統計
| ブランチ: | リビジョン:

pictcode_admin / lib / Cake / Model / Datasource / CakeSession.php @ 5ad38a95

履歴 | 表示 | アノテート | ダウンロード (18.596 KB)

1 5ad38a95 spyder1211
<?php
2
/**
3
 * Session class for CakePHP.
4
 *
5
 * CakePHP abstracts the handling of sessions.
6
 * There are several convenient methods to access session information.
7
 * This class is the implementation of those methods.
8
 * They are mostly used by the Session Component.
9
 *
10
 * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
11
 * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
12
 *
13
 * Licensed under The MIT License
14
 * For full copyright and license information, please see the LICENSE.txt
15
 * Redistributions of files must retain the above copyright notice.
16
 *
17
 * @copyright     Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
18
 * @link          http://cakephp.org CakePHP(tm) Project
19
 * @package       Cake.Model.Datasource
20
 * @since         CakePHP(tm) v .0.10.0.1222
21
 * @license       http://www.opensource.org/licenses/mit-license.php MIT License
22
 */
23
24
App::uses('Hash', 'Utility');
25
App::uses('Security', 'Utility');
26
27
/**
28
 * Session class for CakePHP.
29
 *
30
 * CakePHP abstracts the handling of sessions. There are several convenient methods to access session information.
31
 * This class is the implementation of those methods. They are mostly used by the Session Component.
32
 *
33
 * @package       Cake.Model.Datasource
34
 */
35
class CakeSession {
36
37
/**
38
 * True if the Session is still valid
39
 *
40
 * @var bool
41
 */
42
        public static $valid = false;
43
44
/**
45
 * Error messages for this session
46
 *
47
 * @var array
48
 */
49
        public static $error = false;
50
51
/**
52
 * User agent string
53
 *
54
 * @var string
55
 */
56
        protected static $_userAgent = '';
57
58
/**
59
 * Path to where the session is active.
60
 *
61
 * @var string
62
 */
63
        public static $path = '/';
64
65
/**
66
 * Error number of last occurred error
67
 *
68
 * @var int
69
 */
70
        public static $lastError = null;
71
72
/**
73
 * Start time for this session.
74
 *
75
 * @var int
76
 */
77
        public static $time = false;
78
79
/**
80
 * Cookie lifetime
81
 *
82
 * @var int
83
 */
84
        public static $cookieLifeTime;
85
86
/**
87
 * Time when this session becomes invalid.
88
 *
89
 * @var int
90
 */
91
        public static $sessionTime = false;
92
93
/**
94
 * Current Session id
95
 *
96
 * @var string
97
 */
98
        public static $id = null;
99
100
/**
101
 * Hostname
102
 *
103
 * @var string
104
 */
105
        public static $host = null;
106
107
/**
108
 * Session timeout multiplier factor
109
 *
110
 * @var int
111
 */
112
        public static $timeout = null;
113
114
/**
115
 * Number of requests that can occur during a session time without the session being renewed.
116
 * This feature is only used when config value `Session.autoRegenerate` is set to true.
117
 *
118
 * @var int
119
 * @see CakeSession::_checkValid()
120
 */
121
        public static $requestCountdown = 10;
122
123
/**
124
 * Whether or not the init function in this class was already called
125
 *
126
 * @var bool
127
 */
128
        protected static $_initialized = false;
129
130
/**
131
 * Session cookie name
132
 *
133
 * @var string
134
 */
135
        protected static $_cookieName = null;
136
137
/**
138
 * Pseudo constructor.
139
 *
140
 * @param string|null $base The base path for the Session
141
 * @return void
142
 */
143
        public static function init($base = null) {
144
                static::$time = time();
145
146
                if (env('HTTP_USER_AGENT')) {
147
                        static::$_userAgent = md5(env('HTTP_USER_AGENT') . Configure::read('Security.salt'));
148
                }
149
150
                static::_setPath($base);
151
                static::_setHost(env('HTTP_HOST'));
152
153
                if (!static::$_initialized) {
154
                        register_shutdown_function('session_write_close');
155
                }
156
157
                static::$_initialized = true;
158
        }
159
160
/**
161
 * Setup the Path variable
162
 *
163
 * @param string|null $base base path
164
 * @return void
165
 */
166
        protected static function _setPath($base = null) {
167
                if (empty($base)) {
168
                        static::$path = '/';
169
                        return;
170
                }
171
                if (strpos($base, 'index.php') !== false) {
172
                        $base = str_replace('index.php', '', $base);
173
                }
174
                if (strpos($base, '?') !== false) {
175
                        $base = str_replace('?', '', $base);
176
                }
177
                static::$path = $base;
178
        }
179
180
/**
181
 * Set the host name
182
 *
183
 * @param string $host Hostname
184
 * @return void
185
 */
186
        protected static function _setHost($host) {
187
                static::$host = $host;
188
                if (strpos(static::$host, ':') !== false) {
189
                        static::$host = substr(static::$host, 0, strpos(static::$host, ':'));
190
                }
191
        }
192
193
/**
194
 * Starts the Session.
195
 *
196
 * @return bool True if session was started
197
 */
198
        public static function start() {
199
                if (static::started()) {
200
                        return true;
201
                }
202
203
                $id = static::id();
204
                static::_startSession();
205
206
                if (!$id && static::started()) {
207
                        static::_checkValid();
208
                }
209
210
                static::$error = false;
211
                static::$valid = true;
212
                return static::started();
213
        }
214
215
/**
216
 * Determine if Session has been started.
217
 *
218
 * @return bool True if session has been started.
219
 */
220
        public static function started() {
221
                return isset($_SESSION) && session_id();
222
        }
223
224
/**
225
 * Returns true if given variable is set in session.
226
 *
227
 * @param string $name Variable name to check for
228
 * @return bool True if variable is there
229
 */
230
        public static function check($name) {
231
                if (empty($name) || !static::_hasSession() || !static::start()) {
232
                        return false;
233
                }
234
235
                return Hash::get($_SESSION, $name) !== null;
236
        }
237
238
/**
239
 * Returns the session id.
240
 * Calling this method will not auto start the session. You might have to manually
241
 * assert a started session.
242
 *
243
 * Passing an id into it, you can also replace the session id if the session
244
 * has not already been started.
245
 * Note that depending on the session handler, not all characters are allowed
246
 * within the session id. For example, the file session handler only allows
247
 * characters in the range a-z A-Z 0-9 , (comma) and - (minus).
248
 *
249
 * @param string|null $id Id to replace the current session id
250
 * @return string Session id
251
 */
252
        public static function id($id = null) {
253
                if ($id) {
254
                        static::$id = $id;
255
                        session_id(static::$id);
256
                }
257
                if (static::started()) {
258
                        return session_id();
259
                }
260
                return static::$id;
261
        }
262
263
/**
264
 * Removes a variable from session.
265
 *
266
 * @param string $name Session variable to remove
267
 * @return bool Success
268
 */
269
        public static function delete($name) {
270
                if (static::check($name)) {
271
                        static::_overwrite($_SESSION, Hash::remove($_SESSION, $name));
272
                        return !static::check($name);
273
                }
274
                return false;
275
        }
276
277
/**
278
 * Used to write new data to _SESSION, since PHP doesn't like us setting the _SESSION var itself.
279
 *
280
 * @param array &$old Set of old variables => values
281
 * @param array $new New set of variable => value
282
 * @return void
283
 */
284
        protected static function _overwrite(&$old, $new) {
285
                if (!empty($old)) {
286
                        foreach ($old as $key => $var) {
287
                                if (!isset($new[$key])) {
288
                                        unset($old[$key]);
289
                                }
290
                        }
291
                }
292
                foreach ($new as $key => $var) {
293
                        $old[$key] = $var;
294
                }
295
        }
296
297
/**
298
 * Return error description for given error number.
299
 *
300
 * @param int $errorNumber Error to set
301
 * @return string Error as string
302
 */
303
        protected static function _error($errorNumber) {
304
                if (!is_array(static::$error) || !array_key_exists($errorNumber, static::$error)) {
305
                        return false;
306
                }
307
                return static::$error[$errorNumber];
308
        }
309
310
/**
311
 * Returns last occurred error as a string, if any.
312
 *
313
 * @return mixed Error description as a string, or false.
314
 */
315
        public static function error() {
316
                if (static::$lastError) {
317
                        return static::_error(static::$lastError);
318
                }
319
                return false;
320
        }
321
322
/**
323
 * Returns true if session is valid.
324
 *
325
 * @return bool Success
326
 */
327
        public static function valid() {
328
                if (static::start() && static::read('Config')) {
329
                        if (static::_validAgentAndTime() && static::$error === false) {
330
                                static::$valid = true;
331
                        } else {
332
                                static::$valid = false;
333
                                static::_setError(1, 'Session Highjacking Attempted !!!');
334
                        }
335
                }
336
                return static::$valid;
337
        }
338
339
/**
340
 * Tests that the user agent is valid and that the session hasn't 'timed out'.
341
 * Since timeouts are implemented in CakeSession it checks the current static::$time
342
 * against the time the session is set to expire. The User agent is only checked
343
 * if Session.checkAgent == true.
344
 *
345
 * @return bool
346
 */
347
        protected static function _validAgentAndTime() {
348
                $config = static::read('Config');
349
                $validAgent = (
350
                        Configure::read('Session.checkAgent') === false ||
351
                        isset($config['userAgent']) && static::$_userAgent === $config['userAgent']
352
                );
353
                return ($validAgent && static::$time <= $config['time']);
354
        }
355
356
/**
357
 * Get / Set the user agent
358
 *
359
 * @param string|null $userAgent Set the user agent
360
 * @return string Current user agent.
361
 */
362
        public static function userAgent($userAgent = null) {
363
                if ($userAgent) {
364
                        static::$_userAgent = $userAgent;
365
                }
366
                if (empty(static::$_userAgent)) {
367
                        CakeSession::init(static::$path);
368
                }
369
                return static::$_userAgent;
370
        }
371
372
/**
373
 * Returns given session variable, or all of them, if no parameters given.
374
 *
375
 * @param string|null $name The name of the session variable (or a path as sent to Set.extract)
376
 * @return mixed The value of the session variable, null if session not available,
377
 *   session not started, or provided name not found in the session, false on failure.
378
 */
379
        public static function read($name = null) {
380
                if (empty($name) && $name !== null) {
381
                        return null;
382
                }
383
                if (!static::_hasSession() || !static::start()) {
384
                        return null;
385
                }
386
                if ($name === null) {
387
                        return static::_returnSessionVars();
388
                }
389
                $result = Hash::get($_SESSION, $name);
390
391
                if (isset($result)) {
392
                        return $result;
393
                }
394
                return null;
395
        }
396
397
/**
398
 * Returns all session variables.
399
 *
400
 * @return mixed Full $_SESSION array, or false on error.
401
 */
402
        protected static function _returnSessionVars() {
403
                if (!empty($_SESSION)) {
404
                        return $_SESSION;
405
                }
406
                static::_setError(2, 'No Session vars set');
407
                return false;
408
        }
409
410
/**
411
 * Writes value to given session variable name.
412
 *
413
 * @param string|array $name Name of variable
414
 * @param string $value Value to write
415
 * @return bool True if the write was successful, false if the write failed
416
 */
417
        public static function write($name, $value = null) {
418
                if (empty($name) || !static::start()) {
419
                        return false;
420
                }
421
422
                $write = $name;
423
                if (!is_array($name)) {
424
                        $write = array($name => $value);
425
                }
426
                foreach ($write as $key => $val) {
427
                        static::_overwrite($_SESSION, Hash::insert($_SESSION, $key, $val));
428
                        if (Hash::get($_SESSION, $key) !== $val) {
429
                                return false;
430
                        }
431
                }
432
                return true;
433
        }
434
435
/**
436
 * Reads and deletes a variable from session.
437
 *
438
 * @param string $name The key to read and remove (or a path as sent to Hash.extract).
439
 * @return mixed The value of the session variable, null if session not available,
440
 *   session not started, or provided name not found in the session.
441
 */
442
        public static function consume($name) {
443
                if (empty($name)) {
444
                        return null;
445
                }
446
                $value = static::read($name);
447
                if ($value !== null) {
448
                        static::_overwrite($_SESSION, Hash::remove($_SESSION, $name));
449
                }
450
                return $value;
451
        }
452
453
/**
454
 * Helper method to destroy invalid sessions.
455
 *
456
 * @return void
457
 */
458
        public static function destroy() {
459
                if (!static::started()) {
460
                        static::_startSession();
461
                }
462
463
                if (static::started()) {
464
                        session_destroy();
465
                }
466
467
                $_SESSION = null;
468
                static::$id = null;
469
                static::$_cookieName = null;
470
        }
471
472
/**
473
 * Clears the session.
474
 *
475
 * Optionally also clears the session id and renews the session.
476
 *
477
 * @param bool $renew If the session should also be renewed. Defaults to true.
478
 * @return void
479
 */
480
        public static function clear($renew = true) {
481
                if (!$renew) {
482
                        $_SESSION = array();
483
                        return;
484
                }
485
486
                $_SESSION = null;
487
                static::$id = null;
488
                static::renew();
489
        }
490
491
/**
492
 * Helper method to initialize a session, based on CakePHP core settings.
493
 *
494
 * Sessions can be configured with a few shortcut names as well as have any number of ini settings declared.
495
 *
496
 * @return void
497
 * @throws CakeSessionException Throws exceptions when ini_set() fails.
498
 */
499
        protected static function _configureSession() {
500
                $sessionConfig = Configure::read('Session');
501
502
                if (isset($sessionConfig['defaults'])) {
503
                        $defaults = static::_defaultConfig($sessionConfig['defaults']);
504
                        if ($defaults) {
505
                                $sessionConfig = Hash::merge($defaults, $sessionConfig);
506
                        }
507
                }
508
                if (!isset($sessionConfig['ini']['session.cookie_secure']) && env('HTTPS')) {
509
                        $sessionConfig['ini']['session.cookie_secure'] = 1;
510
                }
511
                if (isset($sessionConfig['timeout']) && !isset($sessionConfig['cookieTimeout'])) {
512
                        $sessionConfig['cookieTimeout'] = $sessionConfig['timeout'];
513
                }
514
                if (!isset($sessionConfig['ini']['session.cookie_lifetime'])) {
515
                        $sessionConfig['ini']['session.cookie_lifetime'] = $sessionConfig['cookieTimeout'] * 60;
516
                }
517
518
                if (!isset($sessionConfig['ini']['session.name'])) {
519
                        $sessionConfig['ini']['session.name'] = $sessionConfig['cookie'];
520
                }
521
                static::$_cookieName = $sessionConfig['ini']['session.name'];
522
523
                if (!empty($sessionConfig['handler'])) {
524
                        $sessionConfig['ini']['session.save_handler'] = 'user';
525
                } elseif (!empty($sessionConfig['session.save_path']) && Configure::read('debug')) {
526
                        if (!is_dir($sessionConfig['session.save_path'])) {
527
                                mkdir($sessionConfig['session.save_path'], 0775, true);
528
                        }
529
                }
530
531
                if (!isset($sessionConfig['ini']['session.gc_maxlifetime'])) {
532
                        $sessionConfig['ini']['session.gc_maxlifetime'] = $sessionConfig['timeout'] * 60;
533
                }
534
                if (!isset($sessionConfig['ini']['session.cookie_httponly'])) {
535
                        $sessionConfig['ini']['session.cookie_httponly'] = 1;
536
                }
537
538
                if (empty($_SESSION)) {
539
                        if (!empty($sessionConfig['ini']) && is_array($sessionConfig['ini'])) {
540
                                foreach ($sessionConfig['ini'] as $setting => $value) {
541
                                        if (ini_set($setting, $value) === false) {
542
                                                throw new CakeSessionException(__d('cake_dev', 'Unable to configure the session, setting %s failed.', $setting));
543
                                        }
544
                                }
545
                        }
546
                }
547
                if (!empty($sessionConfig['handler']) && !isset($sessionConfig['handler']['engine'])) {
548
                        call_user_func_array('session_set_save_handler', $sessionConfig['handler']);
549
                }
550
                if (!empty($sessionConfig['handler']['engine'])) {
551
                        $handler = static::_getHandler($sessionConfig['handler']['engine']);
552
                        session_set_save_handler(
553
                                array($handler, 'open'),
554
                                array($handler, 'close'),
555
                                array($handler, 'read'),
556
                                array($handler, 'write'),
557
                                array($handler, 'destroy'),
558
                                array($handler, 'gc')
559
                        );
560
                }
561
                Configure::write('Session', $sessionConfig);
562
                static::$sessionTime = static::$time + ($sessionConfig['timeout'] * 60);
563
        }
564
565
/**
566
 * Get session cookie name.
567
 *
568
 * @return string
569
 */
570
        protected static function _cookieName() {
571
                if (static::$_cookieName !== null) {
572
                        return static::$_cookieName;
573
                }
574
575
                static::init();
576
                static::_configureSession();
577
578
                return static::$_cookieName = session_name();
579
        }
580
581
/**
582
 * Returns whether a session exists
583
 *
584
 * @return bool
585
 */
586
        protected static function _hasSession() {
587
                return static::started() || isset($_COOKIE[static::_cookieName()]);
588
        }
589
590
/**
591
 * Find the handler class and make sure it implements the correct interface.
592
 *
593
 * @param string $handler Handler name.
594
 * @return void
595
 * @throws CakeSessionException
596
 */
597
        protected static function _getHandler($handler) {
598
                list($plugin, $class) = pluginSplit($handler, true);
599
                App::uses($class, $plugin . 'Model/Datasource/Session');
600
                if (!class_exists($class)) {
601
                        throw new CakeSessionException(__d('cake_dev', 'Could not load %s to handle the session.', $class));
602
                }
603
                $handler = new $class();
604
                if ($handler instanceof CakeSessionHandlerInterface) {
605
                        return $handler;
606
                }
607
                throw new CakeSessionException(__d('cake_dev', 'Chosen SessionHandler does not implement CakeSessionHandlerInterface it cannot be used with an engine key.'));
608
        }
609
610
/**
611
 * Get one of the prebaked default session configurations.
612
 *
613
 * @param string $name Config name.
614
 * @return bool|array
615
 */
616
        protected static function _defaultConfig($name) {
617
                $defaults = array(
618
                        'php' => array(
619
                                'cookie' => 'CAKEPHP',
620
                                'timeout' => 240,
621
                                'ini' => array(
622
                                        'session.use_trans_sid' => 0,
623
                                        'session.cookie_path' => static::$path
624
                                )
625
                        ),
626
                        'cake' => array(
627
                                'cookie' => 'CAKEPHP',
628
                                'timeout' => 240,
629
                                'ini' => array(
630
                                        'session.use_trans_sid' => 0,
631
                                        'url_rewriter.tags' => '',
632
                                        'session.serialize_handler' => 'php',
633
                                        'session.use_cookies' => 1,
634
                                        'session.cookie_path' => static::$path,
635
                                        'session.save_path' => TMP . 'sessions',
636
                                        'session.save_handler' => 'files'
637
                                )
638
                        ),
639
                        'cache' => array(
640
                                'cookie' => 'CAKEPHP',
641
                                'timeout' => 240,
642
                                'ini' => array(
643
                                        'session.use_trans_sid' => 0,
644
                                        'url_rewriter.tags' => '',
645
                                        'session.use_cookies' => 1,
646
                                        'session.cookie_path' => static::$path,
647
                                        'session.save_handler' => 'user',
648
                                ),
649
                                'handler' => array(
650
                                        'engine' => 'CacheSession',
651
                                        'config' => 'default'
652
                                )
653
                        ),
654
                        'database' => array(
655
                                'cookie' => 'CAKEPHP',
656
                                'timeout' => 240,
657
                                'ini' => array(
658
                                        'session.use_trans_sid' => 0,
659
                                        'url_rewriter.tags' => '',
660
                                        'session.use_cookies' => 1,
661
                                        'session.cookie_path' => static::$path,
662
                                        'session.save_handler' => 'user',
663
                                        'session.serialize_handler' => 'php',
664
                                ),
665
                                'handler' => array(
666
                                        'engine' => 'DatabaseSession',
667
                                        'model' => 'Session'
668
                                )
669
                        )
670
                );
671
                if (isset($defaults[$name])) {
672
                        return $defaults[$name];
673
                }
674
                return false;
675
        }
676
677
/**
678
 * Helper method to start a session
679
 *
680
 * @return bool Success
681
 */
682
        protected static function _startSession() {
683
                static::init();
684
                session_write_close();
685
                static::_configureSession();
686
687
                if (headers_sent()) {
688
                        if (empty($_SESSION)) {
689
                                $_SESSION = array();
690
                        }
691
                } else {
692
                        // For IE<=8
693
                        session_cache_limiter("must-revalidate");
694
                        session_start();
695
                }
696
                return true;
697
        }
698
699
/**
700
 * Helper method to create a new session.
701
 *
702
 * @return void
703
 */
704
        protected static function _checkValid() {
705
                $config = static::read('Config');
706
                if ($config) {
707
                        $sessionConfig = Configure::read('Session');
708
709
                        if (static::valid()) {
710
                                static::write('Config.time', static::$sessionTime);
711
                                if (isset($sessionConfig['autoRegenerate']) && $sessionConfig['autoRegenerate'] === true) {
712
                                        $check = $config['countdown'];
713
                                        $check -= 1;
714
                                        static::write('Config.countdown', $check);
715
716
                                        if ($check < 1) {
717
                                                static::renew();
718
                                                static::write('Config.countdown', static::$requestCountdown);
719
                                        }
720
                                }
721
                        } else {
722
                                $_SESSION = array();
723
                                static::destroy();
724
                                static::_setError(1, 'Session Highjacking Attempted !!!');
725
                                static::_startSession();
726
                                static::_writeConfig();
727
                        }
728
                } else {
729
                        static::_writeConfig();
730
                }
731
        }
732
733
/**
734
 * Writes configuration variables to the session
735
 *
736
 * @return void
737
 */
738
        protected static function _writeConfig() {
739
                static::write('Config.userAgent', static::$_userAgent);
740
                static::write('Config.time', static::$sessionTime);
741
                static::write('Config.countdown', static::$requestCountdown);
742
        }
743
744
/**
745
 * Restarts this session.
746
 *
747
 * @return void
748
 */
749
        public static function renew() {
750
                if (session_id() === '') {
751
                        return;
752
                }
753
                if (isset($_COOKIE[session_name()])) {
754
                        setcookie(Configure::read('Session.cookie'), '', time() - 42000, static::$path);
755
                }
756
                session_regenerate_id(true);
757
        }
758
759
/**
760
 * Helper method to set an internal error message.
761
 *
762
 * @param int $errorNumber Number of the error
763
 * @param string $errorMessage Description of the error
764
 * @return void
765
 */
766
        protected static function _setError($errorNumber, $errorMessage) {
767
                if (static::$error === false) {
768
                        static::$error = array();
769
                }
770
                static::$error[$errorNumber] = $errorMessage;
771
                static::$lastError = $errorNumber;
772
        }
773
774
}