values * @param array $new New set of variable => value * @return void */ protected static function _overwrite(&$old, $new) { if (!empty($old)) { foreach ($old as $key => $var) { if (!isset($new[$key])) { unset($old[$key]); } } } foreach ($new as $key => $var) { $old[$key] = $var; } } /** * Return error description for given error number. * * @param integer $errorNumber Error to set * @return string Error as string */ protected static function _error($errorNumber) { if (!is_array(self::$error) || !array_key_exists($errorNumber, self::$error)) { return false; } return self::$error[$errorNumber]; } /** * Returns last occurred error as a string, if any. * * @return mixed Error description as a string, or false. */ public static function error() { if (self::$lastError) { return self::_error(self::$lastError); } return false; } /** * Returns true if session is valid. * * @return boolean Success */ public static function valid() { if (self::read('Config')) { if (self::_validAgentAndTime() && self::$error === false) { self::$valid = true; } else { self::$valid = false; self::_setError(1, 'Session Highjacking Attempted !!!'); } } return self::$valid; } /** * Tests that the user agent is valid and that the session hasn't 'timed out'. * Since timeouts are implemented in CakeSession it checks the current self::$time * against the time the session is set to expire. The User agent is only checked * if Session.checkAgent == true. * * @return boolean */ protected static function _validAgentAndTime() { $config = self::read('Config'); $validAgent = ( Configure::read('Session.checkAgent') === false || self::$_userAgent == $config['userAgent'] ); return ($validAgent && self::$time <= $config['time']); } /** * Get / Set the user agent * * @param string $userAgent Set the user agent * @return string Current user agent */ public static function userAgent($userAgent = null) { if ($userAgent) { self::$_userAgent = $userAgent; } if (empty(self::$_userAgent)) { CakeSession::init(self::$path); } return self::$_userAgent; } /** * Returns given session variable, or all of them, if no parameters given. * * @param string|array $name The name of the session variable (or a path as sent to Set.extract) * @return mixed The value of the session variable */ public static function read($name = null) { if (!self::start()) { return false; } if ($name === null) { return self::_returnSessionVars(); } if (empty($name)) { return false; } $result = Hash::get($_SESSION, $name); if (isset($result)) { return $result; } return null; } /** * Returns all session variables. * * @return mixed Full $_SESSION array, or false on error. */ protected static function _returnSessionVars() { if (!empty($_SESSION)) { return $_SESSION; } self::_setError(2, 'No Session vars set'); return false; } /** * Writes value to given session variable name. * * @param string|array $name Name of variable * @param string $value Value to write * @return boolean True if the write was successful, false if the write failed */ public static function write($name, $value = null) { if (!self::start()) { return false; } if (empty($name)) { return false; } $write = $name; if (!is_array($name)) { $write = array($name => $value); } foreach ($write as $key => $val) { self::_overwrite($_SESSION, Hash::insert($_SESSION, $key, $val)); if (Hash::get($_SESSION, $key) !== $val) { return false; } } return true; } /** * Helper method to destroy invalid sessions. * * @return void */ public static function destroy() { if (!self::started()) { self::_startSession(); } session_destroy(); $_SESSION = null; self::$id = null; } /** * Clears the session, the session id, and renews the session. * * @return void */ public static function clear() { $_SESSION = null; self::$id = null; self::renew(); } /** * Helper method to initialize a session, based on CakePHP core settings. * * Sessions can be configured with a few shortcut names as well as have any number of ini settings declared. * * @return void * @throws CakeSessionException Throws exceptions when ini_set() fails. */ protected static function _configureSession() { $sessionConfig = Configure::read('Session'); if (isset($sessionConfig['defaults'])) { $defaults = self::_defaultConfig($sessionConfig['defaults']); if ($defaults) { $sessionConfig = Hash::merge($defaults, $sessionConfig); } } if (!isset($sessionConfig['ini']['session.cookie_secure']) && env('HTTPS')) { $sessionConfig['ini']['session.cookie_secure'] = 1; } if (isset($sessionConfig['timeout']) && !isset($sessionConfig['cookieTimeout'])) { $sessionConfig['cookieTimeout'] = $sessionConfig['timeout']; } if (!isset($sessionConfig['ini']['session.cookie_lifetime'])) { $sessionConfig['ini']['session.cookie_lifetime'] = $sessionConfig['cookieTimeout'] * 60; } if (!isset($sessionConfig['ini']['session.name'])) { $sessionConfig['ini']['session.name'] = $sessionConfig['cookie']; } if (!empty($sessionConfig['handler'])) { $sessionConfig['ini']['session.save_handler'] = 'user'; } if (!isset($sessionConfig['ini']['session.gc_maxlifetime'])) { $sessionConfig['ini']['session.gc_maxlifetime'] = $sessionConfig['timeout'] * 60; } if (!isset($sessionConfig['ini']['session.cookie_httponly'])) { $sessionConfig['ini']['session.cookie_httponly'] = 1; } if (empty($_SESSION)) { if (!empty($sessionConfig['ini']) && is_array($sessionConfig['ini'])) { foreach ($sessionConfig['ini'] as $setting => $value) { if (ini_set($setting, $value) === false) { throw new CakeSessionException(__d('cake_dev', 'Unable to configure the session, setting %s failed.', $setting)); } } } } if (!empty($sessionConfig['handler']) && !isset($sessionConfig['handler']['engine'])) { call_user_func_array('session_set_save_handler', $sessionConfig['handler']); } if (!empty($sessionConfig['handler']['engine'])) { $handler = self::_getHandler($sessionConfig['handler']['engine']); session_set_save_handler( array($handler, 'open'), array($handler, 'close'), array($handler, 'read'), array($handler, 'write'), array($handler, 'destroy'), array($handler, 'gc') ); } Configure::write('Session', $sessionConfig); self::$sessionTime = self::$time + ($sessionConfig['timeout'] * 60); } /** * Find the handler class and make sure it implements the correct interface. * * @param string $handler * @return void * @throws CakeSessionException */ protected static function _getHandler($handler) { list($plugin, $class) = pluginSplit($handler, true); App::uses($class, $plugin . 'Model/Datasource/Session'); if (!class_exists($class)) { throw new CakeSessionException(__d('cake_dev', 'Could not load %s to handle the session.', $class)); } $handler = new $class(); if ($handler instanceof CakeSessionHandlerInterface) { return $handler; } throw new CakeSessionException(__d('cake_dev', 'Chosen SessionHandler does not implement CakeSessionHandlerInterface it cannot be used with an engine key.')); } /** * Get one of the prebaked default session configurations. * * @param string $name * @return boolean|array */ protected static function _defaultConfig($name) { $defaults = array( 'php' => array( 'cookie' => 'CAKEPHP', 'timeout' => 240, 'ini' => array( 'session.use_trans_sid' => 0, 'session.cookie_path' => self::$path ) ), 'cake' => array( 'cookie' => 'CAKEPHP', 'timeout' => 240, 'ini' => array( 'session.use_trans_sid' => 0, 'url_rewriter.tags' => '', 'session.serialize_handler' => 'php', 'session.use_cookies' => 1, 'session.cookie_path' => self::$path, 'session.save_path' => TMP . 'sessions', 'session.save_handler' => 'files' ) ), 'cache' => array( 'cookie' => 'CAKEPHP', 'timeout' => 240, 'ini' => array( 'session.use_trans_sid' => 0, 'url_rewriter.tags' => '', 'session.use_cookies' => 1, 'session.cookie_path' => self::$path, 'session.save_handler' => 'user', ), 'handler' => array( 'engine' => 'CacheSession', 'config' => 'default' ) ), 'database' => array( 'cookie' => 'CAKEPHP', 'timeout' => 240, 'ini' => array( 'session.use_trans_sid' => 0, 'url_rewriter.tags' => '', 'session.use_cookies' => 1, 'session.cookie_path' => self::$path, 'session.save_handler' => 'user', 'session.serialize_handler' => 'php', ), 'handler' => array( 'engine' => 'DatabaseSession', 'model' => 'Session' ) ) ); if (isset($defaults[$name])) { return $defaults[$name]; } return false; } /** * Helper method to start a session * * @return boolean Success */ protected static function _startSession() { self::init(); session_write_close(); self::_configureSession(); if (headers_sent()) { if (empty($_SESSION)) { $_SESSION = array(); } } else { // For IE<=8 session_cache_limiter("must-revalidate"); session_start(); } return true; } /** * Helper method to create a new session. * * @return void */ protected static function _checkValid() { $config = self::read('Config'); if ($config) { $sessionConfig = Configure::read('Session'); if (self::valid()) { self::write('Config.time', self::$sessionTime); if (isset($sessionConfig['autoRegenerate']) && $sessionConfig['autoRegenerate'] === true) { $check = $config['countdown']; $check -= 1; self::write('Config.countdown', $check); if ($check < 1) { self::renew(); self::write('Config.countdown', self::$requestCountdown); } } } else { $_SESSION = array(); self::destroy(); self::_setError(1, 'Session Highjacking Attempted !!!'); self::_startSession(); self::_writeConfig(); } } else { self::_writeConfig(); } } /** * Writes configuration variables to the session * * @return void */ protected static function _writeConfig() { self::write('Config.userAgent', self::$_userAgent); self::write('Config.time', self::$sessionTime); self::write('Config.countdown', self::$requestCountdown); } /** * Restarts this session. * * @return void */ public static function renew() { if (session_id()) { if (session_id() || isset($_COOKIE[session_name()])) { setcookie(Configure::read('Session.cookie'), '', time() - 42000, self::$path); } session_regenerate_id(true); } } /** * Helper method to set an internal error message. * * @param integer $errorNumber Number of the error * @param string $errorMessage Description of the error * @return void */ protected static function _setError($errorNumber, $errorMessage) { if (self::$error === false) { self::$error = array(); } self::$error[$errorNumber] = $errorMessage; self::$lastError = $errorNumber; } }