API
1 year ago
Access
1 year ago
Application
1 year ago
Archive
1 year ago
ArchiveProcessor
1 year ago
Archiver
2 years ago
AssetManager
1 year ago
Auth
1 year ago
Category
2 years ago
Changes
1 year ago
CliMulti
1 year ago
Columns
1 year ago
Concurrency
1 year ago
Config
1 year ago
Container
1 year ago
CronArchive
1 year ago
DataAccess
1 year ago
DataFiles
2 years ago
DataTable
1 year ago
Db
1 year ago
DeviceDetector
1 year ago
Email
2 years ago
Exception
1 year ago
Http
1 year ago
Intl
1 year ago
Log
2 years ago
Mail
1 year ago
Measurable
1 year ago
Menu
1 year ago
Metrics
1 year ago
Notification
1 year ago
Period
1 year ago
Plugin
1 year ago
ProfessionalServices
1 year ago
Report
1 year ago
ReportRenderer
1 year ago
Scheduler
1 year ago
Segment
1 year ago
Session
1 year ago
Settings
1 year ago
Tracker
1 year ago
Translation
1 year ago
Twig
1 year ago
UpdateCheck
1 year ago
Updater
1 year ago
Updates
1 year ago
Validators
1 year ago
View
1 year ago
ViewDataTable
1 year ago
Visualization
1 year ago
Widget
1 year ago
.htaccess
2 years ago
Access.php
1 year ago
Archive.php
1 year ago
ArchiveProcessor.php
1 year ago
AssetManager.php
1 year ago
Auth.php
2 years ago
AuthResult.php
2 years ago
BaseFactory.php
2 years ago
Cache.php
2 years ago
CacheId.php
1 year ago
CliMulti.php
1 year ago
Common.php
1 year ago
Config.php
1 year ago
Console.php
1 year ago
Context.php
2 years ago
Cookie.php
1 year ago
CronArchive.php
1 year ago
DI.php
1 year ago
DataArray.php
1 year ago
DataTable.php
1 year ago
Date.php
1 year ago
Db.php
1 year ago
DbHelper.php
1 year ago
Development.php
1 year ago
ErrorHandler.php
1 year ago
EventDispatcher.php
1 year ago
ExceptionHandler.php
1 year ago
FileIntegrity.php
1 year ago
Filechecks.php
1 year ago
Filesystem.php
1 year ago
FrontController.php
1 year ago
Http.php
1 year ago
IP.php
1 year ago
Log.php
2 years ago
LogDeleter.php
1 year ago
Mail.php
1 year ago
Metrics.php
1 year ago
NoAccessException.php
2 years ago
Nonce.php
1 year ago
Notification.php
1 year ago
NumberFormatter.php
1 year ago
Option.php
1 year ago
Period.php
1 year ago
Piwik.php
1 year ago
Plugin.php
1 year ago
Process.php
1 year ago
Profiler.php
1 year ago
ProxyHeaders.php
2 years ago
ProxyHttp.php
1 year ago
QuickForm2.php
1 year ago
RankingQuery.php
1 year ago
ReportRenderer.php
1 year ago
Request.php
1 year ago
Segment.php
1 year ago
Sequence.php
2 years ago
Session.php
1 year ago
SettingsPiwik.php
1 year ago
SettingsServer.php
1 year ago
Singleton.php
2 years ago
Site.php
1 year ago
SiteContentDetector.php
1 year ago
SupportedBrowser.php
2 years ago
TCPDF.php
1 year ago
Theme.php
1 year ago
Timer.php
2 years ago
Tracker.php
1 year ago
Twig.php
1 year ago
Unzip.php
1 year ago
UpdateCheck.php
1 year ago
Updater.php
1 year ago
UpdaterErrorException.php
2 years ago
Updates.php
1 year ago
Url.php
1 year ago
UrlHelper.php
1 year ago
Version.php
1 year ago
View.php
1 year ago
bootstrap.php
1 year ago
dispatch.php
2 years ago
testMinimumPhpVersion.php
2 years ago
Session.php
181 lines
| 1 | <?php |
| 2 | |
| 3 | /** |
| 4 | * Matomo - free/libre analytics platform |
| 5 | * |
| 6 | * @link https://matomo.org |
| 7 | * @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later |
| 8 | */ |
| 9 | namespace Piwik; |
| 10 | |
| 11 | use Exception; |
| 12 | use Piwik\Container\StaticContainer; |
| 13 | use Piwik\Exception\MissingFilePermissionException; |
| 14 | use Piwik\Plugins\Overlay\Overlay; |
| 15 | use Piwik\Session\SaveHandler\DbTable; |
| 16 | use Piwik\Log\LoggerInterface; |
| 17 | use Zend_Session; |
| 18 | /** |
| 19 | * Session initialization. |
| 20 | */ |
| 21 | class Session extends Zend_Session |
| 22 | { |
| 23 | public const SESSION_NAME = 'MATOMO_SESSID'; |
| 24 | public static $sessionName = self::SESSION_NAME; |
| 25 | protected static $sessionStarted = \false; |
| 26 | /** |
| 27 | * Start the session |
| 28 | * |
| 29 | * @param array|bool $options An array of configuration options; the auto-start (bool) setting is ignored |
| 30 | * @return void |
| 31 | * @throws Exception if starting a session fails |
| 32 | */ |
| 33 | public static function start($options = \false) |
| 34 | { |
| 35 | if (headers_sent() || self::$sessionStarted || defined('PIWIK_ENABLE_SESSION_START') && !PIWIK_ENABLE_SESSION_START || session_status() == \PHP_SESSION_ACTIVE) { |
| 36 | return; |
| 37 | } |
| 38 | self::$sessionStarted = \true; |
| 39 | if (defined('PIWIK_SESSION_NAME')) { |
| 40 | self::$sessionName = PIWIK_SESSION_NAME; |
| 41 | } |
| 42 | $config = \Piwik\Config::getInstance(); |
| 43 | // use cookies to store session id on the client side |
| 44 | @ini_set('session.use_cookies', '1'); |
| 45 | // prevent attacks involving session ids passed in URLs |
| 46 | @ini_set('session.use_only_cookies', '1'); |
| 47 | // advise browser that session cookie should only be sent over secure connection |
| 48 | if (\Piwik\ProxyHttp::isHttps()) { |
| 49 | @ini_set('session.cookie_secure', '1'); |
| 50 | } |
| 51 | // advise browser that session cookie should only be accessible through the HTTP protocol (i.e., not JavaScript) |
| 52 | @ini_set('session.cookie_httponly', '1'); |
| 53 | // don't use the default: PHPSESSID |
| 54 | @ini_set('session.name', self::$sessionName); |
| 55 | // proxies may cause the referer check to fail and |
| 56 | // incorrectly invalidate the session |
| 57 | @ini_set('session.referer_check', ''); |
| 58 | // to preserve previous behavior matomo_auth provided when it contained a token_auth, we ensure |
| 59 | // the session data won't be deleted until the cookie expires. |
| 60 | @ini_set('session.gc_maxlifetime', $config->General['login_cookie_expire']); |
| 61 | @ini_set('session.cookie_path', empty($config->General['login_cookie_path']) ? '/' : $config->General['login_cookie_path']); |
| 62 | $currentSaveHandler = ini_get('session.save_handler'); |
| 63 | if (!\Piwik\SettingsPiwik::isMatomoInstalled()) { |
| 64 | // Note: this handler doesn't work well in load-balanced environments and may have a concurrency issue with locked session files |
| 65 | // for "files", use our own folder to prevent local session file hijacking |
| 66 | $sessionPath = self::getSessionsDirectory(); |
| 67 | // We always call mkdir since it also chmods the directory which might help when permissions were reverted for some reasons |
| 68 | \Piwik\Filesystem::mkdir($sessionPath); |
| 69 | @ini_set('session.save_handler', 'files'); |
| 70 | @ini_set('session.save_path', $sessionPath); |
| 71 | } else { |
| 72 | // as of Matomo 3.7.0 we only support files session handler during installation |
| 73 | // We consider these to be misconfigurations, in that: |
| 74 | // - user - we can't verify that user-defined session handler functions have already been set via session_set_save_handler() |
| 75 | // - mm - this handler is not recommended, unsupported, not available for Windows, and has a potential concurrency issue |
| 76 | if (@ini_get('session.serialize_handler') !== 'php_serialize') { |
| 77 | @ini_set('session.serialize_handler', 'php_serialize'); |
| 78 | } |
| 79 | $config = self::getDbTableConfig(); |
| 80 | $saveHandler = new DbTable($config); |
| 81 | if ($saveHandler) { |
| 82 | self::setSaveHandler($saveHandler); |
| 83 | } |
| 84 | } |
| 85 | // set garbage collection according to user preferences (on by default) |
| 86 | @ini_set('session.gc_probability', \Piwik\Config::getInstance()->General['session_gc_probability']); |
| 87 | try { |
| 88 | parent::start(); |
| 89 | register_shutdown_function(array('Zend_Session', 'writeClose'), \true); |
| 90 | } catch (Exception $e) { |
| 91 | StaticContainer::get(LoggerInterface::class)->error('Unable to start session: {exception}', ['exception' => $e, 'ignoreInScreenWriter' => \true]); |
| 92 | if (\Piwik\SettingsPiwik::isMatomoInstalled()) { |
| 93 | $pathToSessions = ''; |
| 94 | } else { |
| 95 | $pathToSessions = \Piwik\Filechecks::getErrorMessageMissingPermissions(self::getSessionsDirectory()); |
| 96 | } |
| 97 | $message = sprintf("Error: %s %s\n<pre>Debug: the original error was \n%s</pre>", \Piwik\Piwik::translate('General_ExceptionUnableToStartSession'), $pathToSessions, $e->getMessage()); |
| 98 | $ex = new MissingFilePermissionException($message, $e->getCode(), $e); |
| 99 | $ex->setIsHtmlMessage(); |
| 100 | throw $ex; |
| 101 | } |
| 102 | } |
| 103 | /** |
| 104 | * Returns the directory session files are stored in. |
| 105 | * |
| 106 | * @return string |
| 107 | */ |
| 108 | public static function getSessionsDirectory() |
| 109 | { |
| 110 | return StaticContainer::get('path.tmp') . '/sessions'; |
| 111 | } |
| 112 | public static function close() |
| 113 | { |
| 114 | if (self::isSessionStarted()) { |
| 115 | // only write/close session if the session was actually started by us |
| 116 | // otherwise we will set the session values to base64 encoded and whoever the session started might not expect the values in that way |
| 117 | parent::writeClose(); |
| 118 | } |
| 119 | } |
| 120 | public static function isSessionStarted() |
| 121 | { |
| 122 | return self::$sessionStarted; |
| 123 | } |
| 124 | public static function getSameSiteCookieValue() |
| 125 | { |
| 126 | $config = \Piwik\Config::getInstance(); |
| 127 | $general = $config->General; |
| 128 | $module = \Piwik\Piwik::getModule(); |
| 129 | $action = \Piwik\Piwik::getAction(); |
| 130 | $method = \Piwik\Common::getRequestVar('method', '', 'string'); |
| 131 | $referer = \Piwik\Url::getReferrer(); |
| 132 | $isOptOutRequest = $module == 'CoreAdminHome' && ($action == 'optOut' || $action == 'optOutJS'); |
| 133 | $shouldUseNone = !empty($general['enable_framed_pages']) || $isOptOutRequest || Overlay::isOverlayRequest($module, $action, $method, $referer); |
| 134 | if ($shouldUseNone && \Piwik\ProxyHttp::isHttps()) { |
| 135 | return 'None'; |
| 136 | } |
| 137 | return 'Lax'; |
| 138 | } |
| 139 | /** |
| 140 | * Write cookie header. Similar to the native setcookie() function but also supports |
| 141 | * the SameSite cookie property. |
| 142 | * @param $name |
| 143 | * @param $value |
| 144 | * @param int $expires |
| 145 | * @param string $path |
| 146 | * @param string $domain |
| 147 | * @param bool $secure |
| 148 | * @param bool $httpOnly |
| 149 | * @param string $sameSite |
| 150 | * @return string |
| 151 | */ |
| 152 | public static function writeCookie($name, $value, $expires = 0, $path = '/', $domain = '/', $secure = \false, $httpOnly = \false, $sameSite = 'lax') |
| 153 | { |
| 154 | $headerStr = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value); |
| 155 | if ($expires) { |
| 156 | $headerStr .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT'; |
| 157 | } |
| 158 | if ($path) { |
| 159 | $headerStr .= '; path=' . $path; |
| 160 | } |
| 161 | if ($domain) { |
| 162 | $headerStr .= '; domain=' . rawurlencode($domain); |
| 163 | } |
| 164 | if ($secure) { |
| 165 | $headerStr .= '; secure'; |
| 166 | } |
| 167 | if ($httpOnly) { |
| 168 | $headerStr .= '; httponly'; |
| 169 | } |
| 170 | if ($sameSite) { |
| 171 | $headerStr .= '; SameSite=' . $sameSite; |
| 172 | } |
| 173 | \Piwik\Common::sendHeader($headerStr); |
| 174 | return $headerStr; |
| 175 | } |
| 176 | public static function getDbTableConfig() |
| 177 | { |
| 178 | return array('name' => \Piwik\Common::prefixTable(DbTable::TABLE_NAME), 'primary' => 'id', 'modifiedColumn' => 'modified', 'dataColumn' => 'data', 'lifetimeColumn' => 'lifetime'); |
| 179 | } |
| 180 | } |
| 181 |