<?php
/**
 * EDD Session
 *
 * This is a wrapper class for WP_Session / PHP $_SESSION and handles the storage of cart items, purchase sessions, etc
 *
 * @package     EDD
 * @subpackage  Classes/Session
 * @copyright   Copyright (c) 2018, Easy Digital Downloads, LLC
 * @license     http://opensource.org/licenses/gpl-2.0.php GNU Public License
 * @since       1.5
 */

// Refuse to run when the file is requested directly: ABSPATH is only defined
// once WordPress itself has been bootstrapped.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * EDD_Session Class
 *
 * @since 1.5
 */
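class EDD_Session {

	/**
	 * Holds our session data.
	 *
	 * A plain array in PHP-session mode (see init()), otherwise the object
	 * returned by WP_Session::get_instance().
	 *
	 * @var array|WP_Session
	 * @access private
	 * @since 1.5
	 */
	private $session;

	/**
	 * Whether to use PHP $_SESSION or WP_Session.
	 *
	 * @var bool
	 * @access private
	 * @since 1.5.1
	 */
	private $use_php_sessions = false;

	/**
	 * Session index prefix
	 *
	 * Set to "_<blog id>" on multisite so each site gets its own $_SESSION slot.
	 *
	 * @var string
	 * @access private
	 * @since 2.3
	 */
	private $prefix = '';

	/**
	 * Constructor.
	 *
	 * Decides between PHP sessions and WP_Session, loads the WP_Session
	 * libraries when needed and registers init() on the matching hook.
	 *
	 * @since 1.5
	 */
	public function __construct() {
		$this->use_php_sessions = $this->use_php_sessions();

		if ( $this->use_php_sessions ) {
			if ( is_multisite() ) {
				$this->prefix = '_' . get_current_blog_id();
			}

			// Use PHP SESSION (must be enabled via the EDD_USE_PHP_SESSIONS constant)
			add_action( 'init', array( $this, 'maybe_start_session' ), -2 );
		} else {
			// No hooks are registered at all for requests that must stay session-free.
			if ( ! $this->should_start_session() ) {
				return;
			}

			// Use WP_Session (default)
			if ( ! defined( 'WP_SESSION_COOKIE' ) ) {
				define( 'WP_SESSION_COOKIE', 'edd_wp_session' );
			}

			if ( ! class_exists( 'Recursive_ArrayAccess' ) ) {
				require_once EDD_PLUGIN_DIR . 'includes/libraries/class-recursive-arrayaccess.php';
			}

			if ( ! class_exists( 'WP_Session' ) ) {
				require_once EDD_PLUGIN_DIR . 'includes/libraries/class-wp-session.php';
				require_once EDD_PLUGIN_DIR . 'includes/libraries/wp-session.php';
			}

			add_filter( 'wp_session_expiration_variant', array( $this, 'set_expiration_variant_time' ), 99999 );
			add_filter( 'wp_session_expiration',         array( $this, 'set_expiration_time'         ), 99999 );
		}

		// Based off our session handling, we need to use different hooks and priorities.
		if ( empty( $this->session ) && ! $this->use_php_sessions ) {
			$hook     = 'plugins_loaded';
			$priority = 10;
		} else {
			$hook     = 'init';
			$priority = -1;
		}

		add_action( $hook, array( $this, 'init' ), $priority );
	}

	/**
	 * Setup the session store and refresh the cart marker cookie.
	 *
	 * @since 1.5
	 *
	 * @return array|WP_Session The session store now in use.
	 */
	public function init() {
		if ( $this->use_php_sessions ) {
			$key = 'edd' . $this->prefix;

			// Anything that is not an array in our $_SESSION slot is discarded.
			$this->session = isset( $_SESSION[ $key ] ) && is_array( $_SESSION[ $key ] )
				? $_SESSION[ $key ]
				: array();
		} else {
			$this->session = WP_Session::get_instance();
		}

		$use_cookie = $this->use_cart_cookie();
		$cart       = $this->get( 'edd_cart'     );
		$purchase   = $this->get( 'edd_purchase' );

		if ( $use_cookie ) {
			if ( ! empty( $cart ) || ! empty( $purchase ) ) {
				$this->set_cart_cookie();
			} else {
				$this->set_cart_cookie( false );
			}
		}

		return $this->session;
	}

	/**
	 * Retrieve session ID.
	 *
	 * @since 1.6
	 *
	 * @return string Session ID, or an empty string when no session store exists.
	 */
	public function get_id() {
		// WP_Session mode: the store is an object exposing session_id.
		if ( is_object( $this->session ) ) {
			return $this->session->session_id;
		}

		// PHP-session mode keeps a plain array in $this->session, so reading a
		// property from it would only raise a warning; ask PHP for the ID instead.
		if ( $this->use_php_sessions ) {
			return (string) session_id();
		}

		return '';
	}

	/**
	 * Retrieve a session variable.
	 *
	 * Values are stored as strings: numeric strings are returned as-is, JSON is
	 * decoded to arrays, and legacy PHP-serialized values are unserialized once
	 * and re-saved as JSON. Any value that looks like a serialized object of a
	 * class other than stdClass is wiped and reported as missing.
	 *
	 * @since 1.5
	 *
	 * @param string $key Session key.
	 * @return mixed Session variable, or false when it is unset, empty or rejected.
	 */
	public function get( $key ) {
		$key = sanitize_key( $key );

		if ( ! isset( $this->session[ $key ] ) || empty( $this->session[ $key ] ) ) {
			return false;
		}

		$raw = $this->session[ $key ];

		// Object-injection guard: session contents come from a client-bound store,
		// so a serialized object of any class other than stdClass is never accepted.
		// The closing quote in the lookahead keeps class names that merely start
		// with "stdClass" from slipping through, and a PCRE failure (false) is
		// treated as a rejection rather than as "no match".
		$looks_like_object = preg_match( '/[oO]\s*:\s*\d+\s*:\s*"\s*(?!(?i)stdClass")/', $raw );

		if ( 0 !== $looks_like_object ) {
			$this->set( $key, null );
			return false;
		}

		if ( is_numeric( $raw ) ) {
			return $raw;
		}

		// Since json_last_error is PHP 5.3+, we have to rely on a `null` value for failing to parse JSON.
		$decoded = json_decode( $raw, true );

		if ( ! is_null( $decoded ) ) {
			return $decoded;
		}

		if ( ! is_serialized( $raw ) ) {
			return $raw;
		}

		// Legacy serialized value: migrate it to JSON storage on first read.
		$value = $this->unserialize_legacy_value( $raw );
		$this->set( $key, (array) $value );

		return $value;
	}

	/**
	 * Unserialize a legacy session value without instantiating arbitrary classes.
	 *
	 * Pattern matching on the serialized text is only a first filter, so on
	 * PHP 7.0+ the class restriction is enforced by unserialize() itself: only
	 * stdClass may be created, every other class name yields an inert
	 * __PHP_Incomplete_Class and none of its magic methods run.
	 *
	 * @param string $raw Serialized session value.
	 * @return mixed Unserialized value, or false when the data is malformed.
	 */
	private function unserialize_legacy_value( $raw ) {
		if ( version_compare( PHP_VERSION, '7.0', '>=' ) ) {
			return @unserialize( $raw, array( 'allowed_classes' => array( 'stdClass' ) ) );
		}

		// Older PHP has no options argument; the caller's pattern guard is the only filter here.
		return @unserialize( $raw );
	}

	/**
	 * Set a session variable.
	 *
	 * Arrays are stored JSON-encoded; every other value is stored as the string
	 * returned by esc_attr().
	 *
	 * @since 1.5
	 *
	 * @param string           $key   Session key.
	 * @param int|string|array $value Session variable.
	 *
	 * @return mixed Session variable as stored.
	 */
	public function set( $key, $value ) {
		$key = sanitize_key( $key );

		if ( is_array( $value ) ) {
			$this->session[ $key ] = wp_json_encode( $value );
		} else {
			$this->session[ $key ] = esc_attr( $value );
		}

		// Mirror the whole store back into $_SESSION so PHP persists it.
		if ( $this->use_php_sessions ) {
			$_SESSION[ 'edd' . $this->prefix ] = $this->session;
		}

		return $this->session[ $key ];
	}

	/**
	 * Set a cookie to identify whether the cart is empty or not.
	 *
	 * This is for hosts and caching plugins to identify if caching should be disabled.
	 * The cookie is a marker only: its value is the literal '1' and it carries no
	 * session data. It is sent with the Secure flag on SSL requests; HttpOnly is not set.
	 *
	 * @since 1.8
	 *
	 * @param bool $set Whether to set or destroy. Default true.
	 */
	public function set_cart_cookie( $set = true ) {

		// Bail if headers already sent.
		if ( headers_sent() ) {
			return;
		}

		if ( $set ) {
			// 30 minute lifetime, refreshed on every init() while the cart has items.
			@setcookie( 'edd_items_in_cart', '1', time() + 30 * 60, COOKIEPATH, COOKIE_DOMAIN, is_ssl() );
		} elseif ( isset( $_COOKIE['edd_items_in_cart'] ) ) {
			// Expire the marker only if the browser actually sent one.
			@setcookie( 'edd_items_in_cart', '', time() - 3600, COOKIEPATH, COOKIE_DOMAIN, is_ssl() );
		}
	}

	/**
	 * Force the cookie expiration variant time to 23 hours.
	 *
	 * @since 2.0
	 * @since 3.0 Set default value of $exp parameter to 1 as it is unused.
	 *
	 * @param int $exp Default expiration (1 hour).
	 * @return int Cookie expiration variant time.
	 */
	public function set_expiration_variant_time( $exp = 1 ) {
		return HOUR_IN_SECONDS * 23;
	}

	/**
	 * Force the cookie expiration time to 24 hours.
	 *
	 * @since 1.9
	 * @since 3.0 Set default value of $exp parameter to 1 as it is unused.
	 *
	 * @param int $exp Default expiration (1 hour).
	 * @return int Cookie expiration time.
	 */
	public function set_expiration_time( $exp = 1 ) {
		return HOUR_IN_SECONDS * 24;
	}

	/**
	 * Determines whether PHP sessions should be used instead of WP_Session.
	 *
	 * Uses the stored edd_use_php_sessions option when it is set, otherwise runs
	 * an autodetection; the EDD_USE_PHP_SESSIONS constant overrides both, and the
	 * edd_use_php_sessions filter has the final say.
	 *
	 * @since 2.1
	 * @return bool $ret True if we are using PHP sessions, false otherwise.
	 */
	public function use_php_sessions() {

		// Set default return value to false.
		$ret = false;

		// If the database variable is already set, no need to run autodetection.
		$edd_use_php_sessions = (bool) get_option( 'edd_use_php_sessions' );

		if ( ! $edd_use_php_sessions ) {

			// Attempt to detect if the server supports PHP sessions
			if ( function_exists( 'session_start' ) ) {
				// NOTE(review): this probe round-trips a value through set()/get(),
				// i.e. through $this->session; when called from the constructor no
				// PHP session has been started yet, so it appears to verify only
				// that session_start() exists - confirm that is the intent.
				$this->set( 'edd_use_php_sessions', 1 );

				if ( $this->get( 'edd_use_php_sessions' ) ) {
					$ret = true;

					// Set the database option
					update_option( 'edd_use_php_sessions', true );
				}
			}
		} else {
			$ret = $edd_use_php_sessions;
		}

		// Enable or disable PHP Sessions based on the EDD_USE_PHP_SESSIONS constant.
		if ( defined( 'EDD_USE_PHP_SESSIONS' ) && EDD_USE_PHP_SESSIONS ) {
			$ret = true;
		} elseif ( defined( 'EDD_USE_PHP_SESSIONS' ) && ! EDD_USE_PHP_SESSIONS ) {
			$ret = false;
		}

		// Filter & return.
		return (bool) apply_filters( 'edd_use_php_sessions', $ret );
	}

	/**
	 * Determines if a user has set the EDD_USE_CART_COOKIE.
	 *
	 * @since 2.5
	 *
	 * @return bool If the store should use the edd_items_in_cart cookie to help avoid caching
	 */
	public function use_cart_cookie() {

		// Set default return value to true.
		$ret = true;

		if ( defined( 'EDD_USE_CART_COOKIE' ) && ! EDD_USE_CART_COOKIE ) {
			$ret = false;
		}

		// Filter & return.
		return (bool) apply_filters( 'edd_use_cart_cookie', $ret );
	}

	/**
	 * Determines if we should start sessions.
	 *
	 * The request URI is supplied by the client; it is only compared against
	 * fixed strings here and is never stored or echoed.
	 *
	 * @since 2.5.11
	 *
	 * @return bool True if sessions should start, false otherwise.
	 */
	public function should_start_session() {

		// Set default return value to true.
		$start_session = true;

		if ( ! empty( $_SERVER['REQUEST_URI'] ) ) {
			$blacklist = $this->get_blacklist();
			$uri       = ltrim( $_SERVER['REQUEST_URI'], '/' );
			$uri       = untrailingslashit( $uri );

			if ( in_array( $uri, $blacklist, true ) ) {
				$start_session = false;
			}

			if ( false !== strpos( $uri, 'feed=' ) ) {
				$start_session = false;
			}

			// We do not want to start sessions in the admin unless we're processing an ajax request.
			if ( is_admin() && false === strpos( $uri, 'wp-admin/admin-ajax.php' ) ) {
				$start_session = false;
			}

			// Starting sessions while saving the file editor can break the save process, so don't start.
			if ( false !== strpos( $uri, 'wp_scrape_key' ) ) {
				$start_session = false;
			}
		}

		// Filter & return.
		return (bool) apply_filters( 'edd_start_session', $start_session );
	}

	/**
	 * Retrieve the URI blacklist.
	 *
	 * These are the URIs where we never start sessions.
	 *
	 * @since 2.5.11
	 *
	 * @return array URI blacklist.
	 */
	public function get_blacklist() {
		// Cast so that a filter callback returning a non-array cannot break the
		// in_array() lookup done by should_start_session().
		$blacklist = (array) apply_filters( 'edd_session_start_uri_blacklist', array(
			'feed',
			'feed/rss',
			'feed/rss2',
			'feed/rdf',
			'feed/atom',
			'comments/feed'
		) );

		// Look to see if WordPress is in a sub folder or this is a network site that uses sub folders
		$folder = str_replace( network_home_url(), '', get_site_url() );

		if ( ! empty( $folder ) ) {
			// foreach walks the list as it was before the loop, so the entries
			// appended below are not themselves prefixed again.
			foreach ( $blacklist as $path ) {
				$blacklist[] = $folder . '/' . $path;
			}
		}

		return $blacklist;
	}

	/**
	 * Starts a new session if one hasn't started yet.
	 *
	 * session_start() is called without options, so the session cookie's
	 * attributes come from the server's session.cookie_* ini settings.
	 *
	 * @since 2.1.3
	 */
	public function maybe_start_session() {

		// Bail if should not start session.
		if ( ! $this->should_start_session() ) {
			return;
		}

		// Bail if headers already sent.
		if ( headers_sent() ) {
			return;
		}

		// Start if old version of PHP & no session ID exists.
		if ( version_compare( PHP_VERSION, '5.4', '<' ) && ! session_id() ) {
			session_start();

		// Start if modern PHP and session-status is not active.
		} elseif ( defined( 'PHP_SESSION_ACTIVE' ) && ( session_status() !== PHP_SESSION_ACTIVE ) ) {
			session_start();
		}
	}
}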