XOOPS  2.6.0
Manager.php
Go to the documentation of this file.
1 <?php
2 /*
3  You may not change or alter any portion of this comment or credits
4  of supporting developers from this source code or any supporting source code
5  which is considered copyrighted (c) material of the original comment or credit authors.
6 
7  This program is distributed in the hope that it will be useful,
8  but WITHOUT ANY WARRANTY; without even the implied warranty of
9  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
10 */
11 
12 namespace Xoops\Core\Session;
13 
14 use Xoops\Core\AttributeInterface;
15 use Xoops\Core\HttpRequest;
16 
30 class Manager implements AttributeInterface
31 {
35  protected $xoops = null;
36 
40  protected $httpRequest = null;
41 
45  protected $fingerprint = null;
46 
50  protected $sessionUser = null;
51 
55  public function __construct()
56  {
57  $this->xoops = \Xoops::getInstance();
58  $this->httpRequest = HttpRequest::getInstance();
59  $this->sessionUser = new SessionUser($this);
60  $this->fingerprint = new Fingerprint;
61  }
62 
68  public function sessionStart()
69  {
83  $name = $this->xoops->getConfig('session_name');
84  $name = (empty($name)) ? 'xoops_session' : $name;
85  $expire = intval($this->xoops->getConfig('session_expire'));
86  $expire = ($expire>0) ? $expire : 300;
87 
88  $path = \XoopsBaseConfig::get('cookie-path');
89  $domain = \XoopsBaseConfig::get('cookie-domain');
90  $secure = $this->httpRequest->is('ssl');
91  session_name($name);
92  session_cache_expire($expire);
93 
94  session_set_cookie_params(0, $path, $domain, $secure, true);
95 
96  $sessionHandler = new Handler;
97  session_set_save_handler($sessionHandler);
98 
99  session_register_shutdown();
100 
101  session_start();
102 
103  // if session is empty, make sure it isn't using a passed in id
104  if (empty($_SESSION)) {
105  $this->regenerateSession();
106  }
107 
108  // Make sure the session hasn't expired, and destroy it if it has
109  if (!$this->validateSession()) {
110  $this->clearSession();
111  return;
112  }
113 
114  // Check to see if the session shows sign of hijacking attempt
115  if (!$this->fingerprint->checkSessionPrint($this)) {
116  $this->regenerateSession(); // session data already cleared, just needs new id
117  return;
118  }
119 
120  // establish valid user data in session, possibly clearing or adding from
121  // RememberMe mechanism as needed
122  $this->sessionUser->establish();
123 
124  // Give a 5% chance of the session id changing on any authenticated request
125  //if ($this->has('xoopsUserId') && (rand(1, 100) <= 5)) {
126  if ((rand(1, 100) <= 5)) {
127  $this->expireSession();
128  }
129  }
130 
136  public function clearSession()
137  {
138  $this->clear();
139  $this->fingerprint->checkSessionPrint($this);
140  $this->regenerateSession();
141  }
142 
148  public function expireSession()
149  {
150  // If this session is obsolete it means there already is a new id
151  if ($this->has('SESSION_MANAGER_OBSOLETE')) {
152  return;
153  }
154 
155  // Set current session to expire in 10 seconds
156  $this->set('SESSION_MANAGER_OBSOLETE', true);
157  $this->set('SESSION_MANAGER_EXPIRES', time() + 10);
158 
159  // Grab current session ID and close it
160  $sessionId = session_id();
161  session_write_close();
162 
163  // reopen the old session
164  session_id($sessionId);
165  session_start();
166 
167  // Create new session without destroying the old one
168  session_regenerate_id(false);
169 
170  // Now we unset the obsolete and expiration values since we ant to keep this one
171  $this->remove('SESSION_MANAGER_OBSOLETE');
172  $this->remove('SESSION_MANAGER_EXPIRES');
173  }
174 
182  public function regenerateSession()
183  {
184  session_regenerate_id(true);
185  }
186 
192  protected function validateSession()
193  {
194  // invalid to have obsolete and not expires
195  if ($this->has('SESSION_MANAGER_OBSOLETE') && !$this->has('SESSION_MANAGER_EXPIRES')) {
196  return false;
197  }
198 
199  // if we don't have the expires key, use a future value for test
200  if ($this->get('SESSION_MANAGER_EXPIRES', time()+10) < time()) {
201  return false;
202  }
203 
204  return true;
205  }
206 
212  public function user()
213  {
214  return $this->sessionUser;
215  }
216 
217  // access session variables as attribute object
218 
228  public function get($name, $default = null)
229  {
230  return (isset($_SESSION[$name])) ? $_SESSION[$name] : $default;
231  }
232 
241  public function set($name, $value)
242  {
243  $_SESSION[$name] = $value;
244  }
245 
253  public function has($name)
254  {
255  return isset($_SESSION[$name]);
256  }
257 
266  public function remove($name)
267  {
268  $value = (isset($_SESSION[$name])) ? $_SESSION[$name] : null;
269  unset($_SESSION[$name]);
270 
271  return $value;
272  }
273 
279  public function clear()
280  {
281  $oldValues = $_SESSION;
282  $_SESSION = array();
283  return $oldValues;
284  }
285 }
$path
$path
Definition: execute.php:31
$_SESSION
$_SESSION['RF']["verify"]
Definition: dialog.php:4
Xoops\getInstance
static getInstance()
Definition: Xoops.php:160
Xoops\Core\Session\Manager\set
set($name, $value)
Definition: Manager.php:241
XoopsBaseConfig\get
static get($name)
Definition: XoopsBaseConfig.php:117
$name
$name
Definition: force_download.php:15