Code Coverage for /Users/ericduran/Sites/drupal/drupal/core/lib/Drupal/Core/Session/SessionConfiguration.php

	Code Coverage
	Classes and Traits			Functions and Methods				Lines
Total	0.00% covered (danger)	0.00%	0 / 1	28.57% covered (danger)	28.57%	2 / 7	CRAP	28.00% covered (danger)	28.00%	7 / 25
SessionConfiguration	0.00% covered (danger)	0.00%	0 / 1	28.57% covered (danger)	28.57%	2 / 7	87.16	28.00% covered (danger)	28.00%	7 / 25
__construct				100.00% covered (success)	100.00%	1 / 1	1	100.00% covered (success)	100.00%	2 / 2
hasSession				0.00% covered (danger)	0.00%	0 / 1	2	0.00% covered (danger)	0.00%	0 / 1
getOptions				100.00% covered (success)	100.00%	1 / 1	2	100.00% covered (success)	100.00%	5 / 5
getName				0.00% covered (danger)	0.00%	0 / 1	6	0.00% covered (danger)	0.00%	0 / 2
getUnprefixedName				0.00% covered (danger)	0.00%	0 / 1	12	0.00% covered (danger)	0.00%	0 / 7
getCookieDomain				0.00% covered (danger)	0.00%	0 / 1	20	0.00% covered (danger)	0.00%	0 / 7
drupalValidTestUa				0.00% covered (danger)	0.00%	0 / 1	2	0.00% covered (danger)	0.00%	0 / 1

1	<?php
2
3	/**
4	* @file
5	* Contains \Drupal\Core\Session\SessionConfiguration.
6	*/
7
8	namespace Drupal\Core\Session;
9
10	use Symfony\Component\HttpFoundation\Request;
11
12	/**
13	* Defines the default session configuration generator.
14	*/
15	class SessionConfiguration implements SessionConfigurationInterface {
16
17	/**
18	* An associative array of session ini settings.
19	*/
20	protected $options;
21
22	/**
23	* Constructs a new session configuration instance.
24	*
25	* @param array $options
26	* An associative array of session ini settings.
27	*
28	* @see \Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage::__construct()
29	* @see http://php.net/manual/session.configuration.php
30	*/
31	public function __construct($options = []) {
32	$this->options = $options;
33	}
34
35	/**
36	* {@inheritdoc}
37	*/
38	public function hasSession(Request $request) {
39	return $request->cookies->has($this->getName($request));
40	}
41
42	/**
43	* {@inheritdoc}
44	*/
45	public function getOptions(Request $request) {
46	$options = $this->options;
47
48	// Generate / validate the cookie domain.
49	$options['cookie_domain'] = $this->getCookieDomain($request) ?: '';
50
51	// If the site is accessed via SSL, ensure that the session cookie is
52	// issued with the secure flag.
53	$options['cookie_secure'] = $request->isSecure();
54
55	// Set the session cookie name.
56	$options['name'] = $this->getName($request);
57
58	return $options;
59	}
60
61	/**
62	* Returns the session cookie name.
63	*
64	* @param \Symfony\Component\HttpFoundation\Request $request
65	* The request.
66	*
67	* @return string
68	* The name of the session cookie.
69	*/
70	protected function getName(Request $request) {
71	// To prevent session cookies from being hijacked, a user can configure the
72	// SSL version of their website to only transfer session cookies via SSL by
73	// using PHP's session.cookie_secure setting. The browser will then use two
74	// separate session cookies for the HTTPS and HTTP versions of the site. So
75	// we must use different session identifiers for HTTPS and HTTP to prevent a
76	// cookie collision.
77	$prefix = $request->isSecure() ? 'SSESS' : 'SESS';
78	return $prefix . $this->getUnprefixedName($request);
79	}
80
81	/**
82	* Returns the session cookie name without the secure/insecure prefix.
83	*
84	* @param \Symfony\Component\HttpFoundation\Request $request
85	* The request.
86	*
87	* @returns string
88	* The session name without the prefix (SESS/SSESS).
89	*/
90	protected function getUnprefixedName(Request $request) {
91	if ($test_prefix = $this->drupalValidTestUa()) {
92	$session_name = $test_prefix;
93	}
94	elseif (isset($this->options['cookie_domain'])) {
95	// If the user specifies the cookie domain, also use it for session name.
96	$session_name = $this->options['cookie_domain'];
97	}
98	else {
99	// Otherwise use $base_url as session name, without the protocol
100	// to use the same session identifiers across HTTP and HTTPS.
101	$session_name = $request->getHost() . $request->getBasePath();
102	// Replace "core" out of session_name so core scripts redirect properly,
103	// specifically install.php.
104	$session_name = preg_replace('#/core$#', '', $session_name);
105	}
106
107	return substr(hash('sha256', $session_name), 0, 32);
108	}
109
110	/**
111	* Return the session cookie domain.
112	*
113	* The Set-Cookie response header and its domain attribute are defined in RFC
114	* 2109, RFC 2965 and RFC 6265 each one superseeding the previous version.
115	*
116	* @see http://tools.ietf.org/html/rfc2109
117	* @see http://tools.ietf.org/html/rfc2965
118	* @see http://tools.ietf.org/html/rfc6265
119	*
120	* @param \Symfony\Component\HttpFoundation\Request $request
121	* The request.
122	*
123	* @returns string
124	* The session cookie domain.
125	*/
126	protected function getCookieDomain(Request $request) {
127	if (isset($this->options['cookie_domain'])) {
128	$cookie_domain = $this->options['cookie_domain'];
129	}
130	else {
131	$host = $request->getHost();
132	// To maximize compatibility and normalize the behavior across user
133	// agents, the cookie domain should start with a dot.
134	$cookie_domain = '.' . $host;
135	}
136
137	// Cookies for domains without an embedded dot will be rejected by user
138	// agents in order to defeat malicious websites attempting to set cookies
139	// for top-level domains. Also IP addresses may not be used in the domain
140	// attribute of a Set-Cookie header.
141	if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) {
142	return $cookie_domain;
143	}
144	}
145
146	/**
147	* Wraps drupal_valid_test_ua().
148	*
149	* @return string\|FALSE
150	* Either the simpletest prefix (the string "simpletest" followed by any
151	* number of digits) or FALSE if the user agent does not contain a valid
152	* HMAC and timestamp.
153	*/
154	protected function drupalValidTestUa() {
155	return drupal_valid_test_ua();
156	}
157
158	}