Difference between revisions for Users / Eo Ny / dev
Additions:
{{toc numerate=1}}
====Public Properties====
====Private Properties====
=== Constructor ===
**Purpose:** Initializes the Http object and sets up HTTP session
handling.
**Parameters:**
- ##$db## - Database object reference
**Initialization Steps:**
1. Stores database reference
2. Extracts and normalizes REQUEST_URI
3. Detects TLS/HTTPS session status
4. Determines client's real IP address
5. Sets up TLS mark cookie name
6. Enforces TLS session upgrade if needed
**Example:**
=== Core Methods ===
==== Session Management ====
===== ##session($route): void## =====
Initializes the session handler (file-based or database-based).
**Parameters:**
- ##$route## (int) - Routing flag:
- Bit 2 (##$route & 2##): Enable static mode for files/freecap
(disables replay prevention and ID regeneration)
**Features:**
- Selects storage backend (file or database)
- Configures cookie settings (security, path, httponly)
- Binds IP and TLS validation
- Recovers diagnostic logs from previous session
**Example:**
==== Caching System ====
===== ##check_cache($page, $method): void## =====
Determines if a page can be cached and prepares the cache check.
**Parameters:**
- ##$page## (string) - Page name to cache
- ##$method## (string) - Request method/action (e.g.,
'show', 'edit')
**Caching Rules:**
- ✅ Enabled for GET requests only
- ✅ Disabled for POST requests
- ❌ Never cached for 'edit' or 'watch' methods
- ✅ Only cached for anonymous users (no logged-in users)
**Example:**
===== ##store_cache(): void## =====
Saves the generated page content to cache file.
**Features:**
- Retrieves output buffer content
- Saves to cache file with proper permissions
- Records cache metadata in database
- Only executes if caching flag is set and user is anonymous
**Example:**
===== ##invalidate_page($page): int## =====
Invalidates all cached versions of a page.
**Parameters:**
- ##$page## (string) - Page name to invalidate
**Returns:**
- Number of cache entries invalidated
**Process:**
1. Finds all cached versions (different methods/languages)
2. Touches files to past timestamp (faster than deletion)
3. Removes entries from cache metadata table
4. Returns count of invalidated caches
**Example:**
==== TLS/HTTPS Security ====
===== ##secure_base_url(): void## =====
Switches base URL from HTTP to HTTPS.
**Purpose:**
- Ensures all subsequent URLs use HTTPS
- Stores original HTTP URL for fallback
- Called when TLS session is detected
**Example:**
===== ##ensure_tls($url): void## =====
Enforces HTTPS for a specific URL and redirects if necessary.
**Parameters:**
- ##$url## (string) - URL to secure
**Behavior:**
- If not already HTTPS and TLS is enabled, forces HTTPS redirect
- Handles both relative and absolute URLs
- Converts relative URLs using current server name
**Example:**
==== IP Address Detection ====
===== ##real_ip(): string## (Private) =====
Detects client's real IP address accounting for proxies.
**Proxy Headers Checked (in order):**
1. ##HTTP_X_CLUSTER_CLIENT_IP##
2. ##HTTP_X_FORWARDED_FOR## (or custom header)
3. ##HTTP_CLIENT_IP##
4. ##HTTP_X_REMOTE_ADDR##
5. ##REMOTE_ADDR## (fallback)
**Features:**
- Filters out private/reserved IP ranges
- Respects configured reverse proxy addresses
- Returns ##'0.0.0.0'## as fallback
**Configuration in Database:**
- ##reverse_proxy_addresses## - Comma/space-separated proxy IPs
- ##reverse_proxy_header## - Custom header name (default:
##X-Forwarded-For##)
**Example:**
==== HTTPS Detection ====
===== ##tls_session(): bool## (Private) =====
Detects if current connection uses HTTPS/TLS.
**Checks (any being true = HTTPS):**
- ##$_SERVER['HTTPS']## is 'on'
- ##$_SERVER['SERVER_PORT']## is 443
- ##$_SERVER['HTTP_X_FORWARDED_PROTO']## is
'https'
- ##$_SERVER['HTTP_X_FORWARDED_SSL']## is 'on'
- ##$_SERVER['HTTP_X_FORWARDED_PORT']## is 443
==== Security Headers ====
=====##http_security_headers(): void##=====
Sets security-related HTTP headers.
**Headers Set:**
*| Header | Purpose | Config Key |*
**CSP Configuration Options:**
- ##0## - Disabled
- ##1## - Default policy (from ##csp.conf##)
- ##2## - Custom policy (from ##csp_custom.conf##)
**Example:**
==== HTTP Methods ====
===== ##redirect($url, $permanent = false): void## =====
Performs an HTTP redirect.
**Parameters:**
- ##$url## (string) - Target URL
- ##$permanent## (bool) - Use 301 (permanent) vs 302 (temporary)
**Features:**
- Decodes ##&## entities to prevent broken redirects
- Only works if headers not yet sent
- Uses output buffering to work anywhere in page processing
**Example:**
===== ##terminate(): void## =====
Safe exit/die with cleanup.
**Cleanup Operations:**
- Saves diagnostic logs to session flash data
- Ends script execution
**Example:**
===== ##status($code): void## =====
Sets HTTP response status code.
**Supported Status Codes:**
**Example:**
==== Caching Control ====
===== ##no_cache($client_only = true): void## =====
Disables caching of the current page.
**Parameters:**
- ##$client_only## (bool, default: TRUE)
- ##TRUE##: Disable browser cache only
- ##FALSE##: Disable both browser and server cache
**Headers Set:**
- ##Last-Modified: <current-time>## (always fresh)
- ##Cache-Control: no-store##
**Example:**
===== ##cache_promisc(): void## =====
Marks page as publicly cacheable.
**Headers Set:**
- ##Cache-Control: public##
**Example:**
==== Language Negotiation ====
===== ##user_agent_language(): string## =====
Determines best language based on browser preferences.
**Features:**
- Follows RFC 9110 section 12.5.4 (HTTP Accept-Language)
- Parses ##Accept-Language## header with quality factors
- Attempts exact match first, then language fallback
- Falls back to default system language
**Example Header:**
**Returns:**
- Language code (e.g., 'en', 'en-US',
'de')
===== ##available_languages($subset = true): array## =====
Returns list of available language translations.
**Parameters:**
- ##$subset## (bool, default: TRUE)
- ##TRUE##: Only allowed languages
- ##FALSE##: All available languages
**Features:**
- Scans ##LANG_DIR## for language files
- Filters by ##allowed_languages## config if set
- Caches result in session
- System language always included
**Returns:**
- Associative array: ##['en' => 'en',
'de' => 'de', ...]##
**Example:**
==== File Serving ====
===== ##sendfile($path, $filename = null, $age = null): void## =====
Serves files with proper HTTP headers and caching.
**Parameters:**
- ##$path## (string) - File path (or HTTP_XXX constant for error
pages)
- ##$filename## (string, optional) - Custom download filename
- ##$age## (int, optional) - Cache age in days
**Features:**
- HTTP range request support (partial file downloads)
- ETag and Last-Modified conditional requests
- Proper MIME type detection
- Content-Security-Policy for special file types
- Streaming for large files
- GZip compression for text files
**Special Paths:**
**Example:**
===== ##mime_type($path): string## =====
Returns MIME type for a file.
**Returns:**
- MIME type string (e.g., 'application/pdf')
- Default: ##'application/octet-stream'##
**Example:**
===== ##mime_types(): array## (Private) =====
Loads and caches MIME types from configuration.
**Features:**
- Reads from ##config/mime.types##
- Caches to ##cache/config/mime.types##
- Reloads if config is updated
==== Compression ====
===== ##gzip(): void## =====
Compresses HTTP response with gzip/x-gzip.
**Features:**
- Manually implements gzip (not relying on zlib.output_compression)
- Produces correct ##Content-Length## header
- Only compresses if:
- 860 bytes < content < 1 MB
- Client accepts compression
- Headers not already sent
**Example:**
==== Utility Methods ====
===== ##parse_str($str): array## (Private) =====
Parses URL-encoded strings with special character handling.
**Purpose:**
- Safely handles special characters in query/form data
- Converts encoding properly
**Example:**
===== ##request_uri(): string## (Private) =====
Extracts and normalizes REQUEST_URI from server.
**Normalization:**
- Removes base URL prefix
- Removes spaces
- Collapses multiple slashes
- Removes ##..## path traversal attempts
- Removes leading/trailing slashes
===== ##cut_prefix($prefix, $path): string## (Private) =====
Removes prefix from path (case-insensitive).
===== ##get_header_conf($file_name): string## (Private) =====
Loads security header configuration from files.
**Files Supported:**
- ##csp.conf## / ##csp_custom.conf##
- ##permissions_policy.conf## / ##permissions_policy_custom.conf##
===Configuration Dependencies===
The class relies on these database configuration settings:
*| Setting | Type | Purpose |*
===Constants Used===
*| Constant | Type | Purpose |*
====Example 1: Handling a GET Request====
%%(hl php)
Deletions:
==== Public Properties ==== || ==== Private Properties ==== || || Property | Type | Description || || ---------- | ------ | ------------- || || ---- || || === Constructor === || || %%php %% || || **Purpose:** Initializes the Http object and sets up HTTP session handling. || || **Parameters:** || || - ##$db## - Database object reference || || **Initialization Steps:** || || 1. Stores database reference || || 2. Extracts and normalizes REQUEST_URI || || 3. Detects TLS/HTTPS session status || || 4. Determines client's real IP address || || 5. Sets up TLS mark cookie name || || 6. Enforces TLS session upgrade if needed || || **Example:** || || %%php %% || || ---- || || === Core Methods === || || ==== Session Management ==== || || ===== ##session($route): void## ===== || || Initializes the session handler (file-based or database-based). || || **Parameters:** || || - ##$route## (int) - Routing flag: || || - Bit 2 (##$route & 2##): Enable static mode for files/freecap (disables replay prevention and ID regeneration) || || **Features:** || || - Selects storage backend (file or database) || || - Configures cookie settings (security, path, httponly) || || - Binds IP and TLS validation || || - Recovers diagnostic logs from previous session || || **Example:** || || %%php %% || || ---- || || ==== Caching System ==== || || ===== ##check_cache($page, $method): void## ===== || || Determines if a page can be cached and prepares the cache check. || || **Parameters:** || || - ##$page## (string) - Page name to cache || || - ##$method## (string) - Request method/action (e.g., 'show', 'edit') || || **Caching Rules:** || || - ✅ Enabled for GET requests only || || - ✅ Disabled for POST requests || || - ❌ Never cached for 'edit' or 'watch' methods || || - ✅ Only cached for anonymous users (no logged-in users) || || **Example:** || || %%php %% || || ---- || || ===== ##store_cache(): void## ===== || || Saves the generated page content to cache file. || || **Features:** || || - Retrieves output buffer content || || - Saves to cache file with proper permissions || || - Records cache metadata in database || || - Only executes if caching flag is set and user is anonymous || || **Example:** || || %%php %% || || ---- || || ===== ##invalidate_page($page): int## ===== || || Invalidates all cached versions of a page. || || **Parameters:** || || - ##$page## (string) - Page name to invalidate || || **Returns:** || || - Number of cache entries invalidated || || **Process:** || || 1. Finds all cached versions (different methods/languages) || || 2. Touches files to past timestamp (faster than deletion) || || 3. Removes entries from cache metadata table || || 4. Returns count of invalidated caches || || **Example:** || || %%php %% || || ---- || || ==== TLS/HTTPS Security ==== || || ===== ##secure_base_url(): void## ===== || || Switches base URL from HTTP to HTTPS. || || **Purpose:** || || - Ensures all subsequent URLs use HTTPS || || - Stores original HTTP URL for fallback || || - Called when TLS session is detected || || **Example:** || || %%php %% || || ---- || || ===== ##ensure_tls($url): void## ===== || || Enforces HTTPS for a specific URL and redirects if necessary. || || **Parameters:** || || - ##$url## (string) - URL to secure || || **Behavior:** || || - If not already HTTPS and TLS is enabled, forces HTTPS redirect || || - Handles both relative and absolute URLs || || - Converts relative URLs using current server name || || **Example:** || || %%php %% || || ---- || || ==== IP Address Detection ==== || || ===== ##real_ip(): string## (Private) ===== || || Detects client's real IP address accounting for proxies. || || **Proxy Headers Checked (in order):** || || 1. ##HTTP_X_CLUSTER_CLIENT_IP## || || 2. ##HTTP_X_FORWARDED_FOR## (or custom header) || || 3. ##HTTP_CLIENT_IP## || || 4. ##HTTP_X_REMOTE_ADDR## || || 5. ##REMOTE_ADDR## (fallback) || || **Features:** || || - Filters out private/reserved IP ranges || || - Respects configured reverse proxy addresses || || - Returns ##'0.0.0.0'## as fallback || || **Configuration in Database:** || || - ##reverse_proxy_addresses## - Comma/space-separated proxy IPs || || - ##reverse_proxy_header## - Custom header name (default: ##X-Forwarded-For##) || || **Example:** || || %%php %% || || ---- || || ==== HTTPS Detection ==== || || ===== ##tls_session(): bool## (Private) ===== || || Detects if current connection uses HTTPS/TLS. || || **Checks (any being true = HTTPS):** || || - ##$_SERVER['HTTPS']## is 'on' || || - ##$_SERVER['SERVER_PORT']## is 443 || || - ##$_SERVER['HTTP_X_FORWARDED_PROTO']## is 'https' || || - ##$_SERVER['HTTP_X_FORWARDED_SSL']## is 'on' || || - ##$_SERVER['HTTP_X_FORWARDED_PORT']## is 443 || || ---- || || ==== Security Headers ==== || || ===== ##http_security_headers(): void## ===== || || Sets security-related HTTP headers. || || **Headers Set:** || || Header | Purpose | Config Key || || -------- | --------- | ------------ || || **CSP Configuration Options:** || || - ##0## - Disabled || || - ##1## - Default policy (from ##csp.conf##) || || - ##2## - Custom policy (from ##csp_custom.conf##) || || **Example:** || || %%php %% || || ---- || || ==== HTTP Methods ==== || || ===== ##redirect($url, $permanent = false): void## ===== || || Performs an HTTP redirect. || || **Parameters:** || || - ##$url## (string) - Target URL || || - ##$permanent## (bool) - Use 301 (permanent) vs 302 (temporary) || || **Features:** || || - Decodes ##&## entities to prevent broken redirects || || - Only works if headers not yet sent || || - Uses output buffering to work anywhere in page processing || || **Example:** || || %%php %% || || ---- || || ===== ##terminate(): void## ===== || || Safe exit/die with cleanup. || || **Cleanup Operations:** || || - Saves diagnostic logs to session flash data || || - Ends script execution || || **Example:** || || %%php %% || || ---- || || ===== ##status($code): void## ===== || || Sets HTTP response status code. || || **Supported Status Codes:** || || %%php %% || || **Example:** || || %%php %% || || ---- || || ==== Caching Control ==== || || ===== ##no_cache($client_only = true): void## ===== || || Disables caching of the current page. || || **Parameters:** || || - ##$client_only## (bool, default: TRUE) || || - ##TRUE##: Disable browser cache only || || - ##FALSE##: Disable both browser and server cache || || **Headers Set:** || || - ##Last-Modified: <current-time>## (always fresh) || || - ##Cache-Control: no-store## || || **Example:** || || %%php %% || || ---- || || ===== ##cache_promisc(): void## ===== || || Marks page as publicly cacheable. || || **Headers Set:** || || - ##Cache-Control: public## || || **Example:** || || %%php %% || || ---- || || ==== Language Negotiation ==== || || ===== ##user_agent_language(): string## ===== || || Determines best language based on browser preferences. || || **Features:** || || - Follows RFC 9110 section 12.5.4 (HTTP Accept-Language) || || - Parses ##Accept-Language## header with quality factors || || - Attempts exact match first, then language fallback || || - Falls back to default system language || || **Example Header:** || || %% %% || || **Returns:** || || - Language code (e.g., 'en', 'en-US', 'de') || || ---- || || ===== ##available_languages($subset = true): array## ===== || || Returns list of available language translations. || || **Parameters:** || || - ##$subset## (bool, default: TRUE) || || - ##TRUE##: Only allowed languages || || - ##FALSE##: All available languages || || **Features:** || || - Scans ##LANG_DIR## for language files || || - Filters by ##allowed_languages## config if set || || - Caches result in session || || - System language always included || || **Returns:** || || - Associative array: ##['en' => 'en', 'de' => 'de', ...]## || || **Example:** || || %%php %% || || ---- || || ==== File Serving ==== || || ===== ##sendfile($path, $filename = null, $age = null): void## ===== || || Serves files with proper HTTP headers and caching. || || **Parameters:** || || - ##$path## (string) - File path (or HTTP_XXX constant for error pages) || || - ##$filename## (string, optional) - Custom download filename || || - ##$age## (int, optional) - Cache age in days || || **Features:** || || - HTTP range request support (partial file downloads) || || - ETag and Last-Modified conditional requests || || - Proper MIME type detection || || - Content-Security-Policy for special file types || || - Streaming for large files || || - GZip compression for text files || || **Special Paths:** || || %%php %% || || **Example:** || || %%php %% || || ---- || || ===== ##mime_type($path): string## ===== || || Returns MIME type for a file. || || **Returns:** || || - MIME type string (e.g., 'application/pdf') || || - Default: ##'application/octet-stream'## || || **Example:** || || %%php %% || || ---- || || ===== ##mime_types(): array## (Private) ===== || || Loads and caches MIME types from configuration. || || **Features:** || || - Reads from ##config/mime.types## || || - Caches to ##cache/config/mime.types## || || - Reloads if config is updated || || ---- || || ==== Compression ==== || || ===== ##gzip(): void## ===== || || Compresses HTTP response with gzip/x-gzip. || || **Features:** || || - Manually implements gzip (not relying on zlib.output_compression) || || - Produces correct ##Content-Length## header || || - Only compresses if: || || - 860 bytes < content < 1 MB || || - Client accepts compression || || - Headers not already sent || || **Example:** || || %%php %% || || ---- || || ==== Utility Methods ==== || || ===== ##parse_str($str): array## (Private) ===== || || Parses URL-encoded strings with special character handling. || || **Purpose:** || || - Safely handles special characters in query/form data || || - Converts encoding properly || || **Example:** || || %%php %% || || ---- || || ===== ##request_uri(): string## (Private) ===== || || Extracts and normalizes REQUEST_URI from server. || || **Normalization:** || || - Removes base URL prefix || || - Removes spaces || || - Collapses multiple slashes || || - Removes ##..## path traversal attempts || || - Removes leading/trailing slashes || || ---- || || ===== ##cut_prefix($prefix, $path): string## (Private) ===== || || Removes prefix from path (case-insensitive). || || ---- || || ===== ##get_header_conf($file_name): string## (Private) ===== || || Loads security header configuration from files. || || **Files Supported:** || || - ##csp.conf## / ##csp_custom.conf## || || - ##permissions_policy.conf## / ##permissions_policy_custom.conf## || || ---- || || === Configuration Dependencies === || || The class relies on these database configuration settings: || || Setting | Type | Purpose || || --------- | ------ | --------- || || ---- || || === Constants Used === || || Constant | Type | Purpose || || ---------- | ------ | --------- || ==== Example 1: Handling a GET Request ====