xref: /webtrees/app/Session.php (revision a45f98897789fc9ff88705eb09ae5f037bf49c10)
131bc7874SGreg Roach<?php
231bc7874SGreg Roach/**
331bc7874SGreg Roach * webtrees: online genealogy
41062a142SGreg Roach * Copyright (C) 2018 webtrees development team
531bc7874SGreg Roach * This program is free software: you can redistribute it and/or modify
631bc7874SGreg Roach * it under the terms of the GNU General Public License as published by
731bc7874SGreg Roach * the Free Software Foundation, either version 3 of the License, or
831bc7874SGreg Roach * (at your option) any later version.
931bc7874SGreg Roach * This program is distributed in the hope that it will be useful,
1031bc7874SGreg Roach * but WITHOUT ANY WARRANTY; without even the implied warranty of
1131bc7874SGreg Roach * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1231bc7874SGreg Roach * GNU General Public License for more details.
1331bc7874SGreg Roach * You should have received a copy of the GNU General Public License
1431bc7874SGreg Roach * along with this program. If not, see <http://www.gnu.org/licenses/>.
1531bc7874SGreg Roach */
1676692c8bSGreg Roachnamespace Fisharebest\Webtrees;
1731bc7874SGreg Roach
184c891c40SGreg Roachuse Symfony\Component\HttpFoundation\Request;
194c891c40SGreg Roach
2031bc7874SGreg Roach/**
2142af74e7SGreg Roach * Session handling
2231bc7874SGreg Roach */
23c1010edaSGreg Roachclass Session
24c1010edaSGreg Roach{
2531bc7874SGreg Roach    /**
2631bc7874SGreg Roach     * Start a session
2731bc7874SGreg Roach     */
2808df3d18SGreg Roach    public static function start()
29c1010edaSGreg Roach    {
3008df3d18SGreg Roach        $domain   = '';
3108df3d18SGreg Roach        $path     = parse_url(WT_BASE_URL, PHP_URL_PATH);
3208df3d18SGreg Roach        $secure   = parse_url(WT_BASE_URL, PHP_URL_SCHEME) === 'https';
3308df3d18SGreg Roach        $httponly = true;
3408df3d18SGreg Roach
3508df3d18SGreg Roach        // Paths containing UTF-8 characters need special handling.
3608df3d18SGreg Roach        $path = implode('/', array_map('rawurlencode', explode('/', $path)));
3708df3d18SGreg Roach
3808df3d18SGreg Roach        self::setSaveHandler();
3908df3d18SGreg Roach
4008df3d18SGreg Roach        session_name('WT_SESSION');
4131bc7874SGreg Roach        session_register_shutdown();
42a0dfa978SGreg Roach        session_set_cookie_params(0, $path, $domain, $secure, $httponly);
4331bc7874SGreg Roach        session_start();
4408df3d18SGreg Roach
4508df3d18SGreg Roach        // A new session? Prevent session fixation attacks by choosing a new session ID.
4608df3d18SGreg Roach        if (!self::get('initiated')) {
4708df3d18SGreg Roach            self::regenerate(true);
4808df3d18SGreg Roach            self::put('initiated', true);
4908df3d18SGreg Roach        }
5031bc7874SGreg Roach    }
5131bc7874SGreg Roach
5231bc7874SGreg Roach    /**
5331bc7874SGreg Roach     * Read a value from the session
5431bc7874SGreg Roach     *
5531bc7874SGreg Roach     * @param string $name
5631bc7874SGreg Roach     * @param mixed  $default
5731bc7874SGreg Roach     *
5831bc7874SGreg Roach     * @return mixed
5931bc7874SGreg Roach     */
60c1010edaSGreg Roach    public static function get($name, $default = null)
61c1010edaSGreg Roach    {
6263485653SRico Sonntag        return $_SESSION[$name] ?? $default;
6331bc7874SGreg Roach    }
6431bc7874SGreg Roach
6531bc7874SGreg Roach    /**
6631bc7874SGreg Roach     * Write a value to the session
6731bc7874SGreg Roach     *
6831bc7874SGreg Roach     * @param string $name
6931bc7874SGreg Roach     * @param mixed  $value
7031bc7874SGreg Roach     */
71c1010edaSGreg Roach    public static function put($name, $value)
72c1010edaSGreg Roach    {
7331bc7874SGreg Roach        $_SESSION[$name] = $value;
7431bc7874SGreg Roach    }
7531bc7874SGreg Roach
7631bc7874SGreg Roach    /**
7731bc7874SGreg Roach     * Remove a value from the session
7831bc7874SGreg Roach     *
7931bc7874SGreg Roach     * @param string $name
8031bc7874SGreg Roach     */
81c1010edaSGreg Roach    public static function forget($name)
82c1010edaSGreg Roach    {
8331bc7874SGreg Roach        unset($_SESSION[$name]);
8431bc7874SGreg Roach    }
8531bc7874SGreg Roach
8631bc7874SGreg Roach    /**
8731bc7874SGreg Roach     * Does a session variable exist?
8831bc7874SGreg Roach     *
8931bc7874SGreg Roach     * @param string $name
9031bc7874SGreg Roach     *
91cbc1590aSGreg Roach     * @return bool
9231bc7874SGreg Roach     */
93c1010edaSGreg Roach    public static function has($name)
94c1010edaSGreg Roach    {
9591fb15f0SGreg Roach        return isset($_SESSION[$name]);
9631bc7874SGreg Roach    }
9731bc7874SGreg Roach
9831bc7874SGreg Roach    /**
99f5004097SGreg Roach     * Remove all stored data from the session.
100f5004097SGreg Roach     */
101c1010edaSGreg Roach    public static function clear()
102c1010edaSGreg Roach    {
10313abd6f3SGreg Roach        $_SESSION = [];
104f5004097SGreg Roach    }
105f5004097SGreg Roach
106f5004097SGreg Roach    /**
10731bc7874SGreg Roach     * After any change in authentication level, we should use a new session ID.
10831bc7874SGreg Roach     *
10931bc7874SGreg Roach     * @param bool $destroy
11031bc7874SGreg Roach     */
111c1010edaSGreg Roach    public static function regenerate($destroy = false)
112c1010edaSGreg Roach    {
113f5004097SGreg Roach        if ($destroy) {
114f5004097SGreg Roach            self::clear();
115f5004097SGreg Roach        }
11631bc7874SGreg Roach        session_regenerate_id($destroy);
11731bc7874SGreg Roach    }
11831bc7874SGreg Roach
11931bc7874SGreg Roach    /**
12031bc7874SGreg Roach     * Set an explicit session ID. Typically used for search robots.
12131bc7874SGreg Roach     *
12231bc7874SGreg Roach     * @param string $id
12331bc7874SGreg Roach     */
124c1010edaSGreg Roach    public static function setId($id)
125c1010edaSGreg Roach    {
12631bc7874SGreg Roach        session_id($id);
12731bc7874SGreg Roach    }
12857514a4fSGreg Roach
12957514a4fSGreg Roach    /**
13057514a4fSGreg Roach     * Initialise our session save handler
13157514a4fSGreg Roach     */
13208df3d18SGreg Roach    private static function setSaveHandler()
133c1010edaSGreg Roach    {
13457514a4fSGreg Roach        session_set_save_handler(
13557514a4fSGreg Roach            function (): bool {
13657514a4fSGreg Roach                return Session::open();
13757514a4fSGreg Roach            },
13857514a4fSGreg Roach            function (): bool {
13957514a4fSGreg Roach                return Session::close();
14057514a4fSGreg Roach            },
14157514a4fSGreg Roach            function (string $id): string {
14257514a4fSGreg Roach                return Session::read($id);
14357514a4fSGreg Roach            },
14457514a4fSGreg Roach            function (string $id, string $data): bool {
14557514a4fSGreg Roach                return Session::write($id, $data);
14657514a4fSGreg Roach            },
14757514a4fSGreg Roach            function (string $id): bool {
14857514a4fSGreg Roach                return Session::destroy($id);
14957514a4fSGreg Roach            },
15057514a4fSGreg Roach            function (int $maxlifetime): bool {
15157514a4fSGreg Roach                return Session::gc($maxlifetime);
15257514a4fSGreg Roach            }
15357514a4fSGreg Roach        );
15457514a4fSGreg Roach    }
15557514a4fSGreg Roach
15657514a4fSGreg Roach    /**
15757514a4fSGreg Roach     * For session_set_save_handler()
15857514a4fSGreg Roach     *
15957514a4fSGreg Roach     * @return bool
16057514a4fSGreg Roach     */
161c1010edaSGreg Roach    private static function close()
162c1010edaSGreg Roach    {
16357514a4fSGreg Roach        return true;
16457514a4fSGreg Roach    }
16557514a4fSGreg Roach
16657514a4fSGreg Roach    /**
16757514a4fSGreg Roach     * For session_set_save_handler()
16857514a4fSGreg Roach     *
16957514a4fSGreg Roach     * @param string $id
17057514a4fSGreg Roach     *
17157514a4fSGreg Roach     * @return bool
17257514a4fSGreg Roach     */
173c1010edaSGreg Roach    private static function destroy(string $id)
174c1010edaSGreg Roach    {
17557514a4fSGreg Roach        Database::prepare(
17657514a4fSGreg Roach            "DELETE FROM `##session` WHERE session_id = :session_id"
17757514a4fSGreg Roach        )->execute([
178c1010edaSGreg Roach            'session_id' => $id,
17957514a4fSGreg Roach        ]);
18057514a4fSGreg Roach
18157514a4fSGreg Roach        return true;
18257514a4fSGreg Roach    }
18357514a4fSGreg Roach
18457514a4fSGreg Roach    /**
18557514a4fSGreg Roach     * For session_set_save_handler()
18657514a4fSGreg Roach     *
18757514a4fSGreg Roach     * @param int $maxlifetime
18857514a4fSGreg Roach     *
18957514a4fSGreg Roach     * @return bool
19057514a4fSGreg Roach     */
191c1010edaSGreg Roach    private static function gc(int $maxlifetime)
192c1010edaSGreg Roach    {
19357514a4fSGreg Roach        Database::prepare(
19457514a4fSGreg Roach            "DELETE FROM `##session` WHERE session_time < DATE_SUB(NOW(), INTERVAL :maxlifetime SECOND)"
19557514a4fSGreg Roach        )->execute([
196c1010edaSGreg Roach            'maxlifetime' => $maxlifetime,
19757514a4fSGreg Roach        ]);
19857514a4fSGreg Roach
19957514a4fSGreg Roach        return true;
20057514a4fSGreg Roach    }
20157514a4fSGreg Roach
20257514a4fSGreg Roach    /**
20357514a4fSGreg Roach     * For session_set_save_handler()
20457514a4fSGreg Roach     *
20557514a4fSGreg Roach     * @return bool
20657514a4fSGreg Roach     */
207c1010edaSGreg Roach    private static function open()
208c1010edaSGreg Roach    {
20957514a4fSGreg Roach        return true;
21057514a4fSGreg Roach    }
21157514a4fSGreg Roach
21257514a4fSGreg Roach    /**
21357514a4fSGreg Roach     * For session_set_save_handler()
21457514a4fSGreg Roach     *
21557514a4fSGreg Roach     * @param string $id
21657514a4fSGreg Roach     *
21757514a4fSGreg Roach     * @return string
21857514a4fSGreg Roach     */
219c1010edaSGreg Roach    private static function read(string $id): string
220c1010edaSGreg Roach    {
22157514a4fSGreg Roach        return (string) Database::prepare(
22257514a4fSGreg Roach            "SELECT session_data FROM `##session` WHERE session_id = :session_id"
22357514a4fSGreg Roach        )->execute([
224c1010edaSGreg Roach            'session_id' => $id,
22557514a4fSGreg Roach        ])->fetchOne();
22657514a4fSGreg Roach    }
22757514a4fSGreg Roach
22857514a4fSGreg Roach    /**
22957514a4fSGreg Roach     * For session_set_save_handler()
23057514a4fSGreg Roach     *
23157514a4fSGreg Roach     * @param string $id
23257514a4fSGreg Roach     * @param string $data
23357514a4fSGreg Roach     *
23457514a4fSGreg Roach     * @return bool
23557514a4fSGreg Roach     */
236c1010edaSGreg Roach    private static function write(string $id, string $data): bool
237c1010edaSGreg Roach    {
2384c891c40SGreg Roach        $request = Request::createFromGlobals();
2394c891c40SGreg Roach
24057514a4fSGreg Roach        // Only update the session table once per minute, unless the session data has actually changed.
24157514a4fSGreg Roach        Database::prepare(
24257514a4fSGreg Roach            "INSERT INTO `##session` (session_id, user_id, ip_address, session_data, session_time)" .
2434c891c40SGreg Roach            " VALUES (:session_id, :user_id, :ip_address, :data, CURRENT_TIMESTAMP - SECOND(CURRENT_TIMESTAMP))" .
24457514a4fSGreg Roach            " ON DUPLICATE KEY UPDATE" .
24557514a4fSGreg Roach            " user_id      = VALUES(user_id)," .
24657514a4fSGreg Roach            " ip_address   = VALUES(ip_address)," .
24757514a4fSGreg Roach            " session_data = VALUES(session_data)," .
24857514a4fSGreg Roach            " session_time = CURRENT_TIMESTAMP - SECOND(CURRENT_TIMESTAMP)"
24957514a4fSGreg Roach        )->execute([
2504c891c40SGreg Roach            'session_id' => $id,
2514c891c40SGreg Roach            'user_id'    => (int) Auth::id(),
2524c891c40SGreg Roach            'ip_address' => $request->getClientIp(),
2534c891c40SGreg Roach            'data'       => $data,
2544c891c40SGreg Roach        ]);
25557514a4fSGreg Roach
25657514a4fSGreg Roach        return true;
25757514a4fSGreg Roach    }
258*a45f9889SGreg Roach
259*a45f9889SGreg Roach
260*a45f9889SGreg Roach    /**
261*a45f9889SGreg Roach     * Cross-Site Request Forgery tokens - ensure that the user is submitting
262*a45f9889SGreg Roach     * a form that was generated by the current session.
263*a45f9889SGreg Roach     *
264*a45f9889SGreg Roach     * @return string
265*a45f9889SGreg Roach     */
266*a45f9889SGreg Roach    public static function getCsrfToken()
267*a45f9889SGreg Roach    {
268*a45f9889SGreg Roach        if (!Session::has('CSRF_TOKEN')) {
269*a45f9889SGreg Roach            $charset    = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz0123456789';
270*a45f9889SGreg Roach            $csrf_token = '';
271*a45f9889SGreg Roach            for ($n = 0; $n < 32; ++$n) {
272*a45f9889SGreg Roach                $csrf_token .= substr($charset, random_int(0, 61), 1);
273*a45f9889SGreg Roach            }
274*a45f9889SGreg Roach            Session::put('CSRF_TOKEN', $csrf_token);
275*a45f9889SGreg Roach        }
276*a45f9889SGreg Roach
277*a45f9889SGreg Roach        return Session::get('CSRF_TOKEN');
278*a45f9889SGreg Roach    }
27931bc7874SGreg Roach}
280