[project/fb.git] / fb_session.inc

<?php
/**
 * @file
 * This file is a replacement for Drupal's session.inc.  Although not
 * truly a replacement, as we include the default session.inc to do the heavy
 * lifting.
 *
 * In this file we handle some special cases for iframe canvas pages by faking
 * cookies in cases where browsers do not accept them.  We do this here
 * because we must set session_id early in the bootstrap process, and Drupal
 * gives us no way to easily do that.
 */

// Default session handler functions.
require('includes/session.inc');

// When Drupal's bootstrap includes this file, we have a chance to spoof a
// session cookie.
if (isset($_COOKIE[session_name()])) {
  // Forget anything we thought we knew about session.
  fb_settings(FB_SETTINGS_CB_SESSION, FALSE);
}
elseif (fb_settings(FB_SETTINGS_TYPE) &&
        fb_settings(FB_SETTINGS_TYPE) != 'connect') {
  $session_id = NULL;
  if ($token = fb_settings(FB_SETTINGS_TOKEN)) {
    // Learned token from signed_request or session.
    $session_id = md5($token);
    fb_settings(FB_SETTINGS_CB_SESSION, FALSE);
  }
  elseif (isset($_REQUEST['signed_request']) || isset($_REQUEST['session'])) {
    // Signed request, but no token means not logged in.

    // Parse session from URL.
    if ($session_id === NULL && function_exists('_fb_settings_parse')) {
      $session_id = _fb_settings_parse(FB_SETTINGS_CB_SESSION);
    }

    if (!$session_id) {
      // Generating an id and embedding in the URL will make a session where there would otherwise be none.
      $session_id = uniqid(mt_rand(), TRUE);
      // Embed session in URL.
      fb_settings(FB_SETTINGS_CB_SESSION, $session_id);
    }
  }


  // Spoof a cookie so Drupal's session.inc works as expected.
  if ($session_id) {
    session_id($session_id);
    $_COOKIE[session_name()] = session_id();
    $_COOKIE['_fb_session_cookie_fake'] = TRUE;
    $GLOBALS['_fb_session_id'] = $session_id;
  }
}

/**
 * When spoofing cookies, sess_regenerate causes problems when it changes the
 * session id.  Here we undo that change.  Called from fb_user.module.
 */
function fb_sess_regenerate_hack() {
  if (isset($GLOBALS['_fb_session_id'])) {
    $session_id = $GLOBALS['_fb_session_id'];
    db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", $session_id, session_id());
    session_id($session_id);
  }
}
Commit	Line	Data
549aa675	1	<?php
72dcacc7	2	/**
456be90c	3	* @file
626faa71 DC	4	* This file is a replacement for Drupal's session.inc. Although not
	5	* truly a replacement, as we include the default session.inc to do the heavy
	6	* lifting.
	7	*
	8	* In this file we handle some special cases for iframe canvas pages by faking
	9	* cookies in cases where browsers do not accept them. We do this here
	10	* because we must set session_id early in the bootstrap process, and Drupal
	11	* gives us no way to easily do that.
72dcacc7	12	*/
549aa675	13
f54b3a2b DC	14	// Default session handler functions.
f54b3a2b DC	15	require('includes/session.inc');
72dcacc7	16
626faa71 DC	17	// When Drupal's bootstrap includes this file, we have a chance to spoof a
626faa71 DC	18	// session cookie.
68c6fdc9	19	if (isset($_COOKIE[session_name()])) {
626faa71 DC	20	// Forget anything we thought we knew about session.
	21	fb_settings(FB_SETTINGS_CB_SESSION, FALSE);
	22	}
	23	elseif (fb_settings(FB_SETTINGS_TYPE) &&
	24	fb_settings(FB_SETTINGS_TYPE) != 'connect') {
	25	$session_id = NULL;
	26	if ($token = fb_settings(FB_SETTINGS_TOKEN)) {
	27	// Learned token from signed_request or session.
	28	$session_id = md5($token);
875843a4	29	fb_settings(FB_SETTINGS_CB_SESSION, FALSE);
626faa71 DC	30	}
	31	elseif (isset($_REQUEST['signed_request']) \|\| isset($_REQUEST['session'])) {
	32	// Signed request, but no token means not logged in.
626faa71	33
875843a4 DC	34	// Parse session from URL.
	35	if ($session_id === NULL && function_exists('_fb_settings_parse')) {
	36	$session_id = _fb_settings_parse(FB_SETTINGS_CB_SESSION);
	37	}
	38
	39	if (!$session_id) {
	40	// Generating an id and embedding in the URL will make a session where there would otherwise be none.
	41	$session_id = uniqid(mt_rand(), TRUE);
	42	// Embed session in URL.
	43	fb_settings(FB_SETTINGS_CB_SESSION, $session_id);
	44	}
626faa71 DC	45	}
626faa71 DC	46
875843a4	47
626faa71 DC	48	// Spoof a cookie so Drupal's session.inc works as expected.
	49	if ($session_id) {
	50	session_id($session_id);
626faa71 DC	51	$_COOKIE[session_name()] = session_id();
626faa71 DC	52	$_COOKIE['_fb_session_cookie_fake'] = TRUE;
875843a4	53	$GLOBALS['_fb_session_id'] = $session_id;
626faa71	54	}
f54b3a2b	55	}
72dcacc7	56
f54b3a2b	57	/**
626faa71 DC	58	* When spoofing cookies, sess_regenerate causes problems when it changes the
626faa71 DC	59	* session id. Here we undo that change. Called from fb_user.module.
f54b3a2b	60	*/
626faa71	61	function fb_sess_regenerate_hack() {
875843a4 DC	62	if (isset($GLOBALS['_fb_session_id'])) {
875843a4 DC	63	$session_id = $GLOBALS['_fb_session_id'];
626faa71 DC	64	db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", $session_id, session_id());
	65	session_id($session_id);
	66	}
a24a1868	67	}