1: <?php
  2: /**
  3:  * Magento
  4:  *
  5:  * NOTICE OF LICENSE
  6:  *
  7:  * This source file is subject to the Open Software License (OSL 3.0)
  8:  * that is bundled with this package in the file LICENSE.txt.
  9:  * It is also available through the world-wide-web at this URL:
 10:  * http://opensource.org/licenses/osl-3.0.php
 11:  * If you did not receive a copy of the license and are unable to
 12:  * obtain it through the world-wide-web, please send an email
 13:  * to license@magentocommerce.com so we can send you a copy immediately.
 14:  *
 15:  * DISCLAIMER
 16:  *
 17:  * Do not edit or add to this file if you wish to upgrade Magento to newer
 18:  * versions in the future. If you wish to customize Magento for your
 19:  * needs please refer to http://www.magentocommerce.com for more information.
 20:  *
 21:  * @category    Mage
 22:  * @package     Mage_Core
 23:  * @copyright   Copyright (c) 2012 Magento Inc. (http://www.magentocommerce.com)
 24:  * @license     http://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
 25:  */
 26: 
 27: 
 28: class Mage_Core_Model_Session_Abstract_Varien extends Varien_Object
 29: {
 30:     const VALIDATOR_KEY                         = '_session_validator_data';
 31:     const VALIDATOR_HTTP_USER_AGENT_KEY         = 'http_user_agent';
 32:     const VALIDATOR_HTTP_X_FORVARDED_FOR_KEY    = 'http_x_forwarded_for';
 33:     const VALIDATOR_HTTP_VIA_KEY                = 'http_via';
 34:     const VALIDATOR_REMOTE_ADDR_KEY             = 'remote_addr';
 35: 
 36:     /**
 37:      * Configure and start session
 38:      *
 39:      * @param string $sessionName
 40:      * @return Mage_Core_Model_Session_Abstract_Varien
 41:      */
 42:     public function start($sessionName=null)
 43:     {
 44:         if (isset($_SESSION)) {
 45:             return $this;
 46:         }
 47: 
 48:         switch($this->getSessionSaveMethod()) {
 49:             case 'db':
 50:                 ini_set('session.save_handler', 'user');
 51:                 $sessionResource = Mage::getResourceSingleton('core/session');
 52:                 /* @var $sessionResource Mage_Core_Model_Mysql4_Session */
 53:                 $sessionResource->setSaveHandler();
 54:                 break;
 55:             case 'memcache':
 56:                 ini_set('session.save_handler', 'memcache');
 57:                 session_save_path($this->getSessionSavePath());
 58:                 break;
 59:             case 'memcached':
 60:                 ini_set('session.save_handler', 'memcached');
 61:                 session_save_path($this->getSessionSavePath());
 62:                 break;
 63:             case 'eaccelerator':
 64:                 ini_set('session.save_handler', 'eaccelerator');
 65:                 break;
 66:             default:
 67:                 session_module_name($this->getSessionSaveMethod());
 68:                 if (is_writable($this->getSessionSavePath())) {
 69:                     session_save_path($this->getSessionSavePath());
 70:                 }
 71:                 break;
 72:         }
 73:         $cookie = $this->getCookie();
 74:         if (Mage::app()->getStore()->isAdmin()) {
 75:             $sessionMaxLifetime = Mage_Core_Model_Resource_Session::SEESION_MAX_COOKIE_LIFETIME;
 76:             $adminSessionLifetime = (int)Mage::getStoreConfig('admin/security/session_cookie_lifetime');
 77:             if ($adminSessionLifetime > $sessionMaxLifetime) {
 78:                 $adminSessionLifetime = $sessionMaxLifetime;
 79:             }
 80:             if ($adminSessionLifetime > 60) {
 81:                 $cookie->setLifetime($adminSessionLifetime);
 82:             }
 83:         }
 84: 
 85:         // session cookie params
 86:         $cookieParams = array(
 87:             'lifetime' => $cookie->getLifetime(),
 88:             'path'     => $cookie->getPath(),
 89:             'domain'   => $cookie->getConfigDomain(),
 90:             'secure'   => $cookie->isSecure(),
 91:             'httponly' => $cookie->getHttponly()
 92:         );
 93: 
 94:         if (!$cookieParams['httponly']) {
 95:             unset($cookieParams['httponly']);
 96:             if (!$cookieParams['secure']) {
 97:                 unset($cookieParams['secure']);
 98:                 if (!$cookieParams['domain']) {
 99:                     unset($cookieParams['domain']);
100:                 }
101:             }
102:         }
103: 
104:         if (isset($cookieParams['domain'])) {
105:             $cookieParams['domain'] = $cookie->getDomain();
106:         }
107: 
108:         call_user_func_array('session_set_cookie_params', $cookieParams);
109: 
110:         if (!empty($sessionName)) {
111:             $this->setSessionName($sessionName);
112:         }
113: 
114:         // potential custom logic for session id (ex. switching between hosts)
115:         $this->setSessionId();
116: 
117:         Varien_Profiler::start(__METHOD__.'/start');
118:         $sessionCacheLimiter = Mage::getConfig()->getNode('global/session_cache_limiter');
119:         if ($sessionCacheLimiter) {
120:             session_cache_limiter((string)$sessionCacheLimiter);
121:         }
122: 
123:         session_start();
124: 
125:         /**
126:         * Renew cookie expiration time if session id did not change
127:         */
128:         if ($cookie->get(session_name()) == $this->getSessionId()) {
129:             $cookie->renew(session_name());
130:         }
131:         Varien_Profiler::stop(__METHOD__.'/start');
132: 
133:         return $this;
134:     }
135: 
136:     /**
137:      * Retrieve cookie object
138:      *
139:      * @return Mage_Core_Model_Cookie
140:      */
141:     public function getCookie()
142:     {
143:         return Mage::getSingleton('core/cookie');
144:     }
145: 
146:     /**
147:      * Revalidate cookie
148:      * @deprecated after 1.4 cookie renew moved to session start method
149:      * @return Mage_Core_Model_Session_Abstract_Varien
150:      */
151:     public function revalidateCookie()
152:     {
153:         return $this;
154:     }
155: 
156:     /**
157:      * Init session with namespace
158:      *
159:      * @param string $namespace
160:      * @param string $sessionName
161:      * @return Mage_Core_Model_Session_Abstract_Varien
162:      */
163:     public function init($namespace, $sessionName=null)
164:     {
165:         if (!isset($_SESSION)) {
166:             $this->start($sessionName);
167:         }
168:         if (!isset($_SESSION[$namespace])) {
169:             $_SESSION[$namespace] = array();
170:         }
171: 
172:         $this->_data = &$_SESSION[$namespace];
173: 
174:         $this->validate();
175:         $this->revalidateCookie();
176: 
177:         return $this;
178:     }
179: 
180:     /**
181:      * Additional get data with clear mode
182:      *
183:      * @param string $key
184:      * @param bool $clear
185:      * @return mixed
186:      */
187:     public function getData($key='', $clear = false)
188:     {
189:         $data = parent::getData($key);
190:         if ($clear && isset($this->_data[$key])) {
191:             unset($this->_data[$key]);
192:         }
193:         return $data;
194:     }
195: 
196:     /**
197:      * Retrieve session Id
198:      *
199:      * @return string
200:      */
201:     public function getSessionId()
202:     {
203:         return session_id();
204:     }
205: 
206:     /**
207:      * Set custom session id
208:      *
209:      * @param string $id
210:      * @return Mage_Core_Model_Session_Abstract_Varien
211:      */
212:     public function setSessionId($id=null)
213:     {
214:         if (!is_null($id) && preg_match('#^[0-9a-zA-Z,-]+$#', $id)) {
215:             session_id($id);
216:         }
217:         return $this;
218:     }
219: 
220:     /**
221:      * Retrieve session name
222:      *
223:      * @return string
224:      */
225:     public function getSessionName()
226:     {
227:         return session_name();
228:     }
229: 
230:     /**
231:      * Set session name
232:      *
233:      * @param string $name
234:      * @return Mage_Core_Model_Session_Abstract_Varien
235:      */
236:     public function setSessionName($name)
237:     {
238:         session_name($name);
239:         return $this;
240:     }
241: 
242:     /**
243:      * Unset all data
244:      *
245:      * @return Mage_Core_Model_Session_Abstract_Varien
246:      */
247:     public function unsetAll()
248:     {
249:         $this->unsetData();
250:         return $this;
251:     }
252: 
253:     /**
254:      * Alias for unsetAll
255:      *
256:      * @return Mage_Core_Model_Session_Abstract_Varien
257:      */
258:     public function clear()
259:     {
260:         return $this->unsetAll();
261:     }
262: 
263:     /**
264:      * Retrieve session save method
265:      * Default files
266:      *
267:      * @return string
268:      */
269:     public function getSessionSaveMethod()
270:     {
271:         return 'files';
272:     }
273: 
274:     /**
275:      * Get sesssion save path
276:      *
277:      * @return string
278:      */
279:     public function getSessionSavePath()
280:     {
281:         return Mage::getBaseDir('session');
282:     }
283: 
284:     /**
285:      * Use REMOTE_ADDR in validator key
286:      *
287:      * @return bool
288:      */
289:     public function useValidateRemoteAddr()
290:     {
291:         return true;
292:     }
293: 
294:     /**
295:      * Use HTTP_VIA in validator key
296:      *
297:      * @return bool
298:      */
299:     public function useValidateHttpVia()
300:     {
301:         return true;
302:     }
303: 
304:     /**
305:      * Use HTTP_X_FORWARDED_FOR in validator key
306:      *
307:      * @return bool
308:      */
309:     public function useValidateHttpXForwardedFor()
310:     {
311:         return true;
312:     }
313: 
314:     /**
315:      * Use HTTP_USER_AGENT in validator key
316:      *
317:      * @return bool
318:      */
319:     public function useValidateHttpUserAgent()
320:     {
321:         return true;
322:     }
323: 
324:     /**
325:      * Retrieve skip User Agent validation strings (Flash etc)
326:      *
327:      * @return array
328:      */
329:     public function getValidateHttpUserAgentSkip()
330:     {
331:         return array();
332:     }
333: 
334:     /**
335:      * Validate session
336:      *
337:      * @param string $namespace
338:      * @return Mage_Core_Model_Session_Abstract_Varien
339:      */
340:     public function validate()
341:     {
342:         if (!isset($this->_data[self::VALIDATOR_KEY])) {
343:             $this->_data[self::VALIDATOR_KEY] = $this->getValidatorData();
344:         }
345:         else {
346:             if (!$this->_validate()) {
347:                 $this->getCookie()->delete(session_name());
348:                 // throw core session exception
349:                 throw new Mage_Core_Model_Session_Exception('');
350:             }
351:         }
352: 
353:         return $this;
354:     }
355: 
356:     /**
357:      * Validate data
358:      *
359:      * @return bool
360:      */
361:     protected function _validate()
362:     {
363:         $sessionData = $this->_data[self::VALIDATOR_KEY];
364:         $validatorData = $this->getValidatorData();
365: 
366:         if ($this->useValidateRemoteAddr()
367:                 && $sessionData[self::VALIDATOR_REMOTE_ADDR_KEY] != $validatorData[self::VALIDATOR_REMOTE_ADDR_KEY]) {
368:             return false;
369:         }
370:         if ($this->useValidateHttpVia()
371:                 && $sessionData[self::VALIDATOR_HTTP_VIA_KEY] != $validatorData[self::VALIDATOR_HTTP_VIA_KEY]) {
372:             return false;
373:         }
374: 
375:         $sessionValidateHttpXForwardedForKey = $sessionData[self::VALIDATOR_HTTP_X_FORVARDED_FOR_KEY];
376:         $validatorValidateHttpXForwardedForKey = $validatorData[self::VALIDATOR_HTTP_X_FORVARDED_FOR_KEY];
377:         if ($this->useValidateHttpXForwardedFor()
378:             && $sessionValidateHttpXForwardedForKey != $validatorValidateHttpXForwardedForKey ) {
379:             return false;
380:         }
381:         if ($this->useValidateHttpUserAgent()
382:             && $sessionData[self::VALIDATOR_HTTP_USER_AGENT_KEY] != $validatorData[self::VALIDATOR_HTTP_USER_AGENT_KEY]
383:         ) {
384:             $userAgentValidated = $this->getValidateHttpUserAgentSkip();
385:             foreach ($userAgentValidated as $agent) {
386:                 if (preg_match('/' . $agent . '/iu', $validatorData[self::VALIDATOR_HTTP_USER_AGENT_KEY])) {
387:                     return true;
388:                 }
389:             }
390:             return false;
391:         }
392: 
393:         return true;
394:     }
395: 
396:     /**
397:      * Retrieve unique user data for validator
398:      *
399:      * @return array
400:      */
401:     public function getValidatorData()
402:     {
403:         $parts = array(
404:             self::VALIDATOR_REMOTE_ADDR_KEY             => '',
405:             self::VALIDATOR_HTTP_VIA_KEY                => '',
406:             self::VALIDATOR_HTTP_X_FORVARDED_FOR_KEY    => '',
407:             self::VALIDATOR_HTTP_USER_AGENT_KEY         => ''
408:         );
409: 
410:         // collect ip data
411:         if (Mage::helper('core/http')->getRemoteAddr()) {
412:             $parts[self::VALIDATOR_REMOTE_ADDR_KEY] = Mage::helper('core/http')->getRemoteAddr();
413:         }
414:         if (isset($_ENV['HTTP_VIA'])) {
415:             $parts[self::VALIDATOR_HTTP_VIA_KEY] = (string)$_ENV['HTTP_VIA'];
416:         }
417:         if (isset($_ENV['HTTP_X_FORWARDED_FOR'])) {
418:             $parts[self::VALIDATOR_HTTP_X_FORVARDED_FOR_KEY] = (string)$_ENV['HTTP_X_FORWARDED_FOR'];
419:         }
420: 
421:         // collect user agent data
422:         if (isset($_SERVER['HTTP_USER_AGENT'])) {
423:             $parts[self::VALIDATOR_HTTP_USER_AGENT_KEY] = (string)$_SERVER['HTTP_USER_AGENT'];
424:         }
425: 
426:         return $parts;
427:     }
428: 
429:     /**
430:      * Regenerate session Id
431:      *
432:      * @return Mage_Core_Model_Session_Abstract_Varien
433:      */
434:     public function regenerateSessionId()
435:     {
436:         session_regenerate_id(true);
437:         return $this;
438:     }
439: }
440: