| | |
| | | <?php |
| | | |
| | | /* |
| | | /** |
| | | +-----------------------------------------------------------------------+ |
| | | | This file is part of the Roundcube Webmail client | |
| | | | Copyright (C) 2005-2012, The Roundcube Dev Team | |
| | | | Copyright (C) 2005-2014, The Roundcube Dev Team | |
| | | | Copyright (C) 2011, Kolab Systems AG | |
| | | | | |
| | | | Licensed under the GNU General Public License version 3 or | |
| | |
| | | +-----------------------------------------------------------------------+ |
| | | | Author: Thomas Bruederli <roundcube@gmail.com> | |
| | | | Author: Aleksander Machniak <alec@alec.pl> | |
| | | | Author: Cor Bosman <cor@roundcu.be> | |
| | | +-----------------------------------------------------------------------+ |
| | | */ |
| | | |
| | | /** |
| | | * Class to provide database supported session storage |
| | | * Abstract class to provide database supported session storage |
| | | * |
| | | * @package Framework |
| | | * @subpackage Core |
| | | * @author Thomas Bruederli <roundcube@gmail.com> |
| | | * @author Aleksander Machniak <alec@alec.pl> |
| | | */ |
| | | class rcube_session |
| | | abstract class rcube_session |
| | | { |
| | | private $db; |
| | | private $ip; |
| | | private $start; |
| | | private $changed; |
| | | private $time_diff = 0; |
| | | private $reloaded = false; |
| | | private $unsets = array(); |
| | | private $gc_handlers = array(); |
| | | private $cookiename = 'roundcube_sessauth'; |
| | | private $vars; |
| | | private $key; |
| | | private $now; |
| | | private $secret = ''; |
| | | private $ip_check = false; |
| | | private $logging = false; |
| | | private $storage; |
| | | private $memcache; |
| | | protected $config; |
| | | protected $key; |
| | | protected $ip; |
| | | protected $changed; |
| | | protected $start; |
| | | protected $vars; |
| | | protected $now; |
| | | protected $time_diff = 0; |
| | | protected $reloaded = false; |
| | | protected $appends = array(); |
| | | protected $unsets = array(); |
| | | protected $gc_enabled = 0; |
| | | protected $gc_handlers = array(); |
| | | protected $cookiename = 'roundcube_sessauth'; |
| | | protected $ip_check = false; |
| | | protected $logging = false; |
| | | |
| | | |
| | | /** |
| | | * Default constructor |
| | | * Blocks session data from being written to database. |
| | | * Can be used if write-race conditions are to be expected |
| | | * @var boolean |
| | | */ |
| | | public function __construct($db, $config) |
| | | public $nowrite = false; |
| | | |
| | | /** |
| | | * Factory, returns driver-specific instance of the class |
| | | * |
| | | * @param object $config |
| | | * @return Object rcube_session |
| | | */ |
| | | public static function factory($config) |
| | | { |
| | | $this->db = $db; |
| | | $this->start = microtime(true); |
| | | $this->ip = rcube_utils::remote_addr(); |
| | | $this->logging = $config->get('log_session', false); |
| | | // get session storage driver |
| | | $storage = $config->get('session_storage', 'db'); |
| | | |
| | | $lifetime = $config->get('session_lifetime', 1) * 60; |
| | | $this->set_lifetime($lifetime); |
| | | // class name for this storage |
| | | $class = "rcube_session_" . $storage; |
| | | |
| | | // use memcache backend |
| | | $this->storage = $config->get('session_storage', 'db'); |
| | | if ($this->storage == 'memcache') { |
| | | $this->memcache = rcube::get_instance()->get_memcache(); |
| | | |
| | | // set custom functions for PHP session management if memcache is available |
| | | if ($this->memcache) { |
| | | ini_set('session.serialize_handler', 'php'); |
| | | |
| | | session_set_save_handler( |
| | | array($this, 'open'), |
| | | array($this, 'close'), |
| | | array($this, 'mc_read'), |
| | | array($this, 'mc_write'), |
| | | array($this, 'mc_destroy'), |
| | | array($this, 'gc')); |
| | | } |
| | | else { |
| | | rcube::raise_error(array('code' => 604, 'type' => 'db', |
| | | 'line' => __LINE__, 'file' => __FILE__, |
| | | 'message' => "Failed to connect to memcached. Please check configuration"), |
| | | true, true); |
| | | } |
| | | // try to instantiate class |
| | | if (class_exists($class)) { |
| | | return new $class($config); |
| | | } |
| | | else if ($this->storage != 'php') { |
| | | ini_set('session.serialize_handler', 'php'); |
| | | |
| | | // set custom functions for PHP session management |
| | | session_set_save_handler( |
| | | array($this, 'open'), |
| | | array($this, 'close'), |
| | | array($this, 'db_read'), |
| | | array($this, 'db_write'), |
| | | array($this, 'db_destroy'), |
| | | array($this, 'gc')); |
| | | // no storage found, raise error |
| | | rcube::raise_error(array('code' => 604, 'type' => 'session', |
| | | 'line' => __LINE__, 'file' => __FILE__, |
| | | 'message' => "Failed to find session driver. Check session_storage config option"), |
| | | true, true); |
| | | } |
| | | |
| | | /** |
| | | * @param Object $config |
| | | */ |
| | | public function __construct($config) |
| | | { |
| | | $this->config = $config; |
| | | |
| | | // set ip check |
| | | $this->set_ip_check($this->config->get('ip_check')); |
| | | |
| | | // set cookie name |
| | | if ($this->config->get('session_auth_name')) { |
| | | $this->set_cookiename($this->config->get('session_auth_name')); |
| | | } |
| | | } |
| | | |
| | | /** |
| | | * register session handler |
| | | */ |
| | | public function register_session_handler() |
| | | { |
| | | ini_set('session.serialize_handler', 'php'); |
| | | |
| | | // set custom functions for PHP session management |
| | | session_set_save_handler( |
| | | array($this, 'open'), |
| | | array($this, 'close'), |
| | | array($this, 'read'), |
| | | array($this, 'sess_write'), |
| | | array($this, 'destroy'), |
| | | array($this, 'gc') |
| | | ); |
| | | } |
| | | |
| | | /** |
| | | * Wrapper for session_start() |
| | | */ |
| | | public function start() |
| | | { |
| | | $this->start = microtime(true); |
| | | $this->ip = rcube_utils::remote_addr(); |
| | | $this->logging = $this->config->get('log_session', false); |
| | | |
| | | $lifetime = $this->config->get('session_lifetime', 1) * 60; |
| | | $this->set_lifetime($lifetime); |
| | | |
| | | session_start(); |
| | | |
| | | // copy some session properties to object vars |
| | | if ($this->storage == 'php') { |
| | | $this->key = session_id(); |
| | | $this->ip = $_SESSION['__IP']; |
| | | $this->changed = $_SESSION['__MTIME']; |
| | | } |
| | | } |
| | | |
| | | |
| | | public function open($save_path, $session_name) |
| | | { |
| | | return true; |
| | | } |
| | | |
| | | |
| | | public function close() |
| | | { |
| | | return true; |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Delete session data for the given key |
| | | * |
| | | * @param string Session ID |
| | | * Abstract methods should be implemented by driver classes |
| | | */ |
| | | public function destroy($key) |
| | | { |
| | | return $this->memcache ? $this->mc_destroy($key) : $this->db_destroy($key); |
| | | } |
| | | abstract function open($save_path, $session_name); |
| | | abstract function close(); |
| | | abstract function destroy($key); |
| | | abstract function read($key); |
| | | abstract function write($key, $vars); |
| | | abstract function update($key, $newvars, $oldvars); |
| | | |
| | | /** |
| | | * session write handler. This calls the implementation methods for write/update after some initial checks. |
| | | * |
| | | * @param $key |
| | | * @param $vars |
| | | * |
| | | * @return bool |
| | | */ |
| | | public function sess_write($key, $vars) |
| | | { |
| | | if ($this->nowrite) { |
| | | return true; |
| | | } |
| | | |
| | | // check cache |
| | | $oldvars = $this->get_cache($key); |
| | | |
| | | // if there are cached vars, update store, else insert new data |
| | | if ($oldvars) { |
| | | $newvars = $this->_fixvars($vars, $oldvars); |
| | | return $this->update($key, $newvars, $oldvars); |
| | | } |
| | | else { |
| | | return $this->write($key, $vars); |
| | | } |
| | | } |
| | | |
| | | /** |
| | | * Wrapper for session_write_close() |
| | | */ |
| | | public function write_close() |
| | | { |
| | | if ($this->storage == 'php') { |
| | | $_SESSION['__IP'] = $this->ip; |
| | | $_SESSION['__MTIME'] = time(); |
| | | } |
| | | |
| | | session_write_close(); |
| | | |
| | | // write_close() is called on script shutdown, see rcube::shutdown() |
| | |
| | | $this->gc_shutdown(); |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Read session data from database |
| | | * |
| | | * @param string Session ID |
| | | * |
| | | * @return string Session vars |
| | | */ |
| | | public function db_read($key) |
| | | { |
| | | $sql_result = $this->db->query( |
| | | "SELECT vars, ip, changed, " . $this->db->now() . " AS ts" |
| | | . " FROM " . $this->db->table_name('session') |
| | | . " WHERE sess_id = ?", $key); |
| | | |
| | | if ($sql_result && ($sql_arr = $this->db->fetch_assoc($sql_result))) { |
| | | $this->time_diff = time() - strtotime($sql_arr['ts']); |
| | | $this->changed = strtotime($sql_arr['changed']); |
| | | $this->ip = $sql_arr['ip']; |
| | | $this->vars = base64_decode($sql_arr['vars']); |
| | | $this->key = $key; |
| | | |
| | | return !empty($this->vars) ? (string) $this->vars : ''; |
| | | } |
| | | |
| | | return null; |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Save session data. |
| | | * handler for session_read() |
| | | * |
| | | * @param string Session ID |
| | | * @param string Serialized session vars |
| | | * |
| | | * @return boolean True on success |
| | | */ |
| | | public function db_write($key, $vars) |
| | | { |
| | | $now = $this->db->now(); |
| | | $table = $this->db->table_name('session'); |
| | | $ts = microtime(true); |
| | | |
| | | // no session row in DB (db_read() returns false) |
| | | if (!$this->key) { |
| | | $oldvars = null; |
| | | } |
| | | // use internal data from read() for fast requests (up to 0.5 sec.) |
| | | else if ($key == $this->key && (!$this->vars || $ts - $this->start < 0.5)) { |
| | | $oldvars = $this->vars; |
| | | } |
| | | else { // else read data again from DB |
| | | $oldvars = $this->db_read($key); |
| | | } |
| | | |
| | | if ($oldvars !== null) { |
| | | $newvars = $this->_fixvars($vars, $oldvars); |
| | | |
| | | if ($newvars !== $oldvars) { |
| | | $this->db->query("UPDATE $table " |
| | | . "SET changed = $now, vars = ? WHERE sess_id = ?", |
| | | base64_encode($newvars), $key); |
| | | } |
| | | else if ($ts - $this->changed + $this->time_diff > $this->lifetime / 2) { |
| | | $this->db->query("UPDATE $table SET changed = $now" |
| | | . " WHERE sess_id = ?", $key); |
| | | } |
| | | } |
| | | else { |
| | | $this->db->query("INSERT INTO $table (sess_id, vars, ip, created, changed)" |
| | | . " VALUES (?, ?, ?, $now, $now)", |
| | | $key, base64_encode($vars), (string)$this->ip); |
| | | } |
| | | |
| | | return true; |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Merge vars with old vars and apply unsets |
| | | */ |
| | | private function _fixvars($vars, $oldvars) |
| | | protected function _fixvars($vars, $oldvars) |
| | | { |
| | | if ($oldvars !== null) { |
| | | $a_oldvars = $this->unserialize($oldvars); |
| | |
| | | return $newvars; |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Handler for session_destroy() |
| | | * |
| | | * @param string Session ID |
| | | * |
| | | * @return boolean True on success |
| | | */ |
| | | public function db_destroy($key) |
| | | { |
| | | if ($key) { |
| | | $this->db->query(sprintf("DELETE FROM %s WHERE sess_id = ?", |
| | | $this->db->table_name('session')), $key); |
| | | } |
| | | |
| | | return true; |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Read session data from memcache |
| | | * |
| | | * @param string Session ID |
| | | * @return string Session vars |
| | | */ |
| | | public function mc_read($key) |
| | | { |
| | | if ($value = $this->memcache->get($key)) { |
| | | $arr = unserialize($value); |
| | | $this->changed = $arr['changed']; |
| | | $this->ip = $arr['ip']; |
| | | $this->vars = $arr['vars']; |
| | | $this->key = $key; |
| | | |
| | | return !empty($this->vars) ? (string) $this->vars : ''; |
| | | } |
| | | |
| | | return null; |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Save session data. |
| | | * handler for session_read() |
| | | * |
| | | * @param string Session ID |
| | | * @param string Serialized session vars |
| | | * |
| | | * @return boolean True on success |
| | | */ |
| | | public function mc_write($key, $vars) |
| | | { |
| | | $ts = microtime(true); |
| | | |
| | | // no session data in cache (mc_read() returns false) |
| | | if (!$this->key) |
| | | $oldvars = null; |
| | | // use internal data for fast requests (up to 0.5 sec.) |
| | | else if ($key == $this->key && (!$this->vars || $ts - $this->start < 0.5)) |
| | | $oldvars = $this->vars; |
| | | else // else read data again |
| | | $oldvars = $this->mc_read($key); |
| | | |
| | | $newvars = $oldvars !== null ? $this->_fixvars($vars, $oldvars) : $vars; |
| | | |
| | | if ($newvars !== $oldvars || $ts - $this->changed > $this->lifetime / 2) { |
| | | return $this->memcache->set($key, serialize(array('changed' => time(), 'ip' => $this->ip, 'vars' => $newvars)), |
| | | MEMCACHE_COMPRESSED, $this->lifetime); |
| | | } |
| | | |
| | | return true; |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Handler for session_destroy() with memcache backend |
| | | * |
| | | * @param string Session ID |
| | | * |
| | | * @return boolean True on success |
| | | */ |
| | | public function mc_destroy($key) |
| | | { |
| | | if ($key) { |
| | | // #1488592: use 2nd argument |
| | | $this->memcache->delete($key, 0); |
| | | } |
| | | |
| | | return true; |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Execute registered garbage collector routines |
| | | */ |
| | |
| | | { |
| | | // move gc execution to the script shutdown function |
| | | // see rcube::shutdown() and rcube_session::write_close() |
| | | return $this->gc_enabled = $maxlifetime; |
| | | } |
| | | $this->gc_enabled = $maxlifetime; |
| | | |
| | | return true; |
| | | } |
| | | |
| | | /** |
| | | * Register additional garbage collector functions |
| | |
| | | $this->gc_handlers[] = $func; |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Garbage collector handler to run on script shutdown |
| | | */ |
| | | protected function gc_shutdown() |
| | | { |
| | | if ($this->gc_enabled) { |
| | | // just delete all expired sessions |
| | | if ($this->storage == 'db') { |
| | | $this->db->query("DELETE FROM " . $this->db->table_name('session') |
| | | . " WHERE changed < " . $this->db->now(-$this->gc_enabled)); |
| | | } |
| | | |
| | | foreach ($this->gc_handlers as $fct) { |
| | | call_user_func($fct); |
| | | } |
| | | } |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Generate and set new session id |
| | | * |
| | | * @param boolean $destroy If enabled the current session will be destroyed |
| | | * @return bool |
| | | */ |
| | | public function regenerate_id($destroy=true) |
| | | { |
| | |
| | | return true; |
| | | } |
| | | |
| | | /** |
| | | * See if we have vars of this key already cached, and if so, return them. |
| | | * |
| | | * @param string $key Session ID |
| | | * |
| | | * @return string |
| | | */ |
| | | protected function get_cache($key) |
| | | { |
| | | // no session data in cache (read() returns false) |
| | | if (!$this->key) { |
| | | $cache = null; |
| | | } |
| | | // use internal data for fast requests (up to 0.5 sec.) |
| | | else if ($key == $this->key && (!$this->vars || $ts - $this->start < 0.5)) { |
| | | $cache = $this->vars; |
| | | } |
| | | else { // else read data again |
| | | $cache = $this->read($key); |
| | | } |
| | | |
| | | return $cache; |
| | | } |
| | | |
| | | /** |
| | | * Append the given value to the certain node in the session data array |
| | | * |
| | | * Warning: Do not use if you already modified $_SESSION in the same request (#1490608) |
| | | * |
| | | * @param string Path denoting the session variable where to append the value |
| | | * @param string Key name under which to append the new value (use null for appending to an indexed list) |
| | |
| | | |
| | | $node = &$this->get_node(explode('.', $path), $_SESSION); |
| | | |
| | | if ($key !== null) $node[$key] = $value; |
| | | else $node[] = $value; |
| | | } |
| | | if ($key !== null) { |
| | | $node[$key] = $value; |
| | | $path .= '.' . $key; |
| | | } |
| | | else { |
| | | $node[] = $value; |
| | | } |
| | | |
| | | $this->appends[] = $path; |
| | | |
| | | // when overwriting a previously unset variable |
| | | if ($this->unsets[$path]) { |
| | | unset($this->unsets[$path]); |
| | | } |
| | | } |
| | | |
| | | /** |
| | | * Unset a session variable |
| | |
| | | return true; |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Kill this session |
| | | */ |
| | | public function kill() |
| | | { |
| | | $this->vars = null; |
| | | $this->ip = rcube_utils::remote_addr(); // update IP (might have changed) |
| | | $this->ip = rcube_utils::remote_addr(); // update IP (might have changed) |
| | | $this->destroy(session_id()); |
| | | rcube_utils::setcookie($this->cookiename, '-del-', time() - 60); |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Re-read session data from storage backend |
| | | */ |
| | | public function reload() |
| | | { |
| | | if ($this->key && $this->memcache) |
| | | $data = $this->mc_read($this->key); |
| | | else if ($this->key) |
| | | $data = $this->db_read($this->key); |
| | | // collect updated data from previous appends |
| | | $merge_data = array(); |
| | | foreach ((array)$this->appends as $var) { |
| | | $path = explode('.', $var); |
| | | $value = $this->get_node($path, $_SESSION); |
| | | $k = array_pop($path); |
| | | $node = &$this->get_node($path, $merge_data); |
| | | $node[$k] = $value; |
| | | } |
| | | |
| | | if ($data) |
| | | if ($this->key) { |
| | | $data = $this->read($this->key); |
| | | } |
| | | |
| | | if ($data) { |
| | | session_decode($data); |
| | | |
| | | // apply appends and unsets to reloaded data |
| | | $_SESSION = array_merge_recursive($_SESSION, $merge_data); |
| | | |
| | | foreach ((array)$this->unsets as $var) { |
| | | if (isset($_SESSION[$var])) { |
| | | unset($_SESSION[$var]); |
| | | } |
| | | else { |
| | | $path = explode('.', $var); |
| | | $k = array_pop($path); |
| | | $node = &$this->get_node($path, $_SESSION); |
| | | unset($node[$k]); |
| | | } |
| | | } |
| | | } |
| | | } |
| | | |
| | | /** |
| | | * Returns a reference to the node in data array referenced by the given path. |
| | | * e.g. ['compose','attachments'] will return $_SESSION['compose']['attachments'] |
| | | */ |
| | | private function &get_node($path, &$data_arr) |
| | | protected function &get_node($path, &$data_arr) |
| | | { |
| | | $node = &$data_arr; |
| | | if (!empty($path)) { |
| | |
| | | /** |
| | | * Serialize session data |
| | | */ |
| | | private function serialize($vars) |
| | | protected function serialize($vars) |
| | | { |
| | | $data = ''; |
| | | if (is_array($vars)) { |
| | |
| | | return $data; |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Unserialize session data |
| | | * http://www.php.net/manual/en/function.session-decode.php#56106 |
| | | */ |
| | | private function unserialize($str) |
| | | protected function unserialize($str) |
| | | { |
| | | $str = (string)$str; |
| | | $endptr = strlen($str); |
| | |
| | | return unserialize( 'a:' . $items . ':{' . $serialized . '}' ); |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Setter for session lifetime |
| | | */ |
| | |
| | | $this->now = $now - ($now % ($this->lifetime / 2)); |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Getter for remote IP saved with this session |
| | | */ |
| | |
| | | return $this->ip; |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Setter for cookie encryption secret |
| | | */ |
| | | function set_secret($secret) |
| | | function set_secret($secret = null) |
| | | { |
| | | $this->secret = $secret; |
| | | } |
| | | // generate random hash and store in session |
| | | if (!$secret) { |
| | | if (!empty($_SESSION['auth_secret'])) { |
| | | $secret = $_SESSION['auth_secret']; |
| | | } |
| | | else { |
| | | $secret = rcube_utils::random_bytes(strlen($this->key)); |
| | | } |
| | | } |
| | | |
| | | $_SESSION['auth_secret'] = $secret; |
| | | } |
| | | |
| | | /** |
| | | * Enable/disable IP check |
| | |
| | | { |
| | | $this->ip_check = $check; |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Setter for the cookie name used for session cookie |
| | |
| | | $this->cookiename = $cookiename; |
| | | } |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Check session authentication cookie |
| | |
| | | return $result; |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Set session authentication cookie |
| | | */ |
| | | function set_auth_cookie() |
| | | public function set_auth_cookie() |
| | | { |
| | | $this->cookie = $this->_mkcookie($this->now); |
| | | rcube_utils::setcookie($this->cookiename, $this->cookie, 0); |
| | | $_COOKIE[$this->cookiename] = $this->cookie; |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Create session cookie from session data |
| | | * Create session cookie for specified time slot. |
| | | * |
| | | * @param int Time slot to use |
| | | * |
| | | * @return string |
| | | */ |
| | | function _mkcookie($timeslot) |
| | | protected function _mkcookie($timeslot) |
| | | { |
| | | $auth_string = "$this->key,$this->secret,$timeslot"; |
| | | return "S" . (function_exists('sha1') ? sha1($auth_string) : md5($auth_string)); |
| | | // make sure the secret key exists |
| | | $this->set_secret(); |
| | | |
| | | // no need to hash this, it's just a random string |
| | | return $_SESSION['auth_secret'] . '-' . $timeslot; |
| | | } |
| | | |
| | | /** |