API
5 years ago
Access
5 years ago
Application
5 years ago
Archive
5 years ago
ArchiveProcessor
5 years ago
Archiver
5 years ago
AssetManager
5 years ago
Auth
5 years ago
Category
5 years ago
CliMulti
5 years ago
Columns
5 years ago
Composer
5 years ago
Concurrency
5 years ago
Config
5 years ago
Container
5 years ago
CronArchive
5 years ago
DataAccess
5 years ago
DataFiles
5 years ago
DataTable
5 years ago
Db
5 years ago
DeviceDetector
5 years ago
Email
5 years ago
Exception
5 years ago
Http
5 years ago
Intl
5 years ago
Mail
5 years ago
Measurable
5 years ago
Menu
5 years ago
Metrics
5 years ago
Notification
5 years ago
Period
5 years ago
Plugin
5 years ago
ProfessionalServices
5 years ago
Report
5 years ago
ReportRenderer
5 years ago
Scheduler
5 years ago
Segment
5 years ago
Session
5 years ago
Settings
5 years ago
Tracker
5 years ago
Translation
5 years ago
UpdateCheck
5 years ago
Updater
5 years ago
Updates
5 years ago
Validators
5 years ago
View
5 years ago
ViewDataTable
5 years ago
Visualization
5 years ago
Widget
5 years ago
.htaccess
6 years ago
Access.php
5 years ago
Archive.php
5 years ago
ArchiveProcessor.php
5 years ago
AssetManager.php
5 years ago
Auth.php
5 years ago
AuthResult.php
5 years ago
BaseFactory.php
5 years ago
Cache.php
5 years ago
CacheId.php
5 years ago
CliMulti.php
5 years ago
Common.php
5 years ago
Config.php
5 years ago
Console.php
5 years ago
Context.php
5 years ago
Cookie.php
5 years ago
CronArchive.php
5 years ago
DataArray.php
5 years ago
DataTable.php
5 years ago
Date.php
5 years ago
Db.php
5 years ago
DbHelper.php
5 years ago
Development.php
5 years ago
ErrorHandler.php
5 years ago
EventDispatcher.php
5 years ago
ExceptionHandler.php
5 years ago
FileIntegrity.php
5 years ago
Filechecks.php
5 years ago
Filesystem.php
5 years ago
FrontController.php
5 years ago
Http.php
5 years ago
IP.php
5 years ago
Log.php
5 years ago
LogDeleter.php
5 years ago
Mail.php
5 years ago
Metrics.php
5 years ago
NoAccessException.php
5 years ago
Nonce.php
5 years ago
Notification.php
5 years ago
NumberFormatter.php
5 years ago
Option.php
5 years ago
Period.php
5 years ago
Piwik.php
5 years ago
Plugin.php
5 years ago
Profiler.php
5 years ago
ProxyHeaders.php
5 years ago
ProxyHttp.php
5 years ago
QuickForm2.php
5 years ago
RankingQuery.php
5 years ago
ReportRenderer.php
5 years ago
Segment.php
5 years ago
Sequence.php
5 years ago
Session.php
5 years ago
SettingsPiwik.php
5 years ago
SettingsServer.php
5 years ago
Singleton.php
5 years ago
Site.php
5 years ago
TCPDF.php
5 years ago
Theme.php
5 years ago
Timer.php
5 years ago
Tracker.php
5 years ago
Twig.php
5 years ago
Unzip.php
5 years ago
UpdateCheck.php
5 years ago
Updater.php
5 years ago
UpdaterErrorException.php
5 years ago
Updates.php
5 years ago
Url.php
5 years ago
UrlHelper.php
5 years ago
Version.php
5 years ago
View.php
5 years ago
bootstrap.php
5 years ago
dispatch.php
5 years ago
testMinimumPhpVersion.php
5 years ago
Session.php
230 lines
| 1 | <?php |
| 2 | /** |
| 3 | * Matomo - free/libre analytics platform |
| 4 | * |
| 5 | * @link https://matomo.org |
| 6 | * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later |
| 7 | * |
| 8 | */ |
| 9 | namespace Piwik; |
| 10 | |
| 11 | use Exception; |
| 12 | use Piwik\Container\StaticContainer; |
| 13 | use Piwik\Exception\MissingFilePermissionException; |
| 14 | use Piwik\Session\SaveHandler\DbTable; |
| 15 | use Psr\Log\LoggerInterface; |
| 16 | use Zend_Session; |
| 17 | |
| 18 | /** |
| 19 | * Session initialization. |
| 20 | */ |
| 21 | class Session extends Zend_Session |
| 22 | { |
| 23 | const SESSION_NAME = 'MATOMO_SESSID'; |
| 24 | |
| 25 | public static $sessionName = self::SESSION_NAME; |
| 26 | |
| 27 | protected static $sessionStarted = false; |
| 28 | |
| 29 | /** |
| 30 | * Start the session |
| 31 | * |
| 32 | * @param array|bool $options An array of configuration options; the auto-start (bool) setting is ignored |
| 33 | * @return void |
| 34 | * @throws Exception if starting a session fails |
| 35 | */ |
| 36 | public static function start($options = false) |
| 37 | { |
| 38 | if (headers_sent() |
| 39 | || self::$sessionStarted |
| 40 | || (defined('PIWIK_ENABLE_SESSION_START') && !PIWIK_ENABLE_SESSION_START) |
| 41 | || session_status() == PHP_SESSION_ACTIVE |
| 42 | ) { |
| 43 | return; |
| 44 | } |
| 45 | self::$sessionStarted = true; |
| 46 | |
| 47 | if (defined('PIWIK_SESSION_NAME')) { |
| 48 | self::$sessionName = PIWIK_SESSION_NAME; |
| 49 | } |
| 50 | |
| 51 | $config = Config::getInstance(); |
| 52 | |
| 53 | // use cookies to store session id on the client side |
| 54 | @ini_set('session.use_cookies', '1'); |
| 55 | |
| 56 | // prevent attacks involving session ids passed in URLs |
| 57 | @ini_set('session.use_only_cookies', '1'); |
| 58 | |
| 59 | // advise browser that session cookie should only be sent over secure connection |
| 60 | if (ProxyHttp::isHttps()) { |
| 61 | @ini_set('session.cookie_secure', '1'); |
| 62 | } |
| 63 | |
| 64 | // advise browser that session cookie should only be accessible through the HTTP protocol (i.e., not JavaScript) |
| 65 | @ini_set('session.cookie_httponly', '1'); |
| 66 | |
| 67 | // don't use the default: PHPSESSID |
| 68 | @ini_set('session.name', self::$sessionName); |
| 69 | |
| 70 | // proxies may cause the referer check to fail and |
| 71 | // incorrectly invalidate the session |
| 72 | @ini_set('session.referer_check', ''); |
| 73 | |
| 74 | // to preserve previous behavior matomo_auth provided when it contained a token_auth, we ensure |
| 75 | // the session data won't be deleted until the cookie expires. |
| 76 | @ini_set('session.gc_maxlifetime', $config->General['login_cookie_expire']); |
| 77 | |
| 78 | @ini_set('session.cookie_path', empty($config->General['login_cookie_path']) ? '/' : $config->General['login_cookie_path']); |
| 79 | |
| 80 | $currentSaveHandler = ini_get('session.save_handler'); |
| 81 | |
| 82 | if (!SettingsPiwik::isMatomoInstalled()) { |
| 83 | // Note: this handler doesn't work well in load-balanced environments and may have a concurrency issue with locked session files |
| 84 | |
| 85 | // for "files", use our own folder to prevent local session file hijacking |
| 86 | $sessionPath = self::getSessionsDirectory(); |
| 87 | // We always call mkdir since it also chmods the directory which might help when permissions were reverted for some reasons |
| 88 | Filesystem::mkdir($sessionPath); |
| 89 | |
| 90 | @ini_set('session.save_handler', 'files'); |
| 91 | @ini_set('session.save_path', $sessionPath); |
| 92 | } else { |
| 93 | // as of Matomo 3.7.0 we only support files session handler during installation |
| 94 | |
| 95 | // We consider these to be misconfigurations, in that: |
| 96 | // - user - we can't verify that user-defined session handler functions have already been set via session_set_save_handler() |
| 97 | // - mm - this handler is not recommended, unsupported, not available for Windows, and has a potential concurrency issue |
| 98 | |
| 99 | if (@ini_get('session.serialize_handler') !== 'php_serialize') { |
| 100 | @ini_set('session.serialize_handler', 'php_serialize'); |
| 101 | } |
| 102 | |
| 103 | $config = array( |
| 104 | 'name' => Common::prefixTable(DbTable::TABLE_NAME), |
| 105 | 'primary' => 'id', |
| 106 | 'modifiedColumn' => 'modified', |
| 107 | 'dataColumn' => 'data', |
| 108 | 'lifetimeColumn' => 'lifetime', |
| 109 | ); |
| 110 | |
| 111 | $saveHandler = new DbTable($config); |
| 112 | if ($saveHandler) { |
| 113 | self::setSaveHandler($saveHandler); |
| 114 | } |
| 115 | } |
| 116 | |
| 117 | // set garbage collection according to user preferences (on by default) |
| 118 | @ini_set('session.gc_probability', Config::getInstance()->General['session_gc_probability']); |
| 119 | |
| 120 | try { |
| 121 | parent::start(); |
| 122 | register_shutdown_function(array('Zend_Session', 'writeClose'), true); |
| 123 | } catch (Exception $e) { |
| 124 | StaticContainer::get(LoggerInterface::class)->error('Unable to start session: {exception}', [ |
| 125 | 'exception' => $e, |
| 126 | 'ignoreInScreenWriter' => true, |
| 127 | ]); |
| 128 | |
| 129 | if (SettingsPiwik::isMatomoInstalled()) { |
| 130 | $pathToSessions = ''; |
| 131 | } else { |
| 132 | $pathToSessions = Filechecks::getErrorMessageMissingPermissions(self::getSessionsDirectory()); |
| 133 | } |
| 134 | |
| 135 | $message = sprintf("Error: %s %s\n<pre>Debug: the original error was \n%s</pre>", |
| 136 | Piwik::translate('General_ExceptionUnableToStartSession'), |
| 137 | $pathToSessions, |
| 138 | $e->getMessage() |
| 139 | ); |
| 140 | |
| 141 | $ex = new MissingFilePermissionException($message, $e->getCode(), $e); |
| 142 | $ex->setIsHtmlMessage(); |
| 143 | |
| 144 | throw $ex; |
| 145 | } |
| 146 | } |
| 147 | |
| 148 | /** |
| 149 | * Returns the directory session files are stored in. |
| 150 | * |
| 151 | * @return string |
| 152 | */ |
| 153 | public static function getSessionsDirectory() |
| 154 | { |
| 155 | return StaticContainer::get('path.tmp') . '/sessions'; |
| 156 | } |
| 157 | |
| 158 | public static function close() |
| 159 | { |
| 160 | if (self::isSessionStarted()) { |
| 161 | // only write/close session if the session was actually started by us |
| 162 | // otherwise we will set the session values to base64 encoded and whoever the session started might not expect the values in that way |
| 163 | parent::writeClose(); |
| 164 | } |
| 165 | } |
| 166 | |
| 167 | public static function isSessionStarted() |
| 168 | { |
| 169 | return self::$sessionStarted; |
| 170 | } |
| 171 | |
| 172 | public static function getSameSiteCookieValue() |
| 173 | { |
| 174 | $config = Config::getInstance(); |
| 175 | $general = $config->General; |
| 176 | |
| 177 | $module = Piwik::getModule(); |
| 178 | $action = Piwik::getAction(); |
| 179 | |
| 180 | $isOptOutRequest = $module == 'CoreAdminHome' && $action == 'optOut'; |
| 181 | $isOverlay = $module == 'Overlay'; |
| 182 | $shouldUseNone = !empty($general['enable_framed_pages']) || $isOptOutRequest || $isOverlay; |
| 183 | |
| 184 | if ($shouldUseNone && ProxyHttp::isHttps()) { |
| 185 | return 'None'; |
| 186 | } |
| 187 | |
| 188 | return 'Lax'; |
| 189 | } |
| 190 | |
| 191 | /** |
| 192 | * Write cookie header. Similar to the native setcookie() function but also supports |
| 193 | * the SameSite cookie property. |
| 194 | * @param $name |
| 195 | * @param $value |
| 196 | * @param int $expires |
| 197 | * @param string $path |
| 198 | * @param string $domain |
| 199 | * @param bool $secure |
| 200 | * @param bool $httpOnly |
| 201 | * @param string $sameSite |
| 202 | * @return string |
| 203 | */ |
| 204 | public static function writeCookie($name, $value, $expires = 0, $path = '/', $domain = '/', $secure = false, $httpOnly = false, $sameSite = 'lax') |
| 205 | { |
| 206 | $headerStr = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value); |
| 207 | if ($expires) { |
| 208 | $headerStr .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT'; |
| 209 | } |
| 210 | if ($path) { |
| 211 | $headerStr .= '; path=' . $path; |
| 212 | } |
| 213 | if ($domain) { |
| 214 | $headerStr .= '; domain=' . rawurlencode($domain); |
| 215 | } |
| 216 | if ($secure) { |
| 217 | $headerStr .= '; secure'; |
| 218 | } |
| 219 | if ($httpOnly) { |
| 220 | $headerStr .= '; httponly'; |
| 221 | } |
| 222 | if ($sameSite) { |
| 223 | $headerStr .= '; SameSite=' . $sameSite; |
| 224 | } |
| 225 | |
| 226 | Common::sendHeader($headerStr); |
| 227 | return $headerStr; |
| 228 | } |
| 229 | } |
| 230 |