streams/Code/Web/Session.php

<?php

namespace Code\Web;

use Code\Web\SessionHandler;
use Code\Extend\Hook;


/**
 *
 * @brief This file includes session related functions.
 *
 * Session management functions. These provide database storage of PHP
 * session info.
 */


class Session
{

    private $handler = null;
    private $session_started = false;
    private $custom_handler = false;

    public function init()
    {

        $gc_probability = 50;

        ini_set('session.gc_probability', $gc_probability);
        ini_set('session.use_only_cookies', 1);
        ini_set('session.cookie_httponly', 1);

        $this->custom_handler = boolval(get_config('system', 'session_custom', false));

        /*
         * Set our session storage functions.
         */

        if ($this->custom_handler) {
           /* Custom handler (files, memached, redis..) */

            $session_save_handler = strval(get_config('system', 'session_save_handler', null));
            $session_save_path = strval(get_config('system', 'session_save_path', null));
            if ($session_save_handler && $session_save_path) {
                ini_set('session.save_handler', $session_save_handler);
                ini_set('session.save_path', $session_save_path);
            } else {
                logger('Session save handler or path not set.', LOGGER_NORMAL, LOG_ERR);
            }
        } else {
            $handler = new SessionHandler();

            $this->handler = $handler;

            $x = session_set_save_handler($handler, false);
            if (! $x) {
                logger('Session save handler initialisation failed.', LOGGER_NORMAL, LOG_ERR);
            }
        }

        // Force cookies to be secure (https only) if this site is SSL enabled.
        // Must be done before session_start().

        $arr = session_get_cookie_params();

        // Note when setting cookies: set the domain to false which creates a single domain
        // cookie. If you use a hostname it will create a .domain.com wildcard which will
        // have some nasty side effects if you have any other subdomains running the same software.

		session_set_cookie_params([
			'lifetime' => ((isset($arr['lifetime'])) ? $arr['lifetime'] : 0),
			'path' => ((isset($arr['path'])) ? $arr['path'] : '/'),
			'domain' => (($arr['domain']) ? $arr['domain'] : false),
			'secure' => ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
			'httponly' => ((isset($arr['httponly'])) ? $arr['httponly'] : true),
			'samesite' => 'None'
		]);

    
        register_shutdown_function('session_write_close');
    }

    public function start()
    {
        session_start();
        $this->session_started = true;
    }

    /**
     * @brief Resets the current session.
     *
     * @return void
     */

    public function nuke()
    {
        $this->new_cookie(0); // 0 means delete on browser exit
        if ($_SESSION && count($_SESSION)) {
            foreach ($_SESSION as $k => $v) {
                unset($_SESSION[$k]);
            }
        }
    }

    public function new_cookie($xtime)
    {

        $newxtime = (($xtime > 0) ? (time() + $xtime) : 0);

        $old_sid = session_id();

        $arr = session_get_cookie_params();

        if (($this->handler || $this->custom_handler) && $this->session_started) {
            session_regenerate_id(true);

            // force SessionHandler record creation with the new session_id
            // which occurs as a side effect of read()
            if (! $this->custom_handler) {
                $this->handler->read(session_id());
            }
        } else {
            logger('no session handler');
        }

        if (x($_COOKIE, 'jsdisabled')) {
			setcookie(
				'jsdisabled',
				$_COOKIE['jsdisabled'],
				[
					'expires' => $newxtime,
					'path' => '/',
					'domain' => false,
					'secure' => ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
					'httponly' => ((isset($arr['httponly'])) ? $arr['httponly'] : true),
					'samesite' => 'None'
				]
			);
		}    

		setcookie(
			session_name(),
			session_id(),
			[
				'expires' => $newxtime,
				'path' => '/',
				'domain' => false,
				'secure' => ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
				'httponly' => ((isset($arr['httponly'])) ? $arr['httponly'] : true),
				'samesite' => 'None'
			]
		);

        $arr = array('expire' => $xtime);
        Hook::call('new_cookie', $arr);
    }

    public function extend_cookie()
    {

        $arr = session_get_cookie_params();

        // if there's a long-term cookie, extend it

        $xtime = (($_SESSION['remember_me']) ? (60 * 60 * 24 * 365) : 0 );

        if ($xtime) {
			setcookie(
				session_name(),
				session_id(),
				[
					'expires' => time() + $xtime,
					'path' => '/',
					'domain' => false,
					'secure' => ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
					'httponly' => ((isset($arr['httponly'])) ? $arr['httponly'] : true),
					'samesite' => 'None'
				]
			);
		}

        $arr = array('expire' => $xtime);
        Hook::call('extend_cookie', $arr);
    }
}
objectify all the session management stuff 2016-04-08 11:44:10 +00:00			`<?php`

it's done 2022-02-16 04:08:28 +00:00			`namespace Code\Web;`
objectify all the session management stuff 2016-04-08 11:44:10 +00:00
it's done 2022-02-16 04:08:28 +00:00			`use Code\Web\SessionHandler;`
			`use Code\Extend\Hook;`
This checkin is surely broken, but I need to commit it because it represents a fair bit of work. 2022-02-12 08:50:48 +00:00
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00
objectify all the session management stuff 2016-04-08 11:44:10 +00:00			`/**`
			`*`
			`* @brief This file includes session related functions.`
			`*`
			`* Session management functions. These provide database storage of PHP`
			`* session info.`
			`*/`


psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`class Session`
			`{`

			`private $handler = null;`
			`private $session_started = false;`
			`private $custom_handler = false;`

			`public function init()`
			`{`
objectify all the session management stuff 2016-04-08 11:44:10 +00:00
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`$gc_probability = 50;`
cleanup 2019-07-26 00:12:48 +00:00
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`ini_set('session.gc_probability', $gc_probability);`
			`ini_set('session.use_only_cookies', 1);`
			`ini_set('session.cookie_httponly', 1);`
objectify all the session management stuff 2016-04-08 11:44:10 +00:00
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`$this->custom_handler = boolval(get_config('system', 'session_custom', false));`
objectify all the session management stuff 2016-04-08 11:44:10 +00:00
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`/*`
			`* Set our session storage functions.`
			`*/`
remove unused zot6 'request' verb support 2019-01-26 20:30:18 +00:00
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`if ($this->custom_handler) {`
			`/* Custom handler (files, memached, redis..) */`
remove unused zot6 'request' verb support 2019-01-26 20:30:18 +00:00
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`$session_save_handler = strval(get_config('system', 'session_save_handler', null));`
			`$session_save_path = strval(get_config('system', 'session_save_path', null));`
			`if ($session_save_handler && $session_save_path) {`
			`ini_set('session.save_handler', $session_save_handler);`
			`ini_set('session.save_path', $session_save_path);`
			`} else {`
			`logger('Session save handler or path not set.', LOGGER_NORMAL, LOG_ERR);`
			`}`
			`} else {`
			`$handler = new SessionHandler();`
remove unused zot6 'request' verb support 2019-01-26 20:30:18 +00:00
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`$this->handler = $handler;`
remove unused zot6 'request' verb support 2019-01-26 20:30:18 +00:00
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`$x = session_set_save_handler($handler, false);`
			`if (! $x) {`
			`logger('Session save handler initialisation failed.', LOGGER_NORMAL, LOG_ERR);`
			`}`
			`}`
initial psr12 conversion 2021-12-02 22:33:36 +00:00
			`// Force cookies to be secure (https only) if this site is SSL enabled.`
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`// Must be done before session_start().`
objectify all the session management stuff 2016-04-08 11:44:10 +00:00
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`$arr = session_get_cookie_params();`
This explains it all. Don't set the domain when creating a cookie. You'll get a wildcard and sessions will break if you have multiple domains running hubzilla (or any php basic session based code). 2016-05-19 04:00:31 +00:00
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`// Note when setting cookies: set the domain to false which creates a single domain`
			`// cookie. If you use a hostname it will create a .domain.com wildcard which will`
remove brand name 2022-01-27 20:19:23 +00:00			`// have some nasty side effects if you have any other subdomains running the same software.`
try again with shutdown handler, fix issue #373 (live-pubstream div wasn't present 2016-05-10 08:30:22 +00:00
set samesite cookie flag to None 2022-01-10 19:30:55 +00:00			`session_set_cookie_params([`
			`'lifetime' => ((isset($arr['lifetime'])) ? $arr['lifetime'] : 0),`
			`'path' => ((isset($arr['path'])) ? $arr['path'] : '/'),`
			`'domain' => (($arr['domain']) ? $arr['domain'] : false),`
			`'secure' => ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),`
			`'httponly' => ((isset($arr['httponly'])) ? $arr['httponly'] : true),`
			`'samesite' => 'None'`
			`]);`


psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`register_shutdown_function('session_write_close');`
			`}`
objectify all the session management stuff 2016-04-08 11:44:10 +00:00
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`public function start()`
			`{`
			`session_start();`
			`$this->session_started = true;`
			`}`

			`/**`
			`* @brief Resets the current session.`
			`*`
			`* @return void`
			`*/`

			`public function nuke()`
			`{`
			`$this->new_cookie(0); // 0 means delete on browser exit`
			`if ($_SESSION && count($_SESSION)) {`
			`foreach ($_SESSION as $k => $v) {`
			`unset($_SESSION[$k]);`
			`}`
			`}`
			`}`

			`public function new_cookie($xtime)`
			`{`

			`$newxtime = (($xtime > 0) ? (time() + $xtime) : 0);`

			`$old_sid = session_id();`

			`$arr = session_get_cookie_params();`

			`if (($this->handler \|\| $this->custom_handler) && $this->session_started) {`
			`session_regenerate_id(true);`

			`// force SessionHandler record creation with the new session_id`
			`// which occurs as a side effect of read()`
			`if (! $this->custom_handler) {`
			`$this->handler->read(session_id());`
			`}`
			`} else {`
			`logger('no session handler');`
			`}`

			`if (x($_COOKIE, 'jsdisabled')) {`
set samesite cookie flag to None 2022-01-10 19:30:55 +00:00			`setcookie(`
			`'jsdisabled',`
			`$_COOKIE['jsdisabled'],`
			`[`
			`'expires' => $newxtime,`
			`'path' => '/',`
			`'domain' => false,`
			`'secure' => ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),`
			`'httponly' => ((isset($arr['httponly'])) ? $arr['httponly'] : true),`
			`'samesite' => 'None'`
			`]`
			`);`
			`}`

			`setcookie(`
			`session_name(),`
			`session_id(),`
			`[`
			`'expires' => $newxtime,`
			`'path' => '/',`
			`'domain' => false,`
			`'secure' => ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),`
			`'httponly' => ((isset($arr['httponly'])) ? $arr['httponly'] : true),`
			`'samesite' => 'None'`
			`]`
			`);`
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00
			`$arr = array('expire' => $xtime);`
This checkin is surely broken, but I need to commit it because it represents a fair bit of work. 2022-02-12 08:50:48 +00:00			`Hook::call('new_cookie', $arr);`
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`}`

			`public function extend_cookie()`
			`{`

			`$arr = session_get_cookie_params();`

			`// if there's a long-term cookie, extend it`

			`$xtime = (($_SESSION['remember_me']) ? (60 * 60 * 24 * 365) : 0 );`

			`if ($xtime) {`
set samesite cookie flag to None 2022-01-10 19:30:55 +00:00			`setcookie(`
			`session_name(),`
			`session_id(),`
			`[`
			`'expires' => time() + $xtime,`
			`'path' => '/',`
			`'domain' => false,`
			`'secure' => ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),`
			`'httponly' => ((isset($arr['httponly'])) ? $arr['httponly'] : true),`
			`'samesite' => 'None'`
			`]`
			`);`
			`}`

psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`$arr = array('expire' => $xtime);`
This checkin is surely broken, but I need to commit it because it represents a fair bit of work. 2022-02-12 08:50:48 +00:00			`Hook::call('extend_cookie', $arr);`
psr12 rewrites, continued 2021-12-03 03:01:39 +00:00			`}`
whitespace 2016-04-11 09:01:53 +00:00			`}`