public static function loadAviary()
{
if (Config::inst()->get('Aviary', 'LocalProcessing') && Config::inst()->get('Aviary', 'UseLocalLibrary') && ($libary = self::fetchLocalAviaryLibrary())) {
Requirements::javascript($libary);
} elseif (Director::is_https()) {
Requirements::javascript('https://dme0ih8comzn4.cloudfront.net/imaging/v3/editor.js');
} else {
Requirements::javascript('http://feather.aviary.com/imaging/v3/editor.js');
}
Requirements::javascript(AVIARY_DIR . '/javascript/aviary.js');
Requirements::css(AVIARY_DIR . '/css/aviary.css');
}
/**
* Returns an endpoint (a base Oembed URL) from first matching provider.
*
* @param $url Human-readable URL.
* @returns string/bool URL of an endpoint, or false if no matching provider exists.
*/
protected static function find_endpoint($url)
{
foreach (self::get_providers() as $scheme => $endpoint) {
if (self::matches_scheme($url, $scheme)) {
$protocol = Director::is_https() ? 'https' : 'http';
if (is_array($endpoint)) {
if (array_key_exists($protocol, $endpoint)) {
$endpoint = $endpoint[$protocol];
} else {
$endpoint = reset($endpoint);
}
}
return $endpoint;
}
}
return false;
}
/**
* Show the "login" page
*
* @return string Returns the "login" page as HTML code.
*/
public function login()
{
try {
if (!defined('OPENSTACKID_ENABLED') || OPENSTACKID_ENABLED == false) {
return parent::login();
}
$member = Member::currentUser();
if ($member) {
// user is already logged in
return $this->redirect(OpenStackIdCommon::getRedirectBackUrl());
}
if (!Director::is_https()) {
OpenStackIdCommon::redirectToSSL($_SERVER['REQUEST_URI']);
}
// Begin the OpenID authentication process.
$auth_request = $this->consumer->begin(IDP_OPENSTACKID_URL);
//remove jainrain nonce
unset($auth_request->return_to_args['janrain_nonce']);
// No auth request means we can't begin OpenID.
if (!$auth_request) {
throw new Exception("The OpenID authentication failed.");
}
if (Auth_OpenID_supportsSReg($auth_request->endpoint)) {
//SREG
$sreg_request = Auth_OpenID_SRegRequest::build(array('email', 'fullname'), array('country', 'language'));
if ($sreg_request) {
$auth_request->addExtension($sreg_request);
}
} else {
//AX
// Create attribute request object
// See http://code.google.com/apis/accounts/docs/OpenID.html#Parameters for parameters
// Usage: make($type_uri, $count=1, $required=false, $alias=null)
$attribute[] = Auth_OpenID_AX_AttrInfo::make('http://axschema.org/contact/email', 1, 1, 'email');
$attribute[] = Auth_OpenID_AX_AttrInfo::make('http://axschema.org/namePerson/first', 1, 1, 'firstname');
$attribute[] = Auth_OpenID_AX_AttrInfo::make('http://axschema.org/namePerson/last', 1, 1, 'lastname');
$attribute[] = Auth_OpenID_AX_AttrInfo::make('http://axschema.org/namePerson', 1, 1, 'fullname');
// Create AX fetch request
$ax = new Auth_OpenID_AX_FetchRequest();
// Add attributes to AX fetch request
foreach ($attribute as $attr) {
$ax->add($attr);
}
// Add AX fetch request to authentication request
$auth_request->addExtension($ax);
}
//Redirect the user to the OpenID server for authentication .
// Store the token for this authentication so we can verify the
// response.
// For OpenID 1, send a redirect. For OpenID 2, use a Javascript
// form to send a POST request to the server.
if ($auth_request->shouldSendRedirect()) {
$redirect_url = $auth_request->redirectURL($this->getTrustRoot(), $this->getReturnTo());
// If the redirect URL can't be built, display an error
// message.
if (Auth_OpenID::isFailure($redirect_url)) {
echo "Could not redirect to server: " . $redirect_url->message;
} else {
// Send redirect.
header("Location: " . $redirect_url);
}
} else {
// Generate form markup and render it.
$form_id = 'openid_message';
$form_html = $auth_request->htmlMarkup(OpenStackIdCommon::getTrustRoot(), OpenStackIdCommon::getReturnTo(), false, array('id' => $form_id));
// Display an error if the form markup couldn't be generated;
// otherwise, render the HTML.
if (Auth_OpenID::isFailure($form_html)) {
echo "Could not redirect to server: " . $form_html->message;
} else {
print $form_html;
}
}
exit;
} catch (Exception $ex) {
SS_Log::log($ex, SS_Log::WARN);
Session::set("Security.Message.message", $ex->getMessage());
Session::set("Security.Message.type", "bad");
return $this->redirect("Security/badlogin");
}
}
/**
* Is there a session ID in the request?
* @return bool
*/
public static function request_contains_session_id()
{
$secure = Director::is_https() && Config::inst()->get('Session', 'cookie_secure');
$name = $secure ? 'SECSESSID' : session_name();
return isset($_COOKIE[$name]) || isset($_REQUEST[$name]);
}
/**
* Add the appropriate caching headers to the response, including If-Modified-Since / 304 handling.
* Note that setting HTTP::$cache_age will overrule any cache headers set by PHP's
* session_cache_limiter functionality. It is your responsibility to ensure only cacheable data
* is in fact cached, and HTTP::$cache_age isn't set when the HTTP body contains session-specific content.
*
* @param SS_HTTPResponse $body The SS_HTTPResponse object to augment. Omitted the argument or passing a string is
* deprecated; in these cases, the headers are output directly.
*/
public static function add_cache_headers($body = null)
{
$cacheAge = self::$cache_age;
// Validate argument
if ($body && !$body instanceof SS_HTTPResponse) {
user_error("HTTP::add_cache_headers() must be passed an SS_HTTPResponse object", E_USER_WARNING);
$body = null;
}
// Development sites have frequently changing templates; this can get stuffed up by the code
// below.
if (Director::isDev()) {
$cacheAge = 0;
}
// The headers have been sent and we don't have an SS_HTTPResponse object to attach things to; no point in
// us trying.
if (headers_sent() && !$body) {
return;
}
// Populate $responseHeaders with all the headers that we want to build
$responseHeaders = array();
$config = Config::inst();
$cacheControlHeaders = Config::inst()->get('HTTP', 'cache_control');
// currently using a config setting to cancel this, seems to be so that the CMS caches ajax requests
if (function_exists('apache_request_headers') && $config->get(get_called_class(), 'cache_ajax_requests')) {
$requestHeaders = array_change_key_case(apache_request_headers(), CASE_LOWER);
if (isset($requestHeaders['x-requested-with']) && $requestHeaders['x-requested-with'] == 'XMLHttpRequest') {
$cacheAge = 0;
}
}
if ($cacheAge > 0) {
$cacheControlHeaders['max-age'] = self::$cache_age;
// Set empty pragma to avoid PHP's session_cache_limiter adding conflicting caching information,
// defaulting to "nocache" on most PHP configurations (see http://php.net/session_cache_limiter).
// Since it's a deprecated HTTP 1.0 option, all modern HTTP clients and proxies should
// prefer the caching information indicated through the "Cache-Control" header.
$responseHeaders["Pragma"] = "";
// To do: User-Agent should only be added in situations where you *are* actually
// varying according to user-agent.
$responseHeaders['Vary'] = 'Cookie, X-Forwarded-Protocol, User-Agent, Accept';
} else {
if ($body) {
// Grab header for checking. Unfortunately HTTPRequest uses a mistyped variant.
$contentDisposition = $body->getHeader('Content-disposition');
if (!$contentDisposition) {
$contentDisposition = $body->getHeader('Content-Disposition');
}
}
if ($body && Director::is_https() && isset($_SERVER['HTTP_USER_AGENT']) && strstr($_SERVER['HTTP_USER_AGENT'], 'MSIE') == true && strstr($contentDisposition, 'attachment;') == true) {
// IE6-IE8 have problems saving files when https and no-cache are used
// (http://support.microsoft.com/kb/323308)
// Note: this is also fixable by ticking "Do not save encrypted pages to disk" in advanced options.
$cacheControlHeaders['max-age'] = 3;
// Set empty pragma to avoid PHP's session_cache_limiter adding conflicting caching information,
// defaulting to "nocache" on most PHP configurations (see http://php.net/session_cache_limiter).
// Since it's a deprecated HTTP 1.0 option, all modern HTTP clients and proxies should
// prefer the caching information indicated through the "Cache-Control" header.
$responseHeaders["Pragma"] = "";
} else {
$cacheControlHeaders['no-cache'] = "true";
}
}
foreach ($cacheControlHeaders as $header => $value) {
if (is_null($value)) {
unset($cacheControlHeaders[$header]);
} elseif (is_bool($value) && $value || $value === "true") {
$cacheControlHeaders[$header] = $header;
} else {
$cacheControlHeaders[$header] = $header . "=" . $value;
}
}
$responseHeaders['Cache-Control'] = implode(', ', $cacheControlHeaders);
unset($cacheControlHeaders, $header, $value);
if (self::$modification_date && $cacheAge > 0) {
$responseHeaders["Last-Modified"] = self::gmt_date(self::$modification_date);
// Chrome ignores Varies when redirecting back (http://code.google.com/p/chromium/issues/detail?id=79758)
// which means that if you log out, you get redirected back to a page which Chrome then checks against
// last-modified (which passes, getting a 304)
// when it shouldn't be trying to use that page at all because it's the "logged in" version.
// By also using and etag that includes both the modification date and all the varies
// values which we also check against we can catch this and not return a 304
$etagParts = array(self::$modification_date, serialize($_COOKIE));
$etagParts[] = Director::is_https() ? 'https' : 'http';
if (isset($_SERVER['HTTP_USER_AGENT'])) {
$etagParts[] = $_SERVER['HTTP_USER_AGENT'];
}
if (isset($_SERVER['HTTP_ACCEPT'])) {
$etagParts[] = $_SERVER['HTTP_ACCEPT'];
}
$etag = sha1(implode(':', $etagParts));
$responseHeaders["ETag"] = $etag;
// 304 response detection
if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE'])) {
$ifModifiedSince = strtotime(stripslashes($_SERVER['HTTP_IF_MODIFIED_SINCE']));
// As above, only 304 if the last request had all the same varies values
// (or the etag isn't passed as part of the request - but with chrome it always is)
$matchesEtag = !isset($_SERVER['HTTP_IF_NONE_MATCH']) || $_SERVER['HTTP_IF_NONE_MATCH'] == $etag;
if ($ifModifiedSince >= self::$modification_date && $matchesEtag) {
if ($body) {
$body->setStatusCode(304);
$body->setBody('');
} else {
header('HTTP/1.0 304 Not Modified');
die;
}
}
}
$expires = time() + $cacheAge;
$responseHeaders["Expires"] = self::gmt_date($expires);
}
if (self::$etag) {
$responseHeaders['ETag'] = self::$etag;
}
// Now that we've generated them, either output them or attach them to the SS_HTTPResponse as appropriate
foreach ($responseHeaders as $k => $v) {
if ($body) {
// Set the header now if it's not already set.
if ($body->getHeader($k) === null) {
$body->addHeader($k, $v);
}
} elseif (!headers_sent()) {
header("{$k}: {$v}");
}
}
}
public function testIsHttps()
{
if (!TRUSTED_PROXY) {
$this->markTestSkipped('Test cannot be run without trusted proxy');
}
// nothing available
$headers = array('HTTP_X_FORWARDED_PROTOCOL', 'HTTPS', 'SSL');
$origServer = $_SERVER;
foreach ($headers as $header) {
if (isset($_SERVER[$header])) {
unset($_SERVER['HTTP_X_FORWARDED_PROTOCOL']);
}
}
$this->assertFalse(Director::is_https());
$_SERVER['HTTP_X_FORWARDED_PROTOCOL'] = 'https';
$this->assertTrue(Director::is_https());
$_SERVER['HTTP_X_FORWARDED_PROTOCOL'] = 'http';
$this->assertFalse(Director::is_https());
$_SERVER['HTTP_X_FORWARDED_PROTOCOL'] = 'ftp';
$this->assertFalse(Director::is_https());
$_SERVER['HTTP_X_FORWARDED_PROTO'] = 'https';
$this->assertTrue(Director::is_https());
$_SERVER['HTTP_X_FORWARDED_PROTO'] = 'http';
$this->assertFalse(Director::is_https());
$_SERVER['HTTP_X_FORWARDED_PROTO'] = 'ftp';
$this->assertFalse(Director::is_https());
$_SERVER['HTTP_FRONT_END_HTTPS'] = 'On';
$this->assertTrue(Director::is_https());
$_SERVER['HTTP_FRONT_END_HTTPS'] = 'Off';
$this->assertFalse(Director::is_https());
// https via HTTPS
$_SERVER['HTTPS'] = 'true';
$this->assertTrue(Director::is_https());
$_SERVER['HTTPS'] = '1';
$this->assertTrue(Director::is_https());
$_SERVER['HTTPS'] = 'off';
$this->assertFalse(Director::is_https());
// https via SSL
$_SERVER['SSL'] = '';
$this->assertTrue(Director::is_https());
$_SERVER = $origServer;
}
/**
* @param File|string $f - the string should be the Filename field of a File
* @param int $linkType [optional]
* @return string
*/
public function getLinkFor($f, $linkType = self::LINK_SMART)
{
switch ($linkType) {
case self::LINK_HTTP:
$field = 'baseURL';
break;
case self::LINK_HTTPS:
$field = 'secureURL';
break;
default:
$ssl = Director::is_https() && !empty($this->secureURL);
$field = $ssl ? 'secureURL' : 'baseURL';
}
$base = null;
if (count($this->{$field}) > 1 && is_object($f)) {
// If there are multiple urls, use cloud meta to remember
// which one we used so the url stays the same for any
// given image, allowing the image to still be cached
$base = $f->getCloudMeta($field);
if (!$base) {
$base = $this->roundRobinGet($field);
$f->setCloudMeta($field, $base);
$f->write();
}
} else {
// If there's only one, don't touch meta data
$base = $this->roundRobinGet($field);
}
return $base . $this->getRelativeLinkFor($f);
}
/**
*
* @param File $file
* @return void
*/
public function sendFileToBrowser($file)
{
$path = $file->getFullPath();
if (SapphireTest::is_running_test()) {
return file_get_contents($path);
}
$basename = basename($path);
$length = $file->getAbsoluteSize();
$type = HTTP::get_mime_type($file->getRelativePath());
//handling time limitation
if ($threshold = $this->config()->bandwidth_threshold) {
increase_time_limit_to((int) ($length / $threshold));
} else {
increase_time_limit_to();
}
// send header
header('Content-Description: File Transfer');
/*
* allow inline 'save as' popup, double quotation is present to prevent browser (eg. Firefox) from handling
* wrongly a file with a name with whitespace, through a file in SilverStripe should not contain any whitespace
* if the file is uploaded through SS interface
* http://kb.mozillazine.org/Filenames_with_spaces_are_truncated_upon_download
*/
header('Content-Type: ' . $type);
header('Content-Disposition: inline; filename=' . $basename);
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . $length);
/**
* issue fixes for IE6,7,8 when downloading a file over HTTPS (http://support.microsoft.com/kb/812935)
* http://www.dotvoid.com/2009/10/problem-with-downloading-files-with-internet-explorer-over-https/
*/
if (Director::is_https()) {
header('Pragma: ');
}
header('Expires: 0');
header('Cache-Control: must-revalidate');
/**
* unload the php session file
* see http://konrness.com/php5/how-to-prevent-blocking-php-requests
*/
session_write_close();
// if output buffering is active, we clear it to prevent the script from trying to to allocate memory for entire file.
while (ob_get_level() > 0) {
ob_end_clean();
}
flush();
readfile($path);
exit(0);
}
/**
* Add the appropriate caching headers to the response, including If-Modified-Since / 304 handling.
*
* @param SS_HTTPResponse The SS_HTTPResponse object to augment. Omitted the argument or passing a string is
* deprecated; in these cases, the headers are output directly.
*/
public static function add_cache_headers($body = null)
{
$cacheAge = self::$cache_age;
// Validate argument
if ($body && !$body instanceof SS_HTTPResponse) {
user_error("HTTP::add_cache_headers() must be passed an SS_HTTPResponse object", E_USER_WARNING);
$body = null;
}
// Development sites have frequently changing templates; this can get stuffed up by the code
// below.
if (Director::isDev()) {
$cacheAge = 0;
}
// The headers have been sent and we don't have an SS_HTTPResponse object to attach things to; no point in
// us trying.
if (headers_sent() && !$body) {
return;
}
// Popuplate $responseHeaders with all the headers that we want to build
$responseHeaders = array();
if (function_exists('apache_request_headers')) {
$requestHeaders = apache_request_headers();
if (isset($requestHeaders['X-Requested-With']) && $requestHeaders['X-Requested-With'] == 'XMLHttpRequest') {
$cacheAge = 0;
}
// bdc: now we must check for DUMB IE6:
if (isset($requestHeaders['x-requested-with']) && $requestHeaders['x-requested-with'] == 'XMLHttpRequest') {
$cacheAge = 0;
}
}
if ($cacheAge > 0) {
$responseHeaders["Cache-Control"] = "max-age={$cacheAge}, must-revalidate, no-transform";
$responseHeaders["Pragma"] = "";
// To do: User-Agent should only be added in situations where you *are* actually
// varying according to user-agent.
$responseHeaders['Vary'] = 'Cookie, X-Forwarded-Protocol, User-Agent, Accept';
} else {
if ($body) {
// Grab header for checking. Unfortunately HTTPRequest uses a mistyped variant.
$contentDisposition = $body->getHeader('Content-disposition');
if (!$contentDisposition) {
$contentDisposition = $body->getHeader('Content-Disposition');
}
}
if ($body && Director::is_https() && strstr($_SERVER["HTTP_USER_AGENT"], 'MSIE') == true && strstr($contentDisposition, 'attachment;') == true) {
// IE6-IE8 have problems saving files when https and no-cache are used
// (http://support.microsoft.com/kb/323308)
// Note: this is also fixable by ticking "Do not save encrypted pages to disk" in advanced options.
$responseHeaders["Cache-Control"] = "max-age=3, must-revalidate, no-transform";
$responseHeaders["Pragma"] = "";
} else {
$responseHeaders["Cache-Control"] = "no-cache, max-age=0, must-revalidate, no-transform";
}
}
if (self::$modification_date && $cacheAge > 0) {
$responseHeaders["Last-Modified"] = self::gmt_date(self::$modification_date);
// Chrome ignores Varies when redirecting back (http://code.google.com/p/chromium/issues/detail?id=79758)
// which means that if you log out, you get redirected back to a page which Chrome then checks against
// last-modified (which passes, getting a 304)
// when it shouldn't be trying to use that page at all because it's the "logged in" version.
// By also using and etag that includes both the modification date and all the varies
// values which we also check against we can catch this and not return a 304
$etagParts = array(self::$modification_date, serialize($_COOKIE));
$etagParts[] = Director::is_https() ? 'https' : 'http';
if (isset($_SERVER['HTTP_USER_AGENT'])) {
$etagParts[] = $_SERVER['HTTP_USER_AGENT'];
}
if (isset($_SERVER['HTTP_ACCEPT'])) {
$etagParts[] = $_SERVER['HTTP_ACCEPT'];
}
$etag = sha1(implode(':', $etagParts));
$responseHeaders["ETag"] = $etag;
// 304 response detection
if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE'])) {
$ifModifiedSince = strtotime(stripslashes($_SERVER['HTTP_IF_MODIFIED_SINCE']));
// As above, only 304 if the last request had all the same varies values
// (or the etag isn't passed as part of the request - but with chrome it always is)
$matchesEtag = !isset($_SERVER['HTTP_IF_NONE_MATCH']) || $_SERVER['HTTP_IF_NONE_MATCH'] == $etag;
if ($ifModifiedSince >= self::$modification_date && $matchesEtag) {
if ($body) {
$body->setStatusCode(304);
$body->setBody('');
} else {
header('HTTP/1.0 304 Not Modified');
die;
}
}
}
$expires = time() + $cacheAge;
$responseHeaders["Expires"] = self::gmt_date($expires);
}
if (self::$etag) {
$responseHeaders['ETag'] = self::$etag;
}
// Now that we've generated them, either output them or attach them to the SS_HTTPResponse as appropriate
foreach ($responseHeaders as $k => $v) {
if ($body) {
$body->addHeader($k, $v);
} else {
if (!headers_sent()) {
header("{$k}: {$v}");
}
}
}
}
/**
* @param Object $originator
* @param SS_HTTPRequest $request
* @param SS_HTTPResponse $response
* @param DataModel $model
*/
public function applyToResponse($originator, SS_HTTPRequest $request, SS_HTTPResponse $response, DataModel $model)
{
$cacheAge = $this->cacheAge;
$vary = $this->vary;
$responseHeaders = array();
// Allow overriding max-age from the object hooked up to the policed controller.
if ($originator->hasMethod('getCacheAge')) {
$extendedCacheAge = $originator->getCacheAge($cacheAge);
if ($extendedCacheAge !== null) {
$cacheAge = $extendedCacheAge;
}
}
// Same for vary, but probably less useful.
if ($originator->hasMethod('getVary')) {
$extendedVary = $originator->getVary($vary);
if ($extendedVary !== null) {
$vary = $extendedVary;
}
}
if ($cacheAge > 0) {
// Note: must-revalidate means that the cache must revalidate AFTER the entry has gone stale.
$responseHeaders["Cache-Control"] = "max-age=" . $cacheAge . ", must-revalidate, no-transform";
$responseHeaders["Pragma"] = "";
$responseHeaders['Vary'] = $vary;
// Find out when the URI was last modified. Allows customisation, but fall back HTTP timestamp collector.
if ($originator->hasMethod('getModificationTimestamp')) {
$timestamp = $originator->getModificationTimestamp();
} else {
$timestamp = HTTP::$modification_date;
}
if ($timestamp) {
$responseHeaders["Last-Modified"] = self::gmt_date($timestamp);
// Chrome ignores Varies when redirecting back (http://code.google.com/p/chromium/issues/detail?id=79758)
// which means that if you log out, you get redirected back to a page which Chrome then checks against
// last-modified (which passes, getting a 304)
// when it shouldn't be trying to use that page at all because it's the "logged in" version.
// By also using and etag that includes both the modification date and all the varies
// values which we also check against we can catch this and not return a 304
$etagParts = array($timestamp, serialize($_COOKIE));
$etagParts[] = Director::is_https() ? 'https' : 'http';
if (isset($_SERVER['HTTP_USER_AGENT'])) {
$etagParts[] = $_SERVER['HTTP_USER_AGENT'];
}
if (isset($_SERVER['HTTP_ACCEPT'])) {
$etagParts[] = $_SERVER['HTTP_ACCEPT'];
}
$etag = sha1(implode(':', $etagParts));
$responseHeaders['ETag'] = $etag;
// 304 response detection
if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE'])) {
$ifModifiedSince = strtotime(stripslashes($_SERVER['HTTP_IF_MODIFIED_SINCE']));
// As above, only 304 if the last request had all the same varies values
// (or the etag isn't passed as part of the request - but with chrome it always is)
$matchesEtag = !isset($_SERVER['HTTP_IF_NONE_MATCH']) || $_SERVER['HTTP_IF_NONE_MATCH'] == $etag;
if ($ifModifiedSince >= $timestamp && $matchesEtag) {
$response->setStatusCode(304);
$response->setBody('');
}
}
$expires = time() + $cacheAge;
$responseHeaders['Expires'] = self::gmt_date($expires);
}
}
if (self::$etag) {
$responseHeaders['ETag'] = self::$etag;
}
// Now that we've generated them, either output them or attach them to the SS_HTTPResponse as appropriate
foreach ($responseHeaders as $k => $v) {
$response->addHeader($k, $v);
}
}
/**
* Initialize session.
*
* @param string $sid Start the session with a specific ID
*/
public static function start($sid = null)
{
$path = Config::inst()->get('Session', 'cookie_path');
if (!$path) {
$path = Director::baseURL();
}
$domain = Config::inst()->get('Session', 'cookie_domain');
$secure = Director::is_https() && Config::inst()->get('Session', 'cookie_secure');
$session_path = Config::inst()->get('Session', 'session_store_path');
$timeout = Config::inst()->get('Session', 'timeout');
if (!session_id() && !headers_sent()) {
if ($domain) {
session_set_cookie_params($timeout, $path, $domain, $secure, true);
} else {
session_set_cookie_params($timeout, $path, null, $secure, true);
}
// Allow storing the session in a non standard location
if ($session_path) {
session_save_path($session_path);
}
// If we want a secure cookie for HTTPS, use a seperate session name. This lets us have a
// seperate (less secure) session for non-HTTPS requests
if ($secure) {
session_name('SECSESSID');
}
// @ is to supress win32 warnings/notices when session wasn't cleaned up properly
// There's nothing we can do about this, because it's an operating system function!
if ($sid) {
session_id($sid);
}
@session_start();
}
// Modify the timeout behaviour so it's the *inactive* time before the session expires.
// By default it's the total session lifetime
if ($timeout && !headers_sent()) {
Cookie::set(session_name(), session_id(), $timeout / 86400, $path, $domain ? $domain : null, $secure, true);
}
}
/**
* Return the Field that we will use in this protector
*
* @return string
*/
public function getFormField($name = "RecaptchaField", $title = "Captcha", $value = null)
{
$field = new RecaptchaField($name, $title, $value);
$field->useSSL = Director::is_https();
return $field;
}
/**
* Redirect users if found on incorrect domain
* Detects if $_GET['session'] is present, sets session
* and redirects back to "clean URL"
* Both _SECURE_URL and _STANDARD_URL must be defined,
* and include protocol (http(s)://mydomain.com) with no trailing slash
* @return null
*/
protected function secureHostSwitcher()
{
if (!DEFINED('_SECURE_URL') || !DEFINED('_STANDARD_URL')) {
return false;
}
$protocol = Director::is_https() ? 'https://' : 'http://';
$currentUrlFull = $protocol . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
list($currentUrlFull) = explode('#', $currentUrlFull);
$currentUrlWithoutHost = $_SERVER['REQUEST_URI'];
//remove fragment...just to keep it simple...
list($currentUrlWithoutHost) = explode('#', $currentUrlWithoutHost);
$sessionPartOfURL = "";
$sessionID = session_id();
if ($sessionID) {
if (strpos($currentUrlWithoutHost, "?")) {
$sessionPartOfURL .= "&";
} else {
$sessionPartOfURL = "?";
}
$sessionPartOfURL .= "session=" . $sessionID;
$currentUrlWithoutHost .= $sessionPartOfURL;
}
$isSecure = $this->owner->isSecurePage();
if ($isSecure && !preg_match('/^' . preg_quote(_SECURE_URL, '/') . '/', $currentUrlFull)) {
return $this->owner->redirect(_SECURE_URL . $currentUrlWithoutHost);
} else {
if (!$isSecure && !preg_match('/^' . preg_quote(_STANDARD_URL, '/') . '/', $currentUrlFull)) {
return $this->owner->redirect(_STANDARD_URL . $currentUrlWithoutHost);
}
}
if ($sessionID = $this->owner->request->getVar('session')) {
$currentUrlFull = str_replace("?session=" . $sessionID, "", $currentUrlFull);
$currentUrlFull = str_replace("&session=" . $sessionID, "", $currentUrlFull);
/* force hard-coded session setting */
@session_write_close();
@session_id($sessionID);
@session_start();
header("location: " . $currentUrlFull, 302);
exit;
}
}
