MediaWiki REL1_32
SessionManager.php
Go to the documentation of this file.
1<?php
24namespace MediaWiki\Session;
25
26use MediaWiki\MediaWikiServices;
27use MWException;
28use Psr\Log\LoggerInterface;
29use BagOStuff;
30use CachedBagOStuff;
31use Config;
32use FauxRequest;
33use User;
34use WebRequest;
35use Wikimedia\ObjectFactory;
36
50final class SessionManager implements SessionManagerInterface {
52 private static $instance = null;
53
55 private static $globalSession = null;
56
58 private static $globalSessionRequest = null;
59
61 private $logger;
62
64 private $config;
65
67 private $store;
68
70 private $sessionProviders = null;
71
73 private $varyCookies = null;
74
76 private $varyHeaders = null;
77
79 private $allSessionBackends = [];
80
82 private $allSessionIds = [];
83
85 private $preventUsers = [];
86
92 public static function singleton() {
93 if ( self::$instance === null ) {
94 self::$instance = new self();
95 }
96 return self::$instance;
97 }
98
107 public static function getGlobalSession() {
108 if ( !PHPSessionHandler::isEnabled() ) {
109 $id = '';
110 } else {
111 $id = session_id();
112 }
113
114 $request = \RequestContext::getMain()->getRequest();
115 if (
116 !self::$globalSession // No global session is set up yet
117 || self::$globalSessionRequest !== $request // The global WebRequest changed
118 || $id !== '' && self::$globalSession->getId() !== $id // Someone messed with session_id()
119 ) {
120 self::$globalSessionRequest = $request;
121 if ( $id === '' ) {
122 // session_id() wasn't used, so fetch the Session from the WebRequest.
123 // We use $request->getSession() instead of $singleton->getSessionForRequest()
124 // because doing the latter would require a public
125 // "$request->getSessionId()" method that would confuse end
126 // users by returning SessionId|null where they'd expect it to
127 // be short for $request->getSession()->getId(), and would
128 // wind up being a duplicate of the code in
129 // $request->getSession() anyway.
130 self::$globalSession = $request->getSession();
131 } else {
132 // Someone used session_id(), so we need to follow suit.
133 // Note this overwrites whatever session might already be
134 // associated with $request with the one for $id.
135 self::$globalSession = self::singleton()->getSessionById( $id, true, $request )
136 ?: $request->getSession();
137 }
138 }
139 return self::$globalSession;
140 }
141
148 public function __construct( $options = [] ) {
149 if ( isset( $options['config'] ) ) {
150 $this->config = $options['config'];
151 if ( !$this->config instanceof Config ) {
152 throw new \InvalidArgumentException(
153 '$options[\'config\'] must be an instance of Config'
154 );
155 }
156 } else {
157 $this->config = MediaWikiServices::getInstance()->getMainConfig();
158 }
159
160 if ( isset( $options['logger'] ) ) {
161 if ( !$options['logger'] instanceof LoggerInterface ) {
162 throw new \InvalidArgumentException(
163 '$options[\'logger\'] must be an instance of LoggerInterface'
164 );
165 }
166 $this->setLogger( $options['logger'] );
167 } else {
168 $this->setLogger( \MediaWiki\Logger\LoggerFactory::getInstance( 'session' ) );
169 }
170
171 if ( isset( $options['store'] ) ) {
172 if ( !$options['store'] instanceof BagOStuff ) {
173 throw new \InvalidArgumentException(
174 '$options[\'store\'] must be an instance of BagOStuff'
175 );
176 }
177 $store = $options['store'];
178 } else {
179 $store = \ObjectCache::getInstance( $this->config->get( 'SessionCacheType' ) );
180 }
181 $this->store = $store instanceof CachedBagOStuff ? $store : new CachedBagOStuff( $store );
182
183 register_shutdown_function( [ $this, 'shutdown' ] );
184 }
185
186 public function setLogger( LoggerInterface $logger ) {
187 $this->logger = $logger;
188 }
189
190 public function getSessionForRequest( WebRequest $request ) {
191 $info = $this->getSessionInfoForRequest( $request );
192
193 if ( !$info ) {
194 $session = $this->getEmptySession( $request );
195 } else {
196 $session = $this->getSessionFromInfo( $info, $request );
197 }
198 return $session;
199 }
200
201 public function getSessionById( $id, $create = false, WebRequest $request = null ) {
202 if ( !self::validateSessionId( $id ) ) {
203 throw new \InvalidArgumentException( 'Invalid session ID' );
204 }
205 if ( !$request ) {
206 $request = new FauxRequest;
207 }
208
209 $session = null;
210 $info = new SessionInfo( SessionInfo::MIN_PRIORITY, [ 'id' => $id, 'idIsSafe' => true ] );
211
212 // If we already have the backend loaded, use it directly
213 if ( isset( $this->allSessionBackends[$id] ) ) {
214 return $this->getSessionFromInfo( $info, $request );
215 }
216
217 // Test if the session is in storage, and if so try to load it.
218 $key = $this->store->makeKey( 'MWSession', $id );
219 if ( is_array( $this->store->get( $key ) ) ) {
220 $create = false; // If loading fails, don't bother creating because it probably will fail too.
221 if ( $this->loadSessionInfoFromStore( $info, $request ) ) {
222 $session = $this->getSessionFromInfo( $info, $request );
223 }
224 }
225
226 if ( $create && $session === null ) {
227 $ex = null;
228 try {
229 $session = $this->getEmptySessionInternal( $request, $id );
230 } catch ( \Exception $ex ) {
231 $this->logger->error( 'Failed to create empty session: {exception}',
232 [
233 'method' => __METHOD__,
234 'exception' => $ex,
235 ] );
236 $session = null;
237 }
238 }
239
240 return $session;
241 }
242
243 public function getEmptySession( WebRequest $request = null ) {
244 return $this->getEmptySessionInternal( $request );
245 }
246
253 private function getEmptySessionInternal( WebRequest $request = null, $id = null ) {
254 if ( $id !== null ) {
255 if ( !self::validateSessionId( $id ) ) {
256 throw new \InvalidArgumentException( 'Invalid session ID' );
257 }
258
259 $key = $this->store->makeKey( 'MWSession', $id );
260 if ( is_array( $this->store->get( $key ) ) ) {
261 throw new \InvalidArgumentException( 'Session ID already exists' );
262 }
263 }
264 if ( !$request ) {
265 $request = new FauxRequest;
266 }
267
268 $infos = [];
269 foreach ( $this->getProviders() as $provider ) {
270 $info = $provider->newSessionInfo( $id );
271 if ( !$info ) {
272 continue;
273 }
274 if ( $info->getProvider() !== $provider ) {
275 throw new \UnexpectedValueException(
276 "$provider returned an empty session info for a different provider: $info"
277 );
278 }
279 if ( $id !== null && $info->getId() !== $id ) {
280 throw new \UnexpectedValueException(
281 "$provider returned empty session info with a wrong id: " .
282 $info->getId() . ' != ' . $id
283 );
284 }
285 if ( !$info->isIdSafe() ) {
286 throw new \UnexpectedValueException(
287 "$provider returned empty session info with id flagged unsafe"
288 );
289 }
290 $compare = $infos ? SessionInfo::compare( $infos[0], $info ) : -1;
291 if ( $compare > 0 ) {
292 continue;
293 }
294 if ( $compare === 0 ) {
295 $infos[] = $info;
296 } else {
297 $infos = [ $info ];
298 }
299 }
300
301 // Make sure there's exactly one
302 if ( count( $infos ) > 1 ) {
303 throw new \UnexpectedValueException(
304 'Multiple empty sessions tied for top priority: ' . implode( ', ', $infos )
305 );
306 } elseif ( count( $infos ) < 1 ) {
307 throw new \UnexpectedValueException( 'No provider could provide an empty session!' );
308 }
309
310 return $this->getSessionFromInfo( $infos[0], $request );
311 }
312
313 public function invalidateSessionsForUser( User $user ) {
314 $user->setToken();
315 $user->saveSettings();
316
317 $authUser = \MediaWiki\Auth\AuthManager::callLegacyAuthPlugin( 'getUserInstance', [ &$user ] );
318 if ( $authUser ) {
319 $authUser->resetAuthToken();
320 }
321
322 foreach ( $this->getProviders() as $provider ) {
323 $provider->invalidateSessionsForUser( $user );
324 }
325 }
326
327 public function getVaryHeaders() {
328 // @codeCoverageIgnoreStart
329 if ( defined( 'MW_NO_SESSION' ) && MW_NO_SESSION !== 'warn' ) {
330 return [];
331 }
332 // @codeCoverageIgnoreEnd
333 if ( $this->varyHeaders === null ) {
334 $headers = [];
335 foreach ( $this->getProviders() as $provider ) {
336 foreach ( $provider->getVaryHeaders() as $header => $options ) {
337 if ( !isset( $headers[$header] ) ) {
338 $headers[$header] = [];
339 }
340 if ( is_array( $options ) ) {
341 $headers[$header] = array_unique( array_merge( $headers[$header], $options ) );
342 }
343 }
344 }
345 $this->varyHeaders = $headers;
346 }
347 return $this->varyHeaders;
348 }
349
350 public function getVaryCookies() {
351 // @codeCoverageIgnoreStart
352 if ( defined( 'MW_NO_SESSION' ) && MW_NO_SESSION !== 'warn' ) {
353 return [];
354 }
355 // @codeCoverageIgnoreEnd
356 if ( $this->varyCookies === null ) {
357 $cookies = [];
358 foreach ( $this->getProviders() as $provider ) {
359 $cookies = array_merge( $cookies, $provider->getVaryCookies() );
360 }
361 $this->varyCookies = array_values( array_unique( $cookies ) );
362 }
363 return $this->varyCookies;
364 }
365
371 public static function validateSessionId( $id ) {
372 return is_string( $id ) && preg_match( '/^[a-zA-Z0-9_-]{32,}$/', $id );
373 }
374
388 public static function autoCreateUser( User $user ) {
389 wfDeprecated( __METHOD__, '1.27' );
390 return \MediaWiki\Auth\AuthManager::singleton()->autoCreateUser(
391 $user,
392 \MediaWiki\Auth\AuthManager::AUTOCREATE_SOURCE_SESSION,
393 false
394 )->isGood();
395 }
396
406 public function preventSessionsForUser( $username ) {
407 $this->preventUsers[$username] = true;
408
409 // Instruct the session providers to kill any other sessions too.
410 foreach ( $this->getProviders() as $provider ) {
411 $provider->preventSessionsForUser( $username );
412 }
413 }
414
421 public function isUserSessionPrevented( $username ) {
422 return !empty( $this->preventUsers[$username] );
423 }
424
429 protected function getProviders() {
430 if ( $this->sessionProviders === null ) {
431 $this->sessionProviders = [];
432 foreach ( $this->config->get( 'SessionProviders' ) as $spec ) {
433 $provider = ObjectFactory::getObjectFromSpec( $spec );
434 $provider->setLogger( $this->logger );
435 $provider->setConfig( $this->config );
436 $provider->setManager( $this );
437 if ( isset( $this->sessionProviders[(string)$provider] ) ) {
438 throw new \UnexpectedValueException( "Duplicate provider name \"$provider\"" );
439 }
440 $this->sessionProviders[(string)$provider] = $provider;
441 }
442 }
443 return $this->sessionProviders;
444 }
445
456 public function getProvider( $name ) {
457 $providers = $this->getProviders();
458 return $providers[$name] ?? null;
459 }
460
465 public function shutdown() {
466 if ( $this->allSessionBackends ) {
467 $this->logger->debug( 'Saving all sessions on shutdown' );
468 if ( session_id() !== '' ) {
469 // @codeCoverageIgnoreStart
470 session_write_close();
471 }
472 // @codeCoverageIgnoreEnd
473 foreach ( $this->allSessionBackends as $backend ) {
474 $backend->shutdown();
475 }
476 }
477 }
478
484 private function getSessionInfoForRequest( WebRequest $request ) {
485 // Call all providers to fetch "the" session
486 $infos = [];
487 foreach ( $this->getProviders() as $provider ) {
488 $info = $provider->provideSessionInfo( $request );
489 if ( !$info ) {
490 continue;
491 }
492 if ( $info->getProvider() !== $provider ) {
493 throw new \UnexpectedValueException(
494 "$provider returned session info for a different provider: $info"
495 );
496 }
497 $infos[] = $info;
498 }
499
500 // Sort the SessionInfos. Then find the first one that can be
501 // successfully loaded, and then all the ones after it with the same
502 // priority.
503 usort( $infos, 'MediaWiki\\Session\\SessionInfo::compare' );
504 $retInfos = [];
505 while ( $infos ) {
506 $info = array_pop( $infos );
507 if ( $this->loadSessionInfoFromStore( $info, $request ) ) {
508 $retInfos[] = $info;
509 while ( $infos ) {
510 $info = array_pop( $infos );
511 if ( SessionInfo::compare( $retInfos[0], $info ) ) {
512 // We hit a lower priority, stop checking.
513 break;
514 }
515 if ( $this->loadSessionInfoFromStore( $info, $request ) ) {
516 // This is going to error out below, but we want to
517 // provide a complete list.
518 $retInfos[] = $info;
519 } else {
520 // Session load failed, so unpersist it from this request
521 $info->getProvider()->unpersistSession( $request );
522 }
523 }
524 } else {
525 // Session load failed, so unpersist it from this request
526 $info->getProvider()->unpersistSession( $request );
527 }
528 }
529
530 if ( count( $retInfos ) > 1 ) {
531 $ex = new \OverflowException(
532 'Multiple sessions for this request tied for top priority: ' . implode( ', ', $retInfos )
533 );
534 $ex->sessionInfos = $retInfos;
535 throw $ex;
536 }
537
538 return $retInfos ? $retInfos[0] : null;
539 }
540
548 private function loadSessionInfoFromStore( SessionInfo &$info, WebRequest $request ) {
549 $key = $this->store->makeKey( 'MWSession', $info->getId() );
550 $blob = $this->store->get( $key );
551
552 // If we got data from the store and the SessionInfo says to force use,
553 // "fail" means to delete the data from the store and retry. Otherwise,
554 // "fail" is just return false.
555 if ( $info->forceUse() && $blob !== false ) {
556 $failHandler = function () use ( $key, &$info, $request ) {
557 $this->store->delete( $key );
558 return $this->loadSessionInfoFromStore( $info, $request );
559 };
560 } else {
561 $failHandler = function () {
562 return false;
563 };
564 }
565
566 $newParams = [];
567
568 if ( $blob !== false ) {
569 // Sanity check: blob must be an array, if it's saved at all
570 if ( !is_array( $blob ) ) {
571 $this->logger->warning( 'Session "{session}": Bad data', [
572 'session' => $info,
573 ] );
574 $this->store->delete( $key );
575 return $failHandler();
576 }
577
578 // Sanity check: blob has data and metadata arrays
579 if ( !isset( $blob['data'] ) || !is_array( $blob['data'] ) ||
580 !isset( $blob['metadata'] ) || !is_array( $blob['metadata'] )
581 ) {
582 $this->logger->warning( 'Session "{session}": Bad data structure', [
583 'session' => $info,
584 ] );
585 $this->store->delete( $key );
586 return $failHandler();
587 }
588
589 $data = $blob['data'];
590 $metadata = $blob['metadata'];
591
592 // Sanity check: metadata must be an array and must contain certain
593 // keys, if it's saved at all
594 if ( !array_key_exists( 'userId', $metadata ) ||
595 !array_key_exists( 'userName', $metadata ) ||
596 !array_key_exists( 'userToken', $metadata ) ||
597 !array_key_exists( 'provider', $metadata )
598 ) {
599 $this->logger->warning( 'Session "{session}": Bad metadata', [
600 'session' => $info,
601 ] );
602 $this->store->delete( $key );
603 return $failHandler();
604 }
605
606 // First, load the provider from metadata, or validate it against the metadata.
607 $provider = $info->getProvider();
608 if ( $provider === null ) {
609 $newParams['provider'] = $provider = $this->getProvider( $metadata['provider'] );
610 if ( !$provider ) {
611 $this->logger->warning(
612 'Session "{session}": Unknown provider ' . $metadata['provider'],
613 [
614 'session' => $info,
615 ]
616 );
617 $this->store->delete( $key );
618 return $failHandler();
619 }
620 } elseif ( $metadata['provider'] !== (string)$provider ) {
621 $this->logger->warning( 'Session "{session}": Wrong provider ' .
622 $metadata['provider'] . ' !== ' . $provider,
623 [
624 'session' => $info,
625 ] );
626 return $failHandler();
627 }
628
629 // Load provider metadata from metadata, or validate it against the metadata
630 $providerMetadata = $info->getProviderMetadata();
631 if ( isset( $metadata['providerMetadata'] ) ) {
632 if ( $providerMetadata === null ) {
633 $newParams['metadata'] = $metadata['providerMetadata'];
634 } else {
635 try {
636 $newProviderMetadata = $provider->mergeMetadata(
637 $metadata['providerMetadata'], $providerMetadata
638 );
639 if ( $newProviderMetadata !== $providerMetadata ) {
640 $newParams['metadata'] = $newProviderMetadata;
641 }
642 } catch ( MetadataMergeException $ex ) {
643 $this->logger->warning(
644 'Session "{session}": Metadata merge failed: {exception}',
645 [
646 'session' => $info,
647 'exception' => $ex,
648 ] + $ex->getContext()
649 );
650 return $failHandler();
651 }
652 }
653 }
654
655 // Next, load the user from metadata, or validate it against the metadata.
656 $userInfo = $info->getUserInfo();
657 if ( !$userInfo ) {
658 // For loading, id is preferred to name.
659 try {
660 if ( $metadata['userId'] ) {
661 $userInfo = UserInfo::newFromId( $metadata['userId'] );
662 } elseif ( $metadata['userName'] !== null ) { // Shouldn't happen, but just in case
663 $userInfo = UserInfo::newFromName( $metadata['userName'] );
664 } else {
665 $userInfo = UserInfo::newAnonymous();
666 }
667 } catch ( \InvalidArgumentException $ex ) {
668 $this->logger->error( 'Session "{session}": {exception}', [
669 'session' => $info,
670 'exception' => $ex,
671 ] );
672 return $failHandler();
673 }
674 $newParams['userInfo'] = $userInfo;
675 } else {
676 // User validation passes if user ID matches, or if there
677 // is no saved ID and the names match.
678 if ( $metadata['userId'] ) {
679 if ( $metadata['userId'] !== $userInfo->getId() ) {
680 $this->logger->warning(
681 'Session "{session}": User ID mismatch, {uid_a} !== {uid_b}',
682 [
683 'session' => $info,
684 'uid_a' => $metadata['userId'],
685 'uid_b' => $userInfo->getId(),
686 ] );
687 return $failHandler();
688 }
689
690 // If the user was renamed, probably best to fail here.
691 if ( $metadata['userName'] !== null &&
692 $userInfo->getName() !== $metadata['userName']
693 ) {
694 $this->logger->warning(
695 'Session "{session}": User ID matched but name didn\'t (rename?), {uname_a} !== {uname_b}',
696 [
697 'session' => $info,
698 'uname_a' => $metadata['userName'],
699 'uname_b' => $userInfo->getName(),
700 ] );
701 return $failHandler();
702 }
703
704 } elseif ( $metadata['userName'] !== null ) { // Shouldn't happen, but just in case
705 if ( $metadata['userName'] !== $userInfo->getName() ) {
706 $this->logger->warning(
707 'Session "{session}": User name mismatch, {uname_a} !== {uname_b}',
708 [
709 'session' => $info,
710 'uname_a' => $metadata['userName'],
711 'uname_b' => $userInfo->getName(),
712 ] );
713 return $failHandler();
714 }
715 } elseif ( !$userInfo->isAnon() ) {
716 // Metadata specifies an anonymous user, but the passed-in
717 // user isn't anonymous.
718 $this->logger->warning(
719 'Session "{session}": Metadata has an anonymous user, but a non-anon user was provided',
720 [
721 'session' => $info,
722 ] );
723 return $failHandler();
724 }
725 }
726
727 // And if we have a token in the metadata, it must match the loaded/provided user.
728 if ( $metadata['userToken'] !== null &&
729 $userInfo->getToken() !== $metadata['userToken']
730 ) {
731 $this->logger->warning( 'Session "{session}": User token mismatch', [
732 'session' => $info,
733 ] );
734 return $failHandler();
735 }
736 if ( !$userInfo->isVerified() ) {
737 $newParams['userInfo'] = $userInfo->verified();
738 }
739
740 if ( !empty( $metadata['remember'] ) && !$info->wasRemembered() ) {
741 $newParams['remembered'] = true;
742 }
743 if ( !empty( $metadata['forceHTTPS'] ) && !$info->forceHTTPS() ) {
744 $newParams['forceHTTPS'] = true;
745 }
746 if ( !empty( $metadata['persisted'] ) && !$info->wasPersisted() ) {
747 $newParams['persisted'] = true;
748 }
749
750 if ( !$info->isIdSafe() ) {
751 $newParams['idIsSafe'] = true;
752 }
753 } else {
754 // No metadata, so we can't load the provider if one wasn't given.
755 if ( $info->getProvider() === null ) {
756 $this->logger->warning(
757 'Session "{session}": Null provider and no metadata',
758 [
759 'session' => $info,
760 ] );
761 return $failHandler();
762 }
763
764 // If no user was provided and no metadata, it must be anon.
765 if ( !$info->getUserInfo() ) {
766 if ( $info->getProvider()->canChangeUser() ) {
767 $newParams['userInfo'] = UserInfo::newAnonymous();
768 } else {
769 $this->logger->info(
770 'Session "{session}": No user provided and provider cannot set user',
771 [
772 'session' => $info,
773 ] );
774 return $failHandler();
775 }
776 } elseif ( !$info->getUserInfo()->isVerified() ) {
777 // probably just a session timeout
778 $this->logger->info(
779 'Session "{session}": Unverified user provided and no metadata to auth it',
780 [
781 'session' => $info,
782 ] );
783 return $failHandler();
784 }
785
786 $data = false;
787 $metadata = false;
788
789 if ( !$info->getProvider()->persistsSessionId() && !$info->isIdSafe() ) {
790 // The ID doesn't come from the user, so it should be safe
791 // (and if not, nothing we can do about it anyway)
792 $newParams['idIsSafe'] = true;
793 }
794 }
795
796 // Construct the replacement SessionInfo, if necessary
797 if ( $newParams ) {
798 $newParams['copyFrom'] = $info;
799 $info = new SessionInfo( $info->getPriority(), $newParams );
800 }
801
802 // Allow the provider to check the loaded SessionInfo
803 $providerMetadata = $info->getProviderMetadata();
804 if ( !$info->getProvider()->refreshSessionInfo( $info, $request, $providerMetadata ) ) {
805 return $failHandler();
806 }
807 if ( $providerMetadata !== $info->getProviderMetadata() ) {
808 $info = new SessionInfo( $info->getPriority(), [
809 'metadata' => $providerMetadata,
810 'copyFrom' => $info,
811 ] );
812 }
813
814 // Give hooks a chance to abort. Combined with the SessionMetadata
815 // hook, this can allow for tying a session to an IP address or the
816 // like.
817 $reason = 'Hook aborted';
818 if ( !\Hooks::run(
819 'SessionCheckInfo',
820 [ &$reason, $info, $request, $metadata, $data ]
821 ) ) {
822 $this->logger->warning( 'Session "{session}": ' . $reason, [
823 'session' => $info,
824 ] );
825 return $failHandler();
826 }
827
828 return true;
829 }
830
839 public function getSessionFromInfo( SessionInfo $info, WebRequest $request ) {
840 // @codeCoverageIgnoreStart
841 if ( defined( 'MW_NO_SESSION' ) ) {
842 if ( MW_NO_SESSION === 'warn' ) {
843 // Undocumented safety case for converting existing entry points
844 $this->logger->error( 'Sessions are supposed to be disabled for this entry point', [
845 'exception' => new \BadMethodCallException( 'Sessions are disabled for this entry point' ),
846 ] );
847 } else {
848 throw new \BadMethodCallException( 'Sessions are disabled for this entry point' );
849 }
850 }
851 // @codeCoverageIgnoreEnd
852
853 $id = $info->getId();
854
855 if ( !isset( $this->allSessionBackends[$id] ) ) {
856 if ( !isset( $this->allSessionIds[$id] ) ) {
857 $this->allSessionIds[$id] = new SessionId( $id );
858 }
859 $backend = new SessionBackend(
860 $this->allSessionIds[$id],
861 $info,
862 $this->store,
863 $this->logger,
864 $this->config->get( 'ObjectCacheSessionExpiry' )
865 );
866 $this->allSessionBackends[$id] = $backend;
867 $delay = $backend->delaySave();
868 } else {
869 $backend = $this->allSessionBackends[$id];
870 $delay = $backend->delaySave();
871 if ( $info->wasPersisted() ) {
872 $backend->persist();
873 }
874 if ( $info->wasRemembered() ) {
875 $backend->setRememberUser( true );
876 }
877 }
878
879 $request->setSessionId( $backend->getSessionId() );
880 $session = $backend->getSession( $request );
881
882 if ( !$info->isIdSafe() ) {
883 $session->resetId();
884 }
885
886 \Wikimedia\ScopedCallback::consume( $delay );
887 return $session;
888 }
889
895 public function deregisterSessionBackend( SessionBackend $backend ) {
896 $id = $backend->getId();
897 if ( !isset( $this->allSessionBackends[$id] ) || !isset( $this->allSessionIds[$id] ) ||
898 $this->allSessionBackends[$id] !== $backend ||
899 $this->allSessionIds[$id] !== $backend->getSessionId()
900 ) {
901 throw new \InvalidArgumentException( 'Backend was not registered with this SessionManager' );
902 }
903
904 unset( $this->allSessionBackends[$id] );
905 // Explicitly do not unset $this->allSessionIds[$id]
906 }
907
913 public function changeBackendId( SessionBackend $backend ) {
914 $sessionId = $backend->getSessionId();
915 $oldId = (string)$sessionId;
916 if ( !isset( $this->allSessionBackends[$oldId] ) || !isset( $this->allSessionIds[$oldId] ) ||
917 $this->allSessionBackends[$oldId] !== $backend ||
918 $this->allSessionIds[$oldId] !== $sessionId
919 ) {
920 throw new \InvalidArgumentException( 'Backend was not registered with this SessionManager' );
921 }
922
923 $newId = $this->generateSessionId();
924
925 unset( $this->allSessionBackends[$oldId], $this->allSessionIds[$oldId] );
926 $sessionId->setId( $newId );
927 $this->allSessionBackends[$newId] = $backend;
928 $this->allSessionIds[$newId] = $sessionId;
929 }
930
935 public function generateSessionId() {
936 do {
937 $id = \Wikimedia\base_convert( \MWCryptRand::generateHex( 40 ), 16, 32, 32 );
938 $key = $this->store->makeKey( 'MWSession', $id );
939 } while ( isset( $this->allSessionIds[$id] ) || is_array( $this->store->get( $key ) ) );
940 return $id;
941 }
942
948 public function setupPHPSessionHandler( PHPSessionHandler $handler ) {
949 $handler->setManager( $this, $this->store, $this->logger );
950 }
951
956 public static function resetCache() {
957 if ( !defined( 'MW_PHPUNIT_TEST' ) ) {
958 // @codeCoverageIgnoreStart
959 throw new MWException( __METHOD__ . ' may only be called from unit tests!' );
960 // @codeCoverageIgnoreEnd
961 }
962
963 self::$globalSession = null;
964 self::$globalSessionRequest = null;
965 }
966
969}
use
Apache License January AND DISTRIBUTION Definitions License shall mean the terms and conditions for use
Definition APACHE-LICENSE-2.0.txt:10
wfDeprecated
wfDeprecated( $function, $version=false, $component=false, $callerOffset=2)
Throws a warning that $function is deprecated.
Definition GlobalFunctions.php:1130
BagOStuff
Class representing a cache/ephemeral data store.
Definition BagOStuff.php:58
CachedBagOStuff
Wrapper around a BagOStuff that caches data in memory.
Definition CachedBagOStuff.php:36
FauxRequest
WebRequest clone which takes values from a provided array.
Definition FauxRequest.php:33
MWCryptRand\generateHex
static generateHex( $chars)
Generate a run of cryptographically random data and return it in hexadecimal string format.
Definition MWCryptRand.php:71
MWException
MediaWiki exception.
Definition MWException.php:26
MediaWiki\MediaWikiServices
MediaWikiServices is the service locator for the application scope of MediaWiki.
Definition MediaWikiServices.php:99
MediaWiki\MediaWikiServices\getInstance
static getInstance()
Returns the global default instance of the top level service locator.
Definition MediaWikiServices.php:120
MediaWiki\Session\MetadataMergeException
Subclass of UnexpectedValueException that can be annotated with additional data for debug logging.
Definition MetadataMergeException.php:35
MediaWiki\Session\PHPSessionHandler
Adapter for PHP's session handling.
Definition PHPSessionHandler.php:34
MediaWiki\Session\PHPSessionHandler\isEnabled
static isEnabled()
Test whether the handler is installed and enabled.
Definition PHPSessionHandler.php:100
MediaWiki\Session\SessionBackend
This is the actual workhorse for Session.
Definition SessionBackend.php:49
MediaWiki\Session\SessionBackend\getSessionId
getSessionId()
Fetch the SessionId object.
Definition SessionBackend.php:214
MediaWiki\Session\SessionBackend\getId
getId()
Returns the session ID.
Definition SessionBackend.php:205
MediaWiki\Session\SessionId
Value object holding the session ID in a manner that can be globally updated.
Definition SessionId.php:38
MediaWiki\Session\SessionInfo
Value object returned by SessionProvider.
Definition SessionInfo.php:34
MediaWiki\Session\SessionInfo\forceUse
forceUse()
Force use of this SessionInfo if validation fails.
Definition SessionInfo.php:209
MediaWiki\Session\SessionInfo\getProviderMetadata
getProviderMetadata()
Return provider metadata.
Definition SessionInfo.php:241
MediaWiki\Session\SessionInfo\getId
getId()
Return the session ID.
Definition SessionInfo.php:178
MediaWiki\Session\SessionInfo\getProvider
getProvider()
Return the provider.
Definition SessionInfo.php:170
MediaWiki\Session\SessionInfo\isIdSafe
isIdSafe()
Indicate whether the ID is "safe".
Definition SessionInfo.php:194
MediaWiki\Session\SessionInfo\getUserInfo
getUserInfo()
Return the user.
Definition SessionInfo.php:225
MediaWiki\Session\SessionInfo\wasPersisted
wasPersisted()
Return whether the session is persisted.
Definition SessionInfo.php:233
MediaWiki\Session\SessionInfo\MIN_PRIORITY
const MIN_PRIORITY
Minimum allowed priority.
Definition SessionInfo.php:36
MediaWiki\Session\SessionInfo\getPriority
getPriority()
Return the priority.
Definition SessionInfo.php:217
MediaWiki\Session\SessionInfo\wasRemembered
wasRemembered()
Return whether the user was remembered.
Definition SessionInfo.php:260
MediaWiki\Session\SessionInfo\forceHTTPS
forceHTTPS()
Whether this session should only be used over HTTPS.
Definition SessionInfo.php:268
MediaWiki\Session\SessionInfo\compare
static compare( $a, $b)
Compare two SessionInfo objects by priority.
Definition SessionInfo.php:284
MediaWiki\Session\SessionManager
This serves as the entry point to the MediaWiki session handling system.
Definition SessionManager.php:50
MediaWiki\Session\SessionManager\resetCache
static resetCache()
Reset the internal caching for unit testing.
Definition SessionManager.php:956
MediaWiki\Session\SessionManager\getVaryHeaders
getVaryHeaders()
Return the HTTP headers that need varying on.
Definition SessionManager.php:327
MediaWiki\Session\SessionManager\deregisterSessionBackend
deregisterSessionBackend(SessionBackend $backend)
Deregister a SessionBackend.
Definition SessionManager.php:895
MediaWiki\Session\SessionManager\invalidateSessionsForUser
invalidateSessionsForUser(User $user)
Invalidate sessions for a user.
Definition SessionManager.php:313
MediaWiki\Session\SessionManager\$globalSessionRequest
static WebRequest null $globalSessionRequest
Definition SessionManager.php:58
MediaWiki\Session\SessionManager\loadSessionInfoFromStore
loadSessionInfoFromStore(SessionInfo &$info, WebRequest $request)
Load and verify the session info against the store.
Definition SessionManager.php:548
MediaWiki\Session\SessionManager\getVaryCookies
getVaryCookies()
Return the list of cookies that need varying on.
Definition SessionManager.php:350
MediaWiki\Session\SessionManager\setupPHPSessionHandler
setupPHPSessionHandler(PHPSessionHandler $handler)
Call setters on a PHPSessionHandler.
Definition SessionManager.php:948
MediaWiki\Session\SessionManager\getEmptySessionInternal
getEmptySessionInternal(WebRequest $request=null, $id=null)
Definition SessionManager.php:253
MediaWiki\Session\SessionManager\$instance
static SessionManager null $instance
Definition SessionManager.php:52
MediaWiki\Session\SessionManager\getEmptySession
getEmptySession(WebRequest $request=null)
Create a new, empty session.
Definition SessionManager.php:243
MediaWiki\Session\SessionManager\getGlobalSession
static getGlobalSession()
Get the "global" session.
Definition SessionManager.php:107
MediaWiki\Session\SessionManager\getSessionInfoForRequest
getSessionInfoForRequest(WebRequest $request)
Fetch the SessionInfo(s) for a request.
Definition SessionManager.php:484
MediaWiki\Session\SessionManager\preventSessionsForUser
preventSessionsForUser( $username)
Prevent future sessions for the user.
Definition SessionManager.php:406
MediaWiki\Session\SessionManager\shutdown
shutdown()
Save all active sessions on shutdown.
Definition SessionManager.php:465
MediaWiki\Session\SessionManager\getSessionById
getSessionById( $id, $create=false, WebRequest $request=null)
Fetch a session by ID.
Definition SessionManager.php:201
MediaWiki\Session\SessionManager\getProvider
getProvider( $name)
Get a session provider by name.
Definition SessionManager.php:456
MediaWiki\Session\SessionManager\autoCreateUser
static autoCreateUser(User $user)
Auto-create the given user, if necessary.
Definition SessionManager.php:388
MediaWiki\Session\SessionManager\validateSessionId
static validateSessionId( $id)
Validate a session ID.
Definition SessionManager.php:371
MediaWiki\Session\SessionManager\getProviders
getProviders()
Get the available SessionProviders.
Definition SessionManager.php:429
MediaWiki\Session\SessionManager\singleton
static singleton()
Get the global SessionManager.
Definition SessionManager.php:92
MediaWiki\Session\SessionManager\changeBackendId
changeBackendId(SessionBackend $backend)
Change a SessionBackend's ID.
Definition SessionManager.php:913
MediaWiki\Session\SessionManager\generateSessionId
generateSessionId()
Generate a new random session ID.
Definition SessionManager.php:935
MediaWiki\Session\SessionManager\setLogger
setLogger(LoggerInterface $logger)
Definition SessionManager.php:186
MediaWiki\Session\SessionManager\getSessionFromInfo
getSessionFromInfo(SessionInfo $info, WebRequest $request)
Create a Session corresponding to the passed SessionInfo.
Definition SessionManager.php:839
MediaWiki\Session\SessionManager\getSessionForRequest
getSessionForRequest(WebRequest $request)
Fetch the session for a request (or a new empty session if none is attached to it)
Definition SessionManager.php:190
MediaWiki\Session\SessionManager\isUserSessionPrevented
isUserSessionPrevented( $username)
Test if a user is prevented.
Definition SessionManager.php:421
MediaWiki\Session\SessionProvider
A SessionProvider provides SessionInfo and support for Session.
Definition SessionProvider.php:78
MediaWiki\Session\Session
Manages data for an an authenticated session.
Definition Session.php:48
MediaWiki\Session\UserInfo\newFromName
static newFromName( $name, $verified=false)
Create an instance for a logged-in user by name.
Definition UserInfo.php:102
MediaWiki\Session\UserInfo\newAnonymous
static newAnonymous()
Create an instance for an anonymous (i.e.
Definition UserInfo.php:74
MediaWiki\Session\UserInfo\newFromId
static newFromId( $id, $verified=false)
Create an instance for a logged-in user by ID.
Definition UserInfo.php:84
User
The User object encapsulates all of the user-specific settings (user_id, name, rights,...
Definition User.php:47
WebRequest
The WebRequest class encapsulates getting at data passed in the URL or via a POSTed form stripping il...
Definition WebRequest.php:41
as
This document is intended to provide useful advice for parties seeking to redistribute MediaWiki to end users It s targeted particularly at maintainers for Linux since it s been observed that distribution packages of MediaWiki often break We ve consistently had to recommend that users seeking support use official tarballs instead of their distribution s and this often solves whatever problem the user is having It would be nice if this could such as
Definition distributors.txt:22
$request
do that in ParserLimitReportFormat instead use this to modify the parameters of the image all existing parser cache entries will be invalid To avoid you ll need to handle that somehow(e.g. with the RejectParserCacheValue hook) because MediaWiki won 't do it for you. & $defaults also a ContextSource after deleting those rows but within the same transaction you ll probably need to make sure the header is varied on $request
Definition hooks.txt:2880
string
This code would result in ircNotify being run twice when an article is and once for brion Hooks can return three possible true was required This is the default since MediaWiki *some string
Definition hooks.txt:181
$options
null means default in associative array with keys and values unescaped Should be merged with default with a value of false meaning to suppress the attribute in associative array with keys and values unescaped & $options
Definition hooks.txt:2050
$name
Allows to change the fields on the form that will be generated $name
Definition hooks.txt:302
$username
this hook is for auditing only or null if authentication failed before getting that far $username
Definition hooks.txt:815
$handler
this hook is for auditing only or null if authentication failed before getting that far or null if we can t even determine that probably a stub it is not rendered in wiki pages or galleries in category pages allow injecting custom HTML after the section Any uses of the hook need to handle escaping see BaseTemplate::getToolbox and BaseTemplate::makeListItem for details on the format of individual items inside of this array or by returning and letting standard HTTP rendering take place modifiable or by returning false and taking over the output modifiable modifiable after all normalizations have been except for the $wgMaxImageArea check set to true or false to override the $wgMaxImageArea check result gives extension the possibility to transform it themselves $handler
Definition hooks.txt:933
$user
please add to it if you re going to add events to the MediaWiki code where normally authentication against an external auth plugin would be creating a local account $user
Definition hooks.txt:247
php
injection txt This is an overview of how MediaWiki makes use of dependency injection The design described here grew from the discussion of RFC T384 The term dependency this means that anything an object needs to operate should be injected from the the object itself should only know narrow no concrete implementation of the logic it relies on The requirement to inject everything typically results in an architecture that based on two main types of and essentially stateless service objects that use other service objects to operate on the value objects As of the beginning MediaWiki is only starting to use the DI approach Much of the code still relies on global state or direct resulting in a highly cyclical dependency which acts as the top level factory for services in MediaWiki which can be used to gain access to default instances of various services MediaWikiServices however also allows new services to be defined and default services to be redefined Services are defined or redefined by providing a callback the instantiator that will return a new instance of the service When it will create an instance of MediaWikiServices and populate it with the services defined in the files listed by thereby bootstrapping the DI framework Per $wgServiceWiringFiles lists includes ServiceWiring php
Definition injection.txt:37
Config
Interface for configuration instances.
Definition Config.php:28
MediaWiki\Session\SessionManagerInterface
This exists to make IDEs happy, so they don't see the internal-but-required-to-be-public methods on S...
Definition SessionManagerInterface.php:37
MW_NO_SESSION
const MW_NO_SESSION
Definition load.php:30
array
The wiki should then use memcached to cache various data To use multiple just add more items to the array To increase the weight of a make its entry a array("192.168.0.1:11211", 2))
MediaWiki
A helper class for throttling authentication attempts.
store
MediaWiki s SiteStore can be cached and stored in a flat in a json format If the SiteStore is frequently the file cache may provide a performance benefit over a database store
Definition sitescache.txt:4
$header
$header
Definition updateCredits.php:35