Consolidate session store, using only $_SESSION

Eliminates the use of imas_sessions

Squashed commit of the following:

commit edf1021
Author: drlippman <drlippman@yahoo.com>
Date:   Fri Mar 20 18:39:12 2020 -0700

    eliminate "global $_SESSION" declarations

commit 296f04a
Author: drlippman <drlippman@yahoo.com>
Date:   Thu Mar 19 18:39:58 2020 -0700

    Restore altered graphdisp/mathdisp settings after action

commit 4369f0f
Author: drlippman <drlippman@yahoo.com>
Date:   Thu Mar 19 01:04:41 2020 -0700

    Remove outdated functions: importmacros, importqimages, importcoursefiles

commit 8f65969
Author: drlippman <drlippman@yahoo.com>
Date:   Thu Mar 19 01:02:55 2020 -0700

    Store import files on S3

commit 192c0af
Author: drlippman <drlippman@yahoo.com>
Date:   Thu Mar 12 22:32:33 2020 -0700

    Consolidate all session store into $_SESSION

    Eliminates the need for imas_sessions table and $sessiondata variable
    User is logged in when $_SESSION['userid'] is set

DEembedq.php

@@ -16,9 +16,9 @@
 require("./assessment/displayq2.php");
 $GLOBALS['assessver'] = 1;
 
-$sessiondata = array();
-$sessiondata['graphdisp'] = 1;
-$sessiondata['mathdisp'] = 3;
+$_SESSION = array();
+$_SESSION['graphdisp'] = 1;
+$_SESSION['mathdisp'] = 3;
 $showtips = 2;
 $useeqnhelper = 4;
 $courseUIver = 1;
@@ -35,7 +35,7 @@
 }
 
 $qsetid=intval($_GET['id']);
-$sessiondata['coursetheme'] = $coursetheme;
+$_SESSION['coursetheme'] = $coursetheme;
 
 $page_formAction = "DEembedq.php?id=$qsetid";
 

OEAembedq.php

@@ -16,7 +16,7 @@
 require("./assessment/displayq2.php");
 $GLOBALS['assessver'] = 2;
 
-$sessiondata = array();
+$_SESSION = array();
 
 $prefdefaults = array(
 	'mathdisp'=>6,
@@ -26,27 +26,27 @@
 	'livepreview'=>1);
 
 $prefcookie = json_decode($_COOKIE["OEAembeduserprefs"], true);
-$sessiondata['userprefs'] = array();
+$_SESSION['userprefs'] = array();
 foreach($prefdefaults as $key=>$def) {
 	if ($prefcookie!==null && isset($prefcookie[$key])) {
-		$sessiondata['userprefs'][$key] = filter_var($prefcookie[$key], FILTER_SANITIZE_NUMBER_INT);
+		$_SESSION['userprefs'][$key] = filter_var($prefcookie[$key], FILTER_SANITIZE_NUMBER_INT);
 	} else {
-		$sessiondata['userprefs'][$key] = $def;
+		$_SESSION['userprefs'][$key] = $def;
 	}
 }
 if (isset($_GET['graphdisp'])) { //currently same is used for graphdisp and drawentry
-	$sessiondata['userprefs']['graphdisp'] = filter_var($_GET['graphdisp'], FILTER_SANITIZE_NUMBER_INT);
-	$sessiondata['userprefs']['drawentry'] = filter_var($_GET['graphdisp'], FILTER_SANITIZE_NUMBER_INT);
+	$_SESSION['userprefs']['graphdisp'] = filter_var($_GET['graphdisp'], FILTER_SANITIZE_NUMBER_INT);
+	$_SESSION['userprefs']['drawentry'] = filter_var($_GET['graphdisp'], FILTER_SANITIZE_NUMBER_INT);
 	setcookie("OEAembeduserprefs", json_encode(array(
-		'graphdisp'=>$sessiondata['userprefs']['graphdisp'],
-		'drawentry'=>$sessiondata['userprefs']['drawentry']
+		'graphdisp'=>$_SESSION['userprefs']['graphdisp'],
+		'drawentry'=>$_SESSION['userprefs']['drawentry']
 		)),0,'','',false,true);
 }
 foreach(array('graphdisp','mathdisp','useed') as $key) {
-	$sessiondata[$key] = $sessiondata['userprefs'][$key];
+	$_SESSION[$key] = $_SESSION['userprefs'][$key];
 }
 
-$sessiondata['secsalt'] = "12345";
+$_SESSION['secsalt'] = "12345";
 $cid = "embedq";
 $showtips = 2;
 $useeqnhelper = 4;
@@ -94,7 +94,7 @@
 if (isset($_REQUEST['theme'])) {
 	$theme = preg_replace('/\W/','',$_REQUEST['theme']);
 	$page_formAction .= '&theme='.$theme;
-	$sessiondata['coursetheme'] = $theme.'.css';
+	$_SESSION['coursetheme'] = $theme.'.css';
 }
 
 
@@ -129,7 +129,7 @@ function sendresizemsg() {
 		});
 	}
 	</script>';
-if ($sessiondata['mathdisp']==1 || $sessiondata['mathdisp']==3) {
+if ($_SESSION['mathdisp']==1 || $_SESSION['mathdisp']==3) {
 	//in case MathJax isn't loaded yet
 	$placeinhead .= '<script type="text/x-mathjax-config">
 		MathJax.Hub.Queue(function () {
@@ -140,7 +140,7 @@ function sendresizemsg() {
 $useeditor = 1;
 require("./assessment/header.php");
 
-if ($sessiondata['graphdisp'] == 1) {
+if ($_SESSION['graphdisp'] == 1) {
 	echo '<div style="position:absolute;width:1px;height:1px;left:0px:top:-1px;overflow:hidden;"><a href="OEAembedq.php?'.Sanitize::encodeStringForDisplay($_SERVER['QUERY_STRING']).'&graphdisp=0">Enable text based alternatives for graph display and drawing entry</a></div>';
 } else {
 	echo '<div style="float:right;"><a href="OEAembedq.php?'.Sanitize::encodeStringForDisplay($_SERVER['QUERY_STRING']).'&graphdisp=1">Enable visual graph display and drawing entry</a></div>';

actions.php

@@ -388,9 +388,6 @@
 
 	require("init.php");
 	if ($_GET['action']=="logout") {
-		$sessionid = session_id();
-		$stm = $DBH->prepare("DELETE FROM imas_sessions WHERE sessionid=?");
-		$stm->execute(array($sessionid));
 		$_SESSION = array();
 		if (isset($_COOKIE[session_name()])) {
 			setcookie(session_name(), '', time()-42000, '/', null, false, true);
@@ -783,15 +780,6 @@
 
 		}
 
-
-		/* moved above
-		if (isset($_POST['settimezone'])) {
-			if (date_default_timezone_set($_POST['settimezone'])) {
-				$tzname = $_POST['settimezone'];
-				$stm = $DBH->prepare("UPDATE imas_sessions SET tzname=:tzname WHERE sessionid=:sessionid");
-				$stm->execute(array(':tzname'=>$tzname, ':sessionid'=>$sessionid));
-			}
-		}*/
 	} else if ($_GET['action']=="forumwidgetsettings") {
 		$checked = $_POST['checked'];
 		$all = explode(',',$_POST['allcourses']);
@@ -810,14 +798,14 @@
 	}
 	if ($isgb) {
 		echo '<html><body>Changes Recorded.  <input type="button" onclick="parent.GB_hide()" value="Done" /></body></html>';
-	} else if (isset($sessiondata['ltiitemtype']) && $sessiondata['ltiitemtype']==0) {
+	} else if (isset($_SESSION['ltiitemtype']) && $_SESSION['ltiitemtype']==0) {
 		$stm = $DBH->prepare("SELECT courseid FROM imas_assessments WHERE id=:id");
-		$stm->execute(array(':id'=>$sessiondata['ltiitemid']));
+		$stm->execute(array(':id'=>$_SESSION['ltiitemid']));
 		$cid = Sanitize::courseId($stm->fetchColumn(0));
-		if (isset($sessiondata['ltiitemver']) && $sessiondata['ltiitemver'] > 1) {
-			header('Location: ' . $GLOBALS['basesiteurl'] . "/assess2/?cid=$cid&aid={$sessiondata['ltiitemid']}&r=".Sanitize::randomQueryStringParam());
+		if (isset($_SESSION['ltiitemver']) && $_SESSION['ltiitemver'] > 1) {
+			header('Location: ' . $GLOBALS['basesiteurl'] . "/assess2/?cid=$cid&aid={$_SESSION['ltiitemid']}&r=".Sanitize::randomQueryStringParam());
 		} else {
-			header('Location: ' . $GLOBALS['basesiteurl'] . "/assessment/showtest.php?cid=$cid&id={$sessiondata['ltiitemid']}&r=".Sanitize::randomQueryStringParam());
+			header('Location: ' . $GLOBALS['basesiteurl'] . "/assessment/showtest.php?cid=$cid&id={$_SESSION['ltiitemid']}&r=".Sanitize::randomQueryStringParam());
 		}
 	} else {
 		header('Location: ' . $GLOBALS['basesiteurl'] . "/index.php?r=" . Sanitize::randomQueryStringParam());

admin/actions.php

@@ -43,8 +43,7 @@
 	case "emulateuser":
 		if ($myrights < 100 ) { break;}
 		$be = $_REQUEST['uid'];
-		$stm = $DBH->prepare("UPDATE imas_sessions SET userid=:userid WHERE sessionid=:sessionid");
-		$stm->execute(array(':userid'=>$be, ':sessionid'=>$sessionid));
+		$_SESSION['userid'] = $be;
 		break;
 	case "chgrights":
 		if ($myrights < 75 && ($myspecialrights&16)!=16 && ($myspecialrights&32)!=32) { echo "You don't have the authority for this action"; break;}
@@ -403,9 +402,6 @@
 		}
 		break;
 	case "logout":
-		$sessionid = session_id();
-		$stm = $DBH->prepare("DELETE FROM imas_sessions WHERE sessionid=:sessionid");
-		$stm->execute(array(':sessionid'=>$sessionid));
 		$_SESSION = array();
 		if (isset($_COOKIE[session_name()])) {
 			setcookie(session_name(), '', time()-42000, '/', '',false ,true );
@@ -985,143 +981,6 @@ function updateoutcomes(&$arr) {
 			}
 		}
 		break;
-	/*
-	removed from production code - security risk
-	case "importmacros":
-		if ($myrights < 100 || !$allowmacroinstall) { echo "You don't have the authority for this action"; break;}
-		$uploaddir = rtrim(dirname("../config.php"), '/\\') .'/assessment/libs/';
-		$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
-		if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
-			if (strpos($uploadfile,'.php')!==FALSE) {
-				$handle = fopen($uploadfile, "r");
-				$atstart = true;
-				if ($handle) {
-					while (!feof($handle)) {
-						$buffer = fgets($handle, 4096);
-						if (strpos($buffer,"//")===0) {
-							$trimmed = trim(substr($buffer,2));
-							if ($trimmed{0}!='<' && substr($trimmed,-1)!='>') {
-								$numspaces = strlen(substr($buffer,2)) - strlen(ltrim(substr($buffer,2)));
-								$comments .= str_repeat('&nbsp;', $numspaces);
-								$comments .= $trimmed . '<br/>';
-							} else {
-								$comments .= $trimmed;
-							}
-						} else if (strpos($buffer,"function")===0) {
-							$func = substr($buffer,9,strpos($buffer,"(")-9);
-							if ($comments!='') {
-								$outlines .= "<h2><a name=\"$func\">$func</a></h2>\n";
-								$funcs[] = $func;
-								$outlines .= $comments;
-								$comments = '';
-							}
-						} else if ($atstart && trim($buffer)=='') {
-							$startcomments = $comments;
-							$atstart = false;
-							$comments = '';
-						} else {
-							$comments = '';
-						}
-					}
-				}
-				fclose($handle);
-				$lib = basename($uploadfile,".php");
-				$outfile = fopen($uploaddir . $lib.".html", "w");
-				fwrite($outfile,"<html><body>\n<h1>Macro Library $lib</h1>\n");
-				fwrite($outfile,$startcomments);
-				fwrite($outfile,"<ul>\n");
-				foreach($funcs as $func) {
-					fwrite($outfile,"<li><a href=\"#$func\">$func</a></li>\n");
-				}
-				fwrite($outfile,"</ul>\n");
-				fwrite($outfile, $outlines);
-				fclose($outfile);
-			}
-			break;
-		} else {
-			require("../header.php");
-			echo "<p>Error uploading file!</p>\n";
-			require("../footer.php");
-			exit;
-		}
-	*/
-	case "importqimages":
-		if ($myrights < 100 || !$allowmacroinstall) { echo "You don't have the authority for this action"; break;}
-		$uploaddir = rtrim(dirname(__FILE__), '/\\') .'/import/';
-		$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
-		if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
-			if (strpos($uploadfile,'.tar.gz')!==FALSE) {
-				include("../includes/tar.class.php");
-				require_once("../includes/filehandler.php");
-				$tar = new tar();
-				$tar->openTAR($uploadfile);
-				if ($tar->hasFiles()) {
-					if (getfilehandlertype('filehandlertypecfiles') == 's3') {
-						$n = $tar->extractToS3("qimages","public");
-					} else {
-						$n = $tar->extractToDir("../assessment/qimages/");
-					}
-					require("../header.php");
-					echo "<p>Extracted $n files.  <a href=\"admin2.php\">Continue</a></p>\n";
-					require("../footer.php");
-					exit;
-				} else {
-					require("../header.php");
-					echo "<p>File appears to contain nothing</p>\n";
-					require("../footer.php");
-					exit;
-				}
-
-			}
-			unlink($uploadfile);
-			break;
-		} else {
-			require("../header.php");
-			echo "<p>Error uploading file!</p>\n";
-			require("../footer.php");
-			exit;
-		}
-	case "importcoursefiles":
-		if ($myrights < 100 || !$allowmacroinstall) { echo "You don't have the authority for this action"; break;}
-		$uploaddir = rtrim(dirname(__FILE__), '/\\') .'/import/';
-		$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
-		if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
-			if (strpos($uploadfile,'.zip')!==FALSE && class_exists('ZipArchive')) {
-				require_once("../includes/filehandler.php");
-				$zip = new ZipArchive();
-				$res = $zip->open($uploadfile);
-				$ne = 0;  $ns = 0;
-				if ($res===true) {
-					for($i = 0; $i < $zip->numFiles; $i++) {
-						//if (file_exists("../course/files/".$zip->getNameIndex($i))) {
-						if (doesfileexist('cfile',$zip->getNameIndex($i))) {
-							$ns++;
-						} else {
-							$zip->extractTo("../course/files/", array($zip->getNameIndex($i)));
-							relocatecoursefileifneeded("../course/files/".$zip->getNameIndex($i),$zip->getNameIndex($i));
-							$ne++;
-						}
-					}
-					require("../header.php");
-					echo "<p>Extracted $ne files.  Skipped $ns files.  <a href=\"admin2.php\">Continue</a></p>\n";
-					require("../footer.php");
-					exit;
-				} else {
-					require("../header.php");
-					echo "<p>File appears to contain nothing</p>\n";
-					require("../footer.php");
-					exit;
-				}
-
-			}
-			unlink($uploadfile);
-			break;
-		} else {
-			require("../header.php");
-			echo "<p>Error uploading file!</p>\n";
-			require("../footer.php");
-			exit;
-		}
 	case "removeself":
 		if ($myrights < 20) {
 			echo 'Error: Unauthorized';
@@ -1301,8 +1160,7 @@ function updateoutcomes(&$arr) {
 			//check that code is valid and not a replay
 			if ($MFA->verifyCode($mfadata['secret'], $_POST['mfatoken']) &&
 			   ($_POST['mfatoken'] != $mfadata['last'] || time() - $mfadata['laston'] > 600)) {
-				$sessiondata['mfaverified'] = true;
-				writesessiondata();
+				$_SESSION['mfaverified'] = true;
 				$mfadata['last'] = $_POST['mfatoken'];
 				$mfadata['laston'] = time();
 				if (isset($_POST['mfatrust'])) {

admin/forms.php

@@ -1213,44 +1213,6 @@ function setCourse(course) {
 			echo '<p class=small>'._('Course Ancestors').': '.Sanitize::encodeStringForDisplay($line['ancestors']).'</p>';
 		}
 		break;
-	case "importmacros":
-		if ($myrights < 100) { echo "You don't have the authority for this action"; break;}
-
-		echo "<h2>Install Macro File</h2>\n";
-		echo "<p><b>Warning:</b> Macro Files have a large security risk.  <b>Only install macro files from a trusted source</b></p>\n";
-		echo "<p><b>Warning:</b> Install will overwrite any existing macro file of the same name</p>\n";
-		echo "<form enctype=\"multipart/form-data\" method=post action=\"actions.php?from=".Sanitize::encodeUrlParam($from)."\">\n";
-		echo '<input type=hidden name=action value="importmacros" />';
-		echo "<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"300000\" />\n";
-		echo "<span class=form>Import file: </span><span class=formright><input name=\"userfile\" type=\"file\" /></span><br class=form>\n";
-		echo "<div class=submit><input type=submit value=\"Submit\"></div>\n";
-		echo "</form>\n";
-		break;
-
-	case "importqimages":
-		if ($myrights < 100) { echo "You don't have the authority for this action"; break;}
-		echo "<h2>Install Question Images</h2>\n";
-		echo "<p><b>Warning:</b> This has a large security risk.  <b>Only install question images from a trusted source</b>, and where you've verified the archive only contains images.</p>\n";
-		echo "<p><b>Warning:</b> Install will ignore files with the same filename as existing files.</p>\n";
-		echo "<form enctype=\"multipart/form-data\" method=post action=\"actions.php?from=".Sanitize::encodeUrlParam($from)."\">\n";
-		echo '<input type=hidden name=action value="importqimages" />';
-		echo "<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"5000000\" />\n";
-		echo "<span class=form>Import file: </span><span class=formright><input name=\"userfile\" type=\"file\" /></span><br class=form>\n";
-		echo "<div class=submit><input type=submit value=\"Submit\"></div>\n";
-		echo "</form>\n";
-		break;
-	case "importcoursefiles":
-		if ($myrights < 100) { echo "You don't have the authority for this action"; break;}
-		echo "<h2>Install Course files</h2>\n";
-		echo "<p><b>Warning:</b> This has a large security risk.  <b>Only install course files from a trusted source</b>, and where you've verified the archive only contains regular files (no PHP files).</p>\n";
-		echo "<p><b>Warning:</b> Install will ignore files with the same filename as existing files.</p>\n";
-		echo "<form enctype=\"multipart/form-data\" method=post action=\"actions.php?from=".Sanitize::encodeUrlParam($from)."\">\n";
-		echo '<input type=hidden name=action value="importcoursefiles" />';
-		echo "<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"10000000\" />\n";
-		echo "<span class=form>Import file: </span><span class=formright><input name=\"userfile\" type=\"file\" /></span><br class=form>\n";
-		echo "<div class=submit><input type=submit value=\"Submit\"></div>\n";
-		echo "</form>\n";
-		break;
 	case "deloldusers":
 		if ($myrights < 100) { echo "You don't have the authority for this action"; break;}
 		echo "<h2>Delete Old Users</h2>\n";