activities_helper.php
3 months ago
agent_helper.php
3 months ago
analytics_helper.php
4 months ago
auth_helper.php
3 months ago
blocks_helper.php
3 months ago
booking_helper.php
3 months ago
bricks_helper.php
3 months ago
bundles_helper.php
3 months ago
calendar_helper.php
3 months ago
carts_helper.php
3 months ago
connector_helper.php
3 months ago
csv_helper.php
3 months ago
customer_helper.php
3 months ago
customer_import_helper.php
3 months ago
database_helper.php
3 months ago
debug_helper.php
3 months ago
defaults_helper.php
3 months ago
elementor_helper.php
3 months ago
email_helper.php
3 months ago
encrypt_helper.php
3 months ago
events_helper.php
3 months ago
form_helper.php
3 months ago
icalendar_helper.php
3 months ago
image_helper.php
3 months ago
invoices_helper.php
3 months ago
license_helper.php
3 months ago
location_helper.php
3 months ago
marketing_systems_helper.php
3 months ago
meeting_systems_helper.php
3 months ago
menu_helper.php
3 months ago
meta_helper.php
3 months ago
migrations_helper.php
3 months ago
money_helper.php
3 months ago
notifications_helper.php
3 months ago
nps_survey_helper.php
3 months ago
order_intent_helper.php
3 months ago
orders_helper.php
3 months ago
otp_helper.php
3 months ago
pages_helper.php
3 months ago
params_helper.php
3 months ago
payments_helper.php
3 months ago
price_breakdown_helper.php
3 months ago
process_jobs_helper.php
3 months ago
processes_helper.php
3 months ago
replacer_helper.php
3 months ago
resource_helper.php
3 months ago
roles_helper.php
3 months ago
router_helper.php
3 months ago
service_helper.php
3 months ago
sessions_helper.php
3 months ago
settings_helper.php
3 months ago
short_links_systems_helper.php
3 months ago
shortcodes_helper.php
3 months ago
sms_helper.php
3 months ago
steps_helper.php
3 months ago
stripe_connect_helper.php
3 months ago
styles_helper.php
3 months ago
support_topics_helper.php
3 months ago
time_helper.php
3 months ago
timeline_helper.php
3 months ago
transaction_helper.php
3 months ago
transaction_intent_helper.php
3 months ago
util_helper.php
3 months ago
version_specific_updates_helper.php
3 months ago
whatsapp_helper.php
3 months ago
work_periods_helper.php
3 months ago
wp_datetime.php
3 months ago
wp_user_helper.php
3 months ago
sessions_helper.php
122 lines
| 1 | <?php |
| 2 | |
| 3 | class OsSessionsHelper { |
| 4 | |
| 5 | private static $logged_in_customer_id = false; |
| 6 | |
| 7 | public static function setcookie( $name, $value, $expire = 0, $secure = false, $httponly = false ) { |
| 8 | if ( ! headers_sent() ) { |
| 9 | setcookie( $name, $value, $expire, COOKIEPATH ? COOKIEPATH : '/', COOKIE_DOMAIN, $secure, $httponly ); |
| 10 | } elseif ( class_exists( 'Constants' ) && Constants::is_true( 'WP_DEBUG' ) ) { |
| 11 | headers_sent( $file, $line ); |
| 12 | trigger_error( "{$name} cookie cannot be set - headers already sent by {$file} on line {$line}", E_USER_NOTICE ); // @codingStandardsIgnoreLine |
| 13 | } |
| 14 | } |
| 15 | |
| 16 | public static function get_customer_session_cookie() { |
| 17 | if ( isset( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] ) ) { |
| 18 | return sanitize_text_field( wp_unslash( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] ) ); |
| 19 | } else { |
| 20 | return false; |
| 21 | } |
| 22 | } |
| 23 | |
| 24 | /** |
| 25 | * Generate secure, per-customer session token |
| 26 | * |
| 27 | * Uses WordPress auth salts + customer ID + installation seed for unique tokens |
| 28 | * Prevents session forgery by ensuring each customer has unpredictable token |
| 29 | * |
| 30 | * @since 5.1.0 Security fix for hardcoded session token |
| 31 | * @param int $customer_id Customer ID |
| 32 | * @return string Cryptographically secure token |
| 33 | */ |
| 34 | public static function get_customer_token( $customer_id ) { |
| 35 | // Validate customer_id (prevent injection) |
| 36 | $customer_id = absint( $customer_id ); |
| 37 | |
| 38 | if ( ! $customer_id ) { |
| 39 | return ''; // Fail safely for invalid IDs |
| 40 | } |
| 41 | |
| 42 | return wp_hash( 'latepoint|' . $customer_id ); |
| 43 | } |
| 44 | |
| 45 | public static function set_customer_session_cookie( $session, $expiration, $token ) { |
| 46 | $to_hash = $session->id . '|' . $session->hash . '|' . $expiration . '|' . $token; |
| 47 | // If ext/hash is not present, compat.php's hash_hmac() does not support sha256. |
| 48 | $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1'; |
| 49 | $cookie_hash = hash_hmac( $algo, $to_hash, wp_hash( $to_hash ) ); |
| 50 | $cookie_value = $session->id . '||' . $expiration . '||' . $cookie_hash; |
| 51 | |
| 52 | if ( ! isset( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] ) || $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] !== $cookie_value ) { |
| 53 | self::setcookie( LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE, $cookie_value ); |
| 54 | } |
| 55 | } |
| 56 | |
| 57 | public static function get_customer_id_from_session() { |
| 58 | if ( self::$logged_in_customer_id ) { |
| 59 | return self::$logged_in_customer_id; |
| 60 | } |
| 61 | $cookie = self::get_customer_session_cookie(); |
| 62 | if ( ! $cookie ) { |
| 63 | return false; |
| 64 | } |
| 65 | list($session_id, $expiration, $cookie_hash) = explode( '||', $cookie ); |
| 66 | if ( ! isset( $session_id ) || ! is_numeric( $session_id ) || ! isset( $expiration ) || ! isset( $cookie_hash ) ) { |
| 67 | return false; |
| 68 | } |
| 69 | $session = new OsSessionModel( $session_id ); |
| 70 | if ( ! $session ) { |
| 71 | return false; |
| 72 | } |
| 73 | |
| 74 | $token = self::get_customer_token( $session->session_key ); |
| 75 | |
| 76 | $to_hash = $session->id . '|' . $session->hash . '|' . $expiration . '|' . $token; |
| 77 | |
| 78 | $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1'; |
| 79 | $control_hash = hash_hmac( $algo, $to_hash, wp_hash( $to_hash ) ); |
| 80 | // check if the cookie was altered by malicious user |
| 81 | if ( ! hash_equals( $control_hash, $cookie_hash ) ) { |
| 82 | OsAuthHelper::logout_customer(); |
| 83 | self::destroy_customer_session_cookie(); |
| 84 | return false; |
| 85 | } else { |
| 86 | self::$logged_in_customer_id = $session->session_key; |
| 87 | return self::$logged_in_customer_id; |
| 88 | } |
| 89 | } |
| 90 | |
| 91 | public static function start_or_use_session_for_customer( $customer_id ) { |
| 92 | // find existing session for the customer |
| 93 | $session_model = new OsSessionModel(); |
| 94 | $session = $session_model->where( [ 'session_key' => $customer_id ] )->set_limit( 1 )->get_results_as_models(); |
| 95 | $token = self::get_customer_token( $customer_id ); |
| 96 | if ( $session ) { |
| 97 | // expired session, renew |
| 98 | if ( $session->expiration < time() ) { |
| 99 | $session->expiration = time() + 2 * DAY_IN_SECONDS; |
| 100 | $session->save(); |
| 101 | } |
| 102 | } else { |
| 103 | $session = new OsSessionModel(); |
| 104 | $session->session_key = $customer_id; |
| 105 | $session->expiration = time() + 2 * DAY_IN_SECONDS; |
| 106 | $session->session_value = maybe_serialize( [] ); |
| 107 | $session->hash = wp_generate_password( 20, false, false ); |
| 108 | $session->save(); |
| 109 | } |
| 110 | self::set_customer_session_cookie( $session, $session->expiration, $token ); |
| 111 | self::$logged_in_customer_id = $customer_id; |
| 112 | } |
| 113 | |
| 114 | public static function destroy_customer_session_cookie() { |
| 115 | self::$logged_in_customer_id = false; |
| 116 | if ( isset( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] ) ) { |
| 117 | unset( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] ); |
| 118 | setcookie( LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE, '', time() - 3600, COOKIEPATH ? COOKIEPATH : '/', COOKIE_DOMAIN ); |
| 119 | } |
| 120 | } |
| 121 | } |
| 122 |