131bc7874SGreg Roach<?php 231bc7874SGreg Roach/** 331bc7874SGreg Roach * webtrees: online genealogy 41062a142SGreg Roach * Copyright (C) 2018 webtrees development team 531bc7874SGreg Roach * This program is free software: you can redistribute it and/or modify 631bc7874SGreg Roach * it under the terms of the GNU General Public License as published by 731bc7874SGreg Roach * the Free Software Foundation, either version 3 of the License, or 831bc7874SGreg Roach * (at your option) any later version. 931bc7874SGreg Roach * This program is distributed in the hope that it will be useful, 1031bc7874SGreg Roach * but WITHOUT ANY WARRANTY; without even the implied warranty of 1131bc7874SGreg Roach * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 1231bc7874SGreg Roach * GNU General Public License for more details. 1331bc7874SGreg Roach * You should have received a copy of the GNU General Public License 1431bc7874SGreg Roach * along with this program. If not, see <http://www.gnu.org/licenses/>. 1531bc7874SGreg Roach */ 1676692c8bSGreg Roachnamespace Fisharebest\Webtrees; 1731bc7874SGreg Roach 184c891c40SGreg Roachuse Symfony\Component\HttpFoundation\Request; 194c891c40SGreg Roach 2031bc7874SGreg Roach/** 2142af74e7SGreg Roach * Session handling 2231bc7874SGreg Roach */ 23c1010edaSGreg Roachclass Session 24c1010edaSGreg Roach{ 2531bc7874SGreg Roach /** 2631bc7874SGreg Roach * Start a session 2731bc7874SGreg Roach */ 2808df3d18SGreg Roach public static function start() 29c1010edaSGreg Roach { 3008df3d18SGreg Roach $domain = ''; 3108df3d18SGreg Roach $path = parse_url(WT_BASE_URL, PHP_URL_PATH); 3208df3d18SGreg Roach $secure = parse_url(WT_BASE_URL, PHP_URL_SCHEME) === 'https'; 3308df3d18SGreg Roach $httponly = true; 3408df3d18SGreg Roach 3508df3d18SGreg Roach // Paths containing UTF-8 characters need special handling. 3608df3d18SGreg Roach $path = implode('/', array_map('rawurlencode', explode('/', $path))); 3708df3d18SGreg Roach 3808df3d18SGreg Roach self::setSaveHandler(); 3908df3d18SGreg Roach 4008df3d18SGreg Roach session_name('WT_SESSION'); 4131bc7874SGreg Roach session_register_shutdown(); 42a0dfa978SGreg Roach session_set_cookie_params(0, $path, $domain, $secure, $httponly); 4331bc7874SGreg Roach session_start(); 4408df3d18SGreg Roach 4508df3d18SGreg Roach // A new session? Prevent session fixation attacks by choosing a new session ID. 4608df3d18SGreg Roach if (!self::get('initiated')) { 4708df3d18SGreg Roach self::regenerate(true); 4808df3d18SGreg Roach self::put('initiated', true); 4908df3d18SGreg Roach } 5031bc7874SGreg Roach } 5131bc7874SGreg Roach 5231bc7874SGreg Roach /** 5331bc7874SGreg Roach * Read a value from the session 5431bc7874SGreg Roach * 5531bc7874SGreg Roach * @param string $name 5631bc7874SGreg Roach * @param mixed $default 5731bc7874SGreg Roach * 5831bc7874SGreg Roach * @return mixed 5931bc7874SGreg Roach */ 60c1010edaSGreg Roach public static function get($name, $default = null) 61c1010edaSGreg Roach { 6263485653SRico Sonntag return $_SESSION[$name] ?? $default; 6331bc7874SGreg Roach } 6431bc7874SGreg Roach 6531bc7874SGreg Roach /** 6631bc7874SGreg Roach * Write a value to the session 6731bc7874SGreg Roach * 6831bc7874SGreg Roach * @param string $name 6931bc7874SGreg Roach * @param mixed $value 7031bc7874SGreg Roach */ 71c1010edaSGreg Roach public static function put($name, $value) 72c1010edaSGreg Roach { 7331bc7874SGreg Roach $_SESSION[$name] = $value; 7431bc7874SGreg Roach } 7531bc7874SGreg Roach 7631bc7874SGreg Roach /** 7731bc7874SGreg Roach * Remove a value from the session 7831bc7874SGreg Roach * 7931bc7874SGreg Roach * @param string $name 8031bc7874SGreg Roach */ 81c1010edaSGreg Roach public static function forget($name) 82c1010edaSGreg Roach { 8331bc7874SGreg Roach unset($_SESSION[$name]); 8431bc7874SGreg Roach } 8531bc7874SGreg Roach 8631bc7874SGreg Roach /** 8731bc7874SGreg Roach * Does a session variable exist? 8831bc7874SGreg Roach * 8931bc7874SGreg Roach * @param string $name 9031bc7874SGreg Roach * 91cbc1590aSGreg Roach * @return bool 9231bc7874SGreg Roach */ 93*8f53f488SRico Sonntag public static function has($name): bool 94c1010edaSGreg Roach { 9591fb15f0SGreg Roach return isset($_SESSION[$name]); 9631bc7874SGreg Roach } 9731bc7874SGreg Roach 9831bc7874SGreg Roach /** 99f5004097SGreg Roach * Remove all stored data from the session. 100f5004097SGreg Roach */ 101c1010edaSGreg Roach public static function clear() 102c1010edaSGreg Roach { 10313abd6f3SGreg Roach $_SESSION = []; 104f5004097SGreg Roach } 105f5004097SGreg Roach 106f5004097SGreg Roach /** 10731bc7874SGreg Roach * After any change in authentication level, we should use a new session ID. 10831bc7874SGreg Roach * 10931bc7874SGreg Roach * @param bool $destroy 11031bc7874SGreg Roach */ 111c1010edaSGreg Roach public static function regenerate($destroy = false) 112c1010edaSGreg Roach { 113f5004097SGreg Roach if ($destroy) { 114f5004097SGreg Roach self::clear(); 115f5004097SGreg Roach } 11631bc7874SGreg Roach session_regenerate_id($destroy); 11731bc7874SGreg Roach } 11831bc7874SGreg Roach 11931bc7874SGreg Roach /** 12031bc7874SGreg Roach * Set an explicit session ID. Typically used for search robots. 12131bc7874SGreg Roach * 12231bc7874SGreg Roach * @param string $id 12331bc7874SGreg Roach */ 124c1010edaSGreg Roach public static function setId($id) 125c1010edaSGreg Roach { 12631bc7874SGreg Roach session_id($id); 12731bc7874SGreg Roach } 12857514a4fSGreg Roach 12957514a4fSGreg Roach /** 13057514a4fSGreg Roach * Initialise our session save handler 13157514a4fSGreg Roach */ 13208df3d18SGreg Roach private static function setSaveHandler() 133c1010edaSGreg Roach { 13457514a4fSGreg Roach session_set_save_handler( 13557514a4fSGreg Roach function (): bool { 13657514a4fSGreg Roach return Session::open(); 13757514a4fSGreg Roach }, 13857514a4fSGreg Roach function (): bool { 13957514a4fSGreg Roach return Session::close(); 14057514a4fSGreg Roach }, 14157514a4fSGreg Roach function (string $id): string { 14257514a4fSGreg Roach return Session::read($id); 14357514a4fSGreg Roach }, 14457514a4fSGreg Roach function (string $id, string $data): bool { 14557514a4fSGreg Roach return Session::write($id, $data); 14657514a4fSGreg Roach }, 14757514a4fSGreg Roach function (string $id): bool { 14857514a4fSGreg Roach return Session::destroy($id); 14957514a4fSGreg Roach }, 15057514a4fSGreg Roach function (int $maxlifetime): bool { 15157514a4fSGreg Roach return Session::gc($maxlifetime); 15257514a4fSGreg Roach } 15357514a4fSGreg Roach ); 15457514a4fSGreg Roach } 15557514a4fSGreg Roach 15657514a4fSGreg Roach /** 15757514a4fSGreg Roach * For session_set_save_handler() 15857514a4fSGreg Roach * 15957514a4fSGreg Roach * @return bool 16057514a4fSGreg Roach */ 161*8f53f488SRico Sonntag private static function close(): bool 162c1010edaSGreg Roach { 16357514a4fSGreg Roach return true; 16457514a4fSGreg Roach } 16557514a4fSGreg Roach 16657514a4fSGreg Roach /** 16757514a4fSGreg Roach * For session_set_save_handler() 16857514a4fSGreg Roach * 16957514a4fSGreg Roach * @param string $id 17057514a4fSGreg Roach * 17157514a4fSGreg Roach * @return bool 17257514a4fSGreg Roach */ 173*8f53f488SRico Sonntag private static function destroy(string $id): bool 174c1010edaSGreg Roach { 17557514a4fSGreg Roach Database::prepare( 17657514a4fSGreg Roach "DELETE FROM `##session` WHERE session_id = :session_id" 17757514a4fSGreg Roach )->execute([ 178c1010edaSGreg Roach 'session_id' => $id, 17957514a4fSGreg Roach ]); 18057514a4fSGreg Roach 18157514a4fSGreg Roach return true; 18257514a4fSGreg Roach } 18357514a4fSGreg Roach 18457514a4fSGreg Roach /** 18557514a4fSGreg Roach * For session_set_save_handler() 18657514a4fSGreg Roach * 18757514a4fSGreg Roach * @param int $maxlifetime 18857514a4fSGreg Roach * 18957514a4fSGreg Roach * @return bool 19057514a4fSGreg Roach */ 191*8f53f488SRico Sonntag private static function gc(int $maxlifetime): bool 192c1010edaSGreg Roach { 19357514a4fSGreg Roach Database::prepare( 19457514a4fSGreg Roach "DELETE FROM `##session` WHERE session_time < DATE_SUB(NOW(), INTERVAL :maxlifetime SECOND)" 19557514a4fSGreg Roach )->execute([ 196c1010edaSGreg Roach 'maxlifetime' => $maxlifetime, 19757514a4fSGreg Roach ]); 19857514a4fSGreg Roach 19957514a4fSGreg Roach return true; 20057514a4fSGreg Roach } 20157514a4fSGreg Roach 20257514a4fSGreg Roach /** 20357514a4fSGreg Roach * For session_set_save_handler() 20457514a4fSGreg Roach * 20557514a4fSGreg Roach * @return bool 20657514a4fSGreg Roach */ 207*8f53f488SRico Sonntag private static function open(): bool 208c1010edaSGreg Roach { 20957514a4fSGreg Roach return true; 21057514a4fSGreg Roach } 21157514a4fSGreg Roach 21257514a4fSGreg Roach /** 21357514a4fSGreg Roach * For session_set_save_handler() 21457514a4fSGreg Roach * 21557514a4fSGreg Roach * @param string $id 21657514a4fSGreg Roach * 21757514a4fSGreg Roach * @return string 21857514a4fSGreg Roach */ 219c1010edaSGreg Roach private static function read(string $id): string 220c1010edaSGreg Roach { 22157514a4fSGreg Roach return (string) Database::prepare( 22257514a4fSGreg Roach "SELECT session_data FROM `##session` WHERE session_id = :session_id" 22357514a4fSGreg Roach )->execute([ 224c1010edaSGreg Roach 'session_id' => $id, 22557514a4fSGreg Roach ])->fetchOne(); 22657514a4fSGreg Roach } 22757514a4fSGreg Roach 22857514a4fSGreg Roach /** 22957514a4fSGreg Roach * For session_set_save_handler() 23057514a4fSGreg Roach * 23157514a4fSGreg Roach * @param string $id 23257514a4fSGreg Roach * @param string $data 23357514a4fSGreg Roach * 23457514a4fSGreg Roach * @return bool 23557514a4fSGreg Roach */ 236c1010edaSGreg Roach private static function write(string $id, string $data): bool 237c1010edaSGreg Roach { 2384c891c40SGreg Roach $request = Request::createFromGlobals(); 2394c891c40SGreg Roach 24057514a4fSGreg Roach // Only update the session table once per minute, unless the session data has actually changed. 24157514a4fSGreg Roach Database::prepare( 24257514a4fSGreg Roach "INSERT INTO `##session` (session_id, user_id, ip_address, session_data, session_time)" . 2434c891c40SGreg Roach " VALUES (:session_id, :user_id, :ip_address, :data, CURRENT_TIMESTAMP - SECOND(CURRENT_TIMESTAMP))" . 24457514a4fSGreg Roach " ON DUPLICATE KEY UPDATE" . 24557514a4fSGreg Roach " user_id = VALUES(user_id)," . 24657514a4fSGreg Roach " ip_address = VALUES(ip_address)," . 24757514a4fSGreg Roach " session_data = VALUES(session_data)," . 24857514a4fSGreg Roach " session_time = CURRENT_TIMESTAMP - SECOND(CURRENT_TIMESTAMP)" 24957514a4fSGreg Roach )->execute([ 2504c891c40SGreg Roach 'session_id' => $id, 2514c891c40SGreg Roach 'user_id' => (int) Auth::id(), 2524c891c40SGreg Roach 'ip_address' => $request->getClientIp(), 2534c891c40SGreg Roach 'data' => $data, 2544c891c40SGreg Roach ]); 25557514a4fSGreg Roach 25657514a4fSGreg Roach return true; 25757514a4fSGreg Roach } 258a45f9889SGreg Roach 259a45f9889SGreg Roach 260a45f9889SGreg Roach /** 261a45f9889SGreg Roach * Cross-Site Request Forgery tokens - ensure that the user is submitting 262a45f9889SGreg Roach * a form that was generated by the current session. 263a45f9889SGreg Roach * 264a45f9889SGreg Roach * @return string 265a45f9889SGreg Roach */ 266*8f53f488SRico Sonntag public static function getCsrfToken(): string 267a45f9889SGreg Roach { 268a45f9889SGreg Roach if (!Session::has('CSRF_TOKEN')) { 269a45f9889SGreg Roach $charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz0123456789'; 270a45f9889SGreg Roach $csrf_token = ''; 271a45f9889SGreg Roach for ($n = 0; $n < 32; ++$n) { 272a45f9889SGreg Roach $csrf_token .= substr($charset, random_int(0, 61), 1); 273a45f9889SGreg Roach } 274a45f9889SGreg Roach Session::put('CSRF_TOKEN', $csrf_token); 275a45f9889SGreg Roach } 276a45f9889SGreg Roach 277a45f9889SGreg Roach return Session::get('CSRF_TOKEN'); 278a45f9889SGreg Roach } 27931bc7874SGreg Roach} 280