/**
  * Starts the PHP session (unless running from the CLI) and then delegates to
  * the parent session namespace constructor.
  *
  * @param string $namespace
  * @param bool $singleInstance
  */
 public function __construct($namespace = 'Default', $singleInstance = false)
 {
     if (!Common::isPhpCliMode()) {
         Session::start();
         parent::__construct($namespace, $singleInstance);
         return;
     }
     // CLI: there is no session to start; just mark the namespace readable.
     self::$_readable = true;
 }
 /**
  * Clear session information
  *
  * Deletes the login cookie (named by the login_cookie_name setting) and
  * expires the session cookie, i.e. the browser-side state that identifies
  * the current user.
  *
  * @return void
  */
 public static function clearSession()
 {
     $general = Config::getInstance()->General;
     $loginCookie = new Cookie($general['login_cookie_name']);
     $loginCookie->delete();
     Session::expireSessionCookie();
 }
 /**
  * Releases the session lock early for requests that do not need it any more
  * (dashboard widgets posted with a token_auth, and sparkline requests coming
  * from the dashboard or the all-websites page), so parallel requests of the
  * same UI are not serialised on the session file.
  *
  * HTTP_REFERER is client-supplied; it is used here only to decide whether the
  * session can be released early, never for authorisation.
  */
 private function closeSessionEarlyForFasterUI()
 {
     $referrer = empty($_SERVER['HTTP_REFERER']) ? '' : $_SERVER['HTTP_REFERER'];
     $fromDashboard = strpos($referrer, 'module=CoreHome&action=index') !== false;
     $fromAllWebsites = strpos($referrer, 'module=MultiSites&action=index') !== false;

     if ($fromDashboard && !empty($_POST['token_auth']) && Common::getRequestVar('widget', 0, 'int') === 1) {
         Session::close();
     }

     $fromEitherOverview = $fromDashboard || $fromAllWebsites;
     if ($fromEitherOverview && Common::getRequestVar('viewDataTable', '', 'string') === 'sparkline') {
         Session::close();
     }
 }
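 /**
  * Checks if the filesystem Piwik stores sessions in is NFS or not. This
  * check is done in order to avoid using file based sessions on NFS system,
  * since on such a filesystem file locking can make file based sessions
  * incredibly slow.
  *
  * Note: In order to figure this out, we try to run the 'df' program. If
  * the 'exec' or 'shell_exec' functions are not available, we can't do
  * the check.
  *
  * The sessions directory is passed to the shell through escapeshellarg(),
  * so a path containing quotes, whitespace or shell metacharacters cannot
  * change the command that gets executed.
  *
  * @return bool True if on an NFS filesystem, false if otherwise or if we
  *              can't use shell_exec or exec.
  */
 public static function checkIfFileSystemIsNFS()
 {
     $sessionsPath = Session::getSessionsDirectory();

     // df prints the filesystem holding $sessionsPath only if its type is NFS:
     // on NFS it exits 0 with at least 2 lines (header + entry); otherwise it
     // exits 1 with one line or less.
     $command = 'df -T -t nfs ' . escapeshellarg($sessionsPath) . ' 2>&1';

     if (function_exists('exec')) {
         // $output must be an array even if exec() fails to spawn df,
         // otherwise count() below would be called on null.
         $output = array();
         $returnCode = null;
         // best-effort probe: a failure to run df is reported as "not NFS"
         @exec($command, $output, $returnCode);
         // strict comparison: a null return code (exec failed) must not count as success
         return $returnCode === 0 && count($output) > 1;
     }

     if (function_exists('shell_exec')) {
         $output = @shell_exec($command);
         if ($output) {
             return count(explode("\n", $output)) > 1;
         }
     }

     // not NFS, or we can't run a program to find out
     return false;
 }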
 /**
  * Redirects the user to the specified URL.
  *
  * The target is accepted when it looks like an absolute URL or starts with
  * 'index.php'; anything else prints an error instead of redirecting. Only
  * the shape of the URL is checked here, not its destination, so callers must
  * make sure $url is a place the user should be sent to.
  *
  * In CLI mode an exception naming the URL is thrown instead of redirecting.
  * This method never returns: it ends the request with exit.
  *
  * @param string $url
  * @api
  */
 public static function redirectToUrl($url)
 {
     // Flush the session now rather than waiting for the shutdown handler,
     // which is registered but does not always run soon enough.
     Session::close();

     $isRedirectable = UrlHelper::isLookLikeUrl($url) || strpos($url, 'index.php') === 0;
     if (!$isRedirectable) {
         echo "Invalid URL to redirect to.";
     } else {
         // header() itself refuses a value containing newlines; @ hides that warning.
         @header("Location: {$url}");
     }

     if (Common::isPhpCliMode()) {
         throw new Exception("If you were using a browser, Piwik would redirect you to this URL: {$url} \n\n");
     }
     exit;
 }
 /**
  * Replaces the current session id with a freshly generated one.
  */
 protected function regenerateSessionId()
 {
     Session::regenerateId();
 }
 /**
  * Resolves the module/action/parameters for a dispatch, starts the session
  * where needed and makes sure the module is a valid, activated plugin.
  *
  * The module name is restricted to alphanumeric characters before it is
  * used to look up a plugin. $action is not checked here (presumably it is
  * validated where it is dispatched).
  *
  * @param string|null $module     null means read 'module' from the request
  * @param string|null $action     null means read 'action' from the request
  * @param array|null  $parameters null means no extra parameters
  * @return array [$module, $action, $parameters]
  * @throws Exception when the module name is not alphanumeric
  * @throws PluginDeactivatedException when the module's plugin is not activated
  */
 protected function prepareDispatch($module, $action, $parameters)
 {
     if ($module === null) {
         $module = Common::getRequestVar('module', self::DEFAULT_MODULE, 'string');
     }
     if ($action === null) {
         $action = Common::getRequestVar('action', false);
     }

     // API calls (other than API/index) run without a session.
     $needsSession = $module !== 'API' || ($action && $action !== 'index');
     if (SettingsPiwik::isPiwikInstalled() && $needsSession) {
         Session::start();
     }

     if ($parameters === null) {
         $parameters = array();
     }

     if (!ctype_alnum($module)) {
         throw new Exception("Invalid module name '{$module}'");
     }
     $module = Request::renameModule($module);

     if (!\Piwik\Plugin\Manager::getInstance()->isPluginActivated($module)) {
         throw new PluginDeactivatedException($module);
     }

     return array($module, $action, $parameters);
 }
 /**
  * Redirects the user to the specified URL.
  *
  * Closes the session, delegates the actual redirect (including URL checks)
  * to redirectToUrlNoExit() and then ends the request. This method never
  * returns.
  *
  * @param string $url
  * @throws Exception
  * @api
  */
 public static function redirectToUrl($url)
 {
     // Flush the session now rather than waiting for the shutdown handler,
     // which is registered but does not always run soon enough.
     Session::close();
     self::redirectToUrlNoExit($url);
     exit;
 }
 /**
  * Whether the session can be used at all: it must be both writable and readable.
  *
  * @return bool
  */
 private static function isEnabled()
 {
     if (!Session::isWritable()) {
         return false;
     }
     return (bool) Session::isReadable();
 }
 /**
  * Authenticates the user and initializes the session.
  *
  * On success the login cookie is written (Secure when the request came over
  * HTTPS, HttpOnly, holding the login and a hash of the token_auth), the
  * session id is regenerated and any pending password-reset entry for the
  * login is removed. On failure the cookie is deleted and an exception with
  * the translated error message is thrown.
  *
  * @param string $login
  * @param string $md5Password named as the md5 of the password; handed straight to API::getTokenAuth()
  * @param bool   $rememberMe  true: cookie lives login_cookie_expire seconds; false: session cookie
  * @throws Exception when the credentials are not accepted
  */
 public function initSession($login, $md5Password, $rememberMe)
 {
     $tokenAuth = API::getInstance()->getTokenAuth($login, $md5Password);
     $this->setLogin($login);
     $this->setTokenAuth($tokenAuth);
     $authResult = $this->authenticate();

     $general = Config::getInstance()->General;
     $cookieExpiry = 0;
     if ($rememberMe) {
         $cookieExpiry = time() + $general['login_cookie_expire'];
     }
     $cookie = new Cookie($general['login_cookie_name'], $cookieExpiry, $general['login_cookie_path']);

     if (!$authResult->wasAuthenticationSuccessful()) {
         $cookie->delete();
         throw new Exception(Piwik::translate('Login_LoginPasswordNotCorrect'));
     }

     $cookie->set('login', $login);
     $cookie->set('token_auth', $this->getHashTokenAuth($login, $authResult->getTokenAuth()));
     $cookie->setSecure(ProxyHttp::isHttps());
     $cookie->setHttpOnly(true);
     $cookie->save();

     // A new session id after a successful login so the pre-login id does not
     // carry over (the usual session-fixation defence).
     @Session::regenerateId();

     // remove password reset entry if it exists
     Login::removePasswordResetInfo($login);
 }
 /**
  * Tries to authenticate the request with a client certificate.
  *
  * When a user DN is present, a CertAuth object is installed in the registry
  * and, unless a cookie-based session already authenticates the user, the DN
  * is looked up against the authorization service (queryGovport). On success
  * a session-lifetime login cookie (Secure on HTTPS, HttpOnly) is written.
  * On any failure the previous auth object is restored and an error message
  * is recorded so the standard login mechanism can take over.
  *
  * @param bool $activateCookieAuth passed through to initAuthenticationFromCookie()
  */
 public function initAuthenticationObject($activateCookieAuth = false)
 {
     $certificateApi = ClientCertificatesAPI::getInstance();
     $loginApi = LoginAPI::getInstance();
     $dn = $certificateApi->getUserDN();
     $issuerDn = $certificateApi->getIssuerDN();

     if ($dn == null) {
         $loginApi->setErrorMessage("No certificate provided");
         \Piwik\Log::debug("No certificate provided. Falling back on standard login mechanism.");
         return;
     }

     // Install the certificate auth, remembering the previous one so it can be
     // restored if certificate authentication does not go through.
     $auth = new CertAuth();
     $previousAuth = \Piwik\Registry::get('auth');
     \Piwik\Registry::set('auth', $auth);

     if ($this->initAuthenticationFromCookie($auth, $activateCookieAuth)) {
         return;
     }

     $result = $certificateApi->queryGovport($dn, $issuerDn);
     if (!$result) {
         \Piwik\Registry::set('auth', $previousAuth);
         $loginApi->setErrorMessage("Could not verify user against authorization service");
         \Piwik\Log::debug("Could not verify user against authorization service. Falling back on standard auth.");
         return;
     }

     $username = $this->getProperty($result, 'uid');
     $fullname = $this->getProperty($result, 'fullName');
     $email = $this->getProperty($result, 'email');
     $firstname = $this->getProperty($result, 'firstName');
     $lastname = $this->getProperty($result, 'lastName');

     // Agency: first 'grantBy' entry, else first 'organizations' entry, else 'N/A'.
     $agency = property_exists($result, 'grantBy') ? $result->grantBy[0] : null;
     if ($agency == null && property_exists($result, 'organizations')) {
         $agency = $result->organizations[0];
     }
     if ($agency == null) {
         $agency = 'N/A';
     }
     \Piwik\Log::debug("Login PKI Response: {$username}, {$fullname}, {$email}, {$firstname}, {$lastname}, {$agency}");

     $auth->setLogin($username);
     $auth->setUserDN($dn);
     $auth->setPassword($username . $dn);
     // token_auth is derived from the username and the auth object's secret
     $auth->setTokenAuth(md5($username . $auth->getTokenAuthSecret()));
     $auth->setEmail($email);
     $auth->setAlias($this->getAlias($firstname, $lastname, $fullname));

     $authResult = $auth->authenticate();
     if (!$authResult->wasAuthenticationSuccessful()) {
         // Error message set by auth result
         \Piwik\Registry::set('auth', $previousAuth);
         return;
     }

     Session::regenerateId();

     // Create the login cookie (session lifetime: expiry 0), same derivation
     // of token_auth as above.
     $general = Config::getInstance()->General;
     $cookie = new Cookie($general['login_cookie_name'], 0, $general['login_cookie_path']);
     $cookie->set('login', $authResult->getIdentity());
     $cookie->set('token_auth', md5($username . $auth->getTokenAuthSecret()));
     $cookie->setSecure(ProxyHttp::isHttps());
     $cookie->setHttpOnly(true);
     $cookie->save();
 }