class-wc-session-handler.php — WooCommerce 10.8.0-beta.2

woocommerce / includes / class-wc-session-handler.php

woocommerce / includes Last commit date

class-wc-session-handler.php

769 lines

1	<?php
2	/**
3	* Handle data for the current customers session.
4	* Implements the WC_Session abstract class.
5	*
6	* From 2.5 this uses a custom table for session storage. Based on https://github.com/kloon/woocommerce-large-sessions.
7	*
8	* @class WC_Session_Handler
9	* @package WooCommerce\Classes
10	*/
11
12	declare(strict_types=1);
13
14	use Automattic\Jetpack\Constants;
15	use Automattic\WooCommerce\Internal\Features\FeaturesController;
16	use Automattic\WooCommerce\Utilities\StringUtil;
17	use Automattic\WooCommerce\StoreApi\Utilities\CartTokenUtils;
18
19	defined( 'ABSPATH' ) \|\| exit;
20
21	/**
22	* Session handler class.
23	*/
24	class WC_Session_Handler extends WC_Session {
25
26	/**
27	* Cookie name used for the session.
28	*
29	* @var string cookie name
30	*/
31	protected $_cookie = ''; // phpcs:ignore PSR2.Classes.PropertyDeclaration.Underscore
32
33	/**
34	* Stores session expiry.
35	*
36	* @var int session due to expire timestamp
37	*/
38	protected $_session_expiring = 0; // phpcs:ignore PSR2.Classes.PropertyDeclaration.Underscore
39
40	/**
41	* Stores session due to expire timestamp.
42	*
43	* @var int session expiration timestamp
44	*/
45	protected $_session_expiration = 0; // phpcs:ignore PSR2.Classes.PropertyDeclaration.Underscore
46
47	/**
48	* True when the cookie exists.
49	*
50	* @var bool Based on whether a cookie exists.
51	*/
52	protected $_has_cookie = false; // phpcs:ignore PSR2.Classes.PropertyDeclaration.Underscore
53
54	/**
55	* Table name for session data.
56	*
57	* @var string Custom session table name
58	*/
59	protected $_table = ''; // phpcs:ignore PSR2.Classes.PropertyDeclaration.Underscore
60
61	/**
62	* Constructor for the session class.
63	*/
64	public function __construct() {
65	/**
66	* Filter the cookie name.
67	*
68	* @since 3.6.0
69	*
70	* @param string $cookie Cookie name.
71	*/
72	$this->_cookie = (string) apply_filters( 'woocommerce_cookie', 'wp_woocommerce_session_' . COOKIEHASH );
73	$this->_table = $GLOBALS['wpdb']->prefix . 'woocommerce_sessions';
74	$this->set_session_expiration();
75	}
76
77	/**
78	* Init hooks and session data.
79	*
80	* @since 3.3.0
81	*/
82	public function init() {
83	$this->init_hooks();
84	$this->init_session();
85	}
86
87	/**
88	* Initialize the hooks.
89	*/
90	protected function init_hooks() {
91	add_action( 'woocommerce_set_cart_cookies', array( $this, 'set_customer_session_cookie' ), 10 );
92	add_action( 'wp', array( $this, 'maybe_set_customer_session_cookie' ), 99 );
93	add_action( 'template_redirect', array( $this, 'destroy_session_if_empty' ), 999 );
94	add_action( 'shutdown', array( $this, 'save_data' ), 20 );
95	add_action( 'wp_logout', array( $this, 'destroy_session' ) );
96
97	if ( ! is_user_logged_in() ) {
98	add_filter( 'nonce_user_logged_out', array( $this, 'maybe_update_nonce_user_logged_out' ), 10, 2 );
99	}
100	}
101
102	/**
103	* Initialize the session from either the request or the cookie.
104	*/
105	private function init_session() {
106	if ( ! $this->init_session_from_request() ) {
107	$this->init_session_cookie();
108	}
109	}
110
111	/**
112	* Initialize the session from the query string parameter.
113	*
114	* If the current user is logged in, the token session will replace the current user's session.
115	* If the current user is logged out, the token session will be cloned to a new session.
116	*
117	* Only guest sessions are restored, hence the check for the t_ prefix on the customer ID.
118	*
119	* @return bool
120	*/
121	private function init_session_from_request() {
122	$session_token = is_string( $_GET['session'] ?? '' ) ? wc_clean( wp_unslash( $_GET['session'] ?? '' ) ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
123
124	if ( empty( $session_token ) \|\| ! CartTokenUtils::validate_cart_token( $session_token ) ) {
125	return false;
126	}
127
128	$payload = CartTokenUtils::get_cart_token_payload( $session_token );
129
130	if ( ! $this->is_customer_guest( $payload['user_id'] ) \|\| ! $this->session_exists( $payload['user_id'] ) ) {
131	return false;
132	}
133
134	// Check to see if the current user has a session before proceeding with token handling.
135	$cookie = $this->get_session_cookie();
136
137	if ( $cookie ) {
138	// User owns this token. Return and use cookie session.
139	if ( $cookie[0] === $payload['user_id'] ) {
140	return false;
141	}
142
143	$cookie_session_data = (array) $this->get_session( $cookie[0], array() );
144
145	// Cookie session was originally created via this token. Return and use cookie session to prevent creating a new clone.
146	if ( isset( $cookie_session_data['previous_customer_id'] ) && $cookie_session_data['previous_customer_id'] === $payload['user_id'] ) {
147	return false;
148	}
149	}
150
151	// Generate new customer ID for the new session before cloning the data.
152	$this->_customer_id = $this->generate_customer_id();
153	$this->set_customer_session_cookie( true );
154	$this->clone_session_data( $payload['user_id'] );
155
156	return true;
157	}
158
159	/**
160	* Setup cookie and customer ID.
161	*
162	* @since 3.6.0
163	*/
164	public function init_session_cookie() {
165	$cookie = $this->get_session_cookie();
166
167	if ( ! $cookie ) {
168	// If there is no cookie, generate a new session/customer ID.
169	$this->_customer_id = $this->generate_customer_id();
170	$this->_data = $this->get_session_data();
171	return;
172	}
173
174	// Customer ID will be an MD5 hash id this is a guest session.
175	$this->_customer_id = $cookie[0];
176	$this->_session_expiration = (int) $cookie[1];
177	$this->_session_expiring = (int) $cookie[2];
178	$this->_has_cookie = true;
179
180	$this->restore_session_data();
181
182	/**
183	* This clears the session if the cookie is invalid.
184	*/
185	if ( ! $this->is_session_cookie_valid() ) {
186	$this->destroy_session();
187	}
188
189	// If the user logs in, update session.
190	if ( is_user_logged_in() && (string) get_current_user_id() !== $this->get_customer_id() ) {
191	$this->migrate_guest_session_to_user_session();
192	}
193
194	// Update session if its close to expiring.
195	if ( $this->is_session_expiring() ) {
196	$this->set_session_expiration();
197	$this->update_session_timestamp( $this->get_customer_id(), $this->_session_expiration );
198	}
199	}
200
201	/**
202	* Clones a session to the current session. Exclude customer details for privacy reasons.
203	*
204	* @param string $clone_from_customer_id The customer ID to clone from.
205	*/
206	private function clone_session_data( string $clone_from_customer_id ) {
207	$session_data = (array) $this->get_session( $clone_from_customer_id, array() );
208	$session_data['previous_customer_id'] = $clone_from_customer_id;
209	$session_data = array_diff_key( $session_data, array( 'customer' => true ) );
210	$this->_data = $session_data;
211	$this->_dirty = true;
212	$this->save_data();
213	}
214
215	/**
216	* Migrates a guest session to the current user session.
217	*/
218	private function migrate_guest_session_to_user_session() {
219	$guest_session_id = $this->_customer_id;
220	$user_session_id = (string) get_current_user_id();
221
222	$this->_data = $this->get_session( $guest_session_id, array() );
223	$this->_dirty = true;
224	$this->_customer_id = $user_session_id;
225	$this->save_data( $guest_session_id );
226
227	/**
228	* Fires after a customer has logged in, and their guest session id has been
229	* deleted with its data migrated to a customer id.
230	*
231	* This hook gives extensions the chance to connect the old session id to the
232	* customer id, if the key is being used externally.
233	*
234	* @since 8.8.0
235	*
236	* @param string $guest_session_id The former session ID, as generated by `::generate_customer_id()`.
237	* @param string $user_session_id The Customer ID that the former session was converted to.
238	*/
239	do_action( 'woocommerce_guest_session_to_user_id', $guest_session_id, $user_session_id );
240
241	$this->set_session_expiration();
242	$this->update_session_timestamp( $this->get_customer_id(), $this->_session_expiration );
243	// Set cookie to user session. Otherwise next request still has guest id and the session is empty.
244	$this->set_customer_session_cookie( true );
245	}
246
247	/**
248	* Restore the session data from the database.
249	*
250	* @since 10.0.0
251	*/
252	private function restore_session_data() {
253	$session_data = $this->get_session_data();
254
255	/**
256	* Filters the session data when restoring from storage during initialization.
257	*
258	* This filter allows you to:
259	* 1. Modify the session data before it's loaded, including adding or removing specific session data entries
260	* 2. Clear the entire session by returning an empty array
261	*
262	* Note: If the filtered data is empty, the session will be destroyed and the
263	* guest's session cookie will be removed. This can be useful for high-traffic
264	* sites that prioritize page caching over maintaining all session data.
265	*
266	* @since 9.9.0
267	*
268	* @param array $session_data The session data loaded from storage.
269	* @return array Modified session data to be used for initialization.
270	*/
271	$this->_data = (array) apply_filters( 'woocommerce_restored_session_data', $session_data );
272	}
273
274	/**
275	* Checks if session cookie is expired, or belongs to a logged out user.
276	*
277	* @return bool Whether session cookie is valid.
278	*/
279	private function is_session_cookie_valid() {
280	// If session is expired, session cookie is invalid.
281	if ( time() > $this->_session_expiration ) {
282	return false;
283	}
284
285	// If user has logged out, session cookie is invalid.
286	if ( ! is_user_logged_in() && ! $this->is_customer_guest( $this->get_customer_id() ) ) {
287	return false;
288	}
289
290	// Session from a different user is not valid. (Although from a guest user will be valid).
291	if ( is_user_logged_in() && ! $this->is_customer_guest( $this->get_customer_id() ) && (string) get_current_user_id() !== $this->get_customer_id() ) {
292	return false;
293	}
294
295	return true;
296	}
297
298	/**
299	* Hooks into the wp action to maybe set the session cookie if the user is on a certain page e.g. a checkout endpoint.
300	*
301	* Certain gateways may rely on sessions and this ensures a session is present even if the customer does not have a
302	* cart.
303	*/
304	public function maybe_set_customer_session_cookie() {
305	if ( is_wc_endpoint_url( 'order-pay' ) ) {
306	$this->set_customer_session_cookie( true );
307	}
308	}
309
310	/**
311	* Hash a value using wp_fast_hash (from WP 6.8 onwards).
312	*
313	* This method can be removed when the minimum version supported is 6.8.
314	*
315	* @param string $message Value to hash.
316	* @return string Hashed value.
317	*/
318	private function hash( string $message ) {
319	if ( function_exists( 'wp_fast_hash' ) ) {
320	return wp_fast_hash( $message );
321	}
322	return hash_hmac( 'md5', $message, wp_hash( $message ) );
323	}
324
325	/**
326	* Verify a hash using wp_verify_fast_hash (from WP 6.8 onwards).
327	*
328	* This method can be removed when the minimum version supported is 6.8.
329	*
330	* @param string $message Message to verify.
331	* @param string $hash Hash to verify.
332	* @return bool Whether the hash is valid.
333	*/
334	private function verify_hash( string $message, string $hash ) {
335	if ( function_exists( 'wp_verify_fast_hash' ) ) {
336	return wp_verify_fast_hash( $message, $hash );
337	}
338	return hash_equals( hash_hmac( 'md5', $message, wp_hash( $message ) ), $hash );
339	}
340
341	/**
342	* Sets the session cookie on-demand (usually after adding an item to the cart).
343	*
344	* Since the cookie name (as of 2.1) is prepended with wp, cache systems like batcache will not cache pages when set.
345	*
346	* Warning: Cookies will only be set if this is called before the headers are sent.
347	*
348	* @param bool $set Should the session cookie be set.
349	*/
350	public function set_customer_session_cookie( $set ) {
351	if ( $set ) {
352	$cookie_hash = $this->hash( $this->get_customer_id() . '\|' . (string) $this->_session_expiration );
353	$cookie_value = $this->get_customer_id() . '\|' . (string) $this->_session_expiration . '\|' . (string) $this->_session_expiring . '\|' . $cookie_hash;
354
355	if ( ! isset( $_COOKIE[ $this->_cookie ] ) \|\| $_COOKIE[ $this->_cookie ] !== $cookie_value ) {
356	wc_setcookie( $this->_cookie, $cookie_value, $this->_session_expiration, $this->use_secure_cookie(), true );
357	}
358
359	$this->_has_cookie = true;
360	}
361	}
362
363	/**
364	* Should the session cookie be secure?
365	*
366	* @since 3.6.0
367	* @return bool
368	*/
369	protected function use_secure_cookie() {
370	/**
371	* Filter whether to use a secure cookie.
372	*
373	* @since 3.6.0
374	*
375	* @param bool $use_secure_cookie Whether to use a secure cookie.
376	*/
377	return (bool) apply_filters( 'wc_session_use_secure_cookie', wc_site_is_https() && is_ssl() );
378	}
379
380	/**
381	* Return true if the current user has an active session, i.e. a cookie to retrieve values.
382	*
383	* @return bool
384	*/
385	public function has_session() {
386	return isset( $_COOKIE[ $this->_cookie ] ) \|\| $this->_has_cookie \|\| is_user_logged_in();
387	}
388
389	/**
390	* Checks if the session is expiring.
391	*
392	* @return bool Whether session is expiring.
393	*/
394	private function is_session_expiring() {
395	return time() > $this->_session_expiring;
396	}
397
398	/**
399	* Set session expiration.
400	*/
401	public function set_session_expiration() {
402	$default_expiring_seconds = DAY_IN_SECONDS;
403	$default_expiration_seconds = is_user_logged_in() ? WEEK_IN_SECONDS : 2 * DAY_IN_SECONDS;
404	$max_expiration_seconds = MONTH_IN_SECONDS;
405	$max_expiring_seconds = $max_expiration_seconds - DAY_IN_SECONDS;
406	$session_limit_exceeded = false;
407
408	/**
409	* Filters the session expiration.
410	*
411	* @since 5.0.0
412	* @param int $expiration_seconds The expiration time in seconds.
413	*/
414	$expiring_seconds = intval( apply_filters( 'wc_session_expiring', $default_expiring_seconds ) ) ?: $default_expiring_seconds; // phpcs:ignore Universal.Operators.DisallowShortTernary.Found
415
416	if ( $expiring_seconds > $max_expiring_seconds ) {
417	$session_limit_exceeded = true;
418	}
419	/**
420	* Filters the session expiration.
421	*
422	* @since 5.0.0
423	* @param int $expiration_seconds The expiration time in seconds.
424	*/
425	$expiration_seconds = intval( apply_filters( 'wc_session_expiration', $default_expiration_seconds ) ) ?: $default_expiration_seconds; // phpcs:ignore Universal.Operators.DisallowShortTernary.Found
426
427	// We limit the expiration time to 30 days to avoid performance issues and the session table growing too large.
428	if ( $expiration_seconds > $max_expiration_seconds ) {
429	$session_limit_exceeded = true;
430	}
431
432	if ( $session_limit_exceeded ) {
433	$transient_key = 'wc_session_handler_warning';
434	if ( false === get_transient( $transient_key ) ) {
435	wc_get_logger()->warning(
436	sprintf(
437	'Keeping sessions for longer than %d days can cause performance issues and larger session tables. Monitor usage and adjust lifetimes via the wc_session_expiring and wc_session_expiration filters as needed.',
438	$max_expiration_seconds / DAY_IN_SECONDS
439	),
440	array( 'source' => 'wc_session_handler' )
441	);
442	set_transient( $transient_key, true, $max_expiration_seconds );
443	}
444	}
445
446	// If the expiring time is greater than the expiration time, set the expiring time to 90% of the expiration time.
447	if ( $expiring_seconds > $expiration_seconds ) {
448	$expiring_seconds = $expiration_seconds * 0.9;
449	}
450
451	$this->_session_expiring = time() + $expiring_seconds;
452	$this->_session_expiration = time() + $expiration_seconds;
453	}
454
455	/**
456	* Generate a unique customer ID for guests, or return user ID if logged in.
457	*
458	* @return string
459	*/
460	public function generate_customer_id() {
461	return is_user_logged_in() ? (string) get_current_user_id() : wc_rand_hash( 't_', 30 );
462	}
463
464	/**
465	* Checks if this is an auto-generated customer ID.
466	*
467	* @param string $customer_id Customer ID to check.
468	* @return bool Whether customer ID is randomly generated.
469	*/
470	private function is_customer_guest( $customer_id ) {
471	return empty( $customer_id ) \|\| 't_' === substr( $customer_id, 0, 2 );
472	}
473
474	/**
475	* Get session unique ID for requests if session is initialized or user ID if logged in.
476	* Introduced to help with unit tests.
477	*
478	* @since 5.3.0
479	* @return string
480	*/
481	public function get_customer_unique_id() {
482	$customer_id = '';
483
484	if ( $this->has_session() && $this->get_customer_id() ) {
485	$customer_id = $this->get_customer_id();
486	} elseif ( is_user_logged_in() ) {
487	$customer_id = (string) get_current_user_id();
488	}
489
490	return $customer_id;
491	}
492
493	/**
494	* Get the session cookie, if set. Otherwise return false.
495	*
496	* Session cookies without a customer ID are invalid.
497	*
498	* @return bool\|array
499	*/
500	public function get_session_cookie() {
501	$cookie_value = isset( $_COOKIE[ $this->_cookie ] ) ? wc_clean( wp_unslash( (string) $_COOKIE[ $this->_cookie ] ) ) : '';
502
503	if ( empty( $cookie_value ) ) {
504	return false;
505	}
506
507	// Check if the cookie value contains '\|\|' instead of '\|' to support older versions of the cookie. This can be removed in WC 11.0.0.
508	if ( strpos( $cookie_value, '\|\|' ) !== false ) {
509	$parsed_cookie = explode( '\|\|', $cookie_value );
510	} else {
511	$parsed_cookie = explode( '\|', $cookie_value );
512	}
513
514	if ( count( $parsed_cookie ) !== 4 ) {
515	return false;
516	}
517
518	list( $customer_id, $session_expiration, $session_expiring, $cookie_hash ) = $parsed_cookie;
519
520	if ( empty( $customer_id ) ) {
521	return false;
522	}
523
524	$verify_hash = $this->verify_hash( $customer_id . '\|' . $session_expiration, $cookie_hash );
525
526	if ( ! $verify_hash ) {
527	return false;
528	}
529
530	return array( $customer_id, $session_expiration, $session_expiring, $cookie_hash );
531	}
532
533	/**
534	* Get session data fresh from storage.
535	*
536	* This re-reads session data from the database rather than returning
537	* in-memory data, ensuring the latest persisted state is returned.
538	*
539	* @return array
540	*/
541	public function get_session_data() {
542	return $this->has_session() ? (array) $this->get_session( $this->get_customer_id(), array() ) : array();
543	}
544
545	/**
546	* Gets a cache prefix. This is used in session names so the entire cache can be invalidated with 1 function call.
547	*
548	* @return string
549	*/
550	private function get_cache_prefix() {
551	return WC_Cache_Helper::get_cache_prefix( WC_SESSION_CACHE_GROUP );
552	}
553
554	/**
555	* Save data and delete guest session.
556	*
557	* @param string\|mixed $old_session_key Optional session ID prior to user log-in. If $old_session_key is not tied
558	* to a user, the session will be deleted with the assumption that it was migrated
559	* to the current session being saved.
560	*/
561	public function save_data( $old_session_key = '' ) {
562	// Dirty if something changed - prevents saving nothing new.
563	if ( $this->_dirty && $this->has_session() ) {
564	global $wpdb;
565
566	$wpdb->query(
567	$wpdb->prepare(
568	'INSERT INTO %i (`session_key`, `session_value`, `session_expiry`) VALUES (%s, %s, %d)
569	ON DUPLICATE KEY UPDATE `session_value` = VALUES(`session_value`), `session_expiry` = VALUES(`session_expiry`)',
570	$this->_table,
571	$this->get_customer_id(),
572	maybe_serialize( $this->_data ),
573	$this->_session_expiration
574	)
575	);
576	wp_cache_set( $this->get_cache_prefix() . $this->get_customer_id(), $this->_data, WC_SESSION_CACHE_GROUP, $this->_session_expiration - time() );
577	$this->_dirty = false;
578
579	/**
580	* Ideally, the removal of guest session data migrated to a logged-in user would occur within
581	* self::init_session_cookie() upon user login detection initially occurs. However, since some third-party
582	* extensions override this method, relocating this logic could break backward compatibility.
583	*/
584	if ( ! empty( $old_session_key ) && $this->get_customer_id() !== $old_session_key && ! is_object( get_user_by( 'id', $old_session_key ) ) ) {
585	$this->delete_session( $old_session_key );
586	}
587	}
588	}
589
590	/**
591	* Destroy all session data.
592	*/
593	public function destroy_session() {
594	$this->delete_session( $this->get_customer_id() );
595	$this->forget_session();
596	$this->set_session_expiration();
597	}
598
599	/**
600	* Forget all session data without destroying it.
601	*/
602	public function forget_session() {
603	wc_setcookie( $this->_cookie, '', time() - YEAR_IN_SECONDS, $this->use_secure_cookie(), true );
604
605	if ( ! is_admin() ) {
606	include_once WC_ABSPATH . 'includes/wc-cart-functions.php';
607	wc_empty_cart();
608	}
609
610	$this->_data = array();
611	$this->_dirty = false;
612	$this->_customer_id = $this->generate_customer_id();
613	$this->_has_cookie = false;
614	}
615
616	/**
617	* When a user is logged out, ensure they have a unique nonce to manage cart and more using the customer/session ID.
618	* This filter runs everything `wp_verify_nonce()` and `wp_create_nonce()` gets called.
619	*
620	* @since 5.3.0
621	* @param int $uid User ID.
622	* @param int\|string $action The nonce action.
623	* @return int\|string
624	*/
625	public function maybe_update_nonce_user_logged_out( $uid, $action ) {
626	if ( is_string( $action ) && StringUtil::starts_with( $action, 'woocommerce' ) ) {
627	return $this->has_session() && $this->get_customer_id() ? $this->get_customer_id() : $uid;
628	}
629	return $uid;
630	}
631
632	/**
633	* Cleanup session data from the database and clear caches.
634	*/
635	public function cleanup_sessions() {
636	global $wpdb;
637
638	// Batch size of 100 and sleep time of 10ms = max 100 SQL queries and 10K entries deletion per second.
639	$batch_size = 100;
640	$deleted_entries_total = 0;
641	do {
642	$deleted_entries_count = (int) $wpdb->query(
643	$wpdb->prepare(
644	'DELETE FROM %i WHERE session_expiry < %d ORDER BY session_expiry LIMIT %d',
645	$this->_table,
646	time(),
647	$batch_size
648	)
649	);
650	$deleted_entries_total += $deleted_entries_count;
651	usleep( ( 10_000 / $batch_size ) * $deleted_entries_count );
652	} while ( $deleted_entries_count === $batch_size );
653
654	if ( $deleted_entries_total > 0 && class_exists( 'WC_Cache_Helper' ) ) {
655	WC_Cache_Helper::invalidate_cache_group( WC_SESSION_CACHE_GROUP );
656	}
657	}
658
659	/**
660	* Returns the session.
661	*
662	* @param string $customer_id Customer ID.
663	* @param mixed $default_value Default session value.
664	* @return mixed Returns either the session data or the default value. Returns false if WP setup is in progress.
665	*/
666	public function get_session( $customer_id, $default_value = false ) {
667	global $wpdb;
668
669	if ( Constants::is_defined( 'WP_SETUP_CONFIG' ) ) {
670	return $default_value;
671	}
672
673	// Try to get it from the cache, it will return false if not present or if object cache not in use.
674	$value = wp_cache_get( $this->get_cache_prefix() . $customer_id, WC_SESSION_CACHE_GROUP );
675
676	if ( false === $value ) {
677	$value = $wpdb->get_var( $wpdb->prepare( 'SELECT session_value FROM %i WHERE session_key = %s', $this->_table, $customer_id ) );
678
679	if ( is_null( $value ) ) {
680	$value = $default_value;
681	}
682
683	$cache_duration = $this->_session_expiration - time();
684	if ( 0 < $cache_duration ) {
685	wp_cache_add( $this->get_cache_prefix() . $customer_id, $value, WC_SESSION_CACHE_GROUP, $cache_duration );
686	}
687	}
688
689	return maybe_unserialize( $value );
690	}
691
692	/**
693	* Delete the session from the cache and database.
694	*
695	* @param string $customer_id Customer session ID.
696	*/
697	public function delete_session( $customer_id ) {
698	if ( ! $customer_id ) {
699	return;
700	}
701	$GLOBALS['wpdb']->delete( $this->_table, array( 'session_key' => $customer_id ) );
702	wp_cache_delete( $this->get_cache_prefix() . $customer_id, WC_SESSION_CACHE_GROUP );
703	}
704
705	/**
706	* Update the session expiry timestamp.
707	*
708	* @param string $customer_id Customer ID.
709	* @param int $timestamp Timestamp to expire the cookie.
710	*/
711	public function update_session_timestamp( $customer_id, $timestamp ) {
712	if ( ! $customer_id ) {
713	return;
714	}
715	$GLOBALS['wpdb']->update( $this->_table, array( 'session_expiry' => $timestamp ), array( 'session_key' => $customer_id ), array( '%d' ) );
716	}
717
718	/**
719	* Destroys the WooCommerce session if it contains no data for non-logged-in users.
720	*
721	* This method helps improve caching performance by removing session cookies when they
722	* are no longer needed, allowing non-logged-in customers to receive cached pages.
723	* Only runs if the destroy-empty-sessions feature is enabled.
724	*
725	* @return void
726	*
727	* @since 10.3.0
728	*
729	* @internal For exclusive usage of WooCommerce core, backwards compatibility not guaranteed.
730	*/
731	public function destroy_session_if_empty() {
732	if ( is_user_logged_in() \|\| ! $this->_has_cookie ) {
733	return;
734	}
735
736	if ( ! isset( $_COOKIE[ $this->_cookie ] ) ) {
737	// If $_COOKIE isn't set, then something triggered setting the cookie during this request. So we won't
738	// yet destroy the session if it is empty to expand compatibility at the cost of one additional request being uncached.
739	return;
740	}
741
742	if ( ! empty( $this->_data ) ) {
743	return;
744	}
745
746	if ( is_object( WC()->cart ) && ! WC()->cart->is_empty() ) {
747	// There is a pending cart to save that isn't yet in the session data.
748	return;
749	}
750
751	$feature_controller = wc_get_container()->get( FeaturesController::class );
752	if ( ! $feature_controller->feature_is_enabled( 'destroy-empty-sessions' ) ) {
753	return;
754	}
755
756	$this->destroy_session();
757	}
758
759	/**
760	* Check if a session exists in the database.
761	*
762	* @param string $customer_id Customer ID.
763	* @return bool
764	*/
765	private function session_exists( $customer_id ) {
766	return $customer_id && null !== $GLOBALS['wpdb']->get_var( $GLOBALS['wpdb']->prepare( 'SELECT session_key FROM %i WHERE session_key = %s', $this->_table, $customer_id ) );
767	}
768	}
769