private static function print_log_runtime() { //-- $log = ''; //-- $log .= '<div class="smartframework_debugbar_status smartframework_debugbar_status_head"><font size="4"><b>Client / Server :: RUNTIME Log</b></font></div>'; //-- $log .= '<div class="smartframework_debugbar_status smartframework_debugbar_status_highlight" style="width:450px;"><b>App Runtime - Powered by</b></div>'; $log .= '<div class="smartframework_debugbar_inforow">' . SmartComponents::draw_powered_info('yes') . '</div>'; //-- if (SMART_FRAMEWORK_ADMIN_AREA === true) { $the_area = 'admin'; } else { $the_area = 'index'; } //end if else //-- $arr = ['Server Runtime: Smart.Framework' => ['Smart.Framework Middleware Area' => $the_area, 'Smart.Framework Release / Tag / Branch' => SMART_FRAMEWORK_RELEASE_VERSION . ' / ' . SMART_FRAMEWORK_RELEASE_TAGVERSION . ' / ' . SMART_FRAMEWORK_VERSION, 'Smart.Framework Encoding: Internal / DB' => SMART_FRAMEWORK_CHARSET . ' / ' . SMART_FRAMEWORK_DBSQL_CHARSET], 'Server Runtime: PHP' => ['PHP OS' => (string) PHP_OS, 'PHP Version' => 'PHP ' . PHP_VERSION . ' / ' . @php_sapi_name(), 'PHP Locales: ' => (string) setlocale(LC_ALL, 0), 'PHP Encoding: Internal / MBString' => ini_get('default_charset') . ' / ' . @mb_internal_encoding(), 'PHP Memory' => (string) ini_get('memory_limit'), 'PHP Loaded Modules' => (string) strtolower(implode(', ', (array) @get_loaded_extensions()))], 'Server Domain Info' => ['Server Full URL' => SmartUtils::get_server_current_url(), 'Server Script' => SmartUtils::get_server_current_script(), 'Server IP' => SmartUtils::get_server_current_ip(), 'Server Port' => SmartUtils::get_server_current_port(), 'Server Protocol' => SmartUtils::get_server_current_protocol(), 'Server Path' => SmartUtils::get_server_current_path(), 'Server Domain' => SmartUtils::get_server_current_domain_name(), 'Server Base Domain' => SmartUtils::get_server_current_basedomain_name()], 'Client Runtime' => (string) $_SERVER['HTTP_USER_AGENT'] . ' # ' . SmartUtils::get_ip_client() . ' # ' . SmartUtils::get_ip_proxyclient()]; //-- foreach ($arr as $debug_key => $debug_val) { $log .= '<div class="smartframework_debugbar_status smartframework_debugbar_status_highlight" style="width:450px;"><b>' . Smart::escape_html($debug_key) . '</b></div>'; if (is_array($debug_val)) { $log .= '<table cellspacing="0" cellpadding="2" width="100%">'; foreach ($debug_val as $key => $val) { $log .= '<tr valign="top"><td width="295"><div class="smartframework_debugbar_inforow"><b>' . Smart::escape_html($key) . '</b></div></td><td><div class="smartframework_debugbar_inforow">' . Smart::escape_html(self::print_value_by_type($val)) . '</div></td></tr>'; } //end foreach $log .= '</table>'; } else { $log .= '<div class="smartframework_debugbar_inforow">' . Smart::escape_html((string) $debug_val) . '</div>'; } //end if else } //end while //-- return $log; //-- }
/** * Start the Session on request * */ public static function start() { //===== //-- if (self::$started !== false) { return; // avoid start session if already started ... } //end if self::$started = true; // avoid run start again //-- //===== //-- $browser_os_ip_identification = SmartUtils::get_os_browser_ip(); // get browser and os identification //-- if ((string) $browser_os_ip_identification['bw'] == '@s#' or (string) $browser_os_ip_identification['bw'] == 'bot') { return; // in this case start no session for robots or the self browser (as they do not need to share info between many visits) ; if the self browser fail to identify will be at least identified as robot in the worst case } //end if //-- //===== //-- no log as the cookies can be dissalowed by the browser if ((string) SMART_APP_VISITOR_COOKIE == '') { return; // session need cookies } //end if //-- //===== //-- $sf_sess_mode = 'files'; $sf_sess_area = 'default-sess'; $sf_sess_ns = 'unknown'; $sf_sess_dir = 'tmp/sess'; //-- //===== if (!defined('SMART_FRAMEWORK_SESSION_PREFIX')) { Smart::log_warning('FATAL ERROR: Invalid Session Prefix :: SMART_FRAMEWORK_SESSION_PREFIX'); return; } //end if if (strlen(SMART_FRAMEWORK_SESSION_PREFIX) < 3 or strlen(SMART_FRAMEWORK_SESSION_PREFIX) > 9) { Smart::log_warning('WARNING: Session Prefix must have a length between 3 and 9 characters :: SMART_FRAMEWORK_SESSION_PREFIX'); return; } //end if if (!preg_match('/^[a-z\\-]+$/', (string) SMART_FRAMEWORK_SESSION_PREFIX)) { Smart::log_warning('WARNING: Session Prefix contains invalid characters :: SMART_FRAMEWORK_SESSION_PREFIX'); return; } //end if //-- if (!defined('SMART_FRAMEWORK_SESSION_NAME')) { Smart::log_warning('FATAL ERROR: Invalid Session Name :: SMART_FRAMEWORK_SESSION_NAME'); return; } //end if if (strlen(SMART_FRAMEWORK_SESSION_NAME) < 10 or strlen(SMART_FRAMEWORK_SESSION_NAME) > 25) { Smart::log_warning('WARNING: Session Name must have a length between 10 and 25 characters :: SMART_FRAMEWORK_SESSION_NAME'); return; } //end if if (!preg_match('/^[_A-Za-z0-9]+$/', (string) SMART_FRAMEWORK_SESSION_NAME)) { Smart::log_warning('WARNING: Session Name contains invalid characters :: SMART_FRAMEWORK_SESSION_NAME'); return; } //end if if (!SmartFrameworkSecurity::ValidateVariableName(strtolower(SMART_FRAMEWORK_SESSION_NAME))) { Smart::log_warning('WARNING: Session Name have an invalid value :: SMART_FRAMEWORK_SESSION_NAME'); return; } //end if //-- if (!defined('SMART_FRAMEWORK_SESSION_LIFETIME')) { Smart::log_warning('FATAL ERROR: Invalid Session GC Lifetime :: SMART_FRAMEWORK_SESSION_LIFETIME'); return; } //end if if (!is_int(SMART_FRAMEWORK_SESSION_LIFETIME)) { Smart::log_warning('Invalid INIT constant value for SMART_FRAMEWORK_SESSION_LIFETIME'); return; } //end if //-- if (!is_dir('tmp/sessions/')) { Smart::log_warning('FATAL ERROR: The Folder \'tmp/sessions/\' does not exists for use with Session !'); return; } //end if //-- $detected_session_mode = (string) ini_get('session.save_handler'); if ((string) $detected_session_mode === 'files') { if ((string) SMART_FRAMEWORK_SESSION_HANDLER !== 'files') { Smart::log_warning('FATAL ERROR: The value set for SMART_FRAMEWORK_SESSION_HANDLER is not set to: files / but the value found in session.save_handler is: ' . $detected_session_mode); return; } //end if } elseif ((string) $detected_session_mode === 'user') { if ((string) SMART_FRAMEWORK_SESSION_HANDLER === 'files') { Smart::log_warning('FATAL ERROR: The value set for SMART_FRAMEWORK_SESSION_HANDLER is set to: files / but the value found in session.save_handler is: ' . $detected_session_mode); return; } //end if } else { Smart::log_warning('FATAL ERROR: The value set for session.save_handler must be set to one of these modes: files or user'); return; } //end if //-- //===== //-- generate a the client private key based on it's IP and Browser $the_sess_client_uuid = SmartUtils::unique_client_private_key(); // SHA512 key to protect session data agains forgers //-- a very secure approach based on a chain, derived with a secret salt from the framework security key: // (1) an almost unique client private key lock based on it's IP and Browser // (2) an entropy derived from the client random cookie combined with the (1) // (3) a unique session name suffix derived from (1) and (2) // (4) a unique session id composed from (1) and (2) //-- thus the correlation between the random public client cookie, the session name suffix and the session id makes impossible to forge it as it locks to IP+Browser, using a public entropy cookie all encrypted with a secret key and derived and related, finally composed. $the_sess_client_lock = SmartHashCrypto::sha1(SMART_FRAMEWORK_SECURITY_KEY . '#' . $the_sess_client_uuid); $the_sess_client_entropy = SmartHashCrypto::sha1(SMART_APP_VISITOR_COOKIE . '*' . $the_sess_client_uuid . '%' . SMART_FRAMEWORK_SECURITY_KEY); $the_sess_nsuffix = SmartHashCrypto::sha1($the_sess_client_uuid . ':' . SMART_FRAMEWORK_SECURITY_KEY . '^' . $the_sess_client_entropy . '+' . $the_sess_client_lock . '$' . SMART_APP_VISITOR_COOKIE); $the_sess_id = $the_sess_client_entropy . '-' . $the_sess_client_lock; // session ID combines the secret client key based on it's IP / Browser and the Client Entropy Cookie //-- $sf_sess_area = Smart::safe_filename((string) SMART_FRAMEWORK_SESSION_PREFIX); $sf_sess_dpfx = substr($the_sess_client_entropy, 0, 1) . '-' . substr($the_sess_client_lock, 0, 1); // this come from hexa so 3 chars are 16x16x16=4096 dirs //-- if ((string) $browser_os_ip_identification['bw'] == '@s#') { $sf_sess_ns = '@sr-' . $sf_sess_dpfx; } elseif ((string) $browser_os_ip_identification['bw'] == 'bot') { $sf_sess_ns = 'r0-' . $sf_sess_dpfx; // we just need a short prefix for robots (on disk is costly for GC to keep separate folders, but of course, not so safe) } else { $sf_sess_ns = 'c-' . substr($browser_os_ip_identification['bw'], 0, 3) . '-' . $sf_sess_dpfx; // we just need a short prefix for clients (on disk is costly for GC to keep separate folders, but of course, not so safe) } //end if else $sf_sess_ns = Smart::safe_filename($sf_sess_ns); //-- by default set for files $sf_sess_mode = 'files'; $sf_sess_dir = 'tmp/sessions/' . $sf_sess_area . '/' . $sf_sess_ns . '/'; if ((string) $detected_session_mode === 'user') { if (class_exists('SmartCustomSession')) { if ((string) get_parent_class('SmartCustomSession') == 'SmartAbstractCustomSession') { $sf_sess_mode = 'user-custom'; $sf_sess_dir = 'tmp/sessions/' . $sf_sess_area . '/'; // here the NS is saved in DB so we do not need to complicate paths } else { Smart::log_warning('SESSION INIT ERROR: Invalid Custom Session Handler. The class SmartCustomSession must be extended from class SmartAbstractCustomSession ...'); return; } //end if else } else { Smart::log_warning('SESSION INIT ERROR: Custom Session Handler requires the class SmartCustomSession ...'); return; } //end if } //end if $sf_sess_dir = Smart::safe_pathname($sf_sess_dir); //-- if (!is_dir($sf_sess_dir)) { SmartFileSystem::dir_recursive_create($sf_sess_dir); } //end if SmartFileSystem::write_if_not_exists('tmp/sessions/' . $sf_sess_area . '/' . 'index.html', ''); //===== //-- @session_save_path($sf_sess_dir); @session_cache_limiter('nocache'); //-- $the_name_of_session = (string) SMART_FRAMEWORK_SESSION_NAME . '__Key_' . $the_sess_nsuffix; // protect session name data agains forgers //-- @session_id((string) $the_sess_id); @session_name((string) $the_name_of_session); //-- $tmp_exp_seconds = Smart::format_number_int(SMART_FRAMEWORK_SESSION_LIFETIME, '+'); if ($tmp_exp_seconds > 0) { @session_set_cookie_params((int) $tmp_exp_seconds, '/'); // session cookie expire and the path } // end if //-- be sure that session_write_close() is executed at the end of script if script if die('') premature and before pgsql shutdown register in the case of DB sessions register_shutdown_function('session_write_close'); //-- handle custom session handler if ((string) $sf_sess_mode === 'user-custom') { //-- $sess_obj = new SmartCustomSession(); $sess_obj->sess_area = (string) $sf_sess_area; $sess_obj->sess_ns = (string) $sf_sess_ns; $sess_obj->sess_expire = (int) $tmp_exp_seconds; //-- session_set_save_handler(array($sess_obj, 'open'), array($sess_obj, 'close'), array($sess_obj, 'read'), array($sess_obj, 'write'), array($sess_obj, 'destroy'), array($sess_obj, 'gc')); //-- } //end if else //-- start session @session_start(); //-- if ((string) $_SESSION['SoftwareFramework_VERSION'] != (string) SMART_FRAMEWORK_VERSION or (string) $_SESSION['website_ID'] != (string) SMART_SOFTWARE_NAMESPACE or strlen($_SESSION['session_ID']) < 32) { //-- $_SESSION['SoftwareFramework_VERSION'] = (string) SMART_FRAMEWORK_VERSION; // software version $_SESSION['SoftwareFramework_SessionMode'] = (string) $sf_sess_mode; // session mode $_SESSION['website_ID'] = (string) SMART_SOFTWARE_NAMESPACE; // the website ID $_SESSION['uniqbrowser_ID'] = (string) $the_sess_client_uuid; // a true unique browser ID (this is a protection against sessionID forgers) $_SESSION['session_ID'] = (string) @session_id(); // read current session ID $_SESSION['session_STARTED'] = (string) date('Y-m-d H:i:s O'); // read current session ID //-- } //end if //-- if (!isset($_SESSION['visit_COUNTER'])) { $_SESSION['visit_COUNTER'] = 1; } else { $_SESSION['visit_COUNTER'] += 1; } //end if else //-- $_SESSION['SmartFramework__Browser__Identification__Data'] = (array) $browser_os_ip_identification; //-- if ((string) $_SESSION['uniqbrowser_ID'] != (string) $the_sess_client_uuid) { // we need at least a md5 session //-- log, then unset old session (these are not well tested ...) Smart::log_notice('Session Security Breakpoint :: Session-BrowserUniqueID = ' . $_SESSION['uniqbrowser_ID'] . "\n" . 'SessionSecurityUniqueID = ' . $the_sess_client_uuid . "\n" . 'Browser Ident = ' . $browser_os_ip_identification['bw'] . "\n" . 'Cookies = ' . print_r($_COOKIE, 1) . "\n" . 'SessID = ' . $_SESSION['session_ID'] . "\n" . 'ClientIP = ' . SmartUtils::get_ip_client() . ' @ ' . $_SERVER['REMOTE_ADDR'] . "\n" . 'UserAgent = ' . $_SERVER['HTTP_USER_AGENT']); $_SESSION = array(); // reset it //-- unset the cookie (from this below is tested) @setcookie($the_name_of_session, 'EXPIRED', 1, '/'); //-- stop execution with message Smart::raise_error('SESSION // SECURITY BREAK POINT: Possible Session Forgery Detected ...', 'SESSION // SECURITY BREAK POINT: Possible Session Forgery Detected ! Please refresh the page ... A new session will be assigned ! If you are not trying to forge another user\' session this situation can occur also if you are behind a proxy and some of your navigation parameters has been changed ! If this problem persist try to restart your browser or use other browser. If still persist, contact the website administrator'); die(''); // just in case return; // or is better to silent discard it ? //-- } //end if //-- self::$active = time(); // successfuly started //-- }