1.39.10/php/Session_8php_source.html

<?php

namespace MediaWiki\Session;


use MediaWiki\MainConfigNames;

use MediaWiki\MediaWikiServices;

use Psr\Log\LoggerInterface;

use User;

use WebRequest;


class Session implements \Countable, \Iterator, \ArrayAccess {

    private static $encryptionAlgorithm = null;


    private $backend;


    private $index;


    private $logger;


    public function __construct( SessionBackend $backend, $index, LoggerInterface $logger ) {

        $this->backend = $backend;

        $this->index = $index;

        $this->logger = $logger;

    }


    public function __destruct() {

        $this->backend->deregisterSession( $this->index );

    }


    public function getId() {

        return $this->backend->getId();

    }


    public function getSessionId() {

        return $this->backend->getSessionId();

    }


    public function resetId() {

        return $this->backend->resetId();

    }


    public function getProvider() {

        return $this->backend->getProvider();

    }


    public function isPersistent() {

        return $this->backend->isPersistent();

    }


    public function persist() {

        $this->backend->persist();

    }


    public function unpersist() {

        $this->backend->unpersist();

    }


    public function shouldRememberUser() {

        return $this->backend->shouldRememberUser();

    }


    public function setRememberUser( $remember ) {

        $this->backend->setRememberUser( $remember );

    }


    public function getRequest() {

        return $this->backend->getRequest( $this->index );

    }


    public function getUser() {

        return $this->backend->getUser();

    }


    public function getAllowedUserRights() {

        return $this->backend->getAllowedUserRights();

    }


    public function canSetUser() {

        return $this->backend->canSetUser();

    }


    public function setUser( $user ) {

        $this->backend->setUser( $user );

    }


    public function suggestLoginUsername() {

        return $this->backend->suggestLoginUsername( $this->index );

    }


    public function shouldForceHTTPS() {

        return $this->backend->shouldForceHTTPS();

    }


    public function setForceHTTPS( $force ) {

        $this->backend->setForceHTTPS( $force );

    }


    public function getLoggedOutTimestamp() {

        return $this->backend->getLoggedOutTimestamp();

    }


    public function setLoggedOutTimestamp( $ts ) {

        $this->backend->setLoggedOutTimestamp( $ts );

    }


    public function getProviderMetadata() {

        return $this->backend->getProviderMetadata();

    }


    public function clear() {

        $data = &$this->backend->getData();

        if ( $data ) {

            $data = [];

            $this->backend->dirty();

        }

        if ( $this->backend->canSetUser() ) {

            $this->backend->setUser( new User );

        }

        $this->backend->save();

    }


    public function renew() {

        $this->backend->renew();

    }


    public function sessionWithRequest( WebRequest $request ) {

        $request->setSessionId( $this->backend->getSessionId() );

        return $this->backend->getSession( $request );

    }


    public function get( $key, $default = null ) {

        $data = &$this->backend->getData();

        return array_key_exists( $key, $data ) ? $data[$key] : $default;

    }


    public function exists( $key ) {

        $data = &$this->backend->getData();

        return array_key_exists( $key, $data );

    }


    public function set( $key, $value ) {

        $data = &$this->backend->getData();

        if ( !array_key_exists( $key, $data ) || $data[$key] !== $value ) {

            $data[$key] = $value;

            $this->backend->dirty();

        }

    }


    public function remove( $key ) {

        $data = &$this->backend->getData();

        if ( array_key_exists( $key, $data ) ) {

            unset( $data[$key] );

            $this->backend->dirty();

        }

    }


    public function hasToken( string $key = 'default' ): bool {

        $secrets = $this->get( 'wsTokenSecrets' );

        if ( !is_array( $secrets ) ) {

            return false;

        }

        return isset( $secrets[$key] ) && is_string( $secrets[$key] );

    }


    public function getToken( $salt = '', $key = 'default' ) {

        $new = false;

        $secrets = $this->get( 'wsTokenSecrets' );

        if ( !is_array( $secrets ) ) {

            $secrets = [];

        }

        if ( isset( $secrets[$key] ) && is_string( $secrets[$key] ) ) {

            $secret = $secrets[$key];

        } else {

            $secret = \MWCryptRand::generateHex( 32 );

            $secrets[$key] = $secret;

            $this->set( 'wsTokenSecrets', $secrets );

            $new = true;

        }

        if ( is_array( $salt ) ) {

            $salt = implode( '|', $salt );

        }

        return new Token( $secret, (string)$salt, $new );

    }


    public function resetToken( $key = 'default' ) {

        $secrets = $this->get( 'wsTokenSecrets' );

        if ( is_array( $secrets ) && isset( $secrets[$key] ) ) {

            unset( $secrets[$key] );

            $this->set( 'wsTokenSecrets', $secrets );

        }

    }


    public function resetAllTokens() {

        $this->remove( 'wsTokenSecrets' );

    }


    private function getSecretKeys() {

        $mainConfig = MediaWikiServices::getInstance()->getMainConfig();

        $sessionSecret = $mainConfig->get( MainConfigNames::SessionSecret );

        $secretKey = $mainConfig->get( MainConfigNames::SecretKey );

        $sessionPbkdf2Iterations = $mainConfig->get( MainConfigNames::SessionPbkdf2Iterations );

        $wikiSecret = $sessionSecret ?: $secretKey;

        $userSecret = $this->get( 'wsSessionSecret', null );

        if ( $userSecret === null ) {

            $userSecret = \MWCryptRand::generateHex( 32 );

            $this->set( 'wsSessionSecret', $userSecret );

        }

        $iterations = $this->get( 'wsSessionPbkdf2Iterations', null );

        if ( $iterations === null ) {

            $iterations = $sessionPbkdf2Iterations;

            $this->set( 'wsSessionPbkdf2Iterations', $iterations );

        }


        $keymats = hash_pbkdf2( 'sha256', $wikiSecret, $userSecret, $iterations, 64, true );

        return [

            substr( $keymats, 0, 32 ),

            substr( $keymats, 32, 32 ),

        ];

    }


    private static function getEncryptionAlgorithm() {

        $sessionInsecureSecrets = MediaWikiServices::getInstance()->getMainConfig()

            ->get( MainConfigNames::SessionInsecureSecrets );


        if ( self::$encryptionAlgorithm === null ) {

            if ( function_exists( 'openssl_encrypt' ) ) {

                $methods = openssl_get_cipher_methods();

                if ( in_array( 'aes-256-ctr', $methods, true ) ) {

                    self::$encryptionAlgorithm = [ 'openssl', 'aes-256-ctr' ];

                    return self::$encryptionAlgorithm;

                }

                if ( in_array( 'aes-256-cbc', $methods, true ) ) {

                    self::$encryptionAlgorithm = [ 'openssl', 'aes-256-cbc' ];

                    return self::$encryptionAlgorithm;

                }

            }


            if ( $sessionInsecureSecrets ) {

                // @todo: import a pure-PHP library for AES instead of this

                self::$encryptionAlgorithm = [ 'insecure' ];

                return self::$encryptionAlgorithm;

            }


            throw new \BadMethodCallException(

                'Encryption is not available. You really should install the PHP OpenSSL extension. ' .

                'But if you really can\'t and you\'re willing ' .

                'to accept insecure storage of sensitive session data, set ' .

                '$wgSessionInsecureSecrets = true in LocalSettings.php to make this exception go away.'

            );

        }


        return self::$encryptionAlgorithm;

    }


    public function setSecret( $key, $value ) {

        list( $encKey, $hmacKey ) = $this->getSecretKeys();

        $serialized = serialize( $value );


        // The code for encryption (with OpenSSL) and sealing is taken from

        // Chris Steipp's OATHAuthUtils class in Extension::OATHAuth.


        // Encrypt

        // @todo: import a pure-PHP library for AES instead of doing $wgSessionInsecureSecrets

        $iv = random_bytes( 16 );

        $algorithm = self::getEncryptionAlgorithm();

        switch ( $algorithm[0] ) {

            case 'openssl':

                $ciphertext = openssl_encrypt( $serialized, $algorithm[1], $encKey, OPENSSL_RAW_DATA, $iv );

                if ( $ciphertext === false ) {

                    throw new \UnexpectedValueException( 'Encryption failed: ' . openssl_error_string() );

                }

                break;

            case 'insecure':

                $ex = new \Exception( 'No encryption is available, storing data as plain text' );

                $this->logger->warning( $ex->getMessage(), [ 'exception' => $ex ] );

                $ciphertext = $serialized;

                break;

            default:

                throw new \LogicException( 'invalid algorithm' );

        }


        // Seal

        $sealed = base64_encode( $iv ) . '.' . base64_encode( $ciphertext );

        $hmac = hash_hmac( 'sha256', $sealed, $hmacKey, true );

        $encrypted = base64_encode( $hmac ) . '.' . $sealed;


        // Store

        $this->set( $key, $encrypted );

    }


    public function getSecret( $key, $default = null ) {

        // Fetch

        $encrypted = $this->get( $key, null );

        if ( $encrypted === null ) {

            return $default;

        }


        // The code for unsealing, checking, and decrypting (with OpenSSL) is

        // taken from Chris Steipp's OATHAuthUtils class in

        // Extension::OATHAuth.


        // Unseal and check

        $pieces = explode( '.', $encrypted, 4 );

        if ( count( $pieces ) !== 3 ) {

            $ex = new \Exception( 'Invalid sealed-secret format' );

            $this->logger->warning( $ex->getMessage(), [ 'exception' => $ex ] );

            return $default;

        }

        list( $hmac, $iv, $ciphertext ) = $pieces;

        list( $encKey, $hmacKey ) = $this->getSecretKeys();

        $integCalc = hash_hmac( 'sha256', $iv . '.' . $ciphertext, $hmacKey, true );

        if ( !hash_equals( $integCalc, base64_decode( $hmac ) ) ) {

            $ex = new \Exception( 'Sealed secret has been tampered with, aborting.' );

            $this->logger->warning( $ex->getMessage(), [ 'exception' => $ex ] );

            return $default;

        }


        // Decrypt

        $algorithm = self::getEncryptionAlgorithm();

        switch ( $algorithm[0] ) {

            case 'openssl':

                $serialized = openssl_decrypt( base64_decode( $ciphertext ), $algorithm[1], $encKey,

                    OPENSSL_RAW_DATA, base64_decode( $iv ) );

                if ( $serialized === false ) {

                    $ex = new \Exception( 'Decyption failed: ' . openssl_error_string() );

                    $this->logger->debug( $ex->getMessage(), [ 'exception' => $ex ] );

                    return $default;

                }

                break;

            case 'insecure':

                $ex = new \Exception(

                    'No encryption is available, retrieving data that was stored as plain text'

                );

                $this->logger->warning( $ex->getMessage(), [ 'exception' => $ex ] );

                $serialized = base64_decode( $ciphertext );

                break;

            default:

                throw new \LogicException( 'invalid algorithm' );

        }


        $value = unserialize( $serialized );

        if ( $value === false && $serialized !== serialize( false ) ) {

            $value = $default;

        }

        return $value;

    }


    public function delaySave() {

        return $this->backend->delaySave();

    }


    public function save() {

        $this->backend->save();

    }


    // region   Interface methods


    public function count(): int {

        $data = &$this->backend->getData();

        return count( $data );

    }


    #[\ReturnTypeWillChange]


    public function current() {

        $data = &$this->backend->getData();

        return current( $data );

    }


    #[\ReturnTypeWillChange]


    public function key() {

        $data = &$this->backend->getData();

        return key( $data );

    }


    public function next(): void {

        $data = &$this->backend->getData();

        next( $data );

    }


    public function rewind(): void {

        $data = &$this->backend->getData();

        reset( $data );

    }


    public function valid(): bool {

        $data = &$this->backend->getData();

        return key( $data ) !== null;

    }


    public function offsetExists( $offset ): bool {

        $data = &$this->backend->getData();

        return isset( $data[$offset] );

    }


    #[\ReturnTypeWillChange]


    public function &offsetGet( $offset ) {

        $data = &$this->backend->getData();

        if ( !array_key_exists( $offset, $data ) ) {

            $ex = new \Exception( "Undefined index (auto-adds to session with a null value): $offset" );

            $this->logger->debug( $ex->getMessage(), [ 'exception' => $ex ] );

        }

        return $data[$offset];

    }


    public function offsetSet( $offset, $value ): void {

        $this->set( $offset, $value );

    }


    public function offsetUnset( $offset ): void {

        $this->remove( $offset );

    }


    // endregion  -- end of Interface methods

}


serialize
serialize()
Definition ApiMessageTrait.php:138

unserialize
unserialize( $serialized)
Definition ApiMessageTrait.php:150

MediaWiki\MainConfigNames
A class containing constants representing the names of configuration variables.
Definition MainConfigNames.php:23

MediaWiki\MainConfigNames\SessionSecret
const SessionSecret
Name constant for the SessionSecret setting, for use with Config::get()
Definition MainConfigNames.php:3051

MediaWiki\MainConfigNames\SessionPbkdf2Iterations
const SessionPbkdf2Iterations
Name constant for the SessionPbkdf2Iterations setting, for use with Config::get()
Definition MainConfigNames.php:1534

MediaWiki\MainConfigNames\SessionInsecureSecrets
const SessionInsecureSecrets
Name constant for the SessionInsecureSecrets setting, for use with Config::get()
Definition MainConfigNames.php:3057

MediaWiki\MainConfigNames\SecretKey
const SecretKey
Name constant for the SecretKey setting, for use with Config::get()
Definition MainConfigNames.php:2967

MediaWiki\MediaWikiServices
Service locator for MediaWiki core services.
Definition MediaWikiServices.php:212

MediaWiki\MediaWikiServices\getInstance
static getInstance()
Returns the global default instance of the top level service locator.
Definition MediaWikiServices.php:273

MediaWiki\Session\SessionBackend
This is the actual workhorse for Session.
Definition SessionBackend.php:54

MediaWiki\Session\Session
Manages data for an authenticated session.
Definition Session.php:50

MediaWiki\Session\Session\offsetSet
offsetSet( $offset, $value)
Definition Session.php:674

MediaWiki\Session\Session\delaySave
delaySave()
Delay automatic saving while multiple updates are being made.
Definition Session.php:590

MediaWiki\Session\Session\offsetExists
offsetExists( $offset)
Definition Session.php:650

MediaWiki\Session\Session\offsetUnset
offsetUnset( $offset)
Definition Session.php:679

MediaWiki\Session\Session\suggestLoginUsername
suggestLoginUsername()
Get a suggested username for the login form.
Definition Session.php:209

MediaWiki\Session\Session\offsetGet
& offsetGet( $offset)
Definition Session.php:664

MediaWiki\Session\Session\valid
valid()
Definition Session.php:640

MediaWiki\Session\Session\setForceHTTPS
setForceHTTPS( $force)
Set the value of the forceHTTPS cookie.
Definition Session.php:231

MediaWiki\Session\Session\getToken
getToken( $salt='', $key='default')
Fetch a CSRF token from the session.
Definition Session.php:368

MediaWiki\Session\Session\setSecret
setSecret( $key, $value)
Set a value in the session, encrypted.
Definition Session.php:484

MediaWiki\Session\Session\next
next()
Definition Session.php:628

MediaWiki\Session\Session\persist
persist()
Make this session persisted across requests.
Definition Session.php:128

MediaWiki\Session\Session\shouldForceHTTPS
shouldForceHTTPS()
Get the expected value of the forceHTTPS cookie.
Definition Session.php:220

MediaWiki\Session\Session\renew
renew()
Resets the TTL in the backend store if the session is near expiring, and re-persists the session to a...
Definition Session.php:278

MediaWiki\Session\Session\getSecret
getSecret( $key, $default=null)
Fetch a value from the session that was set with self::setSecret()
Definition Session.php:526

MediaWiki\Session\Session\resetId
resetId()
Changes the session ID.
Definition Session.php:99

MediaWiki\Session\Session\getProvider
getProvider()
Fetch the SessionProvider for this session.
Definition Session.php:107

MediaWiki\Session\Session\isPersistent
isPersistent()
Indicate whether this session is persisted across requests.
Definition Session.php:118

MediaWiki\Session\Session\getRequest
getRequest()
Returns the request associated with this session.
Definition Session.php:166

MediaWiki\Session\Session\getProviderMetadata
getProviderMetadata()
Fetch provider metadata.
Definition Session.php:255

MediaWiki\Session\Session\resetToken
resetToken( $key='default')
Remove a CSRF token from the session.
Definition Session.php:395

MediaWiki\Session\Session\__destruct
__destruct()
Definition Session.php:74

MediaWiki\Session\Session\sessionWithRequest
sessionWithRequest(WebRequest $request)
Fetch a copy of this session attached to an alternative WebRequest.
Definition Session.php:291

MediaWiki\Session\Session\save
save()
This will update the backend data and might re-persist the session if needed.
Definition Session.php:598

MediaWiki\Session\Session\count
count()
Definition Session.php:608

MediaWiki\Session\Session\unpersist
unpersist()
Make this session not be persisted across requests.
Definition Session.php:140

MediaWiki\Session\Session\canSetUser
canSetUser()
Indicate whether the session user info can be changed.
Definition Session.php:190

MediaWiki\Session\Session\exists
exists( $key)
Test if a value exists in the session.
Definition Session.php:313

MediaWiki\Session\Session\getLoggedOutTimestamp
getLoggedOutTimestamp()
Fetch the "logged out" timestamp.
Definition Session.php:239

MediaWiki\Session\Session\getUser
getUser()
Returns the authenticated user for this session.
Definition Session.php:174

MediaWiki\Session\Session\getId
getId()
Returns the session ID.
Definition Session.php:82

MediaWiki\Session\Session\setRememberUser
setRememberUser( $remember)
Set whether the user should be remembered independently of the session ID.
Definition Session.php:158

MediaWiki\Session\Session\resetAllTokens
resetAllTokens()
Remove all CSRF tokens from the session.
Definition Session.php:406

MediaWiki\Session\Session\key
key()
Definition Session.php:622

MediaWiki\Session\Session\get
get( $key, $default=null)
Fetch a value from the session.
Definition Session.php:302

MediaWiki\Session\Session\hasToken
hasToken(string $key='default')
Check if a CSRF token is set for the session.
Definition Session.php:350

MediaWiki\Session\Session\clear
clear()
Delete all session data and clear the user (if possible)
Definition Session.php:262

MediaWiki\Session\Session\shouldRememberUser
shouldRememberUser()
Indicate whether the user should be remembered independently of the session ID.
Definition Session.php:149

MediaWiki\Session\Session\rewind
rewind()
Definition Session.php:634

MediaWiki\Session\Session\current
current()
Definition Session.php:615

MediaWiki\Session\Session\setLoggedOutTimestamp
setLoggedOutTimestamp( $ts)
Definition Session.php:246

MediaWiki\Session\Session\setUser
setUser( $user)
Set a new user for this session.
Definition Session.php:201

MediaWiki\Session\Session\getSessionId
getSessionId()
Returns the SessionId object.
Definition Session.php:91

MediaWiki\Session\Session\getAllowedUserRights
getAllowedUserRights()
Fetch the rights allowed the user when this session is active.
Definition Session.php:182

MediaWiki\Session\Session\__construct
__construct(SessionBackend $backend, $index, LoggerInterface $logger)
Definition Session.php:68

MediaWiki\Session\Token
Value object representing a CSRF token.
Definition Token.php:32

User
internal since 1.36
Definition User.php:70

WebRequest
The WebRequest class encapsulates getting at data passed in the URL or via a POSTed form stripping il...
Definition WebRequest.php:44

WebRequest\setSessionId
setSessionId(SessionId $sessionId)
Set the session for this request.
Definition WebRequest.php:852

MediaWiki\Session
Definition BotPasswordSessionProvider.php:24

$serialized
foreach( $res as $row) $serialized
Definition testCompression.php:88