class-wc-session-handler.php - Update session if its close …

/includes/class-wc-session-handler.php

https://github.com/crowdfavorite/woocommerce · PHP · 239 lines · 128 code · 35 blank · 76 comment · 23 complexity · 9244fb25f3f52962d857a93993ecea44 MD5 · raw file


<?php
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * Handle data for the current customers session.
 * Implements the WC_Session abstract class
 *
 * Long term plan will be, if https://github.com/ericmann/wp-session-manager/ gains traction
 * in WP core, this will be switched out to use it and maintain backwards compatibility :)
 *
 * Partly based on WP SESSION by Eric Mann.
 *
 * @class 		WC_Session_Handler
 * @version		2.0.0
 * @package		WooCommerce/Classes
 * @category	Class
 * @author 		WooThemes
 */
class WC_Session_Handler extends WC_Session {

	/** cookie name */
	private $_cookie;

	/** session due to expire timestamp */
	private $_session_expiring;

	/** session expiration timestamp */
	private $_session_expiration;

	/** Bool based on whether a cookie exists **/
	private $_has_cookie = false;

	/**
	 * Constructor for the session class.
	 */
	public function __construct() {
		$this->_cookie = 'wp_woocommerce_session_' . COOKIEHASH;

		if ( $cookie = $this->get_session_cookie() ) {
			$this->_customer_id        = $cookie[0];
			$this->_session_expiration = $cookie[1];
			$this->_session_expiring   = $cookie[2];
			$this->_has_cookie         = true;

			// Update session if its close to expiring
			if ( time() > $this->_session_expiring ) {
				$this->set_session_expiration();
				$session_expiry_option = '_wc_session_expires_' . $this->_customer_id;
				// Check if option exists first to avoid auloading cleaned up sessions
				if ( false === get_option( $session_expiry_option ) ) {
					add_option( $session_expiry_option, $this->_session_expiration, '', 'no' );
				} else {
					update_option( $session_expiry_option, $this->_session_expiration );
				}
			}

		} else {
			$this->set_session_expiration();
			$this->_customer_id = $this->generate_customer_id();
		}

		$this->_data = $this->get_session_data();

    	// Actions
    	add_action( 'woocommerce_set_cart_cookies', array( $this, 'set_customer_session_cookie' ), 10 );
    	add_action( 'woocommerce_cleanup_sessions', array( $this, 'cleanup_sessions' ), 10 );
    	add_action( 'shutdown', array( $this, 'save_data' ), 20 );
    	add_action( 'wp_logout', array( $this, 'destroy_session' ) );
    	if ( ! is_user_logged_in() ) {
    		add_action( 'woocommerce_thankyou', array( $this, 'destroy_session' ) );
    	}
    }

    /**
     * Sets the session cookie on-demand (usually after adding an item to the cart).
     *
     * Since the cookie name (as of 2.1) is prepended with wp, cache systems like batcache will not cache pages when set.
     *
     * Warning: Cookies will only be set if this is called before the headers are sent.
     */
    public function set_customer_session_cookie( $set ) {
    	if ( $set ) {
	    	// Set/renew our cookie
			$to_hash           = $this->_customer_id . $this->_session_expiration;
			$cookie_hash       = hash_hmac( 'md5', $to_hash, wp_hash( $to_hash ) );
			$cookie_value      = $this->_customer_id . '||' . $this->_session_expiration . '||' . $this->_session_expiring . '||' . $cookie_hash;
			$this->_has_cookie = true;

	    	// Set the cookie
	    	wc_setcookie( $this->_cookie, $cookie_value, $this->_session_expiration, apply_filters( 'wc_session_use_secure_cookie', false ) );
	    }
    }

    /**
     * Return true if the current user has an active session, i.e. a cookie to retrieve values
     * @return boolean
     */
    public function has_session() {
    	return isset( $_COOKIE[ $this->_cookie ] ) || $this->_has_cookie || is_user_logged_in();
    }

    /**
     * set_session_expiration function.
     */
    public function set_session_expiration() {
	    $this->_session_expiring    = time() + intval( apply_filters( 'wc_session_expiring', 60 * 60 * 47 ) ); // 47 Hours
		$this->_session_expiration  = time() + intval( apply_filters( 'wc_session_expiration', 60 * 60 * 48 ) ); // 48 Hours
    }

	/**
	 * Generate a unique customer ID for guests, or return user ID if logged in.
	 *
	 * Uses Portable PHP password hashing framework to generate a unique cryptographically strong ID.
	 *
	 * @return int|string
	 */
	public function generate_customer_id() {
		if ( is_user_logged_in() ) {
			return get_current_user_id();
		} else {
			require_once( ABSPATH . 'wp-includes/class-phpass.php');
			$hasher = new PasswordHash( 8, false );
			return md5( $hasher->get_random_bytes( 32 ) );
		}
	}

	/**
	 * get_session_cookie function.
	 *
	 * @return bool|array
	 */
	public function get_session_cookie() {
		if ( empty( $_COOKIE[ $this->_cookie ] ) ) {
			return false;
		}

		list( $customer_id, $session_expiration, $session_expiring, $cookie_hash ) = explode( '||', $_COOKIE[ $this->_cookie ] );

		// Validate hash
		$to_hash = $customer_id . $session_expiration;
		$hash    = hash_hmac( 'md5', $to_hash, wp_hash( $to_hash ) );

		if ( $hash != $cookie_hash ) {
			return false;
		}

		return array( $customer_id, $session_expiration, $session_expiring, $cookie_hash );
	}

	/**
	 * get_session_data function.
	 *
	 * @return array
	 */
	public function get_session_data() {
		return $this->has_session() ? (array) get_option( '_wc_session_' . $this->_customer_id, array() ) : array();
	}

    /**
     * save_data function.
     */
    public function save_data() {
    	// Dirty if something changed - prevents saving nothing new
    	if ( $this->_dirty && $this->has_session() ) {

			$session_option        = '_wc_session_' . $this->_customer_id;
			$session_expiry_option = '_wc_session_expires_' . $this->_customer_id;

	    	if ( false === get_option( $session_option ) ) {
	    		add_option( $session_option, $this->_data, '', 'no' );
		    	add_option( $session_expiry_option, $this->_session_expiration, '', 'no' );
	    	} else {
		    	update_option( $session_option, $this->_data );
	    	}
	    	// Mark session clean after saving
	    	$this->_dirty = false;
	    }
    }

    /**
     * Destroy all session data
     */
    public function destroy_session() {
		// Clear cookie
		wc_setcookie( $this->_cookie, '', time() - YEAR_IN_SECONDS, apply_filters( 'wc_session_use_secure_cookie', false ) );

		// Delete session
		$session_option        = '_wc_session_' . $this->_customer_id;
		$session_expiry_option = '_wc_session_expires_' . $this->_customer_id;

		delete_option( $session_option );
		delete_option( $session_expiry_option );

		// Clear cart
		wc_empty_cart();

		// Clear data
		$this->_data        = array();
		$this->_dirty       = false;
		$this->_customer_id = $this->generate_customer_id();
	}

    /**
	 * cleanup_sessions function.
	 */
	public function cleanup_sessions() {
		global $wpdb;

		if ( ! defined( 'WP_SETUP_CONFIG' ) && ! defined( 'WP_INSTALLING' ) ) {
			$now                = time();
			$expired_sessions   = array();
			$wc_session_expires = $wpdb->get_col( "SELECT option_name FROM $wpdb->options WHERE option_name LIKE '\_wc\_session\_expires\_%' AND option_value < '$now'" );

			foreach ( $wc_session_expires as $option_name ) {
				$session_id         = substr( $option_name, 20 );
				$expired_sessions[] = $option_name;  // Expires key
				$expired_sessions[] = "_wc_session_$session_id"; // Session key
			}

			if ( ! empty( $expired_sessions ) ) {
				$expired_sessions_chunked = array_chunk( $expired_sessions, 100 );
				foreach ( $expired_sessions_chunked as $chunk ) {
					if ( wp_using_ext_object_cache() ) {
						// delete from object cache first, to avoid cached but deleted options
						foreach ( $chunk as $option ) {
							wp_cache_delete( $option, 'options' );
						}
					}

					// delete from options table
					$option_names = implode( "','", $chunk );
					$wpdb->query( "DELETE FROM $wpdb->options WHERE option_name IN ('$option_names')" );
				}
			}
		}
	}
}

Alerts (2)

'md5(' Weak hashing detected; use password_hash() with PASSWORD_DEFAULT for secure password storage
125
'global $' Use of global variables; prefer dependency injection or function parameters
209