Code Coverage for /data/phpBB/phpbb/session.php

	Code Coverage
	Lines			Functions and Methods				Classes and Traits
Total	62.95% covered (warning)	62.95%	423 / 672	27.27% covered (danger)	27.27%	6 / 22	CRAP	0.00% covered (danger)	0.00%	0 / 1
session	62.95% covered (warning)	62.95%	423 / 672	27.27% covered (danger)	27.27%	6 / 22	4151.33	0.00% covered (danger)	0.00%	0 / 1
extract_current_page	100.00% covered (success)	100.00%	57 / 57	100.00% covered (success)	100.00%	1 / 1	20
extract_current_hostname	94.12% covered (success)	94.12%	16 / 17	0.00% covered (danger)	0.00%	0 / 1	12.03
setup	0.00% covered (danger)	0.00%	0 / 1	0.00% covered (danger)	0.00%	0 / 1	2
session_begin	73.58% covered (warning)	73.58%	78 / 106	0.00% covered (danger)	0.00%	0 / 1	93.25
session_create	81.40% covered (warning)	81.40%	140 / 172	0.00% covered (danger)	0.00%	0 / 1	121.21
session_kill	0.00% covered (danger)	0.00%	0 / 43	0.00% covered (danger)	0.00%	0 / 1	30
session_gc	54.90% covered (warning)	54.90%	28 / 51	0.00% covered (danger)	0.00%	0 / 1	16.43
set_cookie	0.00% covered (danger)	0.00%	0 / 18	0.00% covered (danger)	0.00%	0 / 1	90
check_ban	41.67% covered (danger)	41.67%	15 / 36	0.00% covered (danger)	0.00%	0 / 1	66.81
check_ban_for_current_session	83.33% covered (warning)	83.33%	5 / 6	0.00% covered (danger)	0.00%	0 / 1	4.07
check_dnsbl_spamhaus	0.00% covered (danger)	0.00%	0 / 24	0.00% covered (danger)	0.00%	0 / 1	90
check_dnsbl_ipv4_generic	0.00% covered (danger)	0.00%	0 / 9	0.00% covered (danger)	0.00%	0 / 1	20
check_dnsbl	0.00% covered (danger)	0.00%	0 / 19	0.00% covered (danger)	0.00%	0 / 1	72
set_login_key	87.50% covered (warning)	87.50%	28 / 32	0.00% covered (danger)	0.00%	0 / 1	7.10
reset_login_keys	100.00% covered (success)	100.00%	24 / 24	100.00% covered (success)	100.00%	1 / 1	6
validate_referer	93.33% covered (success)	93.33%	14 / 15	0.00% covered (danger)	0.00%	0 / 1	12.04
unset_admin	100.00% covered (success)	100.00%	4 / 4	100.00% covered (success)	100.00%	1 / 1	1
update_session	0.00% covered (danger)	0.00%	0 / 7	0.00% covered (danger)	0.00%	0 / 1	6
update_session_infos	0.00% covered (danger)	0.00%	0 / 17	0.00% covered (danger)	0.00%	0 / 1	272
id	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	2
update_user_lastvisit	100.00% covered (success)	100.00%	7 / 7	100.00% covered (success)	100.00%	1 / 1	2
update_last_active_time	100.00% covered (success)	100.00%	6 / 6	100.00% covered (success)	100.00%	1 / 1	2

1	<?php
2	/**
3	*
4	* This file is part of the phpBB Forum Software package.
5	*
6	* @copyright (c) phpBB Limited <https://www.phpbb.com>
7	* @license GNU General Public License, version 2 (GPL-2.0)
8	*
9	* For full copyright and license information, please see
10	* the docs/CREDITS.txt file.
11	*
12	*/
13
14	namespace phpbb;
15
16	use phpbb\filesystem\helper as filesystem_helper;
17
18	/**
19	* Session class
20	*/
21	class session
22	{
23	public $cookie_data = array();
24	public $page = array();
25	public $data = array();
26	public $browser = '';
27	public $referer = '';
28	public $forwarded_for = '';
29	public $host = '';
30	public $session_id = '';
31	public $ip = '';
32	public $load = 0;
33	public $time_now = 0;
34	public $update_session_page = true;
35
36	/**
37	* Extract current session page
38	*
39	* @param string $root_path current root path (phpbb_root_path)
40	* @return array
41	*/
42	static function extract_current_page($root_path)
43	{
44	global $request, $symfony_request;
45
46	$page_array = array();
47
48	// First of all, get the request uri...
49	$script_name = $request->escape($symfony_request->getScriptName(), true);
50	$args = $request->escape(explode('&', $symfony_request->getQueryString() ?? ''), true);
51
52	// If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
53	if (!$script_name)
54	{
55	$script_name = html_entity_decode($request->server('REQUEST_URI'), ENT_COMPAT);
56	$script_name = (($pos = strpos($script_name, '?')) !== false) ? substr($script_name, 0, $pos) : $script_name;
57	$page_array['failover'] = 1;
58	}
59
60	// Replace backslashes and doubled slashes (could happen on some proxy setups)
61	$script_name = str_replace(array('\\', '//'), '/', $script_name);
62
63	// Now, remove the sid and let us get a clean query string...
64	$use_args = [];
65
66	// Since some browser do not encode correctly we need to do this with some "special" characters...
67	// " -> %22, ' => %27, < -> %3C, > -> %3E
68	$find = ['"', "'", '<', '>', '"', '<', '>'];
69	$replace = ['%22', '%27', '%3C', '%3E', '%22', '%3C', '%3E'];
70
71	foreach ($args as $argument)
72	{
73	if (strpos($argument, 'sid=') === 0)
74	{
75	continue;
76	}
77
78	$use_args[] = (string) str_replace($find, $replace, $argument);
79	}
80	unset($args);
81
82	// The following examples given are for an request uri of {path to the phpbb directory}/adm/index.php?i=10&b=2
83
84	// The current query string
85	$query_string = trim(implode('&', $use_args));
86
87	// basenamed page name (for example: index.php)
88	$page_name = (substr($script_name, -1, 1) == '/') ? '' : basename($script_name);
89	$page_name = urlencode(htmlspecialchars($page_name, ENT_COMPAT));
90
91	$symfony_request_path = filesystem_helper::clean_path($symfony_request->getPathInfo());
92	if ($symfony_request_path !== '/')
93	{
94	$page_name .= str_replace('%2F', '/', urlencode($symfony_request_path));
95	}
96
97	if (substr($root_path, 0, 2) === './' && strpos($root_path, '..') === false)
98	{
99	$root_dirs = explode('/', str_replace('\\', '/', rtrim($root_path, '/')));
100	$page_dirs = explode('/', str_replace('\\', '/', '.'));
101	}
102	else
103	{
104	// current directory within the phpBB root (for example: adm)
105	$root_dirs = explode('/', str_replace('\\', '/', filesystem_helper::realpath($root_path)));
106	$page_dirs = explode('/', str_replace('\\', '/', filesystem_helper::realpath('./')));
107	}
108
109	$intersection = array_intersect_assoc($root_dirs, $page_dirs);
110
111	$root_dirs = array_diff_assoc($root_dirs, $intersection);
112	$page_dirs = array_diff_assoc($page_dirs, $intersection);
113
114	$page_dir = str_repeat('../', count($root_dirs)) . implode('/', $page_dirs);
115
116	if ($page_dir && substr($page_dir, -1, 1) == '/')
117	{
118	$page_dir = substr($page_dir, 0, -1);
119	}
120
121	// Current page from phpBB root (for example: adm/index.php?i=10&b=2)
122	$page = (($page_dir) ? $page_dir . '/' : '') . $page_name;
123	if ($query_string)
124	{
125	$page .= '?' . $query_string;
126	}
127
128	// The script path from the webroot to the current directory (for example: /phpBB3/adm/) : always prefixed with / and ends in /
129	$script_path = $symfony_request->getBasePath();
130
131	// The script path from the webroot to the phpBB root (for example: /phpBB3/)
132	$script_dirs = explode('/', $script_path);
133	array_splice($script_dirs, -count($page_dirs));
134	$root_script_path = implode('/', $script_dirs) . (count($root_dirs) ? '/' . implode('/', $root_dirs) : '');
135
136	// We are on the base level (phpBB root == webroot), lets adjust the variables a bit...
137	if (!$root_script_path)
138	{
139	$root_script_path = ($page_dir) ? str_replace($page_dir, '', $script_path) : $script_path;
140	}
141
142	$script_path .= (substr($script_path, -1, 1) == '/') ? '' : '/';
143	$root_script_path .= (substr($root_script_path, -1, 1) == '/') ? '' : '/';
144
145	$forum_id = $request->variable('f', 0);
146	// maximum forum id value is maximum value of mediumint unsigned column
147	$forum_id = ($forum_id > 0 && $forum_id < 16777215) ? $forum_id : 0;
148
149	$page_array += array(
150	'page_name' => $page_name,
151	'page_dir' => $page_dir,
152
153	'query_string' => $query_string,
154	'script_path' => str_replace(' ', '%20', htmlspecialchars($script_path, ENT_COMPAT)),
155	'root_script_path' => str_replace(' ', '%20', htmlspecialchars($root_script_path, ENT_COMPAT)),
156
157	'page' => $page,
158	'forum' => $forum_id,
159	);
160
161	return $page_array;
162	}
163
164	/**
165	* Get valid hostname/port. HTTP_HOST is used, SERVER_NAME if HTTP_HOST not present.
166	*/
167	function extract_current_hostname()
168	{
169	global $config, $request;
170
171	// Get hostname
172	$host = html_entity_decode($request->header('Host', $request->server('SERVER_NAME')), ENT_COMPAT);
173
174	// Should be a string and lowered
175	$host = (string) strtolower($host);
176
177	// If host is equal the cookie domain or the server name (if config is set), then we assume it is valid
178	if ((isset($config['cookie_domain']) && $host === $config['cookie_domain']) \|\| (isset($config['server_name']) && $host === $config['server_name']))
179	{
180	return $host;
181	}
182
183	// Is the host actually a IP? If so, we use the IP... (IPv4)
184	if (long2ip(ip2long($host)) === $host)
185	{
186	return $host;
187	}
188
189	// Now return the hostname (this also removes any port definition). The http:// is prepended to construct a valid URL, hosts never have a scheme assigned
190	$host = @parse_url('http://' . $host);
191	$host = (!empty($host['host'])) ? $host['host'] : '';
192
193	// Remove any portions not removed by parse_url (#)
194	$host = str_replace('#', '', $host);
195
196	// If, by any means, the host is now empty, we will use a "best approach" way to guess one
197	if (empty($host))
198	{
199	if (!empty($config['server_name']))
200	{
201	$host = $config['server_name'];
202	}
203	else if (!empty($config['cookie_domain']))
204	{
205	$host = (strpos($config['cookie_domain'], '.') === 0) ? substr($config['cookie_domain'], 1) : $config['cookie_domain'];
206	}
207	else
208	{
209	// Set to OS hostname or localhost
210	$host = (function_exists('php_uname')) ? php_uname('n') : 'localhost';
211	}
212	}
213
214	// It may be still no valid host, but for sure only a hostname (we may further expand on the cookie domain... if set)
215	return $host;
216	}
217
218	/**
219	* Setup basic user-specific items (style, language, ...)
220	*
221	* @param array\|string\|false $lang_set Lang set(s) to include, false if none shall be included
222	* @param int\|false $style_id Style ID to load, false to load default style
223	*
224	* @throws \RuntimeException When called on session and not user instance
225	*
226	* @return void
227	*/
228	public function setup($lang_set = false, $style_id = false)
229	{
230	throw new \RuntimeException('Calling setup on session class is not supported.');
231	}
232
233	/**
234	* Start session management
235	*
236	* This is where all session activity begins. We gather various pieces of
237	* information from the client and server. We test to see if a session already
238	* exists. If it does, fine and dandy. If it doesn't we'll go on to create a
239	* new one ... pretty logical heh? We also examine the system load (if we're
240	* running on a system which makes such information readily available) and
241	* halt if it's above an admin definable limit.
242	*
243	* @param bool $update_session_page if true the session page gets updated.
244	* This can be set to circumvent certain scripts to update the users last visited page.
245	*/
246	function session_begin($update_session_page = true)
247	{
248	global $phpEx, $SID, $_SID, $_EXTRA_URL, $db, $config, $phpbb_root_path;
249	global $request, $phpbb_container, $user, $phpbb_log, $phpbb_dispatcher;
250
251	// Give us some basic information
252	$this->time_now = time();
253	$this->cookie_data = array('u' => 0, 'k' => '');
254	$this->update_session_page = $update_session_page;
255	$this->browser = $request->header('User-Agent');
256	$this->referer = $request->header('Referer');
257	$this->forwarded_for = $request->header('X-Forwarded-For');
258
259	$this->host = $this->extract_current_hostname();
260	$this->page = $this->extract_current_page($phpbb_root_path);
261
262	// if the forwarded for header shall be checked we have to validate its contents
263	if ($config['forwarded_for_check'])
264	{
265	$this->forwarded_for = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $this->forwarded_for));
266
267	// split the list of IPs
268	$ips = explode(' ', $this->forwarded_for);
269	foreach ($ips as $ip)
270	{
271	if (!filter_var($ip, FILTER_VALIDATE_IP))
272	{
273	// contains invalid data, don't use the forwarded for header
274	$this->forwarded_for = '';
275	break;
276	}
277	}
278	}
279	else
280	{
281	$this->forwarded_for = '';
282	}
283
284	if ($request->is_set($config['cookie_name'] . '_sid', \phpbb\request\request_interface::COOKIE) \|\| $request->is_set($config['cookie_name'] . '_u', \phpbb\request\request_interface::COOKIE))
285	{
286	$this->cookie_data['u'] = $request->variable($config['cookie_name'] . '_u', 0, false, \phpbb\request\request_interface::COOKIE);
287	$this->cookie_data['k'] = $request->variable($config['cookie_name'] . '_k', '', false, \phpbb\request\request_interface::COOKIE);
288	$this->session_id = $request->variable($config['cookie_name'] . '_sid', '', false, \phpbb\request\request_interface::COOKIE);
289
290	$SID = '?sid=';
291	$_SID = '';
292
293	if (empty($this->session_id) && $phpbb_container->getParameter('session.force_sid'))
294	{
295	$this->session_id = $_SID = $request->variable('sid', '');
296	$SID = '?sid=' . $this->session_id;
297	$this->cookie_data = array('u' => 0, 'k' => '');
298	}
299	}
300	else
301	{
302	$this->session_id = $_SID = $phpbb_container->getParameter('session.force_sid') ? $request->variable('sid', '') : '';
303	$SID = '?sid=' . $this->session_id;
304	}
305
306	$_EXTRA_URL = array();
307
308	// Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
309	// it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.
310	$ip = html_entity_decode($request->server('REMOTE_ADDR'), ENT_COMPAT);
311	$ip = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $ip));
312
313	/**
314	* Event to alter user IP address
315	*
316	* @event core.session_ip_after
317	* @var string ip REMOTE_ADDR
318	* @since 3.1.10-RC1
319	*/
320	$vars = array('ip');
321	extract($phpbb_dispatcher->trigger_event('core.session_ip_after', compact($vars)));
322
323	// split the list of IPs
324	$ips = explode(' ', trim($ip));
325
326	// Default IP if REMOTE_ADDR is invalid
327	$this->ip = '127.0.0.1';
328
329	foreach ($ips as $ip)
330	{
331	// Normalise IP address
332	$ip = phpbb_ip_normalise($ip);
333
334	if ($ip === false)
335	{
336	// IP address is invalid.
337	break;
338	}
339
340	// IP address is valid.
341	$this->ip = $ip;
342	}
343
344	$this->load = false;
345
346	// Load limit check (if applicable)
347	if ($config['limit_load'] \|\| $config['limit_search_load'])
348	{
349	if ((function_exists('sys_getloadavg') && $load = sys_getloadavg()) \|\| ($load = explode(' ', @file_get_contents('/proc/loadavg'))))
350	{
351	$this->load = array_slice($load, 0, 1);
352	$this->load = floatval($this->load[0]);
353	}
354	else
355	{
356	$config->set('limit_load', '0');
357	$config->set('limit_search_load', '0');
358	}
359	}
360
361	// if session id is set
362	if (!empty($this->session_id))
363	{
364	$sql = 'SELECT u., s.
365	FROM ' . SESSIONS_TABLE . ' s, ' . USERS_TABLE . " u
366	WHERE s.session_id = '" . $db->sql_escape($this->session_id) . "'
367	AND u.user_id = s.session_user_id";
368	$result = $db->sql_query($sql);
369	$this->data = $db->sql_fetchrow($result);
370	$db->sql_freeresult($result);
371
372	// Did the session exist in the DB?
373	if (isset($this->data['user_id']))
374	{
375	// Validate IP length according to admin ... enforces an IP
376	// check on bots if admin requires this
377	// $quadcheck = ($config['ip_check_bot'] && $this->data['user_type'] & USER_BOT) ? 4 : $config['ip_check'];
378
379	if (strpos($this->ip, ':') !== false && strpos($this->data['session_ip'], ':') !== false)
380	{
381	$s_ip = short_ipv6($this->data['session_ip'], $config['ip_check']);
382	$u_ip = short_ipv6($this->ip, $config['ip_check']);
383	}
384	else
385	{
386	$s_ip = implode('.', array_slice(explode('.', $this->data['session_ip']), 0, $config['ip_check']));
387	$u_ip = implode('.', array_slice(explode('.', $this->ip), 0, $config['ip_check']));
388	}
389
390	$s_browser = ($config['browser_check']) ? trim(strtolower(substr($this->data['session_browser'], 0, 149))) : '';
391	$u_browser = ($config['browser_check']) ? trim(strtolower(substr($this->browser, 0, 149))) : '';
392
393	$s_forwarded_for = ($config['forwarded_for_check']) ? substr($this->data['session_forwarded_for'], 0, 254) : '';
394	$u_forwarded_for = ($config['forwarded_for_check']) ? substr($this->forwarded_for, 0, 254) : '';
395
396	// referer checks
397	// The @ before $config['referer_validation'] suppresses notices present while running the updater
398	$check_referer_path = (@$config['referer_validation'] == REFERER_VALIDATE_PATH);
399	$referer_valid = true;
400
401	// we assume HEAD and TRACE to be foul play and thus only whitelist GET
402	if (@$config['referer_validation'] && strtolower($request->server('REQUEST_METHOD')) !== 'get')
403	{
404	$referer_valid = $this->validate_referer($check_referer_path);
405	}
406
407	if ($u_ip === $s_ip && $s_browser === $u_browser && $s_forwarded_for === $u_forwarded_for && $referer_valid)
408	{
409	$session_expired = false;
410
411	// Check whether the session is still valid if we have one
412	/* @var $provider_collection \phpbb\auth\provider_collection */
413	$provider_collection = $phpbb_container->get('auth.provider_collection');
414	$provider = $provider_collection->get_provider();
415
416	if (!($provider instanceof \phpbb\auth\provider\provider_interface))
417	{
418	throw new \RuntimeException($provider . ' must implement \phpbb\auth\provider\provider_interface');
419	}
420
421	$ret = $provider->validate_session($this->data);
422	if ($ret !== null && !$ret)
423	{
424	$session_expired = true;
425	}
426
427	if (!$session_expired)
428	{
429	// Check the session length timeframe if autologin is not enabled.
430	// Else check the autologin length... and also removing those having autologin enabled but no longer allowed board-wide.
431	if (!$this->data['session_autologin'])
432	{
433	if ($this->data['session_time'] < $this->time_now - ((int) $config['session_length'] + 60))
434	{
435	$session_expired = true;
436	}
437	}
438	else if (!$config['allow_autologin'] \|\| ($config['max_autologin_time'] && $this->data['session_time'] < $this->time_now - (86400 * (int) $config['max_autologin_time']) + 60))
439	{
440	$session_expired = true;
441	}
442	}
443
444	if (!$session_expired)
445	{
446	$this->data['is_registered'] = ($this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL \|\| $this->data['user_type'] == USER_FOUNDER)) ? true : false;
447	$this->data['is_bot'] = (!$this->data['is_registered'] && $this->data['user_id'] != ANONYMOUS) ? true : false;
448	$this->data['user_lang'] = basename($this->data['user_lang']);
449
450	// Is user banned? Are they excluded? Won't return on ban, exists within method
451	$this->check_ban_for_current_session($config);
452
453	// Update user last active time accordingly, but in a minute or so
454	if ($this->time_now - (int) $this->data['user_last_active'] > 60)
455	{
456	$this->update_last_active_time();
457	}
458
459	return true;
460	}
461	}
462	else
463	{
464	// Added logging temporarily to help debug bugs...
465	if ($phpbb_container->getParameter('session.log_errors') && $this->data['user_id'] != ANONYMOUS)
466	{
467	if ($referer_valid)
468	{
469	$phpbb_log->add('critical', $user->data['user_id'], $user->ip, 'LOG_IP_BROWSER_FORWARDED_CHECK', false, array(
470	$u_ip,
471	$s_ip,
472	$u_browser,
473	$s_browser,
474	htmlspecialchars($u_forwarded_for, ENT_COMPAT),
475	htmlspecialchars($s_forwarded_for, ENT_COMPAT)
476	));
477	}
478	else
479	{
480	$phpbb_log->add('critical', $user->data['user_id'], $user->ip, 'LOG_REFERER_INVALID', false, array($this->referer));
481	}
482	}
483	}
484	}
485	}
486
487	// If we reach here then no (valid) session exists. So we'll create a new one
488	return $this->session_create();
489	}
490
491	/**
492	* Create a new session
493	*
494	* If upon trying to start a session we discover there is nothing existing we
495	* jump here. Additionally this method is called directly during login to regenerate
496	* the session for the specific user. In this method we carry out a number of tasks;
497	* garbage collection, (search)bot checking, banned user comparison. Basically
498	* though this method will result in a new session for a specific user.
499	*/
500	function session_create($user_id = false, $set_admin = false, $persist_login = false, $viewonline = true)
501	{
502	global $SID, $_SID, $db, $config, $cache, $phpbb_container, $phpbb_dispatcher;
503
504	$this->data = array();
505
506	/* Garbage collection ... remove old sessions updating user information
507	// if necessary. It means (potentially) 11 queries but only infrequently
508	if ($this->time_now > $config['session_last_gc'] + $config['session_gc'])
509	{
510	$this->session_gc();
511	}*/
512
513	// Do we allow autologin on this board? No? Then override anything
514	// that may be requested here
515	if (!$config['allow_autologin'])
516	{
517	$this->cookie_data['k'] = $persist_login = false;
518	}
519
520	/**
521	* Here we do a bot check, oh er saucy! No, not that kind of bot
522	* check. We loop through the list of bots defined by the admin and
523	* see if we have any useragent and/or IP matches. If we do, this is a
524	* bot, act accordingly
525	*/
526	$bot = false;
527	$active_bots = $cache->obtain_bots();
528
529	foreach ($active_bots as $row)
530	{
531	if ($row['bot_agent'] && preg_match('#' . str_replace('\', '.?', preg_quote($row['bot_agent'], '#')) . '#i', $this->browser))
532	{
533	$bot = (int) $row['user_id'];
534	}
535
536	// If ip is supplied, we will make sure the ip is matching too...
537	if ($row['bot_ip'] && ($bot \|\| !$row['bot_agent']))
538	{
539	// Set bot to false, then we only have to set it to true if it is matching
540	$bot = false;
541
542	foreach (explode(',', $row['bot_ip']) as $bot_ip)
543	{
544	$bot_ip = trim($bot_ip);
545
546	if (!$bot_ip)
547	{
548	continue;
549	}
550
551	if (strpos($this->ip, $bot_ip) === 0)
552	{
553	$bot = (int) $row['user_id'];
554	break;
555	}
556	}
557	}
558
559	if ($bot)
560	{
561	break;
562	}
563	}
564
565	/* @var $provider_collection \phpbb\auth\provider_collection */
566	$provider_collection = $phpbb_container->get('auth.provider_collection');
567	$provider = $provider_collection->get_provider();
568	$this->data = $provider->autologin();
569
570	if ($user_id !== false && isset($this->data['user_id']) && $this->data['user_id'] != $user_id)
571	{
572	$this->data = array();
573	}
574
575	if (isset($this->data['user_id']))
576	{
577	$this->cookie_data['k'] = '';
578	$this->cookie_data['u'] = $this->data['user_id'];
579	}
580
581	// If we're presented with an autologin key we'll join against it.
582	// Else if we've been passed a user_id we'll grab data based on that
583	if (isset($this->cookie_data['k']) && $this->cookie_data['k'] && $this->cookie_data['u'] && empty($this->data))
584	{
585	$sql = 'SELECT u.*
586	FROM ' . USERS_TABLE . ' u, ' . SESSIONS_KEYS_TABLE . ' k
587	WHERE u.user_id = ' . (int) $this->cookie_data['u'] . '
588	AND u.user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ")
589	AND k.user_id = u.user_id
590	AND k.key_id = '" . $db->sql_escape(md5($this->cookie_data['k'])) . "'";
591	$result = $db->sql_query($sql);
592	$user_data = $db->sql_fetchrow($result);
593
594	if ($user_id === false \|\| (isset($user_data['user_id']) && $user_id == $user_data['user_id']))
595	{
596	$this->data = $user_data;
597	$bot = false;
598	}
599
600	$db->sql_freeresult($result);
601	}
602
603	if ($user_id !== false && empty($this->data))
604	{
605	$this->cookie_data['k'] = '';
606	$this->cookie_data['u'] = $user_id;
607
608	$sql = 'SELECT *
609	FROM ' . USERS_TABLE . '
610	WHERE user_id = ' . (int) $this->cookie_data['u'] . '
611	AND user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ')';
612	$result = $db->sql_query($sql);
613	$this->data = $db->sql_fetchrow($result);
614	$db->sql_freeresult($result);
615	$bot = false;
616	}
617
618	// Bot user, if they have a SID in the Request URI we need to get rid of it
619	// otherwise they'll index this page with the SID, duplicate content oh my!
620	if ($bot && isset($_GET['sid']))
621	{
622	send_status_line(301, 'Moved Permanently');
623	redirect(build_url(array('sid')));
624	}
625
626	// If no data was returned one or more of the following occurred:
627	// Key didn't match one in the DB
628	// User does not exist
629	// User is inactive
630	// User is bot
631	if (!is_array($this->data) \|\| !count($this->data))
632	{
633	$this->cookie_data['k'] = '';
634	$this->cookie_data['u'] = ($bot) ? $bot : ANONYMOUS;
635
636	if (!$bot)
637	{
638	$sql = 'SELECT *
639	FROM ' . USERS_TABLE . '
640	WHERE user_id = ' . (int) $this->cookie_data['u'];
641	}
642	else
643	{
644	// We give bots always the same session if it is not yet expired.
645	$sql = 'SELECT u., s.
646	FROM ' . USERS_TABLE . ' u
647	LEFT JOIN ' . SESSIONS_TABLE . ' s ON (s.session_user_id = u.user_id)
648	WHERE u.user_id = ' . (int) $bot;
649	}
650
651	$result = $db->sql_query($sql);
652	$this->data = $db->sql_fetchrow($result);
653	$db->sql_freeresult($result);
654	}
655
656	if ($this->data['user_id'] != ANONYMOUS && !$bot)
657	{
658	$this->data['session_last_visit'] = (isset($this->data['session_time']) && $this->data['session_time']) ? $this->data['session_time'] : (($this->data['user_lastvisit']) ? $this->data['user_lastvisit'] : time());
659	}
660	else
661	{
662	$this->data['session_last_visit'] = $this->time_now;
663	}
664
665	// Force user id to be integer...
666	$this->data['user_id'] = (int) $this->data['user_id'];
667
668	// At this stage we should have a filled data array, defined cookie u and k data.
669	// data array should contain recent session info if we're a real user and a recent
670	// session exists in which case session_id will also be set
671
672	// Is user banned? Are they excluded? Won't return on ban, exists within method
673	$this->check_ban_for_current_session($config);
674
675	$this->data['is_registered'] = (!$bot && $this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL \|\| $this->data['user_type'] == USER_FOUNDER)) ? true : false;
676	$this->data['is_bot'] = ($bot) ? true : false;
677
678	// If our friend is a bot, we re-assign a previously assigned session
679	if ($this->data['is_bot'] && $bot == $this->data['user_id'] && $this->data['session_id'])
680	{
681	// Only assign the current session if the ip, browser and forwarded_for match...
682	if (strpos($this->ip, ':') !== false && strpos($this->data['session_ip'], ':') !== false)
683	{
684	$s_ip = short_ipv6($this->data['session_ip'], $config['ip_check']);
685	$u_ip = short_ipv6($this->ip, $config['ip_check']);
686	}
687	else
688	{
689	$s_ip = implode('.', array_slice(explode('.', $this->data['session_ip']), 0, $config['ip_check']));
690	$u_ip = implode('.', array_slice(explode('.', $this->ip), 0, $config['ip_check']));
691	}
692
693	$s_browser = ($config['browser_check']) ? trim(strtolower(substr($this->data['session_browser'], 0, 149))) : '';
694	$u_browser = ($config['browser_check']) ? trim(strtolower(substr($this->browser, 0, 149))) : '';
695
696	$s_forwarded_for = ($config['forwarded_for_check']) ? substr($this->data['session_forwarded_for'], 0, 254) : '';
697	$u_forwarded_for = ($config['forwarded_for_check']) ? substr($this->forwarded_for, 0, 254) : '';
698
699	if ($u_ip === $s_ip && $s_browser === $u_browser && $s_forwarded_for === $u_forwarded_for)
700	{
701	$this->session_id = $this->data['session_id'];
702
703	// Only update session DB a minute or so after last update or if page changes
704	if ($this->time_now - $this->data['session_time'] > 60 \|\| ($this->update_session_page && $this->data['session_page'] != $this->page['page']))
705	{
706	// Update the last visit time
707	$this->update_user_lastvisit();
708	}
709
710	$SID = '?sid=';
711	$_SID = '';
712	return true;
713	}
714	else
715	{
716	// If the ip and browser does not match make sure we only have one bot assigned to one session
717	$db->sql_query('DELETE FROM ' . SESSIONS_TABLE . ' WHERE session_user_id = ' . $this->data['user_id']);
718	}
719	}
720
721	$session_autologin = (($this->cookie_data['k'] \|\| $persist_login) && $this->data['is_registered']) ? true : false;
722	$set_admin = ($set_admin && $this->data['is_registered']) ? true : false;
723
724	// Create or update the session
725	$sql_ary = array(
726	'session_user_id' => (int) $this->data['user_id'],
727	'session_start' => (int) $this->time_now,
728	'session_last_visit' => (int) $this->data['session_last_visit'],
729	'session_time' => (int) $this->time_now,
730	'session_browser' => (string) trim(substr($this->browser, 0, 149)),
731	'session_forwarded_for' => (string) $this->forwarded_for,
732	'session_ip' => (string) $this->ip,
733	'session_autologin' => ($session_autologin) ? 1 : 0,
734	'session_admin' => ($set_admin) ? 1 : 0,
735	'session_viewonline' => ($viewonline) ? 1 : 0,
736	);
737
738	if ($this->update_session_page)
739	{
740	$sql_ary['session_page'] = (string) substr($this->page['page'], 0, 199);
741	$sql_ary['session_forum_id'] = $this->page['forum'];
742	}
743
744	$db->sql_return_on_error(true);
745
746	$sql = 'DELETE
747	FROM ' . SESSIONS_TABLE . '
748	WHERE session_id = \'' . $db->sql_escape($this->session_id) . '\'
749	AND session_user_id = ' . ANONYMOUS;
750
751	if (!defined('IN_ERROR_HANDLER') && (!$this->session_id \|\| !$db->sql_query($sql) \|\| !$db->sql_affectedrows()))
752	{
753	// Limit new sessions in 1 minute period (if required)
754	if (empty($this->data['session_time']) && $config['active_sessions'])
755	{
756	// $db->sql_return_on_error(false);
757
758	$sql = 'SELECT COUNT(session_id) AS sessions
759	FROM ' . SESSIONS_TABLE . '
760	WHERE session_time >= ' . ($this->time_now - 60);
761	$result = $db->sql_query($sql);
762	$row = $db->sql_fetchrow($result);
763	$db->sql_freeresult($result);
764
765	if ((int) $row['sessions'] > (int) $config['active_sessions'])
766	{
767	send_status_line(503, 'Service Unavailable');
768	trigger_error('BOARD_UNAVAILABLE');
769	}
770	}
771	}
772
773	// Since we re-create the session id here, the inserted row must be unique. Therefore, we display potential errors.
774	// Commented out because it will not allow forums to update correctly
775	// $db->sql_return_on_error(false);
776
777	// Something quite important: session_page always holds the last page visited, except for the first visit.
778	// We are not able to simply have an empty session_page btw, therefore we need to tell phpBB how to detect this special case.
779	// If the session id is empty, we have a completely new one and will set an "identifier" here. This identifier is able to be checked later.
780	if (empty($this->data['session_id']))
781	{
782	// This is a temporary variable, only set for the very first visit
783	$this->data['session_created'] = true;
784	}
785
786	$this->session_id = $this->data['session_id'] = md5(unique_id());
787
788	$sql_ary['session_id'] = (string) $this->session_id;
789	$sql_ary['session_page'] = (string) substr($this->page['page'], 0, 199);
790	$sql_ary['session_forum_id'] = $this->page['forum'];
791
792	$sql = 'INSERT INTO ' . SESSIONS_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_ary);
793	$db->sql_query($sql);
794
795	$db->sql_return_on_error(false);
796
797	// Regenerate autologin/persistent login key
798	if ($session_autologin)
799	{
800	$this->set_login_key();
801	}
802
803	// refresh data
804	if ($phpbb_container->getParameter('session.force_sid'))
805	{
806	$SID = '?sid=' . $this->session_id;
807	$_SID = $this->session_id;
808	}
809	$this->data = array_merge($this->data, $sql_ary);
810
811	if (!$bot)
812	{
813	$cookie_expire = $this->time_now + (($config['max_autologin_time']) ? 86400 * (int) $config['max_autologin_time'] : 31536000);
814
815	$this->set_cookie('u', $this->cookie_data['u'], $cookie_expire);
816	$this->set_cookie('k', $this->cookie_data['k'], $cookie_expire);
817	$this->set_cookie('sid', $this->session_id, $cookie_expire);
818
819	unset($cookie_expire);
820
821	$sql = 'SELECT COUNT(session_id) AS sessions
822	FROM ' . SESSIONS_TABLE . '
823	WHERE session_user_id = ' . (int) $this->data['user_id'] . '
824	AND session_time >= ' . (int) ($this->time_now - (max((int) $config['session_length'], (int) $config['form_token_lifetime'])));
825	$result = $db->sql_query($sql);
826	$row = $db->sql_fetchrow($result);
827	$db->sql_freeresult($result);
828
829	if ((int) $row['sessions'] <= 1 \|\| empty($this->data['user_form_salt']))
830	{
831	$this->data['user_form_salt'] = unique_id();
832	// Update the form key
833	$sql = 'UPDATE ' . USERS_TABLE . '
834	SET user_form_salt = \'' . $db->sql_escape($this->data['user_form_salt']) . '\',
835	user_last_active = ' . (int) $this->time_now . '
836	WHERE user_id = ' . (int) $this->data['user_id'];
837	$db->sql_query($sql);
838	}
839	else
840	{
841	$this->update_last_active_time();
842	}
843	}
844	else
845	{
846	$this->data['session_time'] = $this->data['session_last_visit'] = $this->time_now;
847
848	$this->update_user_lastvisit();
849
850	if ($phpbb_container->getParameter('session.force_sid'))
851	{
852	$SID = '?sid=';
853	$_SID = '';
854	}
855	}
856
857	$session_data = $sql_ary;
858	/**
859	* Event to send new session data to extension
860	* Read-only event
861	*
862	* @event core.session_create_after
863	* @var array session_data Associative array of session keys to be updated
864	* @since 3.1.6-RC1
865	*/
866	$vars = array('session_data');
867	extract($phpbb_dispatcher->trigger_event('core.session_create_after', compact($vars)));
868	unset($session_data);
869
870	return true;
871	}
872
873	/**
874	* Kills a session
875	*
876	* This method does what it says on the tin. It will delete a pre-existing session.
877	* It resets cookie information (destroying any autologin key within that cookie data)
878	* and update the users information from the relevant session data. It will then
879	* grab guest user information.
880	*/
881	function session_kill($new_session = true)
882	{
883	global $SID, $_SID, $db, $phpbb_container, $phpbb_dispatcher;
884
885	$sql = 'DELETE FROM ' . SESSIONS_TABLE . "
886	WHERE session_id = '" . $db->sql_escape($this->session_id) . "'
887	AND session_user_id = " . (int) $this->data['user_id'];
888	$db->sql_query($sql);
889
890	$user_id = (int) $this->data['user_id'];
891	$session_id = $this->session_id;
892	/**
893	* Event to send session kill information to extension
894	* Read-only event
895	*
896	* @event core.session_kill_after
897	* @var int user_id user_id of the session user.
898	* @var string session_id current user's session_id
899	* @var bool new_session should we create new session for user
900	* @since 3.1.6-RC1
901	*/
902	$vars = array('user_id', 'session_id', 'new_session');
903	extract($phpbb_dispatcher->trigger_event('core.session_kill_after', compact($vars)));
904	unset($user_id);
905	unset($session_id);
906
907	// Allow connecting logout with external auth method logout
908	/* @var $provider_collection \phpbb\auth\provider_collection */
909	$provider_collection = $phpbb_container->get('auth.provider_collection');
910	$provider = $provider_collection->get_provider();
911	$provider->logout($this->data, $new_session);
912
913	if ($this->data['user_id'] != ANONYMOUS)
914	{
915	// Delete existing session, update last visit info first!
916	if (!isset($this->data['session_time']))
917	{
918	$this->data['session_time'] = time();
919	}
920
921	$sql = 'UPDATE ' . USERS_TABLE . '
922	SET user_lastvisit = ' . (int) $this->data['session_time'] . '
923	WHERE user_id = ' . (int) $this->data['user_id'];
924	$db->sql_query($sql);
925
926	if ($this->cookie_data['k'])
927	{
928	$sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
929	WHERE user_id = ' . (int) $this->data['user_id'] . "
930	AND key_id = '" . $db->sql_escape(md5($this->cookie_data['k'])) . "'";
931	$db->sql_query($sql);
932	}
933
934	// Reset the data array
935	$this->data = array();
936
937	$sql = 'SELECT *
938	FROM ' . USERS_TABLE . '
939	WHERE user_id = ' . ANONYMOUS;
940	$result = $db->sql_query($sql);
941	$this->data = $db->sql_fetchrow($result);
942	$db->sql_freeresult($result);
943	}
944
945	$cookie_expire = $this->time_now - 31536000;
946	$this->set_cookie('u', '', $cookie_expire);
947	$this->set_cookie('k', '', $cookie_expire);
948	$this->set_cookie('sid', '', $cookie_expire);
949	unset($cookie_expire);
950
951	$SID = '?sid=';
952	$this->session_id = $_SID = '';
953
954	// To make sure a valid session is created we create one for the anonymous user
955	if ($new_session)
956	{
957	$this->session_create(ANONYMOUS);
958	}
959
960	return true;
961	}
962
963	/**
964	* Session garbage collection
965	*
966	* This looks a lot more complex than it really is. Effectively we are
967	* deleting any sessions older than an admin definable limit. Due to the
968	* way in which we maintain session data we have to ensure we update user
969	* data before those sessions are destroyed. In addition this method
970	* removes autologin key information that is older than an admin defined
971	* limit.
972	*/
973	function session_gc()
974	{
975	global $db, $config, $phpbb_container, $phpbb_dispatcher;
976
977	if (!$this->time_now)
978	{
979	$this->time_now = time();
980	}
981
982	/**
983	* Get expired sessions for registered users, only most recent for each user
984	* Inner SELECT gets most recent expired sessions for unique session_user_id
985	* Outer SELECT gets data for them
986	*/
987	$sql_select = 'SELECT s1.session_page, s1.session_user_id, s1.session_time AS recent_time
988	FROM ' . SESSIONS_TABLE . ' AS s1
989	INNER JOIN (
990	SELECT session_user_id, MAX(session_time) AS recent_time
991	FROM ' . SESSIONS_TABLE . '
992	WHERE session_time < ' . ($this->time_now - (int) $config['session_length']) . '
993	AND session_user_id <> ' . ANONYMOUS . '
994	GROUP BY session_user_id
995	) AS s2
996	ON s1.session_user_id = s2.session_user_id
997	AND s1.session_time = s2.recent_time';
998
999	switch ($db->get_sql_layer())
1000	{
1001	case 'sqlite3':
1002	if (phpbb_version_compare($db->sql_server_info(true), '3.8.3', '>='))
1003	{
1004	// For SQLite versions 3.8.3+ which support Common Table Expressions (CTE)
1005	$sql = "WITH s3 (session_page, session_user_id, session_time) AS ($sql_select)
1006	UPDATE " . USERS_TABLE . '
1007	SET (user_lastpage, user_lastvisit) = (SELECT session_page, session_time FROM s3 WHERE session_user_id = user_id)
1008	WHERE EXISTS (SELECT session_user_id FROM s3 WHERE session_user_id = user_id)';
1009	$db->sql_query($sql);
1010
1011	break;
1012	}
1013
1014	// No break, for SQLite versions prior to 3.8.3 and Oracle
1015	case 'oracle':
1016	$result = $db->sql_query($sql_select);
1017	while ($row = $db->sql_fetchrow($result))
1018	{
1019	$sql = 'UPDATE ' . USERS_TABLE . '
1020	SET user_lastvisit = ' . (int) $row['recent_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "'
1021	WHERE user_id = " . (int) $row['session_user_id'];
1022	$db->sql_query($sql);
1023	}
1024	$db->sql_freeresult($result);
1025	break;
1026
1027	case 'mysqli':
1028	$sql = 'UPDATE ' . USERS_TABLE . " u,
1029	($sql_select) s3
1030	SET u.user_lastvisit = s3.recent_time, u.user_lastpage = s3.session_page
1031	WHERE u.user_id = s3.session_user_id";
1032	$db->sql_query($sql);
1033	break;
1034
1035	default:
1036	$sql = 'UPDATE ' . USERS_TABLE . "
1037	SET user_lastvisit = s3.recent_time, user_lastpage = s3.session_page
1038	FROM ($sql_select) s3
1039	WHERE user_id = s3.session_user_id";
1040	$db->sql_query($sql);
1041	break;
1042	}
1043
1044	// Delete all expired sessions
1045	$sql = 'DELETE FROM ' . SESSIONS_TABLE . '
1046	WHERE session_time < ' . ($this->time_now - (int) $config['session_length']);
1047	$db->sql_query($sql);
1048
1049	// Update gc timer
1050	$config->set('session_last_gc', $this->time_now, false);
1051
1052	if ($config['max_autologin_time'])
1053	{
1054	$sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
1055	WHERE last_login < ' . (time() - (86400 * (int) $config['max_autologin_time']));
1056	$db->sql_query($sql);
1057	}
1058
1059	// only called from CRON; should be a safe workaround until the infrastructure gets going
1060	/* @var \phpbb\captcha\factory $captcha_factory */
1061	$captcha_factory = $phpbb_container->get('captcha.factory');
1062	$captcha_factory->garbage_collect($config['captcha_plugin']);
1063
1064	$sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . '
1065	WHERE attempt_time < ' . (time() - (int) $config['ip_login_limit_time']);
1066	$db->sql_query($sql);
1067
1068	/**
1069	* Event to trigger extension on session_gc
1070	*
1071	* @event core.session_gc_after
1072	* @since 3.1.6-RC1
1073	*/
1074	$phpbb_dispatcher->trigger_event('core.session_gc_after');
1075	}
1076
1077	/**
1078	* Sets a cookie
1079	*
1080	* Sets a cookie of the given name with the specified data for the given length of time. If no time is specified, a session cookie will be set.
1081	*
1082	* @param string $name Name of the cookie, will be automatically prefixed with the phpBB cookie name. track becomes [cookie_name]_track then.
1083	* @param string $cookiedata The data to hold within the cookie
1084	* @param int $cookietime The expiration time as UNIX timestamp. If 0 is provided, a session cookie is set.
1085	* @param bool $httponly Use HttpOnly. Defaults to true. Use false to make cookie accessible by client-side scripts.
1086	*/
1087	function set_cookie($name, $cookiedata, $cookietime, $httponly = true)
1088	{
1089	global $config, $phpbb_dispatcher;
1090
1091	// If headers are already set, we just return
1092	if (headers_sent())
1093	{
1094	return;
1095	}
1096
1097	$disable_cookie = false;
1098	/**
1099	* Event to modify or disable setting cookies
1100	*
1101	* @event core.set_cookie
1102	* @var bool disable_cookie Set to true to disable setting this cookie
1103	* @var string name Name of the cookie
1104	* @var string cookiedata The data to hold within the cookie
1105	* @var int cookietime The expiration time as UNIX timestamp
1106	* @var bool httponly Use HttpOnly?
1107	* @since 3.2.9-RC1
1108	*/
1109	$vars = array(
1110	'disable_cookie',
1111	'name',
1112	'cookiedata',
1113	'cookietime',
1114	'httponly',
1115	);
1116	extract($phpbb_dispatcher->trigger_event('core.set_cookie', compact($vars)));
1117
1118	if ($disable_cookie)
1119	{
1120	return;
1121	}
1122
1123	$name_data = rawurlencode($config['cookie_name'] . '_' . $name) . '=' . rawurlencode($cookiedata);
1124	$expire = gmdate('D, d-M-Y H:i:s \\G\\M\\T', $cookietime);
1125	$domain = (!$config['cookie_domain'] \|\| $config['cookie_domain'] == '127.0.0.1' \|\| strpos($config['cookie_domain'], '.') === false) ? '' : '; domain=' . $config['cookie_domain'];
1126
1127	header('Set-Cookie: ' . $name_data . (($cookietime) ? '; expires=' . $expire : '') . '; path=' . $config['cookie_path'] . $domain . ((!$config['cookie_secure']) ? '' : '; secure') . ';' . (($httponly) ? ' HttpOnly' : ''), false);
1128	}
1129
1130	/**
1131	* Check for banned user
1132	*
1133	* Checks whether the supplied user is banned by id, ip or email. If no parameters
1134	* are passed to the method pre-existing session data is used.
1135	*
1136	* @param int\|false $user_id The user id
1137	* @param mixed $user_ips Can contain a string with one IP or an array of multiple IPs
1138	* @param string\|false $user_email The user email
1139	* @param bool $return If $return is false this routine does not return on finding a banned user,
1140	* it outputs a relevant message and stops execution.
1141	*/
1142	function check_ban($user_id = false, $user_ips = false, $user_email = false, $return = false)
1143	{
1144	global $phpbb_container, $phpbb_dispatcher;
1145
1146	if (defined('IN_CHECK_BAN') \|\| defined('SKIP_CHECK_BAN'))
1147	{
1148	return false;
1149	}
1150
1151	/** @var \phpbb\ban\manager $ban_manager */
1152	$ban_manager = $phpbb_container->get('ban.manager');
1153	$ban_row = $ban_manager->check(['user_id' => $user_id, 'user_email' => $user_email]);
1154	if (empty($ban_row))
1155	{
1156	return false;
1157	}
1158
1159	$banned = true;
1160	$ban_triggered_by = $ban_row['mode'];
1161
1162	/**
1163	* Event to set custom ban type
1164	*
1165	* @event core.session_set_custom_ban
1166	* @var bool return If $return is false this routine does not return on finding a banned user, it outputs a relevant message and stops execution
1167	* @var bool banned Check if user already banned
1168	* @var array\|false ban_row Ban data
1169	* @var string ban_triggered_by Method that caused ban, can be your custom method
1170	* @since 3.1.3-RC1
1171	*/
1172	$ban_row = isset($ban_row) ? $ban_row : false;
1173	$vars = array('return', 'banned', 'ban_row', 'ban_triggered_by');
1174	extract($phpbb_dispatcher->trigger_event('core.session_set_custom_ban', compact($vars)));
1175
1176	if ($banned && !$return)
1177	{
1178	global $config, $phpbb_root_path, $phpEx;
1179
1180	// Initiate environment ... since it won't be set at this stage
1181	$this->setup();
1182
1183	// Logout the user, banned users are unable to use the normal 'logout' link
1184	if ($this->data['user_id'] != ANONYMOUS)
1185	{
1186	$this->session_kill();
1187	}
1188
1189	// We show a login box here to allow founders accessing the board if banned by IP
1190	if (defined('IN_LOGIN') && $this->data['user_id'] == ANONYMOUS)
1191	{
1192	$this->setup('ucp');
1193	$this->data['is_registered'] = $this->data['is_bot'] = false;
1194
1195	// Set as a precaution to allow login_box() handling this case correctly as well as this function not being executed again.
1196	define('IN_CHECK_BAN', 1);
1197
1198	login_box("index.$phpEx");
1199
1200	// The false here is needed, else the user is able to circumvent the ban.
1201	$this->session_kill(false);
1202	}
1203
1204	// Ok, we catch the case of an empty session id for the anonymous user...
1205	// This can happen if the user is logging in, banned by username and the login_box() being called "again".
1206	if (empty($this->session_id) && defined('IN_CHECK_BAN'))
1207	{
1208	$this->session_create(ANONYMOUS);
1209	}
1210
1211	// Determine which message to output
1212	$contact_link = phpbb_get_board_contact_link($config, $phpbb_root_path, $phpEx);
1213	$message = $ban_manager->get_ban_message($ban_row, $ban_triggered_by, $contact_link);
1214
1215	// A very special case... we are within the cron script which is not supposed to print out the ban message... show blank page
1216	if (defined('IN_CRON'))
1217	{
1218	garbage_collection();
1219	exit_handler();
1220	exit;
1221	}
1222
1223	// To circumvent session_begin returning a valid value and the check_ban() not called on second page view, we kill the session again
1224	$this->session_kill(false);
1225
1226	trigger_error($message);
1227	}
1228
1229	if (!empty($ban_row))
1230	{
1231	$ban_row['ban_triggered_by'] = $ban_triggered_by;
1232	}
1233
1234	return ($banned && $ban_row) ? $ban_row : $banned;
1235	}
1236
1237	/**
1238	* Check the current session for bans
1239	*/
1240	protected function check_ban_for_current_session($config)
1241	{
1242	if (!defined('SKIP_CHECK_BAN') && $this->data['user_type'] != USER_FOUNDER)
1243	{
1244	if (!$config['forwarded_for_check'])
1245	{
1246	$this->check_ban($this->data['user_id'], $this->ip);
1247	}
1248	else
1249	{
1250	$ips = explode(' ', $this->forwarded_for);
1251	$ips[] = $this->ip;
1252	$this->check_ban($this->data['user_id'], $ips);
1253	}
1254	}
1255	}
1256
1257	/**
1258	* Check if ip is blacklisted by Spamhaus SBL
1259	*
1260	* Disables DNSBL setting if errors are returned by Spamhaus due to a policy violation.
1261	* https://www.spamhaus.com/product/help-for-spamhaus-public-mirror-users/
1262	*
1263	* @param string $dnsbl the blacklist to check against
1264	* @param string\|false $ip the IPv4 address to check
1265	*
1266	* @return bool true if listed in spamhaus database, false if not
1267	*/
1268	function check_dnsbl_spamhaus($dnsbl, $ip = false)
1269	{
1270	global $config, $phpbb_log;
1271
1272	if ($ip === false)
1273	{
1274	$ip = $this->ip;
1275	}
1276
1277	// Spamhaus does not support IPv6 addresses.
1278	if (strpos($ip, ':') !== false)
1279	{
1280	return false;
1281	}
1282
1283	if ($ip)
1284	{
1285	$quads = explode('.', $ip);
1286	$reverse_ip = $quads[3] . '.' . $quads[2] . '.' . $quads[1] . '.' . $quads[0];
1287
1288	$records = dns_get_record($reverse_ip . '.' . $dnsbl . '.', DNS_A);
1289	if (empty($records))
1290	{
1291	return false;
1292	}
1293	else
1294	{
1295	$error = false;
1296	foreach ($records as $record)
1297	{
1298	if ($record['ip'] == '127.255.255.254')
1299	{
1300	$error = 'LOG_SPAMHAUS_OPEN_RESOLVER';
1301	break;
1302	}
1303	else if ($record['ip'] == '127.255.255.255')
1304	{
1305	$error = 'LOG_SPAMHAUS_VOLUME_LIMIT';
1306	break;
1307	}
1308	}
1309
1310	if ($error !== false)
1311	{
1312	$config->set('check_dnsbl', 0);
1313	$phpbb_log->add('critical', $this->data['user_id'], $ip, $error);
1314	}
1315	else
1316	{
1317	// The existence of a non-error A record means it's a hit
1318	return true;
1319	}
1320	}
1321	}
1322
1323	return false;
1324	}
1325
1326	/**
1327	* Checks if an IPv4 address is in a specified DNS blacklist
1328	*
1329	* Only checks if a record is returned or not.
1330	*
1331	* @param string $dnsbl the blacklist to check against
1332	* @param string\|false $ip the IPv4 address to check
1333	*
1334	* @return bool true if record is returned, false if not
1335	*/
1336	function check_dnsbl_ipv4_generic($dnsbl, $ip = false)
1337	{
1338	if ($ip === false)
1339	{
1340	$ip = $this->ip;
1341	}
1342
1343	// This function does not support IPv6 addresses.
1344	if (strpos($ip, ':') !== false)
1345	{
1346	return false;
1347	}
1348
1349	$quads = explode('.', $ip);
1350	$reverse_ip = $quads[3] . '.' . $quads[2] . '.' . $quads[1] . '.' . $quads[0];
1351
1352	if (checkdnsrr($reverse_ip . '.' . $dnsbl . '.', 'A') === true)
1353	{
1354	return true;
1355	}
1356
1357	return false;
1358	}
1359
1360	/**
1361	* Check if ip is blacklisted
1362	* This should be called only where absolutely necessary
1363	*
1364	* Only IPv4 (rbldns does not support AAAA records/IPv6 lookups)
1365	*
1366	* @author satmd (from the php manual)
1367	* @param string $mode register/post - spamcop for example is omitted for posting
1368	* @param string\|false $ip the IPv4 address to check
1369	*
1370	* @return array\|false false if ip is not blacklisted, else an array([checked server], [lookup])
1371	*/
1372	function check_dnsbl($mode, $ip = false)
1373	{
1374	if ($ip === false)
1375	{
1376	$ip = $this->ip;
1377	}
1378
1379	// Neither Spamhaus nor Spamcop supports IPv6 addresses.
1380	if (strpos($ip, ':') !== false)
1381	{
1382	return false;
1383	}
1384
1385	$dnsbl_check = array(
1386	'sbl.spamhaus.org' => ['https://check.spamhaus.org/listed/?searchterm=', 'check_dnsbl_spamhaus'],
1387	);
1388
1389	if ($mode == 'register')
1390	{
1391	$dnsbl_check['bl.spamcop.net'] = ['https://www.spamcop.net/bl.shtml?', 'check_dnsbl_ipv4_generic'];
1392	}
1393
1394	if ($ip)
1395	{
1396	// Need to be listed on all servers...
1397	$listed = true;
1398	$info = array();
1399
1400	foreach ($dnsbl_check as $dnsbl => $lookup)
1401	{
1402	if (call_user_func(array($this, $lookup[1]), $dnsbl, $ip) === true)
1403	{
1404	$info = array($dnsbl, $lookup[0] . $ip);
1405	}
1406	else
1407	{
1408	$listed = false;
1409	}
1410	}
1411
1412	if ($listed)
1413	{
1414	return $info;
1415	}
1416	}
1417
1418	return false;
1419	}
1420
1421	/**
1422	* Check if URI is blacklisted
1423	* This should be called only where absolutely necessary, for example on the submitted website field
1424	* This function is not in use at the moment and is only included for testing purposes, it may not work at all!
1425	* This means it is untested at the moment and therefore commented out
1426	*
1427	* @param string $uri URI to check
1428	* @return true if uri is on blacklist, else false. Only blacklist is checked (~zero FP), no grey lists
1429	function check_uribl($uri)
1430	{
1431	// Normally parse_url() is not intended to parse uris
1432	// We need to get the top-level domain name anyway... change.
1433	$uri = parse_url($uri);
1434
1435	if ($uri === false \|\| empty($uri['host']))
1436	{
1437	return false;
1438	}
1439
1440	$uri = trim($uri['host']);
1441
1442	if ($uri)
1443	{
1444	// One problem here... the return parameter for the "windows" method is different from what
1445	// we expect... this may render this check useless...
1446	if (checkdnsrr($uri . '.multi.uribl.com.', 'A') === true)
1447	{
1448	return true;
1449	}
1450	}
1451
1452	return false;
1453	}
1454	*/
1455
1456	/**
1457	* Set/Update a persistent login key
1458	*
1459	* This method creates or updates a persistent session key. When a user makes
1460	* use of persistent (formerly auto-) logins a key is generated and stored in the
1461	* DB. When they revisit with the same key it's automatically updated in both the
1462	* DB and cookie. Multiple keys may exist for each user representing different
1463	* browsers or locations. As with _any_ non-secure-socket no passphrase login this
1464	* remains vulnerable to exploit.
1465	*/
1466	function set_login_key($user_id = false, $key = false, $user_ip = false)
1467	{
1468	global $db, $phpbb_dispatcher;
1469
1470	$user_id = ($user_id === false) ? $this->data['user_id'] : $user_id;
1471	$user_ip = ($user_ip === false) ? $this->ip : $user_ip;
1472	$key = ($key === false) ? (($this->cookie_data['k']) ? $this->cookie_data['k'] : false) : $key;
1473
1474	$key_id = unique_id();
1475
1476	$sql_ary = array(
1477	'key_id' => (string) md5($key_id),
1478	'last_ip' => (string) $user_ip,
1479	'last_login' => (int) time()
1480	);
1481
1482	if (!$key)
1483	{
1484	$sql_ary += array(
1485	'user_id' => (int) $user_id
1486	);
1487	}
1488
1489	if ($key)
1490	{
1491	$sql = 'UPDATE ' . SESSIONS_KEYS_TABLE . '
1492	SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
1493	WHERE user_id = ' . (int) $user_id . "
1494	AND key_id = '" . $db->sql_escape(md5($key)) . "'";
1495	}
1496	else
1497	{
1498	$sql = 'INSERT INTO ' . SESSIONS_KEYS_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_ary);
1499	}
1500
1501	/**
1502	* Event to adjust autologin keys process
1503	*
1504	* @event core.set_login_key
1505	* @var string\|false key Current autologin key if exists, false otherwise
1506	* @var string key_id New autologin key
1507	* @var string sql SQL query to update/insert autologin key
1508	* @var array sql_ary Aray with autologin key data
1509	* @var int user_id Current user's ID
1510	* @var string user_ip Current user's IP address
1511	* @since 3.3.2-RC1
1512	*/
1513	$vars = [
1514	'key',
1515	'key_id',
1516	'sql',
1517	'sql_ary',
1518	'user_id',
1519	'user_ip',
1520	];
1521	extract($phpbb_dispatcher->trigger_event('core.set_login_key', compact($vars)));
1522
1523	$db->sql_query($sql);
1524
1525	$this->cookie_data['k'] = $key_id;
1526
1527	return false;
1528	}
1529
1530	/**
1531	* Reset all login keys for the specified user
1532	*
1533	* This method removes all current login keys for a specified (or the current)
1534	* user. It will be called on password change to render old keys unusable
1535	*/
1536	function reset_login_keys($user_id = false)
1537	{
1538	global $db;
1539
1540	$user_id = ($user_id === false) ? (int) $this->data['user_id'] : (int) $user_id;
1541
1542	$sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
1543	WHERE user_id = ' . (int) $user_id;
1544	$db->sql_query($sql);
1545
1546	// If the user is logged in, update last visit info first before deleting sessions
1547	$sql = 'SELECT session_time, session_page
1548	FROM ' . SESSIONS_TABLE . '
1549	WHERE session_user_id = ' . (int) $user_id . '
1550	ORDER BY session_time DESC';
1551	$result = $db->sql_query_limit($sql, 1);
1552	$row = $db->sql_fetchrow($result);
1553	$db->sql_freeresult($result);
1554
1555	if ($row)
1556	{
1557	$sql = 'UPDATE ' . USERS_TABLE . '
1558	SET user_lastvisit = ' . (int) $row['session_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "'
1559	WHERE user_id = " . (int) $user_id;
1560	$db->sql_query($sql);
1561	}
1562
1563	// Let's also clear any current sessions for the specified user_id
1564	// If it's the current user then we'll leave this session intact
1565	$sql_where = 'session_user_id = ' . (int) $user_id;
1566	$sql_where .= ($user_id === (int) $this->data['user_id']) ? " AND session_id <> '" . $db->sql_escape($this->session_id) . "'" : '';
1567
1568	$sql = 'DELETE FROM ' . SESSIONS_TABLE . "
1569	WHERE $sql_where";
1570	$db->sql_query($sql);
1571
1572	// We're changing the password of the current user and they have a key
1573	// Lets regenerate it to be safe
1574	if ($user_id === (int) $this->data['user_id'] && $this->cookie_data['k'])
1575	{
1576	$this->set_login_key($user_id);
1577	}
1578	}
1579
1580
1581	/**
1582	* Check if the request originated from the same page.
1583	* @param bool $check_script_path If true, the path will be checked as well
1584	*/
1585	function validate_referer($check_script_path = false)
1586	{
1587	global $config, $request;
1588
1589	// no referer - nothing to validate, user's fault for turning it off (we only check on POST; so meta can't be the reason)
1590	if (empty($this->referer) \|\| empty($this->host))
1591	{
1592	return true;
1593	}
1594
1595	$host = htmlspecialchars($this->host, ENT_COMPAT);
1596	$ref = substr($this->referer, strpos($this->referer, '://') + 3);
1597
1598	if (!(stripos($ref, $host) === 0) && (!$config['force_server_vars'] \|\| !(stripos($ref, $config['server_name']) === 0)))
1599	{
1600	return false;
1601	}
1602	else if ($check_script_path && rtrim($this->page['root_script_path'], '/') !== '')
1603	{
1604	$ref = substr($ref, strlen($host));
1605	$server_port = $request->server('SERVER_PORT', 0);
1606
1607	if ($server_port !== 80 && $server_port !== 443 && stripos($ref, ":$server_port") === 0)
1608	{
1609	$ref = substr($ref, strlen(":$server_port"));
1610	}
1611
1612	if (!(stripos(rtrim($ref, '/'), rtrim($this->page['root_script_path'], '/')) === 0))
1613	{
1614	return false;
1615	}
1616	}
1617
1618	return true;
1619	}
1620
1621
1622	function unset_admin()
1623	{
1624	global $db;
1625	$sql = 'UPDATE ' . SESSIONS_TABLE . '
1626	SET session_admin = 0
1627	WHERE session_id = \'' . $db->sql_escape($this->session_id) . '\'';
1628	$db->sql_query($sql);
1629	}
1630
1631	/**
1632	* Update the session data
1633	*
1634	* @param array $session_data associative array of session keys to be updated
1635	* @param string $session_id optional session_id, defaults to current user's session_id
1636	*/
1637	public function update_session($session_data, $session_id = null)
1638	{
1639	global $db, $phpbb_dispatcher;
1640
1641	$session_id = ($session_id) ? $session_id : $this->session_id;
1642
1643	$sql = 'UPDATE ' . SESSIONS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $session_data) . "
1644	WHERE session_id = '" . $db->sql_escape($session_id) . "'";
1645	$db->sql_query($sql);
1646
1647	/**
1648	* Event to send update session information to extension
1649	* Read-only event
1650	*
1651	* @event core.update_session_after
1652	* @var array session_data Associative array of session keys to be updated
1653	* @var string session_id current user's session_id
1654	* @since 3.1.6-RC1
1655	*/
1656	$vars = array('session_data', 'session_id');
1657	extract($phpbb_dispatcher->trigger_event('core.update_session_after', compact($vars)));
1658	}
1659
1660	public function update_session_infos()
1661	{
1662	global $config, $db, $request;
1663
1664	// No need to update if it's a new session. Informations are already inserted by session_create()
1665	if (isset($this->data['session_created']) && $this->data['session_created'])
1666	{
1667	return;
1668	}
1669
1670	// Do not update the session page for ajax requests, so the view online still works as intended
1671	$page_changed = $this->update_session_page && (!isset($this->data['session_page']) \|\| $this->data['session_page'] != $this->page['page'] \|\| $this->data['session_forum_id'] != $this->page['forum']) && !$request->is_ajax();
1672
1673	// Only update session DB a minute or so after last update or if page changes
1674	if ($this->time_now - (isset($this->data['session_time']) ? $this->data['session_time'] : 0) > 60 \|\| $page_changed)
1675	{
1676	$sql_ary = array('session_time' => $this->time_now);
1677
1678	if ($page_changed)
1679	{
1680	$sql_ary['session_page'] = substr($this->page['page'], 0, 199);
1681	$sql_ary['session_forum_id'] = $this->page['forum'];
1682	}
1683
1684	$db->sql_return_on_error(true);
1685
1686	$this->update_session($sql_ary);
1687
1688	$db->sql_return_on_error(false);
1689
1690	$this->data = array_merge($this->data, $sql_ary);
1691
1692	if ($this->data['user_id'] != ANONYMOUS && isset($config['new_member_post_limit'])
1693	&& $this->data['user_new'] && $config['new_member_post_limit'] <= $this->data['user_posts']
1694	&& $this instanceof user)
1695	{
1696	$this->leave_newly_registered();
1697	}
1698	}
1699	}
1700
1701	/**
1702	* Get user ID
1703	*
1704	* @return int User ID
1705	*/
1706	public function id() : int
1707	{
1708	return isset($this->data['user_id']) ? (int) $this->data['user_id'] : ANONYMOUS;
1709	}
1710
1711	/**
1712	* Update user last visit time
1713	*/
1714	public function update_user_lastvisit()
1715	{
1716	global $db;
1717
1718	if (isset($this->data['session_time'], $this->data['user_id']))
1719	{
1720	$sql = 'UPDATE ' . USERS_TABLE . '
1721	SET user_lastvisit = ' . (int) $this->data['session_time'] . ',
1722	user_last_active = ' . $this->time_now . '
1723	WHERE user_id = ' . (int) $this->data['user_id'];
1724	$db->sql_query($sql);
1725	}
1726	}
1727
1728	/**
1729	* Update user's last active time
1730	*
1731	* @return void
1732	*/
1733	public function update_last_active_time()
1734	{
1735	global $db;
1736
1737	if (isset($this->time_now, $this->data['user_id']))
1738	{
1739	$sql = 'UPDATE ' . USERS_TABLE . '
1740	SET user_last_active = ' . $this->time_now . '
1741	WHERE user_id = ' . (int) $this->data['user_id'];
1742	$db->sql_query($sql);
1743	}
1744	}
1745	}