zoneminder/web/includes/session.php

<?php
// ZM session start function support timestamp management
function zm_session_start() {

  if ( ini_get('session.name') != 'ZMSESSID' ) {
    // Make sure use_strict_mode is enabled.
    // use_strict_mode is mandatory for security reasons.
    ini_set('session.use_strict_mode', 1);

    $currentCookieParams = session_get_cookie_params(); 
    $currentCookieParams['lifetime'] = ZM_COOKIE_LIFETIME;
    $currentCookieParams['httponly'] = true;
    if ( version_compare(phpversion(), '7.3.0', '<') ) {
      session_set_cookie_params(
        $currentCookieParams['lifetime'],
        $currentCookieParams['path'],
        $currentCookieParams['domain'],
        $currentCookieParams['secure'],
        $currentCookieParams['httponly']
      );
    } else {
      # samesite was introduced in 7.3.0
      $currentCookieParams['samesite'] = 'Strict';
      session_set_cookie_params($currentCookieParams);
    }

    ini_set('session.name', 'ZMSESSID');
    ZM\Logger::Debug('Setting cookie parameters to '.print_r($currentCookieParams, true));
  }
  session_start();
  $_SESSION['remoteAddr'] = $_SERVER['REMOTE_ADDR']; // To help prevent session hijacking
  $now = time();
  // Do not allow to use expired session ID
  if ( !empty($_SESSION['last_time']) && ($_SESSION['last_time'] < ($now - 180)) ) {
    ZM\Info('Destroying session due to timeout.');
    session_destroy();
    session_start();
  } else if ( !empty($_SESSION['generated_at']) ) {
    if ( $_SESSION['generated_at']<($now-(ZM_COOKIE_LIFETIME/2)) ) {
      ZM\Logger::Debug('Regenerating session because generated_at ' . $_SESSION['generated_at'] . ' < ' . $now . '-'.ZM_COOKIE_LIFETIME.'/2 = '.($now-ZM_COOKIE_LIFETIME/2));
      zm_session_regenerate_id();
    }
  }
} // function zm_session_start()

// session regenerate id function
// Assumes that zm_session_start has been called previously
function zm_session_regenerate_id() {
  if ( session_status() != PHP_SESSION_ACTIVE ) {
    session_start();
  }

  // Set deleted timestamp. Session data must not be deleted immediately for reasons.
  $_SESSION['last_time'] = time();
  // Finish session
  session_write_close();

  session_start();
  session_regenerate_id();
  unset($_SESSION['last_time']);
  $_SESSION['generated_at'] = time();
} // function zm_session_regenerate_id()

function is_session_started() {
  if ( php_sapi_name() !== 'cli' ) {
    if ( version_compare(phpversion(), '5.4.0', '>=') ) {
      return session_status() === PHP_SESSION_ACTIVE ? TRUE : FALSE;
    } else {
      return session_id() === '' ? FALSE : TRUE;
    }
  } else {
    Warning("php_sapi_name === 'cli'");
  }
  return FALSE;
} // function is_session_started()

function zm_session_clear() {
  session_start();
  $_SESSION = array();
  if ( ini_get('session.use_cookies') ) {
    $p = session_get_cookie_params();
    # Update the cookie to expire in the past.
    setcookie(session_name(), '', time() - 31536000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
  }
  session_unset();
  session_destroy();
  session_write_close();
  session_start();
} // function zm_session_clear()
?>
remove duplicate line 2019-01-31 00:05:43 +08:00			`<?php`
			`// ZM session start function support timestamp management`
			`function zm_session_start() {`

set SameSite on session cookie. 2020-08-03 22:55:54 +08:00			`if ( ini_get('session.name') != 'ZMSESSID' ) {`
			`// Make sure use_strict_mode is enabled.`
			`// use_strict_mode is mandatory for security reasons.`
			`ini_set('session.use_strict_mode', 1);`
remove duplicate line 2019-01-31 00:05:43 +08:00
set SameSite on session cookie. 2020-08-03 22:55:54 +08:00			`$currentCookieParams = session_get_cookie_params();`
			`$currentCookieParams['lifetime'] = ZM_COOKIE_LIFETIME;`
			`$currentCookieParams['httponly'] = true;`
this version of set_cookie_params was introduced in 7.3. So put back code for previous versions of php which unfortunately do not support the samesite parameter. Fixes #3009 2020-08-08 21:58:18 +08:00			`if ( version_compare(phpversion(), '7.3.0', '<') ) {`
			`session_set_cookie_params(`
			`$currentCookieParams['lifetime'],`
			`$currentCookieParams['path'],`
			`$currentCookieParams['domain'],`
			`$currentCookieParams['secure'],`
remove extra , 2020-08-09 02:27:37 +08:00			`$currentCookieParams['httponly']`
this version of set_cookie_params was introduced in 7.3. So put back code for previous versions of php which unfortunately do not support the samesite parameter. Fixes #3009 2020-08-08 21:58:18 +08:00			`);`
			`} else {`
			`# samesite was introduced in 7.3.0`
			`$currentCookieParams['samesite'] = 'Strict';`
			`session_set_cookie_params($currentCookieParams);`
			`}`
remove duplicate line 2019-01-31 00:05:43 +08:00
set SameSite on session cookie. 2020-08-03 22:55:54 +08:00			`ini_set('session.name', 'ZMSESSID');`
			`ZM\Logger::Debug('Setting cookie parameters to '.print_r($currentCookieParams, true));`
			`}`
remove duplicate line 2019-01-31 00:05:43 +08:00			`session_start();`
Fix token auth sessions (#2676) * If token is present do token based auth and do not do anything with session * update HostController. Use config constants, don't use sessions * Remove Session from the components list * spacing * Remove Session from App Components list. * Move APIEnabled check to the api from auth.php * Rework auth. login using username and password only occurs on login action now. Including auth.php should not touch the session. auth_hash logins no longer touch the session. replace userLogin with a function called validateUser which matches the semantics of validateToken. * remove debugging * Add session storage if stateful query param is on, but only for LEGACY_API_AUTH * fix mUser to username, etc. * shuffle lines * use instead of session when generating auth hash. * Add docs regarding the use of cookies and stateful query param * Only open/close session if we are clearing a session var * Use zm_session_start instead of session_start * Should use zm_session_start instead of session_start * document that zm_session_start should be called previously to session_regenerate_id * Don't actually write out the session when generating auth hashes. Means they should never actually persist. * More backticking of SQL * add .. to fix #2686 * Use material icons for sort because they look nicer * fix typo * have to add authhash to session on login * restore username&password login for all urls * fix * fixes 2019-08-20 21:46:53 +08:00			`$_SESSION['remoteAddr'] = $_SERVER['REMOTE_ADDR']; // To help prevent session hijacking`
Fix auth timing out due to cookie timing out and getting deleted. 2019-09-05 00:14:32 +08:00			`$now = time();`
Use session_regenerate_id instead of our broken code to do the same 2019-02-06 00:45:09 +08:00			`// Do not allow to use expired session ID`
Fix auth timing out due to cookie timing out and getting deleted. 2019-09-05 00:14:32 +08:00			`if ( !empty($_SESSION['last_time']) && ($_SESSION['last_time'] < ($now - 180)) ) {`
set SameSite on session cookie. 2020-08-03 22:55:54 +08:00			`ZM\Info('Destroying session due to timeout.');`
remove duplicate line 2019-01-31 00:05:43 +08:00			`session_destroy();`
			`session_start();`
Fix auth timing out due to cookie timing out and getting deleted. 2019-09-05 00:14:32 +08:00			`} else if ( !empty($_SESSION['generated_at']) ) {`
			`if ( $_SESSION['generated_at']<($now-(ZM_COOKIE_LIFETIME/2)) ) {`
set SameSite on session cookie. 2020-08-03 22:55:54 +08:00			`ZM\Logger::Debug('Regenerating session because generated_at ' . $_SESSION['generated_at'] . ' < ' . $now . '-'.ZM_COOKIE_LIFETIME.'/2 = '.($now-ZM_COOKIE_LIFETIME/2));`
Fix auth timing out due to cookie timing out and getting deleted. 2019-09-05 00:14:32 +08:00			`zm_session_regenerate_id();`
			`}`
remove duplicate line 2019-01-31 00:05:43 +08:00			`}`
Use session_regenerate_id instead of our broken code to do the same 2019-02-06 00:45:09 +08:00			`} // function zm_session_start()`
remove duplicate line 2019-01-31 00:05:43 +08:00
Fix token auth sessions (#2676) * If token is present do token based auth and do not do anything with session * update HostController. Use config constants, don't use sessions * Remove Session from the components list * spacing * Remove Session from App Components list. * Move APIEnabled check to the api from auth.php * Rework auth. login using username and password only occurs on login action now. Including auth.php should not touch the session. auth_hash logins no longer touch the session. replace userLogin with a function called validateUser which matches the semantics of validateToken. * remove debugging * Add session storage if stateful query param is on, but only for LEGACY_API_AUTH * fix mUser to username, etc. * shuffle lines * use instead of session when generating auth hash. * Add docs regarding the use of cookies and stateful query param * Only open/close session if we are clearing a session var * Use zm_session_start instead of session_start * Should use zm_session_start instead of session_start * document that zm_session_start should be called previously to session_regenerate_id * Don't actually write out the session when generating auth hashes. Means they should never actually persist. * More backticking of SQL * add .. to fix #2686 * Use material icons for sort because they look nicer * fix typo * have to add authhash to session on login * restore username&password login for all urls * fix * fixes 2019-08-20 21:46:53 +08:00			`// session regenerate id function`
			`// Assumes that zm_session_start has been called previously`
remove duplicate line 2019-01-31 00:05:43 +08:00			`function zm_session_regenerate_id() {`
			`if ( session_status() != PHP_SESSION_ACTIVE ) {`
			`session_start();`
			`}`
use session_regenerate_id instead of other strange code 2019-01-31 05:08:09 +08:00
remove duplicate line 2019-01-31 00:05:43 +08:00			`// Set deleted timestamp. Session data must not be deleted immediately for reasons.`
			`$_SESSION['last_time'] = time();`
			`// Finish session`
use session_regenerate_id instead of other strange code 2019-01-31 05:08:09 +08:00			`session_write_close();`

remove duplicate line 2019-01-31 00:05:43 +08:00			`session_start();`
use session_regenerate_id instead of other strange code 2019-01-31 05:08:09 +08:00			`session_regenerate_id();`
Use session_regenerate_id instead of our broken code to do the same 2019-02-06 00:45:09 +08:00			`unset($_SESSION['last_time']);`
Fix auth timing out due to cookie timing out and getting deleted. 2019-09-05 00:14:32 +08:00			`$_SESSION['generated_at'] = time();`
Use session_regenerate_id instead of our broken code to do the same 2019-02-06 00:45:09 +08:00			`} // function zm_session_regenerate_id()`
remove duplicate line 2019-01-31 00:05:43 +08:00
Move is_session_open to session.php. Move code to clear a session into session.php 2019-01-31 01:52:01 +08:00			`function is_session_started() {`
			`if ( php_sapi_name() !== 'cli' ) {`
			`if ( version_compare(phpversion(), '5.4.0', '>=') ) {`
			`return session_status() === PHP_SESSION_ACTIVE ? TRUE : FALSE;`
			`} else {`
			`return session_id() === '' ? FALSE : TRUE;`
			`}`
			`} else {`
			`Warning("php_sapi_name === 'cli'");`
			`}`
			`return FALSE;`
Use session_regenerate_id instead of our broken code to do the same 2019-02-06 00:45:09 +08:00			`} // function is_session_started()`
Move is_session_open to session.php. Move code to clear a session into session.php 2019-01-31 01:52:01 +08:00
			`function zm_session_clear() {`
			`session_start();`
			`$_SESSION = array();`
			`if ( ini_get('session.use_cookies') ) {`
			`$p = session_get_cookie_params();`
			`# Update the cookie to expire in the past.`
			`setcookie(session_name(), '', time() - 31536000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);`
			`}`
			`session_unset();`
			`session_destroy();`
Fix token auth sessions (#2676) * If token is present do token based auth and do not do anything with session * update HostController. Use config constants, don't use sessions * Remove Session from the components list * spacing * Remove Session from App Components list. * Move APIEnabled check to the api from auth.php * Rework auth. login using username and password only occurs on login action now. Including auth.php should not touch the session. auth_hash logins no longer touch the session. replace userLogin with a function called validateUser which matches the semantics of validateToken. * remove debugging * Add session storage if stateful query param is on, but only for LEGACY_API_AUTH * fix mUser to username, etc. * shuffle lines * use instead of session when generating auth hash. * Add docs regarding the use of cookies and stateful query param * Only open/close session if we are clearing a session var * Use zm_session_start instead of session_start * Should use zm_session_start instead of session_start * document that zm_session_start should be called previously to session_regenerate_id * Don't actually write out the session when generating auth hashes. Means they should never actually persist. * More backticking of SQL * add .. to fix #2686 * Use material icons for sort because they look nicer * fix typo * have to add authhash to session on login * restore username&password login for all urls * fix * fixes 2019-08-20 21:46:53 +08:00			`session_write_close();`
			`session_start();`
Use session_regenerate_id instead of our broken code to do the same 2019-02-06 00:45:09 +08:00			`} // function zm_session_clear()`
remove duplicate line 2019-01-31 00:05:43 +08:00			`?>`