oxsession.php

Go to the documentation of this file.

<?php

DEFINE('_DB_SESSION_HANDLER', getShopBasePath() . 'core/adodblite/session/adodb-session.php');

class oxSession extends oxSuperCfg
{
    protected $_sName = 'sid';

    protected $_sForcedPrefix = 'force_';

    protected  $_sId     = null;

    protected static $_blIsNewSession = false;

    protected static $_instance = null;

    protected static  $_oUser = null;

    protected $_blNewSession = false;

    protected $_blForceNewSession = false;

    protected $_sErrorMsg = null;

    protected $_oBasket = null;

    protected $_oBasketReservations = null;

    protected $_blStarted = false;

    protected $_aRequireSessionWithParams = array(
                       'cl' => array (
                            'register' => true,
                            'account'  => true,
                           ),
                       'fnc' => array (
                           'tobasket'         => true,
                           'login_noredirect' => true,
                           'tocomparelist'    => true,
                           ),
                       '_artperpage' => true,
                       'ldtype'      => true,
                       'listorderby' => true,
    );

    protected $_blSidNeeded = null;

    protected $_aPersistentParams = array("actshop", "lang", "currency", "language", "tpllanguage");

    public static function getInstance()
    {
        return oxRegistry::getSession();
    }

    public function getId()
    {
        return $this->_sId;
    }

    public function setId($sVal)
    {
        $this->_sId = $sVal;
    }

    public function setName($sVal)
    {
        $this->_sName = $sVal;
    }

    public function getForcedName()
    {
        return $this->_sForcedPrefix . $this->getName();
    }

    public function getName()
    {
        return $this->_sName;
    }

    public function start()
    {
        $myConfig = $this->getConfig();
        $sid = null;

        if ( $this->isAdmin() ) {
            $this->setName("admin_sid");
        } else {
            $this->setName("sid");
        }

        $sForceSidParam = $myConfig->getRequestParameter( $this->getForcedName() );
        $sSidParam = $myConfig->getRequestParameter( $this->getName() );

        //forcing sid for SSL<->nonSSL transitions
        if ($sForceSidParam) {
            $sid = $sForceSidParam;
        } elseif ($this->_getSessionUseCookies() && $this->_getCookieSid()) {
            $sid = $this->_getCookieSid();
        } elseif ($sSidParam) {
            $sid = $sSidParam;
        }

        //starting session if only we can
        if ( $this->_allowSessionStart() ) {

            //creating new sid
            if ( !$sid ) {
                self::$_blIsNewSession = true;
                $this->initNewSession();
            } else {
                self::$_blIsNewSession = false;
                $this->_setSessionId( $sid );
                $this->_sessionStart();
            }

            //special handling for new ZP cluster session, as in that case session_start() regenerates id
            if ( $this->_sId != session_id() ) {
                $this->_setSessionId( session_id() );
            }

            //checking for swapped client
            $blSwapped = $this->_isSwappedClient();
            if ( !self::$_blIsNewSession && $blSwapped ) {
                $this->initNewSession();

                // passing notification about session problems
                if ( $this->_sErrorMsg && $myConfig->getConfigParam( 'iDebug' ) ) {
                    oxRegistry::get("oxUtilsView")->addErrorToDisplay( oxNew( "oxException", $this->_sErrorMsg ) );
                }
            } elseif ( !$blSwapped ) {
                // transferring cookies between hosts
                oxRegistry::get("oxUtilsServer")->loadSessionCookies();
            }
        }
    }

    public function getRequestChallengeToken()
    {
        return preg_replace('/[^a-z0-9]/i', '', $this->getConfig()->getRequestParameter( 'stoken') );
    }

    public function getSessionChallengeToken()
    {
        $sRet = preg_replace('/[^a-z0-9]/i', '', $this->getVariable( 'sess_stoken' ) );
        if (!$sRet) {
            $this->_initNewSessionChallenge();
            $sRet = $this->getVariable( 'sess_stoken' );
        }
        return $sRet;
    }

    public function checkSessionChallenge()
    {
        $sToken = $this->getSessionChallengeToken();
        return $sToken && ($sToken == $this->getRequestChallengeToken());
    }

    protected function _initNewSessionChallenge()
    {
        $this->setVariable('sess_stoken', sprintf('%X', crc32(oxUtilsObject::getInstance()->generateUID())));
    }

    protected function _sessionStart()
    {
        $blSetNoCache = true;
        if ( $blSetNoCache ) {
            //enforcing no caching when session is started
            session_cache_limiter( 'nocache' );

            //cache limiter workaround for AOL browsers
            //as suggested at http://ilia.ws/archives/59-AOL-Browser-Woes.html
            if ( isset( $_SERVER['HTTP_USER_AGENT'] ) &&
                 strpos( $_SERVER['HTTP_USER_AGENT'], 'AOL' ) !== false ) {

                session_cache_limiter(false);
                header("Cache-Control: no-store, private, must-revalidate, proxy-revalidate, post-check=0, pre-check=0, max-age=0, s-maxage=0");
            }
        }

        // Including database session managing class if needed.
        if (oxRegistry::getConfig()->getConfigParam( 'blAdodbSessionHandler' ) ) {
            $oDB = oxDb::getDb();
            include_once _DB_SESSION_HANDLER;
        }

        $this->_blStarted = @session_start();
        if ( !$this->getSessionChallengeToken() ) {
            $this->_initNewSessionChallenge();
        }

        return $this->_blStarted;
    }

    public function initNewSession()
    {
        // starting session only if it was not started yet
        if ( self::$_blIsNewSession ) {
            $this->_sessionStart();
        }

        //saving persistent params if old session exists
        $aPersistent = array();
        foreach ( $this->_aPersistentParams as $sParam ) {
            if ( ( $sValue = $this->getVariable( $sParam ) ) ) {
                $aPersistent[$sParam] = $sValue;
            }
        }

        $this->_setSessionId( $this->_getNewSessionId() );

        //restoring persistent params to session
        foreach ( $aPersistent as $sKey => $sParam ) {
            $this->setVariable( $sKey, $aPersistent[$sKey] );
        }

        $this->_initNewSessionChallenge();

        // (re)setting actual user agent when initiating new session
        $this->setVariable( "sessionagent", oxRegistry::get("oxUtilsServer")->getServerVar( 'HTTP_USER_AGENT' ) );
    }

    public function regenerateSessionId()
    {
        // starting session only if it was not started yet
        if ( self::$_blIsNewSession ) {
            $this->_sessionStart();

            // (re)setting actual user agent when initiating new session
            $this->setVariable( "sessionagent", oxRegistry::get("oxUtilsServer")->getServerVar( 'HTTP_USER_AGENT' ) );
        }

        $this->_setSessionId( $this->_getNewSessionId( false ) );
        $this->_initNewSessionChallenge();
    }

    protected function _getNewSessionId( $blUnset = true )
    {
        $sOldId = session_id();
        @session_regenerate_id( ! oxRegistry::getConfig()->getConfigParam( 'blAdodbSessionHandler' ) );
        $sNewId = session_id();

        if ( $blUnset ) {
            session_unset();
        }

        if ( oxRegistry::getConfig()->getConfigParam( 'blAdodbSessionHandler' ) ) {
            $oDB = oxDb::getDb();
            $oDB->execute("UPDATE oxsessions SET SessionID = ".$oDB->quote( $sNewId )." WHERE SessionID = ".$oDB->quote( $sOldId ) );
        }

        return session_id();
    }

    public function freeze()
    {
        // storing basket ..
        $this->setVariable( $this->_getBasketName(), serialize( $this->getBasket() ) );

        session_write_close();
    }

    public function destroy()
    {
        //session_unset();
        unset($_SESSION);
        session_destroy();
    }

    public static function hasVar( $name )
    {
        return oxRegistry::getSession()->hasVariable( $name );
    }

    public function hasVariable( $name )
    {
        if ( defined( 'OXID_PHP_UNIT' ) ) {
            if ( isset( modSession::$unitMOD ) && is_object( modSession::$unitMOD ) ) {
                try {
                    $sVal = modSession::getInstance()->getVar( $name );
                    return isset( $sVal );
                } catch( Exception $e ) {
                    // if exception is thrown, use default
                }
            }
        }

        return isset( $_SESSION[$name] );
    }

    public static function setVar( $name, $value )
    {

        return oxRegistry::getSession()->setVariable( $name, $value );
    }

    public function setVariable( $name, $value )
    {
        if ( defined( 'OXID_PHP_UNIT' ) ) {
            if ( isset( modSession::$unitMOD ) && is_object( modSession::$unitMOD ) ) {
                try{
                    return modSession::getInstance()->setVar( $name, $value );
                } catch( Exception $e ) {
                    // if exception is thrown, use default
                }
            }
        }

        $_SESSION[$name] = $value;
        //logger( "set sessionvar : $name -> $value");
    }

    public static function getVar( $name )
    {
        return oxRegistry::getSession()->getVariable( $name );
    }

    public function getVariable( $name )
    {
        if ( defined( 'OXID_PHP_UNIT' ) ) {
            if ( isset( modSession::$unitMOD ) && is_object( modSession::$unitMOD ) ) {
                try{
                    return modSession::getInstance()->getVar( $name );
                } catch( Exception $e ) {
                    // if exception is thrown, use default
                }
            }
        }

        if ( isset( $_SESSION[$name] )) {
            return $_SESSION[$name];
        } else {
            return null;
        }
    }

    public static function deleteVar( $name )
    {
        oxRegistry::getSession()->deleteVariable( $name );
    }

    public function deleteVariable( $name )
    {
        if ( defined( 'OXID_PHP_UNIT' ) ) {
            if ( isset( modSession::$unitMOD ) && is_object( modSession::$unitMOD ) ) {
                try{
                    return modSession::getInstance()->setVar( $name, null );
                } catch( Exception $e ) {
                    // if exception is thrown, use default
                }
            }
        }

        $_SESSION[$name] = null;
        //logger( "delete sessionvar : $name");
        unset( $_SESSION[$name] );
    }

    public function sid( $blForceSid = false )
    {
        $myConfig     = $this->getConfig();
        $blUseCookies = $this->_getSessionUseCookies();
        $sRet         = '';

        $blDisableSid = oxRegistry::getUtils()->isSearchEngine()
                        && is_array($myConfig->getConfigParam( 'aCacheViews' ) )
                        && !$this->isAdmin();

        //no cookie?
        if (!$blDisableSid && $this->getId() && ( $blForceSid || !$blUseCookies || !$this->_getCookieSid())) {
            $sRet = ( $blForceSid ? $this->getForcedName() : $this->getName() )."=".$this->getId();
        }

        if ($this->isAdmin()) {
            // admin mode always has to have token
            if ($sRet) {
                $sRet .= '&amp;';
            }
            $sRet .= 'stoken='.$this->getSessionChallengeToken();
        }

        return $sRet;
    }

    public function hiddenSid()
    {
        $sSid = $sToken = '';
        if ($this->isSidNeeded()) {
             $sSid   = "<input type=\"hidden\" name=\"".$this->getForcedName()."\" value=\"". $this->getId() . "\" />";
        }
        if ($this->getId()) {
            $sToken = "<input type=\"hidden\" name=\"stoken\" value=\"".$this->getSessionChallengeToken(). "\" />";
        }
        return $sToken.$sSid;
    }

    public function getBasket()
    {
        if ( $this->_oBasket === null ) {
            $sBasket = $this->getVariable( $this->_getBasketName() );

            //init oxbasketitem class first
            //#1746
            oxNew('oxbasketitem');

            $oBasket = ( $sBasket && ( $oBasket = unserialize( $sBasket ) ) ) ? $oBasket : null;

            //#3908
            $oEmptyBasket = oxNew('oxbasket');
            if ( !$oBasket || ( get_class($oBasket) !== get_class($oEmptyBasket) ) ) {
                $oBasket = $oEmptyBasket;
            }

            $this->_validateBasket($oBasket);
            $this->setBasket( $oBasket );
        }

        return $this->_oBasket;
    }

    protected function _validateBasket(oxBasket $oBasket)
    {
        $aCurrContent = $oBasket->getContents();
        if (empty($aCurrContent)) {
            return;
        }

        $iCurrLang = oxRegistry::getLang()->getBaseLanguage();
        foreach ($aCurrContent as $oContent) {
            if ($oContent->getLanguageId() != $iCurrLang) {
                $oContent->setLanguageId($iCurrLang);
            }
        }
    }

    public function setBasket( $oBasket )
    {
        // sets basket session object
        $this->_oBasket = $oBasket;
    }

    public function delBasket()
    {
        $this->setBasket( null );
        $this->deleteVariable( $this->_getBasketName());
    }

    public function isNewSession()
    {
        return self::$_blIsNewSession;
    }

    public function setForceNewSession()
    {
        $this->_blForceNewSession = true;
    }

    public function isSidNeeded( $sUrl = null )
    {
        if ($this->isAdmin()) {
            return true;
        }

        $oConfig = $this->getConfig();

        if ( !$this->_getSessionUseCookies() || ( $sUrl && $this->_getCookieSid() && !$oConfig->isCurrentProtocol($sUrl) ) ) {
            // switching from ssl to non ssl or vice versa?
            return true;
        }

        if ( $sUrl && !$oConfig->isCurrentUrl( $sUrl ) ) {
            return true;
        } elseif ( $this->_blSidNeeded === null ) {
            // setting initial state
            $this->_blSidNeeded = false;

            // no SIDs for seach engines
            if ( !oxRegistry::getUtils()->isSearchEngine() ) {
                // cookie found - SID is not needed
                if ( oxRegistry::get("oxUtilsServer")->getOxCookie( $this->getName() ) ) {
                    $this->_blSidNeeded = false;
                } elseif ( $this->_forceSessionStart() ) {
                    $this->_blSidNeeded = true;
                } else {
                    // no cookie, so must check session
                    if ( $blSidNeeded = $this->getVariable( 'blSidNeeded' ) ) {
                        $this->_blSidNeeded = true;
                    } elseif ( $this->_isSessionRequiredAction() ) {

                        if (!count($_COOKIE)) {
                            $this->_blSidNeeded = true;

                            // storing to session, performance..
                            $this->setVariable( 'blSidNeeded', $this->_blSidNeeded  );
                        }
                    }
                }
            }
        }

        return $this->_blSidNeeded;
    }

    public function processUrl( $sUrl )
    {
        $blSid = $this->isSidNeeded( $sUrl );

        if ($blSid) {
            $sSid = $this->sid( $blSid );

            if ($sSid) {

                $oStr = getStr();
                $aUrlParts = explode( '#', $sUrl );
                if ( !$oStr->preg_match('/(\?|&(amp;)?)sid=/i', $aUrlParts[0]) && (false === $oStr->strpos($aUrlParts[0], $sSid))) {
                    if (!$oStr->preg_match('/(\?|&(amp;)?)$/', $sUrl)) {
                        $aUrlParts[0] .= ( $oStr->strstr( $aUrlParts[0], '?' ) !== false ?  '&amp;' : '?' );
                    }
                    $aUrlParts[0] .= $sSid . '&amp;';
                }
                $sUrl = join( '#', $aUrlParts );
            }
        }
        return $sUrl;
    }

    public function getRemoteAccessToken($blGenerateNew = true)
    {
        $sToken = $this->getVar('_rtoken');
        if (!$sToken && $blGenerateNew) {
            $sToken = md5(rand() . $this->getId());
            $sToken = substr($sToken, 0, 8);
            $this->setVariable( '_rtoken', $sToken );
        }

        return $sToken;
    }

    protected function _forceSessionStart()
    {
        return ( !oxRegistry::getUtils()->isSearchEngine() ) && ( (( bool ) $this->getConfig()->getConfigParam( 'blForceSessionStart' )) || $this->getConfig()->getRequestParameter( "su" ) || $this->_blForceNewSession );
    }

    protected function _allowSessionStart()
    {
        $blAllowSessionStart = true;
        $myConfig = $this->getConfig();

        // special handling only in non-admin mode
        if ( !$this->isAdmin() ) {
            if ( oxRegistry::getUtils()->isSearchEngine() || $myConfig->getRequestParameter( 'skipSession' ) ) {
                $blAllowSessionStart = false;
            } elseif (oxRegistry::get("oxUtilsServer")->getOxCookie( 'oxid_'.$myConfig->getShopId().'_autologin' ) === '1') {
                $blAllowSessionStart = true;
            } elseif ( !$this->_forceSessionStart() && !oxRegistry::get("oxUtilsServer")->getOxCookie( 'sid_key' ) ) {

                // session is not needed to start when it is not necessary:
                // - no sid in request and also user executes no session connected action
                // - no cookie set and user executes no session connected action
                if ( !oxRegistry::get("oxUtilsServer")->getOxCookie( $this->getName() ) &&
                     !( $myConfig->getRequestParameter( $this->getName() ) || $myConfig->getRequestParameter( $this->getForcedName() ) ) &&
                     !$this->_isSessionRequiredAction() ) {
                    $blAllowSessionStart = false;
                }
            }
        }

        return $blAllowSessionStart;
    }

    protected function _isSwappedClient()
    {
        $blSwapped = false;
        $myUtilsServer = oxRegistry::get("oxUtilsServer");

        // check only for non search engines
        if ( !oxRegistry::getUtils()->isSearchEngine() && !$myUtilsServer->isTrustedClientIp() && !$this->_isValidRemoteAccessToken()) {

            $myConfig = $this->getConfig();

            // checking if session user agent matches actual
            $blSwapped = $this->_checkUserAgent( $myUtilsServer->getServerVar( 'HTTP_USER_AGENT' ), $this->getVariable( 'sessionagent' ) );
            if ( !$blSwapped ) {
                if ( $myConfig->getConfigParam( 'blAdodbSessionHandler' ) ) {
                    $blSwapped = $this->_checkSid();
                }

                if ( !$blSwapped ) {
                    $blDisableCookieCheck = $myConfig->getConfigParam( 'blDisableCookieCheck' );
                    $blUseCookies         = $this->_getSessionUseCookies();
                    if ( !$blDisableCookieCheck && $blUseCookies ) {
                        $blSwapped = $this->_checkCookies( $myUtilsServer->getOxCookie( 'sid_key' ), $this->getVariable( "sessioncookieisset" ) );
                    }
                }
            }
        }

        return $blSwapped;
    }

    protected function _checkUserAgent( $sAgent, $sExistingAgent )
    {
        $blCheck = false;

        // processing
        $oUtils = oxRegistry::get("oxUtilsServer");
        $sAgent = $oUtils->processUserAgentInfo( $sAgent );
        $sExistingAgent = $oUtils->processUserAgentInfo( $sExistingAgent );

        if ( $sAgent && $sAgent !== $sExistingAgent ) {
            if ( $sExistingAgent ) {
                $this->_sErrorMsg = "Different browser ({$sExistingAgent}, {$sAgent}), creating new SID...<br>";
            }
            $blCheck = true;
        }

        return $blCheck;
    }

    protected function _checkSid()
    {
        $oDb = oxDb::getDb();
        //matze changed sesskey to SessionID because structure of oxsession changed!!
        $sSID = $oDb->getOne("select SessionID from oxsessions where SessionID = ".$oDb->quote( $this->getId() ));

        //2007-05-14
        //we check _blNewSession as well as this may be actually new session not written to db yet
        if ( !$this->_blNewSession && (!isset( $sSID) || !$sSID)) {
            // this means, that this session has expired in the past and someone uses this sid to reactivate it
            $this->_sErrorMsg = "Session has expired in the past and someone uses this sid to reactivate it, creating new SID...<br>";
            return true;
        }
        return false;
    }

    protected function _checkCookies( $sCookieSid, $aSessCookieSetOnce )
    {
        $blSwapped = false;
        $myConfig  = $this->getConfig();
        $sCurrUrl  = $myConfig->isSsl() ? $myConfig->getSslShopUrl() : $myConfig->getShopUrl();

        $blSessCookieSetOnce = false;
        if ( is_array($aSessCookieSetOnce) && isset( $aSessCookieSetOnce[$sCurrUrl] ) ) {
            $blSessCookieSetOnce = $aSessCookieSetOnce[$sCurrUrl];
        }

        //if cookie was there once but now is gone it means we have to reset
        if ( $blSessCookieSetOnce && !$sCookieSid ) {
            if ( $myConfig->getConfigParam( 'iDebug' ) ) {
                $this->_sErrorMsg  = "Cookie not found, creating new SID...<br>";
                $this->_sErrorMsg .= "Cookie: $sCookieSid<br>";
                $this->_sErrorMsg .= "Session: $blSessCookieSetOnce<br>";
                $this->_sErrorMsg .= "URL: ".$sCurrUrl."<br>";
            }
            $blSwapped = true;
        }

        //if we detect the cookie then set session var for possible later use
        if ( $sCookieSid == "oxid" && !$blSessCookieSetOnce ) {
            if (!is_array($aSessCookieSetOnce)) {
                $aSessCookieSetOnce = array();
            }

            $aSessCookieSetOnce[$sCurrUrl] = "ox_true";
            $this->setVariable( "sessioncookieisset", $aSessCookieSetOnce );
        }

        //if we have no cookie then try to set it
        if ( !$sCookieSid ) {
            oxRegistry::get("oxUtilsServer")->setOxCookie( 'sid_key', 'oxid' );
        }
        return $blSwapped;
    }

    protected function _setSessionId($sSessId)
    {
        //marking this session as new one, as it might be not writen to db yet
        if ( $sSessId && session_id() != $sSessId ) {
            $this->_blNewSession = true;
        }

        session_id( $sSessId );

        $this->setId( $sSessId );

        $blUseCookies = $this->_getSessionUseCookies();

        if ( !$this->_allowSessionStart() ) {
            if ( $blUseCookies ) {
                oxRegistry::get("oxUtilsServer")->setOxCookie( $this->getName(), null );
            }
            return;
        }

        if ( $blUseCookies ) {
            //setting session cookie
            oxRegistry::get("oxUtilsServer")->setOxCookie( $this->getName(), $sSessId );
        }
    }

    protected function _getBasketName()
    {
        $myConfig = $this->getConfig();
        if ( $myConfig->getConfigParam( 'blMallSharedBasket' ) == 0 ) {
            return $myConfig->getShopId()."_basket";
        }
        return "basket";
    }

    protected function _getCookieSid()
    {
        return oxRegistry::get("oxUtilsServer")->getOxCookie($this->getName());
    }

    protected function _getRequireSessionWithParams()
    {
        $aCfgArray = $this->getConfig()->getConfigParam('aRequireSessionWithParams');
        if (is_array($aCfgArray)) {
            $aDefault = $this->_aRequireSessionWithParams;
            foreach ($aCfgArray as $key => $val) {
                if (!is_array($val) && $val) {
                    unset($aDefault[$key]);
                }
            }
            return array_merge_recursive($aCfgArray, $aDefault);
        }
        return $this->_aRequireSessionWithParams;
    }

    protected function _isSessionRequiredAction()
    {
        foreach ($this->_getRequireSessionWithParams() as $sParam => $aValues) {
            $sValue = $this->getConfig()->getRequestParameter( $sParam );
            if (isset($sValue)) {
                if (is_array($aValues)) {
                    if (isset($aValues[$sValue]) && $aValues[$sValue]) {
                        return true;
                    }
                } elseif ($aValues) {
                    return true;
                }
            }
        }

        return ( isset( $_SERVER['REQUEST_METHOD'] ) && $_SERVER['REQUEST_METHOD'] == 'POST');
    }

    protected function _getSessionUseCookies()
    {
        return $this->isAdmin() || $this->getConfig()->getConfigParam( 'blSessionUseCookies');
    }

    protected function _isValidRemoteAccessToken()
    {
        $sInputToken = $this->getConfig()->getRequestParameter( 'rtoken' );
        $sToken = $this->getRemoteAccessToken(false);
        $blTokenEqual = !(bool)strcmp($sInputToken, $sToken);
        $blValid = $sInputToken && $blTokenEqual;

        return $blValid;
    }

    public function getBasketReservations()
    {
        if (!$this->_oBasketReservations) {
            $this->_oBasketReservations = oxNew('oxBasketReservation');
        }
        return $this->_oBasketReservations;
    }

    public function isHeaderSent()
    {
        return headers_sent();
    }

    public function isSessionStarted()
    {
        return $this->_blStarted;
    }


}