9.5/_session_service_8php_source.html

<?php

namespace ‪TYPO3\CMS\Install\Service;


/*

 * This file is part of the TYPO3 CMS project.

 *

 * It is free software; you can redistribute it and/or modify it under

 * the terms of the GNU General Public License, either version 2

 * of the License, or any later version.

 *

 * For the full copyright and license information, please read the

 * LICENSE.txt file that was distributed with this source code.

 *

 * The TYPO3 project - inspiring people to share!

 */


use Symfony\Component\HttpFoundation\Cookie;

use ‪TYPO3\CMS\Core\Core\Environment;

use ‪TYPO3\CMS\Core\Http\CookieHeaderTrait;

use ‪TYPO3\CMS\Core\Messaging\FlashMessage;

use ‪TYPO3\CMS\Core\Security\BlockSerializationTrait;

use ‪TYPO3\CMS\Core\SingletonInterface;

use ‪TYPO3\CMS\Core\Utility\GeneralUtility;


class ‪SessionService implements ‪SingletonInterface

{

    use ‪BlockSerializationTrait;

    use ‪CookieHeaderTrait;


    private ‪$basePath;


    private ‪$sessionPath = 'session/%s';


    private ‪$cookieName = 'Typo3InstallTool';


    private ‪$expireTimeInMinutes = 15;


    private ‪$regenerateSessionIdTime = 5;


    public function ‪__construct()

    {

        $this->basePath = ‪Environment::getVarPath() . '/';

        // Start our PHP session early so that hasSession() works

        $sessionSavePath = $this->‪getSessionSavePath();

        // Register our "save" session handler

        session_set_save_handler([$this, 'open'], [$this, 'close'], [$this, 'read'], [$this, 'write'], [$this, 'destroy'], [$this, 'gc']);

        session_save_path($sessionSavePath);

        session_name($this->cookieName);

        ini_set('session.cookie_httponly', true);

        if ($this->hasSameSiteCookieSupport()) {

            ini_set('session.cookie_samesite', Cookie::SAMESITE_STRICT);

        }

        ini_set('session.cookie_path', (string)GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));

        // Always call the garbage collector to clean up stale session files

        ini_set('session.gc_probability', (string)100);

        ini_set('session.gc_divisor', (string)100);

        ini_set('session.gc_maxlifetime', (string)$this->expireTimeInMinutes * 2 * 60);

        if ($this->‪isSessionAutoStartEnabled()) {

            $sessionCreationError = 'Error: session.auto-start is enabled.<br />';

            $sessionCreationError .= 'The PHP option session.auto-start is enabled. Disable this option in php.ini or .htaccess:<br />';

            $sessionCreationError .= '<pre>php_value session.auto_start Off</pre>';

            throw new \TYPO3\CMS\Install\Exception($sessionCreationError, 1294587485);

        }

        if (session_status() === PHP_SESSION_ACTIVE) {

            $sessionCreationError = 'Session already started by session_start().<br />';

            $sessionCreationError .= 'Make sure no installed extension is starting a session in its ext_localconf.php or ext_tables.php.';

            throw new \TYPO3\CMS\Install\Exception($sessionCreationError, 1294587486);

        }

        session_start();

        if (!$this->hasSameSiteCookieSupport()) {

            $this->resendCookieHeader([$this->cookieName]);

        }

    }


    private function ‪getSessionSavePath()

    {

        if (empty(‪$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])) {

            throw new \TYPO3\CMS\Install\Exception(

                'No encryption key set to secure session',

                1371243449

            );

        }

        $sessionSavePath = sprintf(

            $this->basePath . $this->sessionPath,

            GeneralUtility::hmac('session:' . ‪$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])

        );

        $this->‪ensureSessionSavePathExists($sessionSavePath);

        return $sessionSavePath;

    }


    private function ‪ensureSessionSavePathExists($sessionSavePath)

    {

        if (!is_dir($sessionSavePath)) {

            try {

                GeneralUtility::mkdir_deep($sessionSavePath);

            } catch (\RuntimeException $exception) {

                throw new \TYPO3\CMS\Install\Exception(

                    'Could not create session folder in ' . ‪Environment::getVarPath() . '. Make sure it is writeable!',

                    1294587484

                );

            }

            $htaccessContent = '

# Apache < 2.3

<IfModule !mod_authz_core.c>

    Order allow,deny

    Deny from all

    Satisfy All

</IfModule>


# Apache ≥ 2.3

<IfModule mod_authz_core.c>

    Require all denied

</IfModule>

            ';

            GeneralUtility::writeFile($sessionSavePath . '/.htaccess', $htaccessContent);

            $indexContent = '<!DOCTYPE html>';

            $indexContent .= '<html><head><title></title><meta http-equiv=Refresh Content="0; Url=../../"/>';

            $indexContent .= '</head></html>';

            GeneralUtility::writeFile($sessionSavePath . '/index.html', $indexContent);

        }

    }


    public function ‪startSession()

    {

        $_SESSION['active'] = true;

        // Be sure to use our own session id, so create a new one

        return $this->‪renewSession();

    }


    public function ‪destroySession()

    {

        session_destroy();

    }


    public function ‪resetSession()

    {

        $_SESSION = [];

        $_SESSION['active'] = false;

    }


    private function ‪renewSession()

    {

        session_regenerate_id();

        if (!$this->hasSameSiteCookieSupport()) {

            $this->resendCookieHeader([$this->cookieName]);

        }

        return session_id();

    }


    public function ‪hasSession()

    {

        return $_SESSION['active'] === true;

    }


    public function ‪getSessionId()

    {

        return session_id();

    }


    private function ‪getSessionHash($sessionId = '')

    {

        if (empty(‪$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])) {

            throw new \TYPO3\CMS\Install\Exception(

                'No encryption key set to secure session',

                1371243450

            );

        }

        if (!$sessionId) {

            $sessionId = $this->‪getSessionId();

        }

        return md5(‪$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] . '|' . $sessionId);

    }


    public function ‪setAuthorized()

    {

        $_SESSION['authorized'] = true;

        $_SESSION['lastSessionId'] = time();

        $_SESSION['tstamp'] = time();

        $_SESSION['expires'] = time() + $this->expireTimeInMinutes * 60;

        // Renew the session id to avoid session fixation

        $this->‪renewSession();

    }


    public function ‪setAuthorizedBackendSession()

    {

        $_SESSION['authorized'] = true;

        $_SESSION['lastSessionId'] = time();

        $_SESSION['tstamp'] = time();

        $_SESSION['expires'] = time() + $this->expireTimeInMinutes * 60;

        $_SESSION['isBackendSession'] = true;

        // Renew the session id to avoid session fixation

        $this->‪renewSession();

    }


    public function ‪isAuthorized()

    {

        if (!$_SESSION['authorized']) {

            return false;

        }

        if ($_SESSION['expires'] < time()) {

            // This session has already expired

            return false;

        }

        return true;

    }


    public function ‪isAuthorizedBackendUserSession()

    {

        if (!$_SESSION['authorized'] || !$_SESSION['isBackendSession']) {

            return false;

        }

        if ($_SESSION['expires'] < time()) {

            // This session has already expired

            return false;

        }

        return true;

    }


    public function ‪isExpired()

    {

        if (!$_SESSION['authorized']) {

            // Session never existed, means it is not "expired"

            return false;

        }

        if ($_SESSION['expires'] < time()) {

            // This session was authorized before, but has expired

            return true;

        }

        return false;

    }


    public function ‪refreshSession()

    {

        $_SESSION['tstamp'] = time();

        $_SESSION['expires'] = time() + $this->expireTimeInMinutes * 60;

        if (time() > $_SESSION['lastSessionId'] + $this->regenerateSessionIdTime * 60) {

            // Renew our session ID

            $_SESSION['lastSessionId'] = time();

            $this->‪renewSession();

        }

    }


    public function ‪addMessage(FlashMessage $message)

    {

        if (!is_array($_SESSION['messages'])) {

            $_SESSION['messages'] = [];

        }

        $_SESSION['messages'][] = $message;

    }


    public function ‪getMessagesAndFlush()

    {

        $messages = [];

        if (is_array($_SESSION['messages'])) {

            $messages = $_SESSION['messages'];

        }

        $_SESSION['messages'] = [];

        return $messages;

    }


    /*************************

     *

     * PHP session handling with "secure" session files (hashed session id)

     * see http://www.php.net/manual/en/function.session-set-save-handler.php

     *

     *************************/

    private function ‪getSessionFile($id)

    {

        $sessionSavePath = $this->‪getSessionSavePath();

        return $sessionSavePath . '/hash_' . $this->‪getSessionHash($id);

    }


    public function ‪open($savePath, $sessionName)

    {

        return true;

    }


    public function ‪close()

    {

        return true;

    }


    public function ‪read($id)

    {

        $sessionFile = $this->‪getSessionFile($id);

        $content = '';

        if (file_exists($sessionFile)) {

            if ($fd = fopen($sessionFile, 'rb')) {

                $lockres = flock($fd, LOCK_SH);

                if ($lockres) {

                    $length = filesize($sessionFile);

                    if ($length > 0) {

                        $content = fread($fd, $length);

                    }

                    flock($fd, LOCK_UN);

                }

                fclose($fd);

            }

        }

        // Do a "test write" of the session file after opening it. The real session data is written in

        // __destruct() and we can not create a sane error message there anymore, so this test should fail

        // before if final session file can not be written due to permission problems.

        $this->‪write($id, $content);

        return $content;

    }


    public function ‪write($id, $sessionData)

    {

        $sessionFile = $this->‪getSessionFile($id);

        $result = false;

        $changePermissions = !@is_file($sessionFile);

        if ($fd = fopen($sessionFile, 'cb')) {

            if (flock($fd, LOCK_EX)) {

                ftruncate($fd, 0);

                $res = fwrite($fd, $sessionData);

                if ($res !== false) {

                    fflush($fd);

                    $result = true;

                }

                flock($fd, LOCK_UN);

            }

            fclose($fd);

            // Change the permissions only if the file has just been created

            if ($changePermissions) {

                GeneralUtility::fixPermissions($sessionFile);

            }

        }

        if (!$result) {

            throw new Exception(

                'Session file not writable. Please check permission on ' .

                ‪Environment::getVarPath() . '/session and its subdirectories.',

                1424355157

            );

        }

        return $result;

    }


    public function ‪destroy($id)

    {

        $sessionFile = $this->‪getSessionFile($id);

        return @unlink($sessionFile);

    }


    public function ‪gc($maxLifeTime)

    {

        $sessionSavePath = $this->‪getSessionSavePath();

        $files = glob($sessionSavePath . '/hash_*');

        if (!is_array($files)) {

            return true;

        }

        foreach ($files as $filename) {

            if (filemtime($filename) + $this->expireTimeInMinutes * 60 < time()) {

                @unlink($filename);

            }

        }

        return true;

    }


    public function ‪__destruct()

    {

        session_write_close();

    }


    protected function ‪isSessionAutoStartEnabled()

    {

        return $this->‪getIniValueBoolean('session.auto_start');

    }


    protected function ‪getIniValueBoolean($configOption)

    {

        return filter_var(ini_get($configOption), FILTER_VALIDATE_BOOLEAN, [FILTER_REQUIRE_SCALAR, FILTER_NULL_ON_FAILURE]);

    }

}