PluginProbe ʕ •ᴥ•ʔ
Matomo Analytics – Powerful, Privacy-First Insights for WordPress / 5.8.2
Matomo Analytics – Powerful, Privacy-First Insights for WordPress v5.8.2
5.11.1 5.11.0 5.10.2 5.10.1 trunk 1.0.2 1.0.3 1.0.4 1.0.5 1.0.6 1.1.0 1.1.1 1.1.2 1.1.3 1.2.0 1.3.0 1.3.1 1.3.2 4.0.0 4.0.1 4.0.2 4.0.3 4.0.4 4.1.0 4.1.1 4.1.2 4.1.3 4.10.0 4.11.0 4.12.0 4.13.0 4.13.2 4.13.3 4.13.4 4.13.5 4.14.0 4.14.1 4.14.2 4.15.0 4.15.1 4.15.2 4.15.3 4.2.0 4.3.0 4.3.1 4.4.1 4.4.2 4.5.0 4.6.0 5.0.1 5.0.2 5.0.3 5.0.4 5.0.5 5.0.6 5.0.7 5.0.8 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.10.0 5.2.0 5.2.1 5.2.2 5.3.0 5.3.1 5.3.2 5.3.3 5.6.0 5.6.1 5.7.0 5.7.1 5.8.0 5.8.1 5.8.2
matomo / app / core / Session.php
matomo / app / core Last commit date
API 3 months ago Access 3 months ago Application 3 months ago Archive 3 months ago ArchiveProcessor 3 months ago Archiver 2 years ago AssetManager 3 months ago Auth 6 months ago Category 6 months ago Changes 3 months ago CliMulti 1 year ago Columns 3 months ago Concurrency 3 months ago Config 3 months ago Container 3 months ago CronArchive 3 months ago DataAccess 3 months ago DataFiles 2 years ago DataTable 3 months ago Db 3 months ago DeviceDetector 1 year ago Email 2 years ago Exception 4 months ago Http 4 months ago Intl 3 months ago Log 2 years ago Mail 1 year ago Measurable 6 months ago Menu 3 months ago Metrics 3 months ago Notification 6 months ago Period 3 months ago Plugin 3 months ago Policy 3 months ago ProfessionalServices 1 year ago Report 1 year ago ReportRenderer 3 months ago Request 3 months ago Scheduler 3 months ago Segment 3 months ago Session 3 months ago Settings 3 months ago Tracker 3 months ago Translation 3 months ago Twig 1 year ago UpdateCheck 3 months ago Updater 4 months ago Updates 3 months ago Validators 1 year ago View 6 months ago ViewDataTable 3 months ago Visualization 1 year ago Widget 3 months ago .htaccess 2 years ago Access.php 3 months ago Archive.php 3 months ago ArchiveProcessor.php 4 months ago AssetManager.php 3 months ago Auth.php 6 months ago AuthResult.php 6 months ago BaseFactory.php 2 years ago Cache.php 2 years ago CacheId.php 4 months ago CliMulti.php 3 months ago Common.php 3 months ago Config.php 3 months ago Console.php 3 months ago Context.php 2 years ago Cookie.php 1 year ago CronArchive.php 3 months ago DI.php 3 months ago DataArray.php 5 months ago DataTable.php 3 months ago Date.php 3 months ago Db.php 3 months ago DbHelper.php 3 months ago Development.php 1 year ago ErrorHandler.php 6 months ago EventDispatcher.php 1 year ago ExceptionHandler.php 4 months ago FileIntegrity.php 3 months ago Filechecks.php 1 year ago Filesystem.php 3 months ago FrontController.php 4 months ago Http.php 4 months ago IP.php 1 year ago Log.php 3 months ago LogDeleter.php 1 year ago Mail.php 1 year ago Metrics.php 3 months ago NoAccessException.php 2 years ago Nonce.php 6 months ago Notification.php 6 months ago NumberFormatter.php 5 months ago Option.php 5 months ago Period.php 3 months ago Piwik.php 3 months ago Plugin.php 3 months ago Process.php 1 year ago Profiler.php 6 months ago ProxyHeaders.php 4 months ago ProxyHttp.php 5 months ago QuickForm2.php 3 months ago RankingQuery.php 5 months ago ReportRenderer.php 3 months ago Request.php 3 months ago Segment.php 3 months ago Sequence.php 6 months ago Session.php 3 months ago SettingsPiwik.php 3 months ago SettingsServer.php 1 year ago Singleton.php 2 years ago Site.php 4 months ago SiteContentDetector.php 3 months ago SupportedBrowser.php 2 years ago TCPDF.php 1 year ago Theme.php 1 year ago Timer.php 2 years ago Tracker.php 3 months ago Twig.php 3 months ago Unzip.php 1 year ago UpdateCheck.php 3 months ago Updater.php 3 months ago UpdaterErrorException.php 2 years ago Updates.php 3 months ago Url.php 3 months ago UrlHelper.php 3 months ago Version.php 3 months ago View.php 3 months ago bootstrap.php 1 year ago dispatch.php 2 years ago testMinimumPhpVersion.php 6 months ago
Session.php
190 lines
1 <?php
2
3 /**
4 * Matomo - free/libre analytics platform
5 *
6 * @link https://matomo.org
7 * @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
8 */
9 namespace Piwik;
10
11 use Exception;
12 use Piwik\Container\StaticContainer;
13 use Piwik\Exception\MissingFilePermissionException;
14 use Piwik\Plugins\Overlay\Overlay;
15 use Piwik\Session\SaveHandler\DbTable;
16 use Piwik\Log\LoggerInterface;
17 use Piwik\Session\SessionFingerprint;
18 use Zend_Session;
19 /**
20 * Session initialization.
21 */
22 class Session extends Zend_Session
23 {
24 public const SESSION_NAME = 'MATOMO_SESSID';
25 public static $sessionName = self::SESSION_NAME;
26 protected static $sessionStarted = \false;
27 /**
28 * Start the session
29 *
30 * @param array|bool $options An array of configuration options; the auto-start (bool) setting is ignored
31 * @return void
32 * @throws Exception if starting a session fails
33 */
34 public static function start($options = \false)
35 {
36 if (headers_sent() || self::$sessionStarted || defined('PIWIK_ENABLE_SESSION_START') && !PIWIK_ENABLE_SESSION_START || session_status() == \PHP_SESSION_ACTIVE) {
37 return;
38 }
39 self::$sessionStarted = \true;
40 if (defined('PIWIK_SESSION_NAME')) {
41 self::$sessionName = PIWIK_SESSION_NAME;
42 }
43 $config = \Piwik\Config::getInstance();
44 // use cookies to store session id on the client side
45 @ini_set('session.use_cookies', '1');
46 // prevent attacks involving session ids passed in URLs
47 @ini_set('session.use_only_cookies', '1');
48 // advise browser that session cookie should only be sent over secure connection
49 if (\Piwik\ProxyHttp::isHttps()) {
50 @ini_set('session.cookie_secure', '1');
51 }
52 // advise browser that session cookie should only be accessible through the HTTP protocol (i.e., not JavaScript)
53 @ini_set('session.cookie_httponly', '1');
54 // don't use the default: PHPSESSID
55 @ini_set('session.name', self::$sessionName);
56 // proxies may cause the referer check to fail and
57 // incorrectly invalidate the session
58 @ini_set('session.referer_check', '');
59 // to preserve previous behavior matomo_auth provided when it contained a token_auth, we ensure
60 // the session data won't be deleted until the cookie expires.
61 @ini_set('session.gc_maxlifetime', $config->General['login_cookie_expire']);
62 @ini_set('session.cookie_path', empty($config->General['login_cookie_path']) ? '/' : $config->General['login_cookie_path']);
63 $currentSaveHandler = ini_get('session.save_handler');
64 if (!\Piwik\SettingsPiwik::isMatomoInstalled()) {
65 // Note: this handler doesn't work well in load-balanced environments and may have a concurrency issue with locked session files
66 // for "files", use our own folder to prevent local session file hijacking
67 $sessionPath = self::getSessionsDirectory();
68 // We always call mkdir since it also chmods the directory which might help when permissions were reverted for some reasons
69 \Piwik\Filesystem::mkdir($sessionPath);
70 @ini_set('session.save_handler', 'files');
71 @ini_set('session.save_path', $sessionPath);
72 } else {
73 // as of Matomo 3.7.0 we only support files session handler during installation
74 // We consider these to be misconfigurations, in that:
75 // - user - we can't verify that user-defined session handler functions have already been set via session_set_save_handler()
76 // - mm - this handler is not recommended, unsupported, not available for Windows, and has a potential concurrency issue
77 if (@ini_get('session.serialize_handler') !== 'php_serialize') {
78 @ini_set('session.serialize_handler', 'php_serialize');
79 }
80 $config = self::getDbTableConfig();
81 $saveHandler = new DbTable($config);
82 if ($saveHandler) {
83 self::setSaveHandler($saveHandler);
84 }
85 }
86 // set garbage collection according to user preferences (on by default)
87 @ini_set('session.gc_probability', \Piwik\Config::getInstance()->General['session_gc_probability']);
88 try {
89 parent::start();
90 register_shutdown_function(array('Zend_Session', 'writeClose'), \true);
91 } catch (Exception $e) {
92 StaticContainer::get(LoggerInterface::class)->error('Unable to start session: {exception}', ['exception' => $e, 'ignoreInScreenWriter' => \true]);
93 if (\Piwik\SettingsPiwik::isMatomoInstalled()) {
94 $pathToSessions = '';
95 } else {
96 $pathToSessions = \Piwik\Filechecks::getErrorMessageMissingPermissions(self::getSessionsDirectory());
97 }
98 $message = sprintf("Error: %s %s\n<pre>Debug: the original error was \n%s</pre>", \Piwik\Piwik::translate('General_ExceptionUnableToStartSession'), $pathToSessions, $e->getMessage());
99 $ex = new MissingFilePermissionException($message, $e->getCode(), $e);
100 $ex->setIsHtmlMessage();
101 throw $ex;
102 }
103 }
104 /**
105 * Returns the directory session files are stored in.
106 *
107 * @return string
108 */
109 public static function getSessionsDirectory()
110 {
111 return StaticContainer::get('path.tmp') . '/sessions';
112 }
113 public static function close()
114 {
115 if (self::isSessionStarted()) {
116 // only write/close session if the session was actually started by us
117 // otherwise we will set the session values to base64 encoded and whoever the session started might not expect the values in that way
118 parent::writeClose();
119 }
120 }
121 public static function isSessionStarted()
122 {
123 return self::$sessionStarted;
124 }
125 public static function getSameSiteCookieValue()
126 {
127 $config = \Piwik\Config::getInstance();
128 $general = $config->General;
129 $module = \Piwik\Piwik::getModule();
130 $action = \Piwik\Piwik::getAction();
131 $method = \Piwik\Common::getRequestVar('method', '', 'string');
132 $referer = \Piwik\Url::getReferrer();
133 $isOptOutRequest = $module == 'CoreAdminHome' && ($action == 'optOut' || $action == 'optOutJS');
134 $shouldUseNone = !empty($general['enable_framed_pages']) || $isOptOutRequest || Overlay::isOverlayRequest($module, $action, $method, $referer);
135 if ($shouldUseNone && \Piwik\ProxyHttp::isHttps()) {
136 return 'None';
137 }
138 return 'Lax';
139 }
140 /**
141 * Write cookie header. Similar to the native setcookie() function but also supports
142 * the SameSite cookie property.
143 * @param $name
144 * @param $value
145 * @param int $expires
146 * @param string $path
147 * @param string $domain
148 * @param bool $secure
149 * @param bool $httpOnly
150 * @param string $sameSite
151 * @return string
152 */
153 public static function writeCookie($name, $value, $expires = 0, $path = '/', $domain = '/', $secure = \false, $httpOnly = \false, $sameSite = 'lax')
154 {
155 $headerStr = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value);
156 if ($expires) {
157 $headerStr .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT';
158 }
159 if ($path) {
160 $headerStr .= '; path=' . $path;
161 }
162 if ($domain) {
163 $headerStr .= '; domain=' . rawurlencode($domain);
164 }
165 if ($secure) {
166 $headerStr .= '; secure';
167 }
168 if ($httpOnly) {
169 $headerStr .= '; httponly';
170 }
171 if ($sameSite) {
172 $headerStr .= '; SameSite=' . $sameSite;
173 }
174 \Piwik\Common::sendHeader($headerStr);
175 return $headerStr;
176 }
177 public static function getDbTableConfig() : array
178 {
179 return array('name' => \Piwik\Common::prefixTable(DbTable::TABLE_NAME), 'primary' => 'id', 'modifiedColumn' => 'modified', 'dataColumn' => 'data', 'lifetimeColumn' => 'lifetime');
180 }
181 public static function destroyAllSessions() : void
182 {
183 $config = self::getDbTableConfig();
184 $saveHandler = new DbTable($config);
185 $saveHandler->destroyAll();
186 $fingerprint = new SessionFingerprint();
187 $fingerprint->clear();
188 }
189 }
190