PageRenderTime 43ms CodeModel.GetById 15ms RepoModel.GetById 0ms app.codeStats 0ms

/libraries/joomla/session/session.php

https://bitbucket.org/izubizarreta/https-bitbucket.org-bityvip
PHP | 920 lines | 734 code | 32 blank | 154 comment | 8 complexity | 96ee642f64967127a349b680086ea669 MD5 | raw file
Possible License(s): LGPL-3.0, LGPL-2.0, JSON, GPL-2.0, BSD-3-Clause, LGPL-2.1, MIT 
    

  1. <?php
    2. 

  2. /**
    3. 

  3.  * @package     Joomla.Platform
    4. 

  4.  * @subpackage  Session
    5. 

  5.  *
    6. 

  6.  * @copyright   Copyright (C) 2005 - 2012 Open Source Matters, Inc. All rights reserved.
    7. 

  7.  * @license     GNU General Public License version 2 or later; see LICENSE
    8. 

  8.  */
    9. 

  9. 

  10. defined('JPATH_PLATFORM') or die;
    11. 

  11. 

  12. jimport('joomla.environment.request');
    13. 

  13. 

  14. /**
    15. 

  15.  * Class for managing HTTP sessions
    16. 

  16.  *
    17. 

  17.  * Provides access to session-state values as well as session-level
    18. 

  18.  * settings and lifetime management methods.
    19. 

  19.  * Based on the standard PHP session handling mechanism it provides
    20. 

  20.  * more advanced features such as expire timeouts.
    21. 

  21.  *
    22. 

  22.  * @package     Joomla.Platform
    23. 

  23.  * @subpackage  Session
    24. 

  24.  * @since       11.1
    25. 

  25.  */
    26. 

  26. class JSession extends JObject
    27. 

  27. {
    28. 

  28. 	/**
    29. 

  29. 	 * Internal state.
    30. 

  30. 	 * One of 'active'|'expired'|'destroyed'|'error'
    31. 

  31. 	 *
    32. 

  32. 	 * @var    string
    33. 

  33. 	 * @see    getState()
    34. 

  34. 	 * @since  11.1
    35. 

  35. 	 */
    36. 

  36. 	protected $_state = 'active';
    37. 

  37. 

  38. 	/**
    39. 

  39. 	 * Maximum age of unused session in minutes
    40. 

  40. 	 *
    41. 

  41. 	 * @var    string
    42. 

  42. 	 * @since  11.1
    43. 

  43. 	 */
    44. 

  44. 	protected $_expire = 15;
    45. 

  45. 

  46. 	/**
    47. 

  47. 	 * The session store object.
    48. 

  48. 	 *
    49. 

  49. 	 * @var    JSessionStorage
    50. 

  50. 	 * @since  11.1
    51. 

  51. 	 */
    52. 

  52. 	protected $_store = null;
    53. 

  53. 

  54. 	/**
    55. 

  55. 	 * Security policy.
    56. 

  56. 	 * List of checks that will be done.
    57. 

  57. 	 *
    58. 

  58. 	 * Default values:
    59. 

  59. 	 * - fix_browser
    60. 

  60. 	 * - fix_adress
    61. 

  61. 	 *
    62. 

  62. 	 * @var array
    63. 

  63. 	 * @since  11.1
    64. 

  64. 	 */
    65. 

  65. 	protected $_security = array('fix_browser');
    66. 

  66. 

  67. 	/**
    68. 

  68. 	 * Force cookies to be SSL only
    69. 

  69. 	 * Default  false
    70. 

  70. 	 *
    71. 

  71. 	 * @var    boolean
    72. 

  72. 	 * @since  11.1
    73. 

  73. 	 */
    74. 

  74. 	protected $_force_ssl = false;
    75. 

  75. 

  76. 	/**
    77. 

  77. 	 * @var    JSession  JSession instances container.
    78. 

  78. 	 * @since  11.3
    79. 

  79. 	 */
    80. 

  80. 	protected static $instance;
    81. 

  81. 

  82. 	/**
    83. 

  83. 	 * Constructor
    84. 

  84. 	 *
    85. 

  85. 	 * @param   string  $store    The type of storage for the session.
    86. 

  86. 	 * @param   array   $options  Optional parameters
    87. 

  87. 	 *
    88. 

  88. 	 * @since   11.1
    89. 

  89. 	 */
    90. 

  90. 	public function __construct($store = 'none', $options = array())
    91. 

  91. 	{
    92. 

  92. 		// Need to destroy any existing sessions started with session.auto_start
    93. 

  93. 		if (session_id())
    94. 

  94. 		{
    95. 

  95. 			session_unset();
    96. 

  96. 			session_destroy();
    97. 

  97. 		}
    98. 

  98. 

  99. 		// Set default sessios save handler
    100. 

  100. 		ini_set('session.save_handler', 'files');
    101. 

  101. 

  102. 		// Disable transparent sid support
    103. 

  103. 		ini_set('session.use_trans_sid', '0');
    104. 

  104. 

  105. 		// Create handler
    106. 

  106. 		$this->_store = JSessionStorage::getInstance($store, $options);
    107. 

  107. 

  108. 		// Set options
    109. 

  109. 		$this->_setOptions($options);
    110. 

  110. 

  111. 		$this->_setCookieParams();
    112. 

  112. 

  113. 		// Load the session
    114. 

  114. 		$this->_start();
    115. 

  115. 

  116. 		// Initialise the session
    117. 

  117. 		$this->_setCounter();
    118. 

  118. 		$this->_setTimers();
    119. 

  119. 

  120. 		$this->_state = 'active';
    121. 

  121. 

  122. 		// Perform security checks
    123. 

  123. 		$this->_validate();
    124. 

  124. 	}
    125. 

  125. 

  126. 	/**
    127. 

  127. 	 * Session object destructor
    128. 

  128. 	 *
    129. 

  129. 	 * @since   11.1
    130. 

  130. 	 */
    131. 

  131. 	public function __destruct()
    132. 

  132. 	{
    133. 

  133. 		$this->close();
    134. 

  134. 	}
    135. 

  135. 

  136. 	/**
    137. 

  137. 	 * Returns the global Session object, only creating it
    138. 

  138. 	 * if it doesn't already exist.
    139. 

  139. 	 *
    140. 

  140. 	 * @param   string  $handler  The type of session handler.
    141. 

  141. 	 * @param   array   $options  An array of configuration options.
    142. 

  142. 	 *
    143. 

  143. 	 * @return  JSession  The Session object.
    144. 

  144. 	 *
    145. 

  145. 	 * @since   11.1
    146. 

  146. 	 */
    147. 

  147. 	public static function getInstance($handler, $options)
    148. 

  148. 	{
    149. 

  149. 		if (!is_object(self::$instance))
    150. 

  150. 		{
    151. 

  151. 			self::$instance = new JSession($handler, $options);
    152. 

  152. 		}
    153. 

  153. 

  154. 		return self::$instance;
    155. 

  155. 	}
    156. 

  156. 

  157. 	/**
    158. 

  158. 	 * Get current state of session
    159. 

  159. 	 *
    160. 

  160. 	 * @return  string  The session state
    161. 

  161. 	 *
    162. 

  162. 	 * @since   11.1
    163. 

  163. 	 */
    164. 

  164. 	public function getState()
    165. 

  165. 	{
    166. 

  166. 		return $this->_state;
    167. 

  167. 	}
    168. 

  168. 

  169. 	/**
    170. 

  170. 	 * Get expiration time in minutes
    171. 

  171. 	 *
    172. 

  172. 	 * @return  integer  The session expiration time in minutes
    173. 

  173. 	 *
    174. 

  174. 	 * @since   11.1
    175. 

  175. 	 */
    176. 

  176. 	public function getExpire()
    177. 

  177. 	{
    178. 

  178. 		return $this->_expire;
    179. 

  179. 	}
    180. 

  180. 

  181. 	/**
    182. 

  182. 	 * Get a session token, if a token isn't set yet one will be generated.
    183. 

  183. 	 *
    184. 

  184. 	 * Tokens are used to secure forms from spamming attacks. Once a token
    185. 

  185. 	 * has been generated the system will check the post request to see if
    186. 

  186. 	 * it is present, if not it will invalidate the session.
    187. 

  187. 	 *
    188. 

  188. 	 * @param   boolean  $forceNew  If true, force a new token to be created
    189. 

  189. 	 *
    190. 

  190. 	 * @return  string  The session token
    191. 

  191. 	 *
    192. 

  192. 	 * @since   11.1
    193. 

  193. 	 */
    194. 

  194. 	public function getToken($forceNew = false)
    195. 

  195. 	{
    196. 

  196. 		$token = $this->get('session.token');
    197. 

  197. 

  198. 		// Create a token
    199. 

  199. 		if ($token === null || $forceNew)
    200. 

  200. 		{
    201. 

  201. 			$token = $this->_createToken(12);
    202. 

  202. 			$this->set('session.token', $token);
    203. 

  203. 		}
    204. 

  204. 

  205. 		return $token;
    206. 

  206. 	}
    207. 

  207. 

  208. 	/**
    209. 

  209. 	 * Method to determine if a token exists in the session. If not the
    210. 

  210. 	 * session will be set to expired
    211. 

  211. 	 *
    212. 

  212. 	 * @param   string   $tCheck       Hashed token to be verified
    213. 

  213. 	 * @param   boolean  $forceExpire  If true, expires the session
    214. 

  214. 	 *
    215. 

  215. 	 * @return  boolean
    216. 

  216. 	 *
    217. 

  217. 	 * @since   11.1
    218. 

  218. 	 */
    219. 

  219. 	public function hasToken($tCheck, $forceExpire = true)
    220. 

  220. 	{
    221. 

  221. 		// Check if a token exists in the session
    222. 

  222. 		$tStored = $this->get('session.token');
    223. 

  223. 

  224. 		// Check token
    225. 

  225. 		if (($tStored !== $tCheck))
    226. 

  226. 		{
    227. 

  227. 			if ($forceExpire)
    228. 

  228. 			{
    229. 

  229. 				$this->_state = 'expired';
    230. 

  230. 			}
    231. 

  231. 			return false;
    232. 

  232. 		}
    233. 

  233. 

  234. 		return true;
    235. 

  235. 	}
    236. 

  236. 

  237. 	/**
    238. 

  238. 	 * Method to determine a hash for anti-spoofing variable names
    239. 

  239. 	 *
    240. 

  240. 	 * @param   boolean  $forceNew  If true, force a new token to be created
    241. 

  241. 	 *
    242. 

  242. 	 * @return  string  Hashed var name
    243. 

  243. 	 *
    244. 

  244. 	 * @since   11.1
    245. 

  245. 	 */
    246. 

  246. 	public static function getFormToken($forceNew = false)
    247. 

  247. 	{
    248. 

  248. 		$user = JFactory::getUser();
    249. 

  249. 		$session = JFactory::getSession();
    250. 

  250. 		$hash = JApplication::getHash($user->get('id', 0) . $session->getToken($forceNew));
    251. 

  251. 

  252. 		return $hash;
    253. 

  253. 	}
    254. 

  254. 

  255. 	/**
    256. 

  256. 	 * Checks for a form token in the request.
    257. 

  257. 	 *
    258. 

  258. 	 * Use in conjunction with JHtml::_('form.token') or JSession::getFormToken.
    259. 

  259. 	 *
    260. 

  260. 	 * @param   string  $method  The request method in which to look for the token key.
    261. 

  261. 	 *
    262. 

  262. 	 * @return  boolean  True if found and valid, false otherwise.
    263. 

  263. 	 *
    264. 

  264. 	 * @since   12.1
    265. 

  265. 	 */
    266. 

  266. 	public static function checkToken($method = 'post')
    267. 

  267. 	{
    268. 

  268. 		if ($method == 'default')
    269. 

  269. 		{
    270. 

  270. 			trigger_error("JSession::checkToken() doesn't support 'default' for the method parameter.", E_USER_ERROR);
    271. 

  271. 			return false;
    272. 

  272. 		}
    273. 

  273. 

  274. 		$token = self::getFormToken();
    275. 

  275. 		$app = JFactory::getApplication();
    276. 

  276. 

  277. 		if (!JRequest::getVar($token, '', $method, 'alnum'))
    278. 

  278. 		{
    279. 

  279. 			$session = JFactory::getSession();
    280. 

  280. 			if ($session->isNew())
    281. 

  281. 			{
    282. 

  282. 				// Redirect to login screen.
    283. 

  283. 				$app->redirect(JRoute::_('index.php'), JText::_('JLIB_ENVIRONMENT_SESSION_EXPIRED'));
    284. 

  284. 				$app->close();
    285. 

  285. 			}
    286. 

  286. 			else
    287. 

  287. 			{
    288. 

  288. 				return false;
    289. 

  289. 			}
    290. 

  290. 		}
    291. 

  291. 		else
    292. 

  292. 		{
    293. 

  293. 			return true;
    294. 

  294. 		}
    295. 

  295. 	}
    296. 

  296. 

  297. 	/**
    298. 

  298. 	 * Get session name
    299. 

  299. 	 *
    300. 

  300. 	 * @return  string  The session name
    301. 

  301. 	 *
    302. 

  302. 	 * @since   11.1
    303. 

  303. 	 */
    304. 

  304. 	public function getName()
    305. 

  305. 	{
    306. 

  306. 		if ($this->_state === 'destroyed')
    307. 

  307. 		{
    308. 

  308. 			// @TODO : raise error
    309. 

  309. 			return null;
    310. 

  310. 		}
    311. 

  311. 		return session_name();
    312. 

  312. 	}
    313. 

  313. 

  314. 	/**
    315. 

  315. 	 * Get session id
    316. 

  316. 	 *
    317. 

  317. 	 * @return  string  The session name
    318. 

  318. 	 *
    319. 

  319. 	 * @since   11.1
    320. 

  320. 	 */
    321. 

  321. 	public function getId()
    322. 

  322. 	{
    323. 

  323. 		if ($this->_state === 'destroyed')
    324. 

  324. 		{
    325. 

  325. 			// @TODO : raise error
    326. 

  326. 			return null;
    327. 

  327. 		}
    328. 

  328. 		return session_id();
    329. 

  329. 	}
    330. 

  330. 

  331. 	/**
    332. 

  332. 	 * Get the session handlers
    333. 

  333. 	 *
    334. 

  334. 	 * @return  array  An array of available session handlers
    335. 

  335. 	 *
    336. 

  336. 	 * @since   11.1
    337. 

  337. 	 */
    338. 

  338. 	public static function getStores()
    339. 

  339. 	{
    340. 

  340. 		jimport('joomla.filesystem.folder');
    341. 

  341. 		$handlers = JFolder::files(dirname(__FILE__) . '/storage', '.php$');
    342. 

  342. 

  343. 		$names = array();
    344. 

  344. 		foreach ($handlers as $handler)
    345. 

  345. 		{
    346. 

  346. 			$name = substr($handler, 0, strrpos($handler, '.'));
    347. 

  347. 			$class = 'JSessionStorage' . ucfirst($name);
    348. 

  348. 

  349. 			// Load the class only if needed
    350. 

  350. 			if (!class_exists($class))
    351. 

  351. 			{
    352. 

  352. 				require_once dirname(__FILE__) . '/storage/' . $name . '.php';
    353. 

  353. 			}
    354. 

  354. 

  355. 			if (call_user_func_array(array(trim($class), 'test'), array()))
    356. 

  356. 			{
    357. 

  357. 				$names[] = $name;
    358. 

  358. 			}
    359. 

  359. 		}
    360. 

  360. 

  361. 		return $names;
    362. 

  362. 	}
    363. 

  363. 

  364. 	/**
    365. 

  365. 	 * Check whether this session is currently created
    366. 

  366. 	 *
    367. 

  367. 	 * @return  boolean  True on success.
    368. 

  368. 	 *
    369. 

  369. 	 * @since   11.1
    370. 

  370. 	 */
    371. 

  371. 	public function isNew()
    372. 

  372. 	{
    373. 

  373. 		$counter = $this->get('session.counter');
    374. 

  374. 		if ($counter === 1)
    375. 

  375. 		{
    376. 

  376. 			return true;
    377. 

  377. 		}
    378. 

  378. 		return false;
    379. 

  379. 	}
    380. 

  380. 

  381. 	/**
    382. 

  382. 	 * Get data from the session store
    383. 

  383. 	 *
    384. 

  384. 	 * @param   string  $name       Name of a variable
    385. 

  385. 	 * @param   mixed   $default    Default value of a variable if not set
    386. 

  386. 	 * @param   string  $namespace  Namespace to use, default to 'default'
    387. 

  387. 	 *
    388. 

  388. 	 * @return  mixed  Value of a variable
    389. 

  389. 	 *
    390. 

  390. 	 * @since   11.1
    391. 

  391. 	 */
    392. 

  392. 	public function get($name, $default = null, $namespace = 'default')
    393. 

  393. 	{
    394. 

  394. 		// Add prefix to namespace to avoid collisions
    395. 

  395. 		$namespace = '__' . $namespace;
    396. 

  396. 

  397. 		if ($this->_state !== 'active' && $this->_state !== 'expired')
    398. 

  398. 		{
    399. 

  399. 			// @TODO :: generated error here
    400. 

  400. 			$error = null;
    401. 

  401. 			return $error;
    402. 

  402. 		}
    403. 

  403. 

  404. 		if (isset($_SESSION[$namespace][$name]))
    405. 

  405. 		{
    406. 

  406. 			return $_SESSION[$namespace][$name];
    407. 

  407. 		}
    408. 

  408. 		return $default;
    409. 

  409. 	}
    410. 

  410. 

  411. 	/**
    412. 

  412. 	 * Set data into the session store.
    413. 

  413. 	 *
    414. 

  414. 	 * @param   string  $name       Name of a variable.
    415. 

  415. 	 * @param   mixed   $value      Value of a variable.
    416. 

  416. 	 * @param   string  $namespace  Namespace to use, default to 'default'.
    417. 

  417. 	 *
    418. 

  418. 	 * @return  mixed  Old value of a variable.
    419. 

  419. 	 *
    420. 

  420. 	 * @since   11.1
    421. 

  421. 	 */
    422. 

  422. 	public function set($name, $value = null, $namespace = 'default')
    423. 

  423. 	{
    424. 

  424. 		// Add prefix to namespace to avoid collisions
    425. 

  425. 		$namespace = '__' . $namespace;
    426. 

  426. 

  427. 		if ($this->_state !== 'active')
    428. 

  428. 		{
    429. 

  429. 			// @TODO :: generated error here
    430. 

  430. 			return null;
    431. 

  431. 		}
    432. 

  432. 

  433. 		$old = isset($_SESSION[$namespace][$name]) ? $_SESSION[$namespace][$name] : null;
    434. 

  434. 

  435. 		if (null === $value)
    436. 

  436. 		{
    437. 

  437. 			unset($_SESSION[$namespace][$name]);
    438. 

  438. 		}
    439. 

  439. 		else
    440. 

  440. 		{
    441. 

  441. 			$_SESSION[$namespace][$name] = $value;
    442. 

  442. 		}
    443. 

  443. 

  444. 		return $old;
    445. 

  445. 	}
    446. 

  446. 

  447. 	/**
    448. 

  448. 	 * Check whether data exists in the session store
    449. 

  449. 	 *
    450. 

  450. 	 * @param   string  $name       Name of variable
    451. 

  451. 	 * @param   string  $namespace  Namespace to use, default to 'default'
    452. 

  452. 	 *
    453. 

  453. 	 * @return  boolean  True if the variable exists
    454. 

  454. 	 *
    455. 

  455. 	 * @since   11.1
    456. 

  456. 	 */
    457. 

  457. 	public function has($name, $namespace = 'default')
    458. 

  458. 	{
    459. 

  459. 		// Add prefix to namespace to avoid collisions.
    460. 

  460. 		$namespace = '__' . $namespace;
    461. 

  461. 

  462. 		if ($this->_state !== 'active')
    463. 

  463. 		{
    464. 

  464. 			// @TODO :: generated error here
    465. 

  465. 			return null;
    466. 

  466. 		}
    467. 

  467. 

  468. 		return isset($_SESSION[$namespace][$name]);
    469. 

  469. 	}
    470. 

  470. 

  471. 	/**
    472. 

  472. 	 * Unset data from the session store
    473. 

  473. 	 *
    474. 

  474. 	 * @param   string  $name       Name of variable
    475. 

  475. 	 * @param   string  $namespace  Namespace to use, default to 'default'
    476. 

  476. 	 *
    477. 

  477. 	 * @return  mixed   The value from session or NULL if not set
    478. 

  478. 	 *
    479. 

  479. 	 * @since   11.1
    480. 

  480. 	 */
    481. 

  481. 	public function clear($name, $namespace = 'default')
    482. 

  482. 	{
    483. 

  483. 		// Add prefix to namespace to avoid collisions
    484. 

  484. 		$namespace = '__' . $namespace;
    485. 

  485. 

  486. 		if ($this->_state !== 'active')
    487. 

  487. 		{
    488. 

  488. 			// @TODO :: generated error here
    489. 

  489. 			return null;
    490. 

  490. 		}
    491. 

  491. 

  492. 		$value = null;
    493. 

  493. 		if (isset($_SESSION[$namespace][$name]))
    494. 

  494. 		{
    495. 

  495. 			$value = $_SESSION[$namespace][$name];
    496. 

  496. 			unset($_SESSION[$namespace][$name]);
    497. 

  497. 		}
    498. 

  498. 

  499. 		return $value;
    500. 

  500. 	}
    501. 

  501. 

  502. 	/**
    503. 

  503. 	 * Start a session.
    504. 

  504. 	 *
    505. 

  505. 	 * Creates a session (or resumes the current one based on the state of the session)
    506. 

  506. 	 *
    507. 

  507. 	 * @return  boolean  true on success
    508. 

  508. 	 *
    509. 

  509. 	 * @since   11.1
    510. 

  510. 	 */
    511. 

  511. 	protected function _start()
    512. 

  512. 	{
    513. 

  513. 		// Start session if not started
    514. 

  514. 		if ($this->_state == 'restart')
    515. 

  515. 		{
    516. 

  516. 			session_id($this->_createId());
    517. 

  517. 		}
    518. 

  518. 		else
    519. 

  519. 		{
    520. 

  520. 			$session_name = session_name();
    521. 

  521. 			if (!JRequest::getVar($session_name, false, 'COOKIE'))
    522. 

  522. 			{
    523. 

  523. 				if (JRequest::getVar($session_name))
    524. 

  524. 				{
    525. 

  525. 					session_id(JRequest::getVar($session_name));
    526. 

  526. 					setcookie($session_name, '', time() - 3600);
    527. 

  527. 				}
    528. 

  528. 			}
    529. 

  529. 		}
    530. 

  530. 

  531. 		session_cache_limiter('none');
    532. 

  532. 		session_start();
    533. 

  533. 		$_SESSION["plan"]=0;
    534. 

  534. 

  535. 		return true;
    536. 

  536. 	}
    537. 

  537. 

  538. 	/**
    539. 

  539. 	 * Frees all session variables and destroys all data registered to a session
    540. 

  540. 	 *
    541. 

  541. 	 * This method resets the $_SESSION variable and destroys all of the data associated
    542. 

  542. 	 * with the current session in its storage (file or DB). It forces new session to be
    543. 

  543. 	 * started after this method is called. It does not unset the session cookie.
    544. 

  544. 	 *
    545. 

  545. 	 * @return  boolean  True on success
    546. 

  546. 	 *
    547. 

  547. 	 * @see     session_destroy()
    548. 

  548. 	 * @see     session_unset()
    549. 

  549. 	 * @since   11.1
    550. 

  550. 	 */
    551. 

  551. 	public function destroy()
    552. 

  552. 	{
    553. 

  553. 		// Session was already destroyed
    554. 

  554. 		if ($this->_state === 'destroyed')
    555. 

  555. 		{
    556. 

  556. 			return true;
    557. 

  557. 		}
    558. 

  558. 

  559. 		/*
    560. 

  560. 		 * In order to kill the session altogether, such as to log the user out, the session id
    561. 

  561. 		 * must also be unset. If a cookie is used to propagate the session id (default behavior),
    562. 

  562. 		 * then the session cookie must be deleted.
    563. 

  563. 		 */
    564. 

  564. 		if (isset($_COOKIE[session_name()]))
    565. 

  565. 		{
    566. 

  566. 			$config = JFactory::getConfig();
    567. 

  567. 			$cookie_domain = $config->get('cookie_domain', '');
    568. 

  568. 			$cookie_path = $config->get('cookie_path', '/');
    569. 

  569. 			setcookie(session_name(), '', time() - 42000, $cookie_path, $cookie_domain);
    570. 

  570. 		}
    571. 

  571. 

  572. 		session_unset();
    573. 

  573. 		session_destroy();
    574. 

  574. 

  575. 		$this->_state = 'destroyed';
    576. 

  576. 		return true;
    577. 

  577. 	}
    578. 

  578. 

  579. 	/**
    580. 

  580. 	 * Restart an expired or locked session.
    581. 

  581. 	 *
    582. 

  582. 	 * @return  boolean  True on success
    583. 

  583. 	 *
    584. 

  584. 	 * @see     destroy
    585. 

  585. 	 * @since   11.1
    586. 

  586. 	 */
    587. 

  587. 	public function restart()
    588. 

  588. 	{
    589. 

  589. 		$this->destroy();
    590. 

  590. 		if ($this->_state !== 'destroyed')
    591. 

  591. 		{
    592. 

  592. 			// @TODO :: generated error here
    593. 

  593. 			return false;
    594. 

  594. 		}
    595. 

  595. 

  596. 		// Re-register the session handler after a session has been destroyed, to avoid PHP bug
    597. 

  597. 		$this->_store->register();
    598. 

  598. 

  599. 		$this->_state = 'restart';
    600. 

  600. 

  601. 		// Regenerate session id
    602. 

  602. 		$id = $this->_createId();
    603. 

  603. 		session_id($id);
    604. 

  604. 		$this->_start();
    605. 

  605. 		$this->_state = 'active';
    606. 

  606. 

  607. 		$this->_validate();
    608. 

  608. 		$this->_setCounter();
    609. 

  609. 

  610. 		return true;
    611. 

  611. 	}
    612. 

  612. 

  613. 	/**
    614. 

  614. 	 * Create a new session and copy variables from the old one
    615. 

  615. 	 *
    616. 

  616. 	 * @return  boolean $result true on success
    617. 

  617. 	 *
    618. 

  618. 	 * @since   11.1
    619. 

  619. 	 */
    620. 

  620. 	public function fork()
    621. 

  621. 	{
    622. 

  622. 		if ($this->_state !== 'active')
    623. 

  623. 		{
    624. 

  624. 			// @TODO :: generated error here
    625. 

  625. 			return false;
    626. 

  626. 		}
    627. 

  627. 

  628. 		// Save values
    629. 

  629. 		$values = $_SESSION;
    630. 

  630. 

  631. 		// Keep session config
    632. 

  632. 		$trans = ini_get('session.use_trans_sid');
    633. 

  633. 		if ($trans)
    634. 

  634. 		{
    635. 

  635. 			ini_set('session.use_trans_sid', 0);
    636. 

  636. 		}
    637. 

  637. 		$cookie = session_get_cookie_params();
    638. 

  638. 

  639. 		// Create new session id
    640. 

  640. 		$id = $this->_createId();
    641. 

  641. 

  642. 		// Kill session
    643. 

  643. 		session_destroy();
    644. 

  644. 

  645. 		// Re-register the session store after a session has been destroyed, to avoid PHP bug
    646. 

  646. 		$this->_store->register();
    647. 

  647. 

  648. 		// Restore config
    649. 

  649. 		ini_set('session.use_trans_sid', $trans);
    650. 

  650. 		session_set_cookie_params($cookie['lifetime'], $cookie['path'], $cookie['domain'], $cookie['secure']);
    651. 

  651. 

  652. 		// Restart session with new id
    653. 

  653. 		session_id($id);
    654. 

  654. 		session_start();
    655. 

  655. 

  656. 		return true;
    657. 

  657. 	}
    658. 

  658. 

  659. 	/**
    660. 

  660. 	 * Writes session data and ends session
    661. 

  661. 	 *
    662. 

  662. 	 * Session data is usually stored after your script terminated without the need
    663. 

  663. 	 * to call JSession::close(), but as session data is locked to prevent concurrent
    664. 

  664. 	 * writes only one script may operate on a session at any time. When using
    665. 

  665. 	 * framesets together with sessions you will experience the frames loading one
    666. 

  666. 	 * by one due to this locking. You can reduce the time needed to load all the
    667. 

  667. 	 * frames by ending the session as soon as all changes to session variables are
    668. 

  668. 	 * done.
    669. 

  669. 	 *
    670. 

  670. 	 * @return  void
    671. 

  671. 	 *
    672. 

  672. 	 * @see     session_write_close()
    673. 

  673. 	 * @since   11.1
    674. 

  674. 	 */
    675. 

  675. 	public function close()
    676. 

  676. 	{
    677. 

  677. 		session_write_close();
    678. 

  678. 	}
    679. 

  679. 

  680. 	/**
    681. 

  681. 	 * Create a session id
    682. 

  682. 	 *
    683. 

  683. 	 * @return  string  Session ID
    684. 

  684. 	 *
    685. 

  685. 	 * @since   11.1
    686. 

  686. 	 */
    687. 

  687. 	protected function _createId()
    688. 

  688. 	{
    689. 

  689. 		$id = 0;
    690. 

  690. 		while (strlen($id) < 32)
    691. 

  691. 		{
    692. 

  692. 			$id .= mt_rand(0, mt_getrandmax());
    693. 

  693. 		}
    694. 

  694. 

  695. 		$id = md5(uniqid($id, true));
    696. 

  696. 		return $id;
    697. 

  697. 	}
    698. 

  698. 

  699. 	/**
    700. 

  700. 	 * Set session cookie parameters
    701. 

  701. 	 *
    702. 

  702. 	 * @return  void
    703. 

  703. 	 *
    704. 

  704. 	 * @since   11.1
    705. 

  705. 	 */
    706. 

  706. 	protected function _setCookieParams()
    707. 

  707. 	{
    708. 

  708. 		$cookie = session_get_cookie_params();
    709. 

  709. 		if ($this->_force_ssl)
    710. 

  710. 		{
    711. 

  711. 			$cookie['secure'] = true;
    712. 

  712. 		}
    713. 

  713. 

  714. 		$config = JFactory::getConfig();
    715. 

  715. 

  716. 		if ($config->get('cookie_domain', '') != '')
    717. 

  717. 		{
    718. 

  718. 			$cookie['domain'] = $config->get('cookie_domain');
    719. 

  719. 		}
    720. 

  720. 

  721. 		if ($config->get('cookie_path', '') != '')
    722. 

  722. 		{
    723. 

  723. 			$cookie['path'] = $config->get('cookie_path');
    724. 

  724. 		}
    725. 

  725. 		session_set_cookie_params($cookie['lifetime'], $cookie['path'], $cookie['domain'], $cookie['secure']);
    726. 

  726. 	}
    727. 

  727. 

  728. 	/**
    729. 

  729. 	 * Create a token-string
    730. 

  730. 	 *
    731. 

  731. 	 * @param   integer  $length  Length of string
    732. 

  732. 	 *
    733. 

  733. 	 * @return  string  Generated token
    734. 

  734. 	 *
    735. 

  735. 	 * @since   11.1
    736. 

  736. 	 */
    737. 

  737. 	protected function _createToken($length = 32)
    738. 

  738. 	{
    739. 

  739. 		static $chars = '0123456789abcdef';
    740. 

  740. 		$max = strlen($chars) - 1;
    741. 

  741. 		$token = '';
    742. 

  742. 		$name = session_name();
    743. 

  743. 		for ($i = 0; $i < $length; ++$i)
    744. 

  744. 		{
    745. 

  745. 			$token .= $chars[(rand(0, $max))];
    746. 

  746. 		}
    747. 

  747. 

  748. 		return md5($token . $name);
    749. 

  749. 	}
    750. 

  750. 

  751. 	/**
    752. 

  752. 	 * Set counter of session usage
    753. 

  753. 	 *
    754. 

  754. 	 * @return  boolean  True on success
    755. 

  755. 	 *
    756. 

  756. 	 * @since   11.1
    757. 

  757. 	 */
    758. 

  758. 	protected function _setCounter()
    759. 

  759. 	{
    760. 

  760. 		$counter = $this->get('session.counter', 0);
    761. 

  761. 		++$counter;
    762. 

  762. 

  763. 		$this->set('session.counter', $counter);
    764. 

  764. 		return true;
    765. 

  765. 	}
    766. 

  766. 

  767. 	/**
    768. 

  768. 	 * Set the session timers
    769. 

  769. 	 *
    770. 

  770. 	 * @return  boolean  True on success
    771. 

  771. 	 *
    772. 

  772. 	 * @since   11.1
    773. 

  773. 	 */
    774. 

  774. 	protected function _setTimers()
    775. 

  775. 	{
    776. 

  776. 		if (!$this->has('session.timer.start'))
    777. 

  777. 		{
    778. 

  778. 			$start = time();
    779. 

  779. 

  780. 			$this->set('session.timer.start', $start);
    781. 

  781. 			$this->set('session.timer.last', $start);
    782. 

  782. 			$this->set('session.timer.now', $start);
    783. 

  783. 		}
    784. 

  784. 

  785. 		$this->set('session.timer.last', $this->get('session.timer.now'));
    786. 

  786. 		$this->set('session.timer.now', time());
    787. 

  787. 

  788. 		return true;
    789. 

  789. 	}
    790. 

  790. 

  791. 	/**
    792. 

  792. 	 * Set additional session options
    793. 

  793. 	 *
    794. 

  794. 	 * @param   array  &$options  List of parameter
    795. 

  795. 	 *
    796. 

  796. 	 * @return  boolean  True on success
    797. 

  797. 	 *
    798. 

  798. 	 * @since   11.1
    799. 

  799. 	 */
    800. 

  800. 	protected function _setOptions(&$options)
    801. 

  801. 	{
    802. 

  802. 		// Set name
    803. 

  803. 		if (isset($options['name']))
    804. 

  804. 		{
    805. 

  805. 			session_name(md5($options['name']));
    806. 

  806. 		}
    807. 

  807. 

  808. 		// Set id
    809. 

  809. 		if (isset($options['id']))
    810. 

  810. 		{
    811. 

  811. 			session_id($options['id']);
    812. 

  812. 		}
    813. 

  813. 

  814. 		// Set expire time
    815. 

  815. 		if (isset($options['expire']))
    816. 

  816. 		{
    817. 

  817. 			$this->_expire = $options['expire'];
    818. 

  818. 		}
    819. 

  819. 

  820. 		// Get security options
    821. 

  821. 		if (isset($options['security']))
    822. 

  822. 		{
    823. 

  823. 			$this->_security = explode(',', $options['security']);
    824. 

  824. 		}
    825. 

  825. 

  826. 		if (isset($options['force_ssl']))
    827. 

  827. 		{
    828. 

  828. 			$this->_force_ssl = (bool) $options['force_ssl'];
    829. 

  829. 		}
    830. 

  830. 

  831. 		// Sync the session maxlifetime
    832. 

  832. 		ini_set('session.gc_maxlifetime', $this->_expire);
    833. 

  833. 

  834. 		return true;
    835. 

  835. 	}
    836. 

  836. 

  837. 	/**
    838. 

  838. 	 * Do some checks for security reason
    839. 

  839. 	 *
    840. 

  840. 	 * - timeout check (expire)
    841. 

  841. 	 * - ip-fixiation
    842. 

  842. 	 * - browser-fixiation
    843. 

  843. 	 *
    844. 

  844. 	 * If one check failed, session data has to be cleaned.
    845. 

  845. 	 *
    846. 

  846. 	 * @param   boolean  $restart  Reactivate session
    847. 

  847. 	 *
    848. 

  848. 	 * @return  boolean  True on success
    849. 

  849. 	 *
    850. 

  850. 	 * @see     http://shiflett.org/articles/the-truth-about-sessions
    851. 

  851. 	 * @since   11.1
    852. 

  852. 	 */
    853. 

  853. 	protected function _validate($restart = false)
    854. 

  854. 	{
    855. 

  855. 		// Allow to restart a session
    856. 

  856. 		if ($restart)
    857. 

  857. 		{
    858. 

  858. 			$this->_state = 'active';
    859. 

  859. 

  860. 			$this->set('session.client.address', null);
    861. 

  861. 			$this->set('session.client.forwarded', null);
    862. 

  862. 			$this->set('session.client.browser', null);
    863. 

  863. 			$this->set('session.token', null);
    864. 

  864. 		}
    865. 

  865. 

  866. 		// Check if session has expired
    867. 

  867. 		if ($this->_expire)
    868. 

  868. 		{
    869. 

  869. 			$curTime = $this->get('session.timer.now', 0);
    870. 

  870. 			$maxTime = $this->get('session.timer.last', 0) + $this->_expire;
    871. 

  871. 

  872. 			// Empty session variables
    873. 

  873. 			if ($maxTime < $curTime)
    874. 

  874. 			{
    875. 

  875. 				$this->_state = 'expired';
    876. 

  876. 				return false;
    877. 

  877. 			}
    878. 

  878. 		}
    879. 

  879. 

  880. 		// Record proxy forwarded for in the session in case we need it later
    881. 

  881. 		if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    882. 

  882. 		{
    883. 

  883. 			$this->set('session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']);
    884. 

  884. 		}
    885. 

  885. 

  886. 		// Check for client address
    887. 

  887. 		if (in_array('fix_adress', $this->_security) && isset($_SERVER['REMOTE_ADDR']))
    888. 

  888. 		{
    889. 

  889. 			$ip = $this->get('session.client.address');
    890. 

  890. 

  891. 			if ($ip === null)
    892. 

  892. 			{
    893. 

  893. 				$this->set('session.client.address', $_SERVER['REMOTE_ADDR']);
    894. 

  894. 			}
    895. 

  895. 			elseif ($_SERVER['REMOTE_ADDR'] !== $ip)
    896. 

  896. 			{
    897. 

  897. 				$this->_state = 'error';
    898. 

  898. 				return false;
    899. 

  899. 			}
    900. 

  900. 		}
    901. 

  901. 

  902. 		// Check for clients browser
    903. 

  903. 		if (in_array('fix_browser', $this->_security) && isset($_SERVER['HTTP_USER_AGENT']))
    904. 

  904. 		{
    905. 

  905. 			$browser = $this->get('session.client.browser');
    906. 

  906. 

  907. 			if ($browser === null)
    908. 

  908. 			{
    909. 

  909. 				$this->set('session.client.browser', $_SERVER['HTTP_USER_AGENT']);
    910. 

  910. 			}
    911. 

  911. 			elseif ($_SERVER['HTTP_USER_AGENT'] !== $browser)
    912. 

  912. 			{
    913. 

  913. 				// @todo remove code: 				$this->_state	=	'error';
    914. 

  914. 				// @todo remove code: 				return false;
    915. 

  915. 			}
    916. 

  916. 		}
    917. 

  917. 

  918. 		return true;
    919. 

  919. 	}
    920. 

  920. }
    921. 

  921.