PluginProbe ʕ •ᴥ•ʔ
Matomo Analytics – Powerful, Privacy-First Insights for WordPress / trunk
Matomo Analytics – Powerful, Privacy-First Insights for WordPress vtrunk
5.11.1 5.11.0 5.10.2 5.10.1 trunk 1.0.2 1.0.3 1.0.4 1.0.5 1.0.6 1.1.0 1.1.1 1.1.2 1.1.3 1.2.0 1.3.0 1.3.1 1.3.2 4.0.0 4.0.1 4.0.2 4.0.3 4.0.4 4.1.0 4.1.1 4.1.2 4.1.3 4.10.0 4.11.0 4.12.0 4.13.0 4.13.2 4.13.3 4.13.4 4.13.5 4.14.0 4.14.1 4.14.2 4.15.0 4.15.1 4.15.2 4.15.3 4.2.0 4.3.0 4.3.1 4.4.1 4.4.2 4.5.0 4.6.0 5.0.1 5.0.2 5.0.3 5.0.4 5.0.5 5.0.6 5.0.7 5.0.8 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.10.0 5.2.0 5.2.1 5.2.2 5.3.0 5.3.1 5.3.2 5.3.3 5.6.0 5.6.1 5.7.0 5.7.1 5.8.0 5.8.1 5.8.2
matomo / app / core / Session / SessionFingerprint.php
matomo / app / core / Session Last commit date
SaveHandler 1 month ago SessionAuth.php 4 months ago SessionFingerprint.php 3 weeks ago SessionInitializer.php 1 year ago SessionNamespace.php 1 year ago
SessionFingerprint.php
170 lines
1 <?php
2
3 /**
4 * Matomo - free/libre analytics platform
5 *
6 * @link https://matomo.org
7 * @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
8 */
9 namespace Piwik\Session;
10
11 use Piwik\Config;
12 use Piwik\Date;
13 /**
14 * Manages session information that is used to identify who the session
15 * is for.
16 *
17 * Once a session is authenticated using either a user name & password or
18 * token auth, some information about the user is stored in the session.
19 * This info includes the user name and the user agent
20 * string of the user's client, and a random session secret.
21 *
22 * In subsequent requests that use this session, we use the above information
23 * to verify that the session is allowed to be used by the person sending the
24 * request.
25 *
26 * This is accomplished by checking the request's user agent
27 * against what is stored in the session. If it doesn't then this is a
28 * session hijacking attempt.
29 *
30 * We also check that a hash in the matomo_auth cookie matches the hash
31 * of the time the user last changed their password + the session secret.
32 * If they don't match, the password has been changed since this session
33 * started, and is no longer valid.
34 */
35 class SessionFingerprint
36 {
37 // used in case the global.ini.php becomes corrupt or doesn't update properly
38 public const DEFAULT_IDLE_TIMEOUT = 3600;
39 public const USER_NAME_SESSION_VAR_NAME = 'user.name';
40 public const SESSION_INFO_SESSION_VAR_NAME = 'session.info';
41 public const SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED = 'twofactorauth.verified';
42 public const SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED_USER = 'twofactorauth.verified_user';
43 public const SESSION_INFO_TEMP_TOKEN_AUTH = 'user.token_auth_temp';
44 public function getUser()
45 {
46 if (isset($_SESSION[self::USER_NAME_SESSION_VAR_NAME])) {
47 return $_SESSION[self::USER_NAME_SESSION_VAR_NAME];
48 }
49 return null;
50 }
51 public function getUserInfo()
52 {
53 if (isset($_SESSION[self::SESSION_INFO_SESSION_VAR_NAME])) {
54 return $_SESSION[self::SESSION_INFO_SESSION_VAR_NAME];
55 }
56 return null;
57 }
58 public function getSessionTokenAuth()
59 {
60 if (!empty($_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH])) {
61 return $_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH];
62 }
63 return null;
64 }
65 public function hasVerifiedTwoFactor()
66 {
67 if (!isset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED])) {
68 return null;
69 }
70 if (empty($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED])) {
71 return \false;
72 }
73 $verifiedUser = $this->getVerifiedTwoFactorUser();
74 if (!empty($verifiedUser)) {
75 return $verifiedUser === $this->getUser();
76 }
77 return \true;
78 }
79 public function getVerifiedTwoFactorUser()
80 {
81 return $_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED_USER] ?? null;
82 }
83 public function setTwoFactorAuthenticationVerified($userName = null)
84 {
85 $_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED] = 1;
86 $userName = $userName ?? $this->getUser();
87 if (!empty($userName)) {
88 $_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED_USER] = $userName;
89 } else {
90 unset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED_USER]);
91 }
92 }
93 public function initialize($userName,
94 #[\SensitiveParameter]
95 $tokenAuth, $isRemembered = \false, $time = null)
96 {
97 $time = $time ?: Date::now()->getTimestampUTC();
98 $_SESSION[self::USER_NAME_SESSION_VAR_NAME] = $userName;
99 $_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED] = 0;
100 unset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED_USER]);
101 $_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH] = $tokenAuth;
102 $_SESSION[self::SESSION_INFO_SESSION_VAR_NAME] = ['ts' => $time, 'remembered' => $isRemembered, 'expiration' => $this->getExpirationTimeFromNow($time)];
103 }
104 public function clear()
105 {
106 if (isset($_SESSION[self::USER_NAME_SESSION_VAR_NAME])) {
107 // may not be available during tests
108 unset($_SESSION[self::USER_NAME_SESSION_VAR_NAME]);
109 }
110 if (isset($_SESSION[self::SESSION_INFO_SESSION_VAR_NAME])) {
111 // may not be available during tests
112 unset($_SESSION[self::SESSION_INFO_SESSION_VAR_NAME]);
113 }
114 if (isset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED])) {
115 // may not be available during tests
116 unset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED]);
117 }
118 if (isset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED_USER])) {
119 // may not be available during tests
120 unset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED_USER]);
121 }
122 if (isset($_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH])) {
123 // may not be available during tests
124 unset($_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH]);
125 }
126 }
127 public function getSessionStartTime()
128 {
129 $userInfo = $this->getUserInfo();
130 if (empty($userInfo) || empty($userInfo['ts'])) {
131 return null;
132 }
133 return $userInfo['ts'];
134 }
135 public function getExpirationTime()
136 {
137 $userInfo = $this->getUserInfo();
138 if (empty($userInfo) || empty($userInfo['expiration'])) {
139 return null;
140 }
141 return $userInfo['expiration'];
142 }
143 public function isRemembered()
144 {
145 $userInfo = $this->getUserInfo();
146 return !empty($userInfo['remembered']);
147 }
148 public function updateSessionExpirationTime()
149 {
150 $_SESSION[self::SESSION_INFO_SESSION_VAR_NAME]['expiration'] = $this->getExpirationTimeFromNow();
151 }
152 private function getExpirationTimeFromNow($time = null)
153 {
154 $time = $time ?: Date::now()->getTimestampUTC();
155 $general = Config::getInstance()->General;
156 if (!isset($general['login_session_not_remembered_idle_timeout']) || (int) $general['login_session_not_remembered_idle_timeout'] <= 0) {
157 $nonRememberedSessionExpireTime = self::DEFAULT_IDLE_TIMEOUT;
158 } else {
159 $nonRememberedSessionExpireTime = (int) $general['login_session_not_remembered_idle_timeout'];
160 }
161 $sessionCookieLifetime = $general['login_cookie_expire'];
162 if ($this->isRemembered()) {
163 $expireDuration = $sessionCookieLifetime;
164 } else {
165 $expireDuration = $nonRememberedSessionExpireTime;
166 }
167 return $time + $expireDuration;
168 }
169 }
170