class SessionConfiguration

Same name and namespace in other branches
  1. 9 core/lib/Drupal/Core/Session/SessionConfiguration.php \Drupal\Core\Session\SessionConfiguration
  2. 8.9.x core/lib/Drupal/Core/Session/SessionConfiguration.php \Drupal\Core\Session\SessionConfiguration
  3. 11.x core/lib/Drupal/Core/Session/SessionConfiguration.php \Drupal\Core\Session\SessionConfiguration

Defines the default session configuration generator.

Hierarchy

Expanded class hierarchy of SessionConfiguration

1 string reference to 'SessionConfiguration'
core.services.yml in core/core.services.yml
core/core.services.yml
1 service uses SessionConfiguration
session_configuration in core/core.services.yml
Drupal\Core\Session\SessionConfiguration

File

core/lib/Drupal/Core/Session/SessionConfiguration.php, line 10

Namespace

Drupal\Core\Session
View source
class SessionConfiguration implements SessionConfigurationInterface {
  
  /**
   * An associative array of session ini settings.
   */
  protected $options;
  
  /**
   * Constructs a new session configuration instance.
   *
   * @param array $options
   *   An associative array of session ini settings.
   *
   * @see \Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage::__construct()
   * @see http://php.net/manual/session.configuration.php
   * @see https://www.php.net/manual/session.security.ini.php
   */
  public function __construct($options = []) {
    // Provide sensible defaults for sid_length, sid_bits_per_character and
    // name_suffix.
    // @see core/assets/scaffold/files/default.services.yml
    $this->options = $options + [
      'sid_length' => 48,
      'sid_bits_per_character' => 6,
      'name_suffix' => '',
    ];
  }
  
  /**
   * {@inheritdoc}
   */
  public function hasSession(Request $request) {
    return $request->cookies
      ->has($this->getName($request));
  }
  
  /**
   * {@inheritdoc}
   */
  public function getOptions(Request $request) {
    $options = $this->options;
    // Generate / validate the cookie domain.
    $options['cookie_domain'] = $this->getCookieDomain($request) ?: '';
    // If the site is accessed via SSL, ensure that the session cookie is
    // issued with the secure flag.
    $options['cookie_secure'] = $request->isSecure();
    // Set the session cookie name.
    $options['name'] = $this->getName($request);
    return $options;
  }
  
  /**
   * Returns the session cookie name.
   *
   * @param \Symfony\Component\HttpFoundation\Request $request
   *   The request.
   *
   * @return string
   *   The name of the session cookie.
   */
  protected function getName(Request $request) {
    // To prevent session cookies from being hijacked, a user can configure the
    // SSL version of their website to only transfer session cookies via SSL by
    // using PHP's session.cookie_secure setting. The browser will then use two
    // separate session cookies for the HTTPS and HTTP versions of the site. So
    // we must use different session identifiers for HTTPS and HTTP to prevent a
    // cookie collision.
    $prefix = $request->isSecure() ? 'SSESS' : 'SESS';
    return $prefix . $this->getUnprefixedName($request);
  }
  
  /**
   * Returns the session cookie name without the secure/insecure prefix.
   *
   * @param \Symfony\Component\HttpFoundation\Request $request
   *   The request.
   *
   * @return string
   *   The session name without the prefix (SESS/SSESS).
   */
  protected function getUnprefixedName(Request $request) {
    if ($test_prefix = $this->drupalValidTestUa()) {
      $session_name = $test_prefix;
    }
    elseif (isset($this->options['cookie_domain'])) {
      // If the user specifies the cookie domain, also use it for session name.
      $session_name = $this->options['cookie_domain'];
    }
    else {
      // Otherwise use $base_url as session name, without the protocol
      // to use the same session identifiers across HTTP and HTTPS.
      $session_name = $request->getHost() . $request->getBasePath() . $this->options['name_suffix'];
      // Replace "core" out of session_name so core scripts redirect properly,
      // specifically install.php.
      $session_name = preg_replace('#/core$#', '', $session_name);
    }
    return substr(hash('sha256', $session_name), 0, 32);
  }
  
  /**
   * Return the session cookie domain.
   *
   * The Set-Cookie response header and its domain attribute are defined in RFC
   * 2109, RFC 2965 and RFC 6265 each one superseding the previous version.
   *
   * @see http://tools.ietf.org/html/rfc2109
   * @see http://tools.ietf.org/html/rfc2965
   * @see http://tools.ietf.org/html/rfc6265
   *
   * @param \Symfony\Component\HttpFoundation\Request $request
   *   The request.
   *
   * @return string|null
   *   The session cookie domain, or NULL if the calculated value is invalid.
   */
  protected function getCookieDomain(Request $request) {
    if (isset($this->options['cookie_domain'])) {
      $cookie_domain = $this->options['cookie_domain'];
    }
    else {
      $host = $request->getHost();
      // To maximize compatibility and normalize the behavior across user
      // agents, the cookie domain should start with a dot.
      $cookie_domain = '.' . $host;
    }
    // Cookies for domains without an embedded dot will be rejected by user
    // agents in order to defeat malicious websites attempting to set cookies
    // for top-level domains. Also IP addresses may not be used in the domain
    // attribute of a Set-Cookie header. IPv6 addresses will not pass the first
    // test, so it's acceptable to bias the second test to IPv4.
    if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) {
      return $cookie_domain;
    }
  }
  
  /**
   * Wraps drupal_valid_test_ua().
   *
   * @return string|false
   *   Either the simpletest prefix (the string "simpletest" followed by any
   *   number of digits) or FALSE if the user agent does not contain a valid
   *   HMAC and timestamp.
   */
  protected function drupalValidTestUa() {
    return drupal_valid_test_ua();
  }

}

Members

Title Sort descending Modifiers Object type Summary Overriden Title
SessionConfiguration::$options protected property An associative array of session ini settings.
SessionConfiguration::drupalValidTestUa protected function Wraps drupal_valid_test_ua().
SessionConfiguration::getCookieDomain protected function Return the session cookie domain.
SessionConfiguration::getName protected function Returns the session cookie name.
SessionConfiguration::getOptions public function Returns a list of options suitable for passing to the session storage. Overrides SessionConfigurationInterface::getOptions
SessionConfiguration::getUnprefixedName protected function Returns the session cookie name without the secure/insecure prefix.
SessionConfiguration::hasSession public function Determines whether a session identifier is on the request. Overrides SessionConfigurationInterface::hasSession
SessionConfiguration::__construct public function Constructs a new session configuration instance.

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.