PluginProbe ʕ •ᴥ•ʔ
Matomo Analytics – Powerful, Privacy-First Insights for WordPress / 1.3.1
Matomo Analytics – Powerful, Privacy-First Insights for WordPress v1.3.1
5.11.1 5.11.0 5.10.2 5.10.1 trunk 1.0.2 1.0.3 1.0.4 1.0.5 1.0.6 1.1.0 1.1.1 1.1.2 1.1.3 1.2.0 1.3.0 1.3.1 1.3.2 4.0.0 4.0.1 4.0.2 4.0.3 4.0.4 4.1.0 4.1.1 4.1.2 4.1.3 4.10.0 4.11.0 4.12.0 4.13.0 4.13.2 4.13.3 4.13.4 4.13.5 4.14.0 4.14.1 4.14.2 4.15.0 4.15.1 4.15.2 4.15.3 4.2.0 4.3.0 4.3.1 4.4.1 4.4.2 4.5.0 4.6.0 5.0.1 5.0.2 5.0.3 5.0.4 5.0.5 5.0.6 5.0.7 5.0.8 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.10.0 5.2.0 5.2.1 5.2.2 5.3.0 5.3.1 5.3.2 5.3.3 5.6.0 5.6.1 5.7.0 5.7.1 5.8.0 5.8.1 5.8.2
matomo / app / core / Session / SessionFingerprint.php
matomo / app / core / Session Last commit date
SaveHandler 6 years ago SessionAuth.php 6 years ago SessionFingerprint.php 6 years ago SessionInitializer.php 6 years ago SessionNamespace.php 6 years ago
SessionFingerprint.php
165 lines
1 <?php
2 /**
3 * Piwik - free/libre analytics platform
4 *
5 * @link https://matomo.org
6 * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
7 *
8 */
9
10 namespace Piwik\Session;
11
12 use Piwik\Config;
13 use Piwik\Date;
14
15 /**
16 * Manages session information that is used to identify who the session
17 * is for.
18 *
19 * Once a session is authenticated using either a user name & password or
20 * token auth, some information about the user is stored in the session.
21 * This info includes the user name and the user agent
22 * string of the user's client, and a random session secret.
23 *
24 * In subsequent requests that use this session, we use the above information
25 * to verify that the session is allowed to be used by the person sending the
26 * request.
27 *
28 * This is accomplished by checking the request's user agent
29 * against what is stored in the session. If it doesn't then this is a
30 * session hijacking attempt.
31 *
32 * We also check that a hash in the piwik_auth cookie matches the hash
33 * of the time the user last changed their password + the session secret.
34 * If they don't match, the password has been changed since this session
35 * started, and is no longer valid.
36 */
37 class SessionFingerprint
38 {
39 // used in case the global.ini.php becomes corrupt or doesn't update properly
40 const DEFAULT_IDLE_TIMEOUT = 3600;
41
42 const USER_NAME_SESSION_VAR_NAME = 'user.name';
43 const SESSION_INFO_SESSION_VAR_NAME = 'session.info';
44 const SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED = 'twofactorauth.verified';
45
46 public function getUser()
47 {
48 if (isset($_SESSION[self::USER_NAME_SESSION_VAR_NAME])) {
49 return $_SESSION[self::USER_NAME_SESSION_VAR_NAME];
50 }
51
52 return null;
53 }
54
55 public function getUserInfo()
56 {
57 if (isset($_SESSION[self::SESSION_INFO_SESSION_VAR_NAME])) {
58 return $_SESSION[self::SESSION_INFO_SESSION_VAR_NAME];
59 }
60
61 return null;
62 }
63
64 public function hasVerifiedTwoFactor()
65 {
66 if (isset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED])) {
67 return !empty($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED]);
68 }
69
70 return null;
71 }
72
73 public function setTwoFactorAuthenticationVerified()
74 {
75 $_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED] = 1;
76 }
77
78 public function initialize($userName, $isRemembered = false, $time = null)
79 {
80 $time = $time ?: Date::now()->getTimestampUTC();
81 $_SESSION[self::USER_NAME_SESSION_VAR_NAME] = $userName;
82 $_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED] = 0;
83 $_SESSION[self::SESSION_INFO_SESSION_VAR_NAME] = [
84 'ts' => $time,
85 'remembered' => $isRemembered,
86 'expiration' => $this->getExpirationTimeFromNow($time),
87 ];
88 }
89
90 public function clear()
91 {
92 if (isset($_SESSION[self::USER_NAME_SESSION_VAR_NAME])) { // may not be available during tests
93 unset($_SESSION[self::USER_NAME_SESSION_VAR_NAME]);
94 }
95
96 if (isset($_SESSION[self::SESSION_INFO_SESSION_VAR_NAME])) { // may not be available during tests
97 unset($_SESSION[self::SESSION_INFO_SESSION_VAR_NAME]);
98 }
99
100 if (isset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED])) { // may not be available during tests
101 unset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED]);
102 }
103 }
104
105 public function getSessionStartTime()
106 {
107 $userInfo = $this->getUserInfo();
108 if (empty($userInfo)
109 || empty($userInfo['ts'])
110 ) {
111 return null;
112 }
113
114 return $userInfo['ts'];
115 }
116
117 public function getExpirationTime()
118 {
119 $userInfo = $this->getUserInfo();
120 if (empty($userInfo)
121 || empty($userInfo['expiration'])
122 ) {
123 return null;
124 }
125
126 return $userInfo['expiration'];
127 }
128
129 public function isRemembered()
130 {
131 $userInfo = $this->getUserInfo();
132 return !empty($userInfo['remembered']);
133 }
134
135 public function updateSessionExpirationTime()
136 {
137 $_SESSION[self::SESSION_INFO_SESSION_VAR_NAME]['expiration'] = $this->getExpirationTimeFromNow();
138 }
139
140 private function getExpirationTimeFromNow($time = null)
141 {
142 $time = $time ?: Date::now()->getTimestampUTC();
143
144 $general = Config::getInstance()->General;
145
146 if (!isset($general['login_session_not_remembered_idle_timeout'])
147 || (int) $general['login_session_not_remembered_idle_timeout'] <= 0
148 ) {
149 $nonRememberedSessionExpireTime = self::DEFAULT_IDLE_TIMEOUT;
150 } else {
151 $nonRememberedSessionExpireTime = (int) $general['login_session_not_remembered_idle_timeout'];
152 }
153
154 $sessionCookieLifetime = $general['login_cookie_expire'];
155
156 if ($this->isRemembered()) {
157 $expireDuration = $sessionCookieLifetime;
158 } else {
159 $expireDuration = $nonRememberedSessionExpireTime;
160 }
161
162 return $time + $expireDuration;
163 }
164 }
165