class-wc-session-handler.php — WooCommerce 3.5.0-rc.2

woocommerce / includes / class-wc-session-handler.php

woocommerce / includes Last commit date

class-wc-session-handler.php

339 lines

1	<?php
2	/**
3	* Handle data for the current customers session.
4	* Implements the WC_Session abstract class.
5	*
6	* From 2.5 this uses a custom table for session storage. Based on https://github.com/kloon/woocommerce-large-sessions.
7	*
8	* @class WC_Session_Handler
9	* @version 2.5.0
10	* @package WooCommerce/Classes
11	*/
12
13	defined( 'ABSPATH' ) \|\| exit;
14
15	/**
16	* Session handler class.
17	*/
18	class WC_Session_Handler extends WC_Session {
19
20	/**
21	* Cookie name used for the session.
22	*
23	* @var string cookie name
24	*/
25	protected $_cookie;
26
27	/**
28	* Stores session expiry.
29	*
30	* @var string session due to expire timestamp
31	*/
32	protected $_session_expiring;
33
34	/**
35	* Stores session due to expire timestamp.
36	*
37	* @var string session expiration timestamp
38	*/
39	protected $_session_expiration;
40
41	/**
42	* True when the cookie exists.
43	*
44	* @var bool Based on whether a cookie exists.
45	*/
46	protected $_has_cookie = false;
47
48	/**
49	* Table name for session data.
50	*
51	* @var string Custom session table name
52	*/
53	protected $_table;
54
55	/**
56	* Constructor for the session class.
57	*/
58	public function __construct() {
59	$this->_cookie = apply_filters( 'woocommerce_cookie', 'wp_woocommerce_session_' . COOKIEHASH );
60	$this->_table = $GLOBALS['wpdb']->prefix . 'woocommerce_sessions';
61	}
62
63	/**
64	* Init hooks and session data.
65	*
66	* @since 3.3.0
67	*/
68	public function init() {
69	$cookie = $this->get_session_cookie();
70
71	if ( $cookie ) {
72	$this->_customer_id = $cookie[0];
73	$this->_session_expiration = $cookie[1];
74	$this->_session_expiring = $cookie[2];
75	$this->_has_cookie = true;
76
77	// Update session if its close to expiring.
78	if ( time() > $this->_session_expiring ) {
79	$this->set_session_expiration();
80	$this->update_session_timestamp( $this->_customer_id, $this->_session_expiration );
81	}
82	} else {
83	$this->set_session_expiration();
84	$this->_customer_id = $this->generate_customer_id();
85	}
86
87	$this->_data = $this->get_session_data();
88
89	add_action( 'woocommerce_set_cart_cookies', array( $this, 'set_customer_session_cookie' ), 10 );
90	add_action( 'shutdown', array( $this, 'save_data' ), 20 );
91	add_action( 'wp_logout', array( $this, 'destroy_session' ) );
92
93	if ( ! is_user_logged_in() ) {
94	add_filter( 'nonce_user_logged_out', array( $this, 'nonce_user_logged_out' ) );
95	}
96	}
97
98	/**
99	* Sets the session cookie on-demand (usually after adding an item to the cart).
100	*
101	* Since the cookie name (as of 2.1) is prepended with wp, cache systems like batcache will not cache pages when set.
102	*
103	* Warning: Cookies will only be set if this is called before the headers are sent.
104	*
105	* @param bool $set Should the session cookie be set.
106	*/
107	public function set_customer_session_cookie( $set ) {
108	if ( $set ) {
109	$to_hash = $this->_customer_id . '\|' . $this->_session_expiration;
110	$cookie_hash = hash_hmac( 'md5', $to_hash, wp_hash( $to_hash ) );
111	$cookie_value = $this->_customer_id . '\|\|' . $this->_session_expiration . '\|\|' . $this->_session_expiring . '\|\|' . $cookie_hash;
112	$this->_has_cookie = true;
113
114	wc_setcookie( $this->_cookie, $cookie_value, $this->_session_expiration, apply_filters( 'wc_session_use_secure_cookie', false ) );
115	}
116	}
117
118	/**
119	* Return true if the current user has an active session, i.e. a cookie to retrieve values.
120	*
121	* @return bool
122	*/
123	public function has_session() {
124	return isset( $_COOKIE[ $this->_cookie ] ) \|\| $this->_has_cookie \|\| is_user_logged_in(); // @codingStandardsIgnoreLine.
125	}
126
127	/**
128	* Set session expiration.
129	*/
130	public function set_session_expiration() {
131	$this->_session_expiring = time() + intval( apply_filters( 'wc_session_expiring', 60 * 60 * 47 ) ); // 47 Hours.
132	$this->_session_expiration = time() + intval( apply_filters( 'wc_session_expiration', 60 * 60 * 48 ) ); // 48 Hours.
133	}
134
135	/**
136	* Generate a unique customer ID for guests, or return user ID if logged in.
137	*
138	* Uses Portable PHP password hashing framework to generate a unique cryptographically strong ID.
139	*
140	* @return string
141	*/
142	public function generate_customer_id() {
143	$customer_id = '';
144
145	if ( is_user_logged_in() ) {
146	$customer_id = get_current_user_id();
147	}
148
149	if ( empty( $customer_id ) ) {
150	require_once ABSPATH . 'wp-includes/class-phpass.php';
151	$hasher = new PasswordHash( 8, false );
152	$customer_id = md5( $hasher->get_random_bytes( 32 ) );
153	}
154
155	return $customer_id;
156	}
157
158	/**
159	* Get the session cookie, if set. Otherwise return false.
160	*
161	* Session cookies without a customer ID are invalid.
162	*
163	* @return bool\|array
164	*/
165	public function get_session_cookie() {
166	$cookie_value = isset( $_COOKIE[ $this->_cookie ] ) ? wp_unslash( $_COOKIE[ $this->_cookie ] ) : false; // @codingStandardsIgnoreLine.
167
168	if ( empty( $cookie_value ) \|\| ! is_string( $cookie_value ) ) {
169	return false;
170	}
171
172	list( $customer_id, $session_expiration, $session_expiring, $cookie_hash ) = explode( '\|\|', $cookie_value );
173
174	if ( empty( $customer_id ) ) {
175	return false;
176	}
177
178	// Validate hash.
179	$to_hash = $customer_id . '\|' . $session_expiration;
180	$hash = hash_hmac( 'md5', $to_hash, wp_hash( $to_hash ) );
181
182	if ( empty( $cookie_hash ) \|\| ! hash_equals( $hash, $cookie_hash ) ) {
183	return false;
184	}
185
186	return array( $customer_id, $session_expiration, $session_expiring, $cookie_hash );
187	}
188
189	/**
190	* Get session data.
191	*
192	* @return array
193	*/
194	public function get_session_data() {
195	return $this->has_session() ? (array) $this->get_session( $this->_customer_id, array() ) : array();
196	}
197
198	/**
199	* Gets a cache prefix. This is used in session names so the entire cache can be invalidated with 1 function call.
200	*
201	* @return string
202	*/
203	private function get_cache_prefix() {
204	return WC_Cache_Helper::get_cache_prefix( WC_SESSION_CACHE_GROUP );
205	}
206
207	/**
208	* Save data.
209	*/
210	public function save_data() {
211	// Dirty if something changed - prevents saving nothing new.
212	if ( $this->_dirty && $this->has_session() ) {
213	global $wpdb;
214
215	$wpdb->query(
216	$wpdb->prepare(
217	"INSERT INTO {$wpdb->prefix}woocommerce_sessions (`session_key`, `session_value`, `session_expiry`) VALUES (%s, %s, %d)
218	ON DUPLICATE KEY UPDATE `session_value` = VALUES(`session_value`), `session_expiry` = VALUES(`session_expiry`)",
219	$this->_customer_id,
220	maybe_serialize( $this->_data ),
221	$this->_session_expiration
222	)
223	);
224
225	wp_cache_set( $this->get_cache_prefix() . $this->_customer_id, $this->_data, WC_SESSION_CACHE_GROUP, $this->_session_expiration - time() );
226	$this->_dirty = false;
227	}
228	}
229
230	/**
231	* Destroy all session data.
232	*/
233	public function destroy_session() {
234	wc_setcookie( $this->_cookie, '', time() - YEAR_IN_SECONDS, apply_filters( 'wc_session_use_secure_cookie', false ) );
235
236	$this->delete_session( $this->_customer_id );
237
238	wc_empty_cart();
239
240	$this->_data = array();
241	$this->_dirty = false;
242	$this->_customer_id = $this->generate_customer_id();
243	}
244
245	/**
246	* When a user is logged out, ensure they have a unique nonce by using the customer/session ID.
247	*
248	* @param int $uid User ID.
249	* @return string
250	*/
251	public function nonce_user_logged_out( $uid ) {
252	return $this->has_session() && $this->_customer_id ? $this->_customer_id : $uid;
253	}
254
255	/**
256	* Cleanup session data from the database and clear caches.
257	*/
258	public function cleanup_sessions() {
259	global $wpdb;
260
261	$wpdb->query( $wpdb->prepare( "DELETE FROM $this->_table WHERE session_expiry < %d", time() ) ); // @codingStandardsIgnoreLine.
262
263	if ( class_exists( 'WC_Cache_Helper' ) ) {
264	WC_Cache_Helper::incr_cache_prefix( WC_SESSION_CACHE_GROUP );
265	}
266	}
267
268	/**
269	* Returns the session.
270	*
271	* @param string $customer_id Custo ID.
272	* @param mixed $default Default session value.
273	* @return string\|array
274	*/
275	public function get_session( $customer_id, $default = false ) {
276	global $wpdb;
277
278	if ( defined( 'WP_SETUP_CONFIG' ) ) {
279	return false;
280	}
281
282	// Try to get it from the cache, it will return false if not present or if object cache not in use.
283	$value = wp_cache_get( $this->get_cache_prefix() . $customer_id, WC_SESSION_CACHE_GROUP );
284
285	if ( false === $value ) {
286	$value = $wpdb->get_var( $wpdb->prepare( "SELECT session_value FROM $this->_table WHERE session_key = %s", $customer_id ) ); // @codingStandardsIgnoreLine.
287
288	if ( is_null( $value ) ) {
289	$value = $default;
290	}
291
292	wp_cache_add( $this->get_cache_prefix() . $customer_id, $value, WC_SESSION_CACHE_GROUP, $this->_session_expiration - time() );
293	}
294
295	return maybe_unserialize( $value );
296	}
297
298	/**
299	* Delete the session from the cache and database.
300	*
301	* @param int $customer_id Customer ID.
302	*/
303	public function delete_session( $customer_id ) {
304	global $wpdb;
305
306	wp_cache_delete( $this->get_cache_prefix() . $customer_id, WC_SESSION_CACHE_GROUP );
307
308	$wpdb->delete(
309	$this->_table,
310	array(
311	'session_key' => $customer_id,
312	)
313	);
314	}
315
316	/**
317	* Update the session expiry timestamp.
318	*
319	* @param string $customer_id Customer ID.
320	* @param int $timestamp Timestamp to expire the cookie.
321	*/
322	public function update_session_timestamp( $customer_id, $timestamp ) {
323	global $wpdb;
324
325	$wpdb->update(
326	$this->_table,
327	array(
328	'session_expiry' => $timestamp,
329	),
330	array(
331	'session_key' => $customer_id,
332	),
333	array(
334	'%d',
335	)
336	);
337	}
338	}
339