API
1 month ago
Access
3 months ago
Application
1 month ago
Archive
1 month ago
ArchiveProcessor
1 month ago
Archiver
2 years ago
AssetManager
1 month ago
Auth
6 months ago
Category
6 months ago
Changes
1 month ago
CliMulti
1 year ago
Columns
1 month ago
Concurrency
1 month ago
Config
1 month ago
Container
1 month ago
CronArchive
3 months ago
DataAccess
1 month ago
DataFiles
2 years ago
DataTable
2 weeks ago
Db
2 weeks ago
DeviceDetector
1 year ago
Email
2 years ago
Exception
4 months ago
Http
4 months ago
Intl
3 months ago
Log
2 years ago
Mail
1 year ago
Measurable
6 months ago
Menu
1 month ago
Metrics
3 months ago
Notification
6 months ago
Period
1 month ago
Plugin
2 weeks ago
Policy
1 month ago
ProfessionalServices
1 year ago
Report
1 year ago
ReportRenderer
3 months ago
Request
3 months ago
Scheduler
1 month ago
Segment
1 month ago
Session
2 weeks ago
Settings
1 month ago
Tracker
2 weeks ago
Translation
1 month ago
Twig
1 year ago
UpdateCheck
3 months ago
Updater
1 month ago
Updates
2 days ago
Validators
1 year ago
View
1 month ago
ViewDataTable
2 weeks ago
Visualization
1 year ago
Widget
1 month ago
.htaccess
2 years ago
Access.php
1 month ago
Archive.php
1 month ago
ArchiveProcessor.php
1 month ago
AssetManager.php
1 month ago
Auth.php
6 months ago
AuthResult.php
6 months ago
BaseFactory.php
2 years ago
Cache.php
2 years ago
CacheId.php
4 months ago
CliMulti.php
1 month ago
Common.php
2 weeks ago
Config.php
1 month ago
Console.php
3 months ago
Context.php
2 years ago
Cookie.php
1 year ago
CronArchive.php
1 month ago
DI.php
3 months ago
DataArray.php
1 month ago
DataTable.php
1 month ago
Date.php
1 month ago
Db.php
1 month ago
DbHelper.php
1 month ago
Development.php
1 year ago
ErrorHandler.php
6 months ago
EventDispatcher.php
1 month ago
ExceptionHandler.php
4 months ago
FileIntegrity.php
1 month ago
Filechecks.php
1 year ago
Filesystem.php
1 month ago
FrontController.php
4 months ago
Http.php
1 month ago
IP.php
1 year ago
Log.php
3 months ago
LogDeleter.php
1 year ago
Mail.php
1 year ago
Metrics.php
1 month ago
NoAccessException.php
2 years ago
Nonce.php
6 months ago
Notification.php
1 month ago
NumberFormatter.php
5 months ago
Option.php
5 months ago
Period.php
1 month ago
Piwik.php
1 month ago
Plugin.php
1 month ago
Process.php
1 month ago
Profiler.php
6 months ago
ProxyHeaders.php
4 months ago
ProxyHttp.php
5 months ago
QuickForm2.php
3 months ago
RankingQuery.php
1 month ago
ReportRenderer.php
1 month ago
Request.php
1 month ago
Segment.php
1 month ago
Sequence.php
6 months ago
Session.php
2 weeks ago
SettingsPiwik.php
1 month ago
SettingsServer.php
1 year ago
Singleton.php
2 years ago
Site.php
1 month ago
SiteContentDetector.php
1 month ago
SupportedBrowser.php
2 years ago
TCPDF.php
1 year ago
Theme.php
1 year ago
Timer.php
1 month ago
Tracker.php
1 month ago
Twig.php
1 month ago
Unzip.php
1 year ago
UpdateCheck.php
1 month ago
Updater.php
1 month ago
UpdaterErrorException.php
2 years ago
Updates.php
3 months ago
Url.php
3 months ago
UrlHelper.php
1 month ago
Version.php
2 days ago
View.php
1 month ago
bootstrap.php
1 year ago
dispatch.php
2 years ago
testMinimumPhpVersion.php
6 months ago
Session.php
210 lines
| 1 | <?php |
| 2 | |
| 3 | /** |
| 4 | * Matomo - free/libre analytics platform |
| 5 | * |
| 6 | * @link https://matomo.org |
| 7 | * @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later |
| 8 | */ |
| 9 | namespace Piwik; |
| 10 | |
| 11 | use Exception; |
| 12 | use Piwik\Container\StaticContainer; |
| 13 | use Piwik\Exception\MissingFilePermissionException; |
| 14 | use Piwik\Plugins\Overlay\Overlay; |
| 15 | use Piwik\Session\SaveHandler\DbTable; |
| 16 | use Piwik\Log\LoggerInterface; |
| 17 | use Piwik\Session\SessionFingerprint; |
| 18 | use Zend_Session; |
| 19 | /** |
| 20 | * Session initialization. |
| 21 | */ |
| 22 | class Session extends Zend_Session |
| 23 | { |
| 24 | public const SESSION_NAME = 'MATOMO_SESSID'; |
| 25 | public static $sessionName = self::SESSION_NAME; |
| 26 | protected static $sessionStarted = \false; |
| 27 | /** |
| 28 | * Start the session |
| 29 | * |
| 30 | * @param array|bool $options An array of configuration options; the auto-start (bool) setting is ignored |
| 31 | * @return void |
| 32 | * @throws Exception if starting a session fails |
| 33 | */ |
| 34 | public static function start($options = \false) |
| 35 | { |
| 36 | if (headers_sent() || self::$sessionStarted || defined('PIWIK_ENABLE_SESSION_START') && !PIWIK_ENABLE_SESSION_START || session_status() == \PHP_SESSION_ACTIVE) { |
| 37 | return; |
| 38 | } |
| 39 | self::$sessionStarted = \true; |
| 40 | if (defined('PIWIK_SESSION_NAME')) { |
| 41 | self::$sessionName = PIWIK_SESSION_NAME; |
| 42 | } |
| 43 | $config = \Piwik\Config::getInstance(); |
| 44 | // use cookies to store session id on the client side |
| 45 | @ini_set('session.use_cookies', '1'); |
| 46 | // prevent attacks involving session ids passed in URLs |
| 47 | @ini_set('session.use_only_cookies', '1'); |
| 48 | // advise browser that session cookie should only be sent over secure connection |
| 49 | if (\Piwik\ProxyHttp::isHttps()) { |
| 50 | @ini_set('session.cookie_secure', '1'); |
| 51 | } |
| 52 | // advise browser that session cookie should only be accessible through the HTTP protocol (i.e., not JavaScript) |
| 53 | @ini_set('session.cookie_httponly', '1'); |
| 54 | // don't use the default: PHPSESSID |
| 55 | @ini_set('session.name', self::$sessionName); |
| 56 | // proxies may cause the referer check to fail and |
| 57 | // incorrectly invalidate the session |
| 58 | @ini_set('session.referer_check', ''); |
| 59 | // to preserve previous behavior matomo_auth provided when it contained a token_auth, we ensure |
| 60 | // the session data won't be deleted until the cookie expires. |
| 61 | @ini_set('session.gc_maxlifetime', $config->General['login_cookie_expire']); |
| 62 | @ini_set('session.cookie_path', empty($config->General['login_cookie_path']) ? '/' : $config->General['login_cookie_path']); |
| 63 | $currentSaveHandler = ini_get('session.save_handler'); |
| 64 | if (!\Piwik\SettingsPiwik::isMatomoInstalled()) { |
| 65 | // Note: this handler doesn't work well in load-balanced environments and may have a concurrency issue with locked session files |
| 66 | // for "files", use our own folder to prevent local session file hijacking |
| 67 | $sessionPath = self::getSessionsDirectory(); |
| 68 | // We always call mkdir since it also chmods the directory which might help when permissions were reverted for some reasons |
| 69 | \Piwik\Filesystem::mkdir($sessionPath); |
| 70 | @ini_set('session.save_handler', 'files'); |
| 71 | @ini_set('session.save_path', $sessionPath); |
| 72 | } else { |
| 73 | // as of Matomo 3.7.0 we only support files session handler during installation |
| 74 | // We consider these to be misconfigurations, in that: |
| 75 | // - user - we can't verify that user-defined session handler functions have already been set via session_set_save_handler() |
| 76 | // - mm - this handler is not recommended, unsupported, not available for Windows, and has a potential concurrency issue |
| 77 | if (@ini_get('session.serialize_handler') !== 'php_serialize') { |
| 78 | @ini_set('session.serialize_handler', 'php_serialize'); |
| 79 | } |
| 80 | $config = self::getDbTableConfig(); |
| 81 | $saveHandler = new DbTable($config); |
| 82 | if ($saveHandler) { |
| 83 | self::setSaveHandler($saveHandler); |
| 84 | } |
| 85 | } |
| 86 | // set garbage collection according to user preferences (on by default) |
| 87 | @ini_set('session.gc_probability', \Piwik\Config::getInstance()->General['session_gc_probability']); |
| 88 | try { |
| 89 | parent::start(); |
| 90 | register_shutdown_function(array('Zend_Session', 'writeClose'), \true); |
| 91 | } catch (Exception $e) { |
| 92 | StaticContainer::get(LoggerInterface::class)->error('Unable to start session: {exception}', ['exception' => $e, 'ignoreInScreenWriter' => \true]); |
| 93 | if (\Piwik\SettingsPiwik::isMatomoInstalled()) { |
| 94 | $pathToSessions = ''; |
| 95 | } else { |
| 96 | $pathToSessions = \Piwik\Filechecks::getErrorMessageMissingPermissions(self::getSessionsDirectory()); |
| 97 | } |
| 98 | $message = sprintf("Error: %s %s\n<pre>Debug: the original error was \n%s</pre>", \Piwik\Piwik::translate('General_ExceptionUnableToStartSession'), $pathToSessions, $e->getMessage()); |
| 99 | $ex = new MissingFilePermissionException($message, $e->getCode(), $e); |
| 100 | $ex->setIsHtmlMessage(); |
| 101 | throw $ex; |
| 102 | } |
| 103 | } |
| 104 | /** |
| 105 | * Returns the directory session files are stored in. |
| 106 | * |
| 107 | * @return string |
| 108 | */ |
| 109 | public static function getSessionsDirectory() |
| 110 | { |
| 111 | return StaticContainer::get('path.tmp') . '/sessions'; |
| 112 | } |
| 113 | public static function close() |
| 114 | { |
| 115 | if (self::isSessionStarted()) { |
| 116 | // only write/close session if the session was actually started by us |
| 117 | // otherwise we will set the session values to base64 encoded and whoever the session started might not expect the values in that way |
| 118 | parent::writeClose(); |
| 119 | } |
| 120 | } |
| 121 | public static function isSessionStarted() |
| 122 | { |
| 123 | return self::$sessionStarted; |
| 124 | } |
| 125 | public static function getSameSiteCookieValue() |
| 126 | { |
| 127 | $config = \Piwik\Config::getInstance(); |
| 128 | $general = $config->General; |
| 129 | $module = \Piwik\Piwik::getModule(); |
| 130 | $action = \Piwik\Piwik::getAction(); |
| 131 | $method = \Piwik\Common::getRequestVar('method', '', 'string'); |
| 132 | $referer = \Piwik\Url::getReferrer(); |
| 133 | $isOptOutRequest = $module == 'CoreAdminHome' && ($action == 'optOut' || $action == 'optOutJS'); |
| 134 | $shouldUseNone = !empty($general['enable_framed_pages']) || $isOptOutRequest || Overlay::isOverlayRequest($module, $action, $method, $referer); |
| 135 | /** @var bool $shouldUseNoneForcefully */ |
| 136 | $shouldUseNoneForcefully = \false; |
| 137 | /** |
| 138 | * Triggered to determine whether the session cookie SameSite value should be forced to None. |
| 139 | * |
| 140 | * Plugins can set `$shouldUseNoneForcefully` to true when the session cookie needs to be |
| 141 | * sent in a third-party context that is not covered by Matomo's built-in iframe, opt-out, |
| 142 | * or Overlay detection. The final cookie value is still only set to `None` when the request |
| 143 | * is served over HTTPS. |
| 144 | * |
| 145 | * @param bool &$shouldUseNoneForcefully Set this to true to force the session cookie SameSite value to None. |
| 146 | * |
| 147 | * @internal |
| 148 | * |
| 149 | * @example |
| 150 | * Piwik::addAction('Session.shouldSendSameSiteCookieAsNoneForcefully', function (&$shouldUseNoneForcefully) { |
| 151 | * $shouldUseNoneForcefully = true; |
| 152 | * }); |
| 153 | */ |
| 154 | \Piwik\Piwik::postEvent('Session.shouldSendSameSiteCookieAsNoneForcefully', [&$shouldUseNoneForcefully]); |
| 155 | if (($shouldUseNone || $shouldUseNoneForcefully) && \Piwik\ProxyHttp::isHttps()) { |
| 156 | return 'None'; |
| 157 | } |
| 158 | return 'Lax'; |
| 159 | } |
| 160 | /** |
| 161 | * Write cookie header. Similar to the native setcookie() function but also supports |
| 162 | * the SameSite cookie property. |
| 163 | * @param $name |
| 164 | * @param $value |
| 165 | * @param int $expires |
| 166 | * @param string $path |
| 167 | * @param string $domain |
| 168 | * @param bool $secure |
| 169 | * @param bool $httpOnly |
| 170 | * @param string $sameSite |
| 171 | * @return string |
| 172 | */ |
| 173 | public static function writeCookie($name, $value, $expires = 0, $path = '/', $domain = '/', $secure = \false, $httpOnly = \false, $sameSite = 'lax') |
| 174 | { |
| 175 | $headerStr = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value); |
| 176 | if ($expires) { |
| 177 | $headerStr .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT'; |
| 178 | } |
| 179 | if ($path) { |
| 180 | $headerStr .= '; path=' . $path; |
| 181 | } |
| 182 | if ($domain) { |
| 183 | $headerStr .= '; domain=' . rawurlencode($domain); |
| 184 | } |
| 185 | if ($secure) { |
| 186 | $headerStr .= '; secure'; |
| 187 | } |
| 188 | if ($httpOnly) { |
| 189 | $headerStr .= '; httponly'; |
| 190 | } |
| 191 | if ($sameSite) { |
| 192 | $headerStr .= '; SameSite=' . $sameSite; |
| 193 | } |
| 194 | \Piwik\Common::sendHeader($headerStr); |
| 195 | return $headerStr; |
| 196 | } |
| 197 | public static function getDbTableConfig() : array |
| 198 | { |
| 199 | return array('name' => \Piwik\Common::prefixTable(DbTable::TABLE_NAME), 'primary' => 'id', 'modifiedColumn' => 'modified', 'dataColumn' => 'data', 'lifetimeColumn' => 'lifetime'); |
| 200 | } |
| 201 | public static function destroyAllSessions() : void |
| 202 | { |
| 203 | $config = self::getDbTableConfig(); |
| 204 | $saveHandler = new DbTable($config); |
| 205 | $saveHandler->destroyAll(); |
| 206 | $fingerprint = new SessionFingerprint(); |
| 207 | $fingerprint->clear(); |
| 208 | } |
| 209 | } |
| 210 |