oxsession.php

Go to the documentation of this file.

<?php

DEFINE('_DB_SESSION_HANDLER', getShopBasePath() . 'core/adodblite/session/adodb-session.php');
// Including database session managing class if needed.
if (oxConfig::getInstance()->getConfigParam( 'blAdodbSessionHandler' ) ) {
    $oDB = oxDb::getDb();
    include_once _DB_SESSION_HANDLER;
}

class oxSession extends oxSuperCfg
{
    protected $_sName = 'sid';

    protected $_sForcedPrefix = 'force_';

    protected  $_sId     = null;

    protected static $_blIsNewSession = false;

    protected static $_instance = null;

    protected static  $_oUser = null;

    protected $_blNewSession = false;

    protected $_sErrorMsg = null;

    protected $_oBasket = null;

    protected $_oBasketReservations = null;

    protected $_aRequireCookiesInFncs = array();

    protected $_aRequireSessionWithParams = array(
                       'cl' => array (
                            'register' => true,
                            'account'  => true,
                           ),
                       'fnc' => array (
                           'tobasket'         => true,
                           'login_noredirect' => true,
                           'tocomparelist'    => true,
                           ),
                       '_artperpage' => true,
                       'listorderby' => true,
    );

    protected $_blSidNeeded = null;

    protected $_aPersistentParams = array("actshop", "lang", "currency", "language", "tpllanguage");

    public static function getInstance()
    {
        if ( defined('OXID_PHP_UNIT')) {
            if ( isset( modSession::$unitMOD) && is_object( modSession::$unitMOD)) {
                return modSession::$unitMOD;
            }
        }
        if (!isset(self::$_instance)) {
            self::$_instance  = oxNew( 'oxsession' );
        }
        return self::$_instance;
    }

    public function getId()
    {
        return $this->_sId;
    }

    public function setId($sVal)
    {
        $this->_sId = $sVal;
    }

    public function setName($sVal)
    {
        $this->_sName = $sVal;
    }

    public function getForcedName()
    {
        return $this->_sForcedPrefix . $this->getName();
    }

    public function getName()
    {
        return $this->_sName;
    }

    public function start()
    {
        $myConfig = $this->getConfig();
        $sid = null;

        if ( $this->isAdmin() ) {
            $this->setName("admin_sid");
        } else {
            $this->setName("sid");
        }

        $sForceSidParam = oxConfig::getParameter($this->getForcedName());
        $sSidParam = oxConfig::getParameter($this->getName());

        //forcing sid for SSL<->nonSSL transitions
        if ($sForceSidParam) {
            $sid = $sForceSidParam;
        } elseif ($this->_getSessionUseCookies() && $this->_getCookieSid()) {
            $sid = $this->_getCookieSid();
        } elseif ($sSidParam) {
            $sid = $sSidParam;
        }

        //starting session if only we can
        if ( $this->_allowSessionStart() ) {

            //creating new sid
            if ( !$sid ) {
                self::$_blIsNewSession = true;
                $this->initNewSession();
            } else {
                self::$_blIsNewSession = false;
                $this->_setSessionId( $sid );
                $this->_sessionStart();
            }

            //special handling for new ZP cluster session, as in that case session_start() regenerates id
            if ( $this->_sId != session_id() ) {
                $this->_setSessionId( session_id() );
            }

            //checking for swapped client
            $blSwapped = $this->_isSwappedClient();
            if ( !self::$_blIsNewSession && $blSwapped ) {
                $this->initNewSession();

                // passing notification about session problems
                if ( $this->_sErrorMsg && $myConfig->getConfigParam( 'iDebug' ) ) {
                    oxUtilsView::getInstance()->addErrorToDisplay( new oxException( $this->_sErrorMsg ) );
                }
            } elseif ( !$blSwapped ) {
                // transferring cookies between hosts
                oxUtilsServer::getInstance()->loadSessionCookies();
            }
        }
    }

    public function getRequestChallengeToken()
    {
        return preg_replace('/[^a-z0-9]/i', '', oxConfig::getParameter('stoken'));
    }

    public function getSessionChallengeToken()
    {
        $sRet = preg_replace('/[^a-z0-9]/i', '', self::getVar('sess_stoken'));
        if (!$sRet) {
            $this->_initNewSessionChallenge();
            $sRet = self::getVar('sess_stoken');
        }
        return $sRet;
    }

    public function checkSessionChallenge()
    {
        $sToken = $this->getSessionChallengeToken();
        return $sToken && ($sToken == $this->getRequestChallengeToken());
    }

    protected function _initNewSessionChallenge()
    {
        self::setVar('sess_stoken', sprintf('%X', crc32(oxUtilsObject::getInstance()->generateUID())));
    }

    protected function _sessionStart()
    {
        //enforcing no caching when session is started
        session_cache_limiter( 'nocache' );

        //cache limiter workaround for AOL browsers
        //as suggested at http://ilia.ws/archives/59-AOL-Browser-Woes.html
        if (strpos($_SERVER['HTTP_USER_AGENT'], 'AOL') !== false ) {
            session_cache_limiter(false);
            header("Cache-Control: no-store, private, must-revalidate, proxy-revalidate, post-check=0, pre-check=0, max-age=0, s-maxage=0");
        }

        $blStarted = @session_start();
        if ( !$this->getSessionChallengeToken() ) {
            $this->_initNewSessionChallenge();
        }

        return $blStarted;
    }

    public function initNewSession()
    {
        // starting session only if it was not started yet
        if ( self::$_blIsNewSession ) {
            $this->_sessionStart();
        }

        //saving persistent params if old session exists
        $aPersistent = array();
        foreach ( $this->_aPersistentParams as $sParam ) {
            if ( ( $sValue = self::getVar( $sParam ) ) ) {
                $aPersistent[$sParam] = $sValue;
            }
        }

        $this->_setSessionId( $this->_getNewSessionId() );

        //restoring persistent params to session
        foreach ( $aPersistent as $sKey => $sParam ) {
            self::setVar( $sKey, $aPersistent[$sKey] );
        }

        $this->_initNewSessionChallenge();

        // (re)setting actual user agent when initiating new session
        self::setVar( "sessionagent", oxUtilsServer::getInstance()->getServerVar( 'HTTP_USER_AGENT' ) );
    }

    protected function _getNewSessionId()
    {
        session_regenerate_id( true );
        session_unset();
        return session_id();
    }

    public function freeze()
    {
        // storing basket ..
        self::setVar( $this->_getBasketName(), serialize( $this->getBasket() ) );

        session_write_close();
    }

    public function destroy()
    {
        //session_unset();
        unset($_SESSION);
        session_destroy();
    }

    public static function hasVar( $name )
    {
        if ( defined( 'OXID_PHP_UNIT' ) ) {
            if ( isset( modSession::$unitMOD ) && is_object( modSession::$unitMOD ) ) {
                try{
                    $sVal = modSession::getInstance()->getVar( $name );
                    return isset( $sVal );
                } catch( Exception $e ) {
                    // if exception is thrown, use default
                }
            }
        }

        return isset($_SESSION[$name]);
    }

    public static function setVar( $name, $value)
    {
        if ( defined( 'OXID_PHP_UNIT' ) ) {
            if ( isset( modSession::$unitMOD ) && is_object( modSession::$unitMOD ) ) {
                try{
                    return modSession::getInstance()->setVar(  $name, $value );
                } catch( Exception $e ) {
                    // if exception is thrown, use default
                }
            }
        }

        $_SESSION[$name] = $value;
        //logger( "set sessionvar : $name -> $value");
    }

    public static function getVar( $name )
    {
        if ( defined( 'OXID_PHP_UNIT' ) ) {
            if ( isset( modSession::$unitMOD ) && is_object( modSession::$unitMOD ) ) {
                try{
                    return modSession::getInstance()->getVar( $name );
                } catch( Exception $e ) {
                    // if exception is thrown, use default
                }
            }
        }

        if ( isset( $_SESSION[$name] )) {
            return $_SESSION[$name];
        } else {
            return null;
        }
    }

    public static function deleteVar( $name )
    {
        if ( defined( 'OXID_PHP_UNIT' ) ) {
            if ( isset( modSession::$unitMOD ) && is_object( modSession::$unitMOD ) ) {
                try{
                    return modSession::getInstance()->setVar( $name, null );
                } catch( Exception $e ) {
                    // if exception is thrown, use default
                }
            }
        }

        $_SESSION[$name] = null;
        //logger( "delete sessionvar : $name");
        unset($_SESSION[$name]);
    }

    public function url( $sUrl )
    {
        $myConfig = $this->getConfig();
        $blUseCookies = $this->_getSessionUseCookies();
        $sSeparator = getStr()->strstr( $sUrl, "?" ) !== false ?  "&amp;" : "?";
        $sUrl .= $sSeparator;

        if ( $blUseCookies && $this->_getCookieSid() ) {
            // switching from ssl to non ssl or vice versa?
            if ( ( strpos( $sUrl, "https:" ) === 0 && !$myConfig->isSsl() ) ||
                 ( strpos( $sUrl, "http:" ) === 0 && $myConfig->isSsl() ) ) {
                $sUrl .= $this->getForcedName(). '=' . $this->getId() . "&amp;";
            }
            if ($this->isAdmin()) {
                // admin mode always has to have token
                $sUrl .= 'stoken='.$this->getSessionChallengeToken().'&amp;';
            }
        } elseif ( oxUtils::getInstance()->isSearchEngine() ) {
            //adding lang parameter for search engines
            $sLangParam = (int) oxConfig::getParameter( "lang" );
            $sConfLang  = (int) $myConfig->getConfigParam( "sDefaultLang" );
            if ( $sLangParam != $sConfLang ) {
                $sUrl   .= "lang={$sLangParam}&amp;";
            }
        } elseif ( ( $sIcludeParams = $this->sid() ) ) {
            //cookies are not supported or this is first time visit
            $sUrl .= "{$sIcludeParams}&amp;";
        }

        return $sUrl;
    }

    public function sid( $blForceSid = false )
    {
        $myConfig     = $this->getConfig();
        $blUseCookies = $this->_getSessionUseCookies();
        $sRet         = '';

        $blDisableSid = oxUtils::getInstance()->isSearchEngine()
                        && is_array($myConfig->getConfigParam( 'aCacheViews' ) )
                        && !$this->isAdmin();

        //no cookie?
        if ( !$blDisableSid && $this->getId() && ($blForceSid || !$blUseCookies || !$this->_getCookieSid())) {
            $sRet = ( $blForceSid ? $this->getForcedName() : $this->getName() )."=".$this->getId();
        }

        if ($this->isAdmin()) {
            // admin mode always has to have token
            if ($sRet) {
                $sRet .= '&amp;';
            }
            $sRet .= 'stoken='.$this->getSessionChallengeToken();
        }

        return $sRet;
    }

    public function hiddenSid()
    {
        $sToken = "<input type=\"hidden\" name=\"stoken\" value=\"".$this->getSessionChallengeToken(). "\">";
        $sSid   = "<input type=\"hidden\" name=\"".$this->getForcedName()."\" value=\"". $this->getId() . "\">";
        return $sToken.$sSid;
    }

    public function getBasket()
    {
        if ( $this->_oBasket === null ) {
            $sBasket = self::getVar( $this->_getBasketName() );

            //init oxbasketitem class first
            //#1746
            oxNew('oxbasketitem');

            $oBasket = ( $sBasket && ( $oBasket = unserialize( $sBasket ) ) ) ? $oBasket : oxNew( 'oxbasket' );
            $this->setBasket( $oBasket );
        }

        return $this->_oBasket;
    }

    public function setBasket( $oBasket )
    {
        // sets basket session object
        $this->_oBasket = $oBasket;
    }

    public function delBasket()
    {
        $this->setBasket( null );
        self::deleteVar( $this->_getBasketName());
    }

    public function isNewSession()
    {
        return self::$_blIsNewSession;
    }

    public function isSidNeeded( $sUrl = null )
    {
        if ( $this->_getSessionUseCookies() && $this->_getCookieSid() ) {
            // switching from ssl to non ssl or vice versa?
            if ( ( strpos( $sUrl, "https:" ) === 0 && !$this->getConfig()->isSsl() ) ||
                 ( strpos( $sUrl, "http:" ) === 0 && $this->getConfig()->isSsl() ) ) {
                return true;
            }
        }

        if ( $sUrl && !$this->getConfig()->isCurrentUrl( $sUrl ) ) {
            return true;
        } elseif ( $this->_blSidNeeded === null ) {
            // setting initial state
            $this->_blSidNeeded = false;

            // no SIDs for seach engines
            if ( !oxUtils::getInstance()->isSearchEngine() ) {
                // cookie found - SID is not needed
                if ( oxUtilsServer::getInstance()->getOxCookie( $this->getName() ) ) {
                    $this->_blSidNeeded = false;
                } elseif ( $this->_forceSessionStart() ) {
                    $this->_blSidNeeded = true;
                } else {
                    // no cookie, so must check session
                    if ( $blSidNeeded = self::getVar( 'blSidNeeded' ) ) {
                        $this->_blSidNeeded = true;
                    } elseif ( $this->_isSessionRequiredAction() ) {
                        $this->_blSidNeeded = true;

                        // storing to session, performance..
                        self::setVar( 'blSidNeeded', $this->_blSidNeeded  );
                    }
                }
            }
        }

        return $this->_blSidNeeded;
    }

    public function processUrl( $sUrl )
    {
        if (!$this->isAdmin()) {
            $sSid = '';
            if ( $this->isSidNeeded( $sUrl ) ) {
                // only if sid is not yet set and we have something to append
                $sSid = $this->sid( true );
            } else {
                $sSid = $this->sid();
            }
            if ($sSid) {
                $oStr = getStr();
                if ( !$oStr->preg_match('/(\?|&(amp;)?)sid=/i', $sUrl) && (false === $oStr->strpos($sUrl, $sSid))) {
                    if (!$oStr->preg_match('/(\?|&(amp;)?)$/', $sUrl)) {
                        $sUrl .= ( $oStr->strstr( $sUrl, '?' ) !== false ?  '&amp;' : '?' );
                    }
                    $sUrl .= $sSid . '&amp;';
                }
            }
        }
        return $sUrl;
    }

    public function getRemoteAccessToken($blGenerateNew = true)
    {
        $sToken = $this->getVar('_rtoken');
        if (!$sToken && $blGenerateNew) {
            $sToken = md5(rand() . $this->getId());
            $sToken = substr($sToken, 0, 8);
            $this->setVar('_rtoken', $sToken);
        }

        return $sToken;
    }

    protected function _forceSessionStart()
    {
        return ( !oxUtils::getInstance()->isSearchEngine() ) && ( (( bool ) $this->getConfig()->getConfigParam( 'blForceSessionStart' )) || oxConfig::getParameter( "su" ) ) ;
    }

    protected function _allowSessionStart()
    {
        $blAllowSessionStart = true;

        // special handling only in non-admin mode
        if ( !$this->isAdmin() ) {
            if ( oxUtils::getInstance()->isSearchEngine() || oxConfig::getParameter( 'skipSession' ) ) {
                $blAllowSessionStart = false;
            } elseif ( !$this->_forceSessionStart() && !oxUtilsServer::getInstance()->getOxCookie( 'sid_key' ) ) {

                // session is not needed to start when it is not necessary:
                // - no sid in request and also user executes no session connected action
                // - no cookie set and user executes no session connected action
                if ( !oxUtilsServer::getInstance()->getOxCookie( $this->getName() ) &&
                     !( oxConfig::getParameter( $this->getName() ) || oxConfig::getParameter( $this->getForcedName() ) ) &&
                     !$this->_isSessionRequiredAction() ) {
                    $blAllowSessionStart = false;
                }
            }
        }

        return $blAllowSessionStart;
    }

    protected function _isSwappedClient()
    {
        $blSwapped = false;
        $myUtilsServer = oxUtilsServer::getInstance();

        // check only for non search engines
        if ( !oxUtils::getInstance()->isSearchEngine() && !$myUtilsServer->isTrustedClientIp() && !$this->_isValidRemoteAccessToken()) {

            $myConfig = $this->getConfig();

            // checking if session user agent matches actual
            $blSwapped = $this->_checkUserAgent( $myUtilsServer->getServerVar( 'HTTP_USER_AGENT' ), self::getVar( 'sessionagent' ) );
            if ( !$blSwapped ) {
                if ( $myConfig->getConfigParam( 'blAdodbSessionHandler' ) ) {
                    $blSwapped = $this->_checkSid();
                }

                if ( !$blSwapped ) {
                    $blDisableCookieCheck = $myConfig->getConfigParam( 'blDisableCookieCheck' );
                    $blUseCookies         = $this->_getSessionUseCookies();
                    if ( !$blDisableCookieCheck && $blUseCookies ) {
                        $blSwapped = $this->_checkCookies( $myUtilsServer->getOxCookie( 'sid_key' ), self::getVar( "sessioncookieisset" ) );
                    }
                }
            }
        }

        return $blSwapped;
    }

    protected function _checkUserAgent( $sAgent, $sExistingAgent )
    {
        $blCheck = false;

        // processing
        $oUtils = oxUtilsServer::getInstance();
        $sAgent = $oUtils->processUserAgentInfo( $sAgent );
        $sExistingAgent = $oUtils->processUserAgentInfo( $sExistingAgent );

        if ( $sAgent && $sAgent !== $sExistingAgent ) {
            if ( $sExistingAgent ) {
                $this->_sErrorMsg = "Different browser ({$sExistingAgent}, {$sAgent}), creating new SID...<br>";
            }
            $blCheck = true;
        }

        return $blCheck;
    }

    protected function _checkSid()
    {
        //matze changed sesskey to SessionID because structure of oxsession changed!!
        $sSID = oxDb::getDb()->GetOne("select SessionID from oxsessions where SessionID = '".$this->getId()."'");

        //2007-05-14
        //we check _blNewSession as well as this may be actually new session not written to db yet
        if ( !$this->_blNewSession && (!isset( $sSID) || !$sSID)) {
            // this means, that this session has expired in the past and someone uses this sid to reactivate it
            $this->_sErrorMsg = "Session has expired in the past and someone uses this sid to reactivate it, creating new SID...<br>";
            return true;
        }
        return false;
    }

    protected function _checkCookies( $sCookieSid, $aSessCookieSetOnce )
    {
        $blSwapped = false;
        $myConfig  = $this->getConfig();
        $sCurrUrl  = $myConfig->isSsl() ? $myConfig->getSslShopUrl( 0 ) : $myConfig->getShopUrl( 0 );

        $blSessCookieSetOnce = false;
        if ( isset( $aSessCookieSetOnce[$sCurrUrl] ) ) {
            $blSessCookieSetOnce = $aSessCookieSetOnce[$sCurrUrl];
        }

        //if cookie was there once but now is gone it means we have to reset
        if ( $blSessCookieSetOnce && !$sCookieSid ) {
            if ( $myConfig->getConfigParam( 'iDebug' ) ) {
                $this->_sErrorMsg  = "Cookie not found, creating new SID...<br>";
                $this->_sErrorMsg .= "Cookie: $sCookieSid<br>";
                $this->_sErrorMsg .= "Session: $blSessCookieSetOnce<br>";
                $this->_sErrorMsg .= "URL: ".$sCurrUrl."<br>";
            }
            $blSwapped = true;
        }

        //if we detect the cookie then set session var for possible later use
        if ( $sCookieSid == "oxid" && !$blSessCookieSetOnce ) {
            $aSessCookieSetOnce[$sCurrUrl] = "ox_true";
            self::setVar( "sessioncookieisset", $aSessCookieSetOnce );
        }

        //if we have no cookie then try to set it
        if ( !$sCookieSid ) {
            oxUtilsServer::getInstance()->setOxCookie( 'sid_key', 'oxid' );
        }
        return $blSwapped;
    }

    protected function _setSessionId($sSessId)
    {
        //marking this session as new one, as it might be not writen to db yet
        if ( $sSessId && session_id() != $sSessId ) {
            $this->_blNewSession = true;
        }

        session_id( $sSessId );

        $this->setId( $sSessId );

        $blUseCookies = $this->_getSessionUseCookies();

        if ( !$this->_allowSessionStart() ) {
            if ( $blUseCookies ) {
                oxUtilsServer::getInstance()->setOxCookie( $this->getName(), null );
            }
            return;
        }

        if ( $blUseCookies ) {
            //setting session cookie
            oxUtilsServer::getInstance()->setOxCookie( $this->getName(), $sSessId );
        }
    }

    protected function _getBasketName()
    {
        $myConfig = $this->getConfig();
        if ( $myConfig->getConfigParam( 'blMallSharedBasket' ) == 0 ) {
            return $myConfig->getShopId()."_basket";
        }
        return "basket";
    }

    protected function _getCookieSid()
    {
        return oxUtilsServer::getInstance()->getOxCookie($this->getName());
    }

    protected function _getRequireSessionWithParams()
    {
        $aCfgArray = $this->getConfig()->getConfigParam('aRequireSessionWithParams');
        if (is_array($aCfgArray)) {
            $aDefault = $this->_aRequireSessionWithParams;
            foreach ($aCfgArray as $key => $val) {
                if (!is_array($val) && $val) {
                    unset($aDefault[$key]);
                }
            }
            return array_merge_recursive($aCfgArray, $aDefault);
        }
        return $this->_aRequireSessionWithParams;
    }

    protected function _isSessionRequiredAction()
    {
        // deprecated functionality for backwards compatibility
        $sFunction = oxConfig::getParameter( 'fnc' );
        $sClass = oxConfig::getParameter( 'cl' );

        if (( $sFunction && in_array( strtolower( $sFunction ), $this->_aRequireCookiesInFncs ) ) ||
               ( $sClass && array_key_exists( strtolower( $sClass ), $this->_aRequireCookiesInFncs ) )) {
            return true;
        }
        // end of deprecated functionality for backwards compatibility
        foreach ($this->_getRequireSessionWithParams() as $sParam => $aValues) {
            $sValue = oxConfig::getParameter( $sParam );
            if (isset($sValue)) {
                if (is_array($aValues)) {
                    if (isset($aValues[$sValue]) && $aValues[$sValue]) {
                        return true;
                    }
                } elseif ($aValues) {
                    return true;
                }
            }
        }

        return ($_SERVER['REQUEST_METHOD'] == 'POST');
    }

    protected function _getSessionUseCookies()
    {
        return $this->isAdmin() || $this->getConfig()->getConfigParam( 'blSessionUseCookies');
    }

    protected function _isValidRemoteAccessToken()
    {
        $sInputToken = oxConfig::getInstance()->getParameter('rtoken');
        $sToken = $this->getRemoteAccessToken(false);
        $blTokenEqual = !(bool)strcmp($sInputToken, $sToken);
        $blValid = $sInputToken && $blTokenEqual;

        return $blValid;
    }

    public function getBasketReservations()
    {
        if (!$this->_oBasketReservations) {
            $this->_oBasketReservations = oxNew('oxBasketReservation');
        }
        return $this->_oBasketReservations;
    }
}