PluginProbe ʕ •ᴥ•ʔ
Matomo Analytics – Powerful, Privacy-First Insights for WordPress / 5.2.2
Matomo Analytics – Powerful, Privacy-First Insights for WordPress v5.2.2
5.11.1 5.11.0 5.10.2 5.10.1 trunk 1.0.2 1.0.3 1.0.4 1.0.5 1.0.6 1.1.0 1.1.1 1.1.2 1.1.3 1.2.0 1.3.0 1.3.1 1.3.2 4.0.0 4.0.1 4.0.2 4.0.3 4.0.4 4.1.0 4.1.1 4.1.2 4.1.3 4.10.0 4.11.0 4.12.0 4.13.0 4.13.2 4.13.3 4.13.4 4.13.5 4.14.0 4.14.1 4.14.2 4.15.0 4.15.1 4.15.2 4.15.3 4.2.0 4.3.0 4.3.1 4.4.1 4.4.2 4.5.0 4.6.0 5.0.1 5.0.2 5.0.3 5.0.4 5.0.5 5.0.6 5.0.7 5.0.8 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.10.0 5.2.0 5.2.1 5.2.2 5.3.0 5.3.1 5.3.2 5.3.3 5.6.0 5.6.1 5.7.0 5.7.1 5.8.0 5.8.1 5.8.2
matomo / app / core / Session.php
matomo / app / core Last commit date
API 1 year ago Access 1 year ago Application 1 year ago Archive 1 year ago ArchiveProcessor 1 year ago Archiver 2 years ago AssetManager 1 year ago Auth 1 year ago Category 2 years ago Changes 1 year ago CliMulti 1 year ago Columns 1 year ago Concurrency 1 year ago Config 1 year ago Container 1 year ago CronArchive 1 year ago DataAccess 1 year ago DataFiles 2 years ago DataTable 1 year ago Db 1 year ago DeviceDetector 1 year ago Email 2 years ago Exception 1 year ago Http 1 year ago Intl 1 year ago Log 2 years ago Mail 1 year ago Measurable 1 year ago Menu 1 year ago Metrics 1 year ago Notification 1 year ago Period 1 year ago Plugin 1 year ago ProfessionalServices 1 year ago Report 1 year ago ReportRenderer 1 year ago Scheduler 1 year ago Segment 1 year ago Session 1 year ago Settings 1 year ago Tracker 1 year ago Translation 1 year ago Twig 1 year ago UpdateCheck 1 year ago Updater 1 year ago Updates 1 year ago Validators 1 year ago View 1 year ago ViewDataTable 1 year ago Visualization 1 year ago Widget 1 year ago .htaccess 2 years ago Access.php 1 year ago Archive.php 1 year ago ArchiveProcessor.php 1 year ago AssetManager.php 1 year ago Auth.php 2 years ago AuthResult.php 2 years ago BaseFactory.php 2 years ago Cache.php 2 years ago CacheId.php 1 year ago CliMulti.php 1 year ago Common.php 1 year ago Config.php 1 year ago Console.php 1 year ago Context.php 2 years ago Cookie.php 1 year ago CronArchive.php 1 year ago DI.php 1 year ago DataArray.php 1 year ago DataTable.php 1 year ago Date.php 1 year ago Db.php 1 year ago DbHelper.php 1 year ago Development.php 1 year ago ErrorHandler.php 1 year ago EventDispatcher.php 1 year ago ExceptionHandler.php 1 year ago FileIntegrity.php 1 year ago Filechecks.php 1 year ago Filesystem.php 1 year ago FrontController.php 1 year ago Http.php 1 year ago IP.php 1 year ago Log.php 2 years ago LogDeleter.php 1 year ago Mail.php 1 year ago Metrics.php 1 year ago NoAccessException.php 2 years ago Nonce.php 1 year ago Notification.php 1 year ago NumberFormatter.php 1 year ago Option.php 1 year ago Period.php 1 year ago Piwik.php 1 year ago Plugin.php 1 year ago Process.php 1 year ago Profiler.php 1 year ago ProxyHeaders.php 2 years ago ProxyHttp.php 1 year ago QuickForm2.php 1 year ago RankingQuery.php 1 year ago ReportRenderer.php 1 year ago Request.php 1 year ago Segment.php 1 year ago Sequence.php 2 years ago Session.php 1 year ago SettingsPiwik.php 1 year ago SettingsServer.php 1 year ago Singleton.php 2 years ago Site.php 1 year ago SiteContentDetector.php 1 year ago SupportedBrowser.php 2 years ago TCPDF.php 1 year ago Theme.php 1 year ago Timer.php 2 years ago Tracker.php 1 year ago Twig.php 1 year ago Unzip.php 1 year ago UpdateCheck.php 1 year ago Updater.php 1 year ago UpdaterErrorException.php 2 years ago Updates.php 1 year ago Url.php 1 year ago UrlHelper.php 1 year ago Version.php 1 year ago View.php 1 year ago bootstrap.php 1 year ago dispatch.php 2 years ago testMinimumPhpVersion.php 2 years ago
Session.php
181 lines
1 <?php
2
3 /**
4 * Matomo - free/libre analytics platform
5 *
6 * @link https://matomo.org
7 * @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
8 */
9 namespace Piwik;
10
11 use Exception;
12 use Piwik\Container\StaticContainer;
13 use Piwik\Exception\MissingFilePermissionException;
14 use Piwik\Plugins\Overlay\Overlay;
15 use Piwik\Session\SaveHandler\DbTable;
16 use Piwik\Log\LoggerInterface;
17 use Zend_Session;
18 /**
19 * Session initialization.
20 */
21 class Session extends Zend_Session
22 {
23 public const SESSION_NAME = 'MATOMO_SESSID';
24 public static $sessionName = self::SESSION_NAME;
25 protected static $sessionStarted = \false;
26 /**
27 * Start the session
28 *
29 * @param array|bool $options An array of configuration options; the auto-start (bool) setting is ignored
30 * @return void
31 * @throws Exception if starting a session fails
32 */
33 public static function start($options = \false)
34 {
35 if (headers_sent() || self::$sessionStarted || defined('PIWIK_ENABLE_SESSION_START') && !PIWIK_ENABLE_SESSION_START || session_status() == \PHP_SESSION_ACTIVE) {
36 return;
37 }
38 self::$sessionStarted = \true;
39 if (defined('PIWIK_SESSION_NAME')) {
40 self::$sessionName = PIWIK_SESSION_NAME;
41 }
42 $config = \Piwik\Config::getInstance();
43 // use cookies to store session id on the client side
44 @ini_set('session.use_cookies', '1');
45 // prevent attacks involving session ids passed in URLs
46 @ini_set('session.use_only_cookies', '1');
47 // advise browser that session cookie should only be sent over secure connection
48 if (\Piwik\ProxyHttp::isHttps()) {
49 @ini_set('session.cookie_secure', '1');
50 }
51 // advise browser that session cookie should only be accessible through the HTTP protocol (i.e., not JavaScript)
52 @ini_set('session.cookie_httponly', '1');
53 // don't use the default: PHPSESSID
54 @ini_set('session.name', self::$sessionName);
55 // proxies may cause the referer check to fail and
56 // incorrectly invalidate the session
57 @ini_set('session.referer_check', '');
58 // to preserve previous behavior matomo_auth provided when it contained a token_auth, we ensure
59 // the session data won't be deleted until the cookie expires.
60 @ini_set('session.gc_maxlifetime', $config->General['login_cookie_expire']);
61 @ini_set('session.cookie_path', empty($config->General['login_cookie_path']) ? '/' : $config->General['login_cookie_path']);
62 $currentSaveHandler = ini_get('session.save_handler');
63 if (!\Piwik\SettingsPiwik::isMatomoInstalled()) {
64 // Note: this handler doesn't work well in load-balanced environments and may have a concurrency issue with locked session files
65 // for "files", use our own folder to prevent local session file hijacking
66 $sessionPath = self::getSessionsDirectory();
67 // We always call mkdir since it also chmods the directory which might help when permissions were reverted for some reasons
68 \Piwik\Filesystem::mkdir($sessionPath);
69 @ini_set('session.save_handler', 'files');
70 @ini_set('session.save_path', $sessionPath);
71 } else {
72 // as of Matomo 3.7.0 we only support files session handler during installation
73 // We consider these to be misconfigurations, in that:
74 // - user - we can't verify that user-defined session handler functions have already been set via session_set_save_handler()
75 // - mm - this handler is not recommended, unsupported, not available for Windows, and has a potential concurrency issue
76 if (@ini_get('session.serialize_handler') !== 'php_serialize') {
77 @ini_set('session.serialize_handler', 'php_serialize');
78 }
79 $config = self::getDbTableConfig();
80 $saveHandler = new DbTable($config);
81 if ($saveHandler) {
82 self::setSaveHandler($saveHandler);
83 }
84 }
85 // set garbage collection according to user preferences (on by default)
86 @ini_set('session.gc_probability', \Piwik\Config::getInstance()->General['session_gc_probability']);
87 try {
88 parent::start();
89 register_shutdown_function(array('Zend_Session', 'writeClose'), \true);
90 } catch (Exception $e) {
91 StaticContainer::get(LoggerInterface::class)->error('Unable to start session: {exception}', ['exception' => $e, 'ignoreInScreenWriter' => \true]);
92 if (\Piwik\SettingsPiwik::isMatomoInstalled()) {
93 $pathToSessions = '';
94 } else {
95 $pathToSessions = \Piwik\Filechecks::getErrorMessageMissingPermissions(self::getSessionsDirectory());
96 }
97 $message = sprintf("Error: %s %s\n<pre>Debug: the original error was \n%s</pre>", \Piwik\Piwik::translate('General_ExceptionUnableToStartSession'), $pathToSessions, $e->getMessage());
98 $ex = new MissingFilePermissionException($message, $e->getCode(), $e);
99 $ex->setIsHtmlMessage();
100 throw $ex;
101 }
102 }
103 /**
104 * Returns the directory session files are stored in.
105 *
106 * @return string
107 */
108 public static function getSessionsDirectory()
109 {
110 return StaticContainer::get('path.tmp') . '/sessions';
111 }
112 public static function close()
113 {
114 if (self::isSessionStarted()) {
115 // only write/close session if the session was actually started by us
116 // otherwise we will set the session values to base64 encoded and whoever the session started might not expect the values in that way
117 parent::writeClose();
118 }
119 }
120 public static function isSessionStarted()
121 {
122 return self::$sessionStarted;
123 }
124 public static function getSameSiteCookieValue()
125 {
126 $config = \Piwik\Config::getInstance();
127 $general = $config->General;
128 $module = \Piwik\Piwik::getModule();
129 $action = \Piwik\Piwik::getAction();
130 $method = \Piwik\Common::getRequestVar('method', '', 'string');
131 $referer = \Piwik\Url::getReferrer();
132 $isOptOutRequest = $module == 'CoreAdminHome' && ($action == 'optOut' || $action == 'optOutJS');
133 $shouldUseNone = !empty($general['enable_framed_pages']) || $isOptOutRequest || Overlay::isOverlayRequest($module, $action, $method, $referer);
134 if ($shouldUseNone && \Piwik\ProxyHttp::isHttps()) {
135 return 'None';
136 }
137 return 'Lax';
138 }
139 /**
140 * Write cookie header. Similar to the native setcookie() function but also supports
141 * the SameSite cookie property.
142 * @param $name
143 * @param $value
144 * @param int $expires
145 * @param string $path
146 * @param string $domain
147 * @param bool $secure
148 * @param bool $httpOnly
149 * @param string $sameSite
150 * @return string
151 */
152 public static function writeCookie($name, $value, $expires = 0, $path = '/', $domain = '/', $secure = \false, $httpOnly = \false, $sameSite = 'lax')
153 {
154 $headerStr = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value);
155 if ($expires) {
156 $headerStr .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT';
157 }
158 if ($path) {
159 $headerStr .= '; path=' . $path;
160 }
161 if ($domain) {
162 $headerStr .= '; domain=' . rawurlencode($domain);
163 }
164 if ($secure) {
165 $headerStr .= '; secure';
166 }
167 if ($httpOnly) {
168 $headerStr .= '; httponly';
169 }
170 if ($sameSite) {
171 $headerStr .= '; SameSite=' . $sameSite;
172 }
173 \Piwik\Common::sendHeader($headerStr);
174 return $headerStr;
175 }
176 public static function getDbTableConfig()
177 {
178 return array('name' => \Piwik\Common::prefixTable(DbTable::TABLE_NAME), 'primary' => 'id', 'modifiedColumn' => 'modified', 'dataColumn' => 'data', 'lifetimeColumn' => 'lifetime');
179 }
180 }
181