MediaWiki  1.28.0
SessionBackend.php
Go to the documentation of this file.
1 <?php
24 namespace MediaWiki\Session;
25 
28 use User;
30 
49 final class SessionBackend {
51  private $id;
52 
53  private $persist = false;
54  private $remember = false;
55  private $forceHTTPS = false;
56 
58  private $data = null;
59 
60  private $forcePersist = false;
61  private $metaDirty = false;
62  private $dataDirty = false;
63 
65  private $dataHash = null;
66 
68  private $store;
69 
71  private $logger;
72 
74  private $lifetime;
75 
77  private $user;
78 
79  private $curIndex = 0;
80 
82  private $requests = [];
83 
85  private $provider;
86 
88  private $providerMetadata = null;
89 
90  private $expires = 0;
91  private $loggedOut = 0;
92  private $delaySave = 0;
93 
94  private $usePhpSessionHandling = true;
96 
97  private $shutdown = false;
98 
106  public function __construct(
108  ) {
109  $phpSessionHandling = \RequestContext::getMain()->getConfig()->get( 'PHPSessionHandling' );
110  $this->usePhpSessionHandling = $phpSessionHandling !== 'disable';
111 
112  if ( $info->getUserInfo() && !$info->getUserInfo()->isVerified() ) {
113  throw new \InvalidArgumentException(
114  "Refusing to create session for unverified user {$info->getUserInfo()}"
115  );
116  }
117  if ( $info->getProvider() === null ) {
118  throw new \InvalidArgumentException( 'Cannot create session without a provider' );
119  }
120  if ( $info->getId() !== $id->getId() ) {
121  throw new \InvalidArgumentException( 'SessionId and SessionInfo don\'t match' );
122  }
123 
124  $this->id = $id;
125  $this->user = $info->getUserInfo() ? $info->getUserInfo()->getUser() : new User;
126  $this->store = $store;
127  $this->logger = $logger;
128  $this->lifetime = $lifetime;
129  $this->provider = $info->getProvider();
130  $this->persist = $info->wasPersisted();
131  $this->remember = $info->wasRemembered();
132  $this->forceHTTPS = $info->forceHTTPS();
133  $this->providerMetadata = $info->getProviderMetadata();
134 
135  $blob = $store->get( wfMemcKey( 'MWSession', (string)$this->id ) );
136  if ( !is_array( $blob ) ||
137  !isset( $blob['metadata'] ) || !is_array( $blob['metadata'] ) ||
138  !isset( $blob['data'] ) || !is_array( $blob['data'] )
139  ) {
140  $this->data = [];
141  $this->dataDirty = true;
142  $this->metaDirty = true;
143  $this->logger->debug(
144  'SessionBackend "{session}" is unsaved, marking dirty in constructor',
145  [
146  'session' => $this->id,
147  ] );
148  } else {
149  $this->data = $blob['data'];
150  if ( isset( $blob['metadata']['loggedOut'] ) ) {
151  $this->loggedOut = (int)$blob['metadata']['loggedOut'];
152  }
153  if ( isset( $blob['metadata']['expires'] ) ) {
154  $this->expires = (int)$blob['metadata']['expires'];
155  } else {
156  $this->metaDirty = true;
157  $this->logger->debug(
158  'SessionBackend "{session}" metadata dirty due to missing expiration timestamp',
159  [
160  'session' => $this->id,
161  ] );
162  }
163  }
164  $this->dataHash = md5( serialize( $this->data ) );
165  }
166 
172  public function getSession( WebRequest $request ) {
173  $index = ++$this->curIndex;
174  $this->requests[$index] = $request;
175  $session = new Session( $this, $index, $this->logger );
176  return $session;
177  }
178 
184  public function deregisterSession( $index ) {
185  unset( $this->requests[$index] );
186  if ( !$this->shutdown && !count( $this->requests ) ) {
187  $this->save( true );
188  $this->provider->getManager()->deregisterSessionBackend( $this );
189  }
190  }
191 
196  public function shutdown() {
197  $this->save( true );
198  $this->shutdown = true;
199  }
200 
205  public function getId() {
206  return (string)$this->id;
207  }
208 
214  public function getSessionId() {
215  return $this->id;
216  }
217 
222  public function resetId() {
223  if ( $this->provider->persistsSessionId() ) {
224  $oldId = (string)$this->id;
225  $restart = $this->usePhpSessionHandling && $oldId === session_id() &&
227 
228  if ( $restart ) {
229  // If this session is the one behind PHP's $_SESSION, we need
230  // to close then reopen it.
231  session_write_close();
232  }
233 
234  $this->provider->getManager()->changeBackendId( $this );
235  $this->provider->sessionIdWasReset( $this, $oldId );
236  $this->metaDirty = true;
237  $this->logger->debug(
238  'SessionBackend "{session}" metadata dirty due to ID reset (formerly "{oldId}")',
239  [
240  'session' => $this->id,
241  'oldId' => $oldId,
242  ] );
243 
244  if ( $restart ) {
245  session_id( (string)$this->id );
246  \MediaWiki\quietCall( 'session_start' );
247  }
248 
249  $this->autosave();
250 
251  // Delete the data for the old session ID now
252  $this->store->delete( wfMemcKey( 'MWSession', $oldId ) );
253  }
254  }
255 
260  public function getProvider() {
261  return $this->provider;
262  }
263 
271  public function isPersistent() {
272  return $this->persist;
273  }
274 
281  public function persist() {
282  if ( !$this->persist ) {
283  $this->persist = true;
284  $this->forcePersist = true;
285  $this->metaDirty = true;
286  $this->logger->debug(
287  'SessionBackend "{session}" force-persist due to persist()',
288  [
289  'session' => $this->id,
290  ] );
291  $this->autosave();
292  } else {
293  $this->renew();
294  }
295  }
296 
300  public function unpersist() {
301  if ( $this->persist ) {
302  // Close the PHP session, if we're the one that's open
303  if ( $this->usePhpSessionHandling && PHPSessionHandler::isEnabled() &&
304  session_id() === (string)$this->id
305  ) {
306  $this->logger->debug(
307  'SessionBackend "{session}" Closing PHP session for unpersist',
308  [ 'session' => $this->id ]
309  );
310  session_write_close();
311  session_id( '' );
312  }
313 
314  $this->persist = false;
315  $this->forcePersist = true;
316  $this->metaDirty = true;
317 
318  // Delete the session data, so the local cache-only write in
319  // self::save() doesn't get things out of sync with the backend.
320  $this->store->delete( wfMemcKey( 'MWSession', (string)$this->id ) );
321 
322  $this->autosave();
323  }
324  }
325 
331  public function shouldRememberUser() {
332  return $this->remember;
333  }
334 
340  public function setRememberUser( $remember ) {
341  if ( $this->remember !== (bool)$remember ) {
342  $this->remember = (bool)$remember;
343  $this->metaDirty = true;
344  $this->logger->debug(
345  'SessionBackend "{session}" metadata dirty due to remember-user change',
346  [
347  'session' => $this->id,
348  ] );
349  $this->autosave();
350  }
351  }
352 
358  public function getRequest( $index ) {
359  if ( !isset( $this->requests[$index] ) ) {
360  throw new \InvalidArgumentException( 'Invalid session index' );
361  }
362  return $this->requests[$index];
363  }
364 
369  public function getUser() {
370  return $this->user;
371  }
372 
377  public function getAllowedUserRights() {
378  return $this->provider->getAllowedUserRights( $this );
379  }
380 
385  public function canSetUser() {
386  return $this->provider->canChangeUser();
387  }
388 
396  public function setUser( $user ) {
397  if ( !$this->canSetUser() ) {
398  throw new \BadMethodCallException(
399  'Cannot set user on this session; check $session->canSetUser() first'
400  );
401  }
402 
403  $this->user = $user;
404  $this->metaDirty = true;
405  $this->logger->debug(
406  'SessionBackend "{session}" metadata dirty due to user change',
407  [
408  'session' => $this->id,
409  ] );
410  $this->autosave();
411  }
412 
418  public function suggestLoginUsername( $index ) {
419  if ( !isset( $this->requests[$index] ) ) {
420  throw new \InvalidArgumentException( 'Invalid session index' );
421  }
422  return $this->provider->suggestLoginUsername( $this->requests[$index] );
423  }
424 
429  public function shouldForceHTTPS() {
430  return $this->forceHTTPS;
431  }
432 
437  public function setForceHTTPS( $force ) {
438  if ( $this->forceHTTPS !== (bool)$force ) {
439  $this->forceHTTPS = (bool)$force;
440  $this->metaDirty = true;
441  $this->logger->debug(
442  'SessionBackend "{session}" metadata dirty due to force-HTTPS change',
443  [
444  'session' => $this->id,
445  ] );
446  $this->autosave();
447  }
448  }
449 
454  public function getLoggedOutTimestamp() {
455  return $this->loggedOut;
456  }
457 
462  public function setLoggedOutTimestamp( $ts = null ) {
463  $ts = (int)$ts;
464  if ( $this->loggedOut !== $ts ) {
465  $this->loggedOut = $ts;
466  $this->metaDirty = true;
467  $this->logger->debug(
468  'SessionBackend "{session}" metadata dirty due to logged-out-timestamp change',
469  [
470  'session' => $this->id,
471  ] );
472  $this->autosave();
473  }
474  }
475 
481  public function getProviderMetadata() {
483  }
484 
490  public function setProviderMetadata( $metadata ) {
491  if ( $metadata !== null && !is_array( $metadata ) ) {
492  throw new \InvalidArgumentException( '$metadata must be an array or null' );
493  }
494  if ( $this->providerMetadata !== $metadata ) {
495  $this->providerMetadata = $metadata;
496  $this->metaDirty = true;
497  $this->logger->debug(
498  'SessionBackend "{session}" metadata dirty due to provider metadata change',
499  [
500  'session' => $this->id,
501  ] );
502  $this->autosave();
503  }
504  }
505 
515  public function &getData() {
516  return $this->data;
517  }
518 
526  public function addData( array $newData ) {
527  $data = &$this->getData();
528  foreach ( $newData as $key => $value ) {
529  if ( !array_key_exists( $key, $data ) || $data[$key] !== $value ) {
530  $data[$key] = $value;
531  $this->dataDirty = true;
532  $this->logger->debug(
533  'SessionBackend "{session}" data dirty due to addData(): {callers}',
534  [
535  'session' => $this->id,
536  'callers' => wfGetAllCallers( 5 ),
537  ] );
538  }
539  }
540  }
541 
546  public function dirty() {
547  $this->dataDirty = true;
548  $this->logger->debug(
549  'SessionBackend "{session}" data dirty due to dirty(): {callers}',
550  [
551  'session' => $this->id,
552  'callers' => wfGetAllCallers( 5 ),
553  ] );
554  }
555 
562  public function renew() {
563  if ( time() + $this->lifetime / 2 > $this->expires ) {
564  $this->metaDirty = true;
565  $this->logger->debug(
566  'SessionBackend "{callers}" metadata dirty for renew(): {callers}',
567  [
568  'session' => $this->id,
569  'callers' => wfGetAllCallers( 5 ),
570  ] );
571  if ( $this->persist ) {
572  $this->forcePersist = true;
573  $this->logger->debug(
574  'SessionBackend "{session}" force-persist for renew(): {callers}',
575  [
576  'session' => $this->id,
577  'callers' => wfGetAllCallers( 5 ),
578  ] );
579  }
580  }
581  $this->autosave();
582  }
583 
591  public function delaySave() {
592  $this->delaySave++;
593  return new \Wikimedia\ScopedCallback( function () {
594  if ( --$this->delaySave <= 0 ) {
595  $this->delaySave = 0;
596  $this->save();
597  }
598  } );
599  }
600 
605  private function autosave() {
606  if ( $this->delaySave <= 0 ) {
607  $this->save();
608  }
609  }
610 
620  public function save( $closing = false ) {
621  $anon = $this->user->isAnon();
622 
623  if ( !$anon && $this->provider->getManager()->isUserSessionPrevented( $this->user->getName() ) ) {
624  $this->logger->debug(
625  'SessionBackend "{session}" not saving, user {user} was ' .
626  'passed to SessionManager::preventSessionsForUser',
627  [
628  'session' => $this->id,
629  'user' => $this->user,
630  ] );
631  return;
632  }
633 
634  // Ensure the user has a token
635  // @codeCoverageIgnoreStart
636  if ( !$anon && !$this->user->getToken( false ) ) {
637  $this->logger->debug(
638  'SessionBackend "{session}" creating token for user {user} on save',
639  [
640  'session' => $this->id,
641  'user' => $this->user,
642  ] );
643  $this->user->setToken();
644  if ( !wfReadOnly() ) {
645  // Promise that the token set here will be valid; save it at end of request
646  $user = $this->user;
648  $user->saveSettings();
649  } );
650  }
651  $this->metaDirty = true;
652  }
653  // @codeCoverageIgnoreEnd
654 
655  if ( !$this->metaDirty && !$this->dataDirty &&
656  $this->dataHash !== md5( serialize( $this->data ) )
657  ) {
658  $this->logger->debug(
659  'SessionBackend "{session}" data dirty due to hash mismatch, {expected} !== {got}',
660  [
661  'session' => $this->id,
662  'expected' => $this->dataHash,
663  'got' => md5( serialize( $this->data ) ),
664  ] );
665  $this->dataDirty = true;
666  }
667 
668  if ( !$this->metaDirty && !$this->dataDirty && !$this->forcePersist ) {
669  return;
670  }
671 
672  $this->logger->debug(
673  'SessionBackend "{session}" save: dataDirty={dataDirty} ' .
674  'metaDirty={metaDirty} forcePersist={forcePersist}',
675  [
676  'session' => $this->id,
677  'dataDirty' => (int)$this->dataDirty,
678  'metaDirty' => (int)$this->metaDirty,
679  'forcePersist' => (int)$this->forcePersist,
680  ] );
681 
682  // Persist or unpersist to the provider, if necessary
683  if ( $this->metaDirty || $this->forcePersist ) {
684  if ( $this->persist ) {
685  foreach ( $this->requests as $request ) {
686  $request->setSessionId( $this->getSessionId() );
687  $this->provider->persistSession( $this, $request );
688  }
689  if ( !$closing ) {
690  $this->checkPHPSession();
691  }
692  } else {
693  foreach ( $this->requests as $request ) {
694  if ( $request->getSessionId() === $this->id ) {
695  $this->provider->unpersistSession( $request );
696  }
697  }
698  }
699  }
700 
701  $this->forcePersist = false;
702 
703  if ( !$this->metaDirty && !$this->dataDirty ) {
704  return;
705  }
706 
707  // Save session data to store, if necessary
708  $metadata = $origMetadata = [
709  'provider' => (string)$this->provider,
710  'providerMetadata' => $this->providerMetadata,
711  'userId' => $anon ? 0 : $this->user->getId(),
712  'userName' => User::isValidUserName( $this->user->getName() ) ? $this->user->getName() : null,
713  'userToken' => $anon ? null : $this->user->getToken(),
714  'remember' => !$anon && $this->remember,
715  'forceHTTPS' => $this->forceHTTPS,
716  'expires' => time() + $this->lifetime,
717  'loggedOut' => $this->loggedOut,
718  'persisted' => $this->persist,
719  ];
720 
721  \Hooks::run( 'SessionMetadata', [ $this, &$metadata, $this->requests ] );
722 
723  foreach ( $origMetadata as $k => $v ) {
724  if ( $metadata[$k] !== $v ) {
725  throw new \UnexpectedValueException( "SessionMetadata hook changed metadata key \"$k\"" );
726  }
727  }
728 
730  $flags |= CachedBagOStuff::WRITE_SYNC; // write to all datacenters
731  $this->store->set(
732  wfMemcKey( 'MWSession', (string)$this->id ),
733  [
734  'data' => $this->data,
735  'metadata' => $metadata,
736  ],
737  $metadata['expires'],
738  $flags
739  );
740 
741  $this->metaDirty = false;
742  $this->dataDirty = false;
743  $this->dataHash = md5( serialize( $this->data ) );
744  $this->expires = $metadata['expires'];
745  }
746 
751  private function checkPHPSession() {
752  if ( !$this->checkPHPSessionRecursionGuard ) {
753  $this->checkPHPSessionRecursionGuard = true;
754  $reset = new \Wikimedia\ScopedCallback( function () {
755  $this->checkPHPSessionRecursionGuard = false;
756  } );
757 
758  if ( $this->usePhpSessionHandling && session_id() === '' && PHPSessionHandler::isEnabled() &&
759  SessionManager::getGlobalSession()->getId() === (string)$this->id
760  ) {
761  $this->logger->debug(
762  'SessionBackend "{session}" Taking over PHP session',
763  [
764  'session' => $this->id,
765  ] );
766  session_id( (string)$this->id );
767  \MediaWiki\quietCall( 'session_start' );
768  }
769  }
770  }
771 
772 }
getUser()
Returns the authenticated user for this session.
and how to run hooks for an and one after Each event has a preferably in CamelCase For ArticleDelete hook A clump of code and data that should be run when an event happens This can be either a function and a chunk of data
Definition: hooks.txt:6
getSessionId()
Fetch the SessionId object.
This is the actual workhorse for Session.
the array() calling protocol came about after MediaWiki 1.4rc1.
getProviderMetadata()
Fetch provider metadata.
getUserInfo()
Return the user.
getProvider()
Fetch the SessionProvider for this session.
getSession(WebRequest $request)
Return a new Session for this backend.
saveSettings()
Save this user's settings into the database.
Definition: User.php:3847
suggestLoginUsername($index)
Get a suggested username for the login form.
setProviderMetadata($metadata)
Set provider metadata.
Apache License January AND DISTRIBUTION Definitions License shall mean the terms and conditions for use
This code would result in ircNotify being run twice when an article is and once for brion Hooks can return three possible true was required This is the default since MediaWiki *some string
Definition: hooks.txt:177
$value
__construct(SessionId $id, SessionInfo $info, CachedBagOStuff $store, LoggerInterface $logger, $lifetime)
setRememberUser($remember)
Set whether the user should be remembered independently of the session ID.
it s the revision text itself In either if gzip is the revision text is gzipped $flags
Definition: hooks.txt:2703
getId()
Return the session ID.
delaySave()
Delay automatic saving while multiple updates are being made.
MediaWiki s SiteStore can be cached and stored in a flat in a json format If the SiteStore is frequently the file cache may provide a performance benefit over a database store
Definition: sitescache.txt:1
string $dataHash
Used to detect subarray modifications.
& getData()
Fetch the session data array.
WebRequest[] $requests
Session requests.
static isValidUserName($name)
Is the input a valid username?
Definition: User.php:804
setUser($user)
Set a new user for this session.
getAllowedUserRights()
Fetch the rights allowed the user when this session is active.
wfReadOnly()
Check whether the wiki is in read-only mode.
static getMain()
Static methods.
persist()
Make this session persisted across requests.
deregisterSession($index)
Deregister a Session.
getProvider()
Return the provider.
This document is intended to provide useful advice for parties seeking to redistribute MediaWiki to end users It s targeted particularly at maintainers for Linux since it s been observed that distribution packages of MediaWiki often break We ve consistently had to recommend that users seeking support use official tarballs instead of their distribution s and this often solves whatever problem the user is having It would be nice if this could such and we might be restricted by PHP settings such as safe mode or open_basedir We cannot assume that the software even has read access anywhere useful Many shared hosts run all users web applications under the same user
Wikitext formatted, in the key only.
Definition: distributors.txt:9
getLoggedOutTimestamp()
Fetch the "logged out" timestamp.
setLoggedOutTimestamp($ts=null)
Set the "logged out" timestamp.
const WRITE_SYNC
Bitfield constants for set()/merge()
Definition: BagOStuff.php:86
isPersistent()
Indicate whether this session is persisted across requests.
getId()
Returns the session ID.
Manages data for an an authenticated session.
Definition: Session.php:48
static run($event, array $args=[], $deprecatedVersion=null)
Call hook functions defined in Hooks::register and $wgHooks.
Definition: Hooks.php:131
getProviderMetadata()
Return provider metadata.
wasPersisted()
Return whether the session is persisted.
getRequest($index)
Returns the request associated with a Session.
This document is intended to provide useful advice for parties seeking to redistribute MediaWiki to end users It s targeted particularly at maintainers for Linux since it s been observed that distribution packages of MediaWiki often break We ve consistently had to recommend that users seeking support use official tarballs instead of their distribution s and this often solves whatever problem the user is having It would be nice if this could such as
Definition: distributors.txt:9
resetId()
Changes the session ID.
SessionProvider $provider
provider
shutdown()
Shut down a session.
wfGetAllCallers($limit=3)
Return a string consisting of callers in the stack.
save($closing=false)
Save the session.
const WRITE_CACHE_ONLY
Definition: BagOStuff.php:87
static isEnabled()
Test whether the handler is installed and enabled.
static getGlobalSession()
Get the "global" session.
injection txt This is an overview of how MediaWiki makes use of dependency injection The design described here grew from the discussion of RFC T384 The term dependency this means that anything an object needs to operate should be injected from the the object itself should only know narrow no concrete implementation of the logic it relies on The requirement to inject everything typically results in an architecture that based on two main types of and essentially stateless service objects that use other service objects to operate on the value objects As of the beginning MediaWiki is only starting to use the DI approach Much of the code still relies on global state or direct resulting in a highly cyclical dependency which acts as the top level factory for services in MediaWiki which can be used to gain access to default instances of various services MediaWikiServices however also allows new services to be defined and default services to be redefined Services are defined or redefined by providing a callback the instantiator that will return a new instance of the service When it will create an instance of MediaWikiServices and populate it with the services defined in the files listed by thereby bootstrapping the DI framework Per $wgServiceWiringFiles lists includes ServiceWiring php
Definition: injection.txt:35
array null $providerMetadata
provider-specified metadata
error also a ContextSource you ll probably need to make sure the header is varied on $request
Definition: hooks.txt:2573
Value object holding the session ID in a manner that can be globally updated.
Definition: SessionId.php:38
checkPHPSession()
For backwards compatibility, open the PHP session when the global session is persisted.
get($key, $flags=0, $oldFlags=null)
Get an item with the given key.
Definition: BagOStuff.php:179
autosave()
Save the session, unless delayed.
wfMemcKey()
Make a cache key for the local wiki.
static addCallableUpdate($callable, $stage=self::POSTSEND, IDatabase $dbw=null)
Add a callable update.
unpersist()
Make this session not persisted across requests.
serialize()
Definition: ApiMessage.php:94
shouldForceHTTPS()
Whether HTTPS should be forced.
setForceHTTPS($force)
Set whether HTTPS should be forced.
addData(array $newData)
Add data to the session.
forceHTTPS()
Whether this session should only be used over HTTPS.
canSetUser()
Indicate whether the session user info can be changed.
Value object returned by SessionProvider.
Definition: SessionInfo.php:34
shouldRememberUser()
Indicate whether the user should be remembered independently of the session ID.
wasRemembered()
Return whether the user was remembered.
renew()
Renew the session by resaving everything.