MediaWiki  1.27.1
SessionBackend.php
Go to the documentation of this file.
1 <?php
24 namespace MediaWiki\Session;
25 
28 use User;
30 
49 final class SessionBackend {
51  private $id;
52 
53  private $persist = false;
54  private $remember = false;
55  private $forceHTTPS = false;
56 
58  private $data = null;
59 
60  private $forcePersist = false;
61  private $metaDirty = false;
62  private $dataDirty = false;
63 
65  private $dataHash = null;
66 
68  private $store;
69 
71  private $logger;
72 
74  private $lifetime;
75 
77  private $user;
78 
79  private $curIndex = 0;
80 
82  private $requests = [];
83 
85  private $provider;
86 
88  private $providerMetadata = null;
89 
90  private $expires = 0;
91  private $loggedOut = 0;
92  private $delaySave = 0;
93 
94  private $usePhpSessionHandling = true;
96 
97  private $shutdown = false;
98 
106  public function __construct(
108  ) {
109  $phpSessionHandling = \RequestContext::getMain()->getConfig()->get( 'PHPSessionHandling' );
110  $this->usePhpSessionHandling = $phpSessionHandling !== 'disable';
111 
112  if ( $info->getUserInfo() && !$info->getUserInfo()->isVerified() ) {
113  throw new \InvalidArgumentException(
114  "Refusing to create session for unverified user {$info->getUserInfo()}"
115  );
116  }
117  if ( $info->getProvider() === null ) {
118  throw new \InvalidArgumentException( 'Cannot create session without a provider' );
119  }
120  if ( $info->getId() !== $id->getId() ) {
121  throw new \InvalidArgumentException( 'SessionId and SessionInfo don\'t match' );
122  }
123 
124  $this->id = $id;
125  $this->user = $info->getUserInfo() ? $info->getUserInfo()->getUser() : new User;
126  $this->store = $store;
127  $this->logger = $logger;
128  $this->lifetime = $lifetime;
129  $this->provider = $info->getProvider();
130  $this->persist = $info->wasPersisted();
131  $this->remember = $info->wasRemembered();
132  $this->forceHTTPS = $info->forceHTTPS();
133  $this->providerMetadata = $info->getProviderMetadata();
134 
135  $blob = $store->get( wfMemcKey( 'MWSession', (string)$this->id ) );
136  if ( !is_array( $blob ) ||
137  !isset( $blob['metadata'] ) || !is_array( $blob['metadata'] ) ||
138  !isset( $blob['data'] ) || !is_array( $blob['data'] )
139  ) {
140  $this->data = [];
141  $this->dataDirty = true;
142  $this->metaDirty = true;
143  $this->logger->debug(
144  'SessionBackend "{session}" is unsaved, marking dirty in constructor',
145  [
146  'session' => $this->id,
147  ] );
148  } else {
149  $this->data = $blob['data'];
150  if ( isset( $blob['metadata']['loggedOut'] ) ) {
151  $this->loggedOut = (int)$blob['metadata']['loggedOut'];
152  }
153  if ( isset( $blob['metadata']['expires'] ) ) {
154  $this->expires = (int)$blob['metadata']['expires'];
155  } else {
156  $this->metaDirty = true;
157  $this->logger->debug(
158  'SessionBackend "{session}" metadata dirty due to missing expiration timestamp',
159  [
160  'session' => $this->id,
161  ] );
162  }
163  }
164  $this->dataHash = md5( serialize( $this->data ) );
165  }
166 
172  public function getSession( WebRequest $request ) {
173  $index = ++$this->curIndex;
174  $this->requests[$index] = $request;
175  $session = new Session( $this, $index, $this->logger );
176  return $session;
177  }
178 
184  public function deregisterSession( $index ) {
185  unset( $this->requests[$index] );
186  if ( !$this->shutdown && !count( $this->requests ) ) {
187  $this->save( true );
188  $this->provider->getManager()->deregisterSessionBackend( $this );
189  }
190  }
191 
196  public function shutdown() {
197  $this->save( true );
198  $this->shutdown = true;
199  }
200 
205  public function getId() {
206  return (string)$this->id;
207  }
208 
214  public function getSessionId() {
215  return $this->id;
216  }
217 
222  public function resetId() {
223  if ( $this->provider->persistsSessionId() ) {
224  $oldId = (string)$this->id;
225  $restart = $this->usePhpSessionHandling && $oldId === session_id() &&
227 
228  if ( $restart ) {
229  // If this session is the one behind PHP's $_SESSION, we need
230  // to close then reopen it.
231  session_write_close();
232  }
233 
234  $this->provider->getManager()->changeBackendId( $this );
235  $this->provider->sessionIdWasReset( $this, $oldId );
236  $this->metaDirty = true;
237  $this->logger->debug(
238  'SessionBackend "{session}" metadata dirty due to ID reset (formerly "{oldId}")',
239  [
240  'session' => $this->id,
241  'oldId' => $oldId,
242  ] );
243 
244  if ( $restart ) {
245  session_id( (string)$this->id );
246  \MediaWiki\quietCall( 'session_start' );
247  }
248 
249  $this->autosave();
250 
251  // Delete the data for the old session ID now
252  $this->store->delete( wfMemcKey( 'MWSession', $oldId ) );
253  }
254  }
255 
260  public function getProvider() {
261  return $this->provider;
262  }
263 
271  public function isPersistent() {
272  return $this->persist;
273  }
274 
281  public function persist() {
282  if ( !$this->persist ) {
283  $this->persist = true;
284  $this->forcePersist = true;
285  $this->metaDirty = true;
286  $this->logger->debug(
287  'SessionBackend "{session}" force-persist due to persist()',
288  [
289  'session' => $this->id,
290  ] );
291  $this->autosave();
292  } else {
293  $this->renew();
294  }
295  }
296 
300  public function unpersist() {
301  if ( $this->persist ) {
302  // Close the PHP session, if we're the one that's open
303  if ( $this->usePhpSessionHandling && PHPSessionHandler::isEnabled() &&
304  session_id() === (string)$this->id
305  ) {
306  $this->logger->debug(
307  'SessionBackend "{session}" Closing PHP session for unpersist',
308  [ 'session' => $this->id ]
309  );
310  session_write_close();
311  session_id( '' );
312  }
313 
314  $this->persist = false;
315  $this->forcePersist = true;
316  $this->metaDirty = true;
317 
318  // Delete the session data, so the local cache-only write in
319  // self::save() doesn't get things out of sync with the backend.
320  $this->store->delete( wfMemcKey( 'MWSession', (string)$this->id ) );
321 
322  $this->autosave();
323  }
324  }
325 
331  public function shouldRememberUser() {
332  return $this->remember;
333  }
334 
340  public function setRememberUser( $remember ) {
341  if ( $this->remember !== (bool)$remember ) {
342  $this->remember = (bool)$remember;
343  $this->metaDirty = true;
344  $this->logger->debug(
345  'SessionBackend "{session}" metadata dirty due to remember-user change',
346  [
347  'session' => $this->id,
348  ] );
349  $this->autosave();
350  }
351  }
352 
358  public function getRequest( $index ) {
359  if ( !isset( $this->requests[$index] ) ) {
360  throw new \InvalidArgumentException( 'Invalid session index' );
361  }
362  return $this->requests[$index];
363  }
364 
369  public function getUser() {
370  return $this->user;
371  }
372 
377  public function getAllowedUserRights() {
378  return $this->provider->getAllowedUserRights( $this );
379  }
380 
385  public function canSetUser() {
386  return $this->provider->canChangeUser();
387  }
388 
396  public function setUser( $user ) {
397  if ( !$this->canSetUser() ) {
398  throw new \BadMethodCallException(
399  'Cannot set user on this session; check $session->canSetUser() first'
400  );
401  }
402 
403  $this->user = $user;
404  $this->metaDirty = true;
405  $this->logger->debug(
406  'SessionBackend "{session}" metadata dirty due to user change',
407  [
408  'session' => $this->id,
409  ] );
410  $this->autosave();
411  }
412 
418  public function suggestLoginUsername( $index ) {
419  if ( !isset( $this->requests[$index] ) ) {
420  throw new \InvalidArgumentException( 'Invalid session index' );
421  }
422  return $this->provider->suggestLoginUsername( $this->requests[$index] );
423  }
424 
429  public function shouldForceHTTPS() {
430  return $this->forceHTTPS;
431  }
432 
437  public function setForceHTTPS( $force ) {
438  if ( $this->forceHTTPS !== (bool)$force ) {
439  $this->forceHTTPS = (bool)$force;
440  $this->metaDirty = true;
441  $this->logger->debug(
442  'SessionBackend "{session}" metadata dirty due to force-HTTPS change',
443  [
444  'session' => $this->id,
445  ] );
446  $this->autosave();
447  }
448  }
449 
454  public function getLoggedOutTimestamp() {
455  return $this->loggedOut;
456  }
457 
462  public function setLoggedOutTimestamp( $ts = null ) {
463  $ts = (int)$ts;
464  if ( $this->loggedOut !== $ts ) {
465  $this->loggedOut = $ts;
466  $this->metaDirty = true;
467  $this->logger->debug(
468  'SessionBackend "{session}" metadata dirty due to logged-out-timestamp change',
469  [
470  'session' => $this->id,
471  ] );
472  $this->autosave();
473  }
474  }
475 
481  public function getProviderMetadata() {
483  }
484 
490  public function setProviderMetadata( $metadata ) {
491  if ( $metadata !== null && !is_array( $metadata ) ) {
492  throw new \InvalidArgumentException( '$metadata must be an array or null' );
493  }
494  if ( $this->providerMetadata !== $metadata ) {
495  $this->providerMetadata = $metadata;
496  $this->metaDirty = true;
497  $this->logger->debug(
498  'SessionBackend "{session}" metadata dirty due to provider metadata change',
499  [
500  'session' => $this->id,
501  ] );
502  $this->autosave();
503  }
504  }
505 
515  public function &getData() {
516  return $this->data;
517  }
518 
526  public function addData( array $newData ) {
527  $data = &$this->getData();
528  foreach ( $newData as $key => $value ) {
529  if ( !array_key_exists( $key, $data ) || $data[$key] !== $value ) {
530  $data[$key] = $value;
531  $this->dataDirty = true;
532  $this->logger->debug(
533  'SessionBackend "{session}" data dirty due to addData(): {callers}',
534  [
535  'session' => $this->id,
536  'callers' => wfGetAllCallers( 5 ),
537  ] );
538  }
539  }
540  }
541 
546  public function dirty() {
547  $this->dataDirty = true;
548  $this->logger->debug(
549  'SessionBackend "{session}" data dirty due to dirty(): {callers}',
550  [
551  'session' => $this->id,
552  'callers' => wfGetAllCallers( 5 ),
553  ] );
554  }
555 
562  public function renew() {
563  if ( time() + $this->lifetime / 2 > $this->expires ) {
564  $this->metaDirty = true;
565  $this->logger->debug(
566  'SessionBackend "{callers}" metadata dirty for renew(): {callers}',
567  [
568  'session' => $this->id,
569  'callers' => wfGetAllCallers( 5 ),
570  ] );
571  if ( $this->persist ) {
572  $this->forcePersist = true;
573  $this->logger->debug(
574  'SessionBackend "{session}" force-persist for renew(): {callers}',
575  [
576  'session' => $this->id,
577  'callers' => wfGetAllCallers( 5 ),
578  ] );
579  }
580  }
581  $this->autosave();
582  }
583 
591  public function delaySave() {
592  $this->delaySave++;
593  return new \ScopedCallback( function () {
594  if ( --$this->delaySave <= 0 ) {
595  $this->delaySave = 0;
596  $this->save();
597  }
598  } );
599  }
600 
604  private function autosave() {
605  if ( $this->delaySave <= 0 ) {
606  $this->save();
607  }
608  }
609 
614  public function save( $closing = false ) {
615  $anon = $this->user->isAnon();
616 
617  if ( !$anon && $this->provider->getManager()->isUserSessionPrevented( $this->user->getName() ) ) {
618  $this->logger->debug(
619  'SessionBackend "{session}" not saving, user {user} was ' .
620  'passed to SessionManager::preventSessionsForUser',
621  [
622  'session' => $this->id,
623  'user' => $this->user,
624  ] );
625  return;
626  }
627 
628  // Ensure the user has a token
629  // @codeCoverageIgnoreStart
630  if ( !$anon && !$this->user->getToken( false ) ) {
631  $this->logger->debug(
632  'SessionBackend "{session}" creating token for user {user} on save',
633  [
634  'session' => $this->id,
635  'user' => $this->user,
636  ] );
637  $this->user->setToken();
638  if ( !wfReadOnly() ) {
639  $this->user->saveSettings();
640  }
641  $this->metaDirty = true;
642  }
643  // @codeCoverageIgnoreEnd
644 
645  if ( !$this->metaDirty && !$this->dataDirty &&
646  $this->dataHash !== md5( serialize( $this->data ) )
647  ) {
648  $this->logger->debug(
649  'SessionBackend "{session}" data dirty due to hash mismatch, {expected} !== {got}',
650  [
651  'session' => $this->id,
652  'expected' => $this->dataHash,
653  'got' => md5( serialize( $this->data ) ),
654  ] );
655  $this->dataDirty = true;
656  }
657 
658  if ( !$this->metaDirty && !$this->dataDirty && !$this->forcePersist ) {
659  return;
660  }
661 
662  $this->logger->debug(
663  'SessionBackend "{session}" save: dataDirty={dataDirty} ' .
664  'metaDirty={metaDirty} forcePersist={forcePersist}',
665  [
666  'session' => $this->id,
667  'dataDirty' => (int)$this->dataDirty,
668  'metaDirty' => (int)$this->metaDirty,
669  'forcePersist' => (int)$this->forcePersist,
670  ] );
671 
672  // Persist or unpersist to the provider, if necessary
673  if ( $this->metaDirty || $this->forcePersist ) {
674  if ( $this->persist ) {
675  foreach ( $this->requests as $request ) {
676  $request->setSessionId( $this->getSessionId() );
677  $this->provider->persistSession( $this, $request );
678  }
679  if ( !$closing ) {
680  $this->checkPHPSession();
681  }
682  } else {
683  foreach ( $this->requests as $request ) {
684  if ( $request->getSessionId() === $this->id ) {
685  $this->provider->unpersistSession( $request );
686  }
687  }
688  }
689  }
690 
691  $this->forcePersist = false;
692 
693  if ( !$this->metaDirty && !$this->dataDirty ) {
694  return;
695  }
696 
697  // Save session data to store, if necessary
698  $metadata = $origMetadata = [
699  'provider' => (string)$this->provider,
700  'providerMetadata' => $this->providerMetadata,
701  'userId' => $anon ? 0 : $this->user->getId(),
702  'userName' => User::isValidUserName( $this->user->getName() ) ? $this->user->getName() : null,
703  'userToken' => $anon ? null : $this->user->getToken(),
704  'remember' => !$anon && $this->remember,
705  'forceHTTPS' => $this->forceHTTPS,
706  'expires' => time() + $this->lifetime,
707  'loggedOut' => $this->loggedOut,
708  'persisted' => $this->persist,
709  ];
710 
711  \Hooks::run( 'SessionMetadata', [ $this, &$metadata, $this->requests ] );
712 
713  foreach ( $origMetadata as $k => $v ) {
714  if ( $metadata[$k] !== $v ) {
715  throw new \UnexpectedValueException( "SessionMetadata hook changed metadata key \"$k\"" );
716  }
717  }
718 
719  $this->store->set(
720  wfMemcKey( 'MWSession', (string)$this->id ),
721  [
722  'data' => $this->data,
723  'metadata' => $metadata,
724  ],
725  $metadata['expires'],
727  );
728 
729  $this->metaDirty = false;
730  $this->dataDirty = false;
731  $this->dataHash = md5( serialize( $this->data ) );
732  $this->expires = $metadata['expires'];
733  }
734 
739  private function checkPHPSession() {
740  if ( !$this->checkPHPSessionRecursionGuard ) {
741  $this->checkPHPSessionRecursionGuard = true;
742  $reset = new \ScopedCallback( function () {
743  $this->checkPHPSessionRecursionGuard = false;
744  } );
745 
746  if ( $this->usePhpSessionHandling && session_id() === '' && PHPSessionHandler::isEnabled() &&
747  SessionManager::getGlobalSession()->getId() === (string)$this->id
748  ) {
749  $this->logger->debug(
750  'SessionBackend "{session}" Taking over PHP session',
751  [
752  'session' => $this->id,
753  ] );
754  session_id( (string)$this->id );
755  \MediaWiki\quietCall( 'session_start' );
756  }
757  }
758  }
759 
760 }
getUser()
Returns the authenticated user for this session.
and how to run hooks for an and one after Each event has a preferably in CamelCase For ArticleDelete hook A clump of code and data that should be run when an event happens This can be either a function and a chunk of data
Definition: hooks.txt:6
getSessionId()
Fetch the SessionId object.
This is the actual workhorse for Session.
the array() calling protocol came about after MediaWiki 1.4rc1.
getProviderMetadata()
Fetch provider metadata.
getUserInfo()
Return the user.
magic word the default is to use $key to get the and $key value or $key value text $key value html to format the value $key
Definition: hooks.txt:2321
getProvider()
Fetch the SessionProvider for this session.
getSession(WebRequest $request)
Return a new Session for this backend.
suggestLoginUsername($index)
Get a suggested username for the login form.
setProviderMetadata($metadata)
Set provider metadata.
Apache License January AND DISTRIBUTION Definitions License shall mean the terms and conditions for use
This code would result in ircNotify being run twice when an article is and once for brion Hooks can return three possible true was required This is the default since MediaWiki *some string
Definition: hooks.txt:177
$value
__construct(SessionId $id, SessionInfo $info, CachedBagOStuff $store, LoggerInterface $logger, $lifetime)
setRememberUser($remember)
Set whether the user should be remembered independently of the session ID.
getId()
Return the session ID.
delaySave()
Delay automatic saving while multiple updates are being made.
MediaWiki s SiteStore can be cached and stored in a flat in a json format If the SiteStore is frequently the file cache may provide a performance benefit over a database store
Definition: sitescache.txt:1
string $dataHash
Used to detect subarray modifications.
& getData()
Fetch the session data array.
WebRequest[] $requests
Session requests.
static isValidUserName($name)
Is the input a valid username?
Definition: User.php:846
setUser($user)
Set a new user for this session.
getAllowedUserRights()
Fetch the rights allowed the user when this session is active.
wfReadOnly()
Check whether the wiki is in read-only mode.
static getMain()
Static methods.
persist()
Make this session persisted across requests.
deregisterSession($index)
Deregister a Session.
getProvider()
Return the provider.
This document is intended to provide useful advice for parties seeking to redistribute MediaWiki to end users It s targeted particularly at maintainers for Linux since it s been observed that distribution packages of MediaWiki often break We ve consistently had to recommend that users seeking support use official tarballs instead of their distribution s and this often solves whatever problem the user is having It would be nice if this could such and we might be restricted by PHP settings such as safe mode or open_basedir We cannot assume that the software even has read access anywhere useful Many shared hosts run all users web applications under the same user
Wikitext formatted, in the key only.
Definition: distributors.txt:9
getLoggedOutTimestamp()
Fetch the "logged out" timestamp.
setLoggedOutTimestamp($ts=null)
Set the "logged out" timestamp.
isPersistent()
Indicate whether this session is persisted across requests.
getId()
Returns the session ID.
Manages data for an an authenticated session.
Definition: Session.php:48
static run($event, array $args=[], $deprecatedVersion=null)
Call hook functions defined in Hooks::register and $wgHooks.
Definition: Hooks.php:131
getProviderMetadata()
Return provider metadata.
wasPersisted()
Return whether the session is persisted.
getRequest($index)
Returns the request associated with a Session.
This document is intended to provide useful advice for parties seeking to redistribute MediaWiki to end users It s targeted particularly at maintainers for Linux since it s been observed that distribution packages of MediaWiki often break We ve consistently had to recommend that users seeking support use official tarballs instead of their distribution s and this often solves whatever problem the user is having It would be nice if this could such as
Definition: distributors.txt:9
resetId()
Changes the session ID.
SessionProvider $provider
provider
shutdown()
Shut down a session.
wfGetAllCallers($limit=3)
Return a string consisting of callers in the stack.
save($closing=false)
Save and persist session data.
const WRITE_CACHE_ONLY
Definition: BagOStuff.php:84
static isEnabled()
Test whether the handler is installed and enabled.
static getGlobalSession()
Get the "global" session.
injection txt This is an overview of how MediaWiki makes use of dependency injection The design described here grew from the discussion of RFC T384 The term dependency this means that anything an object needs to operate should be injected from the the object itself should only know narrow no concrete implementation of the logic it relies on The requirement to inject everything typically results in an architecture that based on two main types of and essentially stateless service objects that use other service objects to operate on the value objects As of the beginning MediaWiki is only starting to use the DI approach Much of the code still relies on global state or direct resulting in a highly cyclical dependency which acts as the top level factory for services in MediaWiki which can be used to gain access to default instances of various services MediaWikiServices however also allows new services to be defined and default services to be redefined Services are defined or redefined by providing a callback the instantiator that will return a new instance of the service When it will create an instance of MediaWikiServices and populate it with the services defined in the files listed by thereby bootstrapping the DI framework Per $wgServiceWiringFiles lists includes ServiceWiring php
Definition: injection.txt:35
array null $providerMetadata
provider-specified metadata
error also a ContextSource you ll probably need to make sure the header is varied on $request
Definition: hooks.txt:2418
Value object holding the session ID in a manner that can be globally updated.
Definition: SessionId.php:38
checkPHPSession()
For backwards compatibility, open the PHP session when the global session is persisted.
get($key, $flags=0, $oldFlags=null)
Get an item with the given key.
Definition: BagOStuff.php:173
autosave()
Save and persist session data, unless delayed.
wfMemcKey()
Make a cache key for the local wiki.
unpersist()
Make this session not persisted across requests.
serialize()
Definition: ApiMessage.php:94
shouldForceHTTPS()
Whether HTTPS should be forced.
setForceHTTPS($force)
Set whether HTTPS should be forced.
addData(array $newData)
Add data to the session.
forceHTTPS()
Whether this session should only be used over HTTPS.
canSetUser()
Indicate whether the session user info can be changed.
Value object returned by SessionProvider.
Definition: SessionInfo.php:34
shouldRememberUser()
Indicate whether the user should be remembered independently of the session ID.
wasRemembered()
Return whether the user was remembered.
renew()
Renew the session by resaving everything.