xref: /webtrees/app/Session.php (revision 3976b4703df669696105ed6b024b96d433c8fbdb)
131bc7874SGreg Roach<?php
2*3976b470SGreg Roach
331bc7874SGreg Roach/**
431bc7874SGreg Roach * webtrees: online genealogy
58fcd0d32SGreg Roach * Copyright (C) 2019 webtrees development team
631bc7874SGreg Roach * This program is free software: you can redistribute it and/or modify
731bc7874SGreg Roach * it under the terms of the GNU General Public License as published by
831bc7874SGreg Roach * the Free Software Foundation, either version 3 of the License, or
931bc7874SGreg Roach * (at your option) any later version.
1031bc7874SGreg Roach * This program is distributed in the hope that it will be useful,
1131bc7874SGreg Roach * but WITHOUT ANY WARRANTY; without even the implied warranty of
1231bc7874SGreg Roach * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1331bc7874SGreg Roach * GNU General Public License for more details.
1431bc7874SGreg Roach * You should have received a copy of the GNU General Public License
1531bc7874SGreg Roach * along with this program. If not, see <http://www.gnu.org/licenses/>.
1631bc7874SGreg Roach */
17e7f56f2aSGreg Roachdeclare(strict_types=1);
18e7f56f2aSGreg Roach
1976692c8bSGreg Roachnamespace Fisharebest\Webtrees;
2031bc7874SGreg Roach
21deb4b685SGreg Roachuse Illuminate\Support\Str;
226ccdf4f0SGreg Roachuse Psr\Http\Message\ServerRequestInterface;
23*3976b470SGreg Roach
244d7dd147SGreg Roachuse function array_map;
254d7dd147SGreg Roachuse function explode;
264d7dd147SGreg Roachuse function implode;
274d7dd147SGreg Roachuse function parse_url;
284d7dd147SGreg Roachuse function session_name;
294d7dd147SGreg Roachuse function session_regenerate_id;
304d7dd147SGreg Roachuse function session_register_shutdown;
314d7dd147SGreg Roachuse function session_set_cookie_params;
324d7dd147SGreg Roachuse function session_set_save_handler;
334d7dd147SGreg Roachuse function session_start;
34fe3a9054SGreg Roachuse function session_status;
35*3976b470SGreg Roach
364d7dd147SGreg Roachuse const PHP_URL_HOST;
374d7dd147SGreg Roachuse const PHP_URL_PATH;
384d7dd147SGreg Roachuse const PHP_URL_SCHEME;
394c891c40SGreg Roach
4031bc7874SGreg Roach/**
4142af74e7SGreg Roach * Session handling
4231bc7874SGreg Roach */
43c1010edaSGreg Roachclass Session
44c1010edaSGreg Roach{
4531bc7874SGreg Roach    /**
4631bc7874SGreg Roach     * Start a session
47c7ff4153SGreg Roach     *
484d7dd147SGreg Roach     * @param ServerRequestInterface $request
494d7dd147SGreg Roach     *
50c7ff4153SGreg Roach     * @return void
5131bc7874SGreg Roach     */
524d7dd147SGreg Roach    public static function start(ServerRequestInterface $request): void
53c1010edaSGreg Roach    {
544d7dd147SGreg Roach        // Store sessions in the database
554d7dd147SGreg Roach        session_set_save_handler(new SessionDatabaseHandler($request));
564d7dd147SGreg Roach
57add3fa41SGreg Roach        $url    = $request->getAttribute('request_uri');
584d7dd147SGreg Roach        $secure = parse_url($url, PHP_URL_SCHEME) === 'https';
594d7dd147SGreg Roach        $domain = parse_url($url, PHP_URL_HOST);
604d7dd147SGreg Roach        $path   = parse_url($url, PHP_URL_PATH);
61e6a43769SGreg Roach        $path   = explode('index.php', $path)[0];
6208df3d18SGreg Roach
6308df3d18SGreg Roach        // Paths containing UTF-8 characters need special handling.
6408df3d18SGreg Roach        $path = implode('/', array_map('rawurlencode', explode('/', $path)));
6508df3d18SGreg Roach
6608df3d18SGreg Roach        session_name('WT_SESSION');
6731bc7874SGreg Roach        session_register_shutdown();
684d7dd147SGreg Roach        session_set_cookie_params(0, $path, $domain, $secure, true);
6931bc7874SGreg Roach        session_start();
7008df3d18SGreg Roach
7108df3d18SGreg Roach        // A new session? Prevent session fixation attacks by choosing a new session ID.
7208df3d18SGreg Roach        if (!self::get('initiated')) {
7308df3d18SGreg Roach            self::regenerate(true);
7408df3d18SGreg Roach            self::put('initiated', true);
7508df3d18SGreg Roach        }
7631bc7874SGreg Roach    }
7731bc7874SGreg Roach
7831bc7874SGreg Roach    /**
796ccdf4f0SGreg Roach     * Read a value from the session
8057514a4fSGreg Roach     *
816ccdf4f0SGreg Roach     * @param string $name
826ccdf4f0SGreg Roach     * @param mixed  $default
836ccdf4f0SGreg Roach     *
846ccdf4f0SGreg Roach     * @return mixed
8557514a4fSGreg Roach     */
866ccdf4f0SGreg Roach    public static function get(string $name, $default = null)
87c1010edaSGreg Roach    {
886ccdf4f0SGreg Roach        return $_SESSION[$name] ?? $default;
8957514a4fSGreg Roach    }
9057514a4fSGreg Roach
9157514a4fSGreg Roach    /**
926ccdf4f0SGreg Roach     * After any change in authentication level, we should use a new session ID.
9357514a4fSGreg Roach     *
946ccdf4f0SGreg Roach     * @param bool $destroy
9557514a4fSGreg Roach     *
966ccdf4f0SGreg Roach     * @return void
9757514a4fSGreg Roach     */
986ccdf4f0SGreg Roach    public static function regenerate(bool $destroy = false): void
99c1010edaSGreg Roach    {
1006ccdf4f0SGreg Roach        if ($destroy) {
1016ccdf4f0SGreg Roach            self::clear();
1026ccdf4f0SGreg Roach        }
1036ccdf4f0SGreg Roach
1046ccdf4f0SGreg Roach        if (session_status() === PHP_SESSION_ACTIVE) {
1056ccdf4f0SGreg Roach            session_regenerate_id($destroy);
1066ccdf4f0SGreg Roach        }
10757514a4fSGreg Roach    }
10857514a4fSGreg Roach
10957514a4fSGreg Roach    /**
1106ccdf4f0SGreg Roach     * Remove all stored data from the session.
1116ccdf4f0SGreg Roach     *
1126ccdf4f0SGreg Roach     * @return void
1136ccdf4f0SGreg Roach     */
1146ccdf4f0SGreg Roach    public static function clear(): void
1156ccdf4f0SGreg Roach    {
1166ccdf4f0SGreg Roach        $_SESSION = [];
1176ccdf4f0SGreg Roach    }
1186ccdf4f0SGreg Roach
1196ccdf4f0SGreg Roach    /**
1206ccdf4f0SGreg Roach     * Write a value to the session
1216ccdf4f0SGreg Roach     *
1226ccdf4f0SGreg Roach     * @param string $name
1236ccdf4f0SGreg Roach     * @param mixed  $value
1246ccdf4f0SGreg Roach     *
1256ccdf4f0SGreg Roach     * @return void
1266ccdf4f0SGreg Roach     */
1276ccdf4f0SGreg Roach    public static function put(string $name, $value): void
1286ccdf4f0SGreg Roach    {
1296ccdf4f0SGreg Roach        $_SESSION[$name] = $value;
1306ccdf4f0SGreg Roach    }
1316ccdf4f0SGreg Roach
1326ccdf4f0SGreg Roach    /**
1336ccdf4f0SGreg Roach     * Remove a value from the session
1346ccdf4f0SGreg Roach     *
1356ccdf4f0SGreg Roach     * @param string $name
1366ccdf4f0SGreg Roach     *
1376ccdf4f0SGreg Roach     * @return void
1386ccdf4f0SGreg Roach     */
1396ccdf4f0SGreg Roach    public static function forget(string $name): void
1406ccdf4f0SGreg Roach    {
1416ccdf4f0SGreg Roach        unset($_SESSION[$name]);
1426ccdf4f0SGreg Roach    }
1436ccdf4f0SGreg Roach
1446ccdf4f0SGreg Roach    /**
145a45f9889SGreg Roach     * Cross-Site Request Forgery tokens - ensure that the user is submitting
146a45f9889SGreg Roach     * a form that was generated by the current session.
147a45f9889SGreg Roach     *
148a45f9889SGreg Roach     * @return string
149a45f9889SGreg Roach     */
1508f53f488SRico Sonntag    public static function getCsrfToken(): string
151a45f9889SGreg Roach    {
152e364afe4SGreg Roach        if (!self::has('CSRF_TOKEN')) {
153e364afe4SGreg Roach            self::put('CSRF_TOKEN', Str::random(32));
154a45f9889SGreg Roach        }
155a45f9889SGreg Roach
156e364afe4SGreg Roach        return self::get('CSRF_TOKEN');
157a45f9889SGreg Roach    }
1586ccdf4f0SGreg Roach
1596ccdf4f0SGreg Roach    /**
1606ccdf4f0SGreg Roach     * Does a session variable exist?
1616ccdf4f0SGreg Roach     *
1626ccdf4f0SGreg Roach     * @param string $name
1636ccdf4f0SGreg Roach     *
1646ccdf4f0SGreg Roach     * @return bool
1656ccdf4f0SGreg Roach     */
1666ccdf4f0SGreg Roach    public static function has(string $name): bool
1676ccdf4f0SGreg Roach    {
1686ccdf4f0SGreg Roach        return isset($_SESSION[$name]);
1696ccdf4f0SGreg Roach    }
17031bc7874SGreg Roach}
171