
SessionModule.class.php

  1. <?php
  2.  
  3.   /**
  4.    * @author: Kevin Olinger <https://kevyn.lu>, 2017-01-11
  5.    * @copyright: 2017+ Kevin Olinger
  6.    *
  7.    * Last modified: 2017-01-12
  8.    */
  9.  
  10.   namespace core\modules;
  11.   use core\modules\session\SecureHandler;
  12.   use core\Core;
  13.  
  14.   class SessionModule {
  15.  
  16.     protected $name, $cookie;
  17.  
  18.     protected static $secHandler = null;
  19.  
  20.     //Set up session
  21.     public function __construct() {
  22.       if(!extension_loaded("openssl")) Core::End("The OpenSSL extension must be installed to use the session module.");
  23.       if(!extension_loaded("mbstring")) Core::End("The Multibytes extension must be installed to use the session module.");
  24.  
  25.       $this->name = str_replace(" ", "_", APPLICATION);
  26.  
  27.       ini_set("session.entropy_file", "/dev/urandom");
  28.       ini_set("session.entropy_length", 16);
  29.  
  30.       ini_set("session.hash_function", "sha256");
  31.  
  32.       ini_set("session.use_cookies", 1);
  33.       ini_set("session.use_only_cookies", 1);
  34.       ini_set("session.use_trans_sid", 0);
  35.  
  36.       ini_set("session.save_handler", "files");
  37.  
  38.       ini_set("session.cookie_httponly", 1);
  39.       ini_set("session.cookie_secure", isset($_SERVER["HTTPS"]));
  40.  
  41.       ini_set("session.referer_check", 0);
  42.  
  43.       self::$secHandler = new SecureHandler();
  44.  
  45.       session_set_save_handler(self::$secHandler, true);
  46.       session_save_path(sys_get_temp_dir());
  47.       session_name($this->name);
  48.       session_set_cookie_params(
  49.         $this->cookie["lifetime"],
  50.         $this->cookie["path"],
  51.         $this->cookie["domain"],
  52.         $this->cookie["secure"],
  53.         $this->cookie["httponly"]
  54.       );
  55.     }
  56.  
  57.     //Start and validate session
  58.     public function __run() {
  59.       if($this->start()) Core::End("An error occured while trying to start the session.");
  60.       if(!$this->isValid()) $this->forget();
  61.     }
  62.  
  63.     //Basic session management
  64.     public function start(): bool {
  65.       if(session_id() === "") {
  66.         if(session_start()) return mt_rand(0, 4) === 0 ? $this->refresh() : true;
  67.       }
  68.  
  69.       return false;
  70.     }
  71.  
  72.     public function refresh(): bool {
  73.       return session_regenerate_id(true);
  74.     }
  75.  
  76.     public function forget(): bool {
  77.       if(session_id() === "") return false;
  78.  
  79.       $_SESSION = array();
  80.  
  81.       setcookie(
  82.         $this->name,
  83.         "",
  84.         time() - 42000,
  85.         $this->cookie["path"],
  86.         $this->cookie["domain"],
  87.         $this->cookie["secure"],
  88.         $this->cookie["httponly"]
  89.       );
  90.  
  91.       setcookie(
  92.         "KEY_". $this->name,
  93.         "",
  94.         time() - 42000,
  95.         $this->cookie["path"],
  96.         $this->cookie["domain"],
  97.         $this->cookie["secure"],
  98.         $this->cookie["httponly"]
  99.       );
  100.  
  101.       return session_destroy();
  102.     }
  103.  
  104.     //Validation related methods
  105.     public function updateValidationData($hash = null) {
  106.       if(!isset($_SESSION["_fingerprint"]) && !$hash) {
  107.         $hash = $hash ?? hash("sha384", $_SERVER["HTTP_USER_AGENT"] . $_SERVER["REMOTE_ADDR"]);
  108.  
  109.         $_SESSION["_fingerprint"] = $hash;
  110.       }
  111.  
  112.       $_SESSION["_last_activity"] = time();
  113.     }
  114.  
  115.     public function isValid($ttl = 1): bool {
  116.       $return = true;
  117.  
  118.       $last = isset($_SESSION["_last_activity"]) ? $_SESSION["_last_activity"] : false;
  119.       $hash = hash("sha384", $_SERVER["HTTP_USER_AGENT"] . $_SERVER["REMOTE_ADDR"]);
  120.  
  121.       if($last !== false && time() - $last > $ttl * 60) return false;
  122.       if(isset($_SESSION["_fingerprint"])) $return = hash_equals($hash, $_SESSION["_fingerprint"]);
  123.       if($return) $this->updateValidationData($hash);
  124.  
  125.       return $return;
  126.     }
  127.  
  128.   }