class-wc-session-handler.php — WooCommerce 8.0.0-rc.2

woocommerce / includes / class-wc-session-handler.php

woocommerce / includes Last commit date

class-wc-session-handler.php

506 lines

1	<?php
2	/**
3	* Handle data for the current customers session.
4	* Implements the WC_Session abstract class.
5	*
6	* From 2.5 this uses a custom table for session storage. Based on https://github.com/kloon/woocommerce-large-sessions.
7	*
8	* @class WC_Session_Handler
9	* @version 2.5.0
10	* @package WooCommerce\Classes
11	*/
12
13	use Automattic\Jetpack\Constants;
14
15	defined( 'ABSPATH' ) \|\| exit;
16
17	/**
18	* Session handler class.
19	*/
20	class WC_Session_Handler extends WC_Session {
21
22	/**
23	* Cookie name used for the session.
24	*
25	* @var string cookie name
26	*/
27	protected $_cookie;
28
29	/**
30	* Stores session expiry.
31	*
32	* @var string session due to expire timestamp
33	*/
34	protected $_session_expiring;
35
36	/**
37	* Stores session due to expire timestamp.
38	*
39	* @var string session expiration timestamp
40	*/
41	protected $_session_expiration;
42
43	/**
44	* True when the cookie exists.
45	*
46	* @var bool Based on whether a cookie exists.
47	*/
48	protected $_has_cookie = false;
49
50	/**
51	* Table name for session data.
52	*
53	* @var string Custom session table name
54	*/
55	protected $_table;
56
57	/**
58	* Constructor for the session class.
59	*/
60	public function __construct() {
61	$this->_cookie = apply_filters( 'woocommerce_cookie', 'wp_woocommerce_session_' . COOKIEHASH );
62	$this->_table = $GLOBALS['wpdb']->prefix . 'woocommerce_sessions';
63	}
64
65	/**
66	* Init hooks and session data.
67	*
68	* @since 3.3.0
69	*/
70	public function init() {
71	$this->init_session_cookie();
72
73	add_action( 'woocommerce_set_cart_cookies', array( $this, 'set_customer_session_cookie' ), 10 );
74	add_action( 'shutdown', array( $this, 'save_data' ), 20 );
75	add_action( 'wp_logout', array( $this, 'destroy_session' ) );
76
77	if ( ! is_user_logged_in() ) {
78	add_filter( 'nonce_user_logged_out', array( $this, 'maybe_update_nonce_user_logged_out' ), 10, 2 );
79	}
80	}
81
82	/**
83	* Setup cookie and customer ID.
84	*
85	* @since 3.6.0
86	*/
87	public function init_session_cookie() {
88	$cookie = $this->get_session_cookie();
89
90	if ( $cookie ) {
91	// Customer ID will be an MD5 hash id this is a guest session.
92	$this->_customer_id = $cookie[0];
93	$this->_session_expiration = $cookie[1];
94	$this->_session_expiring = $cookie[2];
95	$this->_has_cookie = true;
96	$this->_data = $this->get_session_data();
97
98	if ( ! $this->is_session_cookie_valid() ) {
99	$this->destroy_session();
100	$this->set_session_expiration();
101	}
102
103	// If the user logs in, update session.
104	if ( is_user_logged_in() && strval( get_current_user_id() ) !== $this->_customer_id ) {
105	$guest_session_id = $this->_customer_id;
106	$this->_customer_id = strval( get_current_user_id() );
107	$this->_dirty = true;
108	$this->save_data( $guest_session_id );
109	$this->set_customer_session_cookie( true );
110	}
111
112	// Update session if its close to expiring.
113	if ( time() > $this->_session_expiring ) {
114	$this->set_session_expiration();
115	$this->update_session_timestamp( $this->_customer_id, $this->_session_expiration );
116	}
117	} else {
118	$this->set_session_expiration();
119	$this->_customer_id = $this->generate_customer_id();
120	$this->_data = $this->get_session_data();
121	}
122	}
123
124	/**
125	* Checks if session cookie is expired, or belongs to a logged out user.
126	*
127	* @return bool Whether session cookie is valid.
128	*/
129	private function is_session_cookie_valid() {
130	// If session is expired, session cookie is invalid.
131	if ( time() > $this->_session_expiration ) {
132	return false;
133	}
134
135	// If user has logged out, session cookie is invalid.
136	if ( ! is_user_logged_in() && ! $this->is_customer_guest( $this->_customer_id ) ) {
137	return false;
138	}
139
140	// Session from a different user is not valid. (Although from a guest user will be valid)
141	if ( is_user_logged_in() && ! $this->is_customer_guest( $this->_customer_id ) && strval( get_current_user_id() ) !== $this->_customer_id ) {
142	return false;
143	}
144
145	return true;
146	}
147
148	/**
149	* Sets the session cookie on-demand (usually after adding an item to the cart).
150	*
151	* Since the cookie name (as of 2.1) is prepended with wp, cache systems like batcache will not cache pages when set.
152	*
153	* Warning: Cookies will only be set if this is called before the headers are sent.
154	*
155	* @param bool $set Should the session cookie be set.
156	*/
157	public function set_customer_session_cookie( $set ) {
158	if ( $set ) {
159	$to_hash = $this->_customer_id . '\|' . $this->_session_expiration;
160	$cookie_hash = hash_hmac( 'md5', $to_hash, wp_hash( $to_hash ) );
161	$cookie_value = $this->_customer_id . '\|\|' . $this->_session_expiration . '\|\|' . $this->_session_expiring . '\|\|' . $cookie_hash;
162	$this->_has_cookie = true;
163
164	if ( ! isset( $_COOKIE[ $this->_cookie ] ) \|\| $_COOKIE[ $this->_cookie ] !== $cookie_value ) {
165	wc_setcookie( $this->_cookie, $cookie_value, $this->_session_expiration, $this->use_secure_cookie(), true );
166	}
167	}
168	}
169
170	/**
171	* Should the session cookie be secure?
172	*
173	* @since 3.6.0
174	* @return bool
175	*/
176	protected function use_secure_cookie() {
177	return apply_filters( 'wc_session_use_secure_cookie', wc_site_is_https() && is_ssl() );
178	}
179
180	/**
181	* Return true if the current user has an active session, i.e. a cookie to retrieve values.
182	*
183	* @return bool
184	*/
185	public function has_session() {
186	return isset( $_COOKIE[ $this->_cookie ] ) \|\| $this->_has_cookie \|\| is_user_logged_in(); // @codingStandardsIgnoreLine.
187	}
188
189	/**
190	* Set session expiration.
191	*/
192	public function set_session_expiration() {
193	$this->_session_expiring = time() + intval( apply_filters( 'wc_session_expiring', 60 * 60 * 47 ) ); // 47 Hours.
194	$this->_session_expiration = time() + intval( apply_filters( 'wc_session_expiration', 60 * 60 * 48 ) ); // 48 Hours.
195	}
196
197	/**
198	* Generate a unique customer ID for guests, or return user ID if logged in.
199	*
200	* Uses Portable PHP password hashing framework to generate a unique cryptographically strong ID.
201	*
202	* @return string
203	*/
204	public function generate_customer_id() {
205	$customer_id = '';
206
207	if ( is_user_logged_in() ) {
208	$customer_id = strval( get_current_user_id() );
209	}
210
211	if ( empty( $customer_id ) ) {
212	require_once ABSPATH . 'wp-includes/class-phpass.php';
213	$hasher = new PasswordHash( 8, false );
214	$customer_id = 't_' . substr( md5( $hasher->get_random_bytes( 32 ) ), 2 );
215	}
216
217	return $customer_id;
218	}
219
220	/**
221	* Checks if this is an auto-generated customer ID.
222	*
223	* @param string\|int $customer_id Customer ID to check.
224	*
225	* @return bool Whether customer ID is randomly generated.
226	*/
227	private function is_customer_guest( $customer_id ) {
228	$customer_id = strval( $customer_id );
229
230	if ( empty( $customer_id ) ) {
231	return true;
232	}
233
234	if ( 't_' === substr( $customer_id, 0, 2 ) ) {
235	return true;
236	}
237
238	/**
239	* Legacy checks. This is to handle sessions that were created from a previous release.
240	* Maybe we can get rid of them after a few releases.
241	*/
242
243	// Almost all random $customer_ids will have some letters in it, while all actual ids will be integers.
244	if ( strval( (int) $customer_id ) !== $customer_id ) {
245	return true;
246	}
247
248	// Performance hack to potentially save a DB query, when same user as $customer_id is logged in.
249	if ( is_user_logged_in() && strval( get_current_user_id() ) === $customer_id ) {
250	return false;
251	} else {
252	$customer = new WC_Customer( $customer_id );
253
254	if ( 0 === $customer->get_id() ) {
255	return true;
256	}
257	}
258
259	return false;
260	}
261
262	/**
263	* Get session unique ID for requests if session is initialized or user ID if logged in.
264	* Introduced to help with unit tests.
265	*
266	* @since 5.3.0
267	* @return string
268	*/
269	public function get_customer_unique_id() {
270	$customer_id = '';
271
272	if ( $this->has_session() && $this->_customer_id ) {
273	$customer_id = $this->_customer_id;
274	} elseif ( is_user_logged_in() ) {
275	$customer_id = (string) get_current_user_id();
276	}
277
278	return $customer_id;
279	}
280
281	/**
282	* Get the session cookie, if set. Otherwise return false.
283	*
284	* Session cookies without a customer ID are invalid.
285	*
286	* @return bool\|array
287	*/
288	public function get_session_cookie() {
289	$cookie_value = isset( $_COOKIE[ $this->_cookie ] ) ? wp_unslash( $_COOKIE[ $this->_cookie ] ) : false; // @codingStandardsIgnoreLine.
290
291	if ( empty( $cookie_value ) \|\| ! is_string( $cookie_value ) ) {
292	return false;
293	}
294
295	$parsed_cookie = explode( '\|\|', $cookie_value );
296
297	if ( count( $parsed_cookie ) < 4 ) {
298	return false;
299	}
300
301	list( $customer_id, $session_expiration, $session_expiring, $cookie_hash ) = $parsed_cookie;
302
303	if ( empty( $customer_id ) ) {
304	return false;
305	}
306
307	// Validate hash.
308	$to_hash = $customer_id . '\|' . $session_expiration;
309	$hash = hash_hmac( 'md5', $to_hash, wp_hash( $to_hash ) );
310
311	if ( empty( $cookie_hash ) \|\| ! hash_equals( $hash, $cookie_hash ) ) {
312	return false;
313	}
314
315	return array( $customer_id, $session_expiration, $session_expiring, $cookie_hash );
316	}
317
318	/**
319	* Get session data.
320	*
321	* @return array
322	*/
323	public function get_session_data() {
324	return $this->has_session() ? (array) $this->get_session( $this->_customer_id, array() ) : array();
325	}
326
327	/**
328	* Gets a cache prefix. This is used in session names so the entire cache can be invalidated with 1 function call.
329	*
330	* @return string
331	*/
332	private function get_cache_prefix() {
333	return WC_Cache_Helper::get_cache_prefix( WC_SESSION_CACHE_GROUP );
334	}
335
336	/**
337	* Save data and delete guest session.
338	*
339	* @param int $old_session_key session ID before user logs in.
340	*/
341	public function save_data( $old_session_key = 0 ) {
342	// Dirty if something changed - prevents saving nothing new.
343	if ( $this->_dirty && $this->has_session() ) {
344	global $wpdb;
345
346	$wpdb->query(
347	$wpdb->prepare(
348	"INSERT INTO {$wpdb->prefix}woocommerce_sessions (`session_key`, `session_value`, `session_expiry`) VALUES (%s, %s, %d)
349	ON DUPLICATE KEY UPDATE `session_value` = VALUES(`session_value`), `session_expiry` = VALUES(`session_expiry`)",
350	$this->_customer_id,
351	maybe_serialize( $this->_data ),
352	$this->_session_expiration
353	)
354	);
355
356	wp_cache_set( $this->get_cache_prefix() . $this->_customer_id, $this->_data, WC_SESSION_CACHE_GROUP, $this->_session_expiration - time() );
357	$this->_dirty = false;
358	if ( get_current_user_id() != $old_session_key && ! is_object( get_user_by( 'id', $old_session_key ) ) ) {
359	$this->delete_session( $old_session_key );
360	}
361	}
362	}
363
364	/**
365	* Destroy all session data.
366	*/
367	public function destroy_session() {
368	$this->delete_session( $this->_customer_id );
369	$this->forget_session();
370	}
371
372	/**
373	* Forget all session data without destroying it.
374	*/
375	public function forget_session() {
376	wc_setcookie( $this->_cookie, '', time() - YEAR_IN_SECONDS, $this->use_secure_cookie(), true );
377
378	if ( ! is_admin() ) {
379	include_once WC_ABSPATH . 'includes/wc-cart-functions.php';
380
381	wc_empty_cart();
382	}
383
384	$this->_data = array();
385	$this->_dirty = false;
386	$this->_customer_id = $this->generate_customer_id();
387	}
388
389	/**
390	* When a user is logged out, ensure they have a unique nonce by using the customer/session ID.
391	*
392	* @deprecated 5.3.0
393	* @param int $uid User ID.
394	* @return int\|string
395	*/
396	public function nonce_user_logged_out( $uid ) {
397	wc_deprecated_function( 'WC_Session_Handler::nonce_user_logged_out', '5.3', 'WC_Session_Handler::maybe_update_nonce_user_logged_out' );
398
399	return $this->has_session() && $this->_customer_id ? $this->_customer_id : $uid;
400	}
401
402	/**
403	* When a user is logged out, ensure they have a unique nonce to manage cart and more using the customer/session ID.
404	* This filter runs everything `wp_verify_nonce()` and `wp_create_nonce()` gets called.
405	*
406	* @since 5.3.0
407	* @param int $uid User ID.
408	* @param string $action The nonce action.
409	* @return int\|string
410	*/
411	public function maybe_update_nonce_user_logged_out( $uid, $action ) {
412	if ( Automattic\WooCommerce\Utilities\StringUtil::starts_with( $action, 'woocommerce' ) ) {
413	return $this->has_session() && $this->_customer_id ? $this->_customer_id : $uid;
414	}
415
416	return $uid;
417	}
418
419	/**
420	* Cleanup session data from the database and clear caches.
421	*/
422	public function cleanup_sessions() {
423	global $wpdb;
424
425	$wpdb->query( $wpdb->prepare( "DELETE FROM $this->_table WHERE session_expiry < %d", time() ) ); // @codingStandardsIgnoreLine.
426
427	if ( class_exists( 'WC_Cache_Helper' ) ) {
428	WC_Cache_Helper::invalidate_cache_group( WC_SESSION_CACHE_GROUP );
429	}
430	}
431
432	/**
433	* Returns the session.
434	*
435	* @param string $customer_id Customer ID.
436	* @param mixed $default Default session value.
437	* @return string\|array
438	*/
439	public function get_session( $customer_id, $default = false ) {
440	global $wpdb;
441
442	if ( Constants::is_defined( 'WP_SETUP_CONFIG' ) ) {
443	return false;
444	}
445
446	// Try to get it from the cache, it will return false if not present or if object cache not in use.
447	$value = wp_cache_get( $this->get_cache_prefix() . $customer_id, WC_SESSION_CACHE_GROUP );
448
449	if ( false === $value ) {
450	$value = $wpdb->get_var( $wpdb->prepare( "SELECT session_value FROM $this->_table WHERE session_key = %s", $customer_id ) ); // @codingStandardsIgnoreLine.
451
452	if ( is_null( $value ) ) {
453	$value = $default;
454	}
455
456	$cache_duration = $this->_session_expiration - time();
457	if ( 0 < $cache_duration ) {
458	wp_cache_add( $this->get_cache_prefix() . $customer_id, $value, WC_SESSION_CACHE_GROUP, $cache_duration );
459	}
460	}
461
462	return maybe_unserialize( $value );
463	}
464
465	/**
466	* Delete the session from the cache and database.
467	*
468	* @param int $customer_id Customer ID.
469	*/
470	public function delete_session( $customer_id ) {
471	global $wpdb;
472
473	wp_cache_delete( $this->get_cache_prefix() . $customer_id, WC_SESSION_CACHE_GROUP );
474
475	$wpdb->delete(
476	$this->_table,
477	array(
478	'session_key' => $customer_id,
479	)
480	);
481	}
482
483	/**
484	* Update the session expiry timestamp.
485	*
486	* @param string $customer_id Customer ID.
487	* @param int $timestamp Timestamp to expire the cookie.
488	*/
489	public function update_session_timestamp( $customer_id, $timestamp ) {
490	global $wpdb;
491
492	$wpdb->update(
493	$this->_table,
494	array(
495	'session_expiry' => $timestamp,
496	),
497	array(
498	'session_key' => $customer_id,
499	),
500	array(
501	'%d',
502	)
503	);
504	}
505	}
506