PluginProbe ʕ •ᴥ•ʔ
LatePoint – Calendar Booking Plugin for Appointments and Events / 5.2.11
LatePoint – Calendar Booking Plugin for Appointments and Events v5.2.11
5.6.6 5.6.5 5.6.4 5.6.3 5.6.2 5.6.1 5.6.0 5.5.2 5.5.1 5.5.0 5.4.2 trunk 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.1.8 5.1.9 5.1.91 5.1.92 5.1.93 5.1.94 5.2.0 5.2.1 5.2.10 5.2.11 5.2.2 5.2.3 5.2.4 5.2.5 5.2.6 5.2.7 5.2.8 5.2.9 5.3.0 5.3.1 5.3.2 5.4.0 5.4.1
latepoint / lib / helpers / sessions_helper.php
latepoint / lib / helpers Last commit date
activities_helper.php 3 months ago agent_helper.php 3 months ago analytics_helper.php 4 months ago auth_helper.php 3 months ago blocks_helper.php 3 months ago booking_helper.php 3 months ago bricks_helper.php 3 months ago bundles_helper.php 3 months ago calendar_helper.php 3 months ago carts_helper.php 3 months ago connector_helper.php 3 months ago csv_helper.php 3 months ago customer_helper.php 3 months ago customer_import_helper.php 3 months ago database_helper.php 3 months ago debug_helper.php 3 months ago defaults_helper.php 3 months ago elementor_helper.php 3 months ago email_helper.php 3 months ago encrypt_helper.php 3 months ago events_helper.php 3 months ago form_helper.php 3 months ago icalendar_helper.php 3 months ago image_helper.php 3 months ago invoices_helper.php 3 months ago license_helper.php 3 months ago location_helper.php 3 months ago marketing_systems_helper.php 3 months ago meeting_systems_helper.php 3 months ago menu_helper.php 3 months ago meta_helper.php 3 months ago migrations_helper.php 3 months ago money_helper.php 3 months ago notifications_helper.php 3 months ago nps_survey_helper.php 3 months ago order_intent_helper.php 3 months ago orders_helper.php 3 months ago otp_helper.php 3 months ago pages_helper.php 3 months ago params_helper.php 3 months ago payments_helper.php 3 months ago price_breakdown_helper.php 3 months ago process_jobs_helper.php 3 months ago processes_helper.php 3 months ago replacer_helper.php 3 months ago resource_helper.php 3 months ago roles_helper.php 3 months ago router_helper.php 3 months ago service_helper.php 3 months ago sessions_helper.php 3 months ago settings_helper.php 3 months ago short_links_systems_helper.php 3 months ago shortcodes_helper.php 3 months ago sms_helper.php 3 months ago steps_helper.php 3 months ago stripe_connect_helper.php 3 months ago styles_helper.php 3 months ago support_topics_helper.php 3 months ago time_helper.php 3 months ago timeline_helper.php 3 months ago transaction_helper.php 3 months ago transaction_intent_helper.php 3 months ago util_helper.php 3 months ago version_specific_updates_helper.php 3 months ago whatsapp_helper.php 3 months ago work_periods_helper.php 3 months ago wp_datetime.php 3 months ago wp_user_helper.php 3 months ago
sessions_helper.php
122 lines
1 <?php
2
3 class OsSessionsHelper {
4
5 private static $logged_in_customer_id = false;
6
7 public static function setcookie( $name, $value, $expire = 0, $secure = false, $httponly = false ) {
8 if ( ! headers_sent() ) {
9 setcookie( $name, $value, $expire, COOKIEPATH ? COOKIEPATH : '/', COOKIE_DOMAIN, $secure, $httponly );
10 } elseif ( class_exists( 'Constants' ) && Constants::is_true( 'WP_DEBUG' ) ) {
11 headers_sent( $file, $line );
12 trigger_error( "{$name} cookie cannot be set - headers already sent by {$file} on line {$line}", E_USER_NOTICE ); // @codingStandardsIgnoreLine
13 }
14 }
15
16 public static function get_customer_session_cookie() {
17 if ( isset( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] ) ) {
18 return sanitize_text_field( wp_unslash( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] ) );
19 } else {
20 return false;
21 }
22 }
23
24 /**
25 * Generate secure, per-customer session token
26 *
27 * Uses WordPress auth salts + customer ID + installation seed for unique tokens
28 * Prevents session forgery by ensuring each customer has unpredictable token
29 *
30 * @since 5.1.0 Security fix for hardcoded session token
31 * @param int $customer_id Customer ID
32 * @return string Cryptographically secure token
33 */
34 public static function get_customer_token( $customer_id ) {
35 // Validate customer_id (prevent injection)
36 $customer_id = absint( $customer_id );
37
38 if ( ! $customer_id ) {
39 return ''; // Fail safely for invalid IDs
40 }
41
42 return wp_hash( 'latepoint|' . $customer_id );
43 }
44
45 public static function set_customer_session_cookie( $session, $expiration, $token ) {
46 $to_hash = $session->id . '|' . $session->hash . '|' . $expiration . '|' . $token;
47 // If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
48 $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
49 $cookie_hash = hash_hmac( $algo, $to_hash, wp_hash( $to_hash ) );
50 $cookie_value = $session->id . '||' . $expiration . '||' . $cookie_hash;
51
52 if ( ! isset( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] ) || $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] !== $cookie_value ) {
53 self::setcookie( LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE, $cookie_value );
54 }
55 }
56
57 public static function get_customer_id_from_session() {
58 if ( self::$logged_in_customer_id ) {
59 return self::$logged_in_customer_id;
60 }
61 $cookie = self::get_customer_session_cookie();
62 if ( ! $cookie ) {
63 return false;
64 }
65 list($session_id, $expiration, $cookie_hash) = explode( '||', $cookie );
66 if ( ! isset( $session_id ) || ! is_numeric( $session_id ) || ! isset( $expiration ) || ! isset( $cookie_hash ) ) {
67 return false;
68 }
69 $session = new OsSessionModel( $session_id );
70 if ( ! $session ) {
71 return false;
72 }
73
74 $token = self::get_customer_token( $session->session_key );
75
76 $to_hash = $session->id . '|' . $session->hash . '|' . $expiration . '|' . $token;
77
78 $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
79 $control_hash = hash_hmac( $algo, $to_hash, wp_hash( $to_hash ) );
80 // check if the cookie was altered by malicious user
81 if ( ! hash_equals( $control_hash, $cookie_hash ) ) {
82 OsAuthHelper::logout_customer();
83 self::destroy_customer_session_cookie();
84 return false;
85 } else {
86 self::$logged_in_customer_id = $session->session_key;
87 return self::$logged_in_customer_id;
88 }
89 }
90
91 public static function start_or_use_session_for_customer( $customer_id ) {
92 // find existing session for the customer
93 $session_model = new OsSessionModel();
94 $session = $session_model->where( [ 'session_key' => $customer_id ] )->set_limit( 1 )->get_results_as_models();
95 $token = self::get_customer_token( $customer_id );
96 if ( $session ) {
97 // expired session, renew
98 if ( $session->expiration < time() ) {
99 $session->expiration = time() + 2 * DAY_IN_SECONDS;
100 $session->save();
101 }
102 } else {
103 $session = new OsSessionModel();
104 $session->session_key = $customer_id;
105 $session->expiration = time() + 2 * DAY_IN_SECONDS;
106 $session->session_value = maybe_serialize( [] );
107 $session->hash = wp_generate_password( 20, false, false );
108 $session->save();
109 }
110 self::set_customer_session_cookie( $session, $session->expiration, $token );
111 self::$logged_in_customer_id = $customer_id;
112 }
113
114 public static function destroy_customer_session_cookie() {
115 self::$logged_in_customer_id = false;
116 if ( isset( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] ) ) {
117 unset( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] );
118 setcookie( LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE, '', time() - 3600, COOKIEPATH ? COOKIEPATH : '/', COOKIE_DOMAIN );
119 }
120 }
121 }
122