Completed
Push — master ( 4ad6bd...3873e4 )
by Ingo
11:53
created

Session::init()   A

Complexity

Conditions 4
Paths 6

Size

Total Lines 15
Code Lines 8

Duplication

Lines 0
Ratio 0 %

Importance

Changes 0
Metric Value
cc 4
eloc 8
nc 6
nop 0
dl 0
loc 15
rs 9.2
c 0
b 0
f 0
1
<?php
2
3
namespace SilverStripe\Control;
4
5
use BadMethodCallException;
6
use SilverStripe\Core\Config\Configurable;
7
8
/**
9
 * Handles all manipulation of the session.
10
 *
11
 * The static methods are used to manipulate the currently active controller's session.
12
 * The instance methods are used to manipulate a particular session.  There can be more than one of these created.
13
 *
14
 * In order to support things like testing, the session is associated with a particular Controller.  In normal usage,
15
 * this is loaded from and saved to the regular PHP session, but for things like static-page-generation and
16
 * unit-testing, you can create multiple Controllers, each with their own session.
17
 *
18
 * The instance object is basically just a way of manipulating a set of nested maps, and isn't specific to session
19
 * data.
20
 *
21
 * <b>Saving Data</b>
22
 *
23
 * You can write a value to a users session from your PHP code using the static function {@link Session::set()}. You
24
 * can add this line in any function or file you wish to save the value.
25
 *
26
 * <code>
27
 *  Session::set('MyValue', 6);
28
 * </code>
29
 *
30
 * Saves the value of "6" to the MyValue session data. You can also save arrays or serialized objects in session (but
31
 * note there may be size restrictions as to how much you can save)
32
 *
33
 * <code>
34
 *  // save a variable
35
 *  $var = 1;
36
 *  Session::set('MyVar', $var);
37
 *
38
 *  // saves an array
39
 *  Session::set('MyArrayOfValues', array('1', '2', '3'));
40
 *
41
 *  // saves an object (you'll have to unserialize it back)
42
 *  $object = new Object();
43
 *
44
 *  Session::set('MyObject', serialize($object));
45
 * </code>
46
 *
47
 * <b>Accessing Data</b>
48
 *
49
 * Once you have saved a value to the Session you can access it by using the {@link Session::get()} function.
50
 * Like the {@link Session::set()} function you can use this anywhere in your PHP files.
51
 *
52
 * The values in the comments are the values stored from the previous example.
53
 *
54
 * <code>
55
 * public function bar() {
56
 *  $value = Session::get('MyValue'); // $value = 6
57
 *  $var   = Session::get('MyVar'); // $var = 1
58
 *  $array = Session::get('MyArrayOfValues'); // $array = array(1,2,3)
59
 *  $object = Session::get('MyObject', unserialize($object)); // $object = Object()
60
 * }
61
 * </code>
62
 *
63
 * You can also get all the values in the session at once. This is useful for debugging.
64
 *
65
 * <code>
66
 * Session::get_all(); // returns an array of all the session values.
67
 * </code>
68
 *
69
 * <b>Clearing Data</b>
70
 *
71
 * Once you have accessed a value from the Session it doesn't automatically wipe the value from the Session, you have
72
 * to specifically remove it. To clear a value you can either delete 1 session value by the name that you saved it
73
 *
74
 * <code>
75
 * Session::clear('MyValue'); // MyValue is no longer 6.
76
 * </code>
77
 *
78
 * Or you can clear every single value in the session at once. Note SilverStripe stores some of its own session data
79
 * including form and page comment information. None of this is vital but clear_all will clear everything.
80
 *
81
 * <code>
82
 *  Session::clear_all();
83
 * </code>
84
 *
85
 * @see Cookie
86
 * @todo This class is currently really basic and could do with a more well-thought-out implementation.
87
 */
88
class Session
89
{
90
    use Configurable;
91
92
    /**
93
     * Set session timeout in seconds.
94
     *
95
     * @var int
96
     * @config
97
     */
98
    private static $timeout = 0;
99
100
    /**
101
     * @config
102
     * @var array
103
     */
104
    private static $session_ips = array();
105
106
    /**
107
     * @config
108
     * @var string
109
     */
110
    private static $cookie_domain;
111
112
    /**
113
     * @config
114
     * @var string
115
     */
116
    private static $cookie_path;
117
118
    /**
119
     * @config
120
     * @var string
121
     */
122
    private static $session_store_path;
123
124
    /**
125
     * @config
126
     * @var boolean
127
     */
128
    private static $cookie_secure = false;
129
130
    /**
131
     * Session data.
132
     * Will be null if session has not been started
133
     *
134
     * @var array|null
135
     */
136
    protected $data = null;
137
138
    /**
139
     * @var array
140
     */
141
    protected $changedData = array();
142
143
    /**
144
     * Get user agent for this request
145
     *
146
     * @return string
147
     */
148
    protected function userAgent()
0 ignored issues
show
Coding Style introduced by
userAgent uses the super-global variable $_SERVER which is generally not recommended.

Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable:

// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
Loading history...
149
    {
150
        if (isset($_SERVER['HTTP_USER_AGENT'])) {
151
            return $_SERVER['HTTP_USER_AGENT'];
152
        } else {
153
            return '';
154
        }
155
    }
156
157
    /**
158
     * Start PHP session, then create a new Session object with the given start data.
159
     *
160
     * @param array|null|Session $data Can be an array of data (such as $_SESSION) or another Session object to clone.
161
     * If null, this session is treated as unstarted.
162
     */
163
    public function __construct($data)
164
    {
165
        if ($data instanceof Session) {
166
            $data = $data->getAll();
167
        }
168
169
        $this->data = $data;
170
    }
171
172
    /**
173
     * Init this session instance before usage
174
     */
175
    public function init()
176
    {
177
        if (!$this->isStarted()) {
178
            $this->start();
179
        }
180
181
        // Funny business detected!
182
        if (isset($this->data['HTTP_USER_AGENT'])) {
183
            if ($this->data['HTTP_USER_AGENT'] !== $this->userAgent()) {
184
                $this->clearAll();
185
                $this->destroy();
186
                $this->start();
187
            }
188
        }
189
    }
190
191
    /**
192
     * Destroy existing session and restart
193
     */
194
    public function restart()
195
    {
196
        $this->destroy();
197
        $this->init();
198
    }
199
200
    /**
201
     * Determine if this session has started
202
     *
203
     * @return bool
204
     */
205
    public function isStarted()
206
    {
207
        return isset($this->data);
208
    }
209
210
    /**
211
     * Begin session
212
     *
213
     * @param string $sid
214
     */
215
    public function start($sid = null)
0 ignored issues
show
Coding Style introduced by
start uses the super-global variable $_SESSION which is generally not recommended.

Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable:

// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
Loading history...
216
    {
217
        if ($this->isStarted()) {
218
            throw new BadMethodCallException("Session has already started");
219
        }
220
221
        $path = $this->config()->get('cookie_path');
222
        if (!$path) {
223
            $path = Director::baseURL();
224
        }
225
        $domain = $this->config()->get('cookie_domain');
226
        $secure = Director::is_https() && $this->config()->get('cookie_secure');
227
        $session_path = $this->config()->get('session_store_path');
228
        $timeout = $this->config()->get('timeout');
229
230
        // Director::baseURL can return absolute domain names - this extracts the relevant parts
231
        // for the session otherwise we can get broken session cookies
232
        if (Director::is_absolute_url($path)) {
233
            $urlParts = parse_url($path);
234
            $path = $urlParts['path'];
235
            if (!$domain) {
236
                $domain = $urlParts['host'];
237
            }
238
        }
239
240
        if (!session_id() && !headers_sent()) {
241
            if ($domain) {
242
                session_set_cookie_params($timeout, $path, $domain, $secure, true);
243
            } else {
244
                session_set_cookie_params($timeout, $path, null, $secure, true);
245
            }
246
247
            // Allow storing the session in a non standard location
248
            if ($session_path) {
249
                session_save_path($session_path);
250
            }
251
252
            // If we want a secure cookie for HTTPS, use a seperate session name. This lets us have a
253
            // seperate (less secure) session for non-HTTPS requests
254
            if ($secure) {
255
                session_name('SECSESSID');
256
            }
257
258
            if ($sid) {
0 ignored issues
show
Bug Best Practice introduced by
The expression $sid of type string|null is loosely compared to true; this is ambiguous if the string can be empty. You might want to explicitly use !== null instead.

In PHP, under loose comparison (like ==, or !=, or switch conditions), values of different types might be equal.

For string values, the empty string '' is a special case, in particular the following results might be unexpected:

''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
Loading history...
259
                session_id($sid);
260
            }
261
            session_start();
262
263
            $this->data = isset($_SESSION) ? $_SESSION : array();
264
        } else {
265
            $this->data = [];
266
        }
267
268
        // Modify the timeout behaviour so it's the *inactive* time before the session expires.
269
        // By default it's the total session lifetime
270
        if ($timeout && !headers_sent()) {
271
            Cookie::set(session_name(), session_id(), $timeout/86400, $path, $domain ? $domain
272
                : null, $secure, true);
273
        }
274
    }
275
276
    /**
277
     * Destroy this session
278
     *
279
     * @param bool $removeCookie
280
     */
281
    public function destroy($removeCookie = true)
0 ignored issues
show
Coding Style introduced by
destroy uses the super-global variable $_SESSION which is generally not recommended.

Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable:

// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
Loading history...
282
    {
283
        if (session_id()) {
284
            if ($removeCookie) {
285
                $path = $this->config()->get('cookie_path') ?: Director::baseURL();
286
                $domain = $this->config()->get('cookie_domain');
287
                $secure = $this->config()->get('cookie_secure');
288
                Cookie::force_expiry(session_name(), $path, $domain, $secure, true);
289
            }
290
            session_destroy();
291
        }
292
        // Clean up the superglobal - session_destroy does not do it.
293
        // http://nz1.php.net/manual/en/function.session-destroy.php
294
        unset($_SESSION);
295
        $this->data = null;
296
    }
297
298
    /**
299
     * Set session value
300
     *
301
     * @param string $name
302
     * @param mixed $val
303
     * @return $this
304
     */
305
    public function set($name, $val)
306
    {
307
        if (!$this->isStarted()) {
308
            throw new BadMethodCallException("Session cannot be modified until it's started");
309
        }
310
311
        // Quicker execution path for "."-free names
312
        if (strpos($name, '.') === false) {
313
            $this->data[$name] = $val;
314
            $this->changedData[$name] = $val;
315
        } else {
316
            $names = explode('.', $name);
317
318
            // We still want to do this even if we have strict path checking for legacy code
319
            $var = &$this->data;
320
            $diffVar = &$this->changedData;
321
322
            // Iterate twice over the names - once to see if the value needs to be changed,
323
            // and secondly to get the changed data value. This is done to solve a problem
324
            // where iterating over the diff var would create empty arrays, and the value
325
            // would then not be set, inadvertently clearing session values.
326
            foreach ($names as $n) {
327
                $var = &$var[$n];
328
            }
329
330
            if ($var !== $val) {
331
                foreach ($names as $n) {
332
                    $diffVar = &$diffVar[$n];
333
                }
334
335
                $var = $val;
336
                $diffVar = $val;
337
            }
338
        }
339
        return $this;
340
    }
341
342
    /**
343
     * Merge value with array
344
     *
345
     * @param string $name
346
     * @param mixed $val
347
     */
348
    public function addToArray($name, $val)
349
    {
350
        if (!$this->isStarted()) {
351
            throw new BadMethodCallException("Session cannot be modified until it's started");
352
        }
353
354
        $names = explode('.', $name);
355
356
        // We still want to do this even if we have strict path checking for legacy code
357
        $var = &$this->data;
358
        $diffVar = &$this->changedData;
359
360
        foreach ($names as $n) {
361
            $var = &$var[$n];
362
            $diffVar = &$diffVar[$n];
363
        }
364
365
        $var[] = $val;
366
        $diffVar[sizeof($var)-1] = $val;
367
    }
368
369
    /**
370
     * Get session value
371
     *
372
     * @param string $name
373
     * @return mixed
374
     */
375
    public function get($name)
376
    {
377
        if (!$this->isStarted()) {
378
            throw new BadMethodCallException("Session cannot be accessed until it's started");
379
        }
380
381
        // Quicker execution path for "."-free names
382
        if (strpos($name, '.') === false) {
383
            if (isset($this->data[$name])) {
384
                return $this->data[$name];
385
            }
386
            return null;
387
        } else {
388
            $names = explode('.', $name);
389
390
            if (!isset($this->data)) {
391
                return null;
392
            }
393
394
            $var = $this->data;
395
396
            foreach ($names as $n) {
397
                if (!isset($var[$n])) {
398
                    return null;
399
                }
400
                $var = $var[$n];
401
            }
402
403
            return $var;
404
        }
405
    }
406
407
    /**
408
     * Clear session value
409
     *
410
     * @param string $name
411
     * @return $this
412
     */
413
    public function clear($name)
414
    {
415
        if (!$this->isStarted()) {
416
            throw new BadMethodCallException("Session cannot be modified until it's started");
417
        }
418
419
        $names = explode('.', $name);
420
421
        // We still want to do this even if we have strict path checking for legacy code
422
        $var = &$this->data;
423
        $diffVar = &$this->changedData;
424
425
        foreach ($names as $n) {
426
            // don't clear a record that doesn't exist
427
            if (!isset($var[$n])) {
428
                return $this;
429
            }
430
            $var = &$var[$n];
431
        }
432
433
        // only loop to find data within diffVar if var is proven to exist in the above loop
434
        foreach ($names as $n) {
435
            $diffVar = &$diffVar[$n];
436
        }
437
438
        if ($var !== null) {
439
            $var = null;
440
            $diffVar = null;
441
        }
442
        return $this;
443
    }
444
445
    /**
446
     * Clear all values
447
     */
448
    public function clearAll()
449
    {
450
        if (!$this->isStarted()) {
451
            throw new BadMethodCallException("Session cannot be modified until it's started");
452
        }
453
454
        if ($this->data && is_array($this->data)) {
455
            foreach (array_keys($this->data) as $key) {
456
                $this->clear($key);
457
            }
458
        }
459
    }
460
461
    /**
462
     * Get all values
463
     *
464
     * @return array|null
465
     */
466
    public function getAll()
467
    {
468
        return $this->data;
469
    }
470
471
    /**
472
     * Set user agent key
473
     */
474
    public function finalize()
475
    {
476
        $this->set('HTTP_USER_AGENT', $this->userAgent());
477
    }
478
479
    /**
480
     * Save data to session
481
     * Only save the changes, so that anyone manipulating $_SESSION directly doesn't get burned.
482
     */
483
    public function save()
0 ignored issues
show
Coding Style introduced by
save uses the super-global variable $_SESSION which is generally not recommended.

Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable:

// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
Loading history...
484
    {
485
        if ($this->changedData) {
0 ignored issues
show
Bug Best Practice introduced by
The expression $this->changedData of type array is implicitly converted to a boolean; are you sure this is intended? If so, consider using ! empty($expr) instead to make it clear that you intend to check for an array without elements.

This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent.

Consider making the comparison explicit by using empty(..) or ! empty(...) instead.

Loading history...
486
            $this->finalize();
487
488
            if (!$this->isStarted()) {
489
                $this->start();
490
            }
491
492
            $this->recursivelyApply($this->changedData, $_SESSION);
493
        }
494
    }
495
496
    /**
497
     * Recursively apply the changes represented in $data to $dest.
498
     * Used to update $_SESSION
499
     *
500
     * @param array $data
501
     * @param array $dest
502
     */
503
    protected function recursivelyApply($data, &$dest)
504
    {
505
        foreach ($data as $k => $v) {
506
            if (is_array($v)) {
507
                if (!isset($dest[$k]) || !is_array($dest[$k])) {
508
                    $dest[$k] = array();
509
                }
510
                $this->recursivelyApply($v, $dest[$k]);
511
            } else {
512
                $dest[$k] = $v;
513
            }
514
        }
515
    }
516
517
    /**
518
     * Return the changed data, for debugging purposes.
519
     *
520
     * @return array
521
     */
522
    public function changedData()
523
    {
524
        return $this->changedData;
525
    }
526
}
527