83 private static ?
Session $globalSession =
null;
84 private static ?
WebRequest $globalSessionRequest =
null;
86 private LoggerInterface $logger;
94 private $sessionProviders =
null;
97 private $varyCookies =
null;
100 private $varyHeaders =
null;
103 private $allSessionBackends = [];
106 private $allSessionIds = [];
109 private $preventUsers = [];
116 if ( self::$instance ===
null ) {
117 self::$instance =
new self();
119 return self::$instance;
133 $request = RequestContext::getMain()->getRequest();
135 !self::$globalSession
136 || self::$globalSessionRequest !== $request
137 || ( $id !==
'' && self::$globalSession->getId() !== $id )
139 self::$globalSessionRequest = $request;
149 self::$globalSession = $request->
getSession();
154 self::$globalSession =
self::singleton()->getSessionById( $id,
true, $request )
158 return self::$globalSession;
170 $this->config = $options[
'config'] ?? $services->getMainConfig();
171 $this->setLogger( $options[
'logger'] ?? \
MediaWiki\Logger\LoggerFactory::getInstance(
'session' ) );
172 $this->setHookContainer( $options[
'hookContainer'] ?? $services->getHookContainer() );
174 $store = $options[
'store'] ?? $services->getObjectCacheFactory()
176 $this->logger->debug(
'SessionManager using store ' . get_class( $store ) );
179 $this->userNameUtils = $services->getUserNameUtils();
181 register_shutdown_function( [ $this,
'shutdown' ] );
185 $this->logger = $logger;
193 $this->hookContainer = $hookContainer;
194 $this->hookRunner =
new HookRunner( $hookContainer );
198 $info = $this->getSessionInfoForRequest( $request );
201 $session = $this->getInitialSession( $request );
203 $session = $this->getSessionFromInfo( $info, $request );
209 if ( !self::validateSessionId( $id ) ) {
210 throw new InvalidArgumentException(
'Invalid session ID' );
220 if ( isset( $this->allSessionBackends[$id] ) ) {
221 return $this->getSessionFromInfo( $info, $request );
225 $key = $this->store->makeKey(
'MWSession', $id );
226 if ( is_array( $this->store->get( $key ) ) ) {
228 if ( $this->loadSessionInfoFromStore( $info, $request ) ) {
229 $session = $this->getSessionFromInfo( $info, $request );
233 if ( $create && $session ===
null ) {
235 $session = $this->getEmptySessionInternal( $request, $id );
236 }
catch ( \Exception $ex ) {
237 $this->logger->error(
'Failed to create empty session: {exception}',
239 'method' => __METHOD__,
250 return $this->getEmptySessionInternal( $request );
259 private function getEmptySessionInternal( ?
WebRequest $request =
null, $id =
null ) {
260 if ( $id !==
null ) {
261 if ( !self::validateSessionId( $id ) ) {
262 throw new InvalidArgumentException(
'Invalid session ID' );
265 $key = $this->store->makeKey(
'MWSession', $id );
266 if ( is_array( $this->store->get( $key ) ) ) {
267 throw new InvalidArgumentException(
'Session ID already exists' );
271 $request =
new FauxRequest;
275 foreach ( $this->getProviders() as $provider ) {
276 $info = $provider->newSessionInfo( $id );
281 throw new \UnexpectedValueException(
282 "$provider returned an empty session info for a different provider: $info"
285 if ( $id !==
null && $info->
getId() !== $id ) {
286 throw new \UnexpectedValueException(
287 "$provider returned empty session info with a wrong id: " .
288 $info->
getId() .
' != ' . $id
292 throw new \UnexpectedValueException(
293 "$provider returned empty session info with id flagged unsafe"
297 if ( $compare > 0 ) {
300 if ( $compare === 0 ) {
308 if ( count( $infos ) > 1 ) {
309 throw new \UnexpectedValueException(
310 'Multiple empty sessions tied for top priority: ' . implode(
', ', $infos )
312 } elseif ( count( $infos ) < 1 ) {
313 throw new \UnexpectedValueException(
'No provider could provide an empty session!' );
317 return $this->getSessionFromInfo( $infos[0], $request );
329 private function getInitialSession( ?WebRequest $request =
null ) {
330 $session = $this->getEmptySession( $request );
331 $session->getToken();
339 foreach ( $this->getProviders() as $provider ) {
340 $provider->invalidateSessionsForUser( $user );
349 if ( defined(
'MW_NO_SESSION' ) &&
MW_NO_SESSION !==
'warn' ) {
353 if ( $this->varyHeaders ===
null ) {
355 foreach ( $this->getProviders() as $provider ) {
356 foreach ( $provider->getVaryHeaders() as
$header => $_ ) {
360 $this->varyHeaders = $headers;
362 return $this->varyHeaders;
367 if ( defined(
'MW_NO_SESSION' ) &&
MW_NO_SESSION !==
'warn' ) {
371 if ( $this->varyCookies ===
null ) {
373 foreach ( $this->getProviders() as $provider ) {
374 $cookies = array_merge( $cookies, $provider->getVaryCookies() );
376 $this->varyCookies = array_values( array_unique( $cookies ) );
378 return $this->varyCookies;
387 return is_string( $id ) && preg_match(
'/^[a-zA-Z0-9_-]{32,}$/', $id );
404 $this->preventUsers[$username] =
true;
407 foreach ( $this->getProviders() as $provider ) {
408 $provider->preventSessionsForUser( $username );
419 return !empty( $this->preventUsers[$username] );
427 if ( $this->sessionProviders ===
null ) {
428 $this->sessionProviders = [];
432 $provider = $objectFactory->createObject( $spec );
437 $this->hookContainer,
440 if ( isset( $this->sessionProviders[(
string)$provider] ) ) {
442 throw new \UnexpectedValueException(
"Duplicate provider name \"$provider\"" );
444 $this->sessionProviders[(string)$provider] = $provider;
447 return $this->sessionProviders;
461 $providers = $this->getProviders();
462 return $providers[$name] ??
null;
470 if ( $this->allSessionBackends ) {
471 $this->logger->debug(
'Saving all sessions on shutdown' );
472 if ( session_id() !==
'' ) {
474 session_write_close();
477 foreach ( $this->allSessionBackends as $backend ) {
478 $backend->shutdown();
488 private function getSessionInfoForRequest(
WebRequest $request ) {
491 foreach ( $this->getProviders() as $provider ) {
492 $info = $provider->provideSessionInfo( $request );
497 throw new \UnexpectedValueException(
498 "$provider returned session info for a different provider: $info"
507 usort( $infos, [ SessionInfo::class,
'compare' ] );
510 $info = array_pop( $infos );
511 if ( $this->loadSessionInfoFromStore( $info, $request ) ) {
515 $info = array_pop( $infos );
520 if ( $this->loadSessionInfoFromStore( $info, $request ) ) {
526 $this->logUnpersist( $info, $request );
527 $info->
getProvider()->unpersistSession( $request );
532 $this->logUnpersist( $info, $request );
533 $info->
getProvider()->unpersistSession( $request );
537 if ( count( $retInfos ) > 1 ) {
538 throw new SessionOverflowException(
540 'Multiple sessions for this request tied for top priority: ' . implode(
', ', $retInfos )
544 return $retInfos[0] ??
null;
554 private function loadSessionInfoFromStore( SessionInfo &$info, WebRequest $request ) {
555 $key = $this->store->makeKey(
'MWSession', $info->getId() );
556 $blob = $this->store->get( $key );
561 if ( $info->forceUse() && $blob !==
false ) {
562 $failHandler =
function () use ( $key, &$info, $request ) {
563 $this->store->delete( $key );
564 return $this->loadSessionInfoFromStore( $info, $request );
567 $failHandler =
static function () {
574 if ( $blob !==
false ) {
576 if ( !is_array( $blob ) ) {
577 $this->logger->warning(
'Session "{session}": Bad data', [
578 'session' => $info->__toString(),
580 $this->store->delete( $key );
581 return $failHandler();
585 if ( !isset( $blob[
'data'] ) || !is_array( $blob[
'data'] ) ||
586 !isset( $blob[
'metadata'] ) || !is_array( $blob[
'metadata'] )
588 $this->logger->warning(
'Session "{session}": Bad data structure', [
589 'session' => $info->__toString(),
591 $this->store->delete( $key );
592 return $failHandler();
595 $data = $blob[
'data'];
596 $metadata = $blob[
'metadata'];
600 if ( !array_key_exists(
'userId', $metadata ) ||
601 !array_key_exists(
'userName', $metadata ) ||
602 !array_key_exists(
'userToken', $metadata ) ||
603 !array_key_exists(
'provider', $metadata )
605 $this->logger->warning(
'Session "{session}": Bad metadata', [
606 'session' => $info->__toString(),
608 $this->store->delete( $key );
609 return $failHandler();
613 $provider = $info->getProvider();
614 if ( $provider ===
null ) {
615 $newParams[
'provider'] = $provider = $this->getProvider( $metadata[
'provider'] );
617 $this->logger->warning(
618 'Session "{session}": Unknown provider ' . $metadata[
'provider'],
620 'session' => $info->__toString(),
623 $this->store->delete( $key );
624 return $failHandler();
626 } elseif ( $metadata[
'provider'] !== (
string)$provider ) {
627 $this->logger->warning(
'Session "{session}": Wrong provider ' .
628 $metadata[
'provider'] .
' !== ' . $provider,
630 'session' => $info->__toString(),
632 return $failHandler();
636 $providerMetadata = $info->getProviderMetadata();
637 if ( isset( $metadata[
'providerMetadata'] ) ) {
638 if ( $providerMetadata ===
null ) {
639 $newParams[
'metadata'] = $metadata[
'providerMetadata'];
642 $newProviderMetadata = $provider->mergeMetadata(
643 $metadata[
'providerMetadata'], $providerMetadata
645 if ( $newProviderMetadata !== $providerMetadata ) {
646 $newParams[
'metadata'] = $newProviderMetadata;
648 }
catch ( MetadataMergeException $ex ) {
649 $this->logger->warning(
650 'Session "{session}": Metadata merge failed: {exception}',
652 'session' => $info->__toString(),
654 ] + $ex->getContext()
656 return $failHandler();
662 $userInfo = $info->getUserInfo();
666 if ( $metadata[
'userId'] ) {
668 } elseif ( $metadata[
'userName'] !==
null ) {
673 }
catch ( InvalidArgumentException $ex ) {
674 $this->logger->error(
'Session "{session}": {exception}', [
675 'session' => $info->__toString(),
678 return $failHandler();
680 $newParams[
'userInfo'] = $userInfo;
684 if ( $metadata[
'userId'] ) {
685 if ( $metadata[
'userId'] !== $userInfo->getId() ) {
687 $this->logger->warning(
688 'Session "{session}": User ID mismatch, {uid_a} !== {uid_b}',
690 'session' => $info->__toString(),
691 'uid_a' => $metadata[
'userId'],
692 'uid_b' => $userInfo->getId(),
693 'uname_a' => $metadata[
'userName'] ??
'<null>',
694 'uname_b' => $userInfo->getName() ??
'<null>',
696 return $failHandler();
700 if ( $metadata[
'userName'] !==
null &&
701 $userInfo->getName() !== $metadata[
'userName']
703 $this->logger->warning(
704 'Session "{session}": User ID matched but name didn\'t (rename?), {uname_a} !== {uname_b}',
706 'session' => $info->__toString(),
707 'uname_a' => $metadata[
'userName'],
708 'uname_b' => $userInfo->getName(),
710 return $failHandler();
713 } elseif ( $metadata[
'userName'] !==
null ) {
714 if ( $metadata[
'userName'] !== $userInfo->getName() ) {
715 $this->logger->warning(
716 'Session "{session}": User name mismatch, {uname_a} !== {uname_b}',
718 'session' => $info->__toString(),
719 'uname_a' => $metadata[
'userName'],
720 'uname_b' => $userInfo->getName(),
722 return $failHandler();
724 } elseif ( !$userInfo->isAnon() ) {
728 $this->logger->warning(
729 'Session "{session}": the session store entry is for an anonymous user, '
730 .
'but the session metadata indicates a non-anonynmous user',
732 'session' => $info->__toString(),
734 return $failHandler();
740 if ( $metadata[
'userToken'] !==
null &&
741 $userInfo->getToken() !== $metadata[
'userToken']
743 $this->logger->warning(
'Session "{session}": User token mismatch', [
744 'session' => $info->__toString(),
746 return $failHandler();
748 if ( !$userInfo->isVerified() ) {
749 $newParams[
'userInfo'] = $userInfo->verified();
752 if ( !empty( $metadata[
'remember'] ) && !$info->wasRemembered() ) {
753 $newParams[
'remembered'] =
true;
755 if ( !empty( $metadata[
'forceHTTPS'] ) && !$info->forceHTTPS() ) {
756 $newParams[
'forceHTTPS'] =
true;
758 if ( !empty( $metadata[
'persisted'] ) && !$info->wasPersisted() ) {
759 $newParams[
'persisted'] =
true;
762 if ( !$info->isIdSafe() ) {
763 $newParams[
'idIsSafe'] =
true;
767 if ( $info->getProvider() ===
null ) {
768 $this->logger->warning(
769 'Session "{session}": Null provider and no metadata',
771 'session' => $info->__toString(),
773 return $failHandler();
777 if ( !$info->getUserInfo() ) {
778 if ( $info->getProvider()->canChangeUser() ) {
784 'Session "{session}": No user provided and provider cannot set user',
786 'session' => $info->__toString(),
788 return $failHandler();
790 } elseif ( !$info->getUserInfo()->isVerified() ) {
795 'Session "{session}": Unverified user provided and no metadata to auth it',
797 'session' => $info->__toString(),
799 return $failHandler();
805 if ( !$info->getProvider()->persistsSessionId() && !$info->isIdSafe() ) {
808 $newParams[
'idIsSafe'] =
true;
814 $newParams[
'copyFrom'] = $info;
815 $info =
new SessionInfo( $info->getPriority(), $newParams );
819 $providerMetadata = $info->getProviderMetadata();
820 if ( !$info->getProvider()->refreshSessionInfo( $info, $request, $providerMetadata ) ) {
821 return $failHandler();
823 if ( $providerMetadata !== $info->getProviderMetadata() ) {
824 $info =
new SessionInfo( $info->getPriority(), [
825 'metadata' => $providerMetadata,
833 $reason =
'Hook aborted';
834 if ( !$this->hookRunner->onSessionCheckInfo(
835 $reason, $info, $request, $metadata, $data )
837 $this->logger->warning(
'Session "{session}": ' . $reason, [
838 'session' => $info->__toString(),
840 return $failHandler();
856 if ( defined(
'MW_NO_SESSION' ) ) {
861 $this->logger->error(
'Sessions are supposed to be disabled for this entry point', [
862 'exception' =>
new \BadMethodCallException(
"Sessions are disabled for $ep entry point" ),
865 throw new \BadMethodCallException(
"Sessions are disabled for $ep entry point" );
870 $id = $info->
getId();
872 if ( !isset( $this->allSessionBackends[$id] ) ) {
873 if ( !isset( $this->allSessionIds[$id] ) ) {
874 $this->allSessionIds[$id] =
new SessionId( $id );
877 $this->allSessionIds[$id],
881 $this->hookContainer,
884 $this->allSessionBackends[$id] = $backend;
885 $delay = $backend->delaySave();
887 $backend = $this->allSessionBackends[$id];
888 $delay = $backend->delaySave();
893 $backend->setRememberUser(
true );
898 $session = $backend->getSession( $request );
904 \Wikimedia\ScopedCallback::consume( $delay );
914 $id = $backend->
getId();
915 if ( !isset( $this->allSessionBackends[$id] ) || !isset( $this->allSessionIds[$id] ) ||
916 $this->allSessionBackends[$id] !== $backend ||
919 throw new InvalidArgumentException(
'Backend was not registered with this SessionManager' );
922 unset( $this->allSessionBackends[$id] );
933 $oldId = (string)$sessionId;
934 if ( !isset( $this->allSessionBackends[$oldId] ) || !isset( $this->allSessionIds[$oldId] ) ||
935 $this->allSessionBackends[$oldId] !== $backend ||
936 $this->allSessionIds[$oldId] !== $sessionId
938 throw new InvalidArgumentException(
'Backend was not registered with this SessionManager' );
941 $newId = $this->generateSessionId();
943 unset( $this->allSessionBackends[$oldId], $this->allSessionIds[$oldId] );
944 $sessionId->setId( $newId );
945 $this->allSessionBackends[$newId] = $backend;
946 $this->allSessionIds[$newId] = $sessionId;
954 $id = \Wikimedia\base_convert( \MWCryptRand::generateHex( 40 ), 16, 32, 32 );
956 $key = $this->store->makeKey(
'MWSession', $id );
957 $this->store->set( $key,
false, 0, BagOStuff::WRITE_CACHE_ONLY );
967 $handler->
setManager( $this, $this->store, $this->logger );
976 if ( !defined(
'MW_PHPUNIT_TEST' ) && !defined(
'MW_PARSER_TEST' ) ) {
978 throw new LogicException( __METHOD__ .
' may only be called from unit tests!' );
982 self::$globalSession =
null;
983 self::$globalSessionRequest =
null;
988 'id' => $info->
getId(),
992 'clientip' => $request->
getIP(),
993 'userAgent' => $request->
getHeader(
'user-agent' ),
997 $logData[
'user'] = $info->
getUserInfo()->getName();
999 $logData[
'userVerified'] = $info->
getUserInfo()->isVerified();
1001 $this->logger->info(
'Failed to load session, unpersisting', $logData );
1016 $session = $session ?: self::getGlobalSession();
1019 if ( $suspiciousIpExpiry ===
false
1021 || !$session->isPersistent() || $session->getUser()->isAnon()
1028 $ip = $session->getRequest()->getIP();
1032 if ( $ip ===
'127.0.0.1' || $proxyLookup->isConfiguredProxy( $ip ) ) {
1035 $mwuser = $session->getRequest()->getCookie(
'mwuser-sessionId' );
1036 $now = (int)\
MediaWiki\Utils\MWTimestamp::now( TS_UNIX );
1042 $data = $session->get(
'SessionManager-logPotentialSessionLeakage', [] )
1043 + [
'ip' =>
null,
'mwuser' =>
null,
'timestamp' => 0 ];
1047 ( $now - $data[
'timestamp'] > $suspiciousIpExpiry )
1049 $data[
'ip'] = $data[
'timestamp'] =
null;
1052 if ( $data[
'ip'] !== $ip || $data[
'mwuser'] !== $mwuser ) {
1053 $session->set(
'SessionManager-logPotentialSessionLeakage',
1054 [
'ip' => $ip,
'mwuser' => $mwuser,
'timestamp' => $now ] );
1057 $ipChanged = ( $data[
'ip'] && $data[
'ip'] !== $ip );
1058 $mwuserChanged = ( $data[
'mwuser'] && $data[
'mwuser'] !== $mwuser );
1059 $logLevel = $message =
null;
1067 $logLevel = LogLevel::INFO;
1068 $message =
'IP change within the same session';
1070 'oldIp' => $data[
'ip'],
1071 'oldIpRecorded' => $data[
'timestamp'],
1074 if ( $mwuserChanged ) {
1075 $logLevel = LogLevel::NOTICE;
1076 $message =
'mwuser change within the same session';
1078 'oldMwuser' => $data[
'mwuser'],
1079 'newMwuser' => $mwuser,
1082 if ( $ipChanged && $mwuserChanged ) {
1083 $logLevel = LogLevel::WARNING;
1084 $message =
'IP and mwuser change within the same session';
1088 'session' => $session->getId(),
1089 'user' => $session->getUser()->getName(),
1091 'userAgent' => $session->getRequest()->getHeader(
'user-agent' ),
1093 $logger = \MediaWiki\Logger\LoggerFactory::getInstance(
'session-ip' );
1095 $logger->log( $logLevel, $message, $logData );