PluginProbe ʕ •ᴥ•ʔ
Matomo Analytics – Powerful, Privacy-First Insights for WordPress / 1.3.1
Matomo Analytics – Powerful, Privacy-First Insights for WordPress v1.3.1
5.11.1 5.11.0 5.10.2 5.10.1 trunk 1.0.2 1.0.3 1.0.4 1.0.5 1.0.6 1.1.0 1.1.1 1.1.2 1.1.3 1.2.0 1.3.0 1.3.1 1.3.2 4.0.0 4.0.1 4.0.2 4.0.3 4.0.4 4.1.0 4.1.1 4.1.2 4.1.3 4.10.0 4.11.0 4.12.0 4.13.0 4.13.2 4.13.3 4.13.4 4.13.5 4.14.0 4.14.1 4.14.2 4.15.0 4.15.1 4.15.2 4.15.3 4.2.0 4.3.0 4.3.1 4.4.1 4.4.2 4.5.0 4.6.0 5.0.1 5.0.2 5.0.3 5.0.4 5.0.5 5.0.6 5.0.7 5.0.8 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.10.0 5.2.0 5.2.1 5.2.2 5.3.0 5.3.1 5.3.2 5.3.3 5.6.0 5.6.1 5.7.0 5.7.1 5.8.0 5.8.1 5.8.2
matomo / app / core / Session.php
matomo / app / core Last commit date
API 6 years ago Access 6 years ago Application 6 years ago Archive 6 years ago ArchiveProcessor 6 years ago Archiver 6 years ago AssetManager 6 years ago Auth 6 years ago Category 6 years ago CliMulti 6 years ago Columns 6 years ago Composer 6 years ago Concurrency 6 years ago Config 6 years ago Container 6 years ago CronArchive 6 years ago DataAccess 5 years ago DataFiles 6 years ago DataTable 6 years ago Db 6 years ago DeviceDetector 5 years ago Email 6 years ago Exception 6 years ago Http 6 years ago Intl 6 years ago Mail 6 years ago Measurable 6 years ago Menu 6 years ago Metrics 6 years ago Notification 6 years ago Period 6 years ago Plugin 6 years ago ProfessionalServices 6 years ago Report 6 years ago ReportRenderer 6 years ago Scheduler 6 years ago Segment 6 years ago Session 6 years ago Settings 6 years ago Tracker 5 years ago Translation 6 years ago UpdateCheck 6 years ago Updater 6 years ago Updates 6 years ago Validators 6 years ago View 6 years ago ViewDataTable 6 years ago Visualization 6 years ago Widget 6 years ago .htaccess 6 years ago Access.php 6 years ago Archive.php 6 years ago ArchiveProcessor.php 6 years ago AssetManager.php 6 years ago Auth.php 6 years ago BaseFactory.php 6 years ago Cache.php 6 years ago CacheId.php 6 years ago CliMulti.php 6 years ago Common.php 6 years ago Config.php 6 years ago Console.php 6 years ago Context.php 6 years ago Cookie.php 5 years ago CronArchive.php 5 years ago DataArray.php 6 years ago DataTable.php 6 years ago Date.php 6 years ago Db.php 6 years ago DbHelper.php 6 years ago Development.php 6 years ago DeviceDetectorFactory.php 6 years ago ErrorHandler.php 6 years ago EventDispatcher.php 6 years ago ExceptionHandler.php 6 years ago FileIntegrity.php 6 years ago Filechecks.php 6 years ago Filesystem.php 6 years ago FrontController.php 6 years ago Http.php 6 years ago IP.php 6 years ago Log.php 6 years ago LogDeleter.php 6 years ago Mail.php 6 years ago Metrics.php 6 years ago MetricsFormatter.php 6 years ago Nonce.php 5 years ago Notification.php 6 years ago NumberFormatter.php 6 years ago Option.php 5 years ago Period.php 6 years ago Piwik.php 6 years ago Plugin.php 6 years ago Profiler.php 6 years ago ProxyHeaders.php 6 years ago ProxyHttp.php 6 years ago QuickForm2.php 6 years ago RankingQuery.php 6 years ago Registry.php 6 years ago ReportRenderer.php 6 years ago ScheduledTask.php 6 years ago Segment.php 6 years ago Sequence.php 6 years ago Session.php 6 years ago SettingsPiwik.php 6 years ago SettingsServer.php 6 years ago Singleton.php 6 years ago Site.php 6 years ago TCPDF.php 6 years ago TaskScheduler.php 6 years ago Theme.php 6 years ago Timer.php 6 years ago Tracker.php 6 years ago Translate.php 6 years ago Twig.php 6 years ago Unzip.php 6 years ago UpdateCheck.php 6 years ago Updater.php 6 years ago Updates.php 6 years ago Url.php 6 years ago UrlHelper.php 6 years ago Version.php 5 years ago View.php 6 years ago bootstrap.php 6 years ago dispatch.php 6 years ago testMinimumPhpVersion.php 6 years ago
Session.php
247 lines
1 <?php
2 /**
3 * Piwik - free/libre analytics platform
4 *
5 * @link https://matomo.org
6 * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
7 *
8 */
9 namespace Piwik;
10
11 use Exception;
12 use Piwik\Container\StaticContainer;
13 use Piwik\Exception\MissingFilePermissionException;
14 use Piwik\Session\SaveHandler\DbTable;
15 use Psr\Log\LoggerInterface;
16 use Zend_Session;
17
18 /**
19 * Session initialization.
20 */
21 class Session extends Zend_Session
22 {
23 const SESSION_NAME = 'MATOMO_SESSID';
24
25 public static $sessionName = self::SESSION_NAME;
26
27 protected static $sessionStarted = false;
28
29 /**
30 * Are we using file-based session store?
31 *
32 * @return bool True if file-based; false otherwise
33 */
34 public static function isSessionHandler($handler)
35 {
36 $config = Config::getInstance();
37 return !isset($config->General['session_save_handler'])
38 || $config->General['session_save_handler'] === $handler;
39 }
40
41 /**
42 * Start the session
43 *
44 * @param array|bool $options An array of configuration options; the auto-start (bool) setting is ignored
45 * @return void
46 * @throws Exception if starting a session fails
47 */
48 public static function start($options = false)
49 {
50 if (headers_sent()
51 || self::$sessionStarted
52 || (defined('PIWIK_ENABLE_SESSION_START') && !PIWIK_ENABLE_SESSION_START)
53 || session_status() == PHP_SESSION_ACTIVE
54 ) {
55 return;
56 }
57 self::$sessionStarted = true;
58
59 if (defined('PIWIK_SESSION_NAME')) {
60 self::$sessionName = PIWIK_SESSION_NAME;
61 }
62
63 $config = Config::getInstance();
64
65 // use cookies to store session id on the client side
66 @ini_set('session.use_cookies', '1');
67
68 // prevent attacks involving session ids passed in URLs
69 @ini_set('session.use_only_cookies', '1');
70
71 // advise browser that session cookie should only be sent over secure connection
72 if (ProxyHttp::isHttps()) {
73 @ini_set('session.cookie_secure', '1');
74 }
75
76 // advise browser that session cookie should only be accessible through the HTTP protocol (i.e., not JavaScript)
77 @ini_set('session.cookie_httponly', '1');
78
79 // don't use the default: PHPSESSID
80 @ini_set('session.name', self::$sessionName);
81
82 // proxies may cause the referer check to fail and
83 // incorrectly invalidate the session
84 @ini_set('session.referer_check', '');
85
86 // to preserve previous behavior piwik_auth provided when it contained a token_auth, we ensure
87 // the session data won't be deleted until the cookie expires.
88 @ini_set('session.gc_maxlifetime', $config->General['login_cookie_expire']);
89
90 @ini_set('session.cookie_path', empty($config->General['login_cookie_path']) ? '/' : $config->General['login_cookie_path']);
91
92 $currentSaveHandler = ini_get('session.save_handler');
93
94 if (!SettingsPiwik::isPiwikInstalled()) {
95 // Note: this handler doesn't work well in load-balanced environments and may have a concurrency issue with locked session files
96
97 // for "files", use our own folder to prevent local session file hijacking
98 $sessionPath = self::getSessionsDirectory();
99 // We always call mkdir since it also chmods the directory which might help when permissions were reverted for some reasons
100 Filesystem::mkdir($sessionPath);
101
102 @ini_set('session.save_handler', 'files');
103 @ini_set('session.save_path', $sessionPath);
104 } elseif (self::isSessionHandler('dbtable')
105 || self::isSessionHandler('files')
106 || in_array($currentSaveHandler, array('user', 'mm'))
107 ) {
108 // as of Matomo 3.7.0 we only support files session handler during installation
109
110 // We consider these to be misconfigurations, in that:
111 // - user - we can't verify that user-defined session handler functions have already been set via session_set_save_handler()
112 // - mm - this handler is not recommended, unsupported, not available for Windows, and has a potential concurrency issue
113
114 if (@ini_get('session.serialize_handler') !== 'php_serialize') {
115 @ini_set('session.serialize_handler', 'php_serialize');
116 }
117
118 $config = array(
119 'name' => Common::prefixTable(DbTable::TABLE_NAME),
120 'primary' => 'id',
121 'modifiedColumn' => 'modified',
122 'dataColumn' => 'data',
123 'lifetimeColumn' => 'lifetime',
124 );
125
126 $saveHandler = new DbTable($config);
127 if ($saveHandler) {
128 self::setSaveHandler($saveHandler);
129 }
130 }
131
132 // garbage collection may disabled by default (e.g., Debian)
133 if (ini_get('session.gc_probability') == 0) {
134 @ini_set('session.gc_probability', 1);
135 }
136
137 try {
138 parent::start();
139 register_shutdown_function(array('Zend_Session', 'writeClose'), true);
140 } catch (Exception $e) {
141 StaticContainer::get(LoggerInterface::class)->error('Unable to start session: {exception}', [
142 'exception' => $e,
143 'ignoreInScreenWriter' => true,
144 ]);
145
146 if (SettingsPiwik::isPiwikInstalled()) {
147 $pathToSessions = '';
148 } else {
149 $pathToSessions = Filechecks::getErrorMessageMissingPermissions(self::getSessionsDirectory());
150 }
151
152 $message = sprintf("Error: %s %s\n<pre>Debug: the original error was \n%s</pre>",
153 Piwik::translate('General_ExceptionUnableToStartSession'),
154 $pathToSessions,
155 $e->getMessage()
156 );
157
158 $ex = new MissingFilePermissionException($message, $e->getCode(), $e);
159 $ex->setIsHtmlMessage();
160
161 throw $ex;
162 }
163 }
164
165 /**
166 * Returns the directory session files are stored in.
167 *
168 * @return string
169 */
170 public static function getSessionsDirectory()
171 {
172 return StaticContainer::get('path.tmp') . '/sessions';
173 }
174
175 public static function close()
176 {
177 if (self::isSessionStarted()) {
178 // only write/close session if the session was actually started by us
179 // otherwise we will set the session values to base64 encoded and whoever the session started might not expect the values in that way
180 parent::writeClose();
181 }
182 }
183
184 public static function isSessionStarted()
185 {
186 return self::$sessionStarted;
187 }
188
189 public static function getSameSiteCookieValue()
190 {
191 $config = Config::getInstance();
192 $general = $config->General;
193
194 $module = Piwik::getModule();
195 $action = Piwik::getAction();
196
197 $isOptOutRequest = $module == 'CoreAdminHome' && $action == 'optOut';
198 $isOverlay = $module == 'Overlay';
199 $shouldUseNone = !empty($general['enable_framed_pages']) || $isOptOutRequest || $isOverlay;
200
201 if ($shouldUseNone && ProxyHttp::isHttps()) {
202 return 'None';
203 }
204
205 return 'Lax';
206 }
207
208 /**
209 * Write cookie header. Similar to the native setcookie() function but also supports
210 * the SameSite cookie property.
211 * @param $name
212 * @param $value
213 * @param int $expires
214 * @param string $path
215 * @param string $domain
216 * @param bool $secure
217 * @param bool $httpOnly
218 * @param string $sameSite
219 * @return string
220 */
221 public static function writeCookie($name, $value, $expires = 0, $path = '/', $domain = '/', $secure = false, $httpOnly = false, $sameSite = 'lax')
222 {
223 $headerStr = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value);
224 if ($expires) {
225 $headerStr .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT';
226 }
227 if ($path) {
228 $headerStr .= '; path=' . $path;
229 }
230 if ($domain) {
231 $headerStr .= '; domain=' . rawurlencode($domain);
232 }
233 if ($secure) {
234 $headerStr .= '; secure';
235 }
236 if ($httpOnly) {
237 $headerStr .= '; httponly';
238 }
239 if ($sameSite) {
240 $headerStr .= '; SameSite=' . $sameSite;
241 }
242
243 Common::sendHeader($headerStr);
244 return $headerStr;
245 }
246 }
247