oxsession.php

Go to the documentation of this file.

<?php

DEFINE('_DB_SESSION_HANDLER', getShopBasePath() . 'core/adodblite/session/adodb-session.php');

class oxSession extends oxSuperCfg
{

    protected $_sName = 'sid';

    protected $_sForcedPrefix = 'force_';

    protected $_sId = null;

    protected static $_blIsNewSession = false;

    protected static $_oUser = null;

    protected $_blNewSession = false;

    protected $_blForceNewSession = false;

    protected $_sErrorMsg = null;

    protected $_oBasket = null;

    protected $_oBasketReservations = null;

    protected $_blStarted = false;

    protected $_aRequireSessionWithParams = array(
        'cl'          => array(
            'register' => true,
            'account'  => true,
        ),
        'fnc'         => array(
            'tobasket'         => true,
            'login_noredirect' => true,
            'tocomparelist'    => true,
        ),
        '_artperpage' => true,
        'ldtype'      => true,
        'listorderby' => true,
    );

    protected $_blSidNeeded = null;

    protected $_aPersistentParams = array("actshop", "lang", "currency", "language", "tpllanguage");

    public function getId()
    {
        return $this->_sId;
    }

    public function setId($sVal)
    {
        $this->_sId = $sVal;
    }

    public function setName($sVal)
    {
        $this->_sName = $sVal;
    }

    public function getForcedName()
    {
        return $this->_sForcedPrefix . $this->getName();
    }

    public function getName()
    {
        return $this->_sName;
    }

    public function start()
    {
        $myConfig = $this->getConfig();
        $sid = null;

        if ($this->isAdmin()) {
            $this->setName("admin_sid");
        } else {
            $this->setName("sid");
        }

        $sForceSidParam = $myConfig->getRequestParameter($this->getForcedName());
        $sSidParam = $myConfig->getRequestParameter($this->getName());

        //forcing sid for SSL<->nonSSL transitions
        if ($sForceSidParam) {
            $sid = $sForceSidParam;
        } elseif ($this->_getSessionUseCookies() && $this->_getCookieSid()) {
            $sid = $this->_getCookieSid();
        } elseif ($sSidParam) {
            $sid = $sSidParam;
        }

        //starting session if only we can
        if ($this->_allowSessionStart()) {

            //creating new sid
            if (!$sid) {
                self::$_blIsNewSession = true;
                $this->initNewSession();
            } else {
                self::$_blIsNewSession = false;
                $this->_setSessionId($sid);
                $this->_sessionStart();
            }

            //special handling for new ZP cluster session, as in that case session_start() regenerates id
            if ($this->_sId != session_id()) {
                $this->_setSessionId(session_id());
            }

            //checking for swapped client
            $blSwapped = $this->_isSwappedClient();
            if (!self::$_blIsNewSession && $blSwapped) {
                $this->initNewSession();

                // passing notification about session problems
                if ($this->_sErrorMsg && $myConfig->getConfigParam('iDebug')) {
                    oxRegistry::get("oxUtilsView")->addErrorToDisplay(oxNew("oxException", $this->_sErrorMsg));
                }
            } elseif (!$blSwapped) {
                // transferring cookies between hosts
                oxRegistry::get("oxUtilsServer")->loadSessionCookies();
            }
        }
    }

    public function getRequestChallengeToken()
    {
        return preg_replace('/[^a-z0-9]/i', '', $this->getConfig()->getRequestParameter('stoken'));
    }

    public function getSessionChallengeToken()
    {
        $sRet = preg_replace('/[^a-z0-9]/i', '', $this->getVariable('sess_stoken'));
        if (!$sRet) {
            $this->_initNewSessionChallenge();
            $sRet = $this->getVariable('sess_stoken');
        }

        return $sRet;
    }

    public function checkSessionChallenge()
    {
        $sToken = $this->getSessionChallengeToken();

        return $sToken && ($sToken == $this->getRequestChallengeToken());
    }

    protected function _initNewSessionChallenge()
    {
        $this->setVariable('sess_stoken', sprintf('%X', crc32(oxUtilsObject::getInstance()->generateUID())));
    }

    protected function _sessionStart()
    {
        $blSetNoCache = true;
        if ($blSetNoCache) {
            //enforcing no caching when session is started
            session_cache_limiter('nocache');

            //cache limiter workaround for AOL browsers
            //as suggested at http://ilia.ws/archives/59-AOL-Browser-Woes.html
            if (isset($_SERVER['HTTP_USER_AGENT']) &&
                strpos($_SERVER['HTTP_USER_AGENT'], 'AOL') !== false
            ) {

                session_cache_limiter(false);
                header("Cache-Control: no-store, private, must-revalidate, proxy-revalidate, post-check=0, pre-check=0, max-age=0, s-maxage=0");
            }
        }

        // Including database session managing class if needed.
        if (oxRegistry::getConfig()->getConfigParam('blAdodbSessionHandler')) {
            $oDB = oxDb::getDb();
            include_once _DB_SESSION_HANDLER;
        }

        $this->_blStarted = @session_start();
        if (!$this->getSessionChallengeToken()) {
            $this->_initNewSessionChallenge();
        }

        return $this->_blStarted;
    }

    public function initNewSession()
    {
        // starting session only if it was not started yet
        if (self::$_blIsNewSession) {
            $this->_sessionStart();
        }

        //saving persistent params if old session exists
        $aPersistent = array();
        foreach ($this->_aPersistentParams as $sParam) {
            if (($sValue = $this->getVariable($sParam))) {
                $aPersistent[$sParam] = $sValue;
            }
        }

        $this->_setSessionId($this->_getNewSessionId());

        //restoring persistent params to session
        foreach ($aPersistent as $sKey => $sParam) {
            $this->setVariable($sKey, $aPersistent[$sKey]);
        }

        $this->_initNewSessionChallenge();

        // (re)setting actual user agent when initiating new session
        $this->setVariable("sessionagent", oxRegistry::get("oxUtilsServer")->getServerVar('HTTP_USER_AGENT'));
    }

    public function regenerateSessionId()
    {
        // starting session only if it was not started yet
        if (self::$_blIsNewSession) {
            $this->_sessionStart();

            // (re)setting actual user agent when initiating new session
            $this->setVariable("sessionagent", oxRegistry::get("oxUtilsServer")->getServerVar('HTTP_USER_AGENT'));
        }

        $this->_setSessionId($this->_getNewSessionId(false));
        $this->_initNewSessionChallenge();
    }

    protected function _getNewSessionId($blUnset = true)
    {
        $sOldId = session_id();
        @session_regenerate_id(!oxRegistry::getConfig()->getConfigParam('blAdodbSessionHandler'));
        $sNewId = session_id();

        if ($blUnset) {
            session_unset();
        }

        if (oxRegistry::getConfig()->getConfigParam('blAdodbSessionHandler')) {
            $oDB = oxDb::getDb();
            $oDB->execute("UPDATE oxsessions SET SessionID = " . $oDB->quote($sNewId) . " WHERE SessionID = " . $oDB->quote($sOldId));
        }

        return session_id();
    }

    public function freeze()
    {
        // storing basket ..
        $this->setVariable($this->_getBasketName(), serialize($this->getBasket()));

        session_write_close();
    }

    public function destroy()
    {
        //session_unset();
        unset($_SESSION);
        session_destroy();
    }

    public function hasVariable($name)
    {
        if (defined('OXID_PHP_UNIT')) {
            if (isset(modSession::$unitMOD) && is_object(modSession::$unitMOD)) {
                try {
                    $sVal = modSession::getInstance()->getVar($name);

                    return isset($sVal);
                } catch (Exception $e) {
                    // if exception is thrown, use default
                }
            }
        }

        return isset($_SESSION[$name]);
    }

    public function setVariable($name, $value)
    {
        if (defined('OXID_PHP_UNIT')) {
            if (isset(modSession::$unitMOD) && is_object(modSession::$unitMOD)) {
                try {
                    return modSession::getInstance()->setVar($name, $value);
                } catch (Exception $e) {
                    // if exception is thrown, use default
                }
            }
        }

        $_SESSION[$name] = $value;
        //logger( "set sessionvar : $name -> $value");
    }

    public function getVariable($name)
    {
        if (defined('OXID_PHP_UNIT')) {
            if (isset(modSession::$unitMOD) && is_object(modSession::$unitMOD)) {
                try {
                    return modSession::getInstance()->getVar($name);
                } catch (Exception $e) {
                    // if exception is thrown, use default
                }
            }
        }

        if (isset($_SESSION[$name])) {
            return $_SESSION[$name];
        } else {
            return null;
        }
    }

    public function deleteVariable($name)
    {
        if (defined('OXID_PHP_UNIT')) {
            if (isset(modSession::$unitMOD) && is_object(modSession::$unitMOD)) {
                try {
                    return modSession::getInstance()->setVar($name, null);
                } catch (Exception $e) {
                    // if exception is thrown, use default
                }
            }
        }

        $_SESSION[$name] = null;
        //logger( "delete sessionvar : $name");
        unset($_SESSION[$name]);
    }

    public function sid($blForceSid = false)
    {
        $myConfig = $this->getConfig();
        $blUseCookies = $this->_getSessionUseCookies();
        $sRet = '';

        $blDisableSid = oxRegistry::getUtils()->isSearchEngine()
                        && is_array($myConfig->getConfigParam('aCacheViews'))
                        && !$this->isAdmin();

        //no cookie?
        if (!$blDisableSid && $this->getId() && ($blForceSid || !$blUseCookies || !$this->_getCookieSid())) {
            $sRet = ($blForceSid ? $this->getForcedName() : $this->getName()) . "=" . $this->getId();
        }

        if ($this->isAdmin()) {
            // admin mode always has to have token
            if ($sRet) {
                $sRet .= '&amp;';
            }
            $sRet .= 'stoken=' . $this->getSessionChallengeToken();
        }

        return $sRet;
    }

    public function hiddenSid()
    {
        $sSid = $sToken = '';
        if ($this->isSidNeeded()) {
            $sSid = "<input type=\"hidden\" name=\"" . $this->getForcedName() . "\" value=\"" . $this->getId() . "\" />";
        }
        if ($this->getId()) {
            $sToken = "<input type=\"hidden\" name=\"stoken\" value=\"" . $this->getSessionChallengeToken() . "\" />";
        }

        return $sToken . $sSid;
    }

    public function getBasket()
    {
        if ($this->_oBasket === null) {
            $sBasket = $this->getVariable($this->_getBasketName());

            //init oxbasketitem class first
            //#1746
            oxNew('oxbasketitem');

            // init oxbasket through oxNew and not oxAutoload, Mantis-Bug #0004262
            $oEmptyBasket = oxNew('oxbasket');

            $oBasket = ($sBasket && ($oBasket = unserialize($sBasket))) ? $oBasket : null;

            if (!$oBasket || (get_class($oBasket) !== get_class($oEmptyBasket))) {
                $oBasket = $oEmptyBasket;
            }

            $this->_validateBasket($oBasket);
            $this->setBasket($oBasket);
        }

        return $this->_oBasket;
    }

    protected function _validateBasket(oxBasket $oBasket)
    {
        $aCurrContent = $oBasket->getContents();
        if (empty($aCurrContent)) {
            return;
        }

        $iCurrLang = oxRegistry::getLang()->getBaseLanguage();
        foreach ($aCurrContent as $oContent) {
            if ($oContent->getLanguageId() != $iCurrLang) {
                $oContent->setLanguageId($iCurrLang);
            }
        }
    }

    public function setBasket($oBasket)
    {
        // sets basket session object
        $this->_oBasket = $oBasket;
    }

    public function delBasket()
    {
        $this->setBasket(null);
        $this->deleteVariable($this->_getBasketName());
    }

    public function isNewSession()
    {
        return self::$_blIsNewSession;
    }

    public function setForceNewSession()
    {
        $this->_blForceNewSession = true;
    }

    public function isSidNeeded($sUrl = null)
    {
        if ($this->isAdmin()) {
            return true;
        }

        $oConfig = $this->getConfig();

        if (!$this->_getSessionUseCookies() || ($sUrl && $this->_getCookieSid() && !$oConfig->isCurrentProtocol($sUrl))) {
            // switching from ssl to non ssl or vice versa?
            return true;
        }

        if ($sUrl && !$oConfig->isCurrentUrl($sUrl)) {
            return true;
        } elseif ($this->_blSidNeeded === null) {
            // setting initial state
            $this->_blSidNeeded = false;

            // no SIDs for search engines
            if (!oxRegistry::getUtils()->isSearchEngine()) {
                // cookie found - SID is not needed
                if (oxRegistry::get("oxUtilsServer")->getOxCookie($this->getName())) {
                    $this->_blSidNeeded = false;
                } elseif ($this->_forceSessionStart()) {
                    $this->_blSidNeeded = true;
                } else {
                    // no cookie, so must check session
                    if ($blSidNeeded = $this->getVariable('blSidNeeded')) {
                        $this->_blSidNeeded = true;
                    } elseif ($this->_isSessionRequiredAction()) {

                        if (!count($_COOKIE)) {
                            $this->_blSidNeeded = true;

                            // storing to session, performance..
                            $this->setVariable('blSidNeeded', $this->_blSidNeeded);
                        }
                    }
                }
            }
        }

        return $this->_blSidNeeded;
    }

    public function isActualSidInCookie()
    {
        $blReturn = (isset($_COOKIE[$this->getName()]) && ($_COOKIE[$this->getName()] == $this->getId()));

        return $blReturn;
    }

    public function processUrl($sUrl)
    {
        $blSid = $this->isSidNeeded($sUrl);

        if ($blSid) {
            $sSid = $this->sid($blSid);

            if ($sSid) {

                $oStr = getStr();
                $aUrlParts = explode('#', $sUrl);
                if (!$oStr->preg_match('/(\?|&(amp;)?)sid=/i', $aUrlParts[0]) && (false === $oStr->strpos($aUrlParts[0], $sSid))) {
                    if (!$oStr->preg_match('/(\?|&(amp;)?)$/', $sUrl)) {
                        $aUrlParts[0] .= ($oStr->strstr($aUrlParts[0], '?') !== false ? '&amp;' : '?');
                    }
                    $aUrlParts[0] .= $sSid . '&amp;';
                }
                $sUrl = join('#', $aUrlParts);
            }
        }

        return $sUrl;
    }

    public function getRemoteAccessToken($blGenerateNew = true)
    {
        $sToken = $this->getVariable('_rtoken');
        if (!$sToken && $blGenerateNew) {
            $sToken = md5(rand() . $this->getId());
            $sToken = substr($sToken, 0, 8);
            $this->setVariable('_rtoken', $sToken);
        }

        return $sToken;
    }

    protected function _forceSessionStart()
    {
        return (!oxRegistry::getUtils()->isSearchEngine()) && ((( bool ) $this->getConfig()->getConfigParam('blForceSessionStart')) || $this->getConfig()->getRequestParameter("su") || $this->_blForceNewSession);
    }

    protected function _allowSessionStart()
    {
        $blAllowSessionStart = true;
        $myConfig = $this->getConfig();

        // special handling only in non-admin mode
        if (!$this->isAdmin()) {
            if (oxRegistry::getUtils()->isSearchEngine() || $myConfig->getRequestParameter('skipSession')) {
                $blAllowSessionStart = false;
            } elseif (oxRegistry::get("oxUtilsServer")->getOxCookie('oxid_' . $myConfig->getShopId() . '_autologin') === '1') {
                $blAllowSessionStart = true;
            } elseif (!$this->_forceSessionStart() && !oxRegistry::get("oxUtilsServer")->getOxCookie('sid_key')) {

                // session is not needed to start when it is not necessary:
                // - no sid in request and also user executes no session connected action
                // - no cookie set and user executes no session connected action
                if (!oxRegistry::get("oxUtilsServer")->getOxCookie($this->getName()) &&
                    !($myConfig->getRequestParameter($this->getName()) || $myConfig->getRequestParameter($this->getForcedName())) &&
                    !$this->_isSessionRequiredAction()
                ) {
                    $blAllowSessionStart = false;
                }
            }
        }

        return $blAllowSessionStart;
    }

    protected function _isSwappedClient()
    {
        $blSwapped = false;
        $myUtilsServer = oxRegistry::get("oxUtilsServer");

        // check only for non search engines
        if (!oxRegistry::getUtils()->isSearchEngine() && !$myUtilsServer->isTrustedClientIp() && !$this->_isValidRemoteAccessToken()) {

            $myConfig = $this->getConfig();

            // checking if session user agent matches actual
            $blSwapped = $this->_checkUserAgent($myUtilsServer->getServerVar('HTTP_USER_AGENT'), $this->getVariable('sessionagent'));
            if (!$blSwapped) {
                if ($myConfig->getConfigParam('blAdodbSessionHandler')) {
                    $blSwapped = $this->_checkSid();
                }

                if (!$blSwapped) {
                    $blDisableCookieCheck = $myConfig->getConfigParam('blDisableCookieCheck');
                    $blUseCookies = $this->_getSessionUseCookies();
                    if (!$blDisableCookieCheck && $blUseCookies) {
                        $blSwapped = $this->_checkCookies($myUtilsServer->getOxCookie('sid_key'), $this->getVariable("sessioncookieisset"));
                    }
                }
            }
        }

        return $blSwapped;
    }

    protected function _checkUserAgent($sAgent, $sExistingAgent)
    {
        $blCheck = false;

        // processing
        $oUtils = oxRegistry::get("oxUtilsServer");
        $sAgent = $oUtils->processUserAgentInfo($sAgent);
        $sExistingAgent = $oUtils->processUserAgentInfo($sExistingAgent);

        if ($sAgent && $sAgent !== $sExistingAgent) {
            if ($sExistingAgent) {
                $this->_sErrorMsg = "Different browser ({$sExistingAgent}, {$sAgent}), creating new SID...<br>";
            }
            $blCheck = true;
        }

        return $blCheck;
    }

    protected function _checkSid()
    {
        $oDb = oxDb::getDb();
        //matze changed sesskey to SessionID because structure of oxsession changed!!
        $sSID = $oDb->getOne("select SessionID from oxsessions where SessionID = " . $oDb->quote($this->getId()));

        //2007-05-14
        //we check _blNewSession as well as this may be actually new session not written to db yet
        if (!$this->_blNewSession && (!isset($sSID) || !$sSID)) {
            // this means, that this session has expired in the past and someone uses this sid to reactivate it
            $this->_sErrorMsg = "Session has expired in the past and someone uses this sid to reactivate it, creating new SID...<br>";

            return true;
        }

        return false;
    }

    protected function _checkCookies($sCookieSid, $aSessCookieSetOnce)
    {
        $blSwapped = false;
        $myConfig = $this->getConfig();
        $sCurrUrl = $myConfig->isSsl() ? $myConfig->getSslShopUrl() : $myConfig->getShopUrl();

        $blSessCookieSetOnce = false;
        if (is_array($aSessCookieSetOnce) && isset($aSessCookieSetOnce[$sCurrUrl])) {
            $blSessCookieSetOnce = $aSessCookieSetOnce[$sCurrUrl];
        }

        //if cookie was there once but now is gone it means we have to reset
        if ($blSessCookieSetOnce && !$sCookieSid) {
            if ($myConfig->getConfigParam('iDebug')) {
                $this->_sErrorMsg = "Cookie not found, creating new SID...<br>";
                $this->_sErrorMsg .= "Cookie: $sCookieSid<br>";
                $this->_sErrorMsg .= "Session: $blSessCookieSetOnce<br>";
                $this->_sErrorMsg .= "URL: " . $sCurrUrl . "<br>";
            }
            $blSwapped = true;
        }

        //if we detect the cookie then set session var for possible later use
        if ($sCookieSid == "oxid" && !$blSessCookieSetOnce) {
            if (!is_array($aSessCookieSetOnce)) {
                $aSessCookieSetOnce = array();
            }

            $aSessCookieSetOnce[$sCurrUrl] = "ox_true";
            $this->setVariable("sessioncookieisset", $aSessCookieSetOnce);
        }

        //if we have no cookie then try to set it
        if (!$sCookieSid) {
            oxRegistry::get("oxUtilsServer")->setOxCookie('sid_key', 'oxid');
        }

        return $blSwapped;
    }

    protected function _setSessionId($sSessId)
    {
        //marking this session as new one, as it might be not writen to db yet
        if ($sSessId && session_id() != $sSessId) {
            $this->_blNewSession = true;
        }

        session_id($sSessId);

        $this->setId($sSessId);

        $blUseCookies = $this->_getSessionUseCookies();

        if (!$this->_allowSessionStart()) {
            if ($blUseCookies) {
                oxRegistry::get("oxUtilsServer")->setOxCookie($this->getName(), null);
            }

            return;
        }

        if ($blUseCookies) {
            //setting session cookie
            oxRegistry::get("oxUtilsServer")->setOxCookie($this->getName(), $sSessId);
        }
    }

    protected function _getBasketName()
    {
        $myConfig = $this->getConfig();
        if ($myConfig->getConfigParam('blMallSharedBasket') == 0) {
            return $myConfig->getShopId() . "_basket";
        }

        return "basket";
    }

    protected function _getCookieSid()
    {
        return oxRegistry::get("oxUtilsServer")->getOxCookie($this->getName());
    }

    protected function _getRequireSessionWithParams()
    {
        $aCfgArray = $this->getConfig()->getConfigParam('aRequireSessionWithParams');
        if (is_array($aCfgArray)) {
            $aDefault = $this->_aRequireSessionWithParams;
            foreach ($aCfgArray as $key => $val) {
                if (!is_array($val) && $val) {
                    unset($aDefault[$key]);
                }
            }

            return array_merge_recursive($aCfgArray, $aDefault);
        }

        return $this->_aRequireSessionWithParams;
    }

    protected function _isSessionRequiredAction()
    {
        foreach ($this->_getRequireSessionWithParams() as $sParam => $aValues) {
            $sValue = $this->getConfig()->getRequestParameter($sParam);
            if (isset($sValue)) {
                if (is_array($aValues)) {
                    if (isset($aValues[$sValue]) && $aValues[$sValue]) {
                        return true;
                    }
                } elseif ($aValues) {
                    return true;
                }
            }
        }

        return (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] == 'POST');
    }

    protected function _getSessionUseCookies()
    {
        return $this->isAdmin() || $this->getConfig()->getConfigParam('blSessionUseCookies');
    }

    protected function _isValidRemoteAccessToken()
    {
        $sInputToken = $this->getConfig()->getRequestParameter('rtoken');
        $sToken = $this->getRemoteAccessToken(false);
        $blTokenEqual = !(bool) strcmp($sInputToken, $sToken);
        $blValid = $sInputToken && $blTokenEqual;

        return $blValid;
    }

    public function getBasketReservations()
    {
        if (!$this->_oBasketReservations) {
            $this->_oBasketReservations = oxNew('oxBasketReservation');
        }

        return $this->_oBasketReservations;
    }

    public function isHeaderSent()
    {
        return headers_sent();
    }

    public function isSessionStarted()
    {
        return $this->_blStarted;
    }

}