PluginProbe ʕ •ᴥ•ʔ
Matomo Analytics – Powerful, Privacy-First Insights for WordPress / 4.0.2
Matomo Analytics – Powerful, Privacy-First Insights for WordPress v4.0.2
5.11.1 5.11.0 5.10.2 5.10.1 trunk 1.0.2 1.0.3 1.0.4 1.0.5 1.0.6 1.1.0 1.1.1 1.1.2 1.1.3 1.2.0 1.3.0 1.3.1 1.3.2 4.0.0 4.0.1 4.0.2 4.0.3 4.0.4 4.1.0 4.1.1 4.1.2 4.1.3 4.10.0 4.11.0 4.12.0 4.13.0 4.13.2 4.13.3 4.13.4 4.13.5 4.14.0 4.14.1 4.14.2 4.15.0 4.15.1 4.15.2 4.15.3 4.2.0 4.3.0 4.3.1 4.4.1 4.4.2 4.5.0 4.6.0 5.0.1 5.0.2 5.0.3 5.0.4 5.0.5 5.0.6 5.0.7 5.0.8 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.10.0 5.2.0 5.2.1 5.2.2 5.3.0 5.3.1 5.3.2 5.3.3 5.6.0 5.6.1 5.7.0 5.7.1 5.8.0 5.8.1 5.8.2
matomo / app / core / Session.php
matomo / app / core Last commit date
API 5 years ago Access 5 years ago Application 5 years ago Archive 5 years ago ArchiveProcessor 5 years ago Archiver 5 years ago AssetManager 5 years ago Auth 5 years ago Category 5 years ago CliMulti 5 years ago Columns 5 years ago Composer 5 years ago Concurrency 5 years ago Config 5 years ago Container 5 years ago CronArchive 5 years ago DataAccess 5 years ago DataFiles 5 years ago DataTable 5 years ago Db 5 years ago DeviceDetector 5 years ago Email 5 years ago Exception 5 years ago Http 5 years ago Intl 5 years ago Mail 5 years ago Measurable 5 years ago Menu 5 years ago Metrics 5 years ago Notification 5 years ago Period 5 years ago Plugin 5 years ago ProfessionalServices 5 years ago Report 5 years ago ReportRenderer 5 years ago Scheduler 5 years ago Segment 5 years ago Session 5 years ago Settings 5 years ago Tracker 5 years ago Translation 5 years ago UpdateCheck 5 years ago Updater 5 years ago Updates 5 years ago Validators 5 years ago View 5 years ago ViewDataTable 5 years ago Visualization 5 years ago Widget 5 years ago .htaccess 6 years ago Access.php 5 years ago Archive.php 5 years ago ArchiveProcessor.php 5 years ago AssetManager.php 5 years ago Auth.php 5 years ago AuthResult.php 5 years ago BaseFactory.php 5 years ago Cache.php 5 years ago CacheId.php 5 years ago CliMulti.php 5 years ago Common.php 5 years ago Config.php 5 years ago Console.php 5 years ago Context.php 5 years ago Cookie.php 5 years ago CronArchive.php 5 years ago DataArray.php 5 years ago DataTable.php 5 years ago Date.php 5 years ago Db.php 5 years ago DbHelper.php 5 years ago Development.php 5 years ago ErrorHandler.php 5 years ago EventDispatcher.php 5 years ago ExceptionHandler.php 5 years ago FileIntegrity.php 5 years ago Filechecks.php 5 years ago Filesystem.php 5 years ago FrontController.php 5 years ago Http.php 5 years ago IP.php 5 years ago Log.php 5 years ago LogDeleter.php 5 years ago Mail.php 5 years ago Metrics.php 5 years ago NoAccessException.php 5 years ago Nonce.php 5 years ago Notification.php 5 years ago NumberFormatter.php 5 years ago Option.php 5 years ago Period.php 5 years ago Piwik.php 5 years ago Plugin.php 5 years ago Profiler.php 5 years ago ProxyHeaders.php 5 years ago ProxyHttp.php 5 years ago QuickForm2.php 5 years ago RankingQuery.php 5 years ago ReportRenderer.php 5 years ago Segment.php 5 years ago Sequence.php 5 years ago Session.php 5 years ago SettingsPiwik.php 5 years ago SettingsServer.php 5 years ago Singleton.php 5 years ago Site.php 5 years ago TCPDF.php 5 years ago Theme.php 5 years ago Timer.php 5 years ago Tracker.php 5 years ago Twig.php 5 years ago Unzip.php 5 years ago UpdateCheck.php 5 years ago Updater.php 5 years ago UpdaterErrorException.php 5 years ago Updates.php 5 years ago Url.php 5 years ago UrlHelper.php 5 years ago Version.php 5 years ago View.php 5 years ago bootstrap.php 5 years ago dispatch.php 5 years ago testMinimumPhpVersion.php 5 years ago
Session.php
230 lines
1 <?php
2 /**
3 * Matomo - free/libre analytics platform
4 *
5 * @link https://matomo.org
6 * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
7 *
8 */
9 namespace Piwik;
10
11 use Exception;
12 use Piwik\Container\StaticContainer;
13 use Piwik\Exception\MissingFilePermissionException;
14 use Piwik\Session\SaveHandler\DbTable;
15 use Psr\Log\LoggerInterface;
16 use Zend_Session;
17
18 /**
19 * Session initialization.
20 */
21 class Session extends Zend_Session
22 {
23 const SESSION_NAME = 'MATOMO_SESSID';
24
25 public static $sessionName = self::SESSION_NAME;
26
27 protected static $sessionStarted = false;
28
29 /**
30 * Start the session
31 *
32 * @param array|bool $options An array of configuration options; the auto-start (bool) setting is ignored
33 * @return void
34 * @throws Exception if starting a session fails
35 */
36 public static function start($options = false)
37 {
38 if (headers_sent()
39 || self::$sessionStarted
40 || (defined('PIWIK_ENABLE_SESSION_START') && !PIWIK_ENABLE_SESSION_START)
41 || session_status() == PHP_SESSION_ACTIVE
42 ) {
43 return;
44 }
45 self::$sessionStarted = true;
46
47 if (defined('PIWIK_SESSION_NAME')) {
48 self::$sessionName = PIWIK_SESSION_NAME;
49 }
50
51 $config = Config::getInstance();
52
53 // use cookies to store session id on the client side
54 @ini_set('session.use_cookies', '1');
55
56 // prevent attacks involving session ids passed in URLs
57 @ini_set('session.use_only_cookies', '1');
58
59 // advise browser that session cookie should only be sent over secure connection
60 if (ProxyHttp::isHttps()) {
61 @ini_set('session.cookie_secure', '1');
62 }
63
64 // advise browser that session cookie should only be accessible through the HTTP protocol (i.e., not JavaScript)
65 @ini_set('session.cookie_httponly', '1');
66
67 // don't use the default: PHPSESSID
68 @ini_set('session.name', self::$sessionName);
69
70 // proxies may cause the referer check to fail and
71 // incorrectly invalidate the session
72 @ini_set('session.referer_check', '');
73
74 // to preserve previous behavior matomo_auth provided when it contained a token_auth, we ensure
75 // the session data won't be deleted until the cookie expires.
76 @ini_set('session.gc_maxlifetime', $config->General['login_cookie_expire']);
77
78 @ini_set('session.cookie_path', empty($config->General['login_cookie_path']) ? '/' : $config->General['login_cookie_path']);
79
80 $currentSaveHandler = ini_get('session.save_handler');
81
82 if (!SettingsPiwik::isMatomoInstalled()) {
83 // Note: this handler doesn't work well in load-balanced environments and may have a concurrency issue with locked session files
84
85 // for "files", use our own folder to prevent local session file hijacking
86 $sessionPath = self::getSessionsDirectory();
87 // We always call mkdir since it also chmods the directory which might help when permissions were reverted for some reasons
88 Filesystem::mkdir($sessionPath);
89
90 @ini_set('session.save_handler', 'files');
91 @ini_set('session.save_path', $sessionPath);
92 } else {
93 // as of Matomo 3.7.0 we only support files session handler during installation
94
95 // We consider these to be misconfigurations, in that:
96 // - user - we can't verify that user-defined session handler functions have already been set via session_set_save_handler()
97 // - mm - this handler is not recommended, unsupported, not available for Windows, and has a potential concurrency issue
98
99 if (@ini_get('session.serialize_handler') !== 'php_serialize') {
100 @ini_set('session.serialize_handler', 'php_serialize');
101 }
102
103 $config = array(
104 'name' => Common::prefixTable(DbTable::TABLE_NAME),
105 'primary' => 'id',
106 'modifiedColumn' => 'modified',
107 'dataColumn' => 'data',
108 'lifetimeColumn' => 'lifetime',
109 );
110
111 $saveHandler = new DbTable($config);
112 if ($saveHandler) {
113 self::setSaveHandler($saveHandler);
114 }
115 }
116
117 // set garbage collection according to user preferences (on by default)
118 @ini_set('session.gc_probability', Config::getInstance()->General['session_gc_probability']);
119
120 try {
121 parent::start();
122 register_shutdown_function(array('Zend_Session', 'writeClose'), true);
123 } catch (Exception $e) {
124 StaticContainer::get(LoggerInterface::class)->error('Unable to start session: {exception}', [
125 'exception' => $e,
126 'ignoreInScreenWriter' => true,
127 ]);
128
129 if (SettingsPiwik::isMatomoInstalled()) {
130 $pathToSessions = '';
131 } else {
132 $pathToSessions = Filechecks::getErrorMessageMissingPermissions(self::getSessionsDirectory());
133 }
134
135 $message = sprintf("Error: %s %s\n<pre>Debug: the original error was \n%s</pre>",
136 Piwik::translate('General_ExceptionUnableToStartSession'),
137 $pathToSessions,
138 $e->getMessage()
139 );
140
141 $ex = new MissingFilePermissionException($message, $e->getCode(), $e);
142 $ex->setIsHtmlMessage();
143
144 throw $ex;
145 }
146 }
147
148 /**
149 * Returns the directory session files are stored in.
150 *
151 * @return string
152 */
153 public static function getSessionsDirectory()
154 {
155 return StaticContainer::get('path.tmp') . '/sessions';
156 }
157
158 public static function close()
159 {
160 if (self::isSessionStarted()) {
161 // only write/close session if the session was actually started by us
162 // otherwise we will set the session values to base64 encoded and whoever the session started might not expect the values in that way
163 parent::writeClose();
164 }
165 }
166
167 public static function isSessionStarted()
168 {
169 return self::$sessionStarted;
170 }
171
172 public static function getSameSiteCookieValue()
173 {
174 $config = Config::getInstance();
175 $general = $config->General;
176
177 $module = Piwik::getModule();
178 $action = Piwik::getAction();
179
180 $isOptOutRequest = $module == 'CoreAdminHome' && $action == 'optOut';
181 $isOverlay = $module == 'Overlay';
182 $shouldUseNone = !empty($general['enable_framed_pages']) || $isOptOutRequest || $isOverlay;
183
184 if ($shouldUseNone && ProxyHttp::isHttps()) {
185 return 'None';
186 }
187
188 return 'Lax';
189 }
190
191 /**
192 * Write cookie header. Similar to the native setcookie() function but also supports
193 * the SameSite cookie property.
194 * @param $name
195 * @param $value
196 * @param int $expires
197 * @param string $path
198 * @param string $domain
199 * @param bool $secure
200 * @param bool $httpOnly
201 * @param string $sameSite
202 * @return string
203 */
204 public static function writeCookie($name, $value, $expires = 0, $path = '/', $domain = '/', $secure = false, $httpOnly = false, $sameSite = 'lax')
205 {
206 $headerStr = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value);
207 if ($expires) {
208 $headerStr .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT';
209 }
210 if ($path) {
211 $headerStr .= '; path=' . $path;
212 }
213 if ($domain) {
214 $headerStr .= '; domain=' . rawurlencode($domain);
215 }
216 if ($secure) {
217 $headerStr .= '; secure';
218 }
219 if ($httpOnly) {
220 $headerStr .= '; httponly';
221 }
222 if ($sameSite) {
223 $headerStr .= '; SameSite=' . $sameSite;
224 }
225
226 Common::sendHeader($headerStr);
227 return $headerStr;
228 }
229 }
230