master/php/CookieSessionProvider_8php_source.html

<?php

namespace MediaWiki\Session;


use InvalidArgumentException;

use MediaWiki\MainConfigNames;

use MediaWiki\Request\WebRequest;

use MediaWiki\User\User;

use MediaWiki\User\UserRigorOptions;


class CookieSessionProvider extends SessionProvider {


    protected $params = [];


    protected $cookieOptions = [];


    public function __construct( $params = [] ) {

        parent::__construct();


        $params += [

            'cookieOptions' => [],

            // @codeCoverageIgnoreStart

        ];

        // @codeCoverageIgnoreEnd


        if ( !isset( $params['priority'] ) ) {

            throw new InvalidArgumentException( __METHOD__ . ': priority must be specified' );

        }

        if ( $params['priority'] < SessionInfo::MIN_PRIORITY ||

            $params['priority'] > SessionInfo::MAX_PRIORITY

        ) {

            throw new InvalidArgumentException( __METHOD__ . ': Invalid priority' );

        }


        if ( !is_array( $params['cookieOptions'] ) ) {

            throw new InvalidArgumentException( __METHOD__ . ': cookieOptions must be an array' );

        }


        $this->priority = $params['priority'];

        $this->cookieOptions = $params['cookieOptions'];

        $this->params = $params;

        unset( $this->params['priority'] );

        unset( $this->params['cookieOptions'] );

    }


    protected function postInitSetup() {

        $this->params += [

            'sessionName' =>

                $this->getConfig()->get( MainConfigNames::SessionName )

                ?: $this->getConfig()->get( MainConfigNames::CookiePrefix ) . '_session',

        ];


        $sameSite = $this->getConfig()->get( MainConfigNames::CookieSameSite );


        // @codeCoverageIgnoreStart

        $this->cookieOptions += [

            // @codeCoverageIgnoreEnd

            'prefix' => $this->getConfig()->get( MainConfigNames::CookiePrefix ),

            'path' => $this->getConfig()->get( MainConfigNames::CookiePath ),

            'domain' => $this->getConfig()->get( MainConfigNames::CookieDomain ),

            'secure' => $this->getConfig()->get( MainConfigNames::CookieSecure )

                || $this->getConfig()->get( MainConfigNames::ForceHTTPS ),

            'httpOnly' => $this->getConfig()->get( MainConfigNames::CookieHttpOnly ),

            'sameSite' => $sameSite,

        ];

    }


    public function provideSessionInfo( WebRequest $request ) {

        $sessionId = $this->getCookie( $request, $this->params['sessionName'], '' );

        $info = [

            'provider' => $this,

            'forceHTTPS' => $this->getCookie( $request, 'forceHTTPS', '', false )

        ];

        if ( SessionManager::validateSessionId( $sessionId ) ) {

            $info['id'] = $sessionId;

            $info['persisted'] = true;

        }


        [ $userId, $userName, $token ] = $this->getUserInfoFromCookies( $request );

        if ( $userId !== null ) {

            try {

                $userInfo = UserInfo::newFromId( $userId );

            } catch ( InvalidArgumentException $ex ) {

                return null;

            }


            if ( $userName !== null && $userInfo->getName() !== $userName ) {

                $this->logger->warning(

                    'Session "{session}" requested with mismatched UserID and UserName cookies.',

                    [

                        'session' => $sessionId,

                        'mismatch' => [

                            'userid' => $userId,

                            'cookie_username' => $userName,

                            'username' => $userInfo->getName(),

                        ],

                    ] );

                return null;

            }


            if ( $token !== null ) {

                if ( !hash_equals( $userInfo->getToken(), $token ) ) {

                    $this->logger->warning(

                        'Session "{session}" requested with invalid Token cookie.',

                        [

                            'session' => $sessionId,

                            'userid' => $userId,

                            'username' => $userInfo->getName(),

                        ] );

                    return null;

                }

                $info['userInfo'] = $userInfo->verified();

                $info['persisted'] = true; // If we have user+token, it should be

            } elseif ( isset( $info['id'] ) ) {

                $info['userInfo'] = $userInfo;

            } else {

                // No point in returning, loadSessionInfoFromStore() will

                // reject it anyway.

                return null;

            }

        } elseif ( isset( $info['id'] ) ) {

            // No UserID cookie, so insist that the session is anonymous.

            // Note: this event occurs for several normal activities:

            // * anon visits Special:UserLogin

            // * anon browsing after seeing Special:UserLogin

            // * anon browsing after edit or preview

            $this->logger->debug(

                'Session "{session}" requested without UserID cookie',

                [

                    'session' => $info['id'],

                ] );

            $info['userInfo'] = UserInfo::newAnonymous();

        } else {

            // No session ID and no user is the same as an empty session, so

            // there's no point.

            return null;

        }


        return new SessionInfo( $this->priority, $info );

    }


    public function persistsSessionId() {

        return true;

    }


    public function canChangeUser() {

        return true;

    }


    public function persistSession( SessionBackend $session, WebRequest $request ) {

        $response = $request->response();

        if ( $response->headersSent() ) {

            // Can't do anything now

            $this->logger->debug( __METHOD__ . ': Headers already sent' );

            return;

        }


        $user = $session->getUser();


        $cookies = $this->cookieDataToExport( $user, $session->shouldRememberUser() );

        $sessionData = $this->sessionDataToExport( $user );


        $options = $this->cookieOptions;


        $forceHTTPS = $session->shouldForceHTTPS() || $user->requiresHTTPS();

        if ( $forceHTTPS ) {

            $options['secure'] = $this->getConfig()->get( MainConfigNames::CookieSecure )

                || $this->getConfig()->get( MainConfigNames::ForceHTTPS );

        }


        $response->setCookie( $this->params['sessionName'], $session->getId(), null,

            [ 'prefix' => '' ] + $options

        );


        foreach ( $cookies as $key => $value ) {

            if ( $value === false ) {

                $response->clearCookie( $key, $options );

            } else {

                $expirationDuration = $this->getLoginCookieExpiration( $key, $session->shouldRememberUser() );

                $expiration = $expirationDuration ? $expirationDuration + time() : null;

                $response->setCookie( $key, (string)$value, $expiration, $options );

            }

        }


        $this->setForceHTTPSCookie( $forceHTTPS, $session, $request );

        $this->setLoggedOutCookie( $session->getLoggedOutTimestamp(), $request );


        if ( $sessionData ) {

            $session->addData( $sessionData );

        }

    }


    public function unpersistSession( WebRequest $request ) {

        $response = $request->response();

        if ( $response->headersSent() ) {

            // Can't do anything now

            $this->logger->debug( __METHOD__ . ': Headers already sent' );

            return;

        }


        $cookies = [

            'UserID' => false,

            'Token' => false,

        ];


        $response->clearCookie(

            $this->params['sessionName'], [ 'prefix' => '' ] + $this->cookieOptions

        );


        foreach ( $cookies as $key => $value ) {

            $response->clearCookie( $key, $this->cookieOptions );

        }


        $this->setForceHTTPSCookie( false, null, $request );

    }


    protected function setForceHTTPSCookie( $set, ?SessionBackend $backend, WebRequest $request ) {

        if ( $this->getConfig()->get( MainConfigNames::ForceHTTPS ) ) {

            // No need to send a cookie if the wiki is always HTTPS (T256095)

            return;

        }

        $response = $request->response();

        if ( $set ) {

            if ( $backend->shouldRememberUser() ) {

                $expirationDuration = $this->getLoginCookieExpiration(

                    'forceHTTPS',

                    true

                );

                $expiration = $expirationDuration ? $expirationDuration + time() : null;

            } else {

                $expiration = null;

            }

            $response->setCookie( 'forceHTTPS', 'true', $expiration,

                [ 'prefix' => '', 'secure' => false ] + $this->cookieOptions );

        } else {

            $response->clearCookie( 'forceHTTPS',

                [ 'prefix' => '', 'secure' => false ] + $this->cookieOptions );

        }

    }


    protected function setLoggedOutCookie( $loggedOut, WebRequest $request ) {

        if ( $loggedOut + 86400 > time() &&

            $loggedOut !== (int)$this->getCookie( $request, 'LoggedOut', $this->cookieOptions['prefix'] )

        ) {

            $request->response()->setCookie( 'LoggedOut', (string)$loggedOut, $loggedOut + 86400,

                $this->cookieOptions );

        }

    }


    public function getVaryCookies() {

        return [

            // Vary on token and session because those are the real authn

            // determiners. UserID and UserName don't matter without those.

            $this->cookieOptions['prefix'] . 'Token',

            $this->cookieOptions['prefix'] . 'LoggedOut',

            $this->params['sessionName'],

            'forceHTTPS',

        ];

    }


    public function suggestLoginUsername( WebRequest $request ) {

        $name = $this->getCookie( $request, 'UserName', $this->cookieOptions['prefix'] );

        if ( $name !== null ) {

            if ( $this->userNameUtils->isTemp( $name ) ) {

                $name = false;

            } else {

                $name = $this->userNameUtils->getCanonical( $name, UserRigorOptions::RIGOR_USABLE );

            }

        }

        return $name === false ? null : $name;

    }


    protected function getUserInfoFromCookies( $request ) {

        $prefix = $this->cookieOptions['prefix'];

        return [

            $this->getCookie( $request, 'UserID', $prefix ),

            $this->getCookie( $request, 'UserName', $prefix ),

            $this->getCookie( $request, 'Token', $prefix ),

        ];

    }


    protected function getCookie( $request, $key, $prefix, $default = null ) {

        $value = $request->getCookie( $key, $prefix, $default );

        if ( $value === 'deleted' ) {

            // PHP uses this value when deleting cookies. A legitimate cookie will never have

            // this value (usernames start with uppercase, token is longer, other auth cookies

            // are booleans or integers). Seeing this means that in a previous request we told the

            // client to delete the cookie, but it has poor cookie handling. Pretend the cookie is

            // not there to avoid invalidating the session.

            return null;

        }

        return $value;

    }


    protected function cookieDataToExport( $user, $remember ) {

        if ( $user->isAnon() ) {

            return [

                'UserID' => false,

                'Token' => false,

            ];

        } else {

            return [

                'UserID' => $user->getId(),

                'UserName' => $user->getName(),

                'Token' => $remember ? (string)$user->getToken() : false,

            ];

        }

    }


    protected function sessionDataToExport( $user ) {

        return [];

    }


    public function whyNoSession() {

        return wfMessage( 'sessionprovider-nocookies' );

    }


    public function getRememberUserDuration() {

        return min( $this->getLoginCookieExpiration( 'UserID', true ),

            $this->getLoginCookieExpiration( 'Token', true ) ) ?: null;

    }


    protected function getExtendedLoginCookies() {

        return [ 'UserID', 'UserName', 'Token' ];

    }


    protected function getLoginCookieExpiration( $cookieName, $shouldRememberUser ) {

        $extendedCookies = $this->getExtendedLoginCookies();

        $normalExpiration = $this->getConfig()->get( MainConfigNames::CookieExpiration );


        if ( $shouldRememberUser && in_array( $cookieName, $extendedCookies, true ) ) {

            $extendedExpiration = $this->getConfig()->get( MainConfigNames::ExtendedLoginCookieExpiration );


            return ( $extendedExpiration !== null ) ? (int)$extendedExpiration : (int)$normalExpiration;

        } else {

            return (int)$normalExpiration;

        }

    }


}


wfMessage
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
Definition GlobalFunctions.php:859

MediaWiki\MainConfigNames
A class containing constants representing the names of configuration variables.
Definition MainConfigNames.php:22

MediaWiki\MainConfigNames\ForceHTTPS
const ForceHTTPS
Name constant for the ForceHTTPS setting, for use with Config::get()
Definition MainConfigNames.php:70

MediaWiki\MainConfigNames\CookieExpiration
const CookieExpiration
Name constant for the CookieExpiration setting, for use with Config::get()
Definition MainConfigNames.php:3196

MediaWiki\MainConfigNames\CookieDomain
const CookieDomain
Name constant for the CookieDomain setting, for use with Config::get()
Definition MainConfigNames.php:3208

MediaWiki\MainConfigNames\CookiePath
const CookiePath
Name constant for the CookiePath setting, for use with Config::get()
Definition MainConfigNames.php:3214

MediaWiki\MainConfigNames\CookieSameSite
const CookieSameSite
Name constant for the CookieSameSite setting, for use with Config::get()
Definition MainConfigNames.php:3238

MediaWiki\MainConfigNames\CookieSecure
const CookieSecure
Name constant for the CookieSecure setting, for use with Config::get()
Definition MainConfigNames.php:3220

MediaWiki\MainConfigNames\SessionName
const SessionName
Name constant for the SessionName setting, for use with Config::get()
Definition MainConfigNames.php:3250

MediaWiki\MainConfigNames\ExtendedLoginCookieExpiration
const ExtendedLoginCookieExpiration
Name constant for the ExtendedLoginCookieExpiration setting, for use with Config::get()
Definition MainConfigNames.php:3202

MediaWiki\MainConfigNames\CookiePrefix
const CookiePrefix
Name constant for the CookiePrefix setting, for use with Config::get()
Definition MainConfigNames.php:3226

MediaWiki\MainConfigNames\CookieHttpOnly
const CookieHttpOnly
Name constant for the CookieHttpOnly setting, for use with Config::get()
Definition MainConfigNames.php:3232

MediaWiki\Request\WebRequest
The WebRequest class encapsulates getting at data passed in the URL or via a POSTed form,...
Definition WebRequest.php:51

MediaWiki\Request\WebRequest\response
response()
Return a handle to WebResponse style object, for setting cookies, headers and other stuff,...
Definition WebRequest.php:1132

MediaWiki\Session\CookieSessionProvider
A CookieSessionProvider persists sessions using cookies.
Definition CookieSessionProvider.php:38

MediaWiki\Session\CookieSessionProvider\suggestLoginUsername
suggestLoginUsername(WebRequest $request)
Get a suggested username for the login form.
Definition CookieSessionProvider.php:314

MediaWiki\Session\CookieSessionProvider\canChangeUser
canChangeUser()
Indicate whether the user associated with the request can be changed.
Definition CookieSessionProvider.php:188

MediaWiki\Session\CookieSessionProvider\sessionDataToExport
sessionDataToExport( $user)
Return extra data to store in the session.
Definition CookieSessionProvider.php:387

MediaWiki\Session\CookieSessionProvider\persistSession
persistSession(SessionBackend $session, WebRequest $request)
Persist a session into a request/response.
Definition CookieSessionProvider.php:192

MediaWiki\Session\CookieSessionProvider\$cookieOptions
mixed[] $cookieOptions
Definition CookieSessionProvider.php:44

MediaWiki\Session\CookieSessionProvider\getUserInfoFromCookies
getUserInfoFromCookies( $request)
Fetch the user identity from cookies.
Definition CookieSessionProvider.php:331

MediaWiki\Session\CookieSessionProvider\whyNoSession
whyNoSession()
Return a Message for why sessions might not be being persisted.For example, "check whether you're blo...
Definition CookieSessionProvider.php:391

MediaWiki\Session\CookieSessionProvider\setLoggedOutCookie
setLoggedOutCookie( $loggedOut, WebRequest $request)
Definition CookieSessionProvider.php:294

MediaWiki\Session\CookieSessionProvider\$params
mixed[] $params
Definition CookieSessionProvider.php:41

MediaWiki\Session\CookieSessionProvider\getExtendedLoginCookies
getExtendedLoginCookies()
Gets the list of cookies that must be set to the 'remember me' duration, if $wgExtendedLoginCookieExp...
Definition CookieSessionProvider.php:406

MediaWiki\Session\CookieSessionProvider\setForceHTTPSCookie
setForceHTTPSCookie( $set, ?SessionBackend $backend, WebRequest $request)
Set the "forceHTTPS" cookie, unless $wgForceHTTPS prevents it.
Definition CookieSessionProvider.php:266

MediaWiki\Session\CookieSessionProvider\getVaryCookies
getVaryCookies()
Return the list of cookies that need varying on.
Definition CookieSessionProvider.php:303

MediaWiki\Session\CookieSessionProvider\getCookie
getCookie( $request, $key, $prefix, $default=null)
Get a cookie.
Definition CookieSessionProvider.php:348

MediaWiki\Session\CookieSessionProvider\persistsSessionId
persistsSessionId()
Indicate whether self::persistSession() can save arbitrary session IDs.
Definition CookieSessionProvider.php:184

MediaWiki\Session\CookieSessionProvider\__construct
__construct( $params=[])
Definition CookieSessionProvider.php:59

MediaWiki\Session\CookieSessionProvider\provideSessionInfo
provideSessionInfo(WebRequest $request)
Provide session info for a request.
Definition CookieSessionProvider.php:110

MediaWiki\Session\CookieSessionProvider\cookieDataToExport
cookieDataToExport( $user, $remember)
Return the data to store in cookies.
Definition CookieSessionProvider.php:367

MediaWiki\Session\CookieSessionProvider\getRememberUserDuration
getRememberUserDuration()
Returns the duration (in seconds) for which users will be remembered when Session::setRememberUser() ...
Definition CookieSessionProvider.php:395

MediaWiki\Session\CookieSessionProvider\unpersistSession
unpersistSession(WebRequest $request)
Remove any persisted session from a request/response.
Definition CookieSessionProvider.php:235

MediaWiki\Session\CookieSessionProvider\getLoginCookieExpiration
getLoginCookieExpiration( $cookieName, $shouldRememberUser)
Returns the lifespan of the login cookies, in seconds.
Definition CookieSessionProvider.php:420

MediaWiki\Session\CookieSessionProvider\postInitSetup
postInitSetup()
A provider can override this to do any necessary setup after init() is called.
Definition CookieSessionProvider.php:88

MediaWiki\Session\SessionBackend
This is the actual workhorse for Session.
Definition SessionBackend.php:57

MediaWiki\Session\SessionBackend\addData
addData(array $newData)
Add data to the session.
Definition SessionBackend.php:581

MediaWiki\Session\SessionBackend\shouldForceHTTPS
shouldForceHTTPS()
Whether HTTPS should be forced.
Definition SessionBackend.php:486

MediaWiki\Session\SessionBackend\getId
getId()
Returns the session ID.
Definition SessionBackend.php:252

MediaWiki\Session\SessionBackend\getLoggedOutTimestamp
getLoggedOutTimestamp()
Fetch the "logged out" timestamp.
Definition SessionBackend.php:511

MediaWiki\Session\SessionBackend\getUser
getUser()
Returns the authenticated user for this session.
Definition SessionBackend.php:417

MediaWiki\Session\SessionBackend\shouldRememberUser
shouldRememberUser()
Indicate whether the user should be remembered independently of the session ID.
Definition SessionBackend.php:380

MediaWiki\Session\SessionInfo
Value object returned by SessionProvider.
Definition SessionInfo.php:40

MediaWiki\Session\SessionInfo\MIN_PRIORITY
const MIN_PRIORITY
Minimum allowed priority.
Definition SessionInfo.php:42

MediaWiki\Session\SessionInfo\MAX_PRIORITY
const MAX_PRIORITY
Maximum allowed priority.
Definition SessionInfo.php:45

MediaWiki\Session\SessionManager\validateSessionId
static validateSessionId( $id)
Validate a session ID.
Definition SessionManager.php:386

MediaWiki\Session\SessionProvider
A SessionProvider provides SessionInfo and support for Session.
Definition SessionProvider.php:97

MediaWiki\Session\SessionProvider\getConfig
getConfig()
Get the config.
Definition SessionProvider.php:189

MediaWiki\Session\UserInfo\newAnonymous
static newAnonymous()
Create an instance for an anonymous (i.e.
Definition UserInfo.php:80

MediaWiki\Session\UserInfo\newFromId
static newFromId( $id, $verified=false)
Create an instance for a logged-in user by ID.
Definition UserInfo.php:90

MediaWiki\User\User
User class for the MediaWiki software.
Definition User.php:121

MediaWiki\User\UserRigorOptions
Shared interface for rigor levels when dealing with User methods.
Definition UserRigorOptions.php:30

MediaWiki\Session
Definition BotPasswordSessionProvider.php:24