Source for file Session.php

Documentation is available at Session.php

1: <?php
2:
3: /**
4: * Nette Framework
5: *
6: * Copyright (c) 2004, 2009 David Grudl (http://davidgrudl.com)
7: *
8: * This source file is subject to the "Nette license" that is bundled
9: * with this package in the file license.txt.
10: *
11: * For more information please see https://nette.org
12: *
13: * @copyright Copyright (c) 2004, 2009 David Grudl
14: * @license https://nette.org/license Nette license
15: * @link https://nette.org
16: * @category Nette
17: * @package Nette\Web
18: * @version $Id$
19: */
20:
21:
22:
23: require_once dirname(__FILE__) . '/../Object.php';
24:
25:
26:
27: /**
28: * Provides access to session namespaces as well as session settings and management methods.
29: *
30: * @author David Grudl
31: * @copyright Copyright (c) 2004, 2009 David Grudl
32: * @package Nette\Web
33: */
34: class Session extends Object
35: {
36: /** Default file lifetime is 3 hours */
37: const DEFAULT_FILE_LIFETIME = 10800;
38:
39: /** @var callback Validation key generator */
40: public $verificationKeyGenerator;
41:
42: /** @var bool is required session ID regeneration? */
43: private $regenerationNeeded;
44:
45: /** @var bool has been session started? */
46: private static $started;
47:
48: /** @var array default configuration */
49: private static $defaultConfig = array(
50: // security
51: 'session.referer_check' => '', // must be disabled because PHP implementation is invalid
52: 'session.use_cookies' => 1, // must be enabled to prevent Session Hijacking and Fixation
53: 'session.use_only_cookies' => 1, // must be enabled to prevent Session Fixation
54: 'session.use_trans_sid' => 0, // must be disabled to prevent Session Hijacking and Fixation
55:
56: // cookies
57: 'session.cookie_lifetime' => 0, // until the browser is closed
58: 'session.cookie_path' => '/', // cookie is available within the entire domain
59: 'session.cookie_domain' => '', // cookie is available on current subdomain only
60: 'session.cookie_secure' => FALSE, // cookie is available on HTTP & HTTPS
61: 'session.cookie_httponly' => TRUE,// must be enabled to prevent Session Fixation
62:
63: // other
64: 'session.gc_maxlifetime' => self::DEFAULT_FILE_LIFETIME,// 3 hours
65: 'session.cache_limiter' => NULL, // (default "nocache", special value "\0")
66: 'session.cache_expire' => NULL, // (default "180")
67: 'session.hash_function' => NULL, // (default "0", means MD5)
68: 'session.hash_bits_per_character' => NULL, // (default "4")
69: );
70:
71:
72:
73: public function __construct()
74: {
75: $this->verificationKeyGenerator = array($this, 'generateVerificationKey');
76: }
77:
78:
79:
80: /**
81: * Starts and initializes session data.
82: * @throws InvalidStateException
83: * @return void
84: */
85: public function start()
86: {
87: if (self::$started) {
88: throw new InvalidStateException('Session has already been started.');
89:
90: } elseif (self::$started === NULL && defined('SID')) {
91: throw new InvalidStateException('A session had already been started by session.auto-start or session_start().');
92: }
93:
94:
95: // additional protection against Session Hijacking & Fixation
96: if ($this->verificationKeyGenerator) {
97: fixCallback($this->verificationKeyGenerator);
98: if (!is_callable($this->verificationKeyGenerator)) {
99: $able = is_callable($this->verificationKeyGenerator, TRUE, $textual);
100: throw new InvalidStateException("Verification key generator '$textual' is not " . ($able ? 'callable.' : 'valid PHP callback.'));
101: }
102: }
103:
104:
105: // start session
106: $this->configure(self::$defaultConfig, FALSE);
107:
108: Tools::tryError();
109: session_start();
110: if (Tools::catchError($msg)) {
111: @session_write_close(); // this is needed
112: throw new InvalidStateException($msg);
113: }
114:
115: self::$started = TRUE;
116: if ($this->regenerationNeeded) {
117: session_regenerate_id(TRUE);
118: $this->regenerationNeeded = FALSE;
119: }
120:
121: /* structure:
122: nette: __NT
123: data: __NS->namespace->variable = data
124: meta: __NM->namespace->EXP->variable = timestamp
125: */
126:
127: // initialize structures
128: $verKey = $this->verificationKeyGenerator ? (string) call_user_func($this->verificationKeyGenerator) : '';
129: if (!isset($_SESSION['__NT']['V'])) { // new session
130: $_SESSION['__NT'] = array();
131: $_SESSION['__NT']['C'] = 0;
132: $_SESSION['__NT']['V'] = $verKey;
133:
134: } else {
135: $saved = & $_SESSION['__NT']['V'];
136: if ($saved === $verKey) { // verified
137: $_SESSION['__NT']['C']++;
138:
139: } else { // session attack?
140: session_regenerate_id(TRUE);
141: $_SESSION = array();
142: $_SESSION['__NT']['C'] = 0;
143: $_SESSION['__NT']['V'] = $verKey;
144: }
145: }
146:
147: // browser closing detection
148: $browserKey = $this->getHttpRequest()->getCookie('nette-browser');
149: if (!$browserKey) {
150: $browserKey = (string) lcg_value();
151: }
152: $browserClosed = !isset($_SESSION['__NT']['B']) || $_SESSION['__NT']['B'] !== $browserKey;
153: $_SESSION['__NT']['B'] = $browserKey;
154:
155: // resend cookie
156: $this->sendCookie();
157:
158: // process meta metadata
159: if (isset($_SESSION['__NM'])) {
160: $now = time();
161:
162: // expire namespace variables
163: foreach ($_SESSION['__NM'] as $namespace => $metadata) {
164: if (isset($metadata['EXP'])) {
165: foreach ($metadata['EXP'] as $variable => $time) {
166: if ((!$time && $browserClosed) || ($time && $now > $time)) {
167: if ($variable === '') { // expire whole namespace
168: unset($_SESSION['__NM'][$namespace], $_SESSION['__NS'][$namespace]);
169: continue 2;
170: }
171: unset($_SESSION['__NS'][$namespace][$variable],
172: $_SESSION['__NM'][$namespace]['EXP'][$variable]);
173: }
174: }
175: }
176: }
177: }
178:
179: register_shutdown_function(array($this, 'clean'));
180: }
181:
182:
183:
184: /**
185: * Has been session started?
186: * @return bool
187: */
188: public function isStarted()
189: {
190: return (bool) self::$started;
191: }
192:
193:
194:
195: /**
196: * Ends the current session and store session data.
197: * @return void
198: */
199: public function close()
200: {
201: if (self::$started) {
202: session_write_close();
203: self::$started = FALSE;
204: }
205: }
206:
207:
208:
209: /**
210: * Destroys all data registered to a session.
211: * @return void
212: */
213: public function destroy()
214: {
215: if (!self::$started) {
216: throw new InvalidStateException('Session is not started.');
217: }
218:
219: session_destroy();
220: $_SESSION = NULL;
221: self::$started = FALSE;
222: if (!headers_sent()) {
223: $params = session_get_cookie_params();
224: $this->getHttpResponse()->deleteCookie(session_name(), $params['path'], $params['domain'], $params['secure']);
225: }
226: }
227:
228:
229:
230: /**
231: * Does session exists for the current request?
232: * @return bool
233: */
234: public function exists()
235: {
236: return self::$started || $this->getHttpRequest()->getCookie(session_name()) !== NULL;
237: }
238:
239:
240:
241: /**
242: * Regenerates the session ID.
243: * @throws InvalidStateException
244: * @return void
245: */
246: public function regenerateId()
247: {
248: if (self::$started) {
249: if (headers_sent($file, $line)) {
250: throw new InvalidStateException("Cannot regenerate session ID after HTTP headers have been sent" . ($file ? " (output started at $file:$line)." : "."));
251: }
252: $_SESSION['__NT']['V'] = $this->verificationKeyGenerator ? (string) call_user_func($this->verificationKeyGenerator) : '';
253: session_regenerate_id(TRUE);
254:
255: } else {
256: $this->regenerationNeeded = TRUE;
257: }
258: }
259:
260:
261:
262: /**
263: * Sets the session ID to a specified one.
264: * @deprecated
265: */
266: public function setId($id)
267: {
268: throw new DeprecatedException('Method '.__METHOD__.'() is deprecated.');
269: }
270:
271:
272:
273: /**
274: * Returns the current session ID. Don't make dependencies, can be changed for each request.
275: * @return string
276: */
277: public function getId()
278: {
279: return session_id();
280: }
281:
282:
283:
284: /**
285: * Sets the session name to a specified one.
286: * @param string
287: * @return void
288: */
289: public function setName($name)
290: {
291: if (!is_string($name) || !preg_match('#[^0-9.][^.]*$#A', $name)) {
292: throw new InvalidArgumentException('Session name must be a string and cannot contain dot.');
293: }
294:
295: $this->configure(array(
296: 'session.name' => $name,
297: ));
298: }
299:
300:
301:
302: /**
303: * Gets the session name.
304: * @return string
305: */
306: public function getName()
307: {
308: return session_name();
309: }
310:
311:
312:
313: /**
314: * Generates key as protection against Session Hijacking & Fixation.
315: * @return string
316: */
317: public function generateVerificationKey()
318: {
319: $list = array('Accept-Charset', 'Accept-Encoding', 'Accept-Language', 'User-Agent');
320: $key = array();
321: $httpRequest = $this->getHttpRequest();
322: foreach ($list as $header) {
323: $key[] = $httpRequest->getHeader($header);
324: }
325: return md5(implode("\0", $key));
326: }
327:
328:
329:
330: /********************* namespaces management ****************d*g**/
331:
332:
333:
334: /**
335: * Returns specified session namespace.
336: * @param string
337: * @param string
338: * @return SessionNamespace
339: * @throws InvalidArgumentException
340: */
341: public function getNamespace($namespace, $class = 'SessionNamespace')
342: {
343: if (!is_string($namespace) || $namespace === '') {
344: throw new InvalidArgumentException('Session namespace must be a non-empty string.');
345: }
346:
347: if (!self::$started) {
348: $this->start();
349: }
350:
351: return new $class($_SESSION['__NS'][$namespace], $_SESSION['__NM'][$namespace]);
352: }
353:
354:
355:
356: /**
357: * Checks if a session namespace exist and is not empty.
358: * @param string
359: * @return bool
360: */
361: public function hasNamespace($namespace)
362: {
363: if ($this->exists() && !self::$started) {
364: $this->start();
365: }
366:
367: return !empty($_SESSION['__NS'][$namespace]);
368: }
369:
370:
371:
372: /**
373: * Iteration over all namespaces.
374: * @return ArrayIterator
375: */
376: public function getIterator()
377: {
378: if ($this->exists() && !self::$started) {
379: $this->start();
380: }
381:
382: if (isset($_SESSION['__NS'])) {
383: return new ArrayIterator(array_keys($_SESSION['__NS']));
384:
385: } else {
386: return new ArrayIterator;
387: }
388: }
389:
390:
391:
392: /**
393: * Cleans and minimizes meta structures.
394: * @return void
395: */
396: public function clean()
397: {
398: if (!self::$started || empty($_SESSION)) {
399: return;
400: }
401:
402: if (isset($_SESSION['__NM']) && is_array($_SESSION['__NM'])) {
403: foreach ($_SESSION['__NM'] as $name => $foo) {
404: if (empty($_SESSION['__NM'][$name]['EXP'])) {
405: unset($_SESSION['__NM'][$name]['EXP']);
406: }
407:
408: if (empty($_SESSION['__NM'][$name])) {
409: unset($_SESSION['__NM'][$name]);
410: }
411: }
412: }
413:
414: if (empty($_SESSION['__NM'])) {
415: unset($_SESSION['__NM']);
416: }
417:
418: if (empty($_SESSION['__NS'])) {
419: unset($_SESSION['__NS']);
420: }
421:
422: if (empty($_SESSION)) {
423: //$this->destroy(); only when shutting down
424: }
425: }
426:
427:
428:
429: /********************* configuration ****************d*g**/
430:
431:
432:
433: /**
434: * Configurates session environment.
435: * @param array
436: * @param bool throw exception?
437: * @return void
438: * @throws NotSupportedException
439: * @throws InvalidStateException
440: */
441: public function configure(array $config, $throwException = TRUE)
442: {
443: $special = array('session.cache_expire' => 1, 'session.cache_limiter' => 1,
444: 'session.save_path' => 1, 'session.name' => 1);
445:
446: foreach ($config as $key => $value) {
447: unset(self::$defaultConfig[$key]); // prevents overwriting
448:
449: if ($value === NULL) {
450: continue;
451:
452: } elseif (isset($special[$key])) {
453: if (self::$started) {
454: throw new InvalidStateException('Session has already been started.');
455: }
456: $key = strtr($key, '.', '_');
457: $key($value);
458:
459: } elseif (strncmp($key, 'session.cookie_', 15) === 0) {
460: if (!isset($cookie)) {
461: $cookie = session_get_cookie_params();
462: }
463: $cookie[substr($key, 15)] = $value;
464:
465: } elseif (!function_exists('ini_set')) {
466: if ($throwException && ini_get($key) != $value) { // intentionally ==
467: throw new NotSupportedException('Required function ini_set() is disabled.');
468: }
469:
470: } else {
471: if (self::$started) {
472: throw new InvalidStateException('Session has already been started.');
473: }
474: ini_set($key, $value);
475: }
476: }
477:
478: if (isset($cookie)) {
479: session_set_cookie_params($cookie['lifetime'], $cookie['path'], $cookie['domain'], $cookie['secure'], $cookie['httponly']);
480: if (self::$started) {
481: $this->sendCookie();
482: }
483: }
484: }
485:
486:
487:
488: /**
489: * Sets the amount of time allowed between requests before the session will be terminated.
490: * @param int number of seconds, value 0 means "until the browser is closed"
491: * @return void
492: */
493: public function setExpiration($seconds)
494: {
495: if ($seconds <= 0) {
496: $this->configure(array(
497: 'session.gc_maxlifetime' => self::DEFAULT_FILE_LIFETIME,
498: 'session.cookie_lifetime' => 0,
499: ));
500:
501: } else {
502: if ($seconds > Tools::YEAR) {
503: $seconds -= time();
504: }
505: $this->configure(array(
506: 'session.gc_maxlifetime' => $seconds,
507: 'session.cookie_lifetime' => $seconds,
508: ));
509: }
510: }
511:
512:
513:
514: /**
515: * Sets the session cookie parameters.
516: * @param string path
517: * @param string domain
518: * @param bool secure
519: * @return void
520: */
521: public function setCookieParams($path, $domain = NULL, $secure = NULL)
522: {
523: $this->configure(array(
524: 'session.cookie_path' => $path,
525: 'session.cookie_domain' => $domain,
526: 'session.cookie_secure' => $secure
527: ));
528: }
529:
530:
531:
532: /**
533: * Returns the session cookie parameters.
534: * @return array containing items: lifetime, path, domain, secure, httponly
535: */
536: public function getCookieParams()
537: {
538: return session_get_cookie_params();
539: }
540:
541:
542:
543: /**
544: * Sets path of the directory used to save session data.
545: * @return void
546: */
547: public function setSavePath($path)
548: {
549: $this->configure(array(
550: 'session.save_path' => $path,
551: ));
552: }
553:
554:
555:
556: /**
557: * Sends the session cookies.
558: * @return void
559: */
560: private function sendCookie()
561: {
562: $cookie = $this->getCookieParams();
563: $this->getHttpResponse()->setCookie(session_name(), session_id(), $cookie['lifetime'], $cookie['path'], $cookie['domain'], $cookie['secure'], $cookie['httponly']);
564: $this->getHttpResponse()->setCookie('nette-browser', $_SESSION['__NT']['B'], HttpResponse::BROWSER, $cookie['path'], $cookie['domain'], $cookie['secure'], $cookie['httponly']);
565: }
566:
567:
568:
569: /********************* backend ****************d*g**/
570:
571:
572:
573: /**
574: * @return IHttpRequest
575: */
576: protected function getHttpRequest()
577: {
578: return Environment::getHttpRequest();
579: }
580:
581:
582:
583: /**
584: * @return IHttpResponse
585: */
586: protected function getHttpResponse()
587: {
588: return Environment::getHttpResponse();
589: }
590:
591: }

Source for file Session.php

Namespaces