_config['save_path'])) { $this->_config['save_path'] = rtrim($this->_config['save_path'], '/\\'); ini_set('session.save_path', $this->_config['save_path']); } else { log_message('debug', 'Session: "sess_save_path" is empty; using "session.save_path" value from php.ini.'); $this->_config['save_path'] = rtrim(ini_get('session.save_path'), '/\\'); } $this->_sid_regexp = $this->_config['_sid_regexp']; isset(self::$func_overload) or self::$func_overload = (! is_php('8.0') && extension_loaded('mbstring') && @ini_get('mbstring.func_overload')); } // ------------------------------------------------------------------------ /** * Open * * Sanitizes the save_path directory. * * @param string $save_path Path to session files' directory * @param string $name Session cookie name * @return bool */ public function open($save_path, $name) { if (! is_dir($save_path)) { if (! mkdir($save_path, 0700, true)) { log_message('error', "Session: Configured save path '" . $this->_config['save_path'] . "' is not a directory, doesn't exist or cannot be created."); return $this->_failure; } } elseif (! is_writable($save_path)) { log_message('error', "Session: Configured save path '" . $this->_config['save_path'] . "' is not writable by the PHP process."); return $this->_failure; } $this->_config['save_path'] = $save_path; $this->_file_path = $this->_config['save_path'] . DIRECTORY_SEPARATOR . $name // we'll use the session cookie name as a prefix to avoid collisions . ($this->_config['match_ip'] ? md5($_SERVER['REMOTE_ADDR']) : ''); $this->php5_validate_id(); return $this->_success; } // ------------------------------------------------------------------------ /** * Read * * Reads session data and acquires a lock * * @param string $session_id Session ID * @return string Serialized session data */ public function read($session_id) { // This might seem weird, but PHP 5.6 introduces session_reset(), // which re-reads session data if ($this->_file_handle === null) { $this->_file_new = ! file_exists($this->_file_path . $session_id); if (($this->_file_handle = fopen($this->_file_path . $session_id, 'c+b')) === false) { log_message('error', "Session: Unable to open file '" . $this->_file_path . $session_id . "'."); return $this->_failure; } if (flock($this->_file_handle, LOCK_EX) === false) { log_message('error', "Session: Unable to obtain lock for file '" . $this->_file_path . $session_id . "'."); fclose($this->_file_handle); $this->_file_handle = null; return $this->_failure; } // Needed by write() to detect session_regenerate_id() calls $this->_session_id = $session_id; if ($this->_file_new) { chmod($this->_file_path . $session_id, 0600); $this->_fingerprint = md5(''); return ''; } // Prevent possible data corruption // See https://github.com/bcit-ci/CodeIgniter/issues/5857 clearstatcache(true, $this->_file_path . $session_id); } // We shouldn't need this, but apparently we do ... // See https://github.com/bcit-ci/CodeIgniter/issues/4039 elseif ($this->_file_handle === false) { return $this->_failure; } else { rewind($this->_file_handle); } $session_data = ''; for ($read = 0, $length = filesize($this->_file_path . $session_id); $read < $length; $read += self::strlen($buffer)) { if (($buffer = fread($this->_file_handle, $length - $read)) === false) { break; } $session_data .= $buffer; } $this->_fingerprint = md5($session_data); return $session_data; } // ------------------------------------------------------------------------ /** * Write * * Writes (create / update) session data * * @param string $session_id Session ID * @param string $session_data Serialized session data * @return bool */ public function write($session_id, $session_data) { // If the two IDs don't match, we have a session_regenerate_id() call // and we need to close the old handle and open a new one if ($session_id !== $this->_session_id && ($this->close() === $this->_failure or $this->read($session_id) === $this->_failure)) { return $this->_failure; } if (! is_resource($this->_file_handle)) { return $this->_failure; } elseif ($this->_fingerprint === md5($session_data)) { return (! $this->_file_new && ! touch($this->_file_path . $session_id)) ? $this->_failure : $this->_success; } if (! $this->_file_new) { ftruncate($this->_file_handle, 0); rewind($this->_file_handle); } if (($length = strlen($session_data)) > 0) { for ($written = 0; $written < $length; $written += $result) { if (($result = fwrite($this->_file_handle, substr($session_data, $written))) === false) { break; } } if (! is_int($result)) { $this->_fingerprint = md5(substr($session_data, 0, $written)); log_message('error', 'Session: Unable to write data.'); return $this->_failure; } } $this->_fingerprint = md5($session_data); return $this->_success; } // ------------------------------------------------------------------------ /** * Close * * Releases locks and closes file descriptor. * * @return bool */ public function close() { if (is_resource($this->_file_handle)) { flock($this->_file_handle, LOCK_UN); fclose($this->_file_handle); $this->_file_handle = $this->_file_new = $this->_session_id = null; } return $this->_success; } // ------------------------------------------------------------------------ /** * Destroy * * Destroys the current session. * * @param string $session_id Session ID * @return bool */ public function destroy($session_id) { if ($this->close() === $this->_success) { if (file_exists($this->_file_path . $session_id)) { $this->_cookie_destroy(); return unlink($this->_file_path . $session_id) ? $this->_success : $this->_failure; } return $this->_success; } elseif ($this->_file_path !== null) { clearstatcache(); if (file_exists($this->_file_path . $session_id)) { $this->_cookie_destroy(); return unlink($this->_file_path . $session_id) ? $this->_success : $this->_failure; } return $this->_success; } return $this->_failure; } // ------------------------------------------------------------------------ /** * Garbage Collector * * Deletes expired sessions * * @param int $maxlifetime Maximum lifetime of sessions * @return bool */ public function gc($maxlifetime) { if (! is_dir($this->_config['save_path']) or ($directory = opendir($this->_config['save_path'])) === false) { log_message('debug', "Session: Garbage collector couldn't list files under directory '" . $this->_config['save_path'] . "'."); return $this->_failure; } $ts = time() - $maxlifetime; $pattern = ($this->_config['match_ip'] === true) ? '[0-9a-f]{32}' : ''; $pattern = sprintf( '#\A%s' . $pattern . $this->_sid_regexp . '\z#', preg_quote($this->_config['cookie_name']) ); while (($file = readdir($directory)) !== false) { // If the filename doesn't match this pattern, it's either not a session file or is not ours if ( ! preg_match($pattern, $file) or ! is_file($this->_config['save_path'] . DIRECTORY_SEPARATOR . $file) or ($mtime = filemtime($this->_config['save_path'] . DIRECTORY_SEPARATOR . $file)) === false or $mtime > $ts ) { continue; } unlink($this->_config['save_path'] . DIRECTORY_SEPARATOR . $file); } closedir($directory); return $this->_success; } // -------------------------------------------------------------------- /** * Update Timestamp * * Update session timestamp without modifying data * * @param string $id Session ID * @param string $data Unknown & unused * @return bool */ public function updateTimestamp($id, $unknown) { return touch($this->_file_path . $id); } // -------------------------------------------------------------------- /** * Validate ID * * Checks whether a session ID record exists server-side, * to enforce session.use_strict_mode. * * @param string $id Session ID * @return bool */ public function validateId($id) { $result = is_file($this->_file_path . $id); clearstatcache(true, $this->_file_path . $id); return $result; } // -------------------------------------------------------------------- /** * Byte-safe strlen() * * @param string $str * @return int */ protected static function strlen($str) { return (self::$func_overload) ? mb_strlen($str, '8bit') : strlen($str); } }