class-wc-session-handler.php — WooCommerce 4.4.0-rc.1

woocommerce / includes / class-wc-session-handler.php

woocommerce / includes Last commit date

class-wc-session-handler.php

385 lines

1	<?php
2	/**
3	* Handle data for the current customers session.
4	* Implements the WC_Session abstract class.
5	*
6	* From 2.5 this uses a custom table for session storage. Based on https://github.com/kloon/woocommerce-large-sessions.
7	*
8	* @class WC_Session_Handler
9	* @version 2.5.0
10	* @package WooCommerce/Classes
11	*/
12
13	use Automattic\Jetpack\Constants;
14
15	defined( 'ABSPATH' ) \|\| exit;
16
17	/**
18	* Session handler class.
19	*/
20	class WC_Session_Handler extends WC_Session {
21
22	/**
23	* Cookie name used for the session.
24	*
25	* @var string cookie name
26	*/
27	protected $_cookie;
28
29	/**
30	* Stores session expiry.
31	*
32	* @var string session due to expire timestamp
33	*/
34	protected $_session_expiring;
35
36	/**
37	* Stores session due to expire timestamp.
38	*
39	* @var string session expiration timestamp
40	*/
41	protected $_session_expiration;
42
43	/**
44	* True when the cookie exists.
45	*
46	* @var bool Based on whether a cookie exists.
47	*/
48	protected $_has_cookie = false;
49
50	/**
51	* Table name for session data.
52	*
53	* @var string Custom session table name
54	*/
55	protected $_table;
56
57	/**
58	* Constructor for the session class.
59	*/
60	public function __construct() {
61	$this->_cookie = apply_filters( 'woocommerce_cookie', 'wp_woocommerce_session_' . COOKIEHASH );
62	$this->_table = $GLOBALS['wpdb']->prefix . 'woocommerce_sessions';
63	}
64
65	/**
66	* Init hooks and session data.
67	*
68	* @since 3.3.0
69	*/
70	public function init() {
71	$this->init_session_cookie();
72
73	add_action( 'woocommerce_set_cart_cookies', array( $this, 'set_customer_session_cookie' ), 10 );
74	add_action( 'shutdown', array( $this, 'save_data' ), 20 );
75	add_action( 'wp_logout', array( $this, 'destroy_session' ) );
76
77	if ( ! is_user_logged_in() ) {
78	add_filter( 'nonce_user_logged_out', array( $this, 'nonce_user_logged_out' ) );
79	}
80	}
81
82	/**
83	* Setup cookie and customer ID.
84	*
85	* @since 3.6.0
86	*/
87	public function init_session_cookie() {
88	$cookie = $this->get_session_cookie();
89
90	if ( $cookie ) {
91	$this->_customer_id = $cookie[0];
92	$this->_session_expiration = $cookie[1];
93	$this->_session_expiring = $cookie[2];
94	$this->_has_cookie = true;
95	$this->_data = $this->get_session_data();
96
97	// If the user logs in, update session.
98	if ( is_user_logged_in() && strval( get_current_user_id() ) !== $this->_customer_id ) {
99	$guest_session_id = $this->_customer_id;
100	$this->_customer_id = strval( get_current_user_id() );
101	$this->_dirty = true;
102	$this->save_data( $guest_session_id );
103	$this->set_customer_session_cookie( true );
104	}
105
106	// Update session if its close to expiring.
107	if ( time() > $this->_session_expiring ) {
108	$this->set_session_expiration();
109	$this->update_session_timestamp( $this->_customer_id, $this->_session_expiration );
110	}
111	} else {
112	$this->set_session_expiration();
113	$this->_customer_id = $this->generate_customer_id();
114	$this->_data = $this->get_session_data();
115	}
116	}
117
118	/**
119	* Sets the session cookie on-demand (usually after adding an item to the cart).
120	*
121	* Since the cookie name (as of 2.1) is prepended with wp, cache systems like batcache will not cache pages when set.
122	*
123	* Warning: Cookies will only be set if this is called before the headers are sent.
124	*
125	* @param bool $set Should the session cookie be set.
126	*/
127	public function set_customer_session_cookie( $set ) {
128	if ( $set ) {
129	$to_hash = $this->_customer_id . '\|' . $this->_session_expiration;
130	$cookie_hash = hash_hmac( 'md5', $to_hash, wp_hash( $to_hash ) );
131	$cookie_value = $this->_customer_id . '\|\|' . $this->_session_expiration . '\|\|' . $this->_session_expiring . '\|\|' . $cookie_hash;
132	$this->_has_cookie = true;
133
134	if ( ! isset( $_COOKIE[ $this->_cookie ] ) \|\| $_COOKIE[ $this->_cookie ] !== $cookie_value ) {
135	wc_setcookie( $this->_cookie, $cookie_value, $this->_session_expiration, $this->use_secure_cookie(), true );
136	}
137	}
138	}
139
140	/**
141	* Should the session cookie be secure?
142	*
143	* @since 3.6.0
144	* @return bool
145	*/
146	protected function use_secure_cookie() {
147	return apply_filters( 'wc_session_use_secure_cookie', wc_site_is_https() && is_ssl() );
148	}
149
150	/**
151	* Return true if the current user has an active session, i.e. a cookie to retrieve values.
152	*
153	* @return bool
154	*/
155	public function has_session() {
156	return isset( $_COOKIE[ $this->_cookie ] ) \|\| $this->_has_cookie \|\| is_user_logged_in(); // @codingStandardsIgnoreLine.
157	}
158
159	/**
160	* Set session expiration.
161	*/
162	public function set_session_expiration() {
163	$this->_session_expiring = time() + intval( apply_filters( 'wc_session_expiring', 60 * 60 * 47 ) ); // 47 Hours.
164	$this->_session_expiration = time() + intval( apply_filters( 'wc_session_expiration', 60 * 60 * 48 ) ); // 48 Hours.
165	}
166
167	/**
168	* Generate a unique customer ID for guests, or return user ID if logged in.
169	*
170	* Uses Portable PHP password hashing framework to generate a unique cryptographically strong ID.
171	*
172	* @return string
173	*/
174	public function generate_customer_id() {
175	$customer_id = '';
176
177	if ( is_user_logged_in() ) {
178	$customer_id = strval( get_current_user_id() );
179	}
180
181	if ( empty( $customer_id ) ) {
182	require_once ABSPATH . 'wp-includes/class-phpass.php';
183	$hasher = new PasswordHash( 8, false );
184	$customer_id = md5( $hasher->get_random_bytes( 32 ) );
185	}
186
187	return $customer_id;
188	}
189
190	/**
191	* Get the session cookie, if set. Otherwise return false.
192	*
193	* Session cookies without a customer ID are invalid.
194	*
195	* @return bool\|array
196	*/
197	public function get_session_cookie() {
198	$cookie_value = isset( $_COOKIE[ $this->_cookie ] ) ? wp_unslash( $_COOKIE[ $this->_cookie ] ) : false; // @codingStandardsIgnoreLine.
199
200	if ( empty( $cookie_value ) \|\| ! is_string( $cookie_value ) ) {
201	return false;
202	}
203
204	list( $customer_id, $session_expiration, $session_expiring, $cookie_hash ) = explode( '\|\|', $cookie_value );
205
206	if ( empty( $customer_id ) ) {
207	return false;
208	}
209
210	// Validate hash.
211	$to_hash = $customer_id . '\|' . $session_expiration;
212	$hash = hash_hmac( 'md5', $to_hash, wp_hash( $to_hash ) );
213
214	if ( empty( $cookie_hash ) \|\| ! hash_equals( $hash, $cookie_hash ) ) {
215	return false;
216	}
217
218	return array( $customer_id, $session_expiration, $session_expiring, $cookie_hash );
219	}
220
221	/**
222	* Get session data.
223	*
224	* @return array
225	*/
226	public function get_session_data() {
227	return $this->has_session() ? (array) $this->get_session( $this->_customer_id, array() ) : array();
228	}
229
230	/**
231	* Gets a cache prefix. This is used in session names so the entire cache can be invalidated with 1 function call.
232	*
233	* @return string
234	*/
235	private function get_cache_prefix() {
236	return WC_Cache_Helper::get_cache_prefix( WC_SESSION_CACHE_GROUP );
237	}
238
239	/**
240	* Save data and delete guest session.
241	*
242	* @param int $old_session_key session ID before user logs in.
243	*/
244	public function save_data( $old_session_key = 0 ) {
245	// Dirty if something changed - prevents saving nothing new.
246	if ( $this->_dirty && $this->has_session() ) {
247	global $wpdb;
248
249	$wpdb->query(
250	$wpdb->prepare(
251	"INSERT INTO {$wpdb->prefix}woocommerce_sessions (`session_key`, `session_value`, `session_expiry`) VALUES (%s, %s, %d)
252	ON DUPLICATE KEY UPDATE `session_value` = VALUES(`session_value`), `session_expiry` = VALUES(`session_expiry`)",
253	$this->_customer_id,
254	maybe_serialize( $this->_data ),
255	$this->_session_expiration
256	)
257	);
258
259	wp_cache_set( $this->get_cache_prefix() . $this->_customer_id, $this->_data, WC_SESSION_CACHE_GROUP, $this->_session_expiration - time() );
260	$this->_dirty = false;
261	if ( get_current_user_id() != $old_session_key && ! is_object( get_user_by( 'id', $old_session_key ) ) ) {
262	$this->delete_session( $old_session_key );
263	}
264	}
265	}
266
267	/**
268	* Destroy all session data.
269	*/
270	public function destroy_session() {
271	$this->delete_session( $this->_customer_id );
272	$this->forget_session();
273	}
274
275	/**
276	* Forget all session data without destroying it.
277	*/
278	public function forget_session() {
279	wc_setcookie( $this->_cookie, '', time() - YEAR_IN_SECONDS, $this->use_secure_cookie(), true );
280
281	wc_empty_cart();
282
283	$this->_data = array();
284	$this->_dirty = false;
285	$this->_customer_id = $this->generate_customer_id();
286	}
287
288	/**
289	* When a user is logged out, ensure they have a unique nonce by using the customer/session ID.
290	*
291	* @param int $uid User ID.
292	* @return string
293	*/
294	public function nonce_user_logged_out( $uid ) {
295	return $this->has_session() && $this->_customer_id ? $this->_customer_id : $uid;
296	}
297
298	/**
299	* Cleanup session data from the database and clear caches.
300	*/
301	public function cleanup_sessions() {
302	global $wpdb;
303
304	$wpdb->query( $wpdb->prepare( "DELETE FROM $this->_table WHERE session_expiry < %d", time() ) ); // @codingStandardsIgnoreLine.
305
306	if ( class_exists( 'WC_Cache_Helper' ) ) {
307	WC_Cache_Helper::invalidate_cache_group( WC_SESSION_CACHE_GROUP );
308	}
309	}
310
311	/**
312	* Returns the session.
313	*
314	* @param string $customer_id Custo ID.
315	* @param mixed $default Default session value.
316	* @return string\|array
317	*/
318	public function get_session( $customer_id, $default = false ) {
319	global $wpdb;
320
321	if ( Constants::is_defined( 'WP_SETUP_CONFIG' ) ) {
322	return false;
323	}
324
325	// Try to get it from the cache, it will return false if not present or if object cache not in use.
326	$value = wp_cache_get( $this->get_cache_prefix() . $customer_id, WC_SESSION_CACHE_GROUP );
327
328	if ( false === $value ) {
329	$value = $wpdb->get_var( $wpdb->prepare( "SELECT session_value FROM $this->_table WHERE session_key = %s", $customer_id ) ); // @codingStandardsIgnoreLine.
330
331	if ( is_null( $value ) ) {
332	$value = $default;
333	}
334
335	$cache_duration = $this->_session_expiration - time();
336	if ( 0 < $cache_duration ) {
337	wp_cache_add( $this->get_cache_prefix() . $customer_id, $value, WC_SESSION_CACHE_GROUP, $cache_duration );
338	}
339	}
340
341	return maybe_unserialize( $value );
342	}
343
344	/**
345	* Delete the session from the cache and database.
346	*
347	* @param int $customer_id Customer ID.
348	*/
349	public function delete_session( $customer_id ) {
350	global $wpdb;
351
352	wp_cache_delete( $this->get_cache_prefix() . $customer_id, WC_SESSION_CACHE_GROUP );
353
354	$wpdb->delete(
355	$this->_table,
356	array(
357	'session_key' => $customer_id,
358	)
359	);
360	}
361
362	/**
363	* Update the session expiry timestamp.
364	*
365	* @param string $customer_id Customer ID.
366	* @param int $timestamp Timestamp to expire the cookie.
367	*/
368	public function update_session_timestamp( $customer_id, $timestamp ) {
369	global $wpdb;
370
371	$wpdb->update(
372	$this->_table,
373	array(
374	'session_expiry' => $timestamp,
375	),
376	array(
377	'session_key' => $customer_id,
378	),
379	array(
380	'%d',
381	)
382	);
383	}
384	}
385