XoopsSessionHandler::gc_force() - Code Metrics - Inspection of "fix for XOOPS_COOKIE_DOMAIN" - XOOPS/XoopsCore25 - Measure and Improve Code Quality continuously with Scrutinizer

Passed
Pull Request — master (#1578)

by Michael
created 2025-10-01 10:03 UTC
XoopsSessionHandler::gc_force() A

↳ Parent: XoopsSessionHandler
Complexity

Conditions	3
Paths	3
Size

Total Lines	6
Code Lines	4
Duplication

Lines	0
Ratio	0 %
Importance

Changes
Metric	Value
eloc	4
dl	0
loc	6
rs	10
c	0
b	0
f	0
cc	3
nc	3
nop	0
<?php
/**
 * XOOPS session handler
 *
 * You may not change or alter any portion of this comment or credits
 * of supporting developers from this source code or any supporting source code
 * which is considered copyrighted (c) material of the original comment or credit authors.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 *
 * @copyright       (c) 2000-2025 XOOPS Project (https://xoops.org)
 * @license             GNU GPL 2 (https://www.gnu.org/licenses/gpl-2.0.html)
 * @package             kernel
 * @since               2.0.0
 * @author              Kazumi Ono (AKA onokazu) http://www.myweb.ne.jp/, http://jp.xoops.org/
 * @author              Taiwen Jiang <[email protected]>
 */

defined('XOOPS_ROOT_PATH') || exit('Restricted access');

/**
 * Handler for a session
 * @package             kernel
 *
 * @author              Kazumi Ono    <[email protected]>
 * @author              Taiwen Jiang <[email protected]>
 * @copyright       (c) 2000-2025 XOOPS Project (https://xoops.org)
 */
class XoopsSessionHandler implements SessionHandlerInterface
{
    /**
     * Database connection
     *
     * @var object
     * @access    private
     */
    public $db;

    /**
     * Security checking level
     *
     * Possible value:
     *    0 - no check;
     *    1 - check browser characteristics (HTTP_USER_AGENT/HTTP_ACCEPT_LANGUAGE), to be implemented in the future now;
     *    2 - check browser and IP A.B;
     *    3 - check browser and IP A.B.C, recommended;
     *    4 - check browser and IP A.B.C.D;
     *
     * @var int
     * @access    public
     */
    public $securityLevel = 3;

    protected $bitMasks = [
        2 => ['v4' => 16, 'v6' => 64],
        3 => ['v4' => 24, 'v6' => 56],
        4 => ['v4' => 32, 'v6' => 128],
    ];

    /**
     * Enable regenerate_id
     *
     * @var bool
     * @access    public
     */
    public $enableRegenerateId = true;

    /**
     * Constructor
     *
     * @param XoopsDatabase $db reference to the {@link XoopsDatabase} object
     *
     */
    public function __construct(XoopsDatabase $db)
    {
        global $xoopsConfig;

        $this->db = $db;
        // after php 7.3 we just let php handle the session cookie
        $lifetime = ($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != '')
            ? $xoopsConfig['session_expire'] * 60
            : ini_get('session.cookie_lifetime');
        $secure = (XOOPS_PROT === 'https://');
// --- START: New Domain Validation Logic ---
        $host = $_SERVER['HTTP_HOST'] ?? '';
        $cookieDomain = XOOPS_COOKIE_DOMAIN;
        if (class_exists('\Xoops\RegDom\RegisteredDomain')) {
            if (!\Xoops\RegDom\RegisteredDomain::domainMatches($host, $cookieDomain)) {
                $cookieDomain = ''; // The corrected, safe domain
            }
        }
// --- END: New Domain Validation Logic ---

        if (PHP_VERSION_ID >= 70300) {
            $options = [
                'lifetime' => $lifetime,
                'path' => '/',
                'domain' => $cookieDomain,
                'secure' => $secure,
                'httponly' => true,
                'samesite' => 'Lax',
            ];
            session_set_cookie_params($options);
        } else {
            session_set_cookie_params($lifetime, '/', $cookieDomain, $secure, true);
            session_set_cookie_params(/** @scrutinizer ignore-type */ $lifetime, '/', $cookieDomain, $secure, true);
        }
    }


    /**
     * Open a session
     *
     * @param string $savePath
     * @param string $sessionName
     *
     * @return bool
     */
    public function open($savePath, $sessionName): bool
    {
        return true;
    }

    /**
     * Close a session
     *
     * @return bool
     */
    public function close(): bool
    {
        $this->gc_force();
        return true;
    }

    /**
     * Read a session from the database
     *
     * @param string $sessionId ID of the session
     *
     * @return string Session data (empty string if no data or failure)
     */
    public function read($sessionId): string
    {
        $ip = \Xmf\IPAddress::fromRequest();
        $sql = sprintf(
            'SELECT sess_data, sess_ip FROM %s WHERE sess_id = %s',
            $this->db->prefix('session'),
            $this->db->quote($sessionId)
        );

        $result = $this->db->queryF($sql);
        if ($this->db->isResultSet($result)) {
            if ([$sess_data, $sess_ip] = $this->db->fetchRow($result)) {
                if ($this->securityLevel > 1) {
                    if (false === $ip->sameSubnet(
                            $sess_ip,
                            $this->bitMasks[$this->securityLevel]['v4'],
                            $this->bitMasks[$this->securityLevel]['v6']
                        )) {
                        $sess_data = '';
                    }
                }
                return $sess_data;
            }
        }
        return '';
    }

    /**
     * Write a session to the database
     *
     * @param string $sessionId
     * @param string $data
     *
     * @return bool
     */
    public function write($sessionId, $data): bool
    {
        $myReturn = true;

        $remoteAddress = \Xmf\IPAddress::fromRequest()->asReadable();
        $sessionId = $this->db->quote($sessionId);
        
        $sql= sprintf('INSERT INTO %s (sess_id, sess_updated, sess_ip, sess_data)
        VALUES (%s, %u, %s, %s)
        ON DUPLICATE KEY UPDATE
        sess_updated = %u, 
        sess_data = %s
        ',
              $this->db->prefix('session'),
              $sessionId,
              time(),
              $this->db->quote($remoteAddress),
              $this->db->quote($data),
              time(),
              $this->db->quote($data),
        );
        $myReturn = $this->db->queryF($sql);
        $this->update_cookie();
        return $myReturn;
    }

    /**
     * Destroy a session
     *
     * @param string $sessionId
     *
     * @return bool
     */
    public function destroy($sessionId): bool
    {
        $sql = sprintf(
            'DELETE FROM %s WHERE sess_id = %s',
            $this->db->prefix('session'),
            $this->db->quote($sessionId)
        );
        if (!$result = $this->db->queryF($sql)) {

            return false;
        }
        return true;
    }

    /**
     * Garbage Collector
     *
     * @param int $expire Time in seconds until a session expires
     * @return int|bool The number of deleted sessions on success, or false on failure
     */
    #[\ReturnTypeWillChange]
    public function gc($expire)
    {
        if (empty($expire)) {
            return 0;
interface HasName {
    /** @return string */
    public function getName();
}

class Name {
    public $name;
}

class User implements HasName {
    /** @return string|Name */
    public function getName() {
        return new Name('foo'); // This is a violation of the ``HasName`` interface
                                // which only allows a string value to be returned.
    }
}
        }

        $mintime = time() - (int)$expire;
        $sql = sprintf('DELETE FROM %s WHERE sess_updated < %u', $this->db->prefix('session'), $mintime);

        if ($this->db->queryF($sql)) {
            return $this->db->getAffectedRows();
        }
        return false;
    }

    /**
     * Force gc for situations where gc is registered but not executed
     **/
    public function gc_force()
    {
        if (mt_rand(1, 100) < 11) {
            $expire = @ini_get('session.gc_maxlifetime');
            $expire = ($expire > 0) ? $expire : 900;
            $this->gc($expire);
            $this->gc(/** @scrutinizer ignore-type */ $expire);
        }
    }

    /**
     * Update the current session id with a newly generated one
     *
     * To be refactored
     *
     * @param  bool $delete_old_session
     * @return bool
     **/
    public function regenerate_id($delete_old_session = false)
    {
        if (!$this->enableRegenerateId) {
            $success = true;
        } else {
            $success = session_regenerate_id($delete_old_session);
        }

        // Force updating cookie for session cookie
        if ($success) {
            $this->update_cookie();
        }

        return $success;
    }

    /**
     * Update cookie status for current session
     *
     * To be refactored
     * FIXME: how about $xoopsConfig['use_ssl'] is enabled?
     *
     * @param  string $sess_id session ID
     * @param  int    $expire  Time in seconds until a session expires
     * @return bool
     **/
    public function update_cookie($sess_id = null, $expire = null)
    {
        if (PHP_VERSION_ID < 70300) {
            global $xoopsConfig;
            $session_name = session_name();
            $session_expire = null !== $expire
                ? (int)$expire
                : (
                    ($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != '')
                    ? $xoopsConfig['session_expire'] * 60
                    : ini_get('session.cookie_lifetime')
                );
            $session_id = empty($sess_id) ? session_id() : $sess_id;
            $cookieDomain = XOOPS_COOKIE_DOMAIN;
            if (2 > substr_count($cookieDomain, '.')) {
                $cookieDomain  = '.' . $cookieDomain ;
            }

            xoops_setcookie(
                $session_name,
                $session_id,
                $session_expire ? time() + $session_expire : 0,
                '/',
                $cookieDomain,
                (XOOPS_PROT === 'https://'),
                true,
            );
        }
    }
}

XOOPS / XoopsCore25

Pull Request — master (#1578)

XoopsSessionHandler::gc_force() A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like
