131bc7874SGreg Roach<?php 23976b470SGreg Roach 331bc7874SGreg Roach/** 431bc7874SGreg Roach * webtrees: online genealogy 58fcd0d32SGreg Roach * Copyright (C) 2019 webtrees development team 631bc7874SGreg Roach * This program is free software: you can redistribute it and/or modify 731bc7874SGreg Roach * it under the terms of the GNU General Public License as published by 831bc7874SGreg Roach * the Free Software Foundation, either version 3 of the License, or 931bc7874SGreg Roach * (at your option) any later version. 1031bc7874SGreg Roach * This program is distributed in the hope that it will be useful, 1131bc7874SGreg Roach * but WITHOUT ANY WARRANTY; without even the implied warranty of 1231bc7874SGreg Roach * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 1331bc7874SGreg Roach * GNU General Public License for more details. 1431bc7874SGreg Roach * You should have received a copy of the GNU General Public License 1531bc7874SGreg Roach * along with this program. If not, see <http://www.gnu.org/licenses/>. 1631bc7874SGreg Roach */ 17fcfa147eSGreg Roach 18e7f56f2aSGreg Roachdeclare(strict_types=1); 19e7f56f2aSGreg Roach 2076692c8bSGreg Roachnamespace Fisharebest\Webtrees; 2131bc7874SGreg Roach 22deb4b685SGreg Roachuse Illuminate\Support\Str; 236ccdf4f0SGreg Roachuse Psr\Http\Message\ServerRequestInterface; 243976b470SGreg Roach 254d7dd147SGreg Roachuse function array_map; 264d7dd147SGreg Roachuse function explode; 274d7dd147SGreg Roachuse function implode; 284d7dd147SGreg Roachuse function parse_url; 294d7dd147SGreg Roachuse function session_name; 304d7dd147SGreg Roachuse function session_regenerate_id; 314d7dd147SGreg Roachuse function session_register_shutdown; 324d7dd147SGreg Roachuse function session_set_cookie_params; 334d7dd147SGreg Roachuse function session_set_save_handler; 344d7dd147SGreg Roachuse function session_start; 35fe3a9054SGreg Roachuse function session_status; 363976b470SGreg Roach 374d7dd147SGreg Roachuse const PHP_URL_HOST; 384d7dd147SGreg Roachuse const PHP_URL_PATH; 394d7dd147SGreg Roachuse const PHP_URL_SCHEME; 404c891c40SGreg Roach 4131bc7874SGreg Roach/** 4242af74e7SGreg Roach * Session handling 4331bc7874SGreg Roach */ 44c1010edaSGreg Roachclass Session 45c1010edaSGreg Roach{ 469683b471SGreg Roach private const SESSION_NAME = 'WT2_SESSION'; 4731bc7874SGreg Roach /** 4831bc7874SGreg Roach * Start a session 49c7ff4153SGreg Roach * 504d7dd147SGreg Roach * @param ServerRequestInterface $request 514d7dd147SGreg Roach * 52c7ff4153SGreg Roach * @return void 5331bc7874SGreg Roach */ 544d7dd147SGreg Roach public static function start(ServerRequestInterface $request): void 55c1010edaSGreg Roach { 564d7dd147SGreg Roach // Store sessions in the database 574d7dd147SGreg Roach session_set_save_handler(new SessionDatabaseHandler($request)); 584d7dd147SGreg Roach 599e5d8e6fSGreg Roach $url = $request->getAttribute('base_url'); 604d7dd147SGreg Roach $secure = parse_url($url, PHP_URL_SCHEME) === 'https'; 614d7dd147SGreg Roach $domain = parse_url($url, PHP_URL_HOST); 629e5d8e6fSGreg Roach $path = parse_url($url, PHP_URL_PATH) ?? ''; 6308df3d18SGreg Roach 6408df3d18SGreg Roach // Paths containing UTF-8 characters need special handling. 6508df3d18SGreg Roach $path = implode('/', array_map('rawurlencode', explode('/', $path))); 6608df3d18SGreg Roach 679683b471SGreg Roach session_name(self::SESSION_NAME); 6831bc7874SGreg Roach session_register_shutdown(); 69cf7dfd3dSGreg Roach session_set_cookie_params(0, $path . '/', $domain, $secure, true); 7031bc7874SGreg Roach session_start(); 7108df3d18SGreg Roach 7208df3d18SGreg Roach // A new session? Prevent session fixation attacks by choosing a new session ID. 73b262b3d3SGreg Roach if (self::get('initiated') !== true) { 7408df3d18SGreg Roach self::regenerate(true); 7508df3d18SGreg Roach self::put('initiated', true); 7608df3d18SGreg Roach } 7731bc7874SGreg Roach } 7831bc7874SGreg Roach 7931bc7874SGreg Roach /** 806ccdf4f0SGreg Roach * Read a value from the session 8157514a4fSGreg Roach * 826ccdf4f0SGreg Roach * @param string $name 836ccdf4f0SGreg Roach * @param mixed $default 846ccdf4f0SGreg Roach * 856ccdf4f0SGreg Roach * @return mixed 8657514a4fSGreg Roach */ 876ccdf4f0SGreg Roach public static function get(string $name, $default = null) 88c1010edaSGreg Roach { 896ccdf4f0SGreg Roach return $_SESSION[$name] ?? $default; 9057514a4fSGreg Roach } 9157514a4fSGreg Roach 9257514a4fSGreg Roach /** 93*fd8bd3bcSGreg Roach * Read a value from the session and remove it. 94*fd8bd3bcSGreg Roach * 95*fd8bd3bcSGreg Roach * @param string $name 96*fd8bd3bcSGreg Roach * @param mixed $default 97*fd8bd3bcSGreg Roach * 98*fd8bd3bcSGreg Roach * @return mixed 99*fd8bd3bcSGreg Roach */ 100*fd8bd3bcSGreg Roach public static function pull(string $name, $default = null) 101*fd8bd3bcSGreg Roach { 102*fd8bd3bcSGreg Roach $value = self::get($name, $default); 103*fd8bd3bcSGreg Roach self::forget($name); 104*fd8bd3bcSGreg Roach 105*fd8bd3bcSGreg Roach return $value; 106*fd8bd3bcSGreg Roach } 107*fd8bd3bcSGreg Roach 108*fd8bd3bcSGreg Roach /** 1096ccdf4f0SGreg Roach * After any change in authentication level, we should use a new session ID. 11057514a4fSGreg Roach * 1116ccdf4f0SGreg Roach * @param bool $destroy 11257514a4fSGreg Roach * 1136ccdf4f0SGreg Roach * @return void 11457514a4fSGreg Roach */ 1156ccdf4f0SGreg Roach public static function regenerate(bool $destroy = false): void 116c1010edaSGreg Roach { 1176ccdf4f0SGreg Roach if ($destroy) { 1186ccdf4f0SGreg Roach self::clear(); 1196ccdf4f0SGreg Roach } 1206ccdf4f0SGreg Roach 1216ccdf4f0SGreg Roach if (session_status() === PHP_SESSION_ACTIVE) { 1226ccdf4f0SGreg Roach session_regenerate_id($destroy); 1236ccdf4f0SGreg Roach } 12457514a4fSGreg Roach } 12557514a4fSGreg Roach 12657514a4fSGreg Roach /** 1276ccdf4f0SGreg Roach * Remove all stored data from the session. 1286ccdf4f0SGreg Roach * 1296ccdf4f0SGreg Roach * @return void 1306ccdf4f0SGreg Roach */ 1316ccdf4f0SGreg Roach public static function clear(): void 1326ccdf4f0SGreg Roach { 1336ccdf4f0SGreg Roach $_SESSION = []; 1346ccdf4f0SGreg Roach } 1356ccdf4f0SGreg Roach 1366ccdf4f0SGreg Roach /** 1376ccdf4f0SGreg Roach * Write a value to the session 1386ccdf4f0SGreg Roach * 1396ccdf4f0SGreg Roach * @param string $name 1406ccdf4f0SGreg Roach * @param mixed $value 1416ccdf4f0SGreg Roach * 1426ccdf4f0SGreg Roach * @return void 1436ccdf4f0SGreg Roach */ 1446ccdf4f0SGreg Roach public static function put(string $name, $value): void 1456ccdf4f0SGreg Roach { 1466ccdf4f0SGreg Roach $_SESSION[$name] = $value; 1476ccdf4f0SGreg Roach } 1486ccdf4f0SGreg Roach 1496ccdf4f0SGreg Roach /** 1506ccdf4f0SGreg Roach * Remove a value from the session 1516ccdf4f0SGreg Roach * 1526ccdf4f0SGreg Roach * @param string $name 1536ccdf4f0SGreg Roach * 1546ccdf4f0SGreg Roach * @return void 1556ccdf4f0SGreg Roach */ 1566ccdf4f0SGreg Roach public static function forget(string $name): void 1576ccdf4f0SGreg Roach { 1586ccdf4f0SGreg Roach unset($_SESSION[$name]); 1596ccdf4f0SGreg Roach } 1606ccdf4f0SGreg Roach 1616ccdf4f0SGreg Roach /** 162a45f9889SGreg Roach * Cross-Site Request Forgery tokens - ensure that the user is submitting 163a45f9889SGreg Roach * a form that was generated by the current session. 164a45f9889SGreg Roach * 165a45f9889SGreg Roach * @return string 166a45f9889SGreg Roach */ 1678f53f488SRico Sonntag public static function getCsrfToken(): string 168a45f9889SGreg Roach { 169e364afe4SGreg Roach if (!self::has('CSRF_TOKEN')) { 170e364afe4SGreg Roach self::put('CSRF_TOKEN', Str::random(32)); 171a45f9889SGreg Roach } 172a45f9889SGreg Roach 173e364afe4SGreg Roach return self::get('CSRF_TOKEN'); 174a45f9889SGreg Roach } 1756ccdf4f0SGreg Roach 1766ccdf4f0SGreg Roach /** 1776ccdf4f0SGreg Roach * Does a session variable exist? 1786ccdf4f0SGreg Roach * 1796ccdf4f0SGreg Roach * @param string $name 1806ccdf4f0SGreg Roach * 1816ccdf4f0SGreg Roach * @return bool 1826ccdf4f0SGreg Roach */ 1836ccdf4f0SGreg Roach public static function has(string $name): bool 1846ccdf4f0SGreg Roach { 1856ccdf4f0SGreg Roach return isset($_SESSION[$name]); 1866ccdf4f0SGreg Roach } 18731bc7874SGreg Roach} 188