PluginProbe ʕ •ᴥ•ʔ
Matomo Analytics – Powerful, Privacy-First Insights for WordPress / trunk
Matomo Analytics – Powerful, Privacy-First Insights for WordPress vtrunk
5.11.1 5.11.0 5.10.2 5.10.1 trunk 1.0.2 1.0.3 1.0.4 1.0.5 1.0.6 1.1.0 1.1.1 1.1.2 1.1.3 1.2.0 1.3.0 1.3.1 1.3.2 4.0.0 4.0.1 4.0.2 4.0.3 4.0.4 4.1.0 4.1.1 4.1.2 4.1.3 4.10.0 4.11.0 4.12.0 4.13.0 4.13.2 4.13.3 4.13.4 4.13.5 4.14.0 4.14.1 4.14.2 4.15.0 4.15.1 4.15.2 4.15.3 4.2.0 4.3.0 4.3.1 4.4.1 4.4.2 4.5.0 4.6.0 5.0.1 5.0.2 5.0.3 5.0.4 5.0.5 5.0.6 5.0.7 5.0.8 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.10.0 5.2.0 5.2.1 5.2.2 5.3.0 5.3.1 5.3.2 5.3.3 5.6.0 5.6.1 5.7.0 5.7.1 5.8.0 5.8.1 5.8.2
matomo / app / core / Session.php
matomo / app / core Last commit date
API 1 month ago Access 3 months ago Application 1 month ago Archive 1 month ago ArchiveProcessor 1 month ago Archiver 2 years ago AssetManager 1 month ago Auth 6 months ago Category 6 months ago Changes 1 month ago CliMulti 1 year ago Columns 1 month ago Concurrency 1 month ago Config 1 month ago Container 1 month ago CronArchive 3 months ago DataAccess 1 month ago DataFiles 2 years ago DataTable 2 weeks ago Db 2 weeks ago DeviceDetector 1 year ago Email 2 years ago Exception 4 months ago Http 4 months ago Intl 3 months ago Log 2 years ago Mail 1 year ago Measurable 6 months ago Menu 1 month ago Metrics 3 months ago Notification 6 months ago Period 1 month ago Plugin 2 weeks ago Policy 1 month ago ProfessionalServices 1 year ago Report 1 year ago ReportRenderer 3 months ago Request 3 months ago Scheduler 1 month ago Segment 1 month ago Session 2 weeks ago Settings 1 month ago Tracker 2 weeks ago Translation 1 month ago Twig 1 year ago UpdateCheck 3 months ago Updater 1 month ago Updates 2 days ago Validators 1 year ago View 1 month ago ViewDataTable 2 weeks ago Visualization 1 year ago Widget 1 month ago .htaccess 2 years ago Access.php 1 month ago Archive.php 1 month ago ArchiveProcessor.php 1 month ago AssetManager.php 1 month ago Auth.php 6 months ago AuthResult.php 6 months ago BaseFactory.php 2 years ago Cache.php 2 years ago CacheId.php 4 months ago CliMulti.php 1 month ago Common.php 2 weeks ago Config.php 1 month ago Console.php 3 months ago Context.php 2 years ago Cookie.php 1 year ago CronArchive.php 1 month ago DI.php 3 months ago DataArray.php 1 month ago DataTable.php 1 month ago Date.php 1 month ago Db.php 1 month ago DbHelper.php 1 month ago Development.php 1 year ago ErrorHandler.php 6 months ago EventDispatcher.php 1 month ago ExceptionHandler.php 4 months ago FileIntegrity.php 1 month ago Filechecks.php 1 year ago Filesystem.php 1 month ago FrontController.php 4 months ago Http.php 1 month ago IP.php 1 year ago Log.php 3 months ago LogDeleter.php 1 year ago Mail.php 1 year ago Metrics.php 1 month ago NoAccessException.php 2 years ago Nonce.php 6 months ago Notification.php 1 month ago NumberFormatter.php 5 months ago Option.php 5 months ago Period.php 1 month ago Piwik.php 1 month ago Plugin.php 1 month ago Process.php 1 month ago Profiler.php 6 months ago ProxyHeaders.php 4 months ago ProxyHttp.php 5 months ago QuickForm2.php 3 months ago RankingQuery.php 1 month ago ReportRenderer.php 1 month ago Request.php 1 month ago Segment.php 1 month ago Sequence.php 6 months ago Session.php 2 weeks ago SettingsPiwik.php 1 month ago SettingsServer.php 1 year ago Singleton.php 2 years ago Site.php 1 month ago SiteContentDetector.php 1 month ago SupportedBrowser.php 2 years ago TCPDF.php 1 year ago Theme.php 1 year ago Timer.php 1 month ago Tracker.php 1 month ago Twig.php 1 month ago Unzip.php 1 year ago UpdateCheck.php 1 month ago Updater.php 1 month ago UpdaterErrorException.php 2 years ago Updates.php 3 months ago Url.php 3 months ago UrlHelper.php 1 month ago Version.php 2 days ago View.php 1 month ago bootstrap.php 1 year ago dispatch.php 2 years ago testMinimumPhpVersion.php 6 months ago
Session.php
210 lines
1 <?php
2
3 /**
4 * Matomo - free/libre analytics platform
5 *
6 * @link https://matomo.org
7 * @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
8 */
9 namespace Piwik;
10
11 use Exception;
12 use Piwik\Container\StaticContainer;
13 use Piwik\Exception\MissingFilePermissionException;
14 use Piwik\Plugins\Overlay\Overlay;
15 use Piwik\Session\SaveHandler\DbTable;
16 use Piwik\Log\LoggerInterface;
17 use Piwik\Session\SessionFingerprint;
18 use Zend_Session;
19 /**
20 * Session initialization.
21 */
22 class Session extends Zend_Session
23 {
24 public const SESSION_NAME = 'MATOMO_SESSID';
25 public static $sessionName = self::SESSION_NAME;
26 protected static $sessionStarted = \false;
27 /**
28 * Start the session
29 *
30 * @param array|bool $options An array of configuration options; the auto-start (bool) setting is ignored
31 * @return void
32 * @throws Exception if starting a session fails
33 */
34 public static function start($options = \false)
35 {
36 if (headers_sent() || self::$sessionStarted || defined('PIWIK_ENABLE_SESSION_START') && !PIWIK_ENABLE_SESSION_START || session_status() == \PHP_SESSION_ACTIVE) {
37 return;
38 }
39 self::$sessionStarted = \true;
40 if (defined('PIWIK_SESSION_NAME')) {
41 self::$sessionName = PIWIK_SESSION_NAME;
42 }
43 $config = \Piwik\Config::getInstance();
44 // use cookies to store session id on the client side
45 @ini_set('session.use_cookies', '1');
46 // prevent attacks involving session ids passed in URLs
47 @ini_set('session.use_only_cookies', '1');
48 // advise browser that session cookie should only be sent over secure connection
49 if (\Piwik\ProxyHttp::isHttps()) {
50 @ini_set('session.cookie_secure', '1');
51 }
52 // advise browser that session cookie should only be accessible through the HTTP protocol (i.e., not JavaScript)
53 @ini_set('session.cookie_httponly', '1');
54 // don't use the default: PHPSESSID
55 @ini_set('session.name', self::$sessionName);
56 // proxies may cause the referer check to fail and
57 // incorrectly invalidate the session
58 @ini_set('session.referer_check', '');
59 // to preserve previous behavior matomo_auth provided when it contained a token_auth, we ensure
60 // the session data won't be deleted until the cookie expires.
61 @ini_set('session.gc_maxlifetime', $config->General['login_cookie_expire']);
62 @ini_set('session.cookie_path', empty($config->General['login_cookie_path']) ? '/' : $config->General['login_cookie_path']);
63 $currentSaveHandler = ini_get('session.save_handler');
64 if (!\Piwik\SettingsPiwik::isMatomoInstalled()) {
65 // Note: this handler doesn't work well in load-balanced environments and may have a concurrency issue with locked session files
66 // for "files", use our own folder to prevent local session file hijacking
67 $sessionPath = self::getSessionsDirectory();
68 // We always call mkdir since it also chmods the directory which might help when permissions were reverted for some reasons
69 \Piwik\Filesystem::mkdir($sessionPath);
70 @ini_set('session.save_handler', 'files');
71 @ini_set('session.save_path', $sessionPath);
72 } else {
73 // as of Matomo 3.7.0 we only support files session handler during installation
74 // We consider these to be misconfigurations, in that:
75 // - user - we can't verify that user-defined session handler functions have already been set via session_set_save_handler()
76 // - mm - this handler is not recommended, unsupported, not available for Windows, and has a potential concurrency issue
77 if (@ini_get('session.serialize_handler') !== 'php_serialize') {
78 @ini_set('session.serialize_handler', 'php_serialize');
79 }
80 $config = self::getDbTableConfig();
81 $saveHandler = new DbTable($config);
82 if ($saveHandler) {
83 self::setSaveHandler($saveHandler);
84 }
85 }
86 // set garbage collection according to user preferences (on by default)
87 @ini_set('session.gc_probability', \Piwik\Config::getInstance()->General['session_gc_probability']);
88 try {
89 parent::start();
90 register_shutdown_function(array('Zend_Session', 'writeClose'), \true);
91 } catch (Exception $e) {
92 StaticContainer::get(LoggerInterface::class)->error('Unable to start session: {exception}', ['exception' => $e, 'ignoreInScreenWriter' => \true]);
93 if (\Piwik\SettingsPiwik::isMatomoInstalled()) {
94 $pathToSessions = '';
95 } else {
96 $pathToSessions = \Piwik\Filechecks::getErrorMessageMissingPermissions(self::getSessionsDirectory());
97 }
98 $message = sprintf("Error: %s %s\n<pre>Debug: the original error was \n%s</pre>", \Piwik\Piwik::translate('General_ExceptionUnableToStartSession'), $pathToSessions, $e->getMessage());
99 $ex = new MissingFilePermissionException($message, $e->getCode(), $e);
100 $ex->setIsHtmlMessage();
101 throw $ex;
102 }
103 }
104 /**
105 * Returns the directory session files are stored in.
106 *
107 * @return string
108 */
109 public static function getSessionsDirectory()
110 {
111 return StaticContainer::get('path.tmp') . '/sessions';
112 }
113 public static function close()
114 {
115 if (self::isSessionStarted()) {
116 // only write/close session if the session was actually started by us
117 // otherwise we will set the session values to base64 encoded and whoever the session started might not expect the values in that way
118 parent::writeClose();
119 }
120 }
121 public static function isSessionStarted()
122 {
123 return self::$sessionStarted;
124 }
125 public static function getSameSiteCookieValue()
126 {
127 $config = \Piwik\Config::getInstance();
128 $general = $config->General;
129 $module = \Piwik\Piwik::getModule();
130 $action = \Piwik\Piwik::getAction();
131 $method = \Piwik\Common::getRequestVar('method', '', 'string');
132 $referer = \Piwik\Url::getReferrer();
133 $isOptOutRequest = $module == 'CoreAdminHome' && ($action == 'optOut' || $action == 'optOutJS');
134 $shouldUseNone = !empty($general['enable_framed_pages']) || $isOptOutRequest || Overlay::isOverlayRequest($module, $action, $method, $referer);
135 /** @var bool $shouldUseNoneForcefully */
136 $shouldUseNoneForcefully = \false;
137 /**
138 * Triggered to determine whether the session cookie SameSite value should be forced to None.
139 *
140 * Plugins can set `$shouldUseNoneForcefully` to true when the session cookie needs to be
141 * sent in a third-party context that is not covered by Matomo's built-in iframe, opt-out,
142 * or Overlay detection. The final cookie value is still only set to `None` when the request
143 * is served over HTTPS.
144 *
145 * @param bool &$shouldUseNoneForcefully Set this to true to force the session cookie SameSite value to None.
146 *
147 * @internal
148 *
149 * @example
150 * Piwik::addAction('Session.shouldSendSameSiteCookieAsNoneForcefully', function (&$shouldUseNoneForcefully) {
151 * $shouldUseNoneForcefully = true;
152 * });
153 */
154 \Piwik\Piwik::postEvent('Session.shouldSendSameSiteCookieAsNoneForcefully', [&$shouldUseNoneForcefully]);
155 if (($shouldUseNone || $shouldUseNoneForcefully) && \Piwik\ProxyHttp::isHttps()) {
156 return 'None';
157 }
158 return 'Lax';
159 }
160 /**
161 * Write cookie header. Similar to the native setcookie() function but also supports
162 * the SameSite cookie property.
163 * @param $name
164 * @param $value
165 * @param int $expires
166 * @param string $path
167 * @param string $domain
168 * @param bool $secure
169 * @param bool $httpOnly
170 * @param string $sameSite
171 * @return string
172 */
173 public static function writeCookie($name, $value, $expires = 0, $path = '/', $domain = '/', $secure = \false, $httpOnly = \false, $sameSite = 'lax')
174 {
175 $headerStr = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value);
176 if ($expires) {
177 $headerStr .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT';
178 }
179 if ($path) {
180 $headerStr .= '; path=' . $path;
181 }
182 if ($domain) {
183 $headerStr .= '; domain=' . rawurlencode($domain);
184 }
185 if ($secure) {
186 $headerStr .= '; secure';
187 }
188 if ($httpOnly) {
189 $headerStr .= '; httponly';
190 }
191 if ($sameSite) {
192 $headerStr .= '; SameSite=' . $sameSite;
193 }
194 \Piwik\Common::sendHeader($headerStr);
195 return $headerStr;
196 }
197 public static function getDbTableConfig() : array
198 {
199 return array('name' => \Piwik\Common::prefixTable(DbTable::TABLE_NAME), 'primary' => 'id', 'modifiedColumn' => 'modified', 'dataColumn' => 'data', 'lifetimeColumn' => 'lifetime');
200 }
201 public static function destroyAllSessions() : void
202 {
203 $config = self::getDbTableConfig();
204 $saveHandler = new DbTable($config);
205 $saveHandler->destroyAll();
206 $fingerprint = new SessionFingerprint();
207 $fingerprint->clear();
208 }
209 }
210