From acf3748621f37251a4eeb3f62d771ef91bcf5233 Mon Sep 17 00:00:00 2001 From: wn_ Date: Fri, 5 Jul 2024 16:25:58 +0000 Subject: Switch to the non-deprecated form of 'session_set_save_handler'. As of PHP 8.4 the form with more than 2 arguments is deprecated. This also does some initial work to make the functions behave closer to what SessionHandlerInterface describes. * https://php.watch/versions/8.4/session_set_save_handler-alt-signature-deprecated * https://wiki.php.net/rfc/deprecate_functions_with_overloaded_signatures * https://www.php.net/manual/en/class.sessionhandlerinterface.php --- include/sessions.php | 109 ++++++++++++++++++++++++--------------------------- 1 file changed, 51 insertions(+), 58 deletions(-) (limited to 'include') diff --git a/include/sessions.php b/include/sessions.php index abc99176f..00a0db081 100644 --- a/include/sessions.php +++ b/include/sessions.php @@ -72,79 +72,72 @@ return true; } - function ttrss_open(string $savePath, string $sessionName): bool { - return true; - } + if (\Config::get_schema_version() >= 0) { + // TODO: look into making these behave closer to what SessionHandlerInterface intends + session_set_save_handler(new class() implements \SessionHandlerInterface { + public function open(string $path, string $name): bool { + return true; + } - function ttrss_read(string $id): string { - global $session_expire; + public function close(): bool { + return true; + } + + /** + * @todo set return type to string|false, and remove ReturnTypeWillChange, when min supported is PHP 8 + * @return string|false + */ + #[\ReturnTypeWillChange] + public function read(string $id) { + global $session_expire; - $sth = \Db::pdo()->prepare("SELECT data FROM ttrss_sessions WHERE id=?"); - $sth->execute([$id]); + $sth = \Db::pdo()->prepare('SELECT data FROM ttrss_sessions WHERE id=?'); + $sth->execute([$id]); - if ($row = $sth->fetch()) { - return base64_decode($row["data"]); + if ($row = $sth->fetch()) { + return base64_decode($row['data']); + } - } else { $expire = time() + $session_expire; $sth = \Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire) VALUES (?, '', ?)"); - $sth->execute([$id, $expire]); - - return ""; - - } - - } - - function ttrss_write(string $id, string $data): bool { - global $session_expire; - - $data = base64_encode($data); - $expire = time() + $session_expire; - - $sth = \Db::pdo()->prepare("SELECT id FROM ttrss_sessions WHERE id=?"); - $sth->execute([$id]); - - if ($sth->fetch()) { - $sth = \Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?"); - $sth->execute([$data, $expire, $id]); - } else { - $sth = \Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire) - VALUES (?, ?, ?)"); - $sth->execute([$id, $data, $expire]); - } + return $sth->execute([$id, $expire]) ? '' : false; + } - return true; - } + public function write(string $id, string $data): bool { + global $session_expire; - function ttrss_close(): bool { - return true; - } + $data = base64_encode($data); + $expire = time() + $session_expire; - function ttrss_destroy(string $id): bool { - $sth = \Db::pdo()->prepare("DELETE FROM ttrss_sessions WHERE id = ?"); - $sth->execute([$id]); + $sth = \Db::pdo()->prepare('SELECT id FROM ttrss_sessions WHERE id=?'); + $sth->execute([$id]); - return true; - } + if ($sth->fetch()) { + $sth = \Db::pdo()->prepare('UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?'); + return $sth->execute([$data, $expire, $id]); + } - function ttrss_gc(int $lifetime): bool { - \Db::pdo()->query("DELETE FROM ttrss_sessions WHERE expire < " . time()); + $sth = \Db::pdo()->prepare('INSERT INTO ttrss_sessions (id, data, expire) VALUES (?, ?, ?)'); + return $sth->execute([$id, $data, $expire]); + } - return true; - } + public function destroy(string $id): bool { + $sth = \Db::pdo()->prepare('DELETE FROM ttrss_sessions WHERE id = ?'); + return $sth->execute([$id]); + } - if (\Config::get_schema_version() >= 0) { - session_set_save_handler('\Sessions\ttrss_open', - '\Sessions\ttrss_close', '\Sessions\ttrss_read', - '\Sessions\ttrss_write', '\Sessions\ttrss_destroy', - '\Sessions\ttrss_gc'); // @phpstan-ignore-line - // PHPStan complains about '\Sessions\ttrss_gc' if its $lifetime param isn't marked as string, - // but the docs say it's an int. If it is actually a string it'll get coerced to an int. - - register_shutdown_function('session_write_close'); + /** + * @todo set return type to int|false, and remove ReturnTypeWillChange, when min supported is PHP 8 + * @return int|false the number of deleted sessions on success, or false on failure + */ + #[\ReturnTypeWillChange] + public function gc(int $max_lifetime) { + $result = \Db::pdo()->query('DELETE FROM ttrss_sessions WHERE expire < ' . time()); + return $result === false ? false : $result->rowCount(); + } + }); if (!defined('NO_SESSION_AUTOSTART')) { if (isset($_COOKIE[session_name()])) { -- cgit v1.2.3-54-g00ecf From c7cc3c92baae4b34438819fa66d971edc50faaaa Mon Sep 17 00:00:00 2001 From: wn_ Date: Thu, 11 Jul 2024 12:14:53 +0000 Subject: Add and use the 'Sessions' class. --- api/index.php | 2 +- backend.php | 2 +- classes/Sessions.php | 135 +++++++++++++++++++++++++++++++++++++++++++ classes/UserHelper.php | 2 +- include/sessions.php | 152 ++++--------------------------------------------- 5 files changed, 149 insertions(+), 144 deletions(-) create mode 100644 classes/Sessions.php (limited to 'include') diff --git a/api/index.php b/api/index.php index a061e8020..c468823e1 100644 --- a/api/index.php +++ b/api/index.php @@ -30,7 +30,7 @@ if (!init_plugins()) return; if (!empty($_SESSION["uid"])) { - if (!\Sessions\validate_session()) { + if (!Sessions::validate_session()) { header("Content-Type: text/json"); print json_encode([ diff --git a/backend.php b/backend.php index 14d461c9f..a56847111 100644 --- a/backend.php +++ b/backend.php @@ -44,7 +44,7 @@ } if (!empty($_SESSION["uid"])) { - if (!\Sessions\validate_session()) { + if (!Sessions::validate_session()) { header("Content-Type: text/json"); print Errors::to_json(Errors::E_UNAUTHORIZED); diff --git a/classes/Sessions.php b/classes/Sessions.php new file mode 100644 index 000000000..7bd050d32 --- /dev/null +++ b/classes/Sessions.php @@ -0,0 +1,135 @@ +session_expire = min(2147483647 - time() - 1, max(\Config::get(\Config::SESSION_COOKIE_LIFETIME), 86400)); + $this->session_name = \Config::get(\Config::SESSION_NAME); + + if (\Config::is_server_https()) { + ini_set('session.cookie_secure', 'true'); + } + + ini_set('session.gc_probability', '75'); + ini_set('session.name', $this->session_name); + ini_set('session.use_only_cookies', 'true'); + ini_set('session.gc_maxlifetime', $this->session_expire); + ini_set('session.cookie_lifetime', '0'); + + // prolong PHP session cookie + if (isset($_COOKIE[$this->session_name])) { + setcookie($this->session_name, + $_COOKIE[$this->session_name], + time() + $this->session_expire, + ini_get('session.cookie_path'), + ini_get('session.cookie_domain'), + ini_get('session.cookie_secure'), + ini_get('session.cookie_httponly')); + } + } + + public function open(string $path, string $name): bool { + return true; + } + + public function close(): bool { + return true; + } + + /** + * @todo set return type to string|false, and remove ReturnTypeWillChange, when min supported is PHP 8 + * @return string|false + */ + #[\ReturnTypeWillChange] + public function read(string $id) { + $sth = Db::pdo()->prepare('SELECT data FROM ttrss_sessions WHERE id=?'); + $sth->execute([$id]); + + if ($row = $sth->fetch()) { + return base64_decode($row['data']); + } + + $expire = time() + $this->session_expire; + + $sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire) + VALUES (?, '', ?)"); + return $sth->execute([$id, $expire]) ? '' : false; + } + + public function write(string $id, string $data): bool { + $data = base64_encode($data); + $expire = time() + $this->session_expire; + + $sth = Db::pdo()->prepare('SELECT id FROM ttrss_sessions WHERE id=?'); + $sth->execute([$id]); + + if ($sth->fetch()) { + $sth = Db::pdo()->prepare('UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?'); + return $sth->execute([$data, $expire, $id]); + } + + $sth = Db::pdo()->prepare('INSERT INTO ttrss_sessions (id, data, expire) VALUES (?, ?, ?)'); + return $sth->execute([$id, $data, $expire]); + } + + public function destroy(string $id): bool { + $sth = Db::pdo()->prepare('DELETE FROM ttrss_sessions WHERE id = ?'); + return $sth->execute([$id]); + } + + /** + * @todo set return type to int|false, and remove ReturnTypeWillChange, when min supported is PHP 8 + * @return int|false the number of deleted sessions on success, or false on failure + */ + #[\ReturnTypeWillChange] + public function gc(int $max_lifetime) { + $result = Db::pdo()->query('DELETE FROM ttrss_sessions WHERE expire < ' . time()); + return $result === false ? false : $result->rowCount(); + } + + public static function validate_session(): bool { + if (Config::get(Config::SINGLE_USER_MODE)) return true; + + $pdo = Db::pdo(); + + if (!empty($_SESSION['uid'])) { + $user = ORM::for_table('ttrss_users')->find_one($_SESSION['uid']); + + if ($user) { + if ($user->pwd_hash != $_SESSION['pwd_hash']) { + $_SESSION['login_error_msg'] = __('Session failed to validate (password changed)'); + return false; + } + + if ($user->access_level == UserHelper::ACCESS_LEVEL_DISABLED) { + $_SESSION['login_error_msg'] = __('Session failed to validate (account is disabled)'); + return false; + } + + // default to true because there might not be any hooks and this is our last check + $hook_result = true; + + PluginHost::getInstance()->chain_hooks_callback(PluginHost::HOOK_VALIDATE_SESSION, + function ($result) use (&$hook_result) { + $hook_result = $result; + + if (!$result) { + return true; + } + }); + + return $hook_result; + + } else { + $_SESSION['login_error_msg'] = __('Session failed to validate (user not found)'); + return false; + } + } + + return true; + } +} diff --git a/classes/UserHelper.php b/classes/UserHelper.php index 7cc7b3150..92c397764 100644 --- a/classes/UserHelper.php +++ b/classes/UserHelper.php @@ -156,7 +156,7 @@ class UserHelper { startup_gettext(); self::load_user_plugins($_SESSION["uid"]); } else { - if (!\Sessions\validate_session()) + if (!Sessions::validate_session()) $_SESSION["uid"] = null; if (empty($_SESSION["uid"])) { diff --git a/include/sessions.php b/include/sessions.php index 00a0db081..cee2702be 100644 --- a/include/sessions.php +++ b/include/sessions.php @@ -1,148 +1,18 @@ = 0) { + session_set_save_handler($sessions); - if (\Config::is_server_https()) { - ini_set("session.cookie_secure", "true"); - } - - ini_set("session.gc_probability", "75"); - ini_set("session.name", $session_name); - ini_set("session.use_only_cookies", "true"); - ini_set("session.gc_maxlifetime", $session_expire); - ini_set("session.cookie_lifetime", "0"); - - // prolong PHP session cookie - if (isset($_COOKIE[$session_name])) - setcookie($session_name, - $_COOKIE[$session_name], - time() + $session_expire, - ini_get("session.cookie_path"), - ini_get("session.cookie_domain"), - ini_get("session.cookie_secure"), - ini_get("session.cookie_httponly")); - - function validate_session(): bool { - if (\Config::get(\Config::SINGLE_USER_MODE)) return true; - - $pdo = \Db::pdo(); - - if (!empty($_SESSION["uid"])) { - $user = \ORM::for_table('ttrss_users')->find_one($_SESSION["uid"]); - - if ($user) { - if ($user->pwd_hash != $_SESSION["pwd_hash"]) { - $_SESSION["login_error_msg"] = __("Session failed to validate (password changed)"); - return false; - } - - if ($user->access_level == UserHelper::ACCESS_LEVEL_DISABLED) { - $_SESSION["login_error_msg"] = __("Session failed to validate (account is disabled)"); - return false; - } - - // default to true because there might not be any hooks and this is our last check - $hook_result = true; - - \PluginHost::getInstance()->chain_hooks_callback(\PluginHost::HOOK_VALIDATE_SESSION, - function ($result) use (&$hook_result) { - $hook_result = $result; - - if (!$result) { - return true; - } - }); - - return $hook_result; - - } else { - $_SESSION["login_error_msg"] = __("Session failed to validate (user not found)"); - return false; - } - } - - return true; - } - - if (\Config::get_schema_version() >= 0) { - // TODO: look into making these behave closer to what SessionHandlerInterface intends - session_set_save_handler(new class() implements \SessionHandlerInterface { - public function open(string $path, string $name): bool { - return true; - } - - public function close(): bool { - return true; - } - - /** - * @todo set return type to string|false, and remove ReturnTypeWillChange, when min supported is PHP 8 - * @return string|false - */ - #[\ReturnTypeWillChange] - public function read(string $id) { - global $session_expire; - - $sth = \Db::pdo()->prepare('SELECT data FROM ttrss_sessions WHERE id=?'); - $sth->execute([$id]); - - if ($row = $sth->fetch()) { - return base64_decode($row['data']); - } - - $expire = time() + $session_expire; - - $sth = \Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire) - VALUES (?, '', ?)"); - return $sth->execute([$id, $expire]) ? '' : false; - } - - public function write(string $id, string $data): bool { - global $session_expire; - - $data = base64_encode($data); - $expire = time() + $session_expire; - - $sth = \Db::pdo()->prepare('SELECT id FROM ttrss_sessions WHERE id=?'); - $sth->execute([$id]); - - if ($sth->fetch()) { - $sth = \Db::pdo()->prepare('UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?'); - return $sth->execute([$data, $expire, $id]); - } - - $sth = \Db::pdo()->prepare('INSERT INTO ttrss_sessions (id, data, expire) VALUES (?, ?, ?)'); - return $sth->execute([$id, $data, $expire]); - } - - public function destroy(string $id): bool { - $sth = \Db::pdo()->prepare('DELETE FROM ttrss_sessions WHERE id = ?'); - return $sth->execute([$id]); - } - - /** - * @todo set return type to int|false, and remove ReturnTypeWillChange, when min supported is PHP 8 - * @return int|false the number of deleted sessions on success, or false on failure - */ - #[\ReturnTypeWillChange] - public function gc(int $max_lifetime) { - $result = \Db::pdo()->query('DELETE FROM ttrss_sessions WHERE expire < ' . time()); - return $result === false ? false : $result->rowCount(); - } - }); - - if (!defined('NO_SESSION_AUTOSTART')) { - if (isset($_COOKIE[session_name()])) { - if (session_status() != PHP_SESSION_ACTIVE) - session_start(); - } + if (!defined('NO_SESSION_AUTOSTART')) { + if (isset($_COOKIE[session_name()])) { + if (session_status() != PHP_SESSION_ACTIVE) + session_start(); } } +} -- cgit v1.2.3-54-g00ecf From 44257b801650dddd65f01a0f20e0865d5184c3a3 Mon Sep 17 00:00:00 2001 From: wn_ Date: Fri, 12 Jul 2024 01:18:53 +0000 Subject: Move side effects out of the 'Sessions' constructor. --- classes/Sessions.php | 25 +++++++++++++++++++------ include/sessions.php | 2 ++ 2 files changed, 21 insertions(+), 6 deletions(-) (limited to 'include') diff --git a/classes/Sessions.php b/classes/Sessions.php index 7bd050d32..08c6b5855 100644 --- a/classes/Sessions.php +++ b/classes/Sessions.php @@ -1,16 +1,23 @@ session_expire = min(2147483647 - time() - 1, max(\Config::get(\Config::SESSION_COOKIE_LIFETIME), 86400)); - $this->session_name = \Config::get(\Config::SESSION_NAME); + $this->session_expire = min(2147483647 - time() - 1, max(Config::get(Config::SESSION_COOKIE_LIFETIME), 86400)); + $this->session_name = Config::get(Config::SESSION_NAME); + } - if (\Config::is_server_https()) { + /** + * Adjusts session-related PHP configuration options + */ + public function configure(): void { + if (Config::is_server_https()) { ini_set('session.cookie_secure', 'true'); } @@ -19,10 +26,15 @@ class Sessions implements \SessionHandlerInterface { ini_set('session.use_only_cookies', 'true'); ini_set('session.gc_maxlifetime', $this->session_expire); ini_set('session.cookie_lifetime', '0'); + } - // prolong PHP session cookie + /** + * Extend the validity of the PHP session cookie (if it exists) + * @return bool Whether the new cookie was set successfully + */ + public function extend_session(): bool { if (isset($_COOKIE[$this->session_name])) { - setcookie($this->session_name, + return setcookie($this->session_name, $_COOKIE[$this->session_name], time() + $this->session_expire, ini_get('session.cookie_path'), @@ -30,6 +42,7 @@ class Sessions implements \SessionHandlerInterface { ini_get('session.cookie_secure'), ini_get('session.cookie_httponly')); } + return false; } public function open(string $path, string $name): bool { diff --git a/include/sessions.php b/include/sessions.php index cee2702be..586eab7d5 100644 --- a/include/sessions.php +++ b/include/sessions.php @@ -5,6 +5,8 @@ require_once 'autoload.php'; require_once 'errorhandler.php'; $sessions = new \Sessions; +$sessions->configure(); +$sessions->extend_session(); if (\Config::get_schema_version() >= 0) { session_set_save_handler($sessions); -- cgit v1.2.3-54-g00ecf