core/Session/SessionFingerprint.php


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

<?php
/**
 * Piwik - free/libre analytics platform
 *
 * @link http://piwik.org
 * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
 *
 */

namespace Piwik\Session;

use Piwik\Date;

/**
 * Manages session information that is used to identify who the session
 * is for.
 *
 * Once a session is authenticated using either a user name & password or
 * token auth, some information about the user is stored in the session.
 * This info includes the user name and the user agent
 * string of the user's client, and a random session secret.
 *
 * In subsequent requests that use this session, we use the above information
 * to verify that the session is allowed to be used by the person sending the
 * request.
 *
 * This is accomplished by checking the request's user agent
 * against what is stored in the session. If it doesn't then this is a
 * session hijacking attempt.
 *
 * We also check that a hash in the piwik_auth cookie matches the hash
 * of the time the user last changed their password + the session secret.
 * If they don't match, the password has been changed since this session
 * started, and is no longer valid.
 */
class SessionFingerprint
{
    const USER_NAME_SESSION_VAR_NAME = 'user.name';
    const SESSION_INFO_SESSION_VAR_NAME = 'session.info';

    public function getUser()
    {
        if (isset($_SESSION[self::USER_NAME_SESSION_VAR_NAME])) {
            return $_SESSION[self::USER_NAME_SESSION_VAR_NAME];
        }

        return null;
    }

    public function getUserInfo()
    {
        if (isset($_SESSION[self::SESSION_INFO_SESSION_VAR_NAME])) {
            return $_SESSION[self::SESSION_INFO_SESSION_VAR_NAME];
        }

        return null;
    }

    public function initialize($userName, $time = null)
    {
        $_SESSION[self::USER_NAME_SESSION_VAR_NAME] = $userName;
        $_SESSION[self::SESSION_INFO_SESSION_VAR_NAME] = [
            'ts' => $time ?: Date::now()->getTimestampUTC(),
        ];
    }

    public function clear()
    {
        unset($_SESSION[self::USER_NAME_SESSION_VAR_NAME]);
        unset($_SESSION[self::SESSION_INFO_SESSION_VAR_NAME]);
    }

    public function getSessionStartTime()
    {
        $userInfo = $this->getUserInfo();
        if (empty($userInfo)
            || empty($userInfo['ts'])
        ) {
            return null;
        }

        return $userInfo['ts'];
    }
}