Session.php 37 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073
  1. <?php
  2. /**
  3. * @link https://www.yiiframework.com/
  4. * @copyright Copyright (c) 2008 Yii Software LLC
  5. * @license https://www.yiiframework.com/license/
  6. */
  7. namespace yii\web;
  8. use Yii;
  9. use yii\base\Component;
  10. use yii\base\InvalidArgumentException;
  11. use yii\base\InvalidConfigException;
  12. /**
  13. * Session provides session data management and the related configurations.
  14. *
  15. * Session is a Web application component that can be accessed via `Yii::$app->session`.
  16. *
  17. * To start the session, call [[open()]]; To complete and send out session data, call [[close()]];
  18. * To destroy the session, call [[destroy()]].
  19. *
  20. * Session can be used like an array to set and get session data. For example,
  21. *
  22. * ```php
  23. * $session = new Session;
  24. * $session->open();
  25. * $value1 = $session['name1']; // get session variable 'name1'
  26. * $value2 = $session['name2']; // get session variable 'name2'
  27. * foreach ($session as $name => $value) // traverse all session variables
  28. * $session['name3'] = $value3; // set session variable 'name3'
  29. * ```
  30. *
  31. * Session can be extended to support customized session storage.
  32. * To do so, override [[useCustomStorage]] so that it returns true, and
  33. * override these methods with the actual logic about using custom storage:
  34. * [[openSession()]], [[closeSession()]], [[readSession()]], [[writeSession()]],
  35. * [[destroySession()]] and [[gcSession()]].
  36. *
  37. * Session also supports a special type of session data, called *flash messages*.
  38. * A flash message is available only in the current request and the next request.
  39. * After that, it will be deleted automatically. Flash messages are particularly
  40. * useful for displaying confirmation messages. To use flash messages, simply
  41. * call methods such as [[setFlash()]], [[getFlash()]].
  42. *
  43. * For more details and usage information on Session, see the [guide article on sessions](guide:runtime-sessions-cookies).
  44. *
  45. * @property-read array $allFlashes Flash messages (key => message or key => [message1, message2]).
  46. * @property-read string $cacheLimiter Current cache limiter.
  47. * @property-read array $cookieParams The session cookie parameters.
  48. * @property-read int $count The number of session variables.
  49. * @property-write string $flash The key identifying the flash message. Note that flash messages and normal
  50. * session variables share the same name space. If you have a normal session variable using the same name, its
  51. * value will be overwritten by this method.
  52. * @property float $gCProbability The probability (percentage) that the GC (garbage collection) process is
  53. * started on every session initialization.
  54. * @property bool $hasSessionId Whether the current request has sent the session ID.
  55. * @property string $id The current session ID.
  56. * @property-read bool $isActive Whether the session has started.
  57. * @property-read SessionIterator $iterator An iterator for traversing the session variables.
  58. * @property string $name The current session name.
  59. * @property string $savePath The current session save path, defaults to '/tmp'.
  60. * @property int $timeout The number of seconds after which data will be seen as 'garbage' and cleaned up. The
  61. * default value is 1440 seconds (or the value of "session.gc_maxlifetime" set in php.ini).
  62. * @property bool|null $useCookies The value indicating whether cookies should be used to store session IDs.
  63. * @property-read bool $useCustomStorage Whether to use custom storage.
  64. * @property bool $useStrictMode Whether strict mode is enabled or not.
  65. * @property bool $useTransparentSessionID Whether transparent sid support is enabled or not, defaults to
  66. * false.
  67. *
  68. * @author Qiang Xue <qiang.xue@gmail.com>
  69. * @since 2.0
  70. */
  71. class Session extends Component implements \IteratorAggregate, \ArrayAccess, \Countable
  72. {
  73. /**
  74. * @var string|null Holds the original session module (before a custom handler is registered) so that it can be
  75. * restored when a Session component without custom handler is used after one that has.
  76. */
  77. static protected $_originalSessionModule = null;
  78. /**
  79. * Polyfill for ini directive session.use-strict-mode for PHP < 5.5.2.
  80. */
  81. static private $_useStrictModePolyfill = false;
  82. /**
  83. * @var string the name of the session variable that stores the flash message data.
  84. */
  85. public $flashParam = '__flash';
  86. /**
  87. * @var \SessionHandlerInterface|array an object implementing the SessionHandlerInterface or a configuration array. If set, will be used to provide persistency instead of build-in methods.
  88. */
  89. public $handler;
  90. /**
  91. * @var string|null Holds the session id in case useStrictMode is enabled and the session id needs to be regenerated
  92. */
  93. protected $_forceRegenerateId = null;
  94. /**
  95. * @var array parameter-value pairs to override default session cookie parameters that are used for session_set_cookie_params() function
  96. * Array may have the following possible keys: 'lifetime', 'path', 'domain', 'secure', 'httponly'
  97. * @see https://www.php.net/manual/en/function.session-set-cookie-params.php
  98. */
  99. private $_cookieParams = ['httponly' => true];
  100. /**
  101. * @var array|null is used for saving session between recreations due to session parameters update.
  102. */
  103. private $frozenSessionData;
  104. /**
  105. * Initializes the application component.
  106. * This method is required by IApplicationComponent and is invoked by application.
  107. */
  108. public function init()
  109. {
  110. parent::init();
  111. register_shutdown_function([$this, 'close']);
  112. if ($this->getIsActive()) {
  113. Yii::warning('Session is already started', __METHOD__);
  114. $this->updateFlashCounters();
  115. }
  116. }
  117. /**
  118. * Returns a value indicating whether to use custom session storage.
  119. * This method should be overridden to return true by child classes that implement custom session storage.
  120. * To implement custom session storage, override these methods: [[openSession()]], [[closeSession()]],
  121. * [[readSession()]], [[writeSession()]], [[destroySession()]] and [[gcSession()]].
  122. * @return bool whether to use custom storage.
  123. */
  124. public function getUseCustomStorage()
  125. {
  126. return false;
  127. }
  128. /**
  129. * Starts the session.
  130. */
  131. public function open()
  132. {
  133. if ($this->getIsActive()) {
  134. return;
  135. }
  136. $this->registerSessionHandler();
  137. $this->setCookieParamsInternal();
  138. YII_DEBUG ? session_start() : @session_start();
  139. if ($this->getUseStrictMode() && $this->_forceRegenerateId) {
  140. $this->regenerateID();
  141. $this->_forceRegenerateId = null;
  142. }
  143. if ($this->getIsActive()) {
  144. Yii::info('Session started', __METHOD__);
  145. $this->updateFlashCounters();
  146. } else {
  147. $error = error_get_last();
  148. $message = isset($error['message']) ? $error['message'] : 'Failed to start session.';
  149. Yii::error($message, __METHOD__);
  150. }
  151. }
  152. /**
  153. * Registers session handler.
  154. * @throws \yii\base\InvalidConfigException
  155. */
  156. protected function registerSessionHandler()
  157. {
  158. $sessionModuleName = session_module_name();
  159. if (static::$_originalSessionModule === null) {
  160. static::$_originalSessionModule = $sessionModuleName;
  161. }
  162. if ($this->handler !== null) {
  163. if (!is_object($this->handler)) {
  164. $this->handler = Yii::createObject($this->handler);
  165. }
  166. if (!$this->handler instanceof \SessionHandlerInterface) {
  167. throw new InvalidConfigException('"' . get_class($this) . '::handler" must implement the SessionHandlerInterface.');
  168. }
  169. YII_DEBUG ? session_set_save_handler($this->handler, false) : @session_set_save_handler($this->handler, false);
  170. } elseif ($this->getUseCustomStorage()) {
  171. if (YII_DEBUG) {
  172. session_set_save_handler(
  173. [$this, 'openSession'],
  174. [$this, 'closeSession'],
  175. [$this, 'readSession'],
  176. [$this, 'writeSession'],
  177. [$this, 'destroySession'],
  178. [$this, 'gcSession']
  179. );
  180. } else {
  181. @session_set_save_handler(
  182. [$this, 'openSession'],
  183. [$this, 'closeSession'],
  184. [$this, 'readSession'],
  185. [$this, 'writeSession'],
  186. [$this, 'destroySession'],
  187. [$this, 'gcSession']
  188. );
  189. }
  190. } elseif (
  191. $sessionModuleName !== static::$_originalSessionModule
  192. && static::$_originalSessionModule !== null
  193. && static::$_originalSessionModule !== 'user'
  194. ) {
  195. session_module_name(static::$_originalSessionModule);
  196. }
  197. }
  198. /**
  199. * Ends the current session and store session data.
  200. */
  201. public function close()
  202. {
  203. if ($this->getIsActive()) {
  204. YII_DEBUG ? session_write_close() : @session_write_close();
  205. }
  206. $this->_forceRegenerateId = null;
  207. }
  208. /**
  209. * Frees all session variables and destroys all data registered to a session.
  210. *
  211. * This method has no effect when session is not [[getIsActive()|active]].
  212. * Make sure to call [[open()]] before calling it.
  213. * @see open()
  214. * @see isActive
  215. */
  216. public function destroy()
  217. {
  218. if ($this->getIsActive()) {
  219. $sessionId = session_id();
  220. $this->close();
  221. $this->setId($sessionId);
  222. $this->open();
  223. session_unset();
  224. session_destroy();
  225. $this->setId($sessionId);
  226. }
  227. }
  228. /**
  229. * @return bool whether the session has started
  230. */
  231. public function getIsActive()
  232. {
  233. return session_status() === PHP_SESSION_ACTIVE;
  234. }
  235. private $_hasSessionId;
  236. /**
  237. * Returns a value indicating whether the current request has sent the session ID.
  238. * The default implementation will check cookie and $_GET using the session name.
  239. * If you send session ID via other ways, you may need to override this method
  240. * or call [[setHasSessionId()]] to explicitly set whether the session ID is sent.
  241. * @return bool whether the current request has sent the session ID.
  242. */
  243. public function getHasSessionId()
  244. {
  245. if ($this->_hasSessionId === null) {
  246. $name = $this->getName();
  247. $request = Yii::$app->getRequest();
  248. if (!empty($_COOKIE[$name]) && ini_get('session.use_cookies')) {
  249. $this->_hasSessionId = true;
  250. } elseif (!ini_get('session.use_only_cookies') && ini_get('session.use_trans_sid')) {
  251. $this->_hasSessionId = $request->get($name) != '';
  252. } else {
  253. $this->_hasSessionId = false;
  254. }
  255. }
  256. return $this->_hasSessionId;
  257. }
  258. /**
  259. * Sets the value indicating whether the current request has sent the session ID.
  260. * This method is provided so that you can override the default way of determining
  261. * whether the session ID is sent.
  262. * @param bool $value whether the current request has sent the session ID.
  263. */
  264. public function setHasSessionId($value)
  265. {
  266. $this->_hasSessionId = $value;
  267. }
  268. /**
  269. * Gets the session ID.
  270. * This is a wrapper for [PHP session_id()](https://www.php.net/manual/en/function.session-id.php).
  271. * @return string the current session ID
  272. */
  273. public function getId()
  274. {
  275. return session_id();
  276. }
  277. /**
  278. * Sets the session ID.
  279. * This is a wrapper for [PHP session_id()](https://www.php.net/manual/en/function.session-id.php).
  280. * @param string $value the session ID for the current session
  281. */
  282. public function setId($value)
  283. {
  284. session_id($value);
  285. }
  286. /**
  287. * Updates the current session ID with a newly generated one.
  288. *
  289. * Please refer to <https://www.php.net/session_regenerate_id> for more details.
  290. *
  291. * This method has no effect when session is not [[getIsActive()|active]].
  292. * Make sure to call [[open()]] before calling it.
  293. *
  294. * @param bool $deleteOldSession Whether to delete the old associated session file or not.
  295. * @see open()
  296. * @see isActive
  297. */
  298. public function regenerateID($deleteOldSession = false)
  299. {
  300. if ($this->getIsActive()) {
  301. // add @ to inhibit possible warning due to race condition
  302. // https://github.com/yiisoft/yii2/pull/1812
  303. if (YII_DEBUG && !headers_sent()) {
  304. session_regenerate_id($deleteOldSession);
  305. } else {
  306. @session_regenerate_id($deleteOldSession);
  307. }
  308. }
  309. }
  310. /**
  311. * Gets the name of the current session.
  312. * This is a wrapper for [PHP session_name()](https://www.php.net/manual/en/function.session-name.php).
  313. * @return string the current session name
  314. */
  315. public function getName()
  316. {
  317. return session_name();
  318. }
  319. /**
  320. * Sets the name for the current session.
  321. * This is a wrapper for [PHP session_name()](https://www.php.net/manual/en/function.session-name.php).
  322. * @param string $value the session name for the current session, must be an alphanumeric string.
  323. * It defaults to "PHPSESSID".
  324. */
  325. public function setName($value)
  326. {
  327. $this->freeze();
  328. session_name($value);
  329. $this->unfreeze();
  330. }
  331. /**
  332. * Gets the current session save path.
  333. * This is a wrapper for [PHP session_save_path()](https://www.php.net/manual/en/function.session-save-path.php).
  334. * @return string the current session save path, defaults to '/tmp'.
  335. */
  336. public function getSavePath()
  337. {
  338. return session_save_path();
  339. }
  340. /**
  341. * Sets the current session save path.
  342. * This is a wrapper for [PHP session_save_path()](https://www.php.net/manual/en/function.session-save-path.php).
  343. * @param string $value the current session save path. This can be either a directory name or a [path alias](guide:concept-aliases).
  344. * @throws InvalidArgumentException if the path is not a valid directory
  345. */
  346. public function setSavePath($value)
  347. {
  348. $path = Yii::getAlias($value);
  349. if (is_dir($path)) {
  350. session_save_path($path);
  351. } else {
  352. throw new InvalidArgumentException("Session save path is not a valid directory: $value");
  353. }
  354. }
  355. /**
  356. * @return array the session cookie parameters.
  357. * @see https://www.php.net/manual/en/function.session-get-cookie-params.php
  358. */
  359. public function getCookieParams()
  360. {
  361. return array_merge(session_get_cookie_params(), array_change_key_case($this->_cookieParams));
  362. }
  363. /**
  364. * Sets the session cookie parameters.
  365. * The cookie parameters passed to this method will be merged with the result
  366. * of `session_get_cookie_params()`.
  367. * @param array $value cookie parameters, valid keys include: `lifetime`, `path`, `domain`, `secure` and `httponly`.
  368. * Starting with Yii 2.0.21 `sameSite` is also supported. It requires PHP version 7.3.0 or higher.
  369. * For securtiy, an exception will be thrown if `sameSite` is set while using an unsupported version of PHP.
  370. * To use this feature across different PHP versions check the version first. E.g.
  371. * ```php
  372. * [
  373. * 'sameSite' => PHP_VERSION_ID >= 70300 ? yii\web\Cookie::SAME_SITE_LAX : null,
  374. * ]
  375. * ```
  376. * See https://www.owasp.org/index.php/SameSite for more information about `sameSite`.
  377. *
  378. * @throws InvalidArgumentException if the parameters are incomplete.
  379. * @see https://www.php.net/manual/en/function.session-set-cookie-params.php
  380. */
  381. public function setCookieParams(array $value)
  382. {
  383. $this->_cookieParams = $value;
  384. }
  385. /**
  386. * Sets the session cookie parameters.
  387. * This method is called by [[open()]] when it is about to open the session.
  388. * @throws InvalidArgumentException if the parameters are incomplete.
  389. * @see https://www.php.net/manual/en/function.session-set-cookie-params.php
  390. */
  391. private function setCookieParamsInternal()
  392. {
  393. $data = $this->getCookieParams();
  394. if (isset($data['lifetime'], $data['path'], $data['domain'], $data['secure'], $data['httponly'])) {
  395. if (PHP_VERSION_ID >= 70300) {
  396. session_set_cookie_params($data);
  397. } else {
  398. if (!empty($data['samesite'])) {
  399. $data['path'] .= '; samesite=' . $data['samesite'];
  400. }
  401. session_set_cookie_params($data['lifetime'], $data['path'], $data['domain'], $data['secure'], $data['httponly']);
  402. }
  403. } else {
  404. throw new InvalidArgumentException('Please make sure cookieParams contains these elements: lifetime, path, domain, secure and httponly.');
  405. }
  406. }
  407. /**
  408. * Returns the value indicating whether cookies should be used to store session IDs.
  409. * @return bool|null the value indicating whether cookies should be used to store session IDs.
  410. * @see setUseCookies()
  411. */
  412. public function getUseCookies()
  413. {
  414. if (ini_get('session.use_cookies') === '0') {
  415. return false;
  416. } elseif (ini_get('session.use_only_cookies') === '1') {
  417. return true;
  418. }
  419. return null;
  420. }
  421. /**
  422. * Sets the value indicating whether cookies should be used to store session IDs.
  423. *
  424. * Three states are possible:
  425. *
  426. * - true: cookies and only cookies will be used to store session IDs.
  427. * - false: cookies will not be used to store session IDs.
  428. * - null: if possible, cookies will be used to store session IDs; if not, other mechanisms will be used (e.g. GET parameter)
  429. *
  430. * @param bool|null $value the value indicating whether cookies should be used to store session IDs.
  431. */
  432. public function setUseCookies($value)
  433. {
  434. $this->freeze();
  435. if ($value === false) {
  436. ini_set('session.use_cookies', '0');
  437. ini_set('session.use_only_cookies', '0');
  438. } elseif ($value === true) {
  439. ini_set('session.use_cookies', '1');
  440. ini_set('session.use_only_cookies', '1');
  441. } else {
  442. ini_set('session.use_cookies', '1');
  443. ini_set('session.use_only_cookies', '0');
  444. }
  445. $this->unfreeze();
  446. }
  447. /**
  448. * @return float the probability (percentage) that the GC (garbage collection) process is started on every session initialization.
  449. */
  450. public function getGCProbability()
  451. {
  452. return (float) (ini_get('session.gc_probability') / ini_get('session.gc_divisor') * 100);
  453. }
  454. /**
  455. * @param float $value the probability (percentage) that the GC (garbage collection) process is started on every session initialization.
  456. * @throws InvalidArgumentException if the value is not between 0 and 100.
  457. */
  458. public function setGCProbability($value)
  459. {
  460. $this->freeze();
  461. if ($value >= 0 && $value <= 100) {
  462. // percent * 21474837 / 2147483647 ≈ percent * 0.01
  463. ini_set('session.gc_probability', floor($value * 21474836.47));
  464. ini_set('session.gc_divisor', 2147483647);
  465. } else {
  466. throw new InvalidArgumentException('GCProbability must be a value between 0 and 100.');
  467. }
  468. $this->unfreeze();
  469. }
  470. /**
  471. * @return bool whether transparent sid support is enabled or not, defaults to false.
  472. */
  473. public function getUseTransparentSessionID()
  474. {
  475. return ini_get('session.use_trans_sid') == 1;
  476. }
  477. /**
  478. * @param bool $value whether transparent sid support is enabled or not.
  479. */
  480. public function setUseTransparentSessionID($value)
  481. {
  482. $this->freeze();
  483. ini_set('session.use_trans_sid', $value ? '1' : '0');
  484. $this->unfreeze();
  485. }
  486. /**
  487. * @return int the number of seconds after which data will be seen as 'garbage' and cleaned up.
  488. * The default value is 1440 seconds (or the value of "session.gc_maxlifetime" set in php.ini).
  489. */
  490. public function getTimeout()
  491. {
  492. return (int) ini_get('session.gc_maxlifetime');
  493. }
  494. /**
  495. * @param int $value the number of seconds after which data will be seen as 'garbage' and cleaned up
  496. */
  497. public function setTimeout($value)
  498. {
  499. $this->freeze();
  500. ini_set('session.gc_maxlifetime', $value);
  501. $this->unfreeze();
  502. }
  503. /**
  504. * @param bool $value Whether strict mode is enabled or not.
  505. * When `true` this setting prevents the session component to use an uninitialized session ID.
  506. * Note: Enabling `useStrictMode` on PHP < 5.5.2 is only supported with custom storage classes.
  507. * Warning! Although enabling strict mode is mandatory for secure sessions, the default value of 'session.use-strict-mode' is `0`.
  508. * @see https://www.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
  509. * @since 2.0.38
  510. */
  511. public function setUseStrictMode($value)
  512. {
  513. if (PHP_VERSION_ID < 50502) {
  514. if ($this->getUseCustomStorage() || !$value) {
  515. self::$_useStrictModePolyfill = $value;
  516. } else {
  517. throw new InvalidConfigException('Enabling `useStrictMode` on PHP < 5.5.2 is only supported with custom storage classes.');
  518. }
  519. } else {
  520. $this->freeze();
  521. ini_set('session.use_strict_mode', $value ? '1' : '0');
  522. $this->unfreeze();
  523. }
  524. }
  525. /**
  526. * @return bool Whether strict mode is enabled or not.
  527. * @see setUseStrictMode()
  528. * @since 2.0.38
  529. */
  530. public function getUseStrictMode()
  531. {
  532. if (PHP_VERSION_ID < 50502) {
  533. return self::$_useStrictModePolyfill;
  534. }
  535. return (bool)ini_get('session.use_strict_mode');
  536. }
  537. /**
  538. * Session open handler.
  539. * This method should be overridden if [[useCustomStorage]] returns true.
  540. * @internal Do not call this method directly.
  541. * @param string $savePath session save path
  542. * @param string $sessionName session name
  543. * @return bool whether session is opened successfully
  544. */
  545. public function openSession($savePath, $sessionName)
  546. {
  547. return true;
  548. }
  549. /**
  550. * Session close handler.
  551. * This method should be overridden if [[useCustomStorage]] returns true.
  552. * @internal Do not call this method directly.
  553. * @return bool whether session is closed successfully
  554. */
  555. public function closeSession()
  556. {
  557. return true;
  558. }
  559. /**
  560. * Session read handler.
  561. * This method should be overridden if [[useCustomStorage]] returns true.
  562. * @internal Do not call this method directly.
  563. * @param string $id session ID
  564. * @return string the session data
  565. */
  566. public function readSession($id)
  567. {
  568. return '';
  569. }
  570. /**
  571. * Session write handler.
  572. * This method should be overridden if [[useCustomStorage]] returns true.
  573. * @internal Do not call this method directly.
  574. * @param string $id session ID
  575. * @param string $data session data
  576. * @return bool whether session write is successful
  577. */
  578. public function writeSession($id, $data)
  579. {
  580. return true;
  581. }
  582. /**
  583. * Session destroy handler.
  584. * This method should be overridden if [[useCustomStorage]] returns true.
  585. * @internal Do not call this method directly.
  586. * @param string $id session ID
  587. * @return bool whether session is destroyed successfully
  588. */
  589. public function destroySession($id)
  590. {
  591. return true;
  592. }
  593. /**
  594. * Session GC (garbage collection) handler.
  595. * This method should be overridden if [[useCustomStorage]] returns true.
  596. * @internal Do not call this method directly.
  597. * @param int $maxLifetime the number of seconds after which data will be seen as 'garbage' and cleaned up.
  598. * @return bool whether session is GCed successfully
  599. */
  600. public function gcSession($maxLifetime)
  601. {
  602. return true;
  603. }
  604. /**
  605. * Returns an iterator for traversing the session variables.
  606. * This method is required by the interface [[\IteratorAggregate]].
  607. * @return SessionIterator an iterator for traversing the session variables.
  608. */
  609. #[\ReturnTypeWillChange]
  610. public function getIterator()
  611. {
  612. $this->open();
  613. return new SessionIterator();
  614. }
  615. /**
  616. * Returns the number of items in the session.
  617. * @return int the number of session variables
  618. */
  619. public function getCount()
  620. {
  621. $this->open();
  622. return count($_SESSION);
  623. }
  624. /**
  625. * Returns the number of items in the session.
  626. * This method is required by [[\Countable]] interface.
  627. * @return int number of items in the session.
  628. */
  629. #[\ReturnTypeWillChange]
  630. public function count()
  631. {
  632. return $this->getCount();
  633. }
  634. /**
  635. * Returns the session variable value with the session variable name.
  636. * If the session variable does not exist, the `$defaultValue` will be returned.
  637. * @param string $key the session variable name
  638. * @param mixed $defaultValue the default value to be returned when the session variable does not exist.
  639. * @return mixed the session variable value, or $defaultValue if the session variable does not exist.
  640. */
  641. public function get($key, $defaultValue = null)
  642. {
  643. $this->open();
  644. return isset($_SESSION[$key]) ? $_SESSION[$key] : $defaultValue;
  645. }
  646. /**
  647. * Adds a session variable.
  648. * If the specified name already exists, the old value will be overwritten.
  649. * @param string $key session variable name
  650. * @param mixed $value session variable value
  651. */
  652. public function set($key, $value)
  653. {
  654. $this->open();
  655. $_SESSION[$key] = $value;
  656. }
  657. /**
  658. * Removes a session variable.
  659. * @param string $key the name of the session variable to be removed
  660. * @return mixed the removed value, null if no such session variable.
  661. */
  662. public function remove($key)
  663. {
  664. $this->open();
  665. if (isset($_SESSION[$key])) {
  666. $value = $_SESSION[$key];
  667. unset($_SESSION[$key]);
  668. return $value;
  669. }
  670. return null;
  671. }
  672. /**
  673. * Removes all session variables.
  674. */
  675. public function removeAll()
  676. {
  677. $this->open();
  678. foreach (array_keys($_SESSION) as $key) {
  679. unset($_SESSION[$key]);
  680. }
  681. }
  682. /**
  683. * @param mixed $key session variable name
  684. * @return bool whether there is the named session variable
  685. */
  686. public function has($key)
  687. {
  688. $this->open();
  689. return isset($_SESSION[$key]);
  690. }
  691. /**
  692. * Updates the counters for flash messages and removes outdated flash messages.
  693. * This method should only be called once in [[init()]].
  694. */
  695. protected function updateFlashCounters()
  696. {
  697. $counters = $this->get($this->flashParam, []);
  698. if (is_array($counters)) {
  699. foreach ($counters as $key => $count) {
  700. if ($count > 0) {
  701. unset($counters[$key], $_SESSION[$key]);
  702. } elseif ($count == 0) {
  703. $counters[$key]++;
  704. }
  705. }
  706. $_SESSION[$this->flashParam] = $counters;
  707. } else {
  708. // fix the unexpected problem that flashParam doesn't return an array
  709. unset($_SESSION[$this->flashParam]);
  710. }
  711. }
  712. /**
  713. * Returns a flash message.
  714. * @param string $key the key identifying the flash message
  715. * @param mixed $defaultValue value to be returned if the flash message does not exist.
  716. * @param bool $delete whether to delete this flash message right after this method is called.
  717. * If false, the flash message will be automatically deleted in the next request.
  718. * @return mixed the flash message or an array of messages if addFlash was used
  719. * @see setFlash()
  720. * @see addFlash()
  721. * @see hasFlash()
  722. * @see getAllFlashes()
  723. * @see removeFlash()
  724. */
  725. public function getFlash($key, $defaultValue = null, $delete = false)
  726. {
  727. $counters = $this->get($this->flashParam, []);
  728. if (isset($counters[$key])) {
  729. $value = $this->get($key, $defaultValue);
  730. if ($delete) {
  731. $this->removeFlash($key);
  732. } elseif ($counters[$key] < 0) {
  733. // mark for deletion in the next request
  734. $counters[$key] = 1;
  735. $_SESSION[$this->flashParam] = $counters;
  736. }
  737. return $value;
  738. }
  739. return $defaultValue;
  740. }
  741. /**
  742. * Returns all flash messages.
  743. *
  744. * You may use this method to display all the flash messages in a view file:
  745. *
  746. * ```php
  747. * <?php
  748. * foreach (Yii::$app->session->getAllFlashes() as $key => $message) {
  749. * echo '<div class="alert alert-' . $key . '">' . $message . '</div>';
  750. * } ?>
  751. * ```
  752. *
  753. * With the above code you can use the [bootstrap alert][] classes such as `success`, `info`, `danger`
  754. * as the flash message key to influence the color of the div.
  755. *
  756. * Note that if you use [[addFlash()]], `$message` will be an array, and you will have to adjust the above code.
  757. *
  758. * [bootstrap alert]: https://getbootstrap.com/docs/3.4/components/#alerts
  759. *
  760. * @param bool $delete whether to delete the flash messages right after this method is called.
  761. * If false, the flash messages will be automatically deleted in the next request.
  762. * @return array flash messages (key => message or key => [message1, message2]).
  763. * @see setFlash()
  764. * @see addFlash()
  765. * @see getFlash()
  766. * @see hasFlash()
  767. * @see removeFlash()
  768. */
  769. public function getAllFlashes($delete = false)
  770. {
  771. $counters = $this->get($this->flashParam, []);
  772. $flashes = [];
  773. foreach (array_keys($counters) as $key) {
  774. if (array_key_exists($key, $_SESSION)) {
  775. $flashes[$key] = $_SESSION[$key];
  776. if ($delete) {
  777. unset($counters[$key], $_SESSION[$key]);
  778. } elseif ($counters[$key] < 0) {
  779. // mark for deletion in the next request
  780. $counters[$key] = 1;
  781. }
  782. } else {
  783. unset($counters[$key]);
  784. }
  785. }
  786. $_SESSION[$this->flashParam] = $counters;
  787. return $flashes;
  788. }
  789. /**
  790. * Sets a flash message.
  791. * A flash message will be automatically deleted after it is accessed in a request and the deletion will happen
  792. * in the next request.
  793. * If there is already an existing flash message with the same key, it will be overwritten by the new one.
  794. * @param string $key the key identifying the flash message. Note that flash messages
  795. * and normal session variables share the same name space. If you have a normal
  796. * session variable using the same name, its value will be overwritten by this method.
  797. * @param mixed $value flash message
  798. * @param bool $removeAfterAccess whether the flash message should be automatically removed only if
  799. * it is accessed. If false, the flash message will be automatically removed after the next request,
  800. * regardless if it is accessed or not. If true (default value), the flash message will remain until after
  801. * it is accessed.
  802. * @see getFlash()
  803. * @see addFlash()
  804. * @see removeFlash()
  805. */
  806. public function setFlash($key, $value = true, $removeAfterAccess = true)
  807. {
  808. $counters = $this->get($this->flashParam, []);
  809. $counters[$key] = $removeAfterAccess ? -1 : 0;
  810. $_SESSION[$key] = $value;
  811. $_SESSION[$this->flashParam] = $counters;
  812. }
  813. /**
  814. * Adds a flash message.
  815. * If there are existing flash messages with the same key, the new one will be appended to the existing message array.
  816. * @param string $key the key identifying the flash message.
  817. * @param mixed $value flash message
  818. * @param bool $removeAfterAccess whether the flash message should be automatically removed only if
  819. * it is accessed. If false, the flash message will be automatically removed after the next request,
  820. * regardless if it is accessed or not. If true (default value), the flash message will remain until after
  821. * it is accessed.
  822. * @see getFlash()
  823. * @see setFlash()
  824. * @see removeFlash()
  825. */
  826. public function addFlash($key, $value = true, $removeAfterAccess = true)
  827. {
  828. $counters = $this->get($this->flashParam, []);
  829. $counters[$key] = $removeAfterAccess ? -1 : 0;
  830. $_SESSION[$this->flashParam] = $counters;
  831. if (empty($_SESSION[$key])) {
  832. $_SESSION[$key] = [$value];
  833. } elseif (is_array($_SESSION[$key])) {
  834. $_SESSION[$key][] = $value;
  835. } else {
  836. $_SESSION[$key] = [$_SESSION[$key], $value];
  837. }
  838. }
  839. /**
  840. * Removes a flash message.
  841. * @param string $key the key identifying the flash message. Note that flash messages
  842. * and normal session variables share the same name space. If you have a normal
  843. * session variable using the same name, it will be removed by this method.
  844. * @return mixed the removed flash message. Null if the flash message does not exist.
  845. * @see getFlash()
  846. * @see setFlash()
  847. * @see addFlash()
  848. * @see removeAllFlashes()
  849. */
  850. public function removeFlash($key)
  851. {
  852. $counters = $this->get($this->flashParam, []);
  853. $value = isset($_SESSION[$key], $counters[$key]) ? $_SESSION[$key] : null;
  854. unset($counters[$key], $_SESSION[$key]);
  855. $_SESSION[$this->flashParam] = $counters;
  856. return $value;
  857. }
  858. /**
  859. * Removes all flash messages.
  860. * Note that flash messages and normal session variables share the same name space.
  861. * If you have a normal session variable using the same name, it will be removed
  862. * by this method.
  863. * @see getFlash()
  864. * @see setFlash()
  865. * @see addFlash()
  866. * @see removeFlash()
  867. */
  868. public function removeAllFlashes()
  869. {
  870. $counters = $this->get($this->flashParam, []);
  871. foreach (array_keys($counters) as $key) {
  872. unset($_SESSION[$key]);
  873. }
  874. unset($_SESSION[$this->flashParam]);
  875. }
  876. /**
  877. * Returns a value indicating whether there are flash messages associated with the specified key.
  878. * @param string $key key identifying the flash message type
  879. * @return bool whether any flash messages exist under specified key
  880. */
  881. public function hasFlash($key)
  882. {
  883. return $this->getFlash($key) !== null;
  884. }
  885. /**
  886. * This method is required by the interface [[\ArrayAccess]].
  887. * @param int|string $offset the offset to check on
  888. * @return bool
  889. */
  890. #[\ReturnTypeWillChange]
  891. public function offsetExists($offset)
  892. {
  893. $this->open();
  894. return isset($_SESSION[$offset]);
  895. }
  896. /**
  897. * This method is required by the interface [[\ArrayAccess]].
  898. * @param int|string $offset the offset to retrieve element.
  899. * @return mixed the element at the offset, null if no element is found at the offset
  900. */
  901. #[\ReturnTypeWillChange]
  902. public function offsetGet($offset)
  903. {
  904. $this->open();
  905. return isset($_SESSION[$offset]) ? $_SESSION[$offset] : null;
  906. }
  907. /**
  908. * This method is required by the interface [[\ArrayAccess]].
  909. * @param int|string $offset the offset to set element
  910. * @param mixed $item the element value
  911. */
  912. #[\ReturnTypeWillChange]
  913. public function offsetSet($offset, $item)
  914. {
  915. $this->open();
  916. $_SESSION[$offset] = $item;
  917. }
  918. /**
  919. * This method is required by the interface [[\ArrayAccess]].
  920. * @param int|string $offset the offset to unset element
  921. */
  922. #[\ReturnTypeWillChange]
  923. public function offsetUnset($offset)
  924. {
  925. $this->open();
  926. unset($_SESSION[$offset]);
  927. }
  928. /**
  929. * If session is started it's not possible to edit session ini settings. In PHP7.2+ it throws exception.
  930. * This function saves session data to temporary variable and stop session.
  931. * @since 2.0.14
  932. */
  933. protected function freeze()
  934. {
  935. if ($this->getIsActive()) {
  936. if (isset($_SESSION)) {
  937. $this->frozenSessionData = $_SESSION;
  938. }
  939. $this->close();
  940. Yii::info('Session frozen', __METHOD__);
  941. }
  942. }
  943. /**
  944. * Starts session and restores data from temporary variable
  945. * @since 2.0.14
  946. */
  947. protected function unfreeze()
  948. {
  949. if (null !== $this->frozenSessionData) {
  950. YII_DEBUG ? session_start() : @session_start();
  951. if ($this->getIsActive()) {
  952. Yii::info('Session unfrozen', __METHOD__);
  953. } else {
  954. $error = error_get_last();
  955. $message = isset($error['message']) ? $error['message'] : 'Failed to unfreeze session.';
  956. Yii::error($message, __METHOD__);
  957. }
  958. $_SESSION = $this->frozenSessionData;
  959. $this->frozenSessionData = null;
  960. }
  961. }
  962. /**
  963. * Set cache limiter
  964. *
  965. * @param string $cacheLimiter
  966. * @since 2.0.14
  967. */
  968. public function setCacheLimiter($cacheLimiter)
  969. {
  970. $this->freeze();
  971. session_cache_limiter($cacheLimiter);
  972. $this->unfreeze();
  973. }
  974. /**
  975. * Returns current cache limiter
  976. *
  977. * @return string current cache limiter
  978. * @since 2.0.14
  979. */
  980. public function getCacheLimiter()
  981. {
  982. return session_cache_limiter();
  983. }
  984. }