forked from pantheon-systems/wp-native-php-sessions
-
Notifications
You must be signed in to change notification settings - Fork 0
/
pantheon-sessions.php
206 lines (169 loc) · 6.77 KB
/
pantheon-sessions.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
<?php
/*
Plugin Name: Pantheon Sessions for WordPress
Version: 0.1-alpha
Description: Offload PHP sessions to your database for multi-server compatibility.
Author: Pantheon
Author URI: https://www.getpantheon.com/
Plugin URI: https://www.getpantheon.com/
Text Domain: pantheon-sessions
Domain Path: /languages
*/
class Pantheon_Sessions {
private static $instance;
public static function get_instance() {
if ( ! isset( self::$instance ) ) {
self::$instance = new Pantheon_Sessions;
self::$instance->load();
}
}
/**
* Load the plugin
*/
private function load() {
$this->define_constants();
$this->require_files();
if ( PANTHEON_SESSIONS_ENABLED ) {
$this->setup_database();
$this->set_ini_values();
$this->initialize_session_override();
}
}
/**
* Define our constants
*/
private function define_constants() {
define( 'PANTHEON_SESSIONS_VERSION', '0.1-alpha' );
if ( ! defined( 'PANTHEON_SESSIONS_ENABLED' ) ) {
define( 'PANTHEON_SESSIONS_ENABLED', 1 );
}
}
/**
* Load required files
*/
private function require_files() {
if ( defined( 'WP_CLI' ) && WP_CLI ) {
require_once dirname( __FILE__ ) . '/inc/class-cli-command.php';
}
require_once dirname( __FILE__ ) . '/callbacks.php';
if ( is_admin() ) {
require_once dirname( __FILE__ ) . '/inc/class-admin.php';
$this->admin = Pantheon_Sessions\Admin::get_instance();
}
}
/**
* Set the PHP ini settings for the session implementation to work properly
*
* Largely adopted from Drupal 7's implementation
*/
private function set_ini_values() {
// If the user specifies the cookie domain, also use it for session name.
if ( defined( 'COOKIE_DOMAIN' ) && constant( 'COOKIE_DOMAIN' ) ) {
$session_name = $cookie_domain = constant( 'COOKIE_DOMAIN' );
} else {
$session_name = parse_url( home_url(), PHP_URL_HOST );
$cookie_domain = ltrim( $session_name, '.' );
// Strip leading periods, www., and port numbers from cookie domain.
if ( strpos( $cookie_domain, 'www.' ) === 0 ) {
$cookie_domain = substr( $cookie_domain, 4 );
}
$cookie_domain = explode( ':', $cookie_domain );
$cookie_domain = '.' . $cookie_domain[0];
}
// Per RFC 2109, cookie domains must contain at least one dot other than the
// first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain.
if ( count( explode( '.', $cookie_domain ) ) > 2 && ! is_numeric( str_replace( '.', '', $cookie_domain ) ) ) {
ini_set( 'session.cookie_domain', $cookie_domain );
}
// To prevent session cookies from being hijacked, a user can configure the
// SSL version of their website to only transfer session cookies via SSL by
// using PHP's session.cookie_secure setting. The browser will then use two
// separate session cookies for the HTTPS and HTTP versions of the site. So we
// must use different session identifiers for HTTPS and HTTP to prevent a
// cookie collision.
if ( is_ssl() ) {
ini_set( 'session.cookie_secure', TRUE );
}
$prefix = ini_get( 'session.cookie_secure' ) ? 'SSESS' : 'SESS';
session_name( $prefix . substr( hash( 'sha256', $session_name ), 0, 32 ) );
// Use session cookies, not transparent sessions that puts the session id in
// the query string.
ini_set( 'session.use_cookies', '1' );
ini_set( 'session.use_only_cookies', '1' );
ini_set( 'session.use_trans_sid', '0' );
// Don't send HTTP headers using PHP's session handler.
// An empty string is used here to disable the cache limiter.
ini_set( 'session.cache_limiter', '' );
// Use httponly session cookies. Limits use by JavaScripts
ini_set( 'session.cookie_httponly', '1' );
}
/**
* Override the default sessions implementation with our own
*
* Largely adopted from Drupal 7's implementation
*/
private function initialize_session_override() {
session_set_save_handler( '_pantheon_session_open', '_pantheon_session_close', '_pantheon_session_read', '_pantheon_session_write', '_pantheon_session_destroy', '_pantheon_session_garbage_collection' );
require_once dirname( __FILE__ ) . '/inc/class-session.php';
// We use !empty() in the following check to ensure that blank session IDs are not valid.
if ( ! empty( $_COOKIE[ session_name() ] ) || ( is_ssl() && ! empty( $_COOKIE[ substr(session_name(), 1) ] ) ) ) {
// If a session cookie exists, initialize the session. Otherwise the
// session is only started on demand in _pantheon_session_write(), making
// anonymous users not use a session cookie unless something is stored in
// $_SESSION. This allows HTTP proxies to cache anonymous pageviews.
if ( get_current_user_id() || ! empty( $_SESSION ) ) {
nocache_headers();
}
} else {
// Set a session identifier for this request. This is necessary because
// we lazily start sessions at the end of this request
session_id( $this->get_random_key() );
if ( is_ssl() ) {
$insecure_session_name = substr( session_name(), 1 );
$session_id = $this->get_random_key();
$_COOKIE[ $insecure_session_name ] = $session_id;
}
}
}
/**
* Set up the database
*/
private function setup_database() {
global $wpdb, $table_prefix;
$table_name = "{$table_prefix}pantheon_sessions";
$wpdb->pantheon_sessions = $table_name;
$wpdb->tables[] = $table_name;
if ( get_option( 'pantheon_session_version' ) ) {
return;
}
$create_statement = "CREATE TABLE IF NOT EXISTS `{$table_name}` (
`user_id` bigint(20) unsigned NOT NULL COMMENT 'The user_id corresponding to a session, or 0 for anonymous user.',
`session_id` varchar(128) NOT NULL DEFAULT '' COMMENT 'A session ID. The value is generated by plugin''s session handlers.',
`secure_session_id` varchar(128) NOT NULL DEFAULT '' COMMENT 'Secure session ID. The value is generated by plugin''s session handlers.',
`ip_address` varchar(128) NOT NULL DEFAULT '' COMMENT 'The IP address that last used this session ID.',
`datetime` datetime DEFAULT NULL COMMENT 'The datetime value when this session last requested a page. Old records are purged by PHP automatically.',
`data` blob COMMENT 'The serialized contents of \$_SESSION, an array of name/value pairs that persists across page requests by this session ID. Plugin loads \$_SESSION from here at the start of each request and saves it at the end.',
KEY `session_id` (`session_id`),
KEY `secure_session_id` (`secure_session_id`)
)";
$wpdb->query( $create_statement );
update_option( 'pantheon_session_version', PANTHEON_SESSIONS_VERSION );
}
/**
* Get a randomized key
*
* @return string
*/
public function get_random_key() {
require_once( ABSPATH . 'wp-includes/class-phpass.php');
$hasher = new PasswordHash( 8, false );
return md5( $hasher->get_random_bytes( 32 ) );
}
}
/**
* Release the kraken!
*/
function Pantheon_Sessions() {
return Pantheon_Sessions::get_instance();
}
Pantheon_Sessions();