  1 <?php
  2 
  3 /*
  4  * This file is part of the ICanBoogie package.
  5  *
  6  * (c) Olivier Laviale <olivier.laviale@gmail.com>
  7  *
  8  * For the full copyright and license information, please view the LICENSE
  9  * file that was distributed with this source code.
 10  */
 11 
 12 namespace ICanBoogie;
 13 
 14 /**
 15  * Session.
 16  *
 17  * @property string $remote_ip The remote IP of the request that created the session.
 18  * @property string $remote_agent_hash The remote user agent hash of the request that created the
 19  * session.
 20  * @property string $token A token that can be used to prevent cross-site request forgeries.
 21  */
 22 class Session
 23 {
 24     /**
 25      * Checks if a session identifier can be found to retrieve a session.
 26      *
 27      * @return bool true if the session identifier exists in the cookie, false otherwise.
 28      */
 29     static public function exists()
 30     {
 31         global $core;
 32 
 33         return !empty($_COOKIE[$core->config['session']['name']]);
 34     }
 35 
 36     /**
 37      * Returns a Session instance.
 38      *
 39      * The session is initialized when the session object is created.
 40      *
 41      * Once the session is created the `start` event is fired with the session as sender.
 42      *
 43      * @return Session.
 44      */
 45     static function get_session(Core $core)
 46     {
 47         $options = $core->config['session'];
 48 
 49         unset($options['id']);
 50 
 51         return new static($options);
 52     }
 53 
 54     /**
 55      * Constructor.
 56      *
 57      * In order to circumvent session fixation and session hijacking, the remote IP and the user
 58      * agent hash are attached to the session. A previous session can only be restored if the
 59      * remote address and the user agent hash match those attached to that previous session.
 60      *
 61      * Although the user agent is easily forgeable, the IP address (fetched from
 62      * $_SERVER['REMOTE_ADDR']) is not forgeable without compromising the server itself. The
 63      * values are stored independently in order to prevent a collision attack.
 64      *
 65      * The session is destroyed when the values don't match and the "location" header is set to
 66      * request a reload.
 67      *
 68      * @param array $options
 69      */
 70     public function __construct(array $options=[])
 71     {
 72         if (session_id())
 73         {
 74             return;
 75         }
 76 
 77         $options += [
 78 
 79             'id' => null,
 80             'name' => 'ICanBoogie',
 81             'use_cookies' => true,
 82             'use_only_cookies' => true,
 83             'use_trans_sid' => false,
 84             'cache_limiter' => null,
 85             'module_name' => 'files'
 86 
 87         ] + session_get_cookie_params();
 88 
 89         $id = $options['id'];
 90 
 91         if ($id)
 92         {
 93             session_id($id);
 94         }
 95 
 96         session_name($options['name']);
 97         session_set_cookie_params($options['lifetime'], $options['path'], $options['domain'], $options['secure'], $options['httponly']);
 98 
 99         if ($options['cache_limiter'] !== null)
100         {
101             session_cache_limiter($options['cache_limiter']);
102         }
103 
104         if ($options['module_name'] != session_module_name())
105         {
106             session_module_name($options['module_name']);
107         }
108 
109         $use_trans_sid = $options['use_trans_sid'];
110         ini_set('session.use_trans_sid', $use_trans_sid);
111 
112         if ($use_trans_sid)
113         {
114             output_add_rewrite_var(session_name(), session_id());
115         }
116         else
117         {
118             output_reset_rewrite_vars();
119         }
120 
121         if (PHP_SAPI != 'cli')
122         {
123             session_start();
124         }
125 
126         #
127         # The following line are meant to circumvent session fixation.
128         #
129 
130         $remote_ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '::1';
131         $remote_agent_hash = isset($_SERVER['HTTP_USER_AGENT']) ? md5($_SERVER['HTTP_USER_AGENT']) : null;
132 
133         if (empty($this->remote_ip))
134         {
135             $this->remote_ip = $remote_ip;
136             $this->remote_agent_hash = $remote_agent_hash;
137             $this->regenerate_token();
138         }
139         else if ($this->remote_ip != $remote_ip || $this->remote_agent_hash != $remote_agent_hash)
140         {
141             session_destroy();
142 
143             header('Location: ' . $_SERVER['REQUEST_URI']);
144 
145             if ($options['use_cookies'])
146             {
147                 setcookie(session_name(), '', time() - 42000, $options['path'], $options['domain'], $options['secure'], $options['httponly']);
148             }
149 
150             exit;
151         }
152 
153         new Session\StartEvent($this);
154     }
155 
156     /**
157      * Regenerates the id of the session.
158      */
159     public function regenerate_id($delete_old_session=false)
160     {
161         if (PHP_SAPI == 'cli')
162         {
163             return;
164         }
165 
166         return session_regenerate_id($delete_old_session);
167     }
168 
169     /**
170      * Regenerates the session token.
171      *
172      * The `token_time` property is updated to the current time.
173      *
174      * @return string The new session token.
175      */
176     public function regenerate_token()
177     {
178         $_SESSION['token'] = $token = md5(uniqid());
179         $_SESSION['token_time'] = time();
180 
181         return $token;
182     }
183 
184     public function &__get($property)
185     {
186         return $_SESSION[$property];
187     }
188 
189     public function __set($property, $value)
190     {
191         $_SESSION[$property] = $value;
192     }
193 
194     public function __isset($property)
195     {
196         return isset($_SESSION, $property);
197     }
198 
199     public function __unset($property)
200     {
201         unset($_SESSION[$property]);
202     }
203 }
204 
205 namespace ICanBoogie\Session;
206 
207 /**
208  * Event class for the `ICanBoogie\Session::start` event.
209  */
class StartEvent extends \ICanBoogie\Event
{
    /**
     * Creates the event, forwarding the target and the payload to the parent constructor
     * together with the event type `start`.
     *
     * @param \ICanBoogie\Session $target The session the event is created for.
     * @param array $payload Passed unchanged to the parent constructor.
     */
    public function __construct(\ICanBoogie\Session $target, array $payload = []) {
        parent::__construct(
            $target,
            'start',
            $payload
        );
    }
}