<?php
/*****************************************************************************
* Session.php
* Contains the key class Session.
*
* Kabuki CMS (C) 2013-2023, Aaron van Geffen
*****************************************************************************/
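class Session
{
    /**
     * Empties the session data array for the current request.
     *
     * Only $_SESSION is reset: the session id, its cookie and the stored
     * session record are left as they are. Code that uses this for logout or
     * a privilege change still has to rotate or destroy the session itself
     * (session_regenerate_id(true) / session_destroy()).
     */
    public static function clear()
    {
        $_SESSION = [];
    }

    /**
     * Starts the PHP session and makes sure a request token pair exists.
     *
     * Cookie attributes (HttpOnly, Secure, SameSite) are not set here; they
     * are whatever php.ini or session_set_cookie_params() configured before
     * this call. The result of session_start() is not checked.
     *
     * @return bool Always true.
     */
    public static function start()
    {
        session_start();

        // Both halves are needed by validateSession(); regenerate if either is missing.
        if (!isset($_SESSION['session_token_key'], $_SESSION['session_token']))
        {
            self::generateSessionToken();
        }

        return true;
    }

    /**
     * Stores a fresh anti-CSRF token and the request parameter name it is
     * submitted under in $_SESSION.
     *
     * Both values come from the CSPRNG. Hashing session_id() together with
     * mt_rand()/rand() output is not suitable for a security token: those
     * generators are predictable once their state is known.
     *
     * @return bool Always true.
     * @throws Exception When random_bytes()/random_int() cannot obtain randomness.
     */
    public static function generateSessionToken()
    {
        // 20 random bytes, hex-encoded: the same 40-character shape a sha1() digest has.
        $_SESSION['session_token'] = bin2hex(random_bytes(20));

        // The key keeps its historical shape: hex characters with any leading
        // digits stripped, cut to 7-12 characters. Retry in the (very unlikely)
        // case that stripping leaves fewer than 12 characters to cut from.
        do
        {
            $candidate = (string) preg_replace('~^\d+~', '', bin2hex(random_bytes(20)));
        }
        while (strlen($candidate) < 12);

        $_SESSION['session_token_key'] = substr($candidate, 0, random_int(7, 12));

        return true;
    }

    /**
     * Returns the anti-CSRF token stored in the session.
     *
     * Raises E_USER_ERROR when no token is set, i.e. when start() or
     * generateSessionToken() has not run for this session.
     *
     * @return string
     */
    public static function getSessionToken()
    {
        if (empty($_SESSION['session_token']))
        {
            trigger_error('Call to getSessionToken without a session token being set!', E_USER_ERROR);
        }

        return $_SESSION['session_token'];
    }

    /**
     * Returns the request parameter name the token is submitted under.
     *
     * Raises E_USER_ERROR when no key is set.
     *
     * @return string
     */
    public static function getSessionTokenKey()
    {
        if (empty($_SESSION['session_token_key']))
        {
            trigger_error('Call to getSessionTokenKey without a session token key being set!', E_USER_ERROR);
        }

        return $_SESSION['session_token_key'];
    }

    /**
     * Kept for callers of the old interface; does nothing.
     *
     * The token is NOT rotated by this call. Use generateSessionToken() when
     * a new token is actually required.
     *
     * @return bool Always true.
     */
    public static function resetSessionToken()
    {
        // Old interface; now always true.
        return true;
    }

    /**
     * Verifies that the current request carries the session's anti-CSRF token
     * and, when a Referer header is present, that it points at this site.
     *
     * @param string $method 'post' or 'get': which request array holds the token.
     *                       Any other value fails verification instead of
     *                       skipping the token check.
     * @return bool True when the request passes.
     * @throws UserFacingException When the token or the referring host does not match.
     */
    public static function validateSession($method = 'post')
    {
        if ($method === 'post')
        {
            $submitted = $_POST;
        }
        elseif ($method === 'get')
        {
            $submitted = $_GET;
        }
        else
        {
            // Fail closed: an unrecognised method must not bypass the token check.
            $submitted = null;
        }

        $token_key = $_SESSION['session_token_key'] ?? null;
        $expected = $_SESSION['session_token'] ?? null;

        $given = null;
        if ($submitted !== null && is_string($token_key) && $token_key !== '' && isset($submitted[$token_key]))
        {
            $given = $submitted[$token_key];
        }

        // First, check whether the submitted token and key match the ones in storage.
        // Request values may be arrays (key[]=...), so require strings before the
        // constant-time comparison; a missing or empty stored token never verifies.
        if (!is_string($expected) || $expected === '' || !is_string($given) || !hash_equals($expected, $given))
        {
            throw new UserFacingException('Session failed to verify (' . $method . '). Please reload the page and try again.');
        }

        // Check the referring site, too -- should be the same site!
        // This is best-effort only: a request without a Referer header, or with
        // one whose host cannot be parsed, skips it. The token check above is
        // the actual control.
        $referring_host = isset($_SERVER['HTTP_REFERER']) ? parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) : '';
        if (!empty($referring_host))
        {
            // Drop the port from the Host header. An IPv6 literal such as
            // "[::1]:8080" is cut at its first colon, so such hosts can only
            // match through BASEURL.
            $http_host = isset($_SERVER['HTTP_HOST']) ? (string) $_SERVER['HTTP_HOST'] : '';
            $port_offset = strpos($http_host, ':');
            $current_host = $port_offset !== false ? substr($http_host, 0, $port_offset) : $http_host;

            $base_url_host = (string) parse_url(BASEURL, PHP_URL_HOST);

            // The referring_host must match either the base_url_host or the current_host.
            $referring_host = strtolower($referring_host);
            if ($referring_host !== strtolower($base_url_host) && $referring_host !== strtolower($current_host))
            {
                throw new UserFacingException('Invalid referring URL. Please reload the page and try again.');
            }
        }

        // All looks good from here!
        return true;
    }
}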