phpBB API Documentation
Class

session

class session

Session class

Properties

$cookie_data
$page
$data
$browser
$forwarded_for
$host
$session_id
$ip
$load
$time_now
$update_session_page

Methods

extract_current_page(string $root_path)

Extract current session page
extract_current_hostname()

Get valid hostname/port.
session_begin(bool $update_session_page = true)

Start session management
session_create($user_id = false, $set_admin = false, $persist_login = false, $viewonline = true)

Create a new session
session_kill($new_session = true)

Kills a session
session_gc()

Session garbage collection
set_cookie(string $name, string $cookiedata, int $cookietime)

Sets a cookie
check_ban($user_id = false, $user_ips = false, $user_email = false, $return = false)

Check for banned user
false check_dnsbl($mode, $ip = false)

Check if ip is blacklisted This should be called only where absolutly necessary
set_login_key($user_id = false, $key = false, $user_ip = false)

Set/Update a persistent login key
reset_login_keys($user_id = false)

Reset all login keys for the specified user
validate_referer(bool $check_script_path = false)

Check if the request originated from the same page.
unset_admin()

Details

at line 42
public extract_current_page(string $root_path)

Extract current session page

Parameters

string $root_path current root path (phpbbrootpath)

at line 144
public extract_current_hostname()

Get valid hostname/port.

HTTPHOST is used, SERVERNAME if HTTP_HOST not present.

at line 208
public session_begin(bool $update_session_page = true)

Start session management

This is where all session activity begins. We gather various pieces of information from the client and server. We test to see if a session already exists. If it does, fine and dandy. If it doesn't we'll go on to create a new one ... pretty logical heh? We also examine the system load (if we're running on a system which makes such information readily available) and halt if it's above an admin definable limit.

Parameters

bool $update_session_page if true the session page gets updated. This can be set to circumvent certain scripts to update the users last visited page.

at line 490
public session_create($user_id = false, $set_admin = false, $persist_login = false, $viewonline = true)

Create a new session

If upon trying to start a session we discover there is nothing existing we jump here. Additionally this method is called directly during login to regenerate the session for the specific user. In this method we carry out a number of tasks; garbage collection, (search)bot checking, banned user comparison. Basically though this method will result in a new session for a specific user.

Parameters

$user_id
$set_admin
$persist_login
$viewonline

at line 884
public session_kill($new_session = true)

Kills a session

This method does what it says on the tin. It will delete a pre-existing session. It resets cookie information (destroying any autologin key within that cookie data) and update the users information from the relevant session data. It will then grab guest user information.

Parameters

$new_session

at line 963
public session_gc()

Session garbage collection

This looks a lot more complex than it really is. Effectively we are deleting any sessions older than an admin definable limit. Due to the way in which we maintain session data we have to ensure we update user data before those sessions are destroyed. In addition this method removes autologin key information that is older than an admin defined limit.

Sets a cookie

Sets a cookie of the given name with the specified data for the given length of time. If no time is specified, a session cookie will be set.

Parameters

string $name Name of the cookie, will be automatically prefixed with the phpBB cookie name. track becomes [cookiename]track then.
string $cookiedata The data to hold within the cookie
int $cookietime The expiration time as UNIX timestamp. If 0 is provided, a session cookie is set.

at line 1069
public check_ban($user_id = false, $user_ips = false, $user_email = false, $return = false)

Check for banned user

Checks whether the supplied user is banned by id, ip or email. If no parameters are passed to the method pre-existing session data is used. If $return is false this routine does not return on finding a banned user, it outputs a relevant message and stops execution.

Parameters

$user_id
$user_ips
$user_email
$return

at line 1265
public false check_dnsbl($mode, $ip = false)

Check if ip is blacklisted This should be called only where absolutly necessary

Only IPv4 (rbldns does not support AAAA records/IPv6 lookups)

Parameters

$mode
$ip

Return Value

false if ip is not blacklisted, else an array([checked server], [lookup])

at line 1362
public set_login_key($user_id = false, $key = false, $user_ip = false)

Set/Update a persistent login key

This method creates or updates a persistent session key. When a user makes use of persistent (formerly auto-) logins a key is generated and stored in the DB. When they revisit with the same key it's automatically updated in both the DB and cookie. Multiple keys may exist for each user representing different browsers or locations. As with any non-secure-socket no passphrase login this remains vulnerable to exploit.

Parameters

$user_id
$key
$user_ip

at line 1409
public reset_login_keys($user_id = false)

Reset all login keys for the specified user

This method removes all current login keys for a specified (or the current) user. It will be called on password change to render old keys unusable

Parameters

$user_id

at line 1458
public validate_referer(bool $check_script_path = false)

Check if the request originated from the same page.

Parameters

bool $check_script_path If true, the path will be checked as well

at line 1495
public unset_admin()