131bc7874SGreg Roach<?php 23976b470SGreg Roach 331bc7874SGreg Roach/** 431bc7874SGreg Roach * webtrees: online genealogy 58fcd0d32SGreg Roach * Copyright (C) 2019 webtrees development team 631bc7874SGreg Roach * This program is free software: you can redistribute it and/or modify 731bc7874SGreg Roach * it under the terms of the GNU General Public License as published by 831bc7874SGreg Roach * the Free Software Foundation, either version 3 of the License, or 931bc7874SGreg Roach * (at your option) any later version. 1031bc7874SGreg Roach * This program is distributed in the hope that it will be useful, 1131bc7874SGreg Roach * but WITHOUT ANY WARRANTY; without even the implied warranty of 1231bc7874SGreg Roach * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 1331bc7874SGreg Roach * GNU General Public License for more details. 1431bc7874SGreg Roach * You should have received a copy of the GNU General Public License 1531bc7874SGreg Roach * along with this program. If not, see <http://www.gnu.org/licenses/>. 1631bc7874SGreg Roach */ 17fcfa147eSGreg Roach 18e7f56f2aSGreg Roachdeclare(strict_types=1); 19e7f56f2aSGreg Roach 2076692c8bSGreg Roachnamespace Fisharebest\Webtrees; 2131bc7874SGreg Roach 22deb4b685SGreg Roachuse Illuminate\Support\Str; 236ccdf4f0SGreg Roachuse Psr\Http\Message\ServerRequestInterface; 243976b470SGreg Roach 254d7dd147SGreg Roachuse function array_map; 264d7dd147SGreg Roachuse function explode; 274d7dd147SGreg Roachuse function implode; 284d7dd147SGreg Roachuse function parse_url; 294d7dd147SGreg Roachuse function session_name; 304d7dd147SGreg Roachuse function session_regenerate_id; 314d7dd147SGreg Roachuse function session_register_shutdown; 324d7dd147SGreg Roachuse function session_set_cookie_params; 334d7dd147SGreg Roachuse function session_set_save_handler; 344d7dd147SGreg Roachuse function session_start; 35fe3a9054SGreg Roachuse function session_status; 36dc6b8e0eSGreg Roachuse function session_write_close; 373976b470SGreg Roach 38dc6b8e0eSGreg Roachuse const PHP_SESSION_ACTIVE; 394d7dd147SGreg Roachuse const PHP_URL_HOST; 404d7dd147SGreg Roachuse const PHP_URL_PATH; 414d7dd147SGreg Roachuse const PHP_URL_SCHEME; 4218c571c3SGreg Roachuse const PHP_VERSION_ID; 434c891c40SGreg Roach 4431bc7874SGreg Roach/** 4542af74e7SGreg Roach * Session handling 4631bc7874SGreg Roach */ 47c1010edaSGreg Roachclass Session 48c1010edaSGreg Roach{ 49*a51e953eSGreg Roach // Use the secure prefix with HTTPS. 509683b471SGreg Roach private const SESSION_NAME = 'WT2_SESSION'; 51*a51e953eSGreg Roach private const SECURE_SESSION_NAME = '__Secure-WT-ID'; 52dc6b8e0eSGreg Roach 5331bc7874SGreg Roach /** 5431bc7874SGreg Roach * Start a session 55c7ff4153SGreg Roach * 564d7dd147SGreg Roach * @param ServerRequestInterface $request 574d7dd147SGreg Roach * 58c7ff4153SGreg Roach * @return void 5931bc7874SGreg Roach */ 604d7dd147SGreg Roach public static function start(ServerRequestInterface $request): void 61c1010edaSGreg Roach { 624d7dd147SGreg Roach // Store sessions in the database 634d7dd147SGreg Roach session_set_save_handler(new SessionDatabaseHandler($request)); 644d7dd147SGreg Roach 659e5d8e6fSGreg Roach $url = $request->getAttribute('base_url'); 664d7dd147SGreg Roach $secure = parse_url($url, PHP_URL_SCHEME) === 'https'; 674831cc24SGreg Roach $domain = (string) parse_url($url, PHP_URL_HOST); 684831cc24SGreg Roach $path = (string) parse_url($url, PHP_URL_PATH); 6908df3d18SGreg Roach 7008df3d18SGreg Roach // Paths containing UTF-8 characters need special handling. 7108df3d18SGreg Roach $path = implode('/', array_map('rawurlencode', explode('/', $path))); 7208df3d18SGreg Roach 73*a51e953eSGreg Roach session_name($secure ? self::SECURE_SESSION_NAME : self::SESSION_NAME); 7431bc7874SGreg Roach session_register_shutdown(); 7518c571c3SGreg Roach // Since PHP 7.3, we can set "SameSite: Lax" to help protect against CSRF attacks. 7618c571c3SGreg Roach if (PHP_VERSION_ID > 70300) { 7718c571c3SGreg Roach session_set_cookie_params([ 7818c571c3SGreg Roach 'lifetime' => 0, 7918c571c3SGreg Roach 'path' => $path . '/', 8018c571c3SGreg Roach 'domain' => $domain, 8118c571c3SGreg Roach 'secure' => $secure, 8218c571c3SGreg Roach 'httponly' => true, 8318c571c3SGreg Roach 'samesite' => 'Lax', 8418c571c3SGreg Roach ]); 8518c571c3SGreg Roach } else { 86cf7dfd3dSGreg Roach session_set_cookie_params(0, $path . '/', $domain, $secure, true); 8718c571c3SGreg Roach } 8831bc7874SGreg Roach session_start(); 8908df3d18SGreg Roach 9008df3d18SGreg Roach // A new session? Prevent session fixation attacks by choosing a new session ID. 91b262b3d3SGreg Roach if (self::get('initiated') !== true) { 9208df3d18SGreg Roach self::regenerate(true); 9308df3d18SGreg Roach self::put('initiated', true); 9408df3d18SGreg Roach } 9531bc7874SGreg Roach } 9631bc7874SGreg Roach 9731bc7874SGreg Roach /** 98dc6b8e0eSGreg Roach * Save/close the session. This releases the session lock. 99dc6b8e0eSGreg Roach * Closing early can help concurrent connections. 100dc6b8e0eSGreg Roach */ 101dc6b8e0eSGreg Roach public static function save(): void 102dc6b8e0eSGreg Roach { 103dc6b8e0eSGreg Roach if (session_status() === PHP_SESSION_ACTIVE) { 104dc6b8e0eSGreg Roach session_write_close(); 105dc6b8e0eSGreg Roach } 106dc6b8e0eSGreg Roach } 107dc6b8e0eSGreg Roach 108dc6b8e0eSGreg Roach /** 1096ccdf4f0SGreg Roach * Read a value from the session 11057514a4fSGreg Roach * 1116ccdf4f0SGreg Roach * @param string $name 1126ccdf4f0SGreg Roach * @param mixed $default 1136ccdf4f0SGreg Roach * 1146ccdf4f0SGreg Roach * @return mixed 11557514a4fSGreg Roach */ 1166ccdf4f0SGreg Roach public static function get(string $name, $default = null) 117c1010edaSGreg Roach { 1186ccdf4f0SGreg Roach return $_SESSION[$name] ?? $default; 11957514a4fSGreg Roach } 12057514a4fSGreg Roach 12157514a4fSGreg Roach /** 122fd8bd3bcSGreg Roach * Read a value from the session and remove it. 123fd8bd3bcSGreg Roach * 124fd8bd3bcSGreg Roach * @param string $name 125fd8bd3bcSGreg Roach * @param mixed $default 126fd8bd3bcSGreg Roach * 127fd8bd3bcSGreg Roach * @return mixed 128fd8bd3bcSGreg Roach */ 129fd8bd3bcSGreg Roach public static function pull(string $name, $default = null) 130fd8bd3bcSGreg Roach { 131fd8bd3bcSGreg Roach $value = self::get($name, $default); 132fd8bd3bcSGreg Roach self::forget($name); 133fd8bd3bcSGreg Roach 134fd8bd3bcSGreg Roach return $value; 135fd8bd3bcSGreg Roach } 136fd8bd3bcSGreg Roach 137fd8bd3bcSGreg Roach /** 1386ccdf4f0SGreg Roach * After any change in authentication level, we should use a new session ID. 13957514a4fSGreg Roach * 1406ccdf4f0SGreg Roach * @param bool $destroy 14157514a4fSGreg Roach * 1426ccdf4f0SGreg Roach * @return void 14357514a4fSGreg Roach */ 1446ccdf4f0SGreg Roach public static function regenerate(bool $destroy = false): void 145c1010edaSGreg Roach { 1466ccdf4f0SGreg Roach if ($destroy) { 1476ccdf4f0SGreg Roach self::clear(); 1486ccdf4f0SGreg Roach } 1496ccdf4f0SGreg Roach 1506ccdf4f0SGreg Roach if (session_status() === PHP_SESSION_ACTIVE) { 1516ccdf4f0SGreg Roach session_regenerate_id($destroy); 1526ccdf4f0SGreg Roach } 15357514a4fSGreg Roach } 15457514a4fSGreg Roach 15557514a4fSGreg Roach /** 1566ccdf4f0SGreg Roach * Remove all stored data from the session. 1576ccdf4f0SGreg Roach * 1586ccdf4f0SGreg Roach * @return void 1596ccdf4f0SGreg Roach */ 1606ccdf4f0SGreg Roach public static function clear(): void 1616ccdf4f0SGreg Roach { 1626ccdf4f0SGreg Roach $_SESSION = []; 1636ccdf4f0SGreg Roach } 1646ccdf4f0SGreg Roach 1656ccdf4f0SGreg Roach /** 1666ccdf4f0SGreg Roach * Write a value to the session 1676ccdf4f0SGreg Roach * 1686ccdf4f0SGreg Roach * @param string $name 1696ccdf4f0SGreg Roach * @param mixed $value 1706ccdf4f0SGreg Roach * 1716ccdf4f0SGreg Roach * @return void 1726ccdf4f0SGreg Roach */ 1736ccdf4f0SGreg Roach public static function put(string $name, $value): void 1746ccdf4f0SGreg Roach { 1756ccdf4f0SGreg Roach $_SESSION[$name] = $value; 1766ccdf4f0SGreg Roach } 1776ccdf4f0SGreg Roach 1786ccdf4f0SGreg Roach /** 1796ccdf4f0SGreg Roach * Remove a value from the session 1806ccdf4f0SGreg Roach * 1816ccdf4f0SGreg Roach * @param string $name 1826ccdf4f0SGreg Roach * 1836ccdf4f0SGreg Roach * @return void 1846ccdf4f0SGreg Roach */ 1856ccdf4f0SGreg Roach public static function forget(string $name): void 1866ccdf4f0SGreg Roach { 1876ccdf4f0SGreg Roach unset($_SESSION[$name]); 1886ccdf4f0SGreg Roach } 1896ccdf4f0SGreg Roach 1906ccdf4f0SGreg Roach /** 191a45f9889SGreg Roach * Cross-Site Request Forgery tokens - ensure that the user is submitting 192a45f9889SGreg Roach * a form that was generated by the current session. 193a45f9889SGreg Roach * 194a45f9889SGreg Roach * @return string 195a45f9889SGreg Roach */ 1968f53f488SRico Sonntag public static function getCsrfToken(): string 197a45f9889SGreg Roach { 198e364afe4SGreg Roach if (!self::has('CSRF_TOKEN')) { 199e364afe4SGreg Roach self::put('CSRF_TOKEN', Str::random(32)); 200a45f9889SGreg Roach } 201a45f9889SGreg Roach 202e364afe4SGreg Roach return self::get('CSRF_TOKEN'); 203a45f9889SGreg Roach } 2046ccdf4f0SGreg Roach 2056ccdf4f0SGreg Roach /** 2066ccdf4f0SGreg Roach * Does a session variable exist? 2076ccdf4f0SGreg Roach * 2086ccdf4f0SGreg Roach * @param string $name 2096ccdf4f0SGreg Roach * 2106ccdf4f0SGreg Roach * @return bool 2116ccdf4f0SGreg Roach */ 2126ccdf4f0SGreg Roach public static function has(string $name): bool 2136ccdf4f0SGreg Roach { 2146ccdf4f0SGreg Roach return isset($_SESSION[$name]); 2156ccdf4f0SGreg Roach } 21631bc7874SGreg Roach} 217