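<?php

/**
 * Customer session handling for LatePoint.
 *
 * Issues, validates and destroys the signed customer login cookie
 * (LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE). The cookie value has the form
 * "<session id>||<expiration>||<hmac>", where the HMAC binds the value to the
 * session row's hash and to a per-customer token derived from the WordPress salts.
 */
class OsSessionsHelper {

	// Per-request cache of the customer id resolved from the cookie; false until resolved.
	private static $logged_in_customer_id = false;

	/**
	 * setcookie() wrapper that uses the WordPress cookie path and domain.
	 *
	 * Does nothing when headers were already sent, apart from a notice under WP_DEBUG.
	 *
	 * @param string $name     Cookie name.
	 * @param string $value    Cookie value.
	 * @param int    $expire   Unix timestamp; 0 means a browser-session cookie.
	 * @param bool   $secure   Send the cookie only over HTTPS.
	 * @param bool   $httponly Hide the cookie from client-side scripts.
	 */
	public static function setcookie( $name, $value, $expire = 0, $secure = false, $httponly = false ) {
		if ( ! headers_sent() ) {
			setcookie( $name, $value, $expire, COOKIEPATH ?: '/', COOKIE_DOMAIN, $secure, $httponly );
			return;
		}
		if ( class_exists( 'Constants' ) && Constants::is_true( 'WP_DEBUG' ) ) {
			headers_sent( $file, $line );
			trigger_error( "{$name} cookie cannot be set - headers already sent by {$file} on line {$line}", E_USER_NOTICE ); // @codingStandardsIgnoreLine
		}
	}

	/**
	 * Unslashed, sanitized value of the customer session cookie.
	 *
	 * @return string|false Cookie value, or false when the cookie is not present.
	 */
	public static function get_customer_session_cookie() {
		if ( ! isset( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] ) ) {
			return false;
		}
		return sanitize_text_field( wp_unslash( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] ) );
	}

	/**
	 * Generate secure, per-customer session token
	 *
	 * Uses WordPress auth salts + customer ID + installation seed for unique tokens
	 * Prevents session forgery by ensuring each customer has unpredictable token
	 *
	 * @since 5.1.0 Security fix for hardcoded session token
	 * @param int $customer_id Customer ID
	 * @return string Cryptographically secure token; empty string for an invalid ID
	 */
	public static function get_customer_token( $customer_id ) {
		// Validate customer_id (prevent injection)
		$customer_id = absint( $customer_id );
		if ( ! $customer_id ) {
			return ''; // Fail safely for invalid IDs
		}
		return wp_hash( 'latepoint|' . $customer_id );
	}

	/**
	 * HMAC that binds a cookie to its session row, expiration and customer token.
	 *
	 * Shared by cookie issuance and cookie validation so the two can never drift apart.
	 *
	 * @param OsSessionModel $session    Session row; reads ->id and ->hash.
	 * @param int|string     $expiration Unix timestamp carried in the cookie.
	 * @param string         $token      Result of get_customer_token().
	 * @return string Hex-encoded HMAC.
	 */
	private static function compute_cookie_hash( $session, $expiration, $token ) {
		$to_hash = $session->id . '|' . $session->hash . '|' . $expiration . '|' . $token;
		// If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
		$algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
		return hash_hmac( $algo, $to_hash, wp_hash( $to_hash ) );
	}

	/**
	 * Send the signed customer session cookie, unless the browser already has this exact value.
	 *
	 * @param OsSessionModel $session    Session row the cookie refers to.
	 * @param int|string     $expiration Session expiration (Unix timestamp), included in the HMAC.
	 * @param string         $token      Per-customer token from get_customer_token().
	 */
	public static function set_customer_session_cookie( $session, $expiration, $token ) {
		$cookie_hash  = self::compute_cookie_hash( $session, $expiration, $token );
		$cookie_value = $session->id . '||' . $expiration . '||' . $cookie_hash;
		$current      = isset( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] ) ? $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] : null;
		if ( $current !== $cookie_value ) {
			// Browser-session cookie (expire 0). Secure on HTTPS and HttpOnly so the signed
			// value is not exposed to client-side scripts, mirroring WordPress auth cookies.
			self::setcookie( LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE, $cookie_value, 0, is_ssl(), true );
		}
	}

	/**
	 * Resolve the logged-in customer id from the session cookie.
	 *
	 * Verifies the cookie's HMAC against the session row, logs the customer out and clears the
	 * cookie on tampering, and rejects cookies whose (HMAC-protected) expiration has passed.
	 *
	 * @return int|false Customer id (the session's session_key), or false when not logged in.
	 */
	public static function get_customer_id_from_session() {
		if ( self::$logged_in_customer_id ) {
			return self::$logged_in_customer_id;
		}
		$cookie = self::get_customer_session_cookie();
		if ( ! $cookie ) {
			return false;
		}
		// Exactly three "||"-separated fields are expected; anything else is malformed.
		$parts = explode( '||', $cookie );
		if ( count( $parts ) !== 3 ) {
			return false;
		}
		[ $session_id, $expiration, $cookie_hash ] = $parts;
		if ( ! is_numeric( $session_id ) ) {
			return false;
		}
		// A session row that cannot be loaded yields an empty id/hash, which the HMAC check below rejects.
		$session = new OsSessionModel( $session_id );
		if ( ! $session ) {
			return false;
		}
		$token        = self::get_customer_token( $session->session_key );
		$control_hash = self::compute_cookie_hash( $session, $expiration, $token );
		// check if the cookie was altered by malicious user
		if ( ! hash_equals( $control_hash, $cookie_hash ) ) {
			OsAuthHelper::logout_customer();
			self::destroy_customer_session_cookie();
			return false;
		}
		// The expiration is covered by the HMAC, so it is trustworthy once the hash matched;
		// a lapsed session must not stay usable indefinitely just because the cookie survived.
		if ( (int) $expiration < time() ) {
			self::destroy_customer_session_cookie();
			return false;
		}
		self::$logged_in_customer_id = $session->session_key;
		return self::$logged_in_customer_id;
	}

	/**
	 * Reuse (renewing if expired) or create the session row for a customer and issue its cookie.
	 *
	 * @param int $customer_id Customer whose session is started.
	 */
	public static function start_or_use_session_for_customer( $customer_id ) {
		$lifetime = 2 * DAY_IN_SECONDS;
		// find existing session for the customer
		// NOTE(review): treated as returning a single model (or a falsy value) with limit 1, as the call site always did — confirm against OsSessionModel.
		$session_model = new OsSessionModel();
		$session       = $session_model->where( [ 'session_key' => $customer_id ] )->set_limit( 1 )->get_results_as_models();
		$token         = self::get_customer_token( $customer_id );
		if ( $session ) {
			// expired session, renew
			if ( $session->expiration < time() ) {
				$session->expiration = time() + $lifetime;
				$session->save();
			}
		} else {
			$session                = new OsSessionModel();
			$session->session_key   = $customer_id;
			$session->expiration    = time() + $lifetime;
			$session->session_value = maybe_serialize( [] );
			// Random per-session secret mixed into the cookie HMAC.
			$session->hash = wp_generate_password( 20, false, false );
			$session->save();
		}
		self::set_customer_session_cookie( $session, $session->expiration, $token );
		self::$logged_in_customer_id = $customer_id;
	}

	/**
	 * Forget the cached customer id and expire the session cookie in the browser.
	 */
	public static function destroy_customer_session_cookie() {
		self::$logged_in_customer_id = false;
		if ( isset( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] ) ) {
			unset( $_COOKIE[ LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE ] );
			// Same wrapper and flags as when the cookie was issued, so path/domain match and
			// the headers_sent() guard applies to deletion as well.
			self::setcookie( LATEPOINT_CUSTOMER_LOGGED_IN_COOKIE, '', time() - 3600, is_ssl(), true );
		}
	}
}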