MediaWiki REL1_40
MediaWiki\Session\SessionProvider Class Reference

A SessionProvider provides SessionInfo and support for Session. More...

Inherits MediaWiki\Session\SessionProviderInterface.

Inherited by InstallerSessionProvider, MediaWiki\Session\CookieSessionProvider, and MediaWiki\Session\ImmutableSessionProviderWithCookie.

Collaboration diagram for MediaWiki\Session\SessionProvider:

Public Member Functions

 __construct ()
 
 __toString ()
 
 canChangeUser ()
 Indicate whether the user associated with the request can be changed.
 
 describe (Language $lang)
 Return an identifier for this session type.
Parameters
Language$langLanguage to use.
Returns
string

 
 getAllowedUserRights (SessionBackend $backend)
 Fetch the rights allowed the user when the specified session is active.
 
 getManager ()
 Get the session manager.
 
 getRememberUserDuration ()
 Returns the duration (in seconds) for which users will be remembered when Session::setRememberUser() is set.
 
 getVaryCookies ()
 Return the list of cookies that need varying on.
 
 getVaryHeaders ()
 Return the HTTP headers that need varying on.
 
 init (LoggerInterface $logger, Config $config, SessionManager $manager, HookContainer $hookContainer, UserNameUtils $userNameUtils)
 Initialise with dependencies of a SessionProvider.
 
 invalidateSessionsForUser (User $user)
 Invalidate existing sessions for a user.
 
 mergeMetadata (array $savedMetadata, array $providedMetadata)
 Merge saved session provider metadata.
 
 newSessionInfo ( $id=null)
 Provide session info for a new, empty session.
 
 persistSession (SessionBackend $session, WebRequest $request)
 Persist a session into a request/response.
 
 persistsSessionId ()
 Indicate whether self::persistSession() can save arbitrary session IDs.
 
 preventSessionsForUser ( $username)
 Prevent future sessions for the user.
 
 provideSessionInfo (WebRequest $request)
 Provide session info for a request.
 
 refreshSessionInfo (SessionInfo $info, WebRequest $request, &$metadata)
 Validate a loaded SessionInfo and refresh provider metadata.
 
 safeAgainstCsrf ()
 Most session providers require protection against CSRF attacks (usually via CSRF tokens)
 
 sessionIdWasReset (SessionBackend $session, $oldId)
 Notification that the session ID was reset.
 
 setConfig (Config $config)
 Set configuration.
 
 setHookContainer ( $hookContainer)
 
 setLogger (LoggerInterface $logger)
 Sets a logger instance on the object.
 
 setManager (SessionManager $manager)
 Set the session manager.
 
 suggestLoginUsername (WebRequest $request)
 Get a suggested username for the login form.
 
 unpersistSession (WebRequest $request)
 Remove any persisted session from a request/response.
 
 whyNoSession ()
 Return a Message for why sessions might not be being persisted.For example, "check whether you're blocking our cookies".
Returns
Message|null

 

Protected Member Functions

 describeMessage ()
 Return a Message identifying this session type.
 
 getConfig ()
 Get the config.
 
 getHookContainer ()
 Get the HookContainer.
 
 getHookRunner ()
 Get the HookRunner.
 
 hashToSessionId ( $data, $key=null)
 Hash data as a session ID.
 
 postInitSetup ()
 A provider can override this to do any necessary setup after init() is called.
 

Protected Attributes

Config $config
 
LoggerInterface $logger
 
SessionManager $manager
 
int $priority
 Session priority.
 
UserNameUtils $userNameUtils
 

Detailed Description

A SessionProvider provides SessionInfo and support for Session.

A SessionProvider is responsible for taking a WebRequest and determining the authenticated session that it's a part of. It does this by returning an SessionInfo object with basic information about the session it thinks is associated with the request, namely the session ID and possibly the authenticated user the session belongs to.

The SessionProvider also provides for updating the WebResponse with information necessary to provide the client with data that the client will send with later requests, and for populating the Vary and Key headers with the data necessary to correctly vary the cache on these client requests.

An important part of the latter is indicating whether it even can tell the client to include such data in future requests, via the persistsSessionId() and canChangeUser() methods. The cases are (in order of decreasing commonness):

  • Cannot persist ID, no changing User: The request identifies and authenticates a particular local user, and the client cannot be instructed to include an arbitrary session ID with future requests. For example, OAuth or SSL certificate auth.
  • Can persist ID and can change User: The client can be instructed to return at least one piece of arbitrary data, that being the session ID. The user identity might also be given to the client, otherwise it's saved in the session data. For example, cookie-based sessions.
  • Can persist ID but no changing User: The request uniquely identifies and authenticates a local user, and the client can be instructed to return an arbitrary session ID with future requests. For example, HTTP Digest authentication might somehow use the 'opaque' field as a session ID (although getting MediaWiki to return 401 responses without breaking other stuff might be a challenge).
  • Cannot persist ID but can change User: I can't think of a way this would make sense.

Note that many methods that are technically "cannot persist ID" could be turned into "can persist ID but not change User" using a session cookie, as implemented by ImmutableSessionProviderWithCookie. If doing so, different session cookie names should be used for different providers to avoid collisions.

Stability: stable
to extend
Since
1.27
See also
https://www.mediawiki.org/wiki/Manual:SessionManager_and_AuthManager

Definition at line 82 of file SessionProvider.php.

Constructor & Destructor Documentation

◆ __construct()

MediaWiki\Session\SessionProvider::__construct ( )
Stability: stable
to call

Definition at line 110 of file SessionProvider.php.

References MediaWiki\Session\SessionInfo\MIN_PRIORITY.

Member Function Documentation

◆ __toString()

MediaWiki\Session\SessionProvider::__toString ( )
Note
Only override this if it makes sense to instantiate multiple instances of the provider. Value returned must be unique across configured providers. If you override this, you'll likely need to override self::describeMessage() as well.
Returns
string

Definition at line 595 of file SessionProvider.php.

◆ canChangeUser()

MediaWiki\Session\SessionProvider::canChangeUser ( )
abstract

Indicate whether the user associated with the request can be changed.

If false, any session passed to self::persistSession() will have a user that was originally provided by self::provideSessionInfo(). Further, self::provideSessionInfo() may only provide sessions that have a user already set.

If true, the provider may be passed sessions with arbitrary users, and will be expected to manipulate the request in such a way that future requests will cause self::provideSessionInfo() to provide a SessionInfo with that ID. This can be as simple as not passing any 'userInfo' into SessionInfo's constructor, in which case SessionInfo will load the user from the saved session's metadata.

For example, a session provider for OAuth or SSL client certificates would function by matching the OAuth headers or certificate to a particular user, and thus would return false here since it can't arbitrarily assign those OAuth credentials or that certificate to a different user. A session provider that shoves information into cookies, on the other hand, could easily do so.

Note
For use by \MediaWiki\Session\SessionBackend only
Returns
bool

Reimplemented in InstallerSessionProvider, MediaWiki\Session\CookieSessionProvider, and MediaWiki\Session\ImmutableSessionProviderWithCookie.

◆ describe()

MediaWiki\Session\SessionProvider::describe ( Language $lang)

Return an identifier for this session type.

Parameters
Language$langLanguage to use.
Returns
string

Stability: stable
to override

Implements MediaWiki\Session\SessionProviderInterface.

Definition at line 625 of file SessionProvider.php.

References $lang, and wfMessage().

◆ describeMessage()

MediaWiki\Session\SessionProvider::describeMessage ( )
protected

Return a Message identifying this session type.

This default implementation takes the class name, lowercases it, replaces backslashes with dashes, and prefixes 'sessionprovider-' to determine the message key. For example, MediaWiki\Session\CookieSessionProvider produces 'sessionprovider-mediawiki-session-cookiesessionprovider'.

Stability: stable
to override
Note
If self::__toString() is overridden, this will likely need to be overridden as well.
Warning
This will be called early during MediaWiki startup. Do not use $wgUser, $wgLang, $wgOut, the global Parser, or their equivalents via RequestContext from this method!
Returns
\Message

Definition at line 615 of file SessionProvider.php.

References wfMessage().

◆ getAllowedUserRights()

MediaWiki\Session\SessionProvider::getAllowedUserRights ( SessionBackend $backend)

Fetch the rights allowed the user when the specified session is active.

This is mainly meant for allowing the user to restrict access to the account by certain methods; you probably want to use this with GrantsInfo. The returned rights will be intersected with the user's actual rights.

Stability: stable
to override
Parameters
SessionBackend$backend
Returns
null|string[] Allowed user rights, or null to allow all.

Reimplemented in MediaWiki\Session\BotPasswordSessionProvider.

Definition at line 579 of file SessionProvider.php.

References MediaWiki\Session\SessionBackend\getProvider().

◆ getConfig()

◆ getHookContainer()

MediaWiki\Session\SessionProvider::getHookContainer ( )
protected

Get the HookContainer.

Returns
HookContainer

Definition at line 240 of file SessionProvider.php.

◆ getHookRunner()

MediaWiki\Session\SessionProvider::getHookRunner ( )
protected

Get the HookRunner.

Access: internal
This is for use by core only. Hook interfaces may be removed without notice.
Since
1.35
Returns
HookRunner

Definition at line 252 of file SessionProvider.php.

◆ getManager()

MediaWiki\Session\SessionProvider::getManager ( )

Get the session manager.

Returns
SessionManager

Definition at line 215 of file SessionProvider.php.

References MediaWiki\Session\SessionProvider\$manager.

Referenced by MediaWiki\Session\BotPasswordSessionProvider\newSessionForRequest().

◆ getRememberUserDuration()

MediaWiki\Session\SessionProvider::getRememberUserDuration ( )

Returns the duration (in seconds) for which users will be remembered when Session::setRememberUser() is set.

Null means setting the remember flag will have no effect (and endpoints should not offer that option).

Stability: stable
to override
Returns
int|null

Reimplemented in MediaWiki\Session\CookieSessionProvider.

Definition at line 422 of file SessionProvider.php.

◆ getVaryCookies()

MediaWiki\Session\SessionProvider::getVaryCookies ( )

Return the list of cookies that need varying on.

Stability: stable
to override
Note
For use by \MediaWiki\Session\SessionManager only
Returns
string[]

Reimplemented in MediaWiki\Session\CookieSessionProvider, and MediaWiki\Session\ImmutableSessionProviderWithCookie.

Definition at line 553 of file SessionProvider.php.

◆ getVaryHeaders()

MediaWiki\Session\SessionProvider::getVaryHeaders ( )

Return the HTTP headers that need varying on.

The return value is such that someone could theoretically do this:

foreach ( $provider->getVaryHeaders() as $header => $options ) {
$outputPage->addVaryHeader( $header, $options );
}
$header

Note that the $options parameter to addVaryHeader has been deprecated since 1.34, and should be null or an empty array.

Stability: stable
to override
Note
For use by \MediaWiki\Session\SessionManager only
Returns
array

Definition at line 543 of file SessionProvider.php.

◆ hashToSessionId()

MediaWiki\Session\SessionProvider::hashToSessionId ( $data,
$key = null )
finalprotected

Hash data as a session ID.

Generally this will only be used when self::persistsSessionId() is false and the provider has to base the session ID on the verified user's identity or other static data. The SessionInfo should then typically have the 'forceUse' flag set to avoid persistent session failure if validation of the stored data fails.

Parameters
string$data
string | null$keyDefaults to $this->getConfig()->get( MainConfigNames::SecretKey )
Returns
string

Definition at line 665 of file SessionProvider.php.

◆ init()

MediaWiki\Session\SessionProvider::init ( LoggerInterface $logger,
Config $config,
SessionManager $manager,
HookContainer $hookContainer,
UserNameUtils $userNameUtils )

Initialise with dependencies of a SessionProvider.

Since
1.37
Access: internal
In production code SessionManager will initialize the SessionProvider, in tests SessionProviderTestTrait must be used.
Parameters
LoggerInterface$logger
Config$config
SessionManager$manager
HookContainer$hookContainer
UserNameUtils$userNameUtils

Definition at line 127 of file SessionProvider.php.

References MediaWiki\Session\SessionProvider\$config, MediaWiki\Session\SessionProvider\$logger, MediaWiki\Session\SessionProvider\$manager, MediaWiki\Session\SessionProvider\$userNameUtils, and MediaWiki\Session\SessionProvider\postInitSetup().

Referenced by MediaWiki\Session\SessionManager\getProviders().

◆ invalidateSessionsForUser()

MediaWiki\Session\SessionProvider::invalidateSessionsForUser ( User $user)

Invalidate existing sessions for a user.

If the provider has its own equivalent of CookieSessionProvider's Token cookie (and doesn't use User::getToken() to implement it), it should reset whatever token it does use here.

Stability: stable
to override
Note
For use by \MediaWiki\Session\SessionManager only
Parameters
User$user

Definition at line 523 of file SessionProvider.php.

◆ mergeMetadata()

MediaWiki\Session\SessionProvider::mergeMetadata ( array $savedMetadata,
array $providedMetadata )

Merge saved session provider metadata.

This method will be used to compare the metadata returned by provideSessionInfo() with the saved metadata (which has been returned by provideSessionInfo() the last time the session was saved), and merge the two into the new saved metadata, or abort if the current request is not a valid continuation of the session.

The default implementation checks that anything in both arrays is identical, then returns $providedMetadata.

Stability: stable
to override
Note
For use by \MediaWiki\Session\SessionManager only
Parameters
array$savedMetadataSaved provider metadata
array$providedMetadataProvided provider metadata (from the SessionInfo)
Returns
array Resulting metadata
Exceptions
MetadataMergeExceptionIf the metadata cannot be merged. Such exceptions will be handled by SessionManager and are a safe way of rejecting a suspicious or incompatible session. The provider is expected to write an appropriate message to its logger.

Definition at line 328 of file SessionProvider.php.

◆ newSessionInfo()

MediaWiki\Session\SessionProvider::newSessionInfo ( $id = null)

Provide session info for a new, empty session.

Return null if such a session cannot be created. This base implementation assumes that it only makes sense if a session ID can be persisted and changing users is allowed.

Stability: stable
to override
Note
For use by \MediaWiki\Session\SessionManager only
Parameters
string | null$idID to force for the new session
Returns
SessionInfo|null If non-null, must return true for $info->isIdSafe(); pass true for $data['idIsSafe'] to ensure this.

Reimplemented in MediaWiki\Session\BotPasswordSessionProvider.

Definition at line 294 of file SessionProvider.php.

◆ persistSession()

MediaWiki\Session\SessionProvider::persistSession ( SessionBackend $session,
WebRequest $request )
abstract

Persist a session into a request/response.

For example, you might set cookies for the session's ID, user ID, user name, and user token on the passed request.

To correctly persist a user independently of the session ID, the provider should persist both the user ID (or name, but preferably the ID) and the user token. When reading the data from the request, it should construct a User object from the ID/name and then verify that the User object's token matches the token included in the request. Should the tokens not match, an anonymous user must be passed to SessionInfo::__construct().

When persisting a user independently of the session ID, $session->shouldRememberUser() should be checked first. If this returns false, the user token must not be saved to cookies. The user name and/or ID may be persisted, and should be used to construct an unverified UserInfo to pass to SessionInfo::__construct().

A backend that cannot persist session ID or user info should implement this as a no-op.

Note
For use by \MediaWiki\Session\SessionBackend only
Parameters
SessionBackend$sessionSession to persist
WebRequest$requestRequest into which to persist the session

Reimplemented in InstallerSessionProvider, MediaWiki\Session\CookieSessionProvider, and MediaWiki\Session\ImmutableSessionProviderWithCookie.

◆ persistsSessionId()

MediaWiki\Session\SessionProvider::persistsSessionId ( )
abstract

Indicate whether self::persistSession() can save arbitrary session IDs.

If false, any session passed to self::persistSession() will have an ID that was originally provided by self::provideSessionInfo().

If true, the provider may be passed sessions with arbitrary session IDs, and will be expected to manipulate the request in such a way that future requests will cause self::provideSessionInfo() to provide a SessionInfo with that ID.

For example, a session provider for OAuth would function by matching the OAuth headers to a particular user, and then would use self::hashToSessionId() to turn the user and OAuth client ID (and maybe also the user token and client secret) into a session ID, and therefore can't easily assign that user+client a different ID. Similarly, a session provider for SSL client certificates would function by matching the certificate to a particular user, and then would use self::hashToSessionId() to turn the user and certificate fingerprint into a session ID, and therefore can't easily assign a different ID either. On the other hand, a provider that saves the session ID into a cookie can easily just set the cookie to a different value.

Note
For use by \MediaWiki\Session\SessionBackend only
Returns
bool

Reimplemented in InstallerSessionProvider, MediaWiki\Session\CookieSessionProvider, and MediaWiki\Session\ImmutableSessionProviderWithCookie.

◆ postInitSetup()

MediaWiki\Session\SessionProvider::postInitSetup ( )
protected

A provider can override this to do any necessary setup after init() is called.

Since
1.37
Stability: stable
to override

Reimplemented in MediaWiki\Session\CookieSessionProvider.

Definition at line 150 of file SessionProvider.php.

Referenced by MediaWiki\Session\SessionProvider\init().

◆ preventSessionsForUser()

MediaWiki\Session\SessionProvider::preventSessionsForUser ( $username)

Prevent future sessions for the user.

If the provider is capable of returning a SessionInfo with a verified UserInfo for the named user in some manner other than by validating against $user->getToken(), steps must be taken to prevent that from occurring in the future. This might add the username to a list, or it might just delete whatever authentication credentials would allow such a session in the first place (e.g. remove all OAuth grants or delete record of the SSL client certificate).

The intention is that the named account will never again be usable for normal login (i.e. there is no way to undo the prevention of access).

Note that the passed user name might not exist locally (i.e. UserIdentity::getId() === 0); the name should still be prevented, if applicable.

Stability: stable
to override
Note
For use by \MediaWiki\Session\SessionManager only
Parameters
string$username

Reimplemented in MediaWiki\Session\BotPasswordSessionProvider.

Definition at line 504 of file SessionProvider.php.

◆ provideSessionInfo()

MediaWiki\Session\SessionProvider::provideSessionInfo ( WebRequest $request)
abstract

Provide session info for a request.

If no session exists for the request, return null. Otherwise return an SessionInfo object identifying the session.

If multiple SessionProviders provide sessions, the one with highest priority wins. In case of a tie, an exception is thrown. SessionProviders are encouraged to make priorities user-configurable unless only max-priority makes sense.

Warning
This will be called early in the MediaWiki setup process, before $wgUser, $wgLang, $wgOut, $wgTitle, the global parser, and corresponding pieces of the main RequestContext are set up! If you try to use these, things will break.
Note
The SessionProvider must not attempt to auto-create users. MediaWiki will do this later (when it's safe) if the chosen session has a user with a valid name but no ID.
For use by \MediaWiki\Session\SessionManager only
Parameters
WebRequest$request
Returns
SessionInfo|null

Reimplemented in InstallerSessionProvider, MediaWiki\Session\BotPasswordSessionProvider, and MediaWiki\Session\CookieSessionProvider.

◆ refreshSessionInfo()

MediaWiki\Session\SessionProvider::refreshSessionInfo ( SessionInfo $info,
WebRequest $request,
& $metadata )

Validate a loaded SessionInfo and refresh provider metadata.

This is similar in purpose to the 'SessionCheckInfo' hook, and also allows for updating the provider metadata. On failure, the provider is expected to write an appropriate message to its logger.

Stability: stable
to override
Note
For use by \MediaWiki\Session\SessionManager only
Parameters
SessionInfo$infoAny changes by mergeMetadata() will already be reflected here.
WebRequest$request
array | null&$metadataProvider metadata, may be altered.
Returns
bool Return false to reject the SessionInfo after all.

Reimplemented in MediaWiki\Session\BotPasswordSessionProvider.

Definition at line 356 of file SessionProvider.php.

◆ safeAgainstCsrf()

MediaWiki\Session\SessionProvider::safeAgainstCsrf ( )

Most session providers require protection against CSRF attacks (usually via CSRF tokens)

Stability: stable
to override
Returns
bool false

Implements MediaWiki\Session\SessionProviderInterface.

Definition at line 648 of file SessionProvider.php.

◆ sessionIdWasReset()

MediaWiki\Session\SessionProvider::sessionIdWasReset ( SessionBackend $session,
$oldId )

Notification that the session ID was reset.

No need to persist here, persistSession() will be called if appropriate.

Stability: stable
to override
Note
For use by \MediaWiki\Session\SessionBackend only
Parameters
SessionBackend$sessionSession to persist
string$oldIdOld session ID

Definition at line 437 of file SessionProvider.php.

◆ setConfig()

MediaWiki\Session\SessionProvider::setConfig ( Config $config)

Set configuration.

Deprecated
since 1.37. For extension-defined session providers that were using this method to trigger other work, please override SessionProvider::postInitSetup instead. If your extension was using this to explicitly change the Config of an existing SessionProvider object, please file a report on phabricator
  • there is no non-deprecated way to do this anymore.
Parameters
Config$config

Definition at line 180 of file SessionProvider.php.

References MediaWiki\Session\SessionProvider\$config, and wfDeprecated().

◆ setHookContainer()

MediaWiki\Session\SessionProvider::setHookContainer ( $hookContainer)
Access: internal
Deprecated
since 1.37. For extension-defined session providers that were using this method to trigger other work, please override SessionProvider::postInitSetup instead. If your extension was using this to explicitly change the HookContainer of an existing SessionProvider object, please file a report on phabricator
  • there is no non-deprecated way to do this anymore.
Parameters
HookContainer$hookContainer

Definition at line 229 of file SessionProvider.php.

References wfDeprecated().

◆ setLogger()

MediaWiki\Session\SessionProvider::setLogger ( LoggerInterface $logger)

Sets a logger instance on the object.

Deprecated
since 1.37. For extension-defined session providers that were using this method to trigger other work, please override SessionProvider::postInitSetup instead. If your extension was using this to explicitly change the logger of an existing SessionProvider object, please file a report on phabricator
  • there is no non-deprecated way to do this anymore.
Parameters
LoggerInterface$logger

Definition at line 164 of file SessionProvider.php.

References MediaWiki\Session\SessionProvider\$logger, and wfDeprecated().

◆ setManager()

MediaWiki\Session\SessionProvider::setManager ( SessionManager $manager)

Set the session manager.

Deprecated
since 1.37. For extension-defined session providers that were using this method to trigger other work, please override SessionProvider::postInitSetup instead. If your extension was using this to explicitly change the SessionManager of an existing SessionProvider object, please file a report on phabricator
  • there is no non-deprecated way to do this anymore.
Parameters
SessionManager$manager

Definition at line 206 of file SessionProvider.php.

References MediaWiki\Session\SessionProvider\$manager, and wfDeprecated().

◆ suggestLoginUsername()

MediaWiki\Session\SessionProvider::suggestLoginUsername ( WebRequest $request)

Get a suggested username for the login form.

Stability: stable
to override
Note
For use by \MediaWiki\Session\SessionBackend only
Parameters
WebRequest$request
Returns
string|null

Reimplemented in MediaWiki\Session\CookieSessionProvider.

Definition at line 564 of file SessionProvider.php.

◆ unpersistSession()

MediaWiki\Session\SessionProvider::unpersistSession ( WebRequest $request)
abstract

Remove any persisted session from a request/response.

For example, blank and expire any cookies set by self::persistSession().

A backend that cannot persist session ID or user info should implement this as a no-op.

Note
For use by \MediaWiki\Session\SessionManager only
Parameters
WebRequest$requestRequest from which to remove any session data

Reimplemented in InstallerSessionProvider, MediaWiki\Session\CookieSessionProvider, and MediaWiki\Session\ImmutableSessionProviderWithCookie.

◆ whyNoSession()

MediaWiki\Session\SessionProvider::whyNoSession ( )

Return a Message for why sessions might not be being persisted.For example, "check whether you're blocking our cookies".

Returns
Message|null

Stability: stable
to override

Implements MediaWiki\Session\SessionProviderInterface.

Reimplemented in MediaWiki\Session\CookieSessionProvider, and MediaWiki\Session\ImmutableSessionProviderWithCookie.

Definition at line 638 of file SessionProvider.php.

Member Data Documentation

◆ $config

Config MediaWiki\Session\SessionProvider::$config
protected

◆ $logger

LoggerInterface MediaWiki\Session\SessionProvider::$logger
protected

◆ $manager

◆ $priority

int MediaWiki\Session\SessionProvider::$priority
protected

Session priority.

Used for the default newSessionInfo(), but could be used by subclasses too.

Definition at line 105 of file SessionProvider.php.

◆ $userNameUtils

UserNameUtils MediaWiki\Session\SessionProvider::$userNameUtils
protected

Definition at line 100 of file SessionProvider.php.

Referenced by MediaWiki\Session\SessionProvider\init().


The documentation for this class was generated from the following file: