<?php
/*
 * Session Management Class
 * This class encapsulates PHP's session managment functions, enabling sessions to
 * be saved to a MySql database. The Session Managment class also uses a simple hash
 * mechanism, fixing the clients IP address to the current session ID and a more robust
 * session expiration facility.
 *
 * Use this SQL to create the required table in your MySql Database:
 *
   CREATE TABLE session (
       SessionId CHAR(32) PRIMARY KEY,
       Expire INTEGER UNSIGNED NOT NULL,
       Hash CHAR(32) NOT NULL,
       Data BLOB);

 * Copyright All Rights Reserved
 * Adam Delves (adam @ sccode . com)
 *
 * To see full documentation goto:
 * http://www.sccode.com/projects/filemanager/src/session_management.html
 */
 
class session_handler 
{
// PUBLIC PROPERTIES

    /* mysql link identifier - only used if set */
    var $db_link;

    /* 
     * name of the database to use
     * if not set then the current database is used
     */
    var $dbname;     

    /*
     * the amount of time after the session has expired - the session can remain
     * in the database - set 0 forever
     */
    var $database_ttl = 0;
    
    /* the maximum time between a request before the session has expired */
    var $ttl = 0;

    var $hash_text;

// PUBLIC METHODS

    function session_handler()
    {
        $this->hash_text = $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'];

        /* set the session handlers - as defined above */
        session_set_save_handler (Array (&$this, '_open'),
                                  Array (&$this, '_close'),
                                  Array (&$this, '_read'),
                                  Array (&$this, '_write'),
                                  Array (&$this, '_delete'),
                                  Array (&$this, '_garbage'));
    }
    
    function un_expire()
    {
        if ($this->_started) {
            $expire = time() + ($this->ttl * 60);
            $sid = session_id();

            $this->_query("UPDATE session SET Expire='$expire' WHERE SessionId='$sid' LIMIT 1");
            $this->_expired = false;
        } else {
            trigger_error('CLASS session->un_expire: Session has not started.', E_USER_WARNING);
        }
        
    }
    /*
     * returns true if this session has expired
     */
    function is_expired() 
    {
        if ($this->_started) {
            return $this->_expired;
        } else {
            trigger_error('CLASS session->is_expired: Session has not started.', E_USER_WARNING);
            return false;
        }       
    }
    
    /*
     * returns true if the client making the request has not a previously established session
     * and this is a newly generated session
     */
    function is_new()
    {
        if ($this->_started) {
            return $this->_new;
        } else {
            trigger_error('CLASS session->is_new: Session has not started.', E_USER_WARNING);
            return false;
        }
    }
    
    /*
     * returns true if the request made by the client generated a bad session hash
     * this will only occur if the clients IP address changes during a browsing session
     * or a malicous user attempts to spoof the session
     */
    function is_bad_hash()
    {
        if ($this->_started) {
            return $this->_badhash;
        } else {
            trigger_error('CLASS session->is_bad_hash: Session has not started.', E_USER_WARNING);
            return false;
        }
    }
    

// PRIVATE PROPERTIES

    var $_started = false; /* flag set to true when the session has started */
    var $_badhash = false; /* flag set to true if the session hash is invlaid */
    var $_expired = false; /* flag set to true if the session has expired */
    var $_new = false; /* flag set to true if this is a new session */
    
    var $_session; /* stores internal variables relating to session management */


// PRIVATE METHODS

    /*
     * this is a callback function executed by PHP when the session_open() function is
     * invoked
     */
    function _open() 
    {
        if (! $this->dbname) {
            $query = 'SELECT DATABASE()';
            $result = $this->_query($query);
            
            $row = mysql_fetch_row($result);
            $this->dbname = $row[0];
        }

        /* 
         * check and set the session name - this will be the name of the cookie or
         * get variable sent to between requests
         */
        $sname = session_name();

        /*
         * check the variable containing the session ID is an md5 hash and if not
         * generate a new one
         */
        if (! $this->_is_md5(session_id())) {
            session_id(md5(time()));
        }

        $this->_started = true;
        return true;        
    }

    /*
     * this is a callback function executed by PHP when the session is closed and / or
     * the script terminates
     */
    function _close()
    {
        return true;
    }
        
    /* 
     * this function is called by PHP when collecting the session data and
     * retireves the session data from the database
     */
    function _read($sid) 
    {
        if ($this->ttl) {
            $expire = ($this->ttl * 60) + time ();
        } else {
            $expire = 0;
        }
        
        $hash = md5($this->hash_text);
        
        $this->_select_db();
        
        /*
         * execute SQL query - exclude out of date sessions, they may still exist in the 
         * database if the garbage collection hasn't been done
         */
        $query = "SELECT Data col_data, Expire col_expire, Hash col_hash FROM session WHERE SessionId='$sid' LIMIT 1;";
        $result = $this->_query($query);	

        if (mysql_num_rows($result) == 0) {
            /* this is a new session - insert it into the database */        
            $this->_query("REPLACE INTO session (SessionId, Expire, Hash) VALUES ('$sid','$expire','$hash')");
            $this->_new = true;
            $data = '';
        } else {
            $row = mysql_fetch_assoc($result);
            $data = $row['col_data'];

            if ($row['col_expire'] && $row['col_expire'] < time()) {
                $this->_expired = true;
            } else {
                if ($row['col_hash'] != $hash) {
                    $this->_badhash = true;
                }

                $this->_query("UPDATE session SET Expire='$expire' WHERE SessionId='$sid' LIMIT 1");
            }
        }
        return $data;			
    }

    /* this function is called by PHP when saving session data
     * REMEMBER: function executed after STDOUT pipe has been closed
     * REMEMBER: function not executed if session contains no data
     */ 
    function _write($sid, $data) 
    {
        $data = addslashes($data);
        $this->_select_db();
        
        $query = "UPDATE session SET Data='$data' WHERE SessionId='$sid' LIMIT 1;";
        $this->_query($query);

        return true;
    }

    /* 
     * this function is called by PHP when a request is made to destroy a session
     * this function removes the session and session data from the database
     */
    function _delete($sid) 
    {
        $this->_select_db();
        
        /* query - remove related records from requests table too */
        $query = "DELETE FROM session WHERE SessionId='$sid';";
        $this->_query($query);

        return true;
    }

    /* 
     * this function is called by PHP to clean up old sessions from the database
     * REMEBER: this function is executed after the STDOUT pipe is closed
     */
    function _garbage() 
    {
        $this->_select_db();
        
        if ($this->database_ttl > 0) {
            $ttl = 60 * ($this->database_ttl + $this->ttl);

            $query = "DELETE FROM session WHERE UNIX_TIMESTAMP() - Expire > $ttl";
            $this->_query($query); 
        }
    }
    
    /* returns true if the supplied argument is an md5 hash */
    function _is_md5($hash)
    {
        return preg_match("/^[A-F0-9]{32}$/i", $hash);
    }

    /* selects the mysql database specified by the dbname property */
    function _select_db()
    {
        if (is_resource($this->db_link)) {
            $result = mysql_select_db($this->dbname, $this->db_link);
        } else {
            $result = mysql_select_db($this->dbname);
        }        
            
        if (! $result) trigger_error('CLASS session: Error Changing MySql database.', E_USER_ERROR);
    }
    
    /* executes a query in the mysql database - uses the db_link property if set */    
    function _query($query)
    {
        if (is_resource($this->db_link)) {
            $result = mysql_query($query, $this->db_link);
        } else {
            $result = mysql_query($query);
        }

        if (! $result) {
            $this->_query_error("CLASS request: Error executing query: \"$query\".");
        } else {
            return $result;
        }
    }

    /* outputs information on a query error */
    function _query_error($text)
    {
        if (is_resource($this->db_link)) {
            $errtext = mysql_error($this->db_link);
            $errno = mysql_errno($this->db_linl);
        } else {
            $errtext =  mysql_error();
            $errno = mysql_errno();
        }
        
        trigger_error("$text MYSQL ERROR: ($errno) $errtext", E_USER_ERROR);
    }
}
?>