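<%
' This lovely class was ported over from PHP by Andrew Freiday.
' It originated from the WROX Professional PHP 5 book as a
' simple class to store sessions and session variables in a database,
' which is more secure than using native ASP sessions
'
' To use:
'   Set objUS = new clsUserSession
'   objUS.Impress
'   objUS.Login("email", "password")
'   objUS.var_set("var name", "var value")
'   Response.Write objUS.var_get("var name")
'   objUS.Logout
' That's about it
'
' Most of this is commented in Javadoc-like format! Weee!
' (http://en.wikipedia.org/wiki/Javadoc)
'
' Every SQL statement is run through RunQuery, which binds the values that
' come from the browser or the caller (email, password, variable names and
' values, user agent, ids) as ADODB parameters instead of splicing them
' into the SQL text. The class relies on a page-level ADODB.Connection
' named objConn, which is opened elsewhere.

Class clsUserSession
    Private asp_session_id
    Private native_session_id
    Private logged_in
    Private account_id
    Private company_id
    Private session_timeout
    Private session_lifespan
    ' ADO DataTypeEnum values, held in fields because a VBScript class
    ' cannot declare Const members
    Private ad_integer   ' adInteger = 3
    Private ad_varchar   ' adVarChar = 200

    ' **
    ' * Class constructor. Starts the session and detects if the session
    ' * is expired. If it is expired, it does a little garbage collection
    ' * on the database and clears the in-memory login state, so a request
    ' * whose row was just deleted cannot still report itself as logged in.
    ' *
    Private Sub Class_Initialize()
        Dim strUserAgent, rsSess

        ad_integer = 3
        ad_varchar = 200

        ' Session times (in minutes)
        session_timeout = 30
        session_lifespan = 300

        strUserAgent = Request.ServerVariables("HTTP_USER_AGENT")
        asp_session_id = Session.SessionID

        ' Loads, or creates, the database row for this ASP session
        Session_OnStart

        If (asp_session_id) Then
            ' The row is still valid only if it matches the browser's user agent,
            ' is younger than the lifespan and was impressed within the timeout
            ' (or never impressed yet)
            Set rsSess = RunQuery( _
                "SELECT id FROM tblUserSessions WHERE ascii_id=? " & _
                "AND (DATEDIFF(MINUTE, created, GETDATE()) < ?) " & _
                "AND user_agent=? " & _
                "AND (DATEDIFF(MINUTE, last_impression, GETDATE()) <= ? OR last_impression IS NULL)", _
                Array(ad_varchar, ad_integer, ad_varchar, ad_integer), _
                Array(CStr(asp_session_id), session_lifespan, strUserAgent, session_timeout))

            If rsSess.EOF Then
                ' Delete this session from the database, along with anything
                ' else that has outlived its lifespan
                Call RunQuery( _
                    "DELETE FROM tblUserSessions WHERE (ascii_id=?) " & _
                    "OR (DATEDIFF(MINUTE, created, GETDATE()) > ?)", _
                    Array(ad_varchar, ad_integer), _
                    Array(CStr(asp_session_id), session_lifespan))

                ' Clean up old variables
                Call RunQuery( _
                    "DELETE FROM tblSessionVariables WHERE session_id NOT IN (SELECT id FROM tblUserSessions)", _
                    Array(), Array())

                ' Whatever Session_OnStart loaded belonged to the row that was
                ' just deleted, so forget it for the rest of this request
                native_session_id = Empty
                logged_in = False
                account_id = 0
                company_id = 0

                ' Get rid of the session
                Session.Abandon
            End If
            Set rsSess = Nothing
        End If

        Session.Timeout = session_lifespan
    End Sub

    ' **
    ' * Starts a new page impression. Use this on every necessary page
    ' * to indicate the user's last impression and not have their session
    ' * timeout. It seems unnecessary, but it's really not.
    ' *
    Public Sub Impress()
        If (native_session_id) Then
            Call RunQuery( _
                "UPDATE tblUserSessions SET last_impression = GETDATE() WHERE id = ?", _
                Array(ad_integer), Array(native_session_id))
        End If
    End Sub

    ' **
    ' * Whether the user is logged in or not
    ' *
    ' * @return True if they are logged in, or false if not
    Public Function IsLoggedIn()
        IsLoggedIn = logged_in
    End Function

    ' **
    ' * Returns the appropriate account ID for this session
    ' *
    ' * @return Integer of the account ID if they are logged in, or
    ' *         false otherwise
    Public Function GetUserID()
        If (logged_in) Then
            GetUserID = account_id
        Else
            GetUserID = False
        End If
    End Function

    ' **
    ' * Returns the appropriate company ID for this session
    ' *
    ' * @return Integer of the company ID if they are logged in, or
    ' *         false otherwise
    Public Function GetCompanyID()
        If (logged_in) Then
            GetCompanyID = company_id
        Else
            GetCompanyID = False
        End If
    End Function

    ' **
    ' * Gets the session identifier as indicated normally by Session.SessionID
    ' *
    ' * The name keeps its extra "s" for existing callers. The original body
    ' * assigned to GetSessionIdentifier (two s), which in VBScript just
    ' * created an unused local, so the function always returned Empty.
    ' *
    ' * @return asp_session_id
    Public Function GetSesssionIdentifier()
        GetSesssionIdentifier = asp_session_id
    End Function

    ' **
    ' * Correctly spelled alias of GetSesssionIdentifier
    ' *
    ' * @return asp_session_id
    Public Function GetSessionIdentifier()
        GetSessionIdentifier = asp_session_id
    End Function

    ' **
    ' * Logs the user in using the standard email and password, and updates
    ' * their session (in the database) if it is successful
    ' *
    ' * NOTE(review): the supplied password is compared against the stored
    ' * column as-is. If tblAccounts holds passwords in the clear, hashing
    ' * belongs at the storage layer and the comparison should then be done
    ' * in code against the hash; the parameter binding here only removes
    ' * the SQL injection in the original string-built query.
    ' *
    ' * @return True if they were logged in, false if they weren't
    Public Function Login(stremail, strPassword)
        Dim rsLogin
        Set rsLogin = RunQuery( _
            "SELECT id, company_id FROM tblAccounts WHERE email=? AND password=?", _
            Array(ad_varchar, ad_varchar), _
            Array(stremail, strPassword))

        If Not rsLogin.EOF Then
            account_id = rsLogin("id")
            company_id = rsLogin("company_id")
            logged_in = True

            Call RunQuery( _
                "UPDATE tblUserSessions SET logged_in=?, account_id=?, company_id=? WHERE id=?", _
                Array(ad_integer, ad_integer, ad_integer, ad_integer), _
                Array(1, account_id, company_id, native_session_id))
            Login = True
        Else
            Login = False
        End If
        Set rsLogin = Nothing
    End Function

    ' **
    ' * Logs the user out from the database sessions and likewise in the object
    ' *
    ' * @return True if they were logged out, false if they weren't
    Public Function Logout()
        If (logged_in = True) Then
            Call RunQuery( _
                "UPDATE tblUserSessions SET logged_in=?, account_id=?, company_id=? WHERE id=?", _
                Array(ad_integer, ad_integer, ad_integer, ad_integer), _
                Array(0, 0, 0, native_session_id))
            logged_in = False
            account_id = 0
            company_id = 0
            Logout = True
        Else
            Logout = False
        End If
    End Function

    ' **
    ' * Fetches a session_variable from the database corresponding to this
    ' * user's session
    ' *
    ' * @return A string containing the variable value if it exists, or
    ' *         false if it doesn't
    Public Function var_get(nm)
        Dim rsGet
        Set rsGet = RunQuery( _
            "SELECT variable_value FROM tblSessionVariables WHERE session_id=? AND variable_name=?", _
            Array(ad_integer, ad_varchar), _
            Array(native_session_id, nm))

        If Not rsGet.EOF Then
            var_get = rsGet("variable_value")
        Else
            var_get = False
        End If
        Set rsGet = Nothing
    End Function

    ' **
    ' * Tells whether a variable row exists for this session. Used by var_set
    ' * instead of testing var_get for the string "False", which could not
    ' * distinguish a missing variable from one whose stored value is "False".
    ' *
    ' * @return True if a row exists, false otherwise
    Private Function VarExists(nm)
        Dim rsExists
        Set rsExists = RunQuery( _
            "SELECT 1 FROM tblSessionVariables WHERE session_id=? AND variable_name=?", _
            Array(ad_integer, ad_varchar), _
            Array(native_session_id, nm))
        VarExists = Not rsExists.EOF
        Set rsExists = Nothing
    End Function

    ' **
    ' * Saves a session variable to the database under the user's proper
    ' * session identifiers
    ' *
    Public Sub var_set(nm, val)
        If VarExists(nm) Then
            ' Already exists, so just update it
            Call RunQuery( _
                "UPDATE tblSessionVariables SET variable_value=? WHERE session_id=? AND variable_name=?", _
                Array(ad_varchar, ad_integer, ad_varchar), _
                Array(val, native_session_id, nm))
        Else
            ' Variable doesn't exist, create it
            Call RunQuery( _
                "INSERT INTO tblSessionVariables (session_id, variable_name, variable_value) VALUES (?, ?, ?)", _
                Array(ad_integer, ad_varchar, ad_varchar), _
                Array(native_session_id, nm, val))
        End If
    End Sub

    ' **
    ' * Just a pseudofunction that is called in the class constructor.
    ' * Starts the session each time and gets the appropriate account
    ' * information from the database and determines whether they are
    ' * logged in or not. If they are not logged in then it creates
    ' * a new session entry in the database table
    ' *
    Public Sub Session_OnStart()
        Dim strUserAgent, rsSess
        strUserAgent = Request.ServerVariables("HTTP_USER_AGENT")
        asp_session_id = Session.SessionID

        ' Starting the session
        Set rsSess = RunQuery( _
            "SELECT id, logged_in, account_id, company_id FROM tblUserSessions WHERE ascii_id=?", _
            Array(ad_varchar), Array(CStr(asp_session_id)))

        If Not rsSess.EOF Then
            native_session_id = rsSess("id")
            If rsSess("logged_in") = True Then
                logged_in = True
                account_id = rsSess("account_id")
                company_id = rsSess("company_id")
            Else
                logged_in = False
            End If
        Else
            logged_in = False
            ' create entry in database (the user agent is bound as a
            ' parameter, so the old manual quote doubling is not needed)
            Call RunQuery( _
                "INSERT INTO tblUserSessions (ascii_id, logged_in, account_id, company_id, created, user_agent) " & _
                "VALUES (?, ?, ?, ?, GETDATE(), ?)", _
                Array(ad_varchar, ad_integer, ad_integer, ad_integer, ad_varchar), _
                Array(CStr(asp_session_id), 0, 0, 0, strUserAgent))

            Set rsSess = RunQuery( _
                "SELECT id FROM tblUserSessions WHERE ascii_id=?", _
                Array(ad_varchar), Array(CStr(asp_session_id)))
            native_session_id = rsSess("id")
        End If
        Set rsSess = Nothing
    End Sub

    ' **
    ' * Runs one SQL statement against the page-level objConn with every
    ' * value bound as an ADODB input parameter. Placeholders are "?" and are
    ' * filled in order. This is the single point that keeps browser and
    ' * caller input out of the SQL text.
    ' *
    ' * Column types are assumed from the literals the original queries used:
    ' * ascii_id and the variable columns as character data, id / account_id /
    ' * company_id / logged_in as integer-compatible. Confirm against the schema
    ' * if a parameter is rejected by the provider.
    ' *
    ' * @param strSql    statement with one ? per value
    ' * @param arrTypes  ADO DataTypeEnum per placeholder (ad_integer or ad_varchar)
    ' * @param arrValues values in placeholder order; Null/Empty become "" or 0
    ' * @return the ADODB.Recordset returned by Execute (closed for
    ' *         INSERT/UPDATE/DELETE, which callers simply ignore)
    Private Function RunQuery(strSql, arrTypes, arrValues)
        Dim cmd, i, v, size
        Set cmd = Server.CreateObject("ADODB.Command")
        Set cmd.ActiveConnection = objConn
        cmd.CommandType = 1  ' adCmdText
        cmd.CommandText = strSql

        For i = 0 To UBound(arrValues)
            If arrTypes(i) = ad_varchar Then
                ' "" & v gives "" for Null/Empty where CStr would raise
                v = "" & arrValues(i)
                ' character parameters need a positive declared length
                size = Len(v)
                If size < 1 Then size = 1
            Else
                If IsNull(arrValues(i)) Or IsEmpty(arrValues(i)) Then
                    v = 0
                Else
                    v = CLng(arrValues(i))
                End If
                size = 0  ' ignored for fixed-width types
            End If
            cmd.Parameters.Append cmd.CreateParameter("p" & i, arrTypes(i), 1, size, v)  ' 1 = adParamInput
        Next

        Set RunQuery = cmd.Execute
        Set cmd = Nothing
    End Function
End Class
%>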