API
6 years ago
Access
6 years ago
Application
6 years ago
Archive
6 years ago
ArchiveProcessor
6 years ago
Archiver
6 years ago
AssetManager
6 years ago
Auth
6 years ago
Category
6 years ago
CliMulti
6 years ago
Columns
6 years ago
Composer
6 years ago
Concurrency
6 years ago
Config
6 years ago
Container
6 years ago
CronArchive
6 years ago
DataAccess
5 years ago
DataFiles
6 years ago
DataTable
6 years ago
Db
6 years ago
DeviceDetector
5 years ago
Email
6 years ago
Exception
6 years ago
Http
6 years ago
Intl
6 years ago
Mail
6 years ago
Measurable
6 years ago
Menu
6 years ago
Metrics
6 years ago
Notification
6 years ago
Period
6 years ago
Plugin
6 years ago
ProfessionalServices
6 years ago
Report
6 years ago
ReportRenderer
6 years ago
Scheduler
6 years ago
Segment
6 years ago
Session
6 years ago
Settings
6 years ago
Tracker
5 years ago
Translation
6 years ago
UpdateCheck
6 years ago
Updater
6 years ago
Updates
6 years ago
Validators
6 years ago
View
6 years ago
ViewDataTable
6 years ago
Visualization
6 years ago
Widget
6 years ago
.htaccess
6 years ago
Access.php
6 years ago
Archive.php
6 years ago
ArchiveProcessor.php
6 years ago
AssetManager.php
6 years ago
Auth.php
6 years ago
BaseFactory.php
6 years ago
Cache.php
6 years ago
CacheId.php
6 years ago
CliMulti.php
6 years ago
Common.php
6 years ago
Config.php
6 years ago
Console.php
6 years ago
Context.php
6 years ago
Cookie.php
5 years ago
CronArchive.php
5 years ago
DataArray.php
6 years ago
DataTable.php
6 years ago
Date.php
6 years ago
Db.php
6 years ago
DbHelper.php
6 years ago
Development.php
6 years ago
DeviceDetectorFactory.php
6 years ago
ErrorHandler.php
6 years ago
EventDispatcher.php
6 years ago
ExceptionHandler.php
6 years ago
FileIntegrity.php
6 years ago
Filechecks.php
6 years ago
Filesystem.php
6 years ago
FrontController.php
6 years ago
Http.php
6 years ago
IP.php
6 years ago
Log.php
6 years ago
LogDeleter.php
6 years ago
Mail.php
6 years ago
Metrics.php
6 years ago
MetricsFormatter.php
6 years ago
Nonce.php
5 years ago
Notification.php
6 years ago
NumberFormatter.php
6 years ago
Option.php
5 years ago
Period.php
6 years ago
Piwik.php
6 years ago
Plugin.php
6 years ago
Profiler.php
6 years ago
ProxyHeaders.php
6 years ago
ProxyHttp.php
6 years ago
QuickForm2.php
6 years ago
RankingQuery.php
6 years ago
Registry.php
6 years ago
ReportRenderer.php
6 years ago
ScheduledTask.php
6 years ago
Segment.php
6 years ago
Sequence.php
6 years ago
Session.php
6 years ago
SettingsPiwik.php
6 years ago
SettingsServer.php
6 years ago
Singleton.php
6 years ago
Site.php
6 years ago
TCPDF.php
6 years ago
TaskScheduler.php
6 years ago
Theme.php
6 years ago
Timer.php
6 years ago
Tracker.php
6 years ago
Translate.php
6 years ago
Twig.php
6 years ago
Unzip.php
6 years ago
UpdateCheck.php
6 years ago
Updater.php
6 years ago
Updates.php
6 years ago
Url.php
6 years ago
UrlHelper.php
6 years ago
Version.php
5 years ago
View.php
6 years ago
bootstrap.php
6 years ago
dispatch.php
6 years ago
testMinimumPhpVersion.php
6 years ago
Session.php
247 lines
| 1 | <?php |
| 2 | /** |
| 3 | * Piwik - free/libre analytics platform |
| 4 | * |
| 5 | * @link https://matomo.org |
| 6 | * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later |
| 7 | * |
| 8 | */ |
| 9 | namespace Piwik; |
| 10 | |
| 11 | use Exception; |
| 12 | use Piwik\Container\StaticContainer; |
| 13 | use Piwik\Exception\MissingFilePermissionException; |
| 14 | use Piwik\Session\SaveHandler\DbTable; |
| 15 | use Psr\Log\LoggerInterface; |
| 16 | use Zend_Session; |
| 17 | |
| 18 | /** |
| 19 | * Session initialization. |
| 20 | */ |
| 21 | class Session extends Zend_Session |
| 22 | { |
| 23 | const SESSION_NAME = 'MATOMO_SESSID'; |
| 24 | |
| 25 | public static $sessionName = self::SESSION_NAME; |
| 26 | |
| 27 | protected static $sessionStarted = false; |
| 28 | |
| 29 | /** |
| 30 | * Are we using file-based session store? |
| 31 | * |
| 32 | * @return bool True if file-based; false otherwise |
| 33 | */ |
| 34 | public static function isSessionHandler($handler) |
| 35 | { |
| 36 | $config = Config::getInstance(); |
| 37 | return !isset($config->General['session_save_handler']) |
| 38 | || $config->General['session_save_handler'] === $handler; |
| 39 | } |
| 40 | |
| 41 | /** |
| 42 | * Start the session |
| 43 | * |
| 44 | * @param array|bool $options An array of configuration options; the auto-start (bool) setting is ignored |
| 45 | * @return void |
| 46 | * @throws Exception if starting a session fails |
| 47 | */ |
| 48 | public static function start($options = false) |
| 49 | { |
| 50 | if (headers_sent() |
| 51 | || self::$sessionStarted |
| 52 | || (defined('PIWIK_ENABLE_SESSION_START') && !PIWIK_ENABLE_SESSION_START) |
| 53 | || session_status() == PHP_SESSION_ACTIVE |
| 54 | ) { |
| 55 | return; |
| 56 | } |
| 57 | self::$sessionStarted = true; |
| 58 | |
| 59 | if (defined('PIWIK_SESSION_NAME')) { |
| 60 | self::$sessionName = PIWIK_SESSION_NAME; |
| 61 | } |
| 62 | |
| 63 | $config = Config::getInstance(); |
| 64 | |
| 65 | // use cookies to store session id on the client side |
| 66 | @ini_set('session.use_cookies', '1'); |
| 67 | |
| 68 | // prevent attacks involving session ids passed in URLs |
| 69 | @ini_set('session.use_only_cookies', '1'); |
| 70 | |
| 71 | // advise browser that session cookie should only be sent over secure connection |
| 72 | if (ProxyHttp::isHttps()) { |
| 73 | @ini_set('session.cookie_secure', '1'); |
| 74 | } |
| 75 | |
| 76 | // advise browser that session cookie should only be accessible through the HTTP protocol (i.e., not JavaScript) |
| 77 | @ini_set('session.cookie_httponly', '1'); |
| 78 | |
| 79 | // don't use the default: PHPSESSID |
| 80 | @ini_set('session.name', self::$sessionName); |
| 81 | |
| 82 | // proxies may cause the referer check to fail and |
| 83 | // incorrectly invalidate the session |
| 84 | @ini_set('session.referer_check', ''); |
| 85 | |
| 86 | // to preserve previous behavior piwik_auth provided when it contained a token_auth, we ensure |
| 87 | // the session data won't be deleted until the cookie expires. |
| 88 | @ini_set('session.gc_maxlifetime', $config->General['login_cookie_expire']); |
| 89 | |
| 90 | @ini_set('session.cookie_path', empty($config->General['login_cookie_path']) ? '/' : $config->General['login_cookie_path']); |
| 91 | |
| 92 | $currentSaveHandler = ini_get('session.save_handler'); |
| 93 | |
| 94 | if (!SettingsPiwik::isPiwikInstalled()) { |
| 95 | // Note: this handler doesn't work well in load-balanced environments and may have a concurrency issue with locked session files |
| 96 | |
| 97 | // for "files", use our own folder to prevent local session file hijacking |
| 98 | $sessionPath = self::getSessionsDirectory(); |
| 99 | // We always call mkdir since it also chmods the directory which might help when permissions were reverted for some reasons |
| 100 | Filesystem::mkdir($sessionPath); |
| 101 | |
| 102 | @ini_set('session.save_handler', 'files'); |
| 103 | @ini_set('session.save_path', $sessionPath); |
| 104 | } elseif (self::isSessionHandler('dbtable') |
| 105 | || self::isSessionHandler('files') |
| 106 | || in_array($currentSaveHandler, array('user', 'mm')) |
| 107 | ) { |
| 108 | // as of Matomo 3.7.0 we only support files session handler during installation |
| 109 | |
| 110 | // We consider these to be misconfigurations, in that: |
| 111 | // - user - we can't verify that user-defined session handler functions have already been set via session_set_save_handler() |
| 112 | // - mm - this handler is not recommended, unsupported, not available for Windows, and has a potential concurrency issue |
| 113 | |
| 114 | if (@ini_get('session.serialize_handler') !== 'php_serialize') { |
| 115 | @ini_set('session.serialize_handler', 'php_serialize'); |
| 116 | } |
| 117 | |
| 118 | $config = array( |
| 119 | 'name' => Common::prefixTable(DbTable::TABLE_NAME), |
| 120 | 'primary' => 'id', |
| 121 | 'modifiedColumn' => 'modified', |
| 122 | 'dataColumn' => 'data', |
| 123 | 'lifetimeColumn' => 'lifetime', |
| 124 | ); |
| 125 | |
| 126 | $saveHandler = new DbTable($config); |
| 127 | if ($saveHandler) { |
| 128 | self::setSaveHandler($saveHandler); |
| 129 | } |
| 130 | } |
| 131 | |
| 132 | // garbage collection may disabled by default (e.g., Debian) |
| 133 | if (ini_get('session.gc_probability') == 0) { |
| 134 | @ini_set('session.gc_probability', 1); |
| 135 | } |
| 136 | |
| 137 | try { |
| 138 | parent::start(); |
| 139 | register_shutdown_function(array('Zend_Session', 'writeClose'), true); |
| 140 | } catch (Exception $e) { |
| 141 | StaticContainer::get(LoggerInterface::class)->error('Unable to start session: {exception}', [ |
| 142 | 'exception' => $e, |
| 143 | 'ignoreInScreenWriter' => true, |
| 144 | ]); |
| 145 | |
| 146 | if (SettingsPiwik::isPiwikInstalled()) { |
| 147 | $pathToSessions = ''; |
| 148 | } else { |
| 149 | $pathToSessions = Filechecks::getErrorMessageMissingPermissions(self::getSessionsDirectory()); |
| 150 | } |
| 151 | |
| 152 | $message = sprintf("Error: %s %s\n<pre>Debug: the original error was \n%s</pre>", |
| 153 | Piwik::translate('General_ExceptionUnableToStartSession'), |
| 154 | $pathToSessions, |
| 155 | $e->getMessage() |
| 156 | ); |
| 157 | |
| 158 | $ex = new MissingFilePermissionException($message, $e->getCode(), $e); |
| 159 | $ex->setIsHtmlMessage(); |
| 160 | |
| 161 | throw $ex; |
| 162 | } |
| 163 | } |
| 164 | |
| 165 | /** |
| 166 | * Returns the directory session files are stored in. |
| 167 | * |
| 168 | * @return string |
| 169 | */ |
| 170 | public static function getSessionsDirectory() |
| 171 | { |
| 172 | return StaticContainer::get('path.tmp') . '/sessions'; |
| 173 | } |
| 174 | |
| 175 | public static function close() |
| 176 | { |
| 177 | if (self::isSessionStarted()) { |
| 178 | // only write/close session if the session was actually started by us |
| 179 | // otherwise we will set the session values to base64 encoded and whoever the session started might not expect the values in that way |
| 180 | parent::writeClose(); |
| 181 | } |
| 182 | } |
| 183 | |
| 184 | public static function isSessionStarted() |
| 185 | { |
| 186 | return self::$sessionStarted; |
| 187 | } |
| 188 | |
| 189 | public static function getSameSiteCookieValue() |
| 190 | { |
| 191 | $config = Config::getInstance(); |
| 192 | $general = $config->General; |
| 193 | |
| 194 | $module = Piwik::getModule(); |
| 195 | $action = Piwik::getAction(); |
| 196 | |
| 197 | $isOptOutRequest = $module == 'CoreAdminHome' && $action == 'optOut'; |
| 198 | $isOverlay = $module == 'Overlay'; |
| 199 | $shouldUseNone = !empty($general['enable_framed_pages']) || $isOptOutRequest || $isOverlay; |
| 200 | |
| 201 | if ($shouldUseNone && ProxyHttp::isHttps()) { |
| 202 | return 'None'; |
| 203 | } |
| 204 | |
| 205 | return 'Lax'; |
| 206 | } |
| 207 | |
| 208 | /** |
| 209 | * Write cookie header. Similar to the native setcookie() function but also supports |
| 210 | * the SameSite cookie property. |
| 211 | * @param $name |
| 212 | * @param $value |
| 213 | * @param int $expires |
| 214 | * @param string $path |
| 215 | * @param string $domain |
| 216 | * @param bool $secure |
| 217 | * @param bool $httpOnly |
| 218 | * @param string $sameSite |
| 219 | * @return string |
| 220 | */ |
| 221 | public static function writeCookie($name, $value, $expires = 0, $path = '/', $domain = '/', $secure = false, $httpOnly = false, $sameSite = 'lax') |
| 222 | { |
| 223 | $headerStr = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value); |
| 224 | if ($expires) { |
| 225 | $headerStr .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT'; |
| 226 | } |
| 227 | if ($path) { |
| 228 | $headerStr .= '; path=' . $path; |
| 229 | } |
| 230 | if ($domain) { |
| 231 | $headerStr .= '; domain=' . rawurlencode($domain); |
| 232 | } |
| 233 | if ($secure) { |
| 234 | $headerStr .= '; secure'; |
| 235 | } |
| 236 | if ($httpOnly) { |
| 237 | $headerStr .= '; httponly'; |
| 238 | } |
| 239 | if ($sameSite) { |
| 240 | $headerStr .= '; SameSite=' . $sameSite; |
| 241 | } |
| 242 | |
| 243 | Common::sendHeader($headerStr); |
| 244 | return $headerStr; |
| 245 | } |
| 246 | } |
| 247 |