00001 <?php
00002
00003 DEFINE('_DB_SESSION_HANDLER', getShopBasePath() . 'core/adodblite/session/adodb-session.php');
00004
00005 if (oxConfig::getInstance()->getConfigParam( 'blAdodbSessionHandler' ) ) {
00006 $oDB = oxDb::getDb();
00007 include_once _DB_SESSION_HANDLER;
00008 }
00009
00015 class oxSession extends oxSuperCfg
00016 {
00022 protected $_sName = 'sid';
00023
00029 protected $_sForcedPrefix = 'force_';
00030
00035 protected $_sId = null;
00036
00042 protected static $_blIsNewSession = false;
00043
00047 protected static $_instance = null;
00048
00053 protected static $_oUser = null;
00054
00061 protected $_blNewSession = false;
00062
00068 protected $_blForceNewSession = false;
00069
00075 protected $_sErrorMsg = null;
00076
00082 protected $_oBasket = null;
00083
00089 protected $_oBasketReservations = null;
00090
00096 protected $_blStarted = false;
00097
00106 protected $_aRequireSessionWithParams = array(
00107 'cl' => array (
00108 'register' => true,
00109 'account' => true,
00110 ),
00111 'fnc' => array (
00112 'tobasket' => true,
00113 'login_noredirect' => true,
00114 'tocomparelist' => true,
00115 ),
00116 '_artperpage' => true,
00117 'ldtype' => true,
00118 'listorderby' => true,
00119 );
00120
00126 protected $_blSidNeeded = null;
00127
00133 protected $_aPersistentParams = array("actshop", "lang", "currency", "language", "tpllanguage");
00134
00140 public static function getInstance()
00141 {
00142 if ( defined('OXID_PHP_UNIT')) {
00143 if ( isset( modSession::$unitMOD) && is_object( modSession::$unitMOD)) {
00144 return modSession::$unitMOD;
00145 }
00146 }
00147 if (!isset(self::$_instance)) {
00148 self::$_instance = oxNew( 'oxsession' );
00149 }
00150 return self::$_instance;
00151 }
00152
00158 public function getId()
00159 {
00160 return $this->_sId;
00161 }
00162
00170 public function setId($sVal)
00171 {
00172 $this->_sId = $sVal;
00173 }
00174
00182 public function setName($sVal)
00183 {
00184 $this->_sName = $sVal;
00185 }
00186
00192 public function getForcedName()
00193 {
00194 return $this->_sForcedPrefix . $this->getName();
00195 }
00196
00202 public function getName()
00203 {
00204 return $this->_sName;
00205 }
00206
00212 public function start()
00213 {
00214 $myConfig = $this->getConfig();
00215 $sid = null;
00216
00217 if ( $this->isAdmin() ) {
00218 $this->setName("admin_sid");
00219 } else {
00220 $this->setName("sid");
00221 }
00222
00223 $sForceSidParam = oxConfig::getParameter($this->getForcedName());
00224 $sSidParam = oxConfig::getParameter($this->getName());
00225
00226
00227 if ($sForceSidParam) {
00228 $sid = $sForceSidParam;
00229 } elseif ($this->_getSessionUseCookies() && $this->_getCookieSid()) {
00230 $sid = $this->_getCookieSid();
00231 } elseif ($sSidParam) {
00232 $sid = $sSidParam;
00233 }
00234
00235
00236 if ( $this->_allowSessionStart() ) {
00237
00238
00239 if ( !$sid ) {
00240 self::$_blIsNewSession = true;
00241 $this->initNewSession();
00242 } else {
00243 self::$_blIsNewSession = false;
00244 $this->_setSessionId( $sid );
00245 $this->_sessionStart();
00246 }
00247
00248
00249 if ( $this->_sId != session_id() ) {
00250 $this->_setSessionId( session_id() );
00251 }
00252
00253
00254 $blSwapped = $this->_isSwappedClient();
00255 if ( !self::$_blIsNewSession && $blSwapped ) {
00256 $this->initNewSession();
00257
00258
00259 if ( $this->_sErrorMsg && $myConfig->getConfigParam( 'iDebug' ) ) {
00260 oxUtilsView::getInstance()->addErrorToDisplay( new oxException( $this->_sErrorMsg ) );
00261 }
00262 } elseif ( !$blSwapped ) {
00263
00264 oxUtilsServer::getInstance()->loadSessionCookies();
00265 }
00266 }
00267 }
00268
00274 public function getRequestChallengeToken()
00275 {
00276 return preg_replace('/[^a-z0-9]/i', '', oxConfig::getParameter('stoken'));
00277 }
00278
00284 public function getSessionChallengeToken()
00285 {
00286 $sRet = preg_replace('/[^a-z0-9]/i', '', self::getVar('sess_stoken'));
00287 if (!$sRet) {
00288 $this->_initNewSessionChallenge();
00289 $sRet = self::getVar('sess_stoken');
00290 }
00291 return $sRet;
00292 }
00293
00300 public function checkSessionChallenge()
00301 {
00302 $sToken = $this->getSessionChallengeToken();
00303 return $sToken && ($sToken == $this->getRequestChallengeToken());
00304 }
00305
00311 protected function _initNewSessionChallenge()
00312 {
00313 self::setVar('sess_stoken', sprintf('%X', crc32(oxUtilsObject::getInstance()->generateUID())));
00314 }
00315
00321 protected function _sessionStart()
00322 {
00323
00324 session_cache_limiter( 'nocache' );
00325
00326
00327
00328 if ( isset( $_SERVER['HTTP_USER_AGENT'] ) &&
00329 strpos( $_SERVER['HTTP_USER_AGENT'], 'AOL' ) !== false ) {
00330
00331 session_cache_limiter(false);
00332 header("Cache-Control: no-store, private, must-revalidate, proxy-revalidate, post-check=0, pre-check=0, max-age=0, s-maxage=0");
00333 }
00334
00335 $this->_blStarted = @session_start();
00336 if ( !$this->getSessionChallengeToken() ) {
00337 $this->_initNewSessionChallenge();
00338 }
00339
00340 return $this->_blStarted;
00341 }
00342
00348 public function initNewSession()
00349 {
00350
00351 if ( self::$_blIsNewSession ) {
00352 $this->_sessionStart();
00353 }
00354
00355
00356 $aPersistent = array();
00357 foreach ( $this->_aPersistentParams as $sParam ) {
00358 if ( ( $sValue = self::getVar( $sParam ) ) ) {
00359 $aPersistent[$sParam] = $sValue;
00360 }
00361 }
00362
00363 $this->_setSessionId( $this->_getNewSessionId() );
00364
00365
00366 foreach ( $aPersistent as $sKey => $sParam ) {
00367 self::setVar( $sKey, $aPersistent[$sKey] );
00368 }
00369
00370 $this->_initNewSessionChallenge();
00371
00372
00373 self::setVar( "sessionagent", oxUtilsServer::getInstance()->getServerVar( 'HTTP_USER_AGENT' ) );
00374 }
00375
00381 public function regenerateSessionId()
00382 {
00383
00384 if ( self::$_blIsNewSession ) {
00385 $this->_sessionStart();
00386
00387
00388 self::setVar( "sessionagent", oxUtilsServer::getInstance()->getServerVar( 'HTTP_USER_AGENT' ) );
00389 }
00390
00391 $this->_setSessionId( $this->_getNewSessionId( false ) );
00392 $this->_initNewSessionChallenge();
00393 }
00394
00403 protected function _getNewSessionId( $blUnset = true )
00404 {
00405 $sOldId = session_id();
00406 session_regenerate_id( ! oxConfig::getInstance()->getConfigParam( 'blAdodbSessionHandler' ) );
00407 $sNewId = session_id();
00408
00409 if ( $blUnset ) {
00410 session_unset();
00411 }
00412
00413 if ( oxConfig::getInstance()->getConfigParam( 'blAdodbSessionHandler' ) ) {
00414 $oDB = oxDb::getDb();
00415 $oDB->execute("UPDATE oxsessions SET SessionID = ".$oDB->quote( $sNewId )." WHERE SessionID = ".$oDB->quote( $sOldId ) );
00416 }
00417
00418 return session_id();
00419 }
00420
00426 public function freeze()
00427 {
00428
00429 self::setVar( $this->_getBasketName(), serialize( $this->getBasket() ) );
00430
00431 session_write_close();
00432 }
00433
00439 public function destroy()
00440 {
00441
00442 unset($_SESSION);
00443 session_destroy();
00444 }
00445
00453 public static function hasVar( $name )
00454 {
00455 if ( defined( 'OXID_PHP_UNIT' ) ) {
00456 if ( isset( modSession::$unitMOD ) && is_object( modSession::$unitMOD ) ) {
00457 try{
00458 $sVal = modSession::getInstance()->getVar( $name );
00459 return isset( $sVal );
00460 } catch( Exception $e ) {
00461
00462 }
00463 }
00464 }
00465
00466 return isset($_SESSION[$name]);
00467 }
00468
00477 public static function setVar( $name, $value)
00478 {
00479 if ( defined( 'OXID_PHP_UNIT' ) ) {
00480 if ( isset( modSession::$unitMOD ) && is_object( modSession::$unitMOD ) ) {
00481 try{
00482 return modSession::getInstance()->setVar( $name, $value );
00483 } catch( Exception $e ) {
00484
00485 }
00486 }
00487 }
00488
00489 $_SESSION[$name] = $value;
00490
00491 }
00492
00500 public static function getVar( $name )
00501 {
00502 if ( defined( 'OXID_PHP_UNIT' ) ) {
00503 if ( isset( modSession::$unitMOD ) && is_object( modSession::$unitMOD ) ) {
00504 try{
00505 return modSession::getInstance()->getVar( $name );
00506 } catch( Exception $e ) {
00507
00508 }
00509 }
00510 }
00511
00512 if ( isset( $_SESSION[$name] )) {
00513 return $_SESSION[$name];
00514 } else {
00515 return null;
00516 }
00517 }
00518
00526 public static function deleteVar( $name )
00527 {
00528 if ( defined( 'OXID_PHP_UNIT' ) ) {
00529 if ( isset( modSession::$unitMOD ) && is_object( modSession::$unitMOD ) ) {
00530 try{
00531 return modSession::getInstance()->setVar( $name, null );
00532 } catch( Exception $e ) {
00533
00534 }
00535 }
00536 }
00537
00538 $_SESSION[$name] = null;
00539
00540 unset($_SESSION[$name]);
00541 }
00542
00552 public function sid( $blForceSid = false )
00553 {
00554 $myConfig = $this->getConfig();
00555 $blUseCookies = $this->_getSessionUseCookies();
00556 $sRet = '';
00557
00558 $blDisableSid = oxUtils::getInstance()->isSearchEngine()
00559 && is_array($myConfig->getConfigParam( 'aCacheViews' ) )
00560 && !$this->isAdmin();
00561
00562
00563 if ( !$blDisableSid && $this->getId() && ($blForceSid || !$blUseCookies || !$this->_getCookieSid())) {
00564 $sRet = ( $blForceSid ? $this->getForcedName() : $this->getName() )."=".$this->getId();
00565 }
00566
00567 if ($this->isAdmin()) {
00568
00569 if ($sRet) {
00570 $sRet .= '&';
00571 }
00572 $sRet .= 'stoken='.$this->getSessionChallengeToken();
00573 }
00574
00575 return $sRet;
00576 }
00577
00583 public function hiddenSid()
00584 {
00585 $sToken = "<input type=\"hidden\" name=\"stoken\" value=\"".$this->getSessionChallengeToken(). "\">";
00586 $sSid = "<input type=\"hidden\" name=\"".$this->getForcedName()."\" value=\"". $this->getId() . "\">";
00587 return $sToken.$sSid;
00588 }
00589
00595 public function getBasket()
00596 {
00597 if ( $this->_oBasket === null ) {
00598 $sBasket = self::getVar( $this->_getBasketName() );
00599
00600
00601
00602 oxNew('oxbasketitem');
00603
00604 $oBasket = ( $sBasket && ( $oBasket = unserialize( $sBasket ) ) ) ? $oBasket : oxNew( 'oxbasket' );
00605 $this->setBasket( $oBasket );
00606 }
00607
00608 return $this->_oBasket;
00609 }
00610
00618 public function setBasket( $oBasket )
00619 {
00620
00621 $this->_oBasket = $oBasket;
00622 }
00623
00629 public function delBasket()
00630 {
00631 $this->setBasket( null );
00632 self::deleteVar( $this->_getBasketName());
00633 }
00634
00640 public function isNewSession()
00641 {
00642 return self::$_blIsNewSession;
00643 }
00644
00651 public function setForceNewSession()
00652 {
00653 $this->_blForceNewSession = true;
00654 }
00655
00663 public function isSidNeeded( $sUrl = null )
00664 {
00665 if ( $this->_getSessionUseCookies() && $this->_getCookieSid() ) {
00666
00667 if ( ( strpos( $sUrl, "https:" ) === 0 && !$this->getConfig()->isSsl() ) ||
00668 ( strpos( $sUrl, "http:" ) === 0 && $this->getConfig()->isSsl() ) ) {
00669 return true;
00670 }
00671 }
00672
00673 if ( $sUrl && !$this->getConfig()->isCurrentUrl( $sUrl ) ) {
00674 return true;
00675 } elseif ( $this->_blSidNeeded === null ) {
00676
00677 $this->_blSidNeeded = false;
00678
00679
00680 if ( !oxUtils::getInstance()->isSearchEngine() ) {
00681
00682 if ( oxUtilsServer::getInstance()->getOxCookie( $this->getName() ) ) {
00683 $this->_blSidNeeded = false;
00684 } elseif ( $this->_forceSessionStart() ) {
00685 $this->_blSidNeeded = true;
00686 } else {
00687
00688 if ( $blSidNeeded = self::getVar( 'blSidNeeded' ) ) {
00689 $this->_blSidNeeded = true;
00690 } elseif ( $this->_isSessionRequiredAction() ) {
00691 $this->_blSidNeeded = true;
00692
00693
00694 self::setVar( 'blSidNeeded', $this->_blSidNeeded );
00695 }
00696 }
00697 }
00698 }
00699
00700 return $this->_blSidNeeded;
00701 }
00702
00714 public function processUrl( $sUrl )
00715 {
00716 $sSid = $this->sid( $this->isSidNeeded( $sUrl ) );
00717 if ($sSid) {
00718 $oStr = getStr();
00719 $aUrlParts = explode( '#', $sUrl );
00720 if ( !$oStr->preg_match('/(\?|&(amp;)?)sid=/i', $aUrlParts[0]) && (false === $oStr->strpos($aUrlParts[0], $sSid))) {
00721 if (!$oStr->preg_match('/(\?|&(amp;)?)$/', $sUrl)) {
00722 $aUrlParts[0] .= ( $oStr->strstr( $aUrlParts[0], '?' ) !== false ? '&' : '?' );
00723 }
00724 $aUrlParts[0] .= $sSid . '&';
00725 }
00726 $sUrl = join( '#', $aUrlParts );
00727 }
00728 return $sUrl;
00729 }
00730
00740 public function getRemoteAccessToken($blGenerateNew = true)
00741 {
00742 $sToken = $this->getVar('_rtoken');
00743 if (!$sToken && $blGenerateNew) {
00744 $sToken = md5(rand() . $this->getId());
00745 $sToken = substr($sToken, 0, 8);
00746 self::setVar('_rtoken', $sToken);
00747 }
00748
00749 return $sToken;
00750 }
00751
00758 protected function _forceSessionStart()
00759 {
00760 return ( !oxUtils::getInstance()->isSearchEngine() ) && ( (( bool ) $this->getConfig()->getConfigParam( 'blForceSessionStart' )) || oxConfig::getParameter( "su" ) || $this->_blForceNewSession );
00761 }
00762
00768 protected function _allowSessionStart()
00769 {
00770 $blAllowSessionStart = true;
00771
00772
00773 if ( !$this->isAdmin() ) {
00774 if ( oxUtils::getInstance()->isSearchEngine() || oxConfig::getParameter( 'skipSession' ) ) {
00775 $blAllowSessionStart = false;
00776 } elseif ( !$this->_forceSessionStart() && !oxUtilsServer::getInstance()->getOxCookie( 'sid_key' ) ) {
00777
00778
00779
00780
00781 if ( !oxUtilsServer::getInstance()->getOxCookie( $this->getName() ) &&
00782 !( oxConfig::getParameter( $this->getName() ) || oxConfig::getParameter( $this->getForcedName() ) ) &&
00783 !$this->_isSessionRequiredAction() ) {
00784 $blAllowSessionStart = false;
00785 }
00786 }
00787 }
00788
00789 return $blAllowSessionStart;
00790 }
00791
00799 protected function _isSwappedClient()
00800 {
00801 $blSwapped = false;
00802 $myUtilsServer = oxUtilsServer::getInstance();
00803
00804
00805 if ( !oxUtils::getInstance()->isSearchEngine() && !$myUtilsServer->isTrustedClientIp() && !$this->_isValidRemoteAccessToken()) {
00806
00807 $myConfig = $this->getConfig();
00808
00809
00810 $blSwapped = $this->_checkUserAgent( $myUtilsServer->getServerVar( 'HTTP_USER_AGENT' ), self::getVar( 'sessionagent' ) );
00811 if ( !$blSwapped ) {
00812 if ( $myConfig->getConfigParam( 'blAdodbSessionHandler' ) ) {
00813 $blSwapped = $this->_checkSid();
00814 }
00815
00816 if ( !$blSwapped ) {
00817 $blDisableCookieCheck = $myConfig->getConfigParam( 'blDisableCookieCheck' );
00818 $blUseCookies = $this->_getSessionUseCookies();
00819 if ( !$blDisableCookieCheck && $blUseCookies ) {
00820 $blSwapped = $this->_checkCookies( $myUtilsServer->getOxCookie( 'sid_key' ), self::getVar( "sessioncookieisset" ) );
00821 }
00822 }
00823 }
00824 }
00825
00826 return $blSwapped;
00827 }
00828
00837 protected function _checkUserAgent( $sAgent, $sExistingAgent )
00838 {
00839 $blCheck = false;
00840
00841
00842 $oUtils = oxUtilsServer::getInstance();
00843 $sAgent = $oUtils->processUserAgentInfo( $sAgent );
00844 $sExistingAgent = $oUtils->processUserAgentInfo( $sExistingAgent );
00845
00846 if ( $sAgent && $sAgent !== $sExistingAgent ) {
00847 if ( $sExistingAgent ) {
00848 $this->_sErrorMsg = "Different browser ({$sExistingAgent}, {$sAgent}), creating new SID...<br>";
00849 }
00850 $blCheck = true;
00851 }
00852
00853 return $blCheck;
00854 }
00855
00861 protected function _checkSid()
00862 {
00863 $oDb = oxDb::getDb();
00864
00865 $sSID = $oDb->GetOne("select SessionID from oxsessions where SessionID = ".$oDb->quote( $this->getId() ));
00866
00867
00868
00869 if ( !$this->_blNewSession && (!isset( $sSID) || !$sSID)) {
00870
00871 $this->_sErrorMsg = "Session has expired in the past and someone uses this sid to reactivate it, creating new SID...<br>";
00872 return true;
00873 }
00874 return false;
00875 }
00876
00886 protected function _checkCookies( $sCookieSid, $aSessCookieSetOnce )
00887 {
00888 $blSwapped = false;
00889 $myConfig = $this->getConfig();
00890 $sCurrUrl = $myConfig->isSsl() ? $myConfig->getSslShopUrl( 0 ) : $myConfig->getShopUrl( 0 );
00891
00892 $blSessCookieSetOnce = false;
00893 if ( isset( $aSessCookieSetOnce[$sCurrUrl] ) ) {
00894 $blSessCookieSetOnce = $aSessCookieSetOnce[$sCurrUrl];
00895 }
00896
00897
00898 if ( $blSessCookieSetOnce && !$sCookieSid ) {
00899 if ( $myConfig->getConfigParam( 'iDebug' ) ) {
00900 $this->_sErrorMsg = "Cookie not found, creating new SID...<br>";
00901 $this->_sErrorMsg .= "Cookie: $sCookieSid<br>";
00902 $this->_sErrorMsg .= "Session: $blSessCookieSetOnce<br>";
00903 $this->_sErrorMsg .= "URL: ".$sCurrUrl."<br>";
00904 }
00905 $blSwapped = true;
00906 }
00907
00908
00909 if ( $sCookieSid == "oxid" && !$blSessCookieSetOnce ) {
00910 $aSessCookieSetOnce[$sCurrUrl] = "ox_true";
00911 self::setVar( "sessioncookieisset", $aSessCookieSetOnce );
00912 }
00913
00914
00915 if ( !$sCookieSid ) {
00916 oxUtilsServer::getInstance()->setOxCookie( 'sid_key', 'oxid' );
00917 }
00918 return $blSwapped;
00919 }
00920
00928 protected function _setSessionId($sSessId)
00929 {
00930
00931 if ( $sSessId && session_id() != $sSessId ) {
00932 $this->_blNewSession = true;
00933 }
00934
00935 session_id( $sSessId );
00936
00937 $this->setId( $sSessId );
00938
00939 $blUseCookies = $this->_getSessionUseCookies();
00940
00941 if ( !$this->_allowSessionStart() ) {
00942 if ( $blUseCookies ) {
00943 oxUtilsServer::getInstance()->setOxCookie( $this->getName(), null );
00944 }
00945 return;
00946 }
00947
00948 if ( $blUseCookies ) {
00949
00950 oxUtilsServer::getInstance()->setOxCookie( $this->getName(), $sSessId );
00951 }
00952 }
00953
00959 protected function _getBasketName()
00960 {
00961 $myConfig = $this->getConfig();
00962 if ( $myConfig->getConfigParam( 'blMallSharedBasket' ) == 0 ) {
00963 return $myConfig->getShopId()."_basket";
00964 }
00965 return "basket";
00966 }
00967
00973 protected function _getCookieSid()
00974 {
00975 return oxUtilsServer::getInstance()->getOxCookie($this->getName());
00976 }
00977
00984 protected function _getRequireSessionWithParams()
00985 {
00986 $aCfgArray = $this->getConfig()->getConfigParam('aRequireSessionWithParams');
00987 if (is_array($aCfgArray)) {
00988 $aDefault = $this->_aRequireSessionWithParams;
00989 foreach ($aCfgArray as $key => $val) {
00990 if (!is_array($val) && $val) {
00991 unset($aDefault[$key]);
00992 }
00993 }
00994 return array_merge_recursive($aCfgArray, $aDefault);
00995 }
00996 return $this->_aRequireSessionWithParams;
00997 }
00998
01004 protected function _isSessionRequiredAction()
01005 {
01006 foreach ($this->_getRequireSessionWithParams() as $sParam => $aValues) {
01007 $sValue = oxConfig::getParameter( $sParam );
01008 if (isset($sValue)) {
01009 if (is_array($aValues)) {
01010 if (isset($aValues[$sValue]) && $aValues[$sValue]) {
01011 return true;
01012 }
01013 } elseif ($aValues) {
01014 return true;
01015 }
01016 }
01017 }
01018
01019 return ( isset( $_SERVER['REQUEST_METHOD'] ) && $_SERVER['REQUEST_METHOD'] == 'POST');
01020 }
01021
01027 protected function _getSessionUseCookies()
01028 {
01029 return $this->isAdmin() || $this->getConfig()->getConfigParam( 'blSessionUseCookies');
01030 }
01031
01037 protected function _isValidRemoteAccessToken()
01038 {
01039 $sInputToken = oxConfig::getParameter('rtoken');
01040 $sToken = $this->getRemoteAccessToken(false);
01041 $blTokenEqual = !(bool)strcmp($sInputToken, $sToken);
01042 $blValid = $sInputToken && $blTokenEqual;
01043
01044 return $blValid;
01045 }
01046
01052 public function getBasketReservations()
01053 {
01054 if (!$this->_oBasketReservations) {
01055 $this->_oBasketReservations = oxNew('oxBasketReservation');
01056 }
01057 return $this->_oBasketReservations;
01058 }
01059
01065 public function isHeaderSent()
01066 {
01067 return headers_sent();
01068 }
01069
01075 public function isSessionStarted()
01076 {
01077 return $this->_blStarted;
01078 }
01079 }