ANONYMOUS);
1208	}
1209
1210	// Determine which message to output
1211	$contact_link = phpbb_get_board_contact_link($config, $phpbb_root_path, $phpEx);
1212	$message = $ban_manager->get_ban_message($ban_row, $ban_triggered_by, $contact_link);
1213
1214	// A very special case... we are within the cron script which is not supposed to print out the ban message... show blank page
1215	if (defined('IN_CRON'))
1216	{
1217	garbage_collection();
1218	exit_handler();
1219	exit;
1220	}
1221
1222	// To circumvent session_begin returning a valid value and the check_ban() not called on second page view, we kill the session again
1223	$this->session_kill(false);
1224
1225	trigger_error($message);
1226	}
1227
1228	if (!empty($ban_row))
1229	{
1230	$ban_row['ban_triggered_by'] = $ban_triggered_by;
1231	}
1232
1233	return ($banned && $ban_row) ? $ban_row : $banned;
1234	}
1235
1236	/**
1237	* Check the current session for bans
1238	*/
1239	protected function check_ban_for_current_session($config)
1240	{
1241	if (!defined('SKIP_CHECK_BAN') && $this->data['user_type'] != USER_FOUNDER)
1242	{
1243	if (!$config['forwarded_for_check'])
1244	{
1245	$this->check_ban($this->data['user_id'], $this->ip);
1246	}
1247	else
1248	{
1249	$ips = explode(' ', $this->forwarded_for);
1250	$ips[] = $this->ip;
1251	$this->check_ban($this->data['user_id'], $ips);
1252	}
1253	}
1254	}
1255
1256	/**
1257	* Check if ip is blacklisted by Spamhaus SBL
1258	*
1259	* Disables DNSBL setting if errors are returned by Spamhaus due to a policy violation.
1260	* https://www.spamhaus.com/product/help-for-spamhaus-public-mirror-users/
1261	*
1262	* @param string $dnsbl the blacklist to check against
1263	* @param string\|false $ip the IPv4 address to check
1264	*
1265	* @return bool true if listed in spamhaus database, false if not
1266	*/
1267	function check_dnsbl_spamhaus($dnsbl, $ip = false)
1268	{
1269	global $config, $phpbb_log;
1270
1271	if ($ip === false)
1272	{
1273	$ip = $this->ip;
1274	}
1275
1276	// Spamhaus does not support IPv6 addresses.
1277	if (strpos($ip, ':') !== false)
1278	{
1279	return false;
1280	}
1281
1282	if ($ip)
1283	{
1284	$quads = explode('.', $ip);
1285	$reverse_ip = $quads[3] . '.' . $quads[2] . '.' . $quads[1] . '.' . $quads[0];
1286
1287	$records = dns_get_record($reverse_ip . '.' . $dnsbl . '.', DNS_A);
1288	if (empty($records))
1289	{
1290	return false;
1291	}
1292	else
1293	{
1294	$error = false;
1295	foreach ($records as $record)
1296	{
1297	if ($record['ip'] == '127.255.255.254')
1298	{
1299	$error = 'LOG_SPAMHAUS_OPEN_RESOLVER';
1300	break;
1301	}
1302	else if ($record['ip'] == '127.255.255.255')
1303	{
1304	$error = 'LOG_SPAMHAUS_VOLUME_LIMIT';
1305	break;
1306	}
1307	}
1308
1309	if ($error !== false)
1310	{
1311	$config->set('check_dnsbl', 0);
1312	$phpbb_log->add('critical', $this->data['user_id'], $ip, $error);
1313	}
1314	else
1315	{
1316	// The existence of a non-error A record means it's a hit
1317	return true;
1318	}
1319	}
1320	}
1321
1322	return false;
1323	}
1324
1325	/**
1326	* Checks if an IPv4 address is in a specified DNS blacklist
1327	*
1328	* Only checks if a record is returned or not.
1329	*
1330	* @param string $dnsbl the blacklist to check against
1331	* @param string\|false $ip the IPv4 address to check
1332	*
1333	* @return bool true if record is returned, false if not
1334	*/
1335	function check_dnsbl_ipv4_generic($dnsbl, $ip = false)
1336	{
1337	if ($ip === false)
1338	{
1339	$ip = $this->ip;
1340	}
1341
1342	// This function does not support IPv6 addresses.
1343	if (strpos($ip, ':') !== false)
1344	{
1345	return false;
1346	}
1347
1348	$quads = explode('.', $ip);
1349	$reverse_ip = $quads[3] . '.' . $quads[2] . '.' . $quads[1] . '.' . $quads[0];
1350
1351	if (checkdnsrr($reverse_ip . '.' . $dnsbl . '.', 'A') === true)
1352	{
1353	return true;
1354	}
1355
1356	return false;
1357	}
1358
1359	/**
1360	* Check if ip is blacklisted
1361	* This should be called only where absolutely necessary
1362	*
1363	* Only IPv4 (rbldns does not support AAAA records/IPv6 lookups)
1364	*
1365	* @author satmd (from the php manual)
1366	* @param string $mode register/post - spamcop for example is omitted for posting
1367	* @param string\|false $ip the IPv4 address to check
1368	*
1369	* @return array\|false false if ip is not blacklisted, else an array([checked server], [lookup])
1370	*/
1371	function check_dnsbl($mode, $ip = false)
1372	{
1373	if ($ip === false)
1374	{
1375	$ip = $this->ip;
1376	}
1377
1378	// Neither Spamhaus nor Spamcop supports IPv6 addresses.
1379	if (strpos($ip, ':') !== false)
1380	{
1381	return false;
1382	}
1383
1384	$dnsbl_check = array(
1385	'sbl.spamhaus.org' => ['https://check.spamhaus.org/listed/?searchterm=', 'check_dnsbl_spamhaus'],
1386	);
1387
1388	if ($mode == 'register')
1389	{
1390	$dnsbl_check['bl.spamcop.net'] = ['https://www.spamcop.net/bl.shtml?', 'check_dnsbl_ipv4_generic'];
1391	}
1392
1393	if ($ip)
1394	{
1395	// Need to be listed on all servers...
1396	$listed = true;
1397	$info = array();
1398
1399	foreach ($dnsbl_check as $dnsbl => $lookup)
1400	{
1401	if (call_user_func(array($this, $lookup[1]), $dnsbl, $ip) === true)
1402	{
1403	$info = array($dnsbl, $lookup[0] . $ip);
1404	}
1405	else
1406	{
1407	$listed = false;
1408	}
1409	}
1410
1411	if ($listed)
1412	{
1413	return $info;
1414	}
1415	}
1416
1417	return false;
1418	}
1419
1420	/**
1421	* Check if URI is blacklisted
1422	* This should be called only where absolutely necessary, for example on the submitted website field
1423	* This function is not in use at the moment and is only included for testing purposes, it may not work at all!
1424	* This means it is untested at the moment and therefore commented out
1425	*
1426	* @param string $uri URI to check
1427	* @return true if uri is on blacklist, else false. Only blacklist is checked (~zero FP), no grey lists
1428	function check_uribl($uri)
1429	{
1430	// Normally parse_url() is not intended to parse uris
1431	// We need to get the top-level domain name anyway... change.
1432	$uri = parse_url($uri);
1433
1434	if ($uri === false \|\| empty($uri['host']))
1435	{
1436	return false;
1437	}
1438
1439	$uri = trim($uri['host']);
1440
1441	if ($uri)
1442	{
1443	// One problem here... the return parameter for the "windows" method is different from what
1444	// we expect... this may render this check useless...
1445	if (checkdnsrr($uri . '.multi.uribl.com.', 'A') === true)
1446	{
1447	return true;
1448	}
1449	}
1450
1451	return false;
1452	}
1453	*/
1454
1455	/**
1456	* Set/Update a persistent login key
1457	*
1458	* This method creates or updates a persistent session key. When a user makes
1459	* use of persistent (formerly auto-) logins a key is generated and stored in the
1460	* DB. When they revisit with the same key it's automatically updated in both the
1461	* DB and cookie. Multiple keys may exist for each user representing different
1462	* browsers or locations. As with _any_ non-secure-socket no passphrase login this
1463	* remains vulnerable to exploit.
1464	*/
1465	function set_login_key($user_id = false, $key = false, $user_ip = false)
1466	{
1467	global $db, $phpbb_dispatcher;
1468
1469	$user_id = ($user_id === false) ? $this->data['user_id'] : $user_id;
1470	$user_ip = ($user_ip === false) ? $this->ip : $user_ip;
1471	$key = ($key === false) ? (($this->cookie_data['k']) ? $this->cookie_data['k'] : false) : $key;
1472
1473	$key_id = unique_id();
1474
1475	$sql_ary = array(
1476	'key_id' => (string) md5($key_id),
1477	'last_ip' => (string) $user_ip,
1478	'last_login' => (int) time()
1479	);
1480
1481	if (!$key)
1482	{
1483	$sql_ary += array(
1484	'user_id' => (int) $user_id
1485	);
1486	}
1487
1488	if ($key)
1489	{
1490	$sql = 'UPDATE ' . SESSIONS_KEYS_TABLE . '
1491	SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
1492	WHERE user_id = ' . (int) $user_id . "
1493	AND key_id = '" . $db->sql_escape(md5($key)) . "'";
1494	}
1495	else
1496	{
1497	$sql = 'INSERT INTO ' . SESSIONS_KEYS_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_ary);
1498	}
1499
1500	/**
1501	* Event to adjust autologin keys process
1502	*
1503	* @event core.set_login_key
1504	* @var string\|false key Current autologin key if exists, false otherwise
1505	* @var string key_id New autologin key
1506	* @var string sql SQL query to update/insert autologin key
1507	* @var array sql_ary Aray with autologin key data
1508	* @var int user_id Current user's ID
1509	* @var string user_ip Current user's IP address
1510	* @since 3.3.2-RC1
1511	*/
1512	$vars = [
1513	'key',
1514	'key_id',
1515	'sql',
1516	'sql_ary',
1517	'user_id',
1518	'user_ip',
1519	];
1520	extract($phpbb_dispatcher->trigger_event('core.set_login_key', compact($vars)));
1521
1522	$db->sql_query($sql);
1523
1524	$this->cookie_data['k'] = $key_id;
1525
1526	return false;
1527	}
1528
1529	/**
1530	* Reset all login keys for the specified user
1531	*
1532	* This method removes all current login keys for a specified (or the current)
1533	* user. It will be called on password change to render old keys unusable
1534	*/
1535	function reset_login_keys($user_id = false)
1536	{
1537	global $db;
1538
1539	$user_id = ($user_id === false) ? (int) $this->data['user_id'] : (int) $user_id;
1540
1541	$sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
1542	WHERE user_id = ' . (int) $user_id;
1543	$db->sql_query($sql);
1544
1545	// If the user is logged in, update last visit info first before deleting sessions
1546	$sql = 'SELECT session_time, session_page
1547	FROM ' . SESSIONS_TABLE . '
1548	WHERE session_user_id = ' . (int) $user_id . '
1549	ORDER BY session_time DESC';
1550	$result = $db->sql_query_limit($sql, 1);
1551	$row = $db->sql_fetchrow($result);
1552	$db->sql_freeresult($result);
1553
1554	if ($row)
1555	{
1556	$sql = 'UPDATE ' . USERS_TABLE . '
1557	SET user_lastvisit = ' . (int) $row['session_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "'
1558	WHERE user_id = " . (int) $user_id;
1559	$db->sql_query($sql);
1560	}
1561
1562	// Let's also clear any current sessions for the specified user_id
1563	// If it's the current user then we'll leave this session intact
1564	$sql_where = 'session_user_id = ' . (int) $user_id;
1565	$sql_where .= ($user_id === (int) $this->data['user_id']) ? " AND session_id <> '" . $db->sql_escape($this->session_id) . "'" : '';
1566
1567	$sql = 'DELETE FROM ' . SESSIONS_TABLE . "
1568	WHERE $sql_where";
1569	$db->sql_query($sql);
1570
1571	// We're changing the password of the current user and they have a key
1572	// Lets regenerate it to be safe
1573	if ($user_id === (int) $this->data['user_id'] && $this->cookie_data['k'])
1574	{
1575	$this->set_login_key($user_id);
1576	}
1577	}
1578
1579
1580	/**
1581	* Check if the request originated from the same page.
1582	* @param bool $check_script_path If true, the path will be checked as well
1583	*/
1584	function validate_referer($check_script_path = false)
1585	{
1586	global $config, $request;
1587
1588	// no referer - nothing to validate, user's fault for turning it off (we only check on POST; so meta can't be the reason)
1589	if (empty($this->referer) \|\| empty($this->host))
1590	{
1591	return true;
1592	}
1593
1594	$host = htmlspecialchars($this->host, ENT_COMPAT);
1595	$ref = substr($this->referer, strpos($this->referer, '://') + 3);
1596
1597	if (!(stripos($ref, $host) === 0) && (!$config['force_server_vars'] \|\| !(stripos($ref, $config['server_name']) === 0)))
1598	{
1599	return false;
1600	}
1601	else if ($check_script_path && rtrim($this->page['root_script_path'], '/') !== '')
1602	{
1603	$ref = substr($ref, strlen($host));
1604	$server_port = $request->server('SERVER_PORT', 0);
1605
1606	if ($server_port !== 80 && $server_port !== 443 && stripos($ref, ":$server_port") === 0)
1607	{
1608	$ref = substr($ref, strlen(":$server_port"));
1609	}
1610
1611	if (!(stripos(rtrim($ref, '/'), rtrim($this->page['root_script_path'], '/')) === 0))
1612	{
1613	return false;
1614	}
1615	}
1616
1617	return true;
1618	}
1619
1620
1621	function unset_admin()
1622	{
1623	global $db;
1624	$sql = 'UPDATE ' . SESSIONS_TABLE . '
1625	SET session_admin = 0
1626	WHERE session_id = \'' . $db->sql_escape($this->session_id) . '\'';
1627	$db->sql_query($sql);
1628	}
1629
1630	/**
1631	* Update the session data
1632	*
1633	* @param array $session_data associative array of session keys to be updated
1634	* @param string $session_id optional session_id, defaults to current user's session_id
1635	*/
1636	public function update_session($session_data, $session_id = null)
1637	{
1638	global $db, $phpbb_dispatcher;
1639
1640	$session_id = ($session_id) ? $session_id : $this->session_id;
1641
1642	$sql = 'UPDATE ' . SESSIONS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $session_data) . "
1643	WHERE session_id = '" . $db->sql_escape($session_id) . "'";
1644	$db->sql_query($sql);
1645
1646	/**
1647	* Event to send update session information to extension
1648	* Read-only event
1649	*
1650	* @event core.update_session_after
1651	* @var array session_data Associative array of session keys to be updated
1652	* @var string session_id current user's session_id
1653	* @since 3.1.6-RC1
1654	*/
1655	$vars = array('session_data', 'session_id');
1656	extract($phpbb_dispatcher->trigger_event('core.update_session_after', compact($vars)));
1657	}
1658
1659	public function update_session_infos()
1660	{
1661	global $config, $db, $request;
1662
1663	// No need to update if it's a new session. Informations are already inserted by session_create()
1664	if (isset($this->data['session_created']) && $this->data['session_created'])
1665	{
1666	return;
1667	}
1668
1669	// Do not update the session page for ajax requests, so the view online still works as intended
1670	$page_changed = $this->update_session_page && (!isset($this->data['session_page']) \|\| $this->data['session_page'] != $this->page['page'] \|\| $this->data['session_forum_id'] != $this->page['forum']) && !$request->is_ajax();
1671
1672	// Only update session DB a minute or so after last update or if page changes
1673	if ($this->time_now - (isset($this->data['session_time']) ? $this->data['session_time'] : 0) > 60 \|\| $page_changed)
1674	{
1675	$sql_ary = array('session_time' => $this->time_now);
1676
1677	if ($page_changed)
1678	{
1679	$sql_ary['session_page'] = substr($this->page['page'], 0, 199);
1680	$sql_ary['session_forum_id'] = $this->page['forum'];
1681	}
1682
1683	$db->sql_return_on_error(true);
1684
1685	$this->update_session($sql_ary);
1686
1687	$db->sql_return_on_error(false);
1688
1689	$this->data = array_merge($this->data, $sql_ary);
1690
1691	if ($this->data['user_id'] != ANONYMOUS && isset($config['new_member_post_limit'])
1692	&& $this->data['user_new'] && $config['new_member_post_limit'] <= $this->data['user_posts']
1693	&& $this instanceof user)
1694	{
1695	$this->leave_newly_registered();
1696	}
1697	}
1698	}
1699
1700	/**
1701	* Get user ID
1702	*
1703	* @return int User ID
1704	*/
1705	public function id() : int
1706	{
1707	return isset($this->data['user_id']) ? (int) $this->data['user_id'] : ANONYMOUS;
1708	}
1709
1710	/**
1711	* Update user last visit time
1712	*/
1713	public function update_user_lastvisit()
1714	{
1715	global $db;
1716
1717	if (isset($this->data['session_time'], $this->data['user_id']))
1718	{
1719	$sql = 'UPDATE ' . USERS_TABLE . '
1720	SET user_lastvisit = ' . (int) $this->data['session_time'] . ',
1721	user_last_active = ' . (int) $this->data['session_time'] . '
1722	WHERE user_id = ' . (int) $this->data['user_id'];
1723	$db->sql_query($sql);
1724	}
1725	}
1726
1727	/**
1728	* Update user's last active time
1729	*
1730	* @return void
1731	*/
1732	public function update_last_active_time()
1733	{
1734	global $db;
1735
1736	if (isset($this->data['session_time'], $this->data['user_id']))
1737	{
1738	$sql = 'UPDATE ' . USERS_TABLE . '
1739	SET user_last_active = ' . (int) $this->data['session_time'] . '
1740	WHERE user_id = ' . (int) $this->data['user_id'];
1741	$db->sql_query($sql);
1742	}
1743	}
1744	}