TYPO3 CMS  TYPO3_6-2
All Classes Namespaces Files Functions Variables Pages
SessionService.php
Go to the documentation of this file.
1 <?php
2 namespace TYPO3\CMS\Install\Service;
3 
17 use TYPO3\CMS\Core\Utility\GeneralUtility;
18 use TYPO3\CMS\Install\Service\Exception;
19 
25 class SessionService implements \TYPO3\CMS\Core\SingletonInterface {
26 
33  private $typo3tempPath;
34 
41  private $sessionPath = 'InstallToolSessions/%s';
42 
48  private $cookieName = 'Typo3InstallTool';
49 
55  private $expireTimeInMinutes = 60;
56 
62  private $regenerateSessionIdTime = 5;
63 
69  public function __construct() {
70  $this->typo3tempPath = PATH_site . 'typo3temp/';
71  // Start our PHP session early so that hasSession() works
72  $sessionSavePath = $this->getSessionSavePath();
73  // Register our "save" session handler
74  session_set_save_handler(array($this, 'open'), array($this, 'close'), array($this, 'read'), array($this, 'write'), array($this, 'destroy'), array($this, 'gc'));
75  session_save_path($sessionSavePath);
76  session_name($this->cookieName);
77  ini_set('session.cookie_path', GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));
78  // Always call the garbage collector to clean up stale session files
79  ini_set('session.gc_probability', 100);
80  ini_set('session.gc_divisor', 100);
81  ini_set('session.gc_maxlifetime', $this->expireTimeInMinutes * 2 * 60);
82  if (\TYPO3\CMS\Core\Utility\PhpOptionsUtility::isSessionAutoStartEnabled()) {
83  $sessionCreationError = 'Error: session.auto-start is enabled.<br />';
84  $sessionCreationError .= 'The PHP option session.auto-start is enabled. Disable this option in php.ini or .htaccess:<br />';
85  $sessionCreationError .= '<pre>php_value session.auto_start Off</pre>';
86  throw new \TYPO3\CMS\Install\Exception($sessionCreationError, 1294587485);
87  } elseif (defined('SID')) {
88  $sessionCreationError = 'Session already started by session_start().<br />';
89  $sessionCreationError .= 'Make sure no installed extension is starting a session in its ext_localconf.php or ext_tables.php.';
90  throw new \TYPO3\CMS\Install\Exception($sessionCreationError, 1294587486);
91  }
92  session_start();
93  }
94 
101  private function getSessionSavePath() {
102  if (empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])) {
103  throw new \TYPO3\CMS\Install\Exception(
104  'No encryption key set to secure session',
105  1371243449
106  );
107  }
108  $sessionSavePath = sprintf(
109  $this->typo3tempPath . $this->sessionPath,
110  GeneralUtility::hmac('session:' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])
111  );
112  $this->ensureSessionSavePathExists($sessionSavePath);
113  return $sessionSavePath;
114  }
115 
123  private function ensureSessionSavePathExists($sessionSavePath) {
124  if (!is_dir($sessionSavePath)) {
125  try {
126  GeneralUtility::mkdir_deep($sessionSavePath);
127  } catch (\RuntimeException $exception) {
128  throw new \TYPO3\CMS\Install\Exception(
129  'Could not create session folder in typo3temp/. Make sure it is writeable!',
130  1294587484
131  );
132  }
133  $htaccessContent = '
134 # Apache < 2.3
135 <IfModule !mod_authz_core.c>
136  Order allow,deny
137  Deny from all
138  Satisfy All
139 </IfModule>
140 
141 # Apache ≥ 2.3
142 <IfModule mod_authz_core.c>
143  Require all denied
144 </IfModule>
145  ';
146  GeneralUtility::writeFile($sessionSavePath . '/.htaccess', $htaccessContent);
147  $indexContent = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">';
148  $indexContent .= '<HTML><HEAD<TITLE></TITLE><META http-equiv=Refresh Content="0; Url=../../">';
149  $indexContent .= '</HEAD></HTML>';
150  GeneralUtility::writeFile($sessionSavePath . '/index.html', $indexContent);
151  }
152  }
153 
159  public function startSession() {
160  $_SESSION['active'] = TRUE;
161  // Be sure to use our own session id, so create a new one
162  return $this->renewSession();
163  }
164 
168  public function destroySession() {
169  session_destroy();
170  }
171 
175  public function resetSession() {
176  $_SESSION = array();
177  $_SESSION['active'] = FALSE;
178  }
179 
185  private function renewSession() {
186  session_regenerate_id();
187  return session_id();
188  }
189 
195  public function hasSession() {
196  return ($_SESSION['active'] === TRUE);
197  }
198 
204  public function getSessionId() {
205  return session_id();
206  }
207 
216  private function getSessionHash($sessionId = '') {
217  if (empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])) {
218  throw new \TYPO3\CMS\Install\Exception(
219  'No encryption key set to secure session',
220  1371243450
221  );
222  }
223  if (!$sessionId) {
224  $sessionId = $this->getSessionId();
225  }
226  return md5($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] . '|' . $sessionId);
227  }
228 
237  public function setAuthorized() {
238  $_SESSION['authorized'] = TRUE;
239  $_SESSION['lastSessionId'] = time();
240  $_SESSION['tstamp'] = time();
241  $_SESSION['expires'] = time() + $this->expireTimeInMinutes * 60;
242  // Renew the session id to avoid session fixation
243  $this->renewSession();
244  }
245 
251  public function isAuthorized() {
252  if (!$_SESSION['authorized']) {
253  return FALSE;
254  }
255  if ($_SESSION['expires'] < time()) {
256  // This session has already expired
257  return FALSE;
258  }
259  return TRUE;
260  }
261 
269  public function isExpired() {
270  if (!$_SESSION['authorized']) {
271  // Session never existed, means it is not "expired"
272  return FALSE;
273  }
274  if ($_SESSION['expires'] < time()) {
275  // This session was authorized before, but has expired
276  return TRUE;
277  }
278  return FALSE;
279  }
280 
288  public function refreshSession() {
289  $_SESSION['tstamp'] = time();
290  $_SESSION['expires'] = time() + $this->expireTimeInMinutes * 60;
291  if (time() > $_SESSION['lastSessionId'] + $this->regenerateSessionIdTime * 60) {
292  // Renew our session ID
293  $_SESSION['lastSessionId'] = time();
294  $this->renewSession();
295  }
296  }
297 
304  public function addMessage(\TYPO3\CMS\Install\Status\StatusInterface $message) {
305  if (!is_array($_SESSION['messages'])) {
306  $_SESSION['messages'] = array();
307  }
308  $_SESSION['messages'][] = $message;
309  }
310 
316  public function getMessagesAndFlush() {
317  $messages = array();
318  if (is_array($_SESSION['messages'])) {
319  $messages = $_SESSION['messages'];
320  }
321  $_SESSION['messages'] = array();
322  return $messages;
323  }
324 
325  /*************************
326  *
327  * PHP session handling with "secure" session files (hashed session id)
328  * see http://www.php.net/manual/en/function.session-set-save-handler.php
329  *
330  *************************/
337  private function getSessionFile($id) {
338  $sessionSavePath = $this->getSessionSavePath();
339  return $sessionSavePath . '/hash_' . $this->getSessionHash($id);
340  }
341 
349  public function open($savePath, $sessionName) {
350  return TRUE;
351  }
352 
358  public function close() {
359  return TRUE;
360  }
361 
368  public function read($id) {
369  $sessionFile = $this->getSessionFile($id);
370  $content = (string)(@file_get_contents($sessionFile));
371  // Do a "test write" of the session file after opening it. The real session data is written in
372  // __destruct() and we can not create a sane error message there anymore, so this test should fail
373  // before if final session file can not be written due to permission problems.
374  $this->write($id, $content);
375  return $content;
376  }
377 
386  public function write($id, $sessionData) {
387  $sessionFile = $this->getSessionFile($id);
388  $result = GeneralUtility::writeFile($sessionFile, $sessionData);
389  if (!$result) {
390  throw new Exception(
391  'Session file not writable. Please check permission on typo3temp/InstallToolSessions and its subdirectories.',
392  1424355157
393  );
394  }
395  return $result;
396  }
397 
404  public function destroy($id) {
405  $sessionFile = $this->getSessionFile($id);
406  return @unlink($sessionFile);
407  }
408 
415  public function gc($maxLifeTime) {
416  $sessionSavePath = $this->getSessionSavePath();
417  $files = glob($sessionSavePath . '/hash_*');
418  if (!is_array($files)) {
419  return TRUE;
420  }
421  foreach ($files as $filename) {
422  if (filemtime($filename) + $this->expireTimeInMinutes * 60 < time()) {
423  @unlink($filename);
424  }
425  }
426  return TRUE;
427  }
428 
442  public function __destruct() {
443  session_write_close();
444  }
445 }
TYPO3\CMS\Core\Utility\GeneralUtility\mkdir_deep
static mkdir_deep($directory, $deepDirectory='')
Definition: GeneralUtility.php:2872
TYPO3\CMS\Core\Utility\GeneralUtility\writeFile
static writeFile($file, $content, $changePermissions=FALSE)
Definition: GeneralUtility.php:2707
TYPO3\CMS\Core\Utility\GeneralUtility\hmac
static hmac($input, $additionalSecret='')
Definition: GeneralUtility.php:828
TYPO3\CMS\Install\Service\SessionService\addMessage
addMessage(\TYPO3\CMS\Install\Status\StatusInterface $message)
Definition: SessionService.php:304
$result
if($list_of_literals) if(!empty($literals)) if(!empty($literals)) $result
Analyse literals to prepend the N char to them if their contents aren&#39;t numeric.
Definition: adodb-mssql_n.inc.php:148
$GLOBALS
if(!defined('TYPO3_MODE')) $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['logoff_pre_processing'][]
Definition: ext_localconf.php:5