1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
|
<?php
/**
* Matomo - free/libre analytics platform
*
* @link https://matomo.org
* @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
*/
namespace Piwik\Session;
use Piwik\Config;
use Piwik\Date;
/**
* Manages session information that is used to identify who the session
* is for.
*
* Once a session is authenticated using either a user name & password or
* token auth, some information about the user is stored in the session.
* This info includes the user name and the user agent
* string of the user's client, and a random session secret.
*
* In subsequent requests that use this session, we use the above information
* to verify that the session is allowed to be used by the person sending the
* request.
*
* This is accomplished by checking the request's user agent
* against what is stored in the session. If it doesn't then this is a
* session hijacking attempt.
*
* We also check that a hash in the matomo_auth cookie matches the hash
* of the time the user last changed their password + the session secret.
* If they don't match, the password has been changed since this session
* started, and is no longer valid.
*/
class SessionFingerprint
{
// used in case the global.ini.php becomes corrupt or doesn't update properly
public const DEFAULT_IDLE_TIMEOUT = 3600;
public const USER_NAME_SESSION_VAR_NAME = 'user.name';
public const SESSION_INFO_SESSION_VAR_NAME = 'session.info';
public const SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED = 'twofactorauth.verified';
public const SESSION_INFO_TEMP_TOKEN_AUTH = 'user.token_auth_temp';
public function getUser()
{
if (isset($_SESSION[self::USER_NAME_SESSION_VAR_NAME])) {
return $_SESSION[self::USER_NAME_SESSION_VAR_NAME];
}
return null;
}
public function getUserInfo()
{
if (isset($_SESSION[self::SESSION_INFO_SESSION_VAR_NAME])) {
return $_SESSION[self::SESSION_INFO_SESSION_VAR_NAME];
}
return null;
}
public function getSessionTokenAuth()
{
if (!empty($_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH])) {
return $_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH];
}
return null;
}
public function hasVerifiedTwoFactor()
{
if (isset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED])) {
return !empty($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED]);
}
return null;
}
public function setTwoFactorAuthenticationVerified()
{
$_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED] = 1;
}
public function initialize(
$userName,
#[\SensitiveParameter]
$tokenAuth,
$isRemembered = false,
$time = null
) {
$time = $time ?: Date::now()->getTimestampUTC();
$_SESSION[self::USER_NAME_SESSION_VAR_NAME] = $userName;
$_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED] = 0;
$_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH] = $tokenAuth;
$_SESSION[self::SESSION_INFO_SESSION_VAR_NAME] = [
'ts' => $time,
'remembered' => $isRemembered,
'expiration' => $this->getExpirationTimeFromNow($time),
];
}
public function clear()
{
if (isset($_SESSION[self::USER_NAME_SESSION_VAR_NAME])) { // may not be available during tests
unset($_SESSION[self::USER_NAME_SESSION_VAR_NAME]);
}
if (isset($_SESSION[self::SESSION_INFO_SESSION_VAR_NAME])) { // may not be available during tests
unset($_SESSION[self::SESSION_INFO_SESSION_VAR_NAME]);
}
if (isset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED])) { // may not be available during tests
unset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED]);
}
if (isset($_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH])) { // may not be available during tests
unset($_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH]);
}
}
public function getSessionStartTime()
{
$userInfo = $this->getUserInfo();
if (
empty($userInfo)
|| empty($userInfo['ts'])
) {
return null;
}
return $userInfo['ts'];
}
public function getExpirationTime()
{
$userInfo = $this->getUserInfo();
if (
empty($userInfo)
|| empty($userInfo['expiration'])
) {
return null;
}
return $userInfo['expiration'];
}
public function isRemembered()
{
$userInfo = $this->getUserInfo();
return !empty($userInfo['remembered']);
}
public function updateSessionExpirationTime()
{
$_SESSION[self::SESSION_INFO_SESSION_VAR_NAME]['expiration'] = $this->getExpirationTimeFromNow();
}
private function getExpirationTimeFromNow($time = null)
{
$time = $time ?: Date::now()->getTimestampUTC();
$general = Config::getInstance()->General;
if (
!isset($general['login_session_not_remembered_idle_timeout'])
|| (int) $general['login_session_not_remembered_idle_timeout'] <= 0
) {
$nonRememberedSessionExpireTime = self::DEFAULT_IDLE_TIMEOUT;
} else {
$nonRememberedSessionExpireTime = (int) $general['login_session_not_remembered_idle_timeout'];
}
$sessionCookieLifetime = $general['login_cookie_expire'];
if ($this->isRemembered()) {
$expireDuration = $sessionCookieLifetime;
} else {
$expireDuration = $nonRememberedSessionExpireTime;
}
return $time + $expireDuration;
}
}
|
