MediaWiki  master
SessionManager.php
Go to the documentation of this file.
1 <?php
24 namespace MediaWiki\Session;
25 
26 use MediaWiki\MediaWikiServices;
27 use MWException;
28 use Psr\Log\LoggerInterface;
29 use BagOStuff;
30 use CachedBagOStuff;
31 use Config;
32 use FauxRequest;
33 use User;
34 use WebRequest;
35 use Wikimedia\ObjectFactory;
36 
50 final class SessionManager implements SessionManagerInterface {
52  private static $instance = null;
53 
55  private static $globalSession = null;
56 
58  private static $globalSessionRequest = null;
59 
61  private $logger;
62 
64  private $config;
65 
67  private $store;
68 
70  private $sessionProviders = null;
71 
73  private $varyCookies = null;
74 
76  private $varyHeaders = null;
77 
79  private $allSessionBackends = [];
80 
82  private $allSessionIds = [];
83 
85  private $preventUsers = [];
86 
92  public static function singleton() {
93  if ( self::$instance === null ) {
94  self::$instance = new self();
95  }
96  return self::$instance;
97  }
98 
107  public static function getGlobalSession() {
108  if ( !PHPSessionHandler::isEnabled() ) {
109  $id = '';
110  } else {
111  $id = session_id();
112  }
113 
114  $request = \RequestContext::getMain()->getRequest();
115  if (
116  !self::$globalSession // No global session is set up yet
117  || self::$globalSessionRequest !== $request // The global WebRequest changed
118  || $id !== '' && self::$globalSession->getId() !== $id // Someone messed with session_id()
119  ) {
120  self::$globalSessionRequest = $request;
121  if ( $id === '' ) {
122  // session_id() wasn't used, so fetch the Session from the WebRequest.
123  // We use $request->getSession() instead of $singleton->getSessionForRequest()
124  // because doing the latter would require a public
125  // "$request->getSessionId()" method that would confuse end
126  // users by returning SessionId|null where they'd expect it to
127  // be short for $request->getSession()->getId(), and would
128  // wind up being a duplicate of the code in
129  // $request->getSession() anyway.
130  self::$globalSession = $request->getSession();
131  } else {
132  // Someone used session_id(), so we need to follow suit.
133  // Note this overwrites whatever session might already be
134  // associated with $request with the one for $id.
135  self::$globalSession = self::singleton()->getSessionById( $id, true, $request )
136  ?: $request->getSession();
137  }
138  }
139  return self::$globalSession;
140  }
141 
148  public function __construct( $options = [] ) {
149  if ( isset( $options['config'] ) ) {
150  $this->config = $options['config'];
151  if ( !$this->config instanceof Config ) {
152  throw new \InvalidArgumentException(
153  '$options[\'config\'] must be an instance of Config'
154  );
155  }
156  } else {
157  $this->config = MediaWikiServices::getInstance()->getMainConfig();
158  }
159 
160  if ( isset( $options['logger'] ) ) {
161  if ( !$options['logger'] instanceof LoggerInterface ) {
162  throw new \InvalidArgumentException(
163  '$options[\'logger\'] must be an instance of LoggerInterface'
164  );
165  }
166  $this->setLogger( $options['logger'] );
167  } else {
168  $this->setLogger( \MediaWiki\Logger\LoggerFactory::getInstance( 'session' ) );
169  }
170 
171  if ( isset( $options['store'] ) ) {
172  if ( !$options['store'] instanceof BagOStuff ) {
173  throw new \InvalidArgumentException(
174  '$options[\'store\'] must be an instance of BagOStuff'
175  );
176  }
177  $store = $options['store'];
178  } else {
179  $store = \ObjectCache::getInstance( $this->config->get( 'SessionCacheType' ) );
180  }
181  $this->store = $store instanceof CachedBagOStuff ? $store : new CachedBagOStuff( $store );
182 
183  register_shutdown_function( [ $this, 'shutdown' ] );
184  }
185 
186  public function setLogger( LoggerInterface $logger ) {
187  $this->logger = $logger;
188  }
189 
190  public function getSessionForRequest( WebRequest $request ) {
191  $info = $this->getSessionInfoForRequest( $request );
192 
193  if ( !$info ) {
194  $session = $this->getEmptySession( $request );
195  } else {
196  $session = $this->getSessionFromInfo( $info, $request );
197  }
198  return $session;
199  }
200 
201  public function getSessionById( $id, $create = false, WebRequest $request = null ) {
202  if ( !self::validateSessionId( $id ) ) {
203  throw new \InvalidArgumentException( 'Invalid session ID' );
204  }
205  if ( !$request ) {
206  $request = new FauxRequest;
207  }
208 
209  $session = null;
210  $info = new SessionInfo( SessionInfo::MIN_PRIORITY, [ 'id' => $id, 'idIsSafe' => true ] );
211 
212  // If we already have the backend loaded, use it directly
213  if ( isset( $this->allSessionBackends[$id] ) ) {
214  return $this->getSessionFromInfo( $info, $request );
215  }
216 
217  // Test if the session is in storage, and if so try to load it.
218  $key = $this->store->makeKey( 'MWSession', $id );
219  if ( is_array( $this->store->get( $key ) ) ) {
220  $create = false; // If loading fails, don't bother creating because it probably will fail too.
221  if ( $this->loadSessionInfoFromStore( $info, $request ) ) {
222  $session = $this->getSessionFromInfo( $info, $request );
223  }
224  }
225 
226  if ( $create && $session === null ) {
227  $ex = null;
228  try {
229  $session = $this->getEmptySessionInternal( $request, $id );
230  } catch ( \Exception $ex ) {
231  $this->logger->error( 'Failed to create empty session: {exception}',
232  [
233  'method' => __METHOD__,
234  'exception' => $ex,
235  ] );
236  $session = null;
237  }
238  }
239 
240  return $session;
241  }
242 
243  public function getEmptySession( WebRequest $request = null ) {
244  return $this->getEmptySessionInternal( $request );
245  }
246 
253  private function getEmptySessionInternal( WebRequest $request = null, $id = null ) {
254  if ( $id !== null ) {
255  if ( !self::validateSessionId( $id ) ) {
256  throw new \InvalidArgumentException( 'Invalid session ID' );
257  }
258 
259  $key = $this->store->makeKey( 'MWSession', $id );
260  if ( is_array( $this->store->get( $key ) ) ) {
261  throw new \InvalidArgumentException( 'Session ID already exists' );
262  }
263  }
264  if ( !$request ) {
265  $request = new FauxRequest;
266  }
267 
268  $infos = [];
269  foreach ( $this->getProviders() as $provider ) {
270  $info = $provider->newSessionInfo( $id );
271  if ( !$info ) {
272  continue;
273  }
274  if ( $info->getProvider() !== $provider ) {
275  throw new \UnexpectedValueException(
276  "$provider returned an empty session info for a different provider: $info"
277  );
278  }
279  if ( $id !== null && $info->getId() !== $id ) {
280  throw new \UnexpectedValueException(
281  "$provider returned empty session info with a wrong id: " .
282  $info->getId() . ' != ' . $id
283  );
284  }
285  if ( !$info->isIdSafe() ) {
286  throw new \UnexpectedValueException(
287  "$provider returned empty session info with id flagged unsafe"
288  );
289  }
290  $compare = $infos ? SessionInfo::compare( $infos[0], $info ) : -1;
291  if ( $compare > 0 ) {
292  continue;
293  }
294  if ( $compare === 0 ) {
295  $infos[] = $info;
296  } else {
297  $infos = [ $info ];
298  }
299  }
300 
301  // Make sure there's exactly one
302  if ( count( $infos ) > 1 ) {
303  throw new \UnexpectedValueException(
304  'Multiple empty sessions tied for top priority: ' . implode( ', ', $infos )
305  );
306  } elseif ( count( $infos ) < 1 ) {
307  throw new \UnexpectedValueException( 'No provider could provide an empty session!' );
308  }
309 
310  return $this->getSessionFromInfo( $infos[0], $request );
311  }
312 
313  public function invalidateSessionsForUser( User $user ) {
314  $user->setToken();
315  $user->saveSettings();
316 
317  $authUser = \MediaWiki\Auth\AuthManager::callLegacyAuthPlugin( 'getUserInstance', [ &$user ] );
318  if ( $authUser ) {
319  $authUser->resetAuthToken();
320  }
321 
322  foreach ( $this->getProviders() as $provider ) {
323  $provider->invalidateSessionsForUser( $user );
324  }
325  }
326 
327  public function getVaryHeaders() {
328  // @codeCoverageIgnoreStart
329  if ( defined( 'MW_NO_SESSION' ) && MW_NO_SESSION !== 'warn' ) {
330  return [];
331  }
332  // @codeCoverageIgnoreEnd
333  if ( $this->varyHeaders === null ) {
334  $headers = [];
335  foreach ( $this->getProviders() as $provider ) {
336  foreach ( $provider->getVaryHeaders() as $header => $options ) {
337  if ( !isset( $headers[$header] ) ) {
338  $headers[$header] = [];
339  }
340  if ( is_array( $options ) ) {
341  $headers[$header] = array_unique( array_merge( $headers[$header], $options ) );
342  }
343  }
344  }
345  $this->varyHeaders = $headers;
346  }
347  return $this->varyHeaders;
348  }
349 
350  public function getVaryCookies() {
351  // @codeCoverageIgnoreStart
352  if ( defined( 'MW_NO_SESSION' ) && MW_NO_SESSION !== 'warn' ) {
353  return [];
354  }
355  // @codeCoverageIgnoreEnd
356  if ( $this->varyCookies === null ) {
357  $cookies = [];
358  foreach ( $this->getProviders() as $provider ) {
359  $cookies = array_merge( $cookies, $provider->getVaryCookies() );
360  }
361  $this->varyCookies = array_values( array_unique( $cookies ) );
362  }
363  return $this->varyCookies;
364  }
365 
371  public static function validateSessionId( $id ) {
372  return is_string( $id ) && preg_match( '/^[a-zA-Z0-9_-]{32,}$/', $id );
373  }
374 
388  public static function autoCreateUser( User $user ) {
389  wfDeprecated( __METHOD__, '1.27' );
390  return \MediaWiki\Auth\AuthManager::singleton()->autoCreateUser(
391  $user,
392  \MediaWiki\Auth\AuthManager::AUTOCREATE_SOURCE_SESSION,
393  false
394  )->isGood();
395  }
396 
406  public function preventSessionsForUser( $username ) {
407  $this->preventUsers[$username] = true;
408 
409  // Instruct the session providers to kill any other sessions too.
410  foreach ( $this->getProviders() as $provider ) {
411  $provider->preventSessionsForUser( $username );
412  }
413  }
414 
421  public function isUserSessionPrevented( $username ) {
422  return !empty( $this->preventUsers[$username] );
423  }
424 
429  protected function getProviders() {
430  if ( $this->sessionProviders === null ) {
431  $this->sessionProviders = [];
432  foreach ( $this->config->get( 'SessionProviders' ) as $spec ) {
433  $provider = ObjectFactory::getObjectFromSpec( $spec );
434  $provider->setLogger( $this->logger );
435  $provider->setConfig( $this->config );
436  $provider->setManager( $this );
437  if ( isset( $this->sessionProviders[(string)$provider] ) ) {
438  throw new \UnexpectedValueException( "Duplicate provider name \"$provider\"" );
439  }
440  $this->sessionProviders[(string)$provider] = $provider;
441  }
442  }
443  return $this->sessionProviders;
444  }
445 
456  public function getProvider( $name ) {
457  $providers = $this->getProviders();
458  return $providers[$name] ?? null;
459  }
460 
465  public function shutdown() {
466  if ( $this->allSessionBackends ) {
467  $this->logger->debug( 'Saving all sessions on shutdown' );
468  if ( session_id() !== '' ) {
469  // @codeCoverageIgnoreStart
470  session_write_close();
471  }
472  // @codeCoverageIgnoreEnd
473  foreach ( $this->allSessionBackends as $backend ) {
474  $backend->shutdown();
475  }
476  }
477  }
478 
484  private function getSessionInfoForRequest( WebRequest $request ) {
485  // Call all providers to fetch "the" session
486  $infos = [];
487  foreach ( $this->getProviders() as $provider ) {
488  $info = $provider->provideSessionInfo( $request );
489  if ( !$info ) {
490  continue;
491  }
492  if ( $info->getProvider() !== $provider ) {
493  throw new \UnexpectedValueException(
494  "$provider returned session info for a different provider: $info"
495  );
496  }
497  $infos[] = $info;
498  }
499 
500  // Sort the SessionInfos. Then find the first one that can be
501  // successfully loaded, and then all the ones after it with the same
502  // priority.
503  usort( $infos, 'MediaWiki\\Session\\SessionInfo::compare' );
504  $retInfos = [];
505  while ( $infos ) {
506  $info = array_pop( $infos );
507  if ( $this->loadSessionInfoFromStore( $info, $request ) ) {
508  $retInfos[] = $info;
509  while ( $infos ) {
510  $info = array_pop( $infos );
511  if ( SessionInfo::compare( $retInfos[0], $info ) ) {
512  // We hit a lower priority, stop checking.
513  break;
514  }
515  if ( $this->loadSessionInfoFromStore( $info, $request ) ) {
516  // This is going to error out below, but we want to
517  // provide a complete list.
518  $retInfos[] = $info;
519  } else {
520  // Session load failed, so unpersist it from this request
521  $info->getProvider()->unpersistSession( $request );
522  }
523  }
524  } else {
525  // Session load failed, so unpersist it from this request
526  $info->getProvider()->unpersistSession( $request );
527  }
528  }
529 
530  if ( count( $retInfos ) > 1 ) {
531  $ex = new \OverflowException(
532  'Multiple sessions for this request tied for top priority: ' . implode( ', ', $retInfos )
533  );
534  $ex->sessionInfos = $retInfos;
535  throw $ex;
536  }
537 
538  return $retInfos ? $retInfos[0] : null;
539  }
540 
548  private function loadSessionInfoFromStore( SessionInfo &$info, WebRequest $request ) {
549  $key = $this->store->makeKey( 'MWSession', $info->getId() );
550  $blob = $this->store->get( $key );
551 
552  // If we got data from the store and the SessionInfo says to force use,
553  // "fail" means to delete the data from the store and retry. Otherwise,
554  // "fail" is just return false.
555  if ( $info->forceUse() && $blob !== false ) {
556  $failHandler = function () use ( $key, &$info, $request ) {
557  $this->store->delete( $key );
558  return $this->loadSessionInfoFromStore( $info, $request );
559  };
560  } else {
561  $failHandler = function () {
562  return false;
563  };
564  }
565 
566  $newParams = [];
567 
568  if ( $blob !== false ) {
569  // Sanity check: blob must be an array, if it's saved at all
570  if ( !is_array( $blob ) ) {
571  $this->logger->warning( 'Session "{session}": Bad data', [
572  'session' => $info,
573  ] );
574  $this->store->delete( $key );
575  return $failHandler();
576  }
577 
578  // Sanity check: blob has data and metadata arrays
579  if ( !isset( $blob['data'] ) || !is_array( $blob['data'] ) ||
580  !isset( $blob['metadata'] ) || !is_array( $blob['metadata'] )
581  ) {
582  $this->logger->warning( 'Session "{session}": Bad data structure', [
583  'session' => $info,
584  ] );
585  $this->store->delete( $key );
586  return $failHandler();
587  }
588 
589  $data = $blob['data'];
590  $metadata = $blob['metadata'];
591 
592  // Sanity check: metadata must be an array and must contain certain
593  // keys, if it's saved at all
594  if ( !array_key_exists( 'userId', $metadata ) ||
595  !array_key_exists( 'userName', $metadata ) ||
596  !array_key_exists( 'userToken', $metadata ) ||
597  !array_key_exists( 'provider', $metadata )
598  ) {
599  $this->logger->warning( 'Session "{session}": Bad metadata', [
600  'session' => $info,
601  ] );
602  $this->store->delete( $key );
603  return $failHandler();
604  }
605 
606  // First, load the provider from metadata, or validate it against the metadata.
607  $provider = $info->getProvider();
608  if ( $provider === null ) {
609  $newParams['provider'] = $provider = $this->getProvider( $metadata['provider'] );
610  if ( !$provider ) {
611  $this->logger->warning(
612  'Session "{session}": Unknown provider ' . $metadata['provider'],
613  [
614  'session' => $info,
615  ]
616  );
617  $this->store->delete( $key );
618  return $failHandler();
619  }
620  } elseif ( $metadata['provider'] !== (string)$provider ) {
621  $this->logger->warning( 'Session "{session}": Wrong provider ' .
622  $metadata['provider'] . ' !== ' . $provider,
623  [
624  'session' => $info,
625  ] );
626  return $failHandler();
627  }
628 
629  // Load provider metadata from metadata, or validate it against the metadata
630  $providerMetadata = $info->getProviderMetadata();
631  if ( isset( $metadata['providerMetadata'] ) ) {
632  if ( $providerMetadata === null ) {
633  $newParams['metadata'] = $metadata['providerMetadata'];
634  } else {
635  try {
636  $newProviderMetadata = $provider->mergeMetadata(
637  $metadata['providerMetadata'], $providerMetadata
638  );
639  if ( $newProviderMetadata !== $providerMetadata ) {
640  $newParams['metadata'] = $newProviderMetadata;
641  }
642  } catch ( MetadataMergeException $ex ) {
643  $this->logger->warning(
644  'Session "{session}": Metadata merge failed: {exception}',
645  [
646  'session' => $info,
647  'exception' => $ex,
648  ] + $ex->getContext()
649  );
650  return $failHandler();
651  }
652  }
653  }
654 
655  // Next, load the user from metadata, or validate it against the metadata.
656  $userInfo = $info->getUserInfo();
657  if ( !$userInfo ) {
658  // For loading, id is preferred to name.
659  try {
660  if ( $metadata['userId'] ) {
661  $userInfo = UserInfo::newFromId( $metadata['userId'] );
662  } elseif ( $metadata['userName'] !== null ) { // Shouldn't happen, but just in case
663  $userInfo = UserInfo::newFromName( $metadata['userName'] );
664  } else {
665  $userInfo = UserInfo::newAnonymous();
666  }
667  } catch ( \InvalidArgumentException $ex ) {
668  $this->logger->error( 'Session "{session}": {exception}', [
669  'session' => $info,
670  'exception' => $ex,
671  ] );
672  return $failHandler();
673  }
674  $newParams['userInfo'] = $userInfo;
675  } else {
676  // User validation passes if user ID matches, or if there
677  // is no saved ID and the names match.
678  if ( $metadata['userId'] ) {
679  if ( $metadata['userId'] !== $userInfo->getId() ) {
680  $this->logger->warning(
681  'Session "{session}": User ID mismatch, {uid_a} !== {uid_b}',
682  [
683  'session' => $info,
684  'uid_a' => $metadata['userId'],
685  'uid_b' => $userInfo->getId(),
686  ] );
687  return $failHandler();
688  }
689 
690  // If the user was renamed, probably best to fail here.
691  if ( $metadata['userName'] !== null &&
692  $userInfo->getName() !== $metadata['userName']
693  ) {
694  $this->logger->warning(
695  'Session "{session}": User ID matched but name didn\'t (rename?), {uname_a} !== {uname_b}',
696  [
697  'session' => $info,
698  'uname_a' => $metadata['userName'],
699  'uname_b' => $userInfo->getName(),
700  ] );
701  return $failHandler();
702  }
703 
704  } elseif ( $metadata['userName'] !== null ) { // Shouldn't happen, but just in case
705  if ( $metadata['userName'] !== $userInfo->getName() ) {
706  $this->logger->warning(
707  'Session "{session}": User name mismatch, {uname_a} !== {uname_b}',
708  [
709  'session' => $info,
710  'uname_a' => $metadata['userName'],
711  'uname_b' => $userInfo->getName(),
712  ] );
713  return $failHandler();
714  }
715  } elseif ( !$userInfo->isAnon() ) {
716  // Metadata specifies an anonymous user, but the passed-in
717  // user isn't anonymous.
718  $this->logger->warning(
719  'Session "{session}": Metadata has an anonymous user, but a non-anon user was provided',
720  [
721  'session' => $info,
722  ] );
723  return $failHandler();
724  }
725  }
726 
727  // And if we have a token in the metadata, it must match the loaded/provided user.
728  if ( $metadata['userToken'] !== null &&
729  $userInfo->getToken() !== $metadata['userToken']
730  ) {
731  $this->logger->warning( 'Session "{session}": User token mismatch', [
732  'session' => $info,
733  ] );
734  return $failHandler();
735  }
736  if ( !$userInfo->isVerified() ) {
737  $newParams['userInfo'] = $userInfo->verified();
738  }
739 
740  if ( !empty( $metadata['remember'] ) && !$info->wasRemembered() ) {
741  $newParams['remembered'] = true;
742  }
743  if ( !empty( $metadata['forceHTTPS'] ) && !$info->forceHTTPS() ) {
744  $newParams['forceHTTPS'] = true;
745  }
746  if ( !empty( $metadata['persisted'] ) && !$info->wasPersisted() ) {
747  $newParams['persisted'] = true;
748  }
749 
750  if ( !$info->isIdSafe() ) {
751  $newParams['idIsSafe'] = true;
752  }
753  } else {
754  // No metadata, so we can't load the provider if one wasn't given.
755  if ( $info->getProvider() === null ) {
756  $this->logger->warning(
757  'Session "{session}": Null provider and no metadata',
758  [
759  'session' => $info,
760  ] );
761  return $failHandler();
762  }
763 
764  // If no user was provided and no metadata, it must be anon.
765  if ( !$info->getUserInfo() ) {
766  if ( $info->getProvider()->canChangeUser() ) {
767  $newParams['userInfo'] = UserInfo::newAnonymous();
768  } else {
769  $this->logger->info(
770  'Session "{session}": No user provided and provider cannot set user',
771  [
772  'session' => $info,
773  ] );
774  return $failHandler();
775  }
776  } elseif ( !$info->getUserInfo()->isVerified() ) {
777  // probably just a session timeout
778  $this->logger->info(
779  'Session "{session}": Unverified user provided and no metadata to auth it',
780  [
781  'session' => $info,
782  ] );
783  return $failHandler();
784  }
785 
786  $data = false;
787  $metadata = false;
788 
789  if ( !$info->getProvider()->persistsSessionId() && !$info->isIdSafe() ) {
790  // The ID doesn't come from the user, so it should be safe
791  // (and if not, nothing we can do about it anyway)
792  $newParams['idIsSafe'] = true;
793  }
794  }
795 
796  // Construct the replacement SessionInfo, if necessary
797  if ( $newParams ) {
798  $newParams['copyFrom'] = $info;
799  $info = new SessionInfo( $info->getPriority(), $newParams );
800  }
801 
802  // Allow the provider to check the loaded SessionInfo
803  $providerMetadata = $info->getProviderMetadata();
804  if ( !$info->getProvider()->refreshSessionInfo( $info, $request, $providerMetadata ) ) {
805  return $failHandler();
806  }
807  if ( $providerMetadata !== $info->getProviderMetadata() ) {
808  $info = new SessionInfo( $info->getPriority(), [
809  'metadata' => $providerMetadata,
810  'copyFrom' => $info,
811  ] );
812  }
813 
814  // Give hooks a chance to abort. Combined with the SessionMetadata
815  // hook, this can allow for tying a session to an IP address or the
816  // like.
817  $reason = 'Hook aborted';
818  if ( !\Hooks::run(
819  'SessionCheckInfo',
820  [ &$reason, $info, $request, $metadata, $data ]
821  ) ) {
822  $this->logger->warning( 'Session "{session}": ' . $reason, [
823  'session' => $info,
824  ] );
825  return $failHandler();
826  }
827 
828  return true;
829  }
830 
839  public function getSessionFromInfo( SessionInfo $info, WebRequest $request ) {
840  // @codeCoverageIgnoreStart
841  if ( defined( 'MW_NO_SESSION' ) ) {
842  if ( MW_NO_SESSION === 'warn' ) {
843  // Undocumented safety case for converting existing entry points
844  $this->logger->error( 'Sessions are supposed to be disabled for this entry point', [
845  'exception' => new \BadMethodCallException( 'Sessions are disabled for this entry point' ),
846  ] );
847  } else {
848  throw new \BadMethodCallException( 'Sessions are disabled for this entry point' );
849  }
850  }
851  // @codeCoverageIgnoreEnd
852 
853  $id = $info->getId();
854 
855  if ( !isset( $this->allSessionBackends[$id] ) ) {
856  if ( !isset( $this->allSessionIds[$id] ) ) {
857  $this->allSessionIds[$id] = new SessionId( $id );
858  }
859  $backend = new SessionBackend(
860  $this->allSessionIds[$id],
861  $info,
862  $this->store,
863  $this->logger,
864  $this->config->get( 'ObjectCacheSessionExpiry' )
865  );
866  $this->allSessionBackends[$id] = $backend;
867  $delay = $backend->delaySave();
868  } else {
869  $backend = $this->allSessionBackends[$id];
870  $delay = $backend->delaySave();
871  if ( $info->wasPersisted() ) {
872  $backend->persist();
873  }
874  if ( $info->wasRemembered() ) {
875  $backend->setRememberUser( true );
876  }
877  }
878 
879  $request->setSessionId( $backend->getSessionId() );
880  $session = $backend->getSession( $request );
881 
882  if ( !$info->isIdSafe() ) {
883  $session->resetId();
884  }
885 
886  \Wikimedia\ScopedCallback::consume( $delay );
887  return $session;
888  }
889 
895  public function deregisterSessionBackend( SessionBackend $backend ) {
896  $id = $backend->getId();
897  if ( !isset( $this->allSessionBackends[$id] ) || !isset( $this->allSessionIds[$id] ) ||
898  $this->allSessionBackends[$id] !== $backend ||
899  $this->allSessionIds[$id] !== $backend->getSessionId()
900  ) {
901  throw new \InvalidArgumentException( 'Backend was not registered with this SessionManager' );
902  }
903 
904  unset( $this->allSessionBackends[$id] );
905  // Explicitly do not unset $this->allSessionIds[$id]
906  }
907 
913  public function changeBackendId( SessionBackend $backend ) {
914  $sessionId = $backend->getSessionId();
915  $oldId = (string)$sessionId;
916  if ( !isset( $this->allSessionBackends[$oldId] ) || !isset( $this->allSessionIds[$oldId] ) ||
917  $this->allSessionBackends[$oldId] !== $backend ||
918  $this->allSessionIds[$oldId] !== $sessionId
919  ) {
920  throw new \InvalidArgumentException( 'Backend was not registered with this SessionManager' );
921  }
922 
923  $newId = $this->generateSessionId();
924 
925  unset( $this->allSessionBackends[$oldId], $this->allSessionIds[$oldId] );
926  $sessionId->setId( $newId );
927  $this->allSessionBackends[$newId] = $backend;
928  $this->allSessionIds[$newId] = $sessionId;
929  }
930 
935  public function generateSessionId() {
936  do {
937  $id = \Wikimedia\base_convert( \MWCryptRand::generateHex( 40 ), 16, 32, 32 );
938  $key = $this->store->makeKey( 'MWSession', $id );
939  } while ( isset( $this->allSessionIds[$id] ) || is_array( $this->store->get( $key ) ) );
940  return $id;
941  }
942 
948  public function setupPHPSessionHandler( PHPSessionHandler $handler ) {
949  $handler->setManager( $this, $this->store, $this->logger );
950  }
951 
956  public static function resetCache() {
957  if ( !defined( 'MW_PHPUNIT_TEST' ) ) {
958  // @codeCoverageIgnoreStart
959  throw new MWException( __METHOD__ . ' may only be called from unit tests!' );
960  // @codeCoverageIgnoreEnd
961  }
962 
963  self::$globalSession = null;
964  self::$globalSessionRequest = null;
965  }
966 
969 }
MediaWiki\Session\SessionManager\getVaryCookies
getVaryCookies()
Return the list of cookies that need varying on.
Definition: SessionManager.php:350
MediaWiki\Session\SessionInfo\MIN_PRIORITY
const MIN_PRIORITY
Minimum allowed priority.
Definition: SessionInfo.php:36
MediaWiki\Session\SessionBackend\getSessionId
getSessionId()
Fetch the SessionId object.
Definition: SessionBackend.php:214
MediaWiki\Session\SessionBackend
This is the actual workhorse for Session.
Definition: SessionBackend.php:49
MediaWiki\Session\SessionManager\getProviders
getProviders()
Get the available SessionProviders.
Definition: SessionManager.php:429
MediaWiki\Session\SessionInfo\getUserInfo
getUserInfo()
Return the user.
Definition: SessionInfo.php:225
MediaWiki\Session\SessionManager\isUserSessionPrevented
isUserSessionPrevented( $username)
Test if a user is prevented.
Definition: SessionManager.php:421
MediaWiki\Session\SessionManager\$allSessionBackends
SessionBackend [] $allSessionBackends
Definition: SessionManager.php:79
User\saveSettings
saveSettings()
Save this user&#39;s settings into the database.
Definition: User.php:4218
false
processing should stop and the error should be shown to the user * false
Definition: hooks.txt:187
use
Apache License January AND DISTRIBUTION Definitions License shall mean the terms and conditions for use
Definition: APACHE-LICENSE-2.0.txt:3
MediaWiki\Session\SessionManager\changeBackendId
changeBackendId(SessionBackend $backend)
Change a SessionBackend&#39;s ID.
Definition: SessionManager.php:913
MediaWiki\Session\SessionManager\getEmptySessionInternal
getEmptySessionInternal(WebRequest $request=null, $id=null)
Definition: SessionManager.php:253
MediaWiki\Session\SessionInfo\getPriority
getPriority()
Return the priority.
Definition: SessionInfo.php:217
MediaWiki\Session\SessionManager\getEmptySession
getEmptySession(WebRequest $request=null)
Create a new, empty session.
Definition: SessionManager.php:243
string
This code would result in ircNotify being run twice when an article is and once for brion Hooks can return three possible true was required This is the default since MediaWiki *some string
Definition: hooks.txt:175
ObjectCache\getInstance
static getInstance( $id)
Get a cached instance of the specified type of cache object.
Definition: ObjectCache.php:92
MediaWiki\Session\SessionManager\$instance
static SessionManager null $instance
Definition: SessionManager.php:52
MediaWikiServices
injection txt This is an overview of how MediaWiki makes use of dependency injection The design described here grew from the discussion of RFC T384 The term dependency this means that anything an object needs to operate should be injected from the the object itself should only know narrow no concrete implementation of the logic it relies on The requirement to inject everything typically results in an architecture that based on two main types of and essentially stateless service objects that use other service objects to operate on the value objects As of the beginning MediaWiki is only starting to use the DI approach Much of the code still relies on global state or direct resulting in a highly cyclical dependency MediaWikiServices
Definition: injection.txt:23
User\setToken
setToken( $token=false)
Set the random token (used for persistent authentication) Called from loadDefaults() among other plac...
Definition: User.php:3053
MediaWiki\Session\SessionManager\autoCreateUser
static autoCreateUser(User $user)
Auto-create the given user, if necessary.
Definition: SessionManager.php:388
MediaWiki\Session\SessionInfo\compare
static compare( $a, $b)
Compare two SessionInfo objects by priority.
Definition: SessionInfo.php:284
MediaWiki\Session\SessionManager\shutdown
shutdown()
Save all active sessions on shutdown.
Definition: SessionManager.php:465
MediaWiki
A helper class for throttling authentication attempts.
MediaWiki\Session\SessionInfo\getId
getId()
Return the session ID.
Definition: SessionInfo.php:178
MediaWiki\Session\PHPSessionHandler\setManager
setManager(SessionManager $manager, BagOStuff $store, LoggerInterface $logger)
Set the manager, store, and logger.
Definition: PHPSessionHandler.php:156
MediaWiki\MediaWikiServices\getInstance
static getInstance()
Returns the global default instance of the top level service locator.
Definition: MediaWikiServices.php:121
MediaWiki\Session\MetadataMergeException
Subclass of UnexpectedValueException that can be annotated with additional data for debug logging...
Definition: MetadataMergeException.php:35
MediaWiki\Session\SessionInfo\forceUse
forceUse()
Force use of this SessionInfo if validation fails.
Definition: SessionInfo.php:209
MediaWiki\Session\SessionBackend\delaySave
delaySave()
Delay automatic saving while multiple updates are being made.
Definition: SessionBackend.php:591
MediaWiki\Session\SessionManager\getSessionFromInfo
getSessionFromInfo(SessionInfo $info, WebRequest $request)
Create a Session corresponding to the passed SessionInfo.
Definition: SessionManager.php:839
MediaWiki\Session\SessionManager\setupPHPSessionHandler
setupPHPSessionHandler(PHPSessionHandler $handler)
Call setters on a PHPSessionHandler.
Definition: SessionManager.php:948
store
MediaWiki s SiteStore can be cached and stored in a flat in a json format If the SiteStore is frequently the file cache may provide a performance benefit over a database store
Definition: sitescache.txt:1
MediaWiki\Session\SessionManager\preventSessionsForUser
preventSessionsForUser( $username)
Prevent future sessions for the user.
Definition: SessionManager.php:406
MW_NO_SESSION
const MW_NO_SESSION
Definition: load.php:30
MediaWiki\Session\UserInfo\newAnonymous
static newAnonymous()
Create an instance for an anonymous (i.e.
Definition: UserInfo.php:74
MediaWiki\Session\UserInfo\newFromId
static newFromId( $id, $verified=false)
Create an instance for a logged-in user by ID.
Definition: UserInfo.php:84
User
The User object encapsulates all of the user-specific settings (user_id, name, rights, email address, options, last login time).
Definition: User.php:47
$handler
this hook is for auditing only or null if authentication failed before getting that far or null if we can t even determine that When $user is not it can be in the form of< username >< more info > e g for bot passwords intended to be added to log contexts Fields it might only if the login was with a bot password probably a stub it is not rendered in wiki pages or galleries in category pages allow injecting custom HTML after the section Any uses of the hook need to handle escaping see BaseTemplate::getToolbox and BaseTemplate::makeListItem for details on the format of individual items inside of this array or by returning and letting standard HTTP rendering take place modifiable or by returning false and taking over the output modifiable modifiable after all normalizations have been except for the $wgMaxImageArea check set to true or false to override the $wgMaxImageArea check result gives extension the possibility to transform it themselves $handler
Definition: hooks.txt:780
MediaWiki\Session\SessionManager\resetCache
static resetCache()
Reset the internal caching for unit testing.
Definition: SessionManager.php:956
MediaWiki\Session\SessionManager\getSessionForRequest
getSessionForRequest(WebRequest $request)
Fetch the session for a request (or a new empty session if none is attached to it) ...
Definition: SessionManager.php:190
RequestContext\getMain
static getMain()
Get the RequestContext object associated with the main request.
Definition: RequestContext.php:432
Config
Interface for configuration instances.
Definition: Config.php:28
MediaWiki\Auth\AuthManager\callLegacyAuthPlugin
static callLegacyAuthPlugin( $method, array $params, $return=null)
Call a legacy AuthPlugin method, if necessary.
Definition: AuthManager.php:243
MediaWiki\Session\SessionManager\getSessionInfoForRequest
getSessionInfoForRequest(WebRequest $request)
Fetch the SessionInfo(s) for a request.
Definition: SessionManager.php:484
MediaWiki\Session\SessionManager\deregisterSessionBackend
deregisterSessionBackend(SessionBackend $backend)
Deregister a SessionBackend.
Definition: SessionManager.php:895
MediaWiki\Session\SessionManager\getSessionById
getSessionById( $id, $create=false, WebRequest $request=null)
Fetch a session by ID.
Definition: SessionManager.php:201
MediaWiki\Session\SessionInfo\getProvider
getProvider()
Return the provider.
Definition: SessionInfo.php:170
$options
null means default in associative array with keys and values unescaped Should be merged with default with a value of false meaning to suppress the attribute in associative array with keys and values unescaped & $options
Definition: hooks.txt:1995
MediaWiki\Session\SessionManager\setLogger
setLogger(LoggerInterface $logger)
Definition: SessionManager.php:186
MWCryptRand\generateHex
static generateHex( $chars)
Generate a run of cryptographically random data and return it in hexadecimal string format...
Definition: MWCryptRand.php:74
MediaWiki\Session\SessionManager\$globalSessionRequest
static WebRequest null $globalSessionRequest
Definition: SessionManager.php:58
null
this hook is for auditing only or null if authentication failed before getting that far or null if we can t even determine that When $user is not null
Definition: hooks.txt:780
MediaWiki\Session\SessionBackend\getId
getId()
Returns the session ID.
Definition: SessionBackend.php:205
MediaWiki\Session\SessionInfo\getProviderMetadata
getProviderMetadata()
Return provider metadata.
Definition: SessionInfo.php:241
MediaWiki\Session\SessionInfo\wasPersisted
wasPersisted()
Return whether the session is persisted.
Definition: SessionInfo.php:233
$header
$header
Definition: updateCredits.php:35
MediaWiki\Session\PHPSessionHandler
Adapter for PHP&#39;s session handling.
Definition: PHPSessionHandler.php:34
as
This document is intended to provide useful advice for parties seeking to redistribute MediaWiki to end users It s targeted particularly at maintainers for Linux since it s been observed that distribution packages of MediaWiki often break We ve consistently had to recommend that users seeking support use official tarballs instead of their distribution s and this often solves whatever problem the user is having It would be nice if this could such as
Definition: distributors.txt:9
MediaWiki\Session\SessionManager\singleton
static singleton()
Get the global SessionManager.
Definition: SessionManager.php:92
WebRequest\setSessionId
setSessionId(SessionId $sessionId)
Set the session for this request.
Definition: WebRequest.php:761
MediaWiki\Session\SessionManager\generateSessionId
generateSessionId()
Generate a new random session ID.
Definition: SessionManager.php:935
User
User
Definition: All_system_messages.txt:425
MediaWiki\Session\PHPSessionHandler\isEnabled
static isEnabled()
Test whether the handler is installed and enabled.
Definition: PHPSessionHandler.php:100
MediaWiki\Session\SessionManager\getGlobalSession
static getGlobalSession()
Get the "global" session.
Definition: SessionManager.php:107
php
injection txt This is an overview of how MediaWiki makes use of dependency injection The design described here grew from the discussion of RFC T384 The term dependency this means that anything an object needs to operate should be injected from the the object itself should only know narrow no concrete implementation of the logic it relies on The requirement to inject everything typically results in an architecture that based on two main types of and essentially stateless service objects that use other service objects to operate on the value objects As of the beginning MediaWiki is only starting to use the DI approach Much of the code still relies on global state or direct resulting in a highly cyclical dependency which acts as the top level factory for services in MediaWiki which can be used to gain access to default instances of various services MediaWikiServices however also allows new services to be defined and default services to be redefined Services are defined or redefined by providing a callback the instantiator that will return a new instance of the service When it will create an instance of MediaWikiServices and populate it with the services defined in the files listed by thereby bootstrapping the DI framework Per $wgServiceWiringFiles lists includes ServiceWiring php
Definition: injection.txt:35
MediaWiki\Session\SessionManager\invalidateSessionsForUser
invalidateSessionsForUser(User $user)
Invalidate sessions for a user.
Definition: SessionManager.php:313
$username
this hook is for auditing only or null if authentication failed before getting that far $username
Definition: hooks.txt:780
MediaWiki\Session\SessionManager\$sessionProviders
SessionProvider [] $sessionProviders
Definition: SessionManager.php:70
MediaWiki\Session\UserInfo\newFromName
static newFromName( $name, $verified=false)
Create an instance for a logged-in user by name.
Definition: UserInfo.php:102
MediaWiki\Session\SessionId
Value object holding the session ID in a manner that can be globally updated.
Definition: SessionId.php:38
wfDeprecated
wfDeprecated( $function, $version=false, $component=false, $callerOffset=2)
Throws a warning that $function is deprecated.
Definition: GlobalFunctions.php:1077
MediaWiki\Session\SessionManager\getVaryHeaders
getVaryHeaders()
Return the HTTP headers that need varying on.
Definition: SessionManager.php:327
MediaWiki\Session\SessionManager\$globalSession
static Session null $globalSession
Definition: SessionManager.php:55
$name
Allows to change the fields on the form that will be generated $name
Definition: hooks.txt:271
MediaWiki\Session\SessionManager
This serves as the entry point to the MediaWiki session handling system.
Definition: SessionManager.php:50
MediaWiki\Session\SessionManagerInterface
This exists to make IDEs happy, so they don&#39;t see the internal-but-required-to-be-public methods on S...
Definition: SessionManagerInterface.php:37
$request
do that in ParserLimitReportFormat instead use this to modify the parameters of the image all existing parser cache entries will be invalid To avoid you ll need to handle that somehow(e.g. with the RejectParserCacheValue hook) because MediaWiki won 't do it for you. & $defaults also a ContextSource after deleting those rows but within the same transaction you ll probably need to make sure the header is varied on $request
Definition: hooks.txt:2625
MediaWiki\Session\SessionManager\getProvider
getProvider( $name)
Get a session provider by name.
Definition: SessionManager.php:456
MediaWiki\Session\SessionManager\validateSessionId
static validateSessionId( $id)
Validate a session ID.
Definition: SessionManager.php:371
MediaWiki\Session\SessionInfo\forceHTTPS
forceHTTPS()
Whether this session should only be used over HTTPS.
Definition: SessionInfo.php:268
$user
return true to allow those checks to and false if checking is done & $user
Definition: hooks.txt:1486
MediaWiki\Session\SessionInfo
Value object returned by SessionProvider.
Definition: SessionInfo.php:34
Hooks\run
static run( $event, array $args=[], $deprecatedVersion=null)
Call hook functions defined in Hooks::register and $wgHooks.
Definition: Hooks.php:200
MediaWiki\Session\SessionManager\loadSessionInfoFromStore
loadSessionInfoFromStore(SessionInfo &$info, WebRequest $request)
Load and verify the session info against the store.
Definition: SessionManager.php:548
MediaWiki\Session\SessionInfo\wasRemembered
wasRemembered()
Return whether the user was remembered.
Definition: SessionInfo.php:260
MediaWiki\Session\SessionInfo\isIdSafe
isIdSafe()
Indicate whether the ID is "safe".
Definition: SessionInfo.php:194