blob: 8b61c6281722f1bc21ee250e900a9635b25cdf6f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
<?php
/**
* Piwik - free/libre analytics platform
*
* @link http://piwik.org
* @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
*
*/
namespace Piwik\Session;
use Piwik\Date;
/**
* Manages session information that is used to identify who the session
* is for.
*
* Once a session is authenticated using either a user name & password or
* token auth, some information about the user is stored in the session.
* This info includes the user name and the user agent
* string of the user's client, and a random session secret.
*
* In subsequent requests that use this session, we use the above information
* to verify that the session is allowed to be used by the person sending the
* request.
*
* This is accomplished by checking the request's user agent
* against what is stored in the session. If it doesn't then this is a
* session hijacking attempt.
*
* We also check that a hash in the piwik_auth cookie matches the hash
* of the time the user last changed their password + the session secret.
* If they don't match, the password has been changed since this session
* started, and is no longer valid.
*/
class SessionFingerprint
{
const USER_NAME_SESSION_VAR_NAME = 'user.name';
const SESSION_INFO_SESSION_VAR_NAME = 'session.info';
public function getUser()
{
if (isset($_SESSION[self::USER_NAME_SESSION_VAR_NAME])) {
return $_SESSION[self::USER_NAME_SESSION_VAR_NAME];
}
return null;
}
public function getUserInfo()
{
if (isset($_SESSION[self::SESSION_INFO_SESSION_VAR_NAME])) {
return $_SESSION[self::SESSION_INFO_SESSION_VAR_NAME];
}
return null;
}
public function initialize($userName, $time = null)
{
$_SESSION[self::USER_NAME_SESSION_VAR_NAME] = $userName;
$_SESSION[self::SESSION_INFO_SESSION_VAR_NAME] = [
'ts' => $time ?: Date::now()->getTimestampUTC(),
];
}
public function clear()
{
unset($_SESSION[self::USER_NAME_SESSION_VAR_NAME]);
unset($_SESSION[self::SESSION_INFO_SESSION_VAR_NAME]);
}
public function getSessionStartTime()
{
$userInfo = $this->getUserInfo();
if (empty($userInfo)
|| empty($userInfo['ts'])
) {
return null;
}
return $userInfo['ts'];
}
}
|