JSession refactor Fixes #5088

joomla · Jul 11, 2015 · e36e879 · e36e879
1 parent 04f09d5
commit e36e879
Show file tree

Hide file tree

Showing 17 changed files with 2,022 additions and 141 deletions.
diff --git a/libraries/joomla/factory.php b/libraries/joomla/factory.php
@@ -587,14 +587,15 @@ protected static function createConfig($file, $type = 'PHP', $namespace = '')
 	 */
 	protected static function createSession(array $options = array())
 	{
-		// Get the editor configuration setting
-		$conf = self::getConfig();
+		// Get the Joomla configuration settings
+		$conf    = self::getConfig();
 		$handler = $conf->get('session_handler', 'none');
 
 		// Config time is in minutes
 		$options['expire'] = ($conf->get('lifetime')) ? $conf->get('lifetime') * 60 : 900;
 
-		$session = JSession::getInstance($handler, $options);
+		$sessionHandler = new JSessionHandlerJoomla($options);
+		$session        = JSession::getInstance($handler, $options, $sessionHandler);
 
 		if ($session->getState() == 'expired')
 		{

diff --git a/libraries/joomla/session/handler/interface.php b/libraries/joomla/session/handler/interface.php
@@ -0,0 +1,115 @@
+<?php
+/**
+ * @package     Joomla.Platform
+ * @subpackage  Session
+ *
+ * @copyright   Copyright (C) 2005 - 2014 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE
+ */
+
+defined('JPATH_PLATFORM') or die;
+
+/**
+ * Interface for managing HTTP sessions
+ *
+ * @since  3.5
+ */
+interface JSessionHandlerInterface
+{
+	/**
+	 * Starts the session.
+	 *
+	 * @return  boolean  True if started.
+	 *
+	 * @since   3.5
+	 * @throws  RuntimeException If something goes wrong starting the session.
+	 */
+	public function start();
+
+	/**
+	 * Checks if the session is started.
+	 *
+	 * @return  boolean  True if started, false otherwise.
+	 *
+	 * @since   3.5
+	 */
+	public function isStarted();
+
+	/**
+	 * Returns the session ID
+	 *
+	 * @return  string  The session ID
+	 *
+	 * @since   3.5
+	 */
+	public function getId();
+
+	/**
+	 * Sets the session ID
+	 *
+	 * @param   string  $id  The session ID
+	 *
+	 * @return  void
+	 *
+	 * @since   3.5
+	 */
+	public function setId($id);
+
+	/**
+	 * Returns the session name
+	 *
+	 * @return  mixed  The session name.
+	 *
+	 * @since   3.5
+	 */
+	public function getName();
+
+	/**
+	 * Sets the session name
+	 *
+	 * @param   string  $name  The name of the session
+	 *
+	 * @return  void
+	 *
+	 * @since   3.5
+	 */
+	public function setName($name);
+
+	/**
+	 * Regenerates ID that represents this storage.
+	 *
+	 * Note regenerate+destroy should not clear the session data in memory only delete the session data from persistent storage.
+	 *
+	 * @param   boolean  $destroy   Destroy session when regenerating?
+	 * @param   integer  $lifetime  Sets the cookie lifetime for the session cookie. A null value will leave the system settings unchanged,
+	 *                              0 sets the cookie to expire with browser session. Time is in seconds, and is not a Unix timestamp.
+	 *
+	 * @return  boolean  True if session regenerated, false if error
+	 *
+	 * @since   3.5
+	 */
+	public function regenerate($destroy = false, $lifetime = null);
+
+	/**
+	 * Force the session to be saved and closed.
+	 *
+	 * This method must invoke session_write_close() unless this interface is used for a storage object design for unit or functional testing where
+	 * a real PHP session would interfere with testing, in which case it should actually persist the session data if required.
+	 *
+	 * @return  void
+	 *
+	 * @see     session_write_close()
+	 * @since   3.5
+	 * @throws  RuntimeException  If the session is saved without being started, or if the session is already closed.
+	 */
+	public function save();
+
+	/**
+	 * Clear all session data in memory.
+	 *
+	 * @return  void
+	 *
+	 * @since   3.5
+	 */
+	public function clear();
+}
diff --git a/libraries/joomla/session/handler/joomla.php b/libraries/joomla/session/handler/joomla.php
@@ -0,0 +1,160 @@
+<?php
+/**
+ * @package     Joomla.Platform
+ * @subpackage  Session
+ *
+ * @copyright   Copyright (C) 2005 - 2014 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE
+ */
+
+defined('JPATH_PLATFORM') or die;
+
+/**
+ * Interface for managing HTTP sessions
+ *
+ * @since  3.5
+ */
+class JSessionHandlerJoomla extends JSessionHandlerNative
+{
+	/**
+	 * The input object
+	 *
+	 * @var    JInput
+	 * @since  3.5
+	 */
+	public $input = null;
+
+	/**
+	 * Force cookies to be SSL only
+	 *
+	 * @var    boolean
+	 * @since  3.5
+	 */
+	protected $force_ssl = false;
+
+	/**
+	 * Public constructor
+	 *
+	 * @param   array  $options  An array of configuration options
+	 *
+	 * @since   3.5
+	 */
+	public function __construct($options = array())
+	{
+		// Disable transparent sid support
+		ini_set('session.use_trans_sid', '0');
+
+		// Only allow the session ID to come from cookies and nothing else.
+		ini_set('session.use_only_cookies', '1');
+
+		// Set options
+		$this->setOptions($options);
+		$this->setCookieParams();
+	}
+
+	/**
+	 * Starts the session
+	 *
+	 * @return  boolean  True if started
+	 *
+	 * @since   3.5
+	 * @throws  RuntimeException If something goes wrong starting the session.
+	 */
+	public function start()
+	{
+		$session_name = $this->getName();
+
+		// Get the JInputCookie object
+		$cookie = $this->input->cookie;
+
+		if (is_null($cookie->get($session_name)))
+		{
+			$session_clean = $this->input->get($session_name, false, 'string');
+
+			if ($session_clean)
+			{
+				$this->setId($session_clean);
+				$cookie->set($session_name, '', time() - 3600);
+			}
+		}
+
+		return parent::start();
+	}
+
+	/**
+	 * Clear all session data in memory.
+	 *
+	 * @return  void
+	 *
+	 * @since   3.5
+	 */
+	public function clear()
+	{
+		$session_name = $this->getName();
+
+		/*
+		 * In order to kill the session altogether, such as to log the user out, the session id
+		 * must also be unset. If a cookie is used to propagate the session id (default behavior),
+		 * then the session cookie must be deleted.
+		 */
+		if (isset($_COOKIE[$session_name]))
+		{
+			$config        = JFactory::getConfig();
+			$cookie_domain = $config->get('cookie_domain', '');
+			$cookie_path   = $config->get('cookie_path', '/');
+			setcookie($session_name, '', time() - 42000, $cookie_path, $cookie_domain);
+		}
+
+		parent::clear();
+	}
+
+	/**
+	 * Set session cookie parameters
+	 *
+	 * @return  void
+	 *
+	 * @since   3.5
+	 */
+	protected function setCookieParams()
+	{
+		$cookie = session_get_cookie_params();
+
+		if ($this->force_ssl)
+		{
+			$cookie['secure'] = true;
+		}
+
+		$config = JFactory::getConfig();
+
+		if ($config->get('cookie_domain', '') != '')
+		{
+			$cookie['domain'] = $config->get('cookie_domain');
+		}
+
+		if ($config->get('cookie_path', '') != '')
+		{
+			$cookie['path'] = $config->get('cookie_path');
+		}
+
+		session_set_cookie_params($cookie['lifetime'], $cookie['path'], $cookie['domain'], $cookie['secure'], true);
+	}
+
+	/**
+	 * Set additional session options
+	 *
+	 * @param   array  $options  List of parameter
+	 *
+	 * @return  boolean  True on success
+	 *
+	 * @since   3.5
+	 */
+	protected function setOptions(array $options)
+	{
+		if (isset($options['force_ssl']))
+		{
+			$this->force_ssl = (bool) $options['force_ssl'];
+		}
+
+		return true;
+	}
+}