PluginProbe ʕ •ᴥ•ʔ
Matomo Analytics – Powerful, Privacy-First Insights for WordPress / 4.3.0
Matomo Analytics – Powerful, Privacy-First Insights for WordPress v4.3.0
5.11.1 5.11.0 5.10.2 5.10.1 trunk 1.0.2 1.0.3 1.0.4 1.0.5 1.0.6 1.1.0 1.1.1 1.1.2 1.1.3 1.2.0 1.3.0 1.3.1 1.3.2 4.0.0 4.0.1 4.0.2 4.0.3 4.0.4 4.1.0 4.1.1 4.1.2 4.1.3 4.10.0 4.11.0 4.12.0 4.13.0 4.13.2 4.13.3 4.13.4 4.13.5 4.14.0 4.14.1 4.14.2 4.15.0 4.15.1 4.15.2 4.15.3 4.2.0 4.3.0 4.3.1 4.4.1 4.4.2 4.5.0 4.6.0 5.0.1 5.0.2 5.0.3 5.0.4 5.0.5 5.0.6 5.0.7 5.0.8 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.10.0 5.2.0 5.2.1 5.2.2 5.3.0 5.3.1 5.3.2 5.3.3 5.6.0 5.6.1 5.7.0 5.7.1 5.8.0 5.8.1 5.8.2
matomo / app / core / Session / SessionFingerprint.php
matomo / app / core / Session Last commit date
SaveHandler 5 years ago SessionAuth.php 5 years ago SessionFingerprint.php 5 years ago SessionInitializer.php 5 years ago SessionNamespace.php 5 years ago
SessionFingerprint.php
181 lines
1 <?php
2 /**
3 * Matomo - free/libre analytics platform
4 *
5 * @link https://matomo.org
6 * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
7 *
8 */
9
10 namespace Piwik\Session;
11
12 use Piwik\Common;
13 use Piwik\Config;
14 use Piwik\Date;
15
16 /**
17 * Manages session information that is used to identify who the session
18 * is for.
19 *
20 * Once a session is authenticated using either a user name & password or
21 * token auth, some information about the user is stored in the session.
22 * This info includes the user name and the user agent
23 * string of the user's client, and a random session secret.
24 *
25 * In subsequent requests that use this session, we use the above information
26 * to verify that the session is allowed to be used by the person sending the
27 * request.
28 *
29 * This is accomplished by checking the request's user agent
30 * against what is stored in the session. If it doesn't then this is a
31 * session hijacking attempt.
32 *
33 * We also check that a hash in the matomo_auth cookie matches the hash
34 * of the time the user last changed their password + the session secret.
35 * If they don't match, the password has been changed since this session
36 * started, and is no longer valid.
37 */
38 class SessionFingerprint
39 {
40 // used in case the global.ini.php becomes corrupt or doesn't update properly
41 const DEFAULT_IDLE_TIMEOUT = 3600;
42
43 const USER_NAME_SESSION_VAR_NAME = 'user.name';
44 const SESSION_INFO_SESSION_VAR_NAME = 'session.info';
45 const SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED = 'twofactorauth.verified';
46 const SESSION_INFO_TEMP_TOKEN_AUTH = 'user.token_auth_temp';
47
48 public function getUser()
49 {
50 if (isset($_SESSION[self::USER_NAME_SESSION_VAR_NAME])) {
51 return $_SESSION[self::USER_NAME_SESSION_VAR_NAME];
52 }
53
54 return null;
55 }
56
57 public function getUserInfo()
58 {
59 if (isset($_SESSION[self::SESSION_INFO_SESSION_VAR_NAME])) {
60 return $_SESSION[self::SESSION_INFO_SESSION_VAR_NAME];
61 }
62
63 return null;
64 }
65
66 public function getSessionTokenAuth()
67 {
68 if (!empty($_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH])) {
69 return $_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH];
70 }
71
72 return null;
73 }
74
75 public function hasVerifiedTwoFactor()
76 {
77 if (isset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED])) {
78 return !empty($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED]);
79 }
80
81 return null;
82 }
83
84 public function setTwoFactorAuthenticationVerified()
85 {
86 $_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED] = 1;
87 }
88
89 public function initialize($userName, $tokenAuth, $isRemembered = false, $time = null)
90 {
91 $time = $time ?: Date::now()->getTimestampUTC();
92 $_SESSION[self::USER_NAME_SESSION_VAR_NAME] = $userName;
93 $_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED] = 0;
94 $_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH] = $tokenAuth;
95 $_SESSION[self::SESSION_INFO_SESSION_VAR_NAME] = [
96 'ts' => $time,
97 'remembered' => $isRemembered,
98 'expiration' => $this->getExpirationTimeFromNow($time),
99 ];
100 }
101
102 public function clear()
103 {
104 if (isset($_SESSION[self::USER_NAME_SESSION_VAR_NAME])) { // may not be available during tests
105 unset($_SESSION[self::USER_NAME_SESSION_VAR_NAME]);
106 }
107
108 if (isset($_SESSION[self::SESSION_INFO_SESSION_VAR_NAME])) { // may not be available during tests
109 unset($_SESSION[self::SESSION_INFO_SESSION_VAR_NAME]);
110 }
111
112 if (isset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED])) { // may not be available during tests
113 unset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED]);
114 }
115
116 if (isset($_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH])) { // may not be available during tests
117 unset($_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH]);
118 }
119 }
120
121 public function getSessionStartTime()
122 {
123 $userInfo = $this->getUserInfo();
124 if (empty($userInfo)
125 || empty($userInfo['ts'])
126 ) {
127 return null;
128 }
129
130 return $userInfo['ts'];
131 }
132
133 public function getExpirationTime()
134 {
135 $userInfo = $this->getUserInfo();
136 if (empty($userInfo)
137 || empty($userInfo['expiration'])
138 ) {
139 return null;
140 }
141
142 return $userInfo['expiration'];
143 }
144
145 public function isRemembered()
146 {
147 $userInfo = $this->getUserInfo();
148 return !empty($userInfo['remembered']);
149 }
150
151 public function updateSessionExpirationTime()
152 {
153 $_SESSION[self::SESSION_INFO_SESSION_VAR_NAME]['expiration'] = $this->getExpirationTimeFromNow();
154 }
155
156 private function getExpirationTimeFromNow($time = null)
157 {
158 $time = $time ?: Date::now()->getTimestampUTC();
159
160 $general = Config::getInstance()->General;
161
162 if (!isset($general['login_session_not_remembered_idle_timeout'])
163 || (int) $general['login_session_not_remembered_idle_timeout'] <= 0
164 ) {
165 $nonRememberedSessionExpireTime = self::DEFAULT_IDLE_TIMEOUT;
166 } else {
167 $nonRememberedSessionExpireTime = (int) $general['login_session_not_remembered_idle_timeout'];
168 }
169
170 $sessionCookieLifetime = $general['login_cookie_expire'];
171
172 if ($this->isRemembered()) {
173 $expireDuration = $sessionCookieLifetime;
174 } else {
175 $expireDuration = $nonRememberedSessionExpireTime;
176 }
177
178 return $time + $expireDuration;
179 }
180 }
181