MediaWiki  master
ImmutableSessionProviderWithCookie.php
1 <?php
24 namespace MediaWiki\Session;
25 
27 use WebRequest;
28 
43 
/**
 * @var string|null Name of the session cookie, without prefix. While this is
 *  null the provider neither reads nor writes a session cookie: the persist
 *  and unpersist methods return early and getSessionIdFromCookie() throws.
 */
45  protected $sessionCookieName = null;
/**
 * @var mixed[] Options handed unchanged to WebResponse::setCookie() and
 *  clearCookie(). Only the 'prefix' key is read directly in this class;
 *  persistSession() overrides 'secure' when the session requires HTTPS.
 *  NOTE(review): the remaining keys are not validated here, so any cookie
 *  hardening attributes depend on the caller's values and on setCookie()'s
 *  defaults; confirm against WebResponse.
 */
47  protected $sessionCookieOptions = [];
48 
/**
 * Set up the provider from an optional parameter array.
 *
 * @param array $params Recognised keys:
 *  - sessionCookieName: (string) name of the session cookie; when absent
 *    or null the provider does not use a cookie at all.
 *  - sessionCookieOptions: (array) options stored as-is and later passed to
 *    the response's setCookie()/clearCookie() calls.
 * @throws \InvalidArgumentException If a supplied value has the wrong type
 */
public function __construct( $params = [] ) {
	parent::__construct();

	// Only the container type is checked; the contents of the options array
	// are stored without inspection.
	$cookieName = $params['sessionCookieName'] ?? null;
	if ( $cookieName !== null ) {
		if ( !is_string( $cookieName ) ) {
			throw new \InvalidArgumentException( 'sessionCookieName must be a string' );
		}
		$this->sessionCookieName = $cookieName;
	}

	$cookieOptions = $params['sessionCookieOptions'] ?? null;
	if ( $cookieOptions !== null ) {
		if ( !is_array( $cookieOptions ) ) {
			throw new \InvalidArgumentException( 'sessionCookieOptions must be an array' );
		}
		$this->sessionCookieOptions = $cookieOptions;
	}
}
72 
/**
 * Get the session ID from the cookie, if any.
 *
 * The cookie value is supplied by the client, so it is only returned after
 * SessionManager::validateSessionId() accepts it; anything else yields null.
 *
 * @param WebRequest $request
 * @return string|null The validated session ID, or null when the cookie is
 *  missing or its value fails validation
 * @throws \BadMethodCallException If no session cookie name is configured
 */
protected function getSessionIdFromCookie( WebRequest $request ) {
	$cookieName = $this->sessionCookieName;
	if ( $cookieName === null ) {
		throw new \BadMethodCallException(
			__METHOD__ . ' may not be called when $this->sessionCookieName === null'
		);
	}

	// A provider-specific prefix wins over the site-wide CookiePrefix setting.
	if ( isset( $this->sessionCookieOptions['prefix'] ) ) {
		$cookiePrefix = $this->sessionCookieOptions['prefix'];
	} else {
		$cookiePrefix = $this->getConfig()->get( MainConfigNames::CookiePrefix );
	}

	$candidate = $request->getCookie( $cookieName, $cookiePrefix );
	if ( !SessionManager::validateSessionId( $candidate ) ) {
		return null;
	}
	return $candidate;
}
96 
/**
 * Indicate whether self::persistSession() can save arbitrary session IDs.
 *
 * That is the case exactly when a session cookie name has been configured.
 *
 * @return bool
 */
public function persistsSessionId() {
	$hasCookieName = $this->sessionCookieName !== null;
	return $hasCookieName;
}
104 
/**
 * Indicate whether the user associated with the request can be changed.
 *
 * This provider always answers no: the cookie it manages carries only the
 * session ID (see persistSession()), never the user.
 *
 * @return bool Always false
 */
public function canChangeUser() {
	return false;
}
112 
/**
 * Persist a session into a request/response by setting the session cookie.
 *
 * Does nothing when no cookie name is configured. If the response headers
 * have already been sent, the cookie cannot be set; this is only logged at
 * debug level and the session ID is not persisted for this response.
 *
 * @param SessionBackend $session
 * @param WebRequest $request
 */
public function persistSession( SessionBackend $session, WebRequest $request ) {
	$cookieName = $this->sessionCookieName;
	if ( $cookieName === null ) {
		return;
	}

	$response = $request->response();
	if ( $response->headersSent() ) {
		// Can't do anything now
		$this->logger->debug( __METHOD__ . ': Headers already sent' );
		return;
	}

	$cookieOptions = $this->sessionCookieOptions;
	$needsHttps = $session->shouldForceHTTPS() || $session->getUser()->requiresHTTPS();
	if ( $needsHttps ) {
		// Send a cookie unless $wgForceHTTPS is set (T256095)
		if ( !$this->getConfig()->get( MainConfigNames::ForceHTTPS ) ) {
			// The hint cookie holds no secret (its value is the literal 'true')
			// and is explicitly sent without the Secure attribute and without
			// a prefix; the left-hand operand of the array union takes
			// precedence over the configured options.
			$hintOptions = [ 'prefix' => '', 'secure' => false ] + $cookieOptions;
			$response->setCookie( 'forceHTTPS', 'true', null, $hintOptions );
		}
		// The session ID itself must only travel over HTTPS in this case.
		$cookieOptions['secure'] = true;
	}

	// When HTTPS is not required, 'secure' is left to the configured options
	// and to setCookie()'s own defaults.
	$response->setCookie( $cookieName, $session->getId(), null, $cookieOptions );
}
141 
/**
 * Remove any persisted session from a request/response by clearing the
 * session cookie.
 *
 * Does nothing when no cookie name is configured. If the response headers
 * have already been sent, the cookie is left in place and the situation is
 * only logged at debug level.
 *
 * @param WebRequest $request
 */
public function unpersistSession( WebRequest $request ) {
	$cookieName = $this->sessionCookieName;
	if ( $cookieName === null ) {
		return;
	}

	$response = $request->response();
	if ( $response->headersSent() ) {
		// Can't do anything now
		$this->logger->debug( __METHOD__ . ': Headers already sent' );
		return;
	}

	// Clear with the same options that were used to set the cookie.
	$response->clearCookie( $cookieName, $this->sessionCookieOptions );
}
160 
/**
 * Return the list of cookies that need varying on.
 *
 * @return string[] The prefixed session cookie name, or an empty list when
 *  no session cookie is configured
 */
public function getVaryCookies() {
	$cookieName = $this->sessionCookieName;
	if ( $cookieName === null ) {
		return [];
	}

	// Same prefix resolution as when the cookie is read: a provider-specific
	// prefix wins over the site-wide CookiePrefix setting.
	if ( isset( $this->sessionCookieOptions['prefix'] ) ) {
		$cookiePrefix = $this->sessionCookieOptions['prefix'];
	} else {
		$cookiePrefix = $this->getConfig()->get( MainConfigNames::CookiePrefix );
	}

	return [ $cookiePrefix . $cookieName ];
}
174 
/**
 * Return a Message for why sessions might not be being persisted.
 *
 * @return mixed Whatever wfMessage() returns for the key
 *  'sessionprovider-nocookies'
 */
public function whyNoSession() {
	$reason = wfMessage( 'sessionprovider-nocookies' );
	return $reason;
}
178 }
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
A class containing constants representing the names of configuration variables.
const ForceHTTPS
Name constant for the ForceHTTPS setting, for use with Config::get()
const CookiePrefix
Name constant for the CookiePrefix setting, for use with Config::get()
An ImmutableSessionProviderWithCookie doesn't persist the user, but optionally can use a cookie to su...
whyNoSession()
Return a Message for why sessions might not be being persisted.For example, "check whether you're blo...
canChangeUser()
Indicate whether the user associated with the request can be changed.If false, any session passed to ...
persistsSessionId()
Indicate whether self::persistSession() can save arbitrary session IDs.If false, any session passed t...
unpersistSession(WebRequest $request)
Remove any persisted session from a request/response.For example, blank and expire any cookies set by...
persistSession(SessionBackend $session, WebRequest $request)
Persist a session into a request/response.For example, you might set cookies for the session's ID,...
getVaryCookies()
Return the list of cookies that need varying on.Stability: stableto override For use by \MediaWiki\Se...
getSessionIdFromCookie(WebRequest $request)
Get the session ID from the cookie, if any.
This is the actual workhorse for Session.
shouldForceHTTPS()
Whether HTTPS should be forced.
getId()
Returns the session ID.
getUser()
Returns the authenticated user for this session.
static validateSessionId( $id)
Validate a session ID.
A SessionProvider provides SessionInfo and support for Session.
The WebRequest class encapsulates getting at data passed in the URL or via a POSTed form stripping il...
Definition: WebRequest.php:47
response()
Return a handle to WebResponse style object, for setting cookies, headers and other stuff,...
getCookie( $key, $prefix=null, $default=null)
Get a cookie from the $_COOKIE jar.
Definition: WebRequest.php:877