<?php
/* Icinga Web 2 | (c) 2013 Icinga Development Team | GPLv2+ */
namespace Icinga\Web\Session;
use Icinga\Application\Logger;
use Icinga\Exception\ConfigurationError;
use Icinga\Web\Cookie;
/**
* Session implementation in PHP
*/
class PhpSession extends Session
{
    /**
     * The namespace prefix
     *
     * Used to differentiate between standard session keys and namespace identifiers:
     * a namespace is stored in $_SESSION under the key NAMESPACE_PREFIX . $identifier
     * (see read() and write()).
     */
    const NAMESPACE_PREFIX = 'ns.';

    /**
     * Whether the underlying PHP session has already been opened and closed once by this object
     *
     * Set to true after every session_write_close() in read(), write(), purge(), getId() and
     * refreshId(). Once set, open() re-starts the session with cookies and the cache limiter
     * temporarily disabled, i.e. a re-open does not hand out a fresh session cookie.
     *
     * @var bool
     */
    protected $hasBeenTouched = false;

    /**
     * Name of the session
     *
     * Used as the PHP session name (and therefore as the session cookie name, see exists()).
     * Can be overridden through the 'test_session_name' constructor option.
     *
     * @var string
     */
    protected $sessionName = 'Icingaweb2';

    /**
     * Create a new PHPSession object using the provided options (if any)
     *
     * On PHP < 7.2.0 this returns a PhpSession, otherwise a Php72Session. Php72Session is
     * defined elsewhere; it is presumably a subclass of this one, so callers should rely on
     * the Session interface rather than on the concrete class they get back.
     *
     * @param array $options An optional array of ini options to set (see __construct())
     *
     * @return static
     *
     * @throws ConfigurationError
     * @see http://php.net/manual/en/session.configuration.php
     */
    public static function create(array $options = null)
    {
        return version_compare(PHP_VERSION, '7.2.0') < 0 ? new self($options) : new Php72Session($options);
    }

    /**
     * Create a new PHPSession object using the provided options (if any)
     *
     * Every option key is applied as the php.ini setting "session.<key>". The defaults
     * disable URL-based session ids (use_trans_sid) and force cookie-only transport
     * (use_cookies, use_only_cookies) with an HttpOnly cookie (cookie_httponly); the session
     * id alphabet is set to 5 bits per character (sid_bits_per_character on PHP >= 7.1,
     * hash_function/hash_bits_per_character before). User-supplied options are merged over
     * these defaults, so a caller can weaken them. A failed ini_set() only logs a warning
     * and does not abort construction.
     *
     * The special option 'test_session_name' replaces the session name and is not passed
     * to ini_set().
     *
     * If the session cookie is already present (exists()), the session data is read
     * immediately; otherwise no session is started by the constructor.
     *
     * @param array $options An optional array of ini options to set
     *
     * @throws ConfigurationError If the 'files' save handler is in use and its save path
     *                            (or sys_get_temp_dir() when none is configured) is not writable
     * @see http://php.net/manual/en/session.configuration.php
     */
    public function __construct(array $options = null)
    {
        $defaultCookieOptions = array(
            'use_trans_sid' => false,
            'use_cookies' => true,
            'cookie_httponly' => true,
            'use_only_cookies' => true
        );

        // The session id entropy settings were renamed in PHP 7.1; pick the ini names the runtime knows
        if (version_compare(PHP_VERSION, '7.1.0') < 0) {
            $defaultCookieOptions['hash_function'] = true;
            $defaultCookieOptions['hash_bits_per_character'] = 5;
        } else {
            $defaultCookieOptions['sid_bits_per_character'] = 5;
        }

        // Caller-supplied options win over the defaults (array_merge: last value wins)
        if ($options !== null) {
            $options = array_merge($defaultCookieOptions, $options);
        } else {
            $options = $defaultCookieOptions;
        }

        // Not an ini setting; only overrides the session (cookie) name
        if (array_key_exists('test_session_name', $options)) {
            $this->sessionName = $options['test_session_name'];
            unset($options['test_session_name']);
        }

        foreach ($options as $sessionVar => $value) {
            // ini_set() returns false if the setting could not be changed; best effort, do not abort
            if (ini_set("session." . $sessionVar, $value) === false) {
                Logger::warning(
                    'Could not set php.ini setting %s = %s. This might affect your sessions behaviour.',
                    $sessionVar,
                    $value
                );
            }
        }

        // An empty session_save_path() means PHP falls back to the system temp dir
        $sessionSavePath = session_save_path() ?: sys_get_temp_dir();
        if (session_module_name() === 'files' && !is_writable($sessionSavePath)) {
            throw new ConfigurationError("Can't save session, path '$sessionSavePath' is not writable.");
        }

        if ($this->exists()) {
            // We do not want to start a new session here if there is not any
            $this->read();
        }
    }

    /**
     * Open a PHP session
     *
     * Sets the session name and the session cookie parameters (lifetime 0, i.e. a browser
     * session cookie; path, domain and the secure flag taken from a Cookie instance; HttpOnly
     * always on) and then calls session_start(). When the session has been touched before,
     * cookies and the cache limiter are switched off around session_start() and restored
     * afterwards, so re-opening within the same request does not emit a second Set-Cookie
     * or another set of cache-control headers.
     *
     * NOTE(review): the positional session_set_cookie_params() signature used here has no
     * SameSite parameter, so the cookie's SameSite attribute is whatever php.ini provides
     * (session.cookie_samesite, PHP >= 7.3). Php72Session is not visible here; confirm where
     * that attribute is handled on newer runtimes.
     */
    protected function open()
    {
        session_name($this->sessionName);

        if ($this->hasBeenTouched) {
            // Remember the limiter so it can be restored after session_start()
            $cacheLimiter = ini_get('session.cache_limiter');
            ini_set('session.use_cookies', false);
            ini_set('session.use_only_cookies', false);
            ini_set('session.cache_limiter', null);
        }

        // Only used to derive the cookie path/domain/secure flag; the name 'bogus' is never sent
        $cookie = new Cookie('bogus');
        session_set_cookie_params(
            0,
            $cookie->getPath(),
            $cookie->getDomain(),
            $cookie->isSecure(),
            true
        );

        session_start();

        if ($this->hasBeenTouched) {
            ini_set('session.use_cookies', true);
            ini_set('session.use_only_cookies', true);
            // $cacheLimiter is only assigned in the guarded block above; both blocks test the same
            // flag, which session_start() does not change, so it is defined whenever this runs.
            /** @noinspection PhpUndefinedVariableInspection */
            ini_set('session.cache_limiter', $cacheLimiter);
        }
    }

    /**
     * Read all values written to the underlying session and make them accessible.
     *
     * Discards the values currently held by this object (clear()), opens the PHP session,
     * imports every $_SESSION entry — keys starting with NAMESPACE_PREFIX become
     * SessionNamespace objects in $this->namespaces, everything else is stored via set() —
     * and closes the session again. clear(), set() and $this->namespaces come from the
     * Session base class (not shown here).
     *
     * NOTE(review): a prefixed entry is handed to SessionNamespace::setAll() as is; it is
     * assumed to be an array — confirm what setAll() does with anything else.
     */
    public function read()
    {
        $this->clear();
        $this->open();

        foreach ($_SESSION as $key => $value) {
            if (strpos($key, self::NAMESPACE_PREFIX) === 0) {
                $namespace = new SessionNamespace();
                $namespace->setAll($value);
                // Strip the prefix so the namespace is addressed by its bare identifier
                $this->namespaces[substr($key, strlen(self::NAMESPACE_PREFIX))] = $namespace;
            } else {
                $this->set($key, $value);
            }
        }

        session_write_close();
        $this->hasBeenTouched = true;
    }

    /**
     * Write all values of this session object to the underlying session implementation
     *
     * Opens the PHP session, applies removals before additions ($this->removed and
     * $this->removedNamespaces are deleted from $_SESSION, then $this->values and
     * $this->namespaces are written), and closes the session so the data is persisted.
     * The bookkeeping properties are maintained by the Session base class (not shown here).
     */
    public function write()
    {
        $this->open();

        foreach ($this->removed as $key) {
            unset($_SESSION[$key]);
        }
        foreach ($this->values as $key => $value) {
            $_SESSION[$key] = $value;
        }
        foreach ($this->removedNamespaces as $identifier) {
            unset($_SESSION[self::NAMESPACE_PREFIX . $identifier]);
        }
        foreach ($this->namespaces as $identifier => $namespace) {
            // Namespaces are persisted as plain arrays, not as SessionNamespace objects
            $_SESSION[self::NAMESPACE_PREFIX . $identifier] = $namespace->getAll();
        }

        session_write_close();
        $this->hasBeenTouched = true;
    }

    /**
     * Delete the current session, causing all session information to be lost
     *
     * Empties $_SESSION and this object's values, destroys the server-side session data,
     * expires the session cookie on the client (clearCookies()) and closes the session.
     */
    public function purge()
    {
        $this->open();
        $_SESSION = array();
        $this->clear();
        session_destroy();
        $this->clearCookies();
        session_write_close();
        $this->hasBeenTouched = true;
    }

    /**
     * Remove session cookies
     *
     * Only acts when session.use_cookies is enabled. Sends the session cookie with an empty
     * value and an expiry in the past, using the same path, domain, secure and HttpOnly
     * attributes as the current cookie parameters so the browser matches the existing cookie.
     */
    protected function clearCookies()
    {
        if (ini_get('session.use_cookies')) {
            Logger::debug('Clear session cookie');
            $params = session_get_cookie_params();
            setcookie(
                session_name(),
                '',
                time() - 42000,
                $params['path'],
                $params['domain'],
                $params['secure'],
                $params['httponly']
            );
        }
    }

    /**
     * @see Session::getId()
     *
     * session_id() returns '' when no session has been started yet; in that case the session
     * is opened and closed once so that an id is generated, and hasBeenTouched is set.
     *
     * @return string The current session id
     */
    public function getId()
    {
        if (($id = session_id()) === '') {
            // Make sure we actually get an id
            $this->open();
            session_write_close();
            $this->hasBeenTouched = true;
            $id = session_id();
        }

        return $id;
    }

    /**
     * Assign a new sessionId to the currently active session
     *
     * Only regenerates the id when the session cookie is present (exists()).
     *
     * NOTE(review): session_regenerate_id() is called without delete_old_session = true, so
     * the data under the previous id stays on the server until garbage collection; whether
     * that is intended (e.g. for concurrent requests still carrying the old id) is not
     * visible here — confirm before changing it.
     */
    public function refreshId()
    {
        $this->open();
        if ($this->exists()) {
            session_regenerate_id();
        }
        session_write_close();
        $this->hasBeenTouched = true;
    }

    /**
     * @see Session::exists()
     *
     * Checks only whether the client sent a cookie with the session name; it does not verify
     * that a matching session exists on the server side.
     *
     * @return bool
     */
    public function exists()
    {
        return isset($_COOKIE[$this->sessionName]);
    }
}