Fixed #11430: Performance improvement: use $GLOBALS['EXEC_TIME'] instead of time...
[Packages/TYPO3.CMS.git] / t3lib / class.t3lib_userauth.php
index e11338a..12a7ae8 100644 (file)
@@ -199,7 +199,13 @@ class t3lib_userAuth {
                $this->loginType = ($this->name=='fe_typo_user') ? 'FE' : 'BE';
 
                        // set level to normal if not already set
-               $this->security_level = $this->security_level ? $this->security_level : 'normal';
+               if (!$this->security_level) {
+                       // Notice: cannot use TYPO3_MODE here because BE user can be logged in and operate inside FE!
+                       $this->security_level = trim($TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel']);
+                       if (!$this->security_level) {
+                               $this->security_level = 'normal';
+                       }
+               }
 
                        // enable dev logging if set
                if ($TYPO3_CONF_VARS['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['writeDevLog']) $this->writeDevLog = TRUE;
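Review bot: `trim($TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel'])` on the new line reads the index unconditionally, so an installation that has not set that key emits a notice before the fallback to 'normal' kicks in; guard it, e.g. `$this->security_level = isset($TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel']) ? trim($TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel']) : '';`. The configured value is also adopted verbatim, so a misspelled level name silently replaces the former default instead of being rejected — a comment naming the accepted values, or a check against them, would make that visible. The enclosing method starts outside the hunk.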
@@ -213,9 +219,12 @@ class t3lib_userAuth {
                $this->newSessionID = FALSE;
                        // $id is set to ses_id if cookie is present. Else set to false, which will start a new session
                $id = isset($_COOKIE[$this->name]) ? stripslashes($_COOKIE[$this->name]) : '';
-               $this->hash_length = t3lib_div::intInRange($this->hash_length,6,32);
                $this->svConfig = $TYPO3_CONF_VARS['SVCONF']['auth'];
 
+                       // if we have a flash client, take the ID from the GP
+               if (!$id && $GLOBALS['CLIENT']['BROWSER'] == 'flash') {
+                       $id = t3lib_div::_GP($this->name);
+               }
 
                        // If fallback to get mode....
                if (!$id && $this->getFallBack && $this->get_name)      {
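Review bot: Removing `$this->hash_length = t3lib_div::intInRange($this->hash_length,6,32);` drops the only visible bound on the session-ID length, and `createSessionId()` in the later hunk now passes `$this->hash_length` straight to `substr()`; unless the clamp was moved somewhere outside this diff, a misconfigured 0 or negative value would yield an empty or truncated ID. The clamp should stay here or move into `createSessionId()`. The new flash branch additionally accepts the session ID from GET/POST whenever `$GLOBALS['CLIENT']['BROWSER']` equals 'flash', a value presumably derived from the client-supplied User-Agent; the `isExistingSessionRecord($id)` check further down limits this to IDs that already exist, but a comment stating why the ID may come from request data and that it is subject to that check would help the next reader. The enclosing method starts and ends outside the hunk.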
@@ -228,7 +237,7 @@ class t3lib_userAuth {
                        // If new session or client tries to fix session...
                if (!$id || !$this->isExistingSessionRecord($id))       {
                                // New random session-$id is made
-                       $id = substr(md5(uniqid('').getmypid()),0,$this->hash_length);
+                       $id = $this->createSessionId();
                                // New session
                        $this->newSessionID = TRUE;
                }
@@ -284,7 +293,7 @@ class t3lib_userAuth {
                                if ($cookieDomain)      {
                                        SetCookie($this->name, $id, 0, '/', $cookieDomain);
                                } else {
-                                       SetCookie($this->name, $id, 0, '/');
+                                       SetCookie($this->name, $id, 0, t3lib_div::getIndpEnv('TYPO3_SITE_PATH'));
                                }
                                if ($this->writeDevLog)         t3lib_div::devLog('Set new Cookie: '.$id.($cookieDomain ? ', '.$cookieDomain : ''), 't3lib_userAuth');
                        }
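Review bot: The rewritten `SetCookie(...)` calls here and in the refresh hunk below (`SetCookie($this->name, $id, $GLOBALS['EXEC_TIME'] + $this->lifetime, ...)`) still pass neither the `secure` nor the `httponly` argument, so the session cookie stays readable from script and is sent over plain HTTP; this is pre-existing, but the calls are being touched anyway and the two extra arguments are cheap to add where the site's TLS setup allows. A short comment on why the path moved from '/' to `t3lib_div::getIndpEnv('TYPO3_SITE_PATH')` would also help, since a cookie scoped to the site path is no longer sent to a second TYPO3 instance under another sub-path on the same host. The enclosing method starts and ends outside the hunk.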
@@ -294,9 +303,9 @@ class t3lib_userAuth {
                if ($this->isRefreshTimeBasedCookie())  {
                        if (!$this->dontSetCookie)      {
                                if ($cookieDomain)      {
-                                       SetCookie($this->name, $id, time()+$this->lifetime, '/', $cookieDomain);
+                                       SetCookie($this->name, $id, $GLOBALS['EXEC_TIME'] + $this->lifetime, '/', $cookieDomain);
                                } else {
-                                       SetCookie($this->name, $id, time()+$this->lifetime, '/');
+                                       SetCookie($this->name, $id, $GLOBALS['EXEC_TIME'] + $this->lifetime, t3lib_div::getIndpEnv('TYPO3_SITE_PATH'));
                                }
                                if ($this->writeDevLog)         t3lib_div::devLog('Update Cookie: '.$id.($cookieDomain ? ', '.$cookieDomain : ''), 't3lib_userAuth');
                        }
@@ -332,6 +341,7 @@ class t3lib_userAuth {
                if ((rand()%100) <= $this->gc_probability)      {
                        $this->gc();
                }
+
        }
 
        /**
@@ -599,6 +609,14 @@ class t3lib_userAuth {
                }
        }
 
+       /**
+        * Creates a new session ID.
+        * 
+        * @return      string          The new session ID
+        */
+       public function createSessionId() {
+               return substr(md5(uniqid('') . getmypid()), 0, $this->hash_length);
+       }
 
 
 
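Review bot: `createSessionId()` builds the ID from `md5(uniqid('') . getmypid())`, and `uniqid('')` without `more_entropy` is essentially a microsecond timestamp while the PID is stable across requests, so the space an attacker has to search for a valid ID is narrow; the `isExistingSessionRecord()` check on the caller side limits the impact but adds no entropy. Consider `uniqid('', true)` combined with an unpredictable server-side value before hashing, and state the assumption in the docblock, e.g. `@return string The new session ID, $this->hash_length hex characters of an md5 digest`. The docblock line `* ` on the new method also carries trailing whitespace.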
@@ -676,20 +694,10 @@ class t3lib_userAuth {
 
                if ($this->writeDevLog)         t3lib_div::devLog('Fetch session ses_id = '.$this->id, 't3lib_userAuth');
 
-                       // The session_id is used to find user in the database. Two tables are joined: The session-table with user_id of the session and the usertable with its primary key
-               $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
-                                               '*',
-                                               $this->session_table.','.$this->user_table,
-                                               $this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
-                                                       AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
-                                                       AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
-                                                       '.$this->ipLockClause().'
-                                                       '.$this->hashLockClause().'
-                                                       '.$this->user_where_clause()
-                                       );
-
+                       // fetch the user session from the DB
+               $dbres = $this->fetchUserSessionFromDB();
 
-               if ($user = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres))      {
+               if ($dbres && $user = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres)) {
                                // A user was found
                        if (is_string($this->auth_timeout_field))       {
                                $timeout = intval($user[$this->auth_timeout_field]);            // Get timeout-time from usertable
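Review bot: `if ($dbres && $user = ...)` now treats a failed query (`$dbres === false`) exactly like "no session found", which hides a database error behind a silent logout; since `$this->writeDevLog` is already consulted two lines up, log that case too, e.g. `if (!$dbres && $this->writeDevLog) t3lib_div::devLog('Fetch session: query failed', 't3lib_userAuth');`. The comment `// fetch the user session from the DB` only restates the call; replace it with what the reader needs, `// FALSE on DB error, otherwise a result set joining the session row with its user row`. The enclosing method starts and ends outside the hunk.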
@@ -791,6 +799,27 @@ class t3lib_userAuth {
         *************************/
 
        /**
+        * The session_id is used to find user in the database.
+        * Two tables are joined: The session-table with user_id of the session and the usertable with its primary key
+        * @return DB result object or false on error
+        * @access private
+        */
+       protected function fetchUserSessionFromDB() {
+               $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
+                                       '*',
+                                       $this->session_table.','.$this->user_table,
+                                       $this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
+                                               AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
+                                               AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
+                                               '.$this->ipLockClause().'
+                                               '.$this->hashLockClause().'
+                                               '.$this->user_where_clause()
+               );
+               return $dbres;
+       }
+
+
+       /**
         * This returns the where-clause needed to select the user with respect flags like deleted, hidden, starttime, endtime
         *
         * @return      string
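Review bot: The docblock of `fetchUserSessionFromDB()` says `@access private` while the method is declared `protected`, and `@return DB result object or false on error` is not a type; use `@return mixed Result resource from exec_SELECTquery(), or FALSE on error` and drop the `@access` tag. The `$dbres` temporary adds nothing — `return $GLOBALS['TYPO3_DB']->exec_SELECTquery(...)` reads the same. A one-line note that `ipLockClause()` and `hashLockClause()` are what bind the session to the client would also tell the reader why those two calls are part of the join.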
@@ -800,8 +829,8 @@ class t3lib_userAuth {
                return  (($this->enablecolumns['rootLevel']) ? 'AND '.$this->user_table.'.pid=0 ' : '').
                                (($this->enablecolumns['disabled']) ? ' AND '.$this->user_table.'.'.$this->enablecolumns['disabled'].'=0' : '').
                                (($this->enablecolumns['deleted']) ? ' AND '.$this->user_table.'.'.$this->enablecolumns['deleted'].'=0' : '').
-                               (($this->enablecolumns['starttime']) ? ' AND ('.$this->user_table.'.'.$this->enablecolumns['starttime'].'<='.time().')' : '').
-                               (($this->enablecolumns['endtime']) ? ' AND ('.$this->user_table.'.'.$this->enablecolumns['endtime'].'=0 OR '.$this->user_table.'.'.$this->enablecolumns['endtime'].'>'.time().')' : '');
+                               (($this->enablecolumns['starttime']) ? ' AND (' . $this->user_table . '.' . $this->enablecolumns['starttime'] . '<=' . $GLOBALS['EXEC_TIME'] . ')' : '') .
+                               (($this->enablecolumns['endtime']) ? ' AND (' . $this->user_table . '.' . $this->enablecolumns['endtime'] . '=0 OR ' . $this->user_table . '.' . $this->enablecolumns['endtime'] . '>' . $GLOBALS['EXEC_TIME'] . ')' : '');
        }
 
        /**
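Review bot: `$GLOBALS['EXEC_TIME']` is concatenated into the SQL on the two new lines without a cast, whereas the gc() hunk below wraps its arithmetic in `intval()`; for consistency, and so the clause stays well-formed should EXEC_TIME ever hold a non-integer, use `(int)$GLOBALS['EXEC_TIME']` in both the starttime and endtime comparisons. The enclosing user_where_clause() starts outside the hunk.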
@@ -1136,8 +1165,8 @@ class t3lib_userAuth {
        function gc() {
                $GLOBALS['TYPO3_DB']->exec_DELETEquery(
                                        $this->session_table,
-                                       'ses_tstamp < '.intval(time()-($this->gc_time)).'
-                                               AND ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table)
+                                       'ses_tstamp < ' . intval($GLOBALS['EXEC_TIME'] - ($this->gc_time)) .
+                                               ' AND ses_name = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table)
                                );
        }