streams/Zotlabs/Web/Session.php

<?php

namespace Zotlabs\Web;

/**
 *
 * @brief This file includes session related functions.
 *
 * Session management functions. These provide database storage of PHP
 * session info.
 */


class Session {

	private static $handler = null;
	private static $session_started = false;

	public function init() {

		$gc_probability = 50;

		ini_set('session.gc_probability', $gc_probability);
		ini_set('session.use_only_cookies', 1);
		ini_set('session.cookie_httponly', 1);
	
		/*
		 * Set our session storage functions.
		 */

		$handler = new \Zotlabs\Web\SessionHandler();
		self::$handler = $handler;

		$x = session_set_save_handler($handler,false);
		if(! $x)
			logger('Session save handler initialisation failed.',LOGGER_NORMAL,LOG_ERR);

		// Force cookies to be secure (https only) if this site is SSL enabled. 
		// Must be done before session_start().

		$arr = session_get_cookie_params();
		session_set_cookie_params(
			((isset($arr['lifetime']))   ? $arr['lifetime'] : 0),
			((isset($arr['path']))      ? $arr['path']     : '/'),
			((isset($arr['domain']))    ? $arr['domain']   : App::get_hostname()),
			((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
			((isset($arr['httponly']))  ? $arr['httponly'] : true)
		);

		register_shutdown_function('session_write_close');

	}

	public function start() {
		session_start();
		self::$session_started = true;
	}

	/**
	 * @brief Resets the current session.
	 *
	 * @return void
	 */

	static public function nuke() {
		self::new_cookie(0); // 0 means delete on browser exit
		if($_SESSION && count($_SESSION)) {
			foreach($_SESSION as $k => $v) {
				unset($_SESSION[$k]);
			}
		}
	}

	public function new_cookie($xtime) {

		$newxtime = (($xtime> 0) ? (time() + $xtime) : 0);

		$old_sid = session_id();

		if(self::$handler && self::$session_started) {
			session_regenerate_id(true);

			// force SessionHandler record creation with the new session_id
			// which occurs as a side effect of read()

			self::$handler->read(session_id());
		}
		else 
			logger('no session handler');

		if (x($_COOKIE, 'jsdisabled')) {
			setcookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime);
		}
		setcookie(session_name(),session_id(),$newxtime);

		$arr = array('expire' => $xtime);
		call_hooks('new_cookie', $arr);

	}

	public function extend_cookie() {

		// if there's a long-term cookie, extend it

		$xtime = (($_SESSION['remember_me']) ? (60 * 60 * 24 * 365) : 0 );

		if($xtime)
			setcookie(session_name(),session_id(),(time() + $xtime));
		$arr = array('expire' => $xtime);
		call_hooks('extend_cookie', $arr);

	}


	public function return_check() {

		// check a returning visitor against IP changes.
		// If the change results in being blocked from re-entry with the current cookie
		// nuke the session and logout.
		// Returning at all indicates the session is still valid.

		// first check if we're enforcing that sessions can't change IP address
		// @todo what to do with IPv6 addresses

		if($_SESSION['addr'] && $_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
			logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);

			$partial1 = substr($_SESSION['addr'], 0, strrpos($_SESSION['addr'], '.')); 
			$partial2 = substr($_SERVER['REMOTE_ADDR'], 0, strrpos($_SERVER['REMOTE_ADDR'], '.')); 

			$paranoia = intval(get_pconfig($_SESSION['uid'], 'system', 'paranoia'));

			if(! $paranoia)
				$paranoia = intval(get_config('system', 'paranoia'));

			switch($paranoia) {
				case 0:
					// no IP checking
					break;
				case 2:
					// check 2 octets
					$partial1 = substr($partial1, 0, strrpos($partial1, '.'));
					$partial2 = substr($partial2, 0, strrpos($partial2, '.'));
					if($partial1 == $partial2)
						break;
				case 1:
					// check 3 octets
					if($partial1 == $partial2)
						break;
				case 3:
				default:
					// check any difference at all
					logger('Session address changed. Paranoid setting in effect, blocking session. '
					. $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
					self::nuke();
					goaway(z_root());
					break;
			}
		}
		return true;
	}

}
objectify all the session management stuff 2016-04-08 11:44:10 +00:00			`<?php`

			`namespace Zotlabs\Web;`

			`/**`
			`*`
			`* @brief This file includes session related functions.`
			`*`
			`* Session management functions. These provide database storage of PHP`
			`* session info.`
			`*/`


			`class Session {`

a few issues: block public not blocking mod_cal, typo in sql for one clone file sync operation, fix_system_urls not catching cached contact photos, extend sessionhandler expiration when remember_me is enabled as the stored session is expiring long before the browser session. 2016-04-10 23:56:08 +00:00			`private static $handler = null;`
Important work on the sessionhandler to maintain compatibility with php7 and php5x (x > 4) Merge branch 'master' into dev 2016-04-13 02:40:19 +00:00			`private static $session_started = false;`
a few issues: block public not blocking mod_cal, typo in sql for one clone file sync operation, fix_system_urls not catching cached contact photos, extend sessionhandler expiration when remember_me is enabled as the stored session is expiring long before the browser session. 2016-04-10 23:56:08 +00:00
restrict static to the one function that requires it 2016-05-16 20:46:35 +00:00			`public function init() {`
objectify all the session management stuff 2016-04-08 11:44:10 +00:00
			`$gc_probability = 50;`

			`ini_set('session.gc_probability', $gc_probability);`
			`ini_set('session.use_only_cookies', 1);`
			`ini_set('session.cookie_httponly', 1);`

			`/*`
			`* Set our session storage functions.`
			`*/`

			`$handler = new \Zotlabs\Web\SessionHandler();`
a few issues: block public not blocking mod_cal, typo in sql for one clone file sync operation, fix_system_urls not catching cached contact photos, extend sessionhandler expiration when remember_me is enabled as the stored session is expiring long before the browser session. 2016-04-10 23:56:08 +00:00			`self::$handler = $handler;`
objectify all the session management stuff 2016-04-08 11:44:10 +00:00
try again with shutdown handler, fix issue #373 (live-pubstream div wasn't present 2016-05-10 08:30:22 +00:00			`$x = session_set_save_handler($handler,false);`
log if the session handler fails and surface the ssl_cookie config setting 2016-04-08 12:10:36 +00:00			`if(! $x)`
			`logger('Session save handler initialisation failed.',LOGGER_NORMAL,LOG_ERR);`
objectify all the session management stuff 2016-04-08 11:44:10 +00:00
			`// Force cookies to be secure (https only) if this site is SSL enabled.`
			`// Must be done before session_start().`

Important work on the sessionhandler to maintain compatibility with php7 and php5x (x > 4) Merge branch 'master' into dev 2016-04-13 02:40:19 +00:00			`$arr = session_get_cookie_params();`
			`session_set_cookie_params(`
			`((isset($arr['lifetime'])) ? $arr['lifetime'] : 0),`
			`((isset($arr['path'])) ? $arr['path'] : '/'),`
			`((isset($arr['domain'])) ? $arr['domain'] : App::get_hostname()),`
			`((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),`
			`((isset($arr['httponly'])) ? $arr['httponly'] : true)`
			`);`
try again with shutdown handler, fix issue #373 (live-pubstream div wasn't present 2016-05-10 08:30:22 +00:00
			`register_shutdown_function('session_write_close');`

objectify all the session management stuff 2016-04-08 11:44:10 +00:00			`}`

restrict static to the one function that requires it 2016-05-16 20:46:35 +00:00			`public function start() {`
objectify all the session management stuff 2016-04-08 11:44:10 +00:00			`session_start();`
Important work on the sessionhandler to maintain compatibility with php7 and php5x (x > 4) Merge branch 'master' into dev 2016-04-13 02:40:19 +00:00			`self::$session_started = true;`
objectify all the session management stuff 2016-04-08 11:44:10 +00:00			`}`

			`/**`
			`* @brief Resets the current session.`
			`*`
			`* @return void`
			`*/`

changes to session for cdev compatibility 2016-05-16 09:03:15 +00:00			`static public function nuke() {`
objectify all the session management stuff 2016-04-08 11:44:10 +00:00			`self::new_cookie(0); // 0 means delete on browser exit`
			`if($_SESSION && count($_SESSION)) {`
			`foreach($_SESSION as $k => $v) {`
			`unset($_SESSION[$k]);`
			`}`
			`}`
			`}`

restrict static to the one function that requires it 2016-05-16 20:46:35 +00:00			`public function new_cookie($xtime) {`
a few issues: block public not blocking mod_cal, typo in sql for one clone file sync operation, fix_system_urls not catching cached contact photos, extend sessionhandler expiration when remember_me is enabled as the stored session is expiring long before the browser session. 2016-04-10 23:56:08 +00:00
			`$newxtime = (($xtime> 0) ? (time() + $xtime) : 0);`
objectify all the session management stuff 2016-04-08 11:44:10 +00:00
			`$old_sid = session_id();`

Important work on the sessionhandler to maintain compatibility with php7 and php5x (x > 4) Merge branch 'master' into dev 2016-04-13 02:40:19 +00:00			`if(self::$handler && self::$session_started) {`
			`session_regenerate_id(true);`

			`// force SessionHandler record creation with the new session_id`
			`// which occurs as a side effect of read()`
objectify all the session management stuff 2016-04-08 11:44:10 +00:00
Important work on the sessionhandler to maintain compatibility with php7 and php5x (x > 4) Merge branch 'master' into dev 2016-04-13 02:40:19 +00:00			`self::$handler->read(session_id());`
a few issues: block public not blocking mod_cal, typo in sql for one clone file sync operation, fix_system_urls not catching cached contact photos, extend sessionhandler expiration when remember_me is enabled as the stored session is expiring long before the browser session. 2016-04-10 23:56:08 +00:00			`}`
			`else`
			`logger('no session handler');`
objectify all the session management stuff 2016-04-08 11:44:10 +00:00
reverse the logic of the jsenabled setting so that sessions without js are performance penalised instead of regular sessions. 2016-04-13 05:55:26 +00:00			`if (x($_COOKIE, 'jsdisabled')) {`
			`setcookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime);`
objectify all the session management stuff 2016-04-08 11:44:10 +00:00			`}`
a few issues: block public not blocking mod_cal, typo in sql for one clone file sync operation, fix_system_urls not catching cached contact photos, extend sessionhandler expiration when remember_me is enabled as the stored session is expiring long before the browser session. 2016-04-10 23:56:08 +00:00			`setcookie(session_name(),session_id(),$newxtime);`

Important work on the sessionhandler to maintain compatibility with php7 and php5x (x > 4) Merge branch 'master' into dev 2016-04-13 02:40:19 +00:00			`$arr = array('expire' => $xtime);`
			`call_hooks('new_cookie', $arr);`

objectify all the session management stuff 2016-04-08 11:44:10 +00:00			`}`

restrict static to the one function that requires it 2016-05-16 20:46:35 +00:00			`public function extend_cookie() {`
move more session related stuff such as paranoia handling (IP address changes) into the session object and extend remember_me cookies once a day so that they will never expire (theoretically). The DB session driver will extend its expiration on every session write (in the case of persistent sessions). 2016-04-11 02:20:41 +00:00
			`// if there's a long-term cookie, extend it`

Important work on the sessionhandler to maintain compatibility with php7 and php5x (x > 4) Merge branch 'master' into dev 2016-04-13 02:40:19 +00:00			`$xtime = (($_SESSION['remember_me']) ? (60 * 60 * 24 * 365) : 0 );`

			`if($xtime)`
			`setcookie(session_name(),session_id(),(time() + $xtime));`
			`$arr = array('expire' => $xtime);`
			`call_hooks('extend_cookie', $arr);`
move more session related stuff such as paranoia handling (IP address changes) into the session object and extend remember_me cookies once a day so that they will never expire (theoretically). The DB session driver will extend its expiration on every session write (in the case of persistent sessions). 2016-04-11 02:20:41 +00:00
			`}`


restrict static to the one function that requires it 2016-05-16 20:46:35 +00:00			`public function return_check() {`
move more session related stuff such as paranoia handling (IP address changes) into the session object and extend remember_me cookies once a day so that they will never expire (theoretically). The DB session driver will extend its expiration on every session write (in the case of persistent sessions). 2016-04-11 02:20:41 +00:00
			`// check a returning visitor against IP changes.`
			`// If the change results in being blocked from re-entry with the current cookie`
			`// nuke the session and logout.`
			`// Returning at all indicates the session is still valid.`

			`// first check if we're enforcing that sessions can't change IP address`
			`// @todo what to do with IPv6 addresses`

			`if($_SESSION['addr'] && $_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {`
			`logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);`

			`$partial1 = substr($_SESSION['addr'], 0, strrpos($_SESSION['addr'], '.'));`
			`$partial2 = substr($_SERVER['REMOTE_ADDR'], 0, strrpos($_SERVER['REMOTE_ADDR'], '.'));`

			`$paranoia = intval(get_pconfig($_SESSION['uid'], 'system', 'paranoia'));`

			`if(! $paranoia)`
			`$paranoia = intval(get_config('system', 'paranoia'));`

			`switch($paranoia) {`
			`case 0:`
			`// no IP checking`
			`break;`
			`case 2:`
			`// check 2 octets`
			`$partial1 = substr($partial1, 0, strrpos($partial1, '.'));`
			`$partial2 = substr($partial2, 0, strrpos($partial2, '.'));`
			`if($partial1 == $partial2)`
			`break;`
			`case 1:`
			`// check 3 octets`
			`if($partial1 == $partial2)`
			`break;`
			`case 3:`
			`default:`
			`// check any difference at all`
			`logger('Session address changed. Paranoid setting in effect, blocking session. '`
			`. $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);`
			`self::nuke();`
			`goaway(z_root());`
			`break;`
			`}`
			`}`
			`return true;`
			`}`
objectify all the session management stuff 2016-04-08 11:44:10 +00:00
whitespace 2016-04-11 09:01:53 +00:00			`}`