PluginProbe ʕ •ᴥ•ʔ
LatePoint – Calendar Booking Plugin for Appointments and Events / trunk
LatePoint – Calendar Booking Plugin for Appointments and Events vtrunk
5.6.7 5.6.6 5.6.5 5.6.4 5.6.3 5.6.2 5.6.1 5.6.0 5.5.2 5.5.1 5.5.0 5.4.2 trunk 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.1.8 5.1.9 5.1.91 5.1.92 5.1.93 5.1.94 5.2.0 5.2.1 5.2.10 5.2.11 5.2.2 5.2.3 5.2.4 5.2.5 5.2.6 5.2.7 5.2.8 5.2.9 5.3.0 5.3.1 5.3.2 5.4.0 5.4.1
latepoint / lib / helpers / sessions_helper.php
latepoint / lib / helpers Last commit date
activities_helper.php 3 months ago agent_helper.php 3 months ago analytics_helper.php 1 week ago auth_helper.php 6 days ago blocks_helper.php 3 weeks ago booking_helper.php 4 days ago bricks_helper.php 3 months ago bundles_helper.php 4 days ago calendar_helper.php 3 days ago carts_helper.php 3 months ago connector_helper.php 3 months ago csv_helper.php 3 months ago customer_helper.php 1 month ago customer_import_helper.php 1 month ago database_helper.php 1 week ago debug_helper.php 3 months ago defaults_helper.php 3 months ago elementor_helper.php 3 months ago email_helper.php 3 months ago encrypt_helper.php 3 months ago events_helper.php 3 months ago form_helper.php 3 months ago icalendar_helper.php 3 months ago image_helper.php 3 months ago invoices_helper.php 3 weeks ago license_helper.php 3 months ago location_helper.php 3 months ago marketing_systems_helper.php 3 months ago meeting_systems_helper.php 3 months ago menu_helper.php 3 weeks ago meta_helper.php 3 months ago migrations_helper.php 3 months ago money_helper.php 3 months ago notifications_helper.php 3 months ago nps_survey_helper.php 3 months ago order_intent_helper.php 2 months ago orders_helper.php 16 hours ago otp_helper.php 3 months ago pages_helper.php 3 months ago params_helper.php 3 months ago payments_helper.php 16 hours ago plugin_version_update_helper.php 2 months ago price_breakdown_helper.php 3 months ago process_jobs_helper.php 3 months ago processes_helper.php 3 months ago razorpay_connect_helper.php 1 week ago replacer_helper.php 3 months ago resource_helper.php 4 days ago roles_helper.php 3 weeks ago router_helper.php 3 months ago service_helper.php 3 months ago sessions_helper.php 3 months ago settings_helper.php 1 week ago short_links_systems_helper.php 3 months ago shortcodes_helper.php 3 weeks ago sms_helper.php 3 months ago steps_helper.php 16 hours ago stripe_connect_helper.php 1 week ago styles_helper.php 3 months ago support_topics_helper.php 3 months ago time_helper.php 2 months ago timeline_helper.php 2 months ago transaction_helper.php 1 month ago transaction_intent_helper.php 3 months ago util_helper.php 1 month ago version_specific_updates_helper.php 3 months ago whatsapp_helper.php 1 month ago work_periods_helper.php 3 months ago wp_datetime.php 3 months ago wp_user_helper.php 3 months ago
sessions_helper.php
122 lines
1 <?php
2
3 class OsSessionsHelper {
4
5 private static $logged_in_customer_id = false;
6
7 public static function setcookie( $name, $value, $expire = 0, $secure = false, $httponly = false ) {
8 if ( ! headers_sent() ) {
9 setcookie( $name, $value, $expire, COOKIEPATH ? COOKIEPATH : '/', COOKIE_DOMAIN, $secure, $httponly );
10 } elseif ( class_exists( 'Constants' ) && Constants::is_true( 'WP_DEBUG' ) ) {
11 headers_sent( $file, $line );
12 trigger_error( "{$name} cookie cannot be set - headers already sent by {$file} on line {$line}", E_USER_NOTICE ); // @codingStandardsIgnoreLine
13 }
14 }
15
16 public static function get_customer_session_cookie() {
17 if ( isset( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] ) ) {
18 return sanitize_text_field( wp_unslash( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] ) );
19 } else {
20 return false;
21 }
22 }
23
24 /**
25 * Generate secure, per-customer session token
26 *
27 * Uses WordPress auth salts + customer ID + installation seed for unique tokens
28 * Prevents session forgery by ensuring each customer has unpredictable token
29 *
30 * @since 5.1.0 Security fix for hardcoded session token
31 * @param int $customer_id Customer ID
32 * @return string Cryptographically secure token
33 */
34 public static function get_customer_token( $customer_id ) {
35 // Validate customer_id (prevent injection)
36 $customer_id = absint( $customer_id );
37
38 if ( ! $customer_id ) {
39 return ''; // Fail safely for invalid IDs
40 }
41
42 return wp_hash( 'latepoint|' . $customer_id );
43 }
44
45 public static function set_customer_session_cookie( $session, $expiration, $token ) {
46 $to_hash = $session->id . '|' . $session->hash . '|' . $expiration . '|' . $token;
47 // If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
48 $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
49 $cookie_hash = hash_hmac( $algo, $to_hash, wp_hash( $to_hash ) );
50 $cookie_value = $session->id . '||' . $expiration . '||' . $cookie_hash;
51
52 if ( ! isset( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] ) || $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] !== $cookie_value ) {
53 self::setcookie( LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE, $cookie_value );
54 }
55 }
56
57 public static function get_customer_id_from_session() {
58 if ( self::$logged_in_customer_id ) {
59 return self::$logged_in_customer_id;
60 }
61 $cookie = self::get_customer_session_cookie();
62 if ( ! $cookie ) {
63 return false;
64 }
65 list($session_id, $expiration, $cookie_hash) = explode( '||', $cookie );
66 if ( ! isset( $session_id ) || ! is_numeric( $session_id ) || ! isset( $expiration ) || ! isset( $cookie_hash ) ) {
67 return false;
68 }
69 $session = new OsSessionModel( $session_id );
70 if ( ! $session ) {
71 return false;
72 }
73
74 $token = self::get_customer_token( $session->session_key );
75
76 $to_hash = $session->id . '|' . $session->hash . '|' . $expiration . '|' . $token;
77
78 $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
79 $control_hash = hash_hmac( $algo, $to_hash, wp_hash( $to_hash ) );
80 // check if the cookie was altered by malicious user
81 if ( ! hash_equals( $control_hash, $cookie_hash ) ) {
82 OsAuthHelper::logout_customer();
83 self::destroy_customer_session_cookie();
84 return false;
85 } else {
86 self::$logged_in_customer_id = $session->session_key;
87 return self::$logged_in_customer_id;
88 }
89 }
90
91 public static function start_or_use_session_for_customer( $customer_id ) {
92 // find existing session for the customer
93 $session_model = new OsSessionModel();
94 $session = $session_model->where( [ 'session_key' => $customer_id ] )->set_limit( 1 )->get_results_as_models();
95 $token = self::get_customer_token( $customer_id );
96 if ( $session ) {
97 // expired session, renew
98 if ( $session->expiration < time() ) {
99 $session->expiration = time() + 2 * DAY_IN_SECONDS;
100 $session->save();
101 }
102 } else {
103 $session = new OsSessionModel();
104 $session->session_key = $customer_id;
105 $session->expiration = time() + 2 * DAY_IN_SECONDS;
106 $session->session_value = maybe_serialize( [] );
107 $session->hash = wp_generate_password( 20, false, false );
108 $session->save();
109 }
110 self::set_customer_session_cookie( $session, $session->expiration, $token );
111 self::$logged_in_customer_id = $customer_id;
112 }
113
114 public static function destroy_customer_session_cookie() {
115 self::$logged_in_customer_id = false;
116 if ( isset( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] ) ) {
117 unset( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] );
118 setcookie( LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE, '', time() - 3600, COOKIEPATH ? COOKIEPATH : '/', COOKIE_DOMAIN );
119 }
120 }
121 }
122