PageRenderTime 33ms CodeModel.GetById 7ms RepoModel.GetById 0ms app.codeStats 0ms

/SPF_Session.php

http://spf-php.googlecode.com/
PHP | 336 lines | 106 code | 60 blank | 170 comment | 13 complexity | 77f1fb6240e5afc46e0bb739a69b8075 MD5 | raw file
    

  1. <?php

    2. 

  2. /**

    3. 

  3.  * SPF_Session

    4. 

  4.  * @package    spf 

    5. 

  5.  * @author     Simon Downes <simon@simondownes.co.uk>

    6. 

  6.  * @copyright  Copyright (c) 2007, Simon Downes 

    7. 

  7.  * @license    http://www.opensource.org/licenses/mit-license.php

    8. 

  8.  */

    9. 

  9. 

    10. 

  10. /**

    11. 

  11.  * Base session management class.

    12. 

  12.  * As a basic session hijacking prevention technique, the $_SESSION['HTTP_USER_AGENT']

    13. 

  13.  * variable must remain constant between requests using the same session id.

    14. 

  14.  * 

    15. 

  15.  * TODO: split functionality out into native and database drivers.

    16. 

  16.  *

    17. 

  17.  * @final

    18. 

  18.  * @package    spf 

    19. 

  19.  * @author     Simon Downes <simon@simondownes.co.uk>

    20. 

  20.  * @copyright  Copyright (c) 2007, Simon Downes 

    21. 

  21.  * @license    http://www.opensource.org/licenses/mit-license.php

    22. 

  22.  */

    23. 

  23. final class SPF_Session extends SPF_Object {

    24. 

  24. 

    25. 

  25.    /**

    26. 

  26.     * The session id assigned by PHP (usually a 32 character alpha-numeric string).

    27. 

  27.     * @var     string

    28. 

  28.     */

    29. 

  29.    public $session_id;

    30. 

  30. 

    31. 

  31.    /**

    32. 

  32.     * The name of the session.

    33. 

  33.     * This is the name of the cookie on client machines used to hold the session id.

    34. 

  34.     * @var     string

    35. 

  35.     */

    36. 

  36.    public $session_name;

    37. 

  37. 

    38. 

  38.    /**

    39. 

  39.     * Maximum number of seconds allowed between requests using the same session.

    40. 

  40.     * @var     integer

    41. 

  41.     */

    42. 

  42.    public $lifetime;

    43. 

  43. 

    44. 

  44.    /**

    45. 

  45.     * Constructor.

    46. 

  46.     * Session is initialised automatically upon creation of the object.    

    47. 

  47.     *

    48. 

  48.     * @param   string    $name       name of the cookie used to store the session id on the client.

    49. 

  49.     * @param   integer   $lifetime   maximum number of seconds allowed between requests using the same session.    

    50. 

  50.     * @return  void

    51. 

  51.     */

    52. 

  52.    public function __construct( $name = '', $lifetime = 0 ) {

    53. 

  53.       

    54. 

  54.       parent::__construct();

    55. 

  55.       

    56. 

  56.       // initialise the session

    57. 

  57.       $this->session_name = $name ? $name : 'SPF_SESSION';

    58. 

  58.       $this->lifetime     = (int) $lifetime;

    59. 

  59.       

    60. 

  60.       $this->start();

    61. 

  61. 

    62. 

  62.    } // __construct

    63. 

  63. 

    64. 

  64.    /**

    65. 

  65.     * Destructor.

    66. 

  66.     *

    67. 

  67.     * @return  void

    68. 

  68.     */

    69. 

  69.    public function __destruct() {

    70. 

  70.       // write and pending data to storage

    71. 

  71.       session_write_close();

    72. 

  72.       parent::__destruct();

    73. 

  73.    }

    74. 

  74. 

    75. 

  75.    /**

    76. 

  76.     * Disable PHP5's cloning method so people can't make copies of the session instance.

    77. 

  77.     *

    78. 

  78.     * @return  void

    79. 

  79.    */

    80. 

  80.    public function __clone() {

    81. 

  81.       throw new SPF_Session_Exception('Object cloning is not allowed for '. __CLASS__);

    82. 

  82.    }

    83. 

  83. 

    84. 

  84.    /**

    85. 

  85.     * Stores a name/value pair in the session.

    86. 

  86.     *

    87. 

  87.     * Using PHP5's overloading for setting and getting variables we can

    88. 

  88.     * use $session->var = $val and have it stored in the $_SESSION

    89. 

  89.     * variable. To set an email address, for instance you would do the

    90. 

  90.     * following:

    91. 

  91.     *

    92. 

  92.     * <code>

    93. 

  93.     * $session->email = 'user@example.com';

    94. 

  94.     * </code>

    95. 

  95.     *

    96. 

  96.     * This doesn't actually store 'user@example.com' into $session->email,

    97. 

  97.     * rather it is stored in $_SESSION['email'].

    98. 

  98.     *

    99. 

  99.     * @param   string    $var   the name of the variable to be stored.

    100. 

  100.     * @param   mixed     $val   the value to be stored.

    101. 

  101.     * @return  void

    102. 

  102.     * @link    http://us3.php.net/manual/en/language.oop5.overloading.php

    103. 

  103.     */

    104. 

  104.    public function __set( $var, $val ) {

    105. 

  105.       $_SESSION[$var] = $val;

    106. 

  106.    }

    107. 

  107. 

    108. 

  108.    /**

    109. 

  109.     * Returns the requested session variable.

    110. 

  110.     *

    111. 

  111.     * @param   string    $var   the name of the variable to be retrieved.

    112. 

  112.     * @return  mixed     the value of the request variable.

    113. 

  113.     */

    114. 

  114.    public function __get( $var ) {

    115. 

  115.       return isset($_SESSION[$var]) ? $_SESSION[$var] : NULL;

    116. 

  116.    }

    117. 

  117. 

    118. 

  118.    /**

    119. 

  119.     * Determines if a variable exists in the session.

    120. 

  120.     *

    121. 

  121.     * @param   string    $var   the name of the variable to look for.

    122. 

  122.     * @return  boolean

    123. 

  123.     */

    124. 

  124.    public function __isset( $var ) {

    125. 

  125.       return isset($_SESSION[$var]);

    126. 

  126.    }

    127. 

  127. 

    128. 

  128.    /**

    129. 

  129.     * Removes a variable from the session.

    130. 

  130.     *

    131. 

  131.     * @param   string    $var   the name of the variable to remove.

    132. 

  132.     * @return  void

    133. 

  133.     */

    134. 

  134.    public function __unset( $var ) {

    135. 

  135.       unset($_SESSION[$var]);

    136. 

  136.    }

    137. 

  137. 

    138. 

  138.    /**

    139. 

  139.     * Determines if there is an active session.

    140. 

  140.     *

    141. 

  141.     * @return  boolean

    142. 

  142.     */

    143. 

  143.    public function is_active() {

    144. 

  144. 

    145. 

  145.       return ($this->session_id !== NULL && strlen($this->session_id) == 32 );

    146. 

  146. 

    147. 

  147.    } // is_active

    148. 

  148. 

    149. 

  149.    /**

    150. 

  150.     * Initialises the session.

    151. 

  151.     *

    152. 

  152.     * @return  void

    153. 

  153.     */

    154. 

  154.    public function start() {

    155. 

  155. 

    156. 

  156.       // if there is already an active session then do nothing

    157. 

  157.       if( $this->is_active() )

    158. 

  158.          return;

    159. 

  159. 

    160. 

  160.       // set the session name and load the session data

    161. 

  161.       session_name( $this->session_name );

    162. 

  162.       session_start();

    163. 

  163. 

    164. 

  164.       // store session parameters

    165. 

  165.       $this->session_name = session_name();

    166. 

  166.       $this->session_id   = session_id();

    167. 

  167. 

    168. 

  168.       // if we have previously stored the USER_AGENT header then check that the

    169. 

  169.       // current header matches the stored one, and if not then throw and exception

    170. 

  170.       // as someone is probably attempting to hijack the session...

    171. 

  171.       if( isset($_SESSION['HTTP_USER_AGENT']) && $_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']) ) {

    172. 

  172.         $this->destroy();

    173. 

  173.         throw new SPF_Session_Exception('Attempt to hijack a session!');

    174. 

  174.       }

    175. 

  175.       // if no USER_AGENT header is currently stored then store it

    176. 

  176.       else

    177. 

  177.          $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);

    178. 

  178. 

    179. 

  179.       // check that the secure session token is valid if it exists

    180. 

  180.       if( !$this->check_token() ) {

    181. 

  181.          $this->destroy();

    182. 

  182.          throw new SPF_Session_Exception('Invalid Token');

    183. 

  183.       }

    184. 

  184. 

    185. 

  185.       // if session lifetime is enabled...

    186. 

  186.       if( $this->lifetime > 0 ) {

    187. 

  187. 

    188. 

  188.          // if expiry is set and less than the current timestamp then session has expired...

    189. 

  189.          if( isset($_SESSION['session_expires']) && $_SESSION['session_expires'] < time() ) {

    190. 

  190.             $this->destroy();

    191. 

  191.             throw new SPF_Session_Exception('Expired');

    192. 

  192.          }

    193. 

  193.          // otherwise we just need to (re)set the expiry timestamp

    194. 

  194.          else

    195. 

  195.             $_SESSION['session_expires'] = time() + ($this->lifetime * 60);

    196. 

  196. 

    197. 

  197.       }

    198. 

  198. 

    199. 

  199. 

    200. 

  200.    } // start

    201. 

  201. 

    202. 

  202.    /**

    203. 

  203.     * Clears the session data but keeps the session active.

    204. 

  204.     *

    205. 

  205.     * @return  void

    206. 

  206.     */

    207. 

  207.    public function clear() {

    208. 

  208. 

    209. 

  209.       foreach ( $_SESSION as $var => $val ) {

    210. 

  210.          unset( $_SESSION[$var] );

    211. 

  211.       }

    212. 

  212. 

    213. 

  213.    } // clear

    214. 

  214. 

    215. 

  215.    /**

    216. 

  216.     * Destroys the session including associated data.

    217. 

  217.     *

    218. 

  218.     * @return  void

    219. 

  219.     */

    220. 

  220.    public function destroy() {

    221. 

  221. 

    222. 

  222.       // first unset the current session variables

    223. 

  223.       $this->remove_token();

    224. 

  224.       $this->clear();

    225. 

  225.       session_unset();

    226. 

  226. 

    227. 

  227.       // delete the session cookie if it exists - sets the expires time to be a year ago

    228. 

  228.       if( isset($_COOKIE[session_name()]) )

    229. 

  229.          setcookie( $this->session_name, '', time() - (60 * 60 * 24 * 365), '/' );

    230. 

  230. 

    231. 

  231.       // remove all traces of the session from the server

    232. 

  232.       session_destroy();

    233. 

  233. 

    234. 

  234.       // update session parameters

    235. 

  235.       $this->session_name = session_name();

    236. 

  236.       $this->session_id   = session_id();

    237. 

  237. 

    238. 

  238.    } // destroy

    239. 

  239. 

    240. 

  240.    /**

    241. 

  241.     * Restarts the session.

    242. 

  242.     * Session data is cleared and a new session id is generated.

    243. 

  243.     *

    244. 

  244.     * @return  void

    245. 

  245.     */

    246. 

  246.    public function restart() {

    247. 

  247. 

    248. 

  248.       // first unset the current session variables

    249. 

  249.       $this->clear();

    250. 

  250.       session_unset();

    251. 

  251. 

    252. 

  252.       // now generate a new session id

    253. 

  253.       session_regenerate_id();

    254. 

  254. 

    255. 

  255.       // update session parameters

    256. 

  256.       $this->session_name = session_name();

    257. 

  257.       $this->session_id   = session_id();

    258. 

  258. 

    259. 

  259.    } // destroy

    260. 

  260. 

    261. 

  261.    /**

    262. 

  262.     * Sets a secure token against the session.

    263. 

  263.     * This is an additional security measure in addition to the session id and the USER_AGENT header check.

    264. 

  264.     * It means that even if an attacker managed to guess the session id of an authenticated user

    265. 

  265.     * AND managed to send the correct USER_AGENT header, they'd also have to send the correct token as well.<br /><br />

    266. 

  266.     * The secure token is only used for authenticated session (ie the user has already logged in),

    267. 

  267.     * which means attackers won't even know they need to send it unless they've successfully authenticated

    268. 

  268.     * a user, or they've examined the cookies stored on a client machine that has an authenticated session.

    269. 

  269.     *

    270. 

  270.     * @return  boolean

    271. 

  271.     */

    272. 

  272.    public function set_token() {

    273. 

  273. 

    274. 

  274.       $fingerprint = SPF::hash();

    275. 

  275.       $_SESSION['session_token'] = $fingerprint;

    276. 

  276.       setcookie( 'session_token', $fingerprint );

    277. 

  277. 

    278. 

  278.    } // set_fingerprint

    279. 

  279.    

    280. 

  280.    /**

    281. 

  281.     * Removes the secure session token.

    282. 

  282.     *

    283. 

  283.     * @return  void

    284. 

  284.     */

    285. 

  285.    public function remove_token() {

    286. 

  286. 

    287. 

  287.       unset($_SESSION['session_token']);

    288. 

  288.       setcookie( 'session_token', '', time() - 42000, '/' );

    289. 

  289. 

    290. 

  290.    } // remove_token

    291. 

  291. 

    292. 

  292.    /**

    293. 

  293.     * Determines whether the session has a secure token set.

    294. 

  294.     *

    295. 

  295.     * @return  boolean

    296. 

  296.     */

    297. 

  297.    public function has_token() {

    298. 

  298. 

    299. 

  299.       return isset($_SESSION['session_token']);

    300. 

  300. 

    301. 

  301.    } // has_token

    302. 

  302. 

    303. 

  303.    /**

    304. 

  304.     * Verfies that the secure token held by the client matches the one stored in the session.

    305. 

  305.     * If the token has not been set this function will return true.

    306. 

  306.     *

    307. 

  307.     * @return  boolean

    308. 

  308.     */

    309. 

  309.    public function check_token() {

    310. 

  310. 

    311. 

  311.       if( $this->has_token() )

    312. 

  312.          return isset($_COOKIE['session_token']) && $_COOKIE['session_token'] = $_SESSION['session_token'];

    313. 

  313.       else

    314. 

  314.          return true;

    315. 

  315. 

    316. 

  316.    } // check_token

    317. 

  317. 

    318. 

  318. } // SPF_Session

    319. 

  319. 

    320. 

  320. /**

    321. 

  321.  * Thrown when a session is invalid.

    322. 

  322.  *

    323. 

  323.  * @package    spf 

    324. 

  324.  * @author     Simon Downes <simon@simondownes.co.uk>

    325. 

  325.  * @copyright  Copyright (c) 2007, Simon Downes 

    326. 

  326.  * @license    http://www.opensource.org/licenses/mit-license.php

    327. 

  327.  */

    328. 

  328. class SPF_Session_Exception extends SPF_Exception {

    329. 

  329. 

    330. 

  330.    public function __construct( $message ) {

    331. 

  331.       parent::__construct( $message );

    332. 

  332.    }

    333. 

  333. 

    334. 

  334. } // SPF_Session_Exception

    335. 

  335. 

    336. 

  336. ?>

    337. 

  337.