TYPO3/_session_service_8php_source.html

<?php

namespace TYPO3\CMS\Install\Service;


/*

 * This file is part of the TYPO3 CMS project.

 *

 * It is free software; you can redistribute it and/or modify it under

 * the terms of the GNU General Public License, either version 2

 * of the License, or any later version.

 *

 * For the full copyright and license information, please read the

 * LICENSE.txt file that was distributed with this source code.

 *

 * The TYPO3 project - inspiring people to share!

 */


use TYPO3\CMS\Core\Utility\GeneralUtility;


class SessionService implements \TYPO3\CMS\Core\SingletonInterface

{

    private $typo3tempPath;


    private $sessionPath = 'InstallToolSessions/%s';


    private $cookieName = 'Typo3InstallTool';


    private $expireTimeInMinutes = 60;


    private $regenerateSessionIdTime = 5;


    public function __construct()

    {

        $this->typo3tempPath = PATH_site . 'typo3temp/';

        // Start our PHP session early so that hasSession() works

        $sessionSavePath = $this->getSessionSavePath();

        // Register our "save" session handler

        session_set_save_handler(array($this, 'open'), array($this, 'close'), array($this, 'read'), array($this, 'write'), array($this, 'destroy'), array($this, 'gc'));

        session_save_path($sessionSavePath);

        session_name($this->cookieName);

        ini_set('session.cookie_path', GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));

        // Always call the garbage collector to clean up stale session files

        ini_set('session.gc_probability', 100);

        ini_set('session.gc_divisor', 100);

        ini_set('session.gc_maxlifetime', $this->expireTimeInMinutes * 2 * 60);

        if (\TYPO3\CMS\Core\Utility\PhpOptionsUtility::isSessionAutoStartEnabled()) {

            $sessionCreationError = 'Error: session.auto-start is enabled.<br />';

            $sessionCreationError .= 'The PHP option session.auto-start is enabled. Disable this option in php.ini or .htaccess:<br />';

            $sessionCreationError .= '<pre>php_value session.auto_start Off</pre>';

            throw new \TYPO3\CMS\Install\Exception($sessionCreationError, 1294587485);

        } elseif (defined('SID')) {

            $sessionCreationError = 'Session already started by session_start().<br />';

            $sessionCreationError .= 'Make sure no installed extension is starting a session in its ext_localconf.php or ext_tables.php.';

            throw new \TYPO3\CMS\Install\Exception($sessionCreationError, 1294587486);

        }

        session_start();

    }


    private function getSessionSavePath()

    {

        if (empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])) {

            throw new \TYPO3\CMS\Install\Exception(

                'No encryption key set to secure session',

                1371243449

            );

        }

        $sessionSavePath = sprintf(

            $this->typo3tempPath . $this->sessionPath,

            GeneralUtility::hmac('session:' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])

        );

        $this->ensureSessionSavePathExists($sessionSavePath);

        return $sessionSavePath;

    }


    private function ensureSessionSavePathExists($sessionSavePath)

    {

        if (!is_dir($sessionSavePath)) {

            try {

                GeneralUtility::mkdir_deep($sessionSavePath);

            } catch (\RuntimeException $exception) {

                throw new \TYPO3\CMS\Install\Exception(

                    'Could not create session folder in typo3temp/. Make sure it is writeable!',

                    1294587484

                );

            }

            $htaccessContent = '

# Apache < 2.3

<IfModule !mod_authz_core.c>

        Order allow,deny

        Deny from all

        Satisfy All

</IfModule>


# Apache ≥ 2.3

<IfModule mod_authz_core.c>

        Require all denied

</IfModule>

                        ';

            GeneralUtility::writeFile($sessionSavePath . '/.htaccess', $htaccessContent);

            $indexContent = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">';

            $indexContent .= '<HTML><HEAD<TITLE></TITLE><META http-equiv=Refresh Content="0; Url=../../">';

            $indexContent .= '</HEAD></HTML>';

            GeneralUtility::writeFile($sessionSavePath . '/index.html', $indexContent);

        }

    }


    public function startSession()

    {

        $_SESSION['active'] = true;

        // Be sure to use our own session id, so create a new one

        return $this->renewSession();

    }


    public function destroySession()

    {

        session_destroy();

    }


    public function resetSession()

    {

        $_SESSION = array();

        $_SESSION['active'] = false;

    }


    private function renewSession()

    {

        session_regenerate_id();

        return session_id();

    }


    public function hasSession()

    {

        return ($_SESSION['active'] === true);

    }


    public function getSessionId()

    {

        return session_id();

    }


    private function getSessionHash($sessionId = '')

    {

        if (empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])) {

            throw new \TYPO3\CMS\Install\Exception(

                'No encryption key set to secure session',

                1371243450

            );

        }

        if (!$sessionId) {

            $sessionId = $this->getSessionId();

        }

        return md5($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] . '|' . $sessionId);

    }


    public function setAuthorized()

    {

        $_SESSION['authorized'] = true;

        $_SESSION['lastSessionId'] = time();

        $_SESSION['tstamp'] = time();

        $_SESSION['expires'] = time() + $this->expireTimeInMinutes * 60;

        // Renew the session id to avoid session fixation

        $this->renewSession();

    }


    public function isAuthorized()

    {

        if (!$_SESSION['authorized']) {

            return false;

        }

        if ($_SESSION['expires'] < time()) {

            // This session has already expired

            return false;

        }

        return true;

    }


    public function isExpired()

    {

        if (!$_SESSION['authorized']) {

            // Session never existed, means it is not "expired"

            return false;

        }

        if ($_SESSION['expires'] < time()) {

            // This session was authorized before, but has expired

            return true;

        }

        return false;

    }


    public function refreshSession()

    {

        $_SESSION['tstamp'] = time();

        $_SESSION['expires'] = time() + $this->expireTimeInMinutes * 60;

        if (time() > $_SESSION['lastSessionId'] + $this->regenerateSessionIdTime * 60) {

            // Renew our session ID

            $_SESSION['lastSessionId'] = time();

            $this->renewSession();

        }

    }


    public function addMessage(\TYPO3\CMS\Install\Status\StatusInterface $message)

    {

        if (!is_array($_SESSION['messages'])) {

            $_SESSION['messages'] = array();

        }

        $_SESSION['messages'][] = $message;

    }


    public function getMessagesAndFlush()

    {

        $messages = array();

        if (is_array($_SESSION['messages'])) {

            $messages = $_SESSION['messages'];

        }

        $_SESSION['messages'] = array();

        return $messages;

    }


    /*************************

     *

     * PHP session handling with "secure" session files (hashed session id)

     * see http://www.php.net/manual/en/function.session-set-save-handler.php

     *

     *************************/

    private function getSessionFile($id)

    {

        $sessionSavePath = $this->getSessionSavePath();

        return $sessionSavePath . '/hash_' . $this->getSessionHash($id);

    }


    public function open($savePath, $sessionName)

    {

        return true;

    }


    public function close()

    {

        return true;

    }


    public function read($id)

    {

        $sessionFile = $this->getSessionFile($id);

        $content = (string)(@file_get_contents($sessionFile));

        // Do a "test write" of the session file after opening it. The real session data is written in

        // __destruct() and we can not create a sane error message there anymore, so this test should fail

        // before if final session file can not be written due to permission problems.

        $this->write($id, $content);

        return $content;

    }


    public function write($id, $sessionData)

    {

        $sessionFile = $this->getSessionFile($id);

        $result = GeneralUtility::writeFile($sessionFile, $sessionData);

        if (!$result) {

            throw new Exception(

                'Session file not writable. Please check permission on typo3temp/InstallToolSessions and its subdirectories.',

                1424355157

            );

        }

        return $result;

    }


    public function destroy($id)

    {

        $sessionFile = $this->getSessionFile($id);

        return @unlink($sessionFile);

    }


    public function gc($maxLifeTime)

    {

        $sessionSavePath = $this->getSessionSavePath();

        $files = glob($sessionSavePath . '/hash_*');

        if (!is_array($files)) {

            return true;

        }

        foreach ($files as $filename) {

            if (filemtime($filename) + $this->expireTimeInMinutes * 60 < time()) {

                @unlink($filename);

            }

        }

        return true;

    }


    public function __destruct()

    {

        session_write_close();

    }

}