SessionModule.class.php

1. <?php
2.  
3.   /**
4.    * @author: Kevin Olinger <https://kevyn.lu>, 2017-01-11
5.    * @copyright: 2017+ Kevin Olinger
6.    *
7.    * Last modified: 2017-01-12
8.    */
9.  
10.   namespace core\modules;
11.   use core\modules\session\SecureHandler;
12.   use core\Core;
13.  
14.   class SessionModule {
15.  
16.     protected $name, $cookie;
17.  
18.     protected static $secHandler = null;
19.  
20.     //Set up session
21.     public function __construct() {
22.       if(!extension_loaded("openssl")) Core::End("The OpenSSL extension must be installed to use the session module.");
23.       if(!extension_loaded("mbstring")) Core::End("The Multibytes extension must be installed to use the session module.");
24.  
25.       $this->name = str_replace(" ", "_", APPLICATION);
26.  
27.       ini_set("session.entropy_file", "/dev/urandom");
28.       ini_set("session.entropy_length", 16);
29.  
30.       ini_set("session.hash_function", "sha256");
31.  
32.       ini_set("session.use_cookies", 1);
33.       ini_set("session.use_only_cookies", 1);
34.       ini_set("session.use_trans_sid", 0);
35.  
36.       ini_set("session.save_handler", "files");
37.  
38.       ini_set("session.cookie_httponly", 1);
39.       ini_set("session.cookie_secure", isset($_SERVER["HTTPS"]));
40.  
41.       ini_set("session.referer_check", 0);
42.  
43.       self::$secHandler = new SecureHandler();
44.  
45.       session_set_save_handler(self::$secHandler, true);
46.       session_save_path(sys_get_temp_dir());
47.       session_name($this->name);
48.       session_set_cookie_params(
49.         $this->cookie["lifetime"],
50.         $this->cookie["path"],
51.         $this->cookie["domain"],
52.         $this->cookie["secure"],
53.         $this->cookie["httponly"]
54.       );
55.     }
56.  
57.     //Start and validate session
58.     public function __run() {
59.       if($this->start()) Core::End("An error occured while trying to start the session.");
60.       if(!$this->isValid()) $this->forget();
61.     }
62.  
63.     //Basic session management
64.     public function start(): bool {
65.       if(session_id() === "") {
66.         if(session_start()) return mt_rand(0, 4) === 0 ? $this->refresh() : true;
67.       }
68.  
69.       return false;
70.     }
71.  
72.     public function refresh(): bool {
73.       return session_regenerate_id(true);
74.     }
75.  
76.     public function forget(): bool {
77.       if(session_id() === "") return false;
78.  
79.       $_SESSION = array();
80.  
81.       setcookie(
82.         $this->name,
83.         "",
84.         time() - 42000,
85.         $this->cookie["path"],
86.         $this->cookie["domain"],
87.         $this->cookie["secure"],
88.         $this->cookie["httponly"]
89.       );
90.  
91.       setcookie(
92.         "KEY_". $this->name,
93.         "",
94.         time() - 42000,
95.         $this->cookie["path"],
96.         $this->cookie["domain"],
97.         $this->cookie["secure"],
98.         $this->cookie["httponly"]
99.       );
100.  
101.       return session_destroy();
102.     }
103.  
104.     //Validation related methods
105.     public function updateValidationData($hash = null) {
106.       if(!isset($_SESSION["_fingerprint"]) && !$hash) {
107.         $hash = $hash ?? hash("sha384", $_SERVER["HTTP_USER_AGENT"] . $_SERVER["REMOTE_ADDR"]);
108.  
109.         $_SESSION["_fingerprint"] = $hash;
110.       }
111.  
112.       $_SESSION["_last_activity"] = time();
113.     }
114.  
115.     public function isValid($ttl = 1): bool {
116.       $return = true;
117.  
118.       $last = isset($_SESSION["_last_activity"]) ? $_SESSION["_last_activity"] : false;
119.       $hash = hash("sha384", $_SERVER["HTTP_USER_AGENT"] . $_SERVER["REMOTE_ADDR"]);
120.  
121.       if($last !== false && time() - $last > $ttl * 60) return false;
122.       if(isset($_SESSION["_fingerprint"])) $return = hash_equals($hash, $_SESSION["_fingerprint"]);
123.       if($return) $this->updateValidationData($hash);
124.  
125.       return $return;
126.     }
127.  
128.   }