PageRenderTime 32ms CodeModel.GetById 8ms RepoModel.GetById 0ms app.codeStats 0ms

/classes/session/SessionManager.inc.php

https://github.com/mbehiels/pkp-lib
PHP | 256 lines | 130 code | 35 blank | 91 comment | 22 complexity | ad94b3ab02da6d80e3894133e8e2fa9c MD5 | raw file
    

  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * @file classes/session/SessionManager.inc.php
    5. 

  5.  *
    6. 

  6.  * Copyright (c) 2000-2011 John Willinsky
    7. 

  7.  * Distributed under the GNU GPL v2. For full terms see the file docs/COPYING.
    8. 

  8.  *
    9. 

  9.  * @class SessionManager
    10. 

  10.  * @ingroup session
    11. 

  11.  *
    12. 

  12.  * @brief Implements PHP methods for a custom session storage handler (see http://php.net/session).
    13. 

  13.  */
    14. 

  14. 

  15. 

  16. class SessionManager {
    17. 

  17. 

  18. 	/** @var object The DAO for accessing Session objects */
    19. 

  19. 	var $sessionDao;
    20. 

  20. 

  21. 	/** @var object The Session associated with the current request */
    22. 

  22. 	var $userSession;
    23. 

  23. 

  24. 	/**
    25. 

  25. 	 * Constructor.
    26. 

  26. 	 * Initialize session configuration and set PHP session handlers.
    27. 

  27. 	 * Attempts to rejoin a user's session if it exists, or create a new session otherwise.
    28. 

  28. 	 * @param $sessionDao SessionDAO
    29. 

  29. 	 * @param $request PKPRequest
    30. 

  30. 	 */
    31. 

  31. 	function SessionManager(&$sessionDao, &$request) {
    32. 

  32. 		$this->sessionDao =& $sessionDao;
    33. 

  33. 

  34. 		// Configure PHP session parameters
    35. 

  35. 		ini_set('session.use_trans_sid', 0);
    36. 

  36. 		ini_set('session.save_handler', 'user');
    37. 

  37. 		ini_set('session.serialize_handler', 'php');
    38. 

  38. 		ini_set('session.use_cookies', 1);
    39. 

  39. 		ini_set('session.name', Config::getVar('general', 'session_cookie_name')); // Cookie name
    40. 

  40. 		ini_set('session.cookie_lifetime', 0);
    41. 

  41. 		ini_set('session.cookie_path', $request->getBasePath() . '/');
    42. 

  42. 		ini_set('session.gc_probability', 1);
    43. 

  43. 		ini_set('session.gc_maxlifetime', 60 * 60);
    44. 

  44. 		ini_set('session.auto_start', 1);
    45. 

  45. 		ini_set('session.cache_limiter', 'none');
    46. 

  46. 

  47. 		session_set_save_handler(
    48. 

  48. 			array(&$this, 'open'),
    49. 

  49. 			array(&$this, 'close'),
    50. 

  50. 			array(&$this, 'read'),
    51. 

  51. 			array(&$this, 'write'),
    52. 

  52. 			array(&$this, 'destroy'),
    53. 

  53. 			array(&$this, 'gc')
    54. 

  54. 		);
    55. 

  55. 

  56. 		// Initialize the session. This calls SessionManager::read() and
    57. 

  57. 		// sets $this->userSession if a session is present.
    58. 

  58. 		session_start();
    59. 

  59. 		$sessionId = session_id();
    60. 

  60. 

  61. 		$ip = $request->getRemoteAddr();
    62. 

  62. 		$userAgent = $request->getUserAgent();
    63. 

  63. 		$now = time();
    64. 

  64. 

  65. 		if (!isset($this->userSession) || (Config::getVar('security', 'session_check_ip') && $this->userSession->getIpAddress() != $ip) || $this->userSession->getUserAgent() != substr($userAgent, 0, 255)) {
    66. 

  66. 			if (isset($this->userSession)) {
    67. 

  67. 				// Destroy old session
    68. 

  68. 				session_destroy();
    69. 

  69. 			}
    70. 

  70. 

  71. 			// Create new session
    72. 

  72. 			$this->userSession = new Session();
    73. 

  73. 			$this->userSession->setId($sessionId);
    74. 

  74. 			$this->userSession->setIpAddress($ip);
    75. 

  75. 			$this->userSession->setUserAgent($userAgent);
    76. 

  76. 			$this->userSession->setSecondsCreated($now);
    77. 

  77. 			$this->userSession->setSecondsLastUsed($now);
    78. 

  78. 			$this->userSession->setSessionData('');
    79. 

  79. 

  80. 			$this->sessionDao->insertSession($this->userSession);
    81. 

  81. 

  82. 		} else {
    83. 

  83. 			if ($this->userSession->getRemember()) {
    84. 

  84. 				// Update session timestamp for remembered sessions so it doesn't expire in the middle of a browser session
    85. 

  85. 				if (Config::getVar('general', 'session_lifetime') > 0) {
    86. 

  86. 					$this->updateSessionLifetime(time() + Config::getVar('general', 'session_lifetime') * 86400);
    87. 

  87. 				} else {
    88. 

  88. 					$this->userSession->setRemember(0);
    89. 

  89. 					$this->updateSessionLifetime(0);
    90. 

  90. 				}
    91. 

  91. 			}
    92. 

  92. 

  93. 			// Update existing session's timestamp; will be saved when write is called
    94. 

  94. 			$this->userSession->setSecondsLastUsed($now);
    95. 

  95. 		}
    96. 

  96. 	}
    97. 

  97. 

  98. 	/**
    99. 

  99. 	 * Return an instance of the session manager.
    100. 

  100. 	 * @return SessionManager
    101. 

  101. 	 */
    102. 

  102. 	function &getManager() {
    103. 

  103. 		$instance =& Registry::get('sessionManager', true, null);
    104. 

  104. 

  105. 		if (is_null($instance)) {
    106. 

  106. 			$application =& Registry::get('application');
    107. 

  107. 			assert(!is_null($application));
    108. 

  108. 			$request =& $application->getRequest();
    109. 

  109. 			assert(!is_null($request));
    110. 

  110. 

  111. 			// Implicitly set session manager by ref in the registry
    112. 

  112. 			$instance = new SessionManager(DAORegistry::getDAO('SessionDAO'), $request);
    113. 

  113. 		}
    114. 

  114. 

  115. 		return $instance;
    116. 

  116. 	}
    117. 

  117. 

  118. 	/**
    119. 

  119. 	 * Get the session associated with the current request.
    120. 

  120. 	 * @return Session
    121. 

  121. 	 */
    122. 

  122. 	function &getUserSession() {
    123. 

  123. 		return $this->userSession;
    124. 

  124. 	}
    125. 

  125. 

  126. 	/**
    127. 

  127. 	 * Open a session.
    128. 

  128. 	 * Does nothing; only here to satisfy PHP session handler requirements.
    129. 

  129. 	 * @return boolean
    130. 

  130. 	 */
    131. 

  131. 	function open() {
    132. 

  132. 		return true;
    133. 

  133. 	}
    134. 

  134. 

  135. 	/**
    136. 

  136. 	 * Close a session.
    137. 

  137. 	 * Does nothing; only here to satisfy PHP session handler requirements.
    138. 

  138. 	 * @return boolean
    139. 

  139. 	 */
    140. 

  140. 	function close() {
    141. 

  141. 		return true;
    142. 

  142. 	}
    143. 

  143. 

  144. 	/**
    145. 

  145. 	 * Read session data from database.
    146. 

  146. 	 * @param $sessionId string
    147. 

  147. 	 * @return boolean
    148. 

  148. 	 */
    149. 

  149. 	function read($sessionId) {
    150. 

  150. 		if (!isset($this->userSession)) {
    151. 

  151. 			$this->userSession =& $this->sessionDao->getSession($sessionId);
    152. 

  152. 			if (isset($this->userSession)) {
    153. 

  153. 				$data = $this->userSession->getSessionData();
    154. 

  154. 			}
    155. 

  155. 		}
    156. 

  156. 		return isset($data) ? $data : '';
    157. 

  157. 	}
    158. 

  158. 

  159. 	/**
    160. 

  160. 	 * Save session data to database.
    161. 

  161. 	 * @param $sessionId string
    162. 

  162. 	 * @param $data array
    163. 

  163. 	 * @return boolean
    164. 

  164. 	 */
    165. 

  165. 	function write($sessionId, $data) {
    166. 

  166. 		if (isset($this->userSession)) {
    167. 

  167. 			$this->userSession->setSessionData($data);
    168. 

  168. 			return $this->sessionDao->updateObject($this->userSession);
    169. 

  169. 

  170. 		} else {
    171. 

  171. 			return true;
    172. 

  172. 		}
    173. 

  173. 	}
    174. 

  174. 

  175. 	/**
    176. 

  176. 	 * Destroy (delete) a session.
    177. 

  177. 	 * @param $sessionId string
    178. 

  178. 	 * @return boolean
    179. 

  179. 	 */
    180. 

  180. 	function destroy($sessionId) {
    181. 

  181. 		return $this->sessionDao->deleteSessionById($sessionId);
    182. 

  182. 	}
    183. 

  183. 

  184. 	/**
    185. 

  185. 	 * Garbage collect unused session data.
    186. 

  186. 	 * TODO: Use $maxlifetime instead of assuming 24 hours?
    187. 

  187. 	 * @param $maxlifetime int the number of seconds after which data will be seen as "garbage" and cleaned up
    188. 

  188. 	 * @return boolean
    189. 

  189. 	 */
    190. 

  190. 	function gc($maxlifetime) {
    191. 

  191. 		return $this->sessionDao->deleteSessionByLastUsed(time() - 86400, Config::getVar('general', 'session_lifetime') <= 0 ? 0 : time() - Config::getVar('general', 'session_lifetime') * 86400);
    192. 

  192. 	}
    193. 

  193. 

  194. 	/**
    195. 

  195. 	 * Resubmit the session cookie.
    196. 

  196. 	 * @param $sessionId string new session ID (or false to keep current ID)
    197. 

  197. 	 * @param $expireTime int new expiration time in seconds (0 = current session)
    198. 

  198. 	 * @return boolean
    199. 

  199. 	 */
    200. 

  200. 	function updateSessionCookie($sessionId = false, $expireTime = 0) {
    201. 

  201. 		return setcookie(session_name(), ($sessionId === false) ? session_id() : $sessionId, $expireTime, ini_get('session.cookie_path'));
    202. 

  202. 	}
    203. 

  203. 

  204. 	/**
    205. 

  205. 	 * Regenerate the session ID for the current user session.
    206. 

  206. 	 * This is useful to guard against the "session fixation" form of hijacking
    207. 

  207. 	 * by changing the user's session ID after they have logged in (in case the
    208. 

  208. 	 * original session ID had been pre-populated).
    209. 

  209. 	 * @return boolean
    210. 

  210. 	 */
    211. 

  211. 	function regenerateSessionId() {
    212. 

  212. 		$success = false;
    213. 

  213. 		$currentSessionId = session_id();
    214. 

  214. 

  215. 		if (function_exists('session_regenerate_id')) {
    216. 

  216. 			// session_regenerate_id is only available on PHP >= 4.3.2
    217. 

  217. 			if (session_regenerate_id() && isset($this->userSession)) {
    218. 

  218. 				// Delete old session and insert new session
    219. 

  219. 				$this->sessionDao->deleteSessionById($currentSessionId);
    220. 

  220. 				$this->userSession->setId(session_id());
    221. 

  221. 				$this->sessionDao->insertSession($this->userSession);
    222. 

  222. 				$this->updateSessionCookie(); // TODO: this might not be needed on >= 4.3.3
    223. 

  223. 				$success = true;
    224. 

  224. 			}
    225. 

  225. 

  226. 		} else {
    227. 

  227. 			// Regenerate session ID (for PHP < 4.3.2)
    228. 

  228. 			do {
    229. 

  229. 				// Generate new session ID -- should be random enough to typically execute only once
    230. 

  230. 				$newSessionId = md5(mt_rand());
    231. 

  231. 			} while ($this->sessionDao->sessionExistsById($newSessionId));
    232. 

  232. 

  233. 			if (isset($this->userSession)) {
    234. 

  234. 				// Delete old session and insert new session
    235. 

  235. 				$this->sessionDao->deleteSessionById($currentSessionId);
    236. 

  236. 				$this->userSession->setId($newSessionId);
    237. 

  237. 				$this->sessionDao->insertSession($this->userSession);
    238. 

  238. 				$this->updateSessionCookie($newSessionId);
    239. 

  239. 				$success = true;
    240. 

  240. 			}
    241. 

  241. 		}
    242. 

  242. 

  243. 		return $success;
    244. 

  244. 	}
    245. 

  245. 

  246. 	/**
    247. 

  247. 	 * Change the lifetime of the current session cookie.
    248. 

  248. 	 * @param $expireTime int new expiration time in seconds (0 = current session)
    249. 

  249. 	 * @return boolean
    250. 

  250. 	 */
    251. 

  251. 	function updateSessionLifetime($expireTime = 0) {
    252. 

  252. 		return $this->updateSessionCookie(false, $expireTime);
    253. 

  253. 	}
    254. 

  254. }
    255. 

  255. 

  256. ?>
    257. 

  257.