XoopsSessionHandler

Complexity

Total Complexity

31

Size/Duplication

Total Lines	275
Duplicated Lines	0 %

Importance

Changes	1
Bugs	0	Features	1

10 Methods

Rating	Name	Duplication	Size	Complexity
A	open()	0	3	1
A	__construct()	0	22	4
A	close()	0	4	1
A	read()	0	25	5
A	gc_force()	0	6	3
A	gc()	0	14	3
B	update_cookie()	0	26	8
A	write()	0	23	1
A	destroy()	0	11	2
A	regenerate_id()	0	14	3

<?php
/**
 * XOOPS session handler
 *
 * You may not change or alter any portion of this comment or credits
 * of supporting developers from this source code or any supporting source code
 * which is considered copyrighted (c) material of the original comment or credit authors.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 *
 * @copyright       (c) 2000-2025 XOOPS Project (https://xoops.org)
 * @license             GNU GPL 2 (https://www.gnu.org/licenses/gpl-2.0.html)
 * @package             kernel
 * @since               2.0.0
 * @author              Kazumi Ono (AKA onokazu) http://www.myweb.ne.jp/, http://jp.xoops.org/
 * @author              Taiwen Jiang <phppp@users.sourceforge.net>
 */

defined('XOOPS_ROOT_PATH') || exit('Restricted access');

/**
 * Handler for a session
 * @package             kernel
 *
 * @author              Kazumi Ono    <onokazu@xoops.org>
 * @author              Taiwen Jiang <phppp@users.sourceforge.net>
 * @copyright       (c) 2000-2025 XOOPS Project (https://xoops.org)
 */
class XoopsSessionHandler implements SessionHandlerInterface
{
    /**
     * Database connection
     *
     * @var object
     * @access    private
     */
    public $db;

    /**
     * Security checking level
     *
     * Possible value:
     *    0 - no check;
     *    1 - check browser characteristics (HTTP_USER_AGENT/HTTP_ACCEPT_LANGUAGE), to be implemented in the future now;
     *    2 - check browser and IP A.B;
     *    3 - check browser and IP A.B.C, recommended;
     *    4 - check browser and IP A.B.C.D;
     *
     * @var int
     * @access    public
     */
    public $securityLevel = 3;

    protected $bitMasks = [
        2 => ['v4' => 16, 'v6' => 64],
        3 => ['v4' => 24, 'v6' => 56],
        4 => ['v4' => 32, 'v6' => 128],
    ];

    /**
     * Enable regenerate_id
     *
     * @var bool
     * @access    public
     */
    public $enableRegenerateId = true;

    /**
     * Constructor
     *
     * @param XoopsDatabase $db reference to the {@link XoopsDatabase} object
     *
     */
    public function __construct(XoopsDatabase $db)
    {
        global $xoopsConfig;

        $this->db = $db;
        // after php 7.3 we just let php handle the session cookie
        $lifetime = ($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != '')
            ? $xoopsConfig['session_expire'] * 60
            : ini_get('session.cookie_lifetime');
        $secure = (XOOPS_PROT === 'https://');
        if (PHP_VERSION_ID >= 70300) {
            $options = [
                'lifetime' => $lifetime,
                'path'     => '/',
                'domain'   => XOOPS_COOKIE_DOMAIN,
                'secure'   => $secure,
                'httponly' => true,
                'samesite' => 'Lax',
            ];
            session_set_cookie_params($options);
        } else {
            session_set_cookie_params($lifetime, '/', XOOPS_COOKIE_DOMAIN, $secure, true);

It seems like $lifetime can also be of type string; however, parameter $lifetime_or_options of session_set_cookie_params() does only seem to accept array|integer, maybe add an additional type check?

        }
    }

    /**
     * Open a session
     *
     * @param string $savePath
     * @param string $sessionName
     *
     * @return bool
     */
    public function open($savePath, $sessionName): bool
    {
        return true;
    }

    /**
     * Close a session
     *
     * @return bool
     */
    public function close(): bool
    {
        $this->gc_force();
        return true;
    }

    /**
     * Read a session from the database
     *
     * @param string $sessionId ID of the session
     *
     * @return string Session data (empty string if no data or failure)
     */
    public function read($sessionId): string
    {
        $ip = \Xmf\IPAddress::fromRequest();
        $sql = sprintf(
            'SELECT sess_data, sess_ip FROM %s WHERE sess_id = %s',
            $this->db->prefix('session'),
            $this->db->quoteString($sessionId)
        );

        $result = $this->db->queryF($sql);
        if ($this->db->isResultSet($result)) {
            if ([$sess_data, $sess_ip] = $this->db->fetchRow($result)) {
                if ($this->securityLevel > 1) {
                    if (false === $ip->sameSubnet(
                            $sess_ip,
                            $this->bitMasks[$this->securityLevel]['v4'],
                            $this->bitMasks[$this->securityLevel]['v6']
                        )) {
                        $sess_data = '';
                    }
                }
                return $sess_data;
            }
        }
        return '';
    }

    /**
     * Write a session to the database
     *
     * @param string $sessionId
     * @param string $data
     *
     * @return bool
     */
    public function write($sessionId, $data): bool
    {
        $myReturn = true;

The assignment to $myReturn is dead and can be removed.

        $remoteAddress = \Xmf\IPAddress::fromRequest()->asReadable();
        $sessionId = $this->db->quoteString($sessionId);
        
        $sql= sprintf('INSERT INTO %s (sess_id, sess_updated, sess_ip, sess_data)
        VALUES (%s, %u, %s, %s)
        ON DUPLICATE KEY UPDATE
        sess_updated = %u, 
        sess_data = %s
        ',
              $this->db->prefix('session'),
              $sessionId,
              time(),
              $this->db->quote($remoteAddress),
              $this->db->quote($data),
              time(),
              $this->db->quote($data),
        );
        $myReturn = $this->db->queryF($sql);
        $this->update_cookie();
        return $myReturn;
    }

    /**
     * Destroy a session
     *
     * @param string $sessionId
     *
     * @return bool
     */
    public function destroy($sessionId): bool
    {
        $sql = sprintf(
            'DELETE FROM %s WHERE sess_id = %s',
            $this->db->prefix('session'),
            $this->db->quoteString($sessionId)
        );
        if (!$result = $this->db->queryF($sql)) {

The assignment to $result is dead and can be removed.

            return false;
        }
        return true;
    }

    /**
     * Garbage Collector
     *
     * @param int $expire Time in seconds until a session expires
     * @return int|bool The number of deleted sessions on success, or false on failure
     */
    #[\ReturnTypeWillChange]
    public function gc($expire)
    {
        if (empty($expire)) {
            return 0;

The expression return 0 returns the type integer which is incompatible with the return type mandated by SessionHandlerInterface::gc() of boolean.

        }

        $mintime = time() - (int)$expire;
        $sql = sprintf('DELETE FROM %s WHERE sess_updated < %u', $this->db->prefix('session'), $mintime);

        if ($this->db->queryF($sql)) {
            return $this->db->getAffectedRows();
        }
        return false;
    }

    /**
     * Force gc for situations where gc is registered but not executed
     **/
    public function gc_force()
    {
        if (mt_rand(1, 100) < 11) {
            $expire = @ini_get('session.gc_maxlifetime');
            $expire = ($expire > 0) ? $expire : 900;
            $this->gc($expire);

It seems like $expire can also be of type false and string; however, parameter $expire of XoopsSessionHandler::gc() does only seem to accept integer, maybe add an additional type check?

        }
    }

    /**
     * Update the current session id with a newly generated one
     *
     * To be refactored
     *
     * @param  bool $delete_old_session
     * @return bool
     **/
    public function regenerate_id($delete_old_session = false)
    {
        if (!$this->enableRegenerateId) {
            $success = true;
        } else {
            $success = session_regenerate_id($delete_old_session);
        }

        // Force updating cookie for session cookie
        if ($success) {
            $this->update_cookie();
        }

        return $success;
    }

    /**
     * Update cookie status for current session
     *
     * To be refactored
     * FIXME: how about $xoopsConfig['use_ssl'] is enabled?
     *
     * @param  string $sess_id session ID
     * @param  int    $expire  Time in seconds until a session expires
     * @return bool
     **/
    public function update_cookie($sess_id = null, $expire = null)
    {
        if (PHP_VERSION_ID < 70300) {
            global $xoopsConfig;
            $session_name = session_name();
            $session_expire = null !== $expire
                ? (int)$expire
                : (
                    ($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != '')
                    ? $xoopsConfig['session_expire'] * 60
                    : ini_get('session.cookie_lifetime')
                );
            $session_id = empty($sess_id) ? session_id() : $sess_id;
            $cookieDomain = XOOPS_COOKIE_DOMAIN;
            if (2 > substr_count($cookieDomain, '.')) {
                $cookieDomain  = '.' . $cookieDomain ;
            }

            xoops_setcookie(
                $session_name,
                $session_id,
                $session_expire ? time() + $session_expire : 0,
                '/',
                $cookieDomain,
                (XOOPS_PROT === 'https://'),
                true,
            );
        }
    }
}