<?php /** * Cookie Jar * * PHP class for handling cookies, as defined by the Netscape spec: * <http://curl.haxx.se/rfc/cookie_spec.html> * * This class should be used to handle cookies (storing cookies from HTTP response messages, and * sending out cookies in HTTP request messages). This has been adapted for FiveFilters.org * from the original version used in HTTP Navigator. See http://www.keyvan.net/code/http-navigator/ * * This class is mainly based on Cookies.pm <http://search.cpan.org/author/GAAS/libwww-perl-5.65/ * lib/HTTP/Cookies.pm> from the libwww-perl collection <http://www.linpro.no/lwp/>. * Unlike Cookies.pm, this class only supports the Netscape cookie spec, not RFC 2965. * * @version 0.5 * @date 2011-03-15 * @see http://php.net/HttpRequestPool * @author Keyvan Minoukadeh * @copyright 2011 Keyvan Minoukadeh * @license http://www.gnu.org/licenses/agpl-3.0.html AGPL v3 */ class CookieJar { /** * Cookies - array containing all cookies. * * <pre> * Cookies are stored like this: * [domain][path][name] = array * where array is: * 0 => value, 1 => secure, 2 => expires * </pre> * @var array * @access private */ public $cookies = array(); public $debug = false; /** * Constructor */ function __construct() { } protected function debug($msg, $file=null, $line=null) { if ($this->debug) { $mem = round(memory_get_usage()/1024, 2); $memPeak = round(memory_get_peak_usage()/1024, 2); echo '* ',$msg; if (isset($file, $line)) echo " ($file line $line)"; echo ' - mem used: ',$mem," (peak: $memPeak)\n"; ob_flush(); flush(); } } /** * Get matching cookies * * Only use this method if you cannot use add_cookie_header(), for example, if you want to use * this cookie jar class without using the request class. * * @param array $param associative array containing 'domain', 'path', 'secure' keys * @return string * @see add_cookie_header() */ public function getMatchingCookies($url) { if (($parts = @parse_url($url)) && isset($parts['scheme'], $parts['host'], $parts['path'])) { $param['domain'] = $parts['host']; $param['path'] = $parts['path']; $param['secure'] = (strtolower($parts['scheme']) == 'https'); unset($parts); } else { return false; } // RFC 2965 notes: // If multiple cookies satisfy the criteria above, they are ordered in // the Cookie header such that those with more specific Path attributes // precede those with less specific. Ordering with respect to other // attributes (e.g., Domain) is unspecified. $domain = $param['domain']; if (strpos($domain, '.') === false) $domain .= '.local'; $request_path = $param['path']; if ($request_path == '') $request_path = '/'; $request_secure = $param['secure']; $now = time(); $matched_cookies = array(); // domain - find matching domains $this->debug('Finding matching domains for '.$domain, __FILE__, __LINE__); while (strpos($domain, '.') !== false) { if (isset($this->cookies[$domain])) { $this->debug(' domain match found: '.$domain); $cookies =& $this->cookies[$domain]; } else { $domain = $this->_reduce_domain($domain); continue; } // paths - find matching paths starting from most specific $this->debug(' - Finding matching paths for '.$request_path); $paths = array_keys($cookies); usort($paths, array($this, '_cmp_length')); foreach ($paths as $path) { // continue to next cookie if request path does not path-match cookie path if (!$this->_path_match($request_path, $path)) continue; // loop through cookie names $this->debug(' path match found: '.$path); foreach ($cookies[$path] as $name => $values) { // if this cookie is secure but request isn't, continue to next cookie if ($values[1] && !$request_secure) continue; // if cookie is not a session cookie and has expired, continue to next cookie if (is_int($values[2]) && ($values[2] < $now)) continue; // cookie matches request $this->debug(' cookie match: '.$name.'='.$values[0]); $matched_cookies[] = $name.'='.$values[0]; } } $domain = $this->_reduce_domain($domain); } // return cookies return implode('; ', $matched_cookies); } /** * Parse Set-Cookie values. * * Only use this method if you cannot use extract_cookies(), for example, if you want to use * this cookie jar class without using the response class. * * @param array $set_cookies array holding 1 or more "Set-Cookie" header values * @param array $param associative array containing 'host', 'path' keys * @return void * @see extract_cookies() */ public function storeCookies($url, $set_cookies) { if (count($set_cookies) == 0) return; $param = @parse_url($url); if (!is_array($param) || !isset($param['host'])) return; $request_host = $param['host']; if (strpos($request_host, '.') === false) $request_host .= '.local'; $request_path = @$param['path']; if ($request_path == '') $request_path = '/'; // // loop through set-cookie headers // foreach ($set_cookies as $set_cookie) { $this->debug('Parsing: '.$set_cookie); // temporary cookie store (before adding to jar) $tmp_cookie = array(); $param = explode(';', $set_cookie); // loop through params for ($x=0; $x<count($param); $x++) { $key_val = explode('=', $param[$x], 2); if (count($key_val) != 2) { // if the first param isn't a name=value pair, continue to the next set-cookie // header if ($x == 0) continue 2; // check for secure flag if (strtolower(trim($key_val[0])) == 'secure') $tmp_cookie['secure'] = true; // continue to next param continue; } list($key, $val) = array_map('trim', $key_val); // first name=value pair is the cookie name and value // the name and value are stored under 'name' and 'value' to avoid conflicts // with later parameters. if ($x == 0) { $tmp_cookie = array('name'=>$key, 'value'=>$val); continue; } $key = strtolower($key); if (in_array($key, array('expires', 'path', 'domain', 'secure'))) { $tmp_cookie[$key] = $val; } } // // set cookie // // check domain if (isset($tmp_cookie['domain']) && ($tmp_cookie['domain'] != $request_host) && ($tmp_cookie['domain'] != ".$request_host")) { $domain = $tmp_cookie['domain']; if ((strpos($domain, '.') === false) && ($domain != 'local')) { $this->debug(' - domain "'.$domain.'" has no dot and is not a local domain'); continue; } if (preg_match('/\.[0-9]+$/', $domain)) { $this->debug(' - domain "'.$domain.'" appears to be an ip address'); continue; } if (substr($domain, 0, 1) != '.') $domain = ".$domain"; if (!$this->_domain_match($request_host, $domain)) { $this->debug(' - request host "'.$request_host.'" does not domain-match "'.$domain.'"'); continue; } } else { // if domain is not specified in the set-cookie header, domain will default to // the request host $domain = $request_host; } // check path if (isset($tmp_cookie['path']) && ($tmp_cookie['path'] != '')) { $path = urldecode($tmp_cookie['path']); if (!$this->_path_match($request_path, $path)) { $this->debug(' - request path "'.$request_path.'" does not path-match "'.$path.'"'); continue; } } else { $path = $request_path; $path = substr($path, 0, strrpos($path, '/')); if ($path == '') $path = '/'; } // check if secure $secure = (isset($tmp_cookie['secure'])) ? true : false; // check expiry if (isset($tmp_cookie['expires'])) { if (($expires = strtotime($tmp_cookie['expires'])) < 0) { $expires = null; } } else { $expires = null; } // set cookie $this->set_cookie($domain, $path, $tmp_cookie['name'], $tmp_cookie['value'], $secure, $expires); } } // return array of set-cookie values extracted from HTTP response headers (string $h) public function extractCookies($h) { $x = 0; $lines = 0; $headers = array(); $last_match = false; $h = explode("\n", $h); foreach ($h as $line) { $line = rtrim($line); $lines++; $trimmed_line = trim($line); if (isset($line_last)) { // check if we have \r\n\r\n (indicating the end of headers) // some servers will not use CRLF (\r\n), so we make CR (\r) optional. // if (preg_match('/\015?\012\015?\012/', $line_last.$line)) { // break; // } // As an alternative, we can check if the current trimmed line is empty if ($trimmed_line == '') { break; } // check for continuation line... // RFC 2616 Section 2.2 "Basic Rules": // HTTP/1.1 header field values can be folded onto multiple lines if the // continuation line begins with a space or horizontal tab. All linear // white space, including folding, has the same semantics as SP. A // recipient MAY replace any linear white space with a single SP before // interpreting the field value or forwarding the message downstream. if ($last_match && preg_match('/^\s+(.*)/', $line, $match)) { // append to previous header value $headers[$x-1] .= ' '.rtrim($match[1]); continue; } } $line_last = $line; // split header name and value if (preg_match('/^Set-Cookie\s*:\s*(.*)/i', $line, $match)) { $headers[$x++] = rtrim($match[1]); $last_match = true; } else { $last_match = false; } } return $headers; } /** * Set Cookie * @param string $domain * @param string $path * @param string $name cookie name * @param string $value cookie value * @param bool $secure * @param int $expires expiry time (null if session cookie, <= 0 will delete cookie) * @return void */ function set_cookie($domain, $path, $name, $value, $secure=false, $expires=null) { if ($domain == '') return; if ($path == '') return; if ($name == '') return; // check if cookie needs to go if (isset($expires) && ($expires <= 0)) { if (isset($this->cookies[$domain][$path][$name])) unset($this->cookies[$domain][$path][$name]); return; } if ($value == '') return; $this->cookies[$domain][$path][$name] = array($value, $secure, $expires); return; } /** * Clear cookies - [domain [,path [,name]]] - call method with no arguments to clear all cookies. * @param string $domain * @param string $path * @param string $name * @return void */ function clear($domain=null, $path=null, $name=null) { if (!isset($domain)) { $this->cookies = array(); } elseif (!isset($path)) { if (isset($this->cookies[$domain])) unset($this->cookies[$domain]); } elseif (!isset($name)) { if (isset($this->cookies[$domain][$path])) unset($this->cookies[$domain][$path]); } elseif (isset($name)) { if (isset($this->cookies[$domain][$path][$name])) unset($this->cookies[$domain][$path][$name]); } } /** * Compare string length - used for sorting * @access private * @return int */ function _cmp_length($a, $b) { $la = strlen($a); $lb = strlen($b); if ($la == $lb) return 0; return ($la > $lb) ? -1 : 1; } /** * Reduce domain * @param string $domain * @return string * @access private */ function _reduce_domain($domain) { if ($domain == '') return ''; if (substr($domain, 0, 1) == '.') return substr($domain, 1); return substr($domain, strpos($domain, '.')); } /** * Path match - check if path1 path-matches path2 * * From RFC 2965: * <i>For two strings that represent paths, P1 and P2, P1 path-matches P2 * if P2 is a prefix of P1 (including the case where P1 and P2 string- * compare equal). Thus, the string /tec/waldo path-matches /tec.</i> * @param string $path1 * @param string $path2 * @return bool * @access private */ function _path_match($path1, $path2) { return (substr($path1, 0, strlen($path2)) == $path2); } /** * Domain match - check if domain1 domain-matches domain2 * * A few extracts from RFC 2965: * - A Set-Cookie2 from request-host y.x.foo.com for Domain=.foo.com * would be rejected, because H is y.x and contains a dot. * * - A Set-Cookie2 from request-host x.foo.com for Domain=.foo.com * would be accepted. * * - A Set-Cookie2 with Domain=.com or Domain=.com., will always be * rejected, because there is no embedded dot. * * - A Set-Cookie2 from request-host example for Domain=.local will * be accepted, because the effective host name for the request- * host is example.local, and example.local domain-matches .local. * * I'm ignoring the first point for now (must check to see how other browsers handle * this rule for Set-Cookie headers) * * @param string $domain1 * @param string $domain2 * @return bool * @access private */ function _domain_match($domain1, $domain2) { $domain1 = strtolower($domain1); $domain2 = strtolower($domain2); while (strpos($domain1, '.') !== false) { if ($domain1 == $domain2) return true; $domain1 = $this->_reduce_domain($domain1); continue; } return false; } }