AbstractSessionHandler.php 4.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150
  1. <?php
  2. /*
  3. * This file is part of the Symfony package.
  4. *
  5. * (c) Fabien Potencier <fabien@symfony.com>
  6. *
  7. * For the full copyright and license information, please view the LICENSE
  8. * file that was distributed with this source code.
  9. */
  10. namespace Symfony\Component\HttpFoundation\Session\Storage\Handler;
  11. use Symfony\Component\HttpFoundation\Session\SessionUtils;
  12. /**
  13. * This abstract session handler provides a generic implementation
  14. * of the PHP 7.0 SessionUpdateTimestampHandlerInterface,
  15. * enabling strict and lazy session handling.
  16. *
  17. * @author Nicolas Grekas <p@tchwork.com>
  18. */
  19. abstract class AbstractSessionHandler implements \SessionHandlerInterface, \SessionUpdateTimestampHandlerInterface
  20. {
  21. private $sessionName;
  22. private $prefetchId;
  23. private $prefetchData;
  24. private $newSessionId;
  25. private $igbinaryEmptyData;
  26. /**
  27. * @return bool
  28. */
  29. public function open($savePath, $sessionName)
  30. {
  31. $this->sessionName = $sessionName;
  32. if (!headers_sent() && !ini_get('session.cache_limiter') && '0' !== ini_get('session.cache_limiter')) {
  33. header(sprintf('Cache-Control: max-age=%d, private, must-revalidate', 60 * (int) ini_get('session.cache_expire')));
  34. }
  35. return true;
  36. }
  37. /**
  38. * @return string
  39. */
  40. abstract protected function doRead(string $sessionId);
  41. /**
  42. * @return bool
  43. */
  44. abstract protected function doWrite(string $sessionId, string $data);
  45. /**
  46. * @return bool
  47. */
  48. abstract protected function doDestroy(string $sessionId);
  49. /**
  50. * @return bool
  51. */
  52. public function validateId($sessionId)
  53. {
  54. $this->prefetchData = $this->read($sessionId);
  55. $this->prefetchId = $sessionId;
  56. if (\PHP_VERSION_ID < 70317 || (70400 <= \PHP_VERSION_ID && \PHP_VERSION_ID < 70405)) {
  57. // work around https://bugs.php.net/79413
  58. foreach (debug_backtrace(\DEBUG_BACKTRACE_IGNORE_ARGS) as $frame) {
  59. if (!isset($frame['class']) && isset($frame['function']) && \in_array($frame['function'], ['session_regenerate_id', 'session_create_id'], true)) {
  60. return '' === $this->prefetchData;
  61. }
  62. }
  63. }
  64. return '' !== $this->prefetchData;
  65. }
  66. /**
  67. * @return string
  68. */
  69. public function read($sessionId)
  70. {
  71. if (null !== $this->prefetchId) {
  72. $prefetchId = $this->prefetchId;
  73. $prefetchData = $this->prefetchData;
  74. $this->prefetchId = $this->prefetchData = null;
  75. if ($prefetchId === $sessionId || '' === $prefetchData) {
  76. $this->newSessionId = '' === $prefetchData ? $sessionId : null;
  77. return $prefetchData;
  78. }
  79. }
  80. $data = $this->doRead($sessionId);
  81. $this->newSessionId = '' === $data ? $sessionId : null;
  82. return $data;
  83. }
  84. /**
  85. * @return bool
  86. */
  87. public function write($sessionId, $data)
  88. {
  89. if (null === $this->igbinaryEmptyData) {
  90. // see https://github.com/igbinary/igbinary/issues/146
  91. $this->igbinaryEmptyData = \function_exists('igbinary_serialize') ? igbinary_serialize([]) : '';
  92. }
  93. if ('' === $data || $this->igbinaryEmptyData === $data) {
  94. return $this->destroy($sessionId);
  95. }
  96. $this->newSessionId = null;
  97. return $this->doWrite($sessionId, $data);
  98. }
  99. /**
  100. * @return bool
  101. */
  102. public function destroy($sessionId)
  103. {
  104. if (!headers_sent() && filter_var(ini_get('session.use_cookies'), \FILTER_VALIDATE_BOOLEAN)) {
  105. if (!$this->sessionName) {
  106. throw new \LogicException(sprintf('Session name cannot be empty, did you forget to call "parent::open()" in "%s"?.', static::class));
  107. }
  108. $cookie = SessionUtils::popSessionCookie($this->sessionName, $sessionId);
  109. /*
  110. * We send an invalidation Set-Cookie header (zero lifetime)
  111. * when either the session was started or a cookie with
  112. * the session name was sent by the client (in which case
  113. * we know it's invalid as a valid session cookie would've
  114. * started the session).
  115. */
  116. if (null === $cookie || isset($_COOKIE[$this->sessionName])) {
  117. if (\PHP_VERSION_ID < 70300) {
  118. setcookie($this->sessionName, '', 0, ini_get('session.cookie_path'), ini_get('session.cookie_domain'), filter_var(ini_get('session.cookie_secure'), \FILTER_VALIDATE_BOOLEAN), filter_var(ini_get('session.cookie_httponly'), \FILTER_VALIDATE_BOOLEAN));
  119. } else {
  120. $params = session_get_cookie_params();
  121. unset($params['lifetime']);
  122. setcookie($this->sessionName, '', $params);
  123. }
  124. }
  125. }
  126. return $this->newSessionId === $sessionId || $this->doDestroy($sessionId);
  127. }
  128. }