MediaWiki  master
SessionManager.php
Go to the documentation of this file.
1 <?php
24 namespace MediaWiki\Session;
25 
26 use BagOStuff;
27 use CachedBagOStuff;
28 use LogicException;
29 use MediaWiki\Config\Config;
30 use MediaWiki\HookContainer\HookContainer;
31 use MediaWiki\HookContainer\HookRunner;
32 use MediaWiki\MainConfigNames;
33 use MediaWiki\MediaWikiServices;
34 use MediaWiki\Request\FauxRequest;
35 use MediaWiki\Request\WebRequest;
36 use MediaWiki\User\User;
37 use MediaWiki\User\UserNameUtils;
38 use MWException;
39 use Psr\Log\LoggerInterface;
40 use Psr\Log\LogLevel;
41 
79 class SessionManager implements SessionManagerInterface {
81  private static $instance = null;
82 
84  private static $globalSession = null;
85 
87  private static $globalSessionRequest = null;
88 
90  private $logger;
91 
93  private $hookContainer;
94 
96  private $hookRunner;
97 
99  private $config;
100 
102  private $userNameUtils;
103 
105  private $store;
106 
108  private $sessionProviders = null;
109 
111  private $varyCookies = null;
112 
114  private $varyHeaders = null;
115 
117  private $allSessionBackends = [];
118 
120  private $allSessionIds = [];
121 
123  private $preventUsers = [];
124 
129  public static function singleton() {
130  if ( self::$instance === null ) {
131  self::$instance = new self();
132  }
133  return self::$instance;
134  }
135 
142  public static function getGlobalSession(): Session {
143  if ( !PHPSessionHandler::isEnabled() ) {
144  $id = '';
145  } else {
146  $id = session_id();
147  }
148 
149  $request = \RequestContext::getMain()->getRequest();
150  if (
151  !self::$globalSession // No global session is set up yet
152  || self::$globalSessionRequest !== $request // The global WebRequest changed
153  || $id !== '' && self::$globalSession->getId() !== $id // Someone messed with session_id()
154  ) {
155  self::$globalSessionRequest = $request;
156  if ( $id === '' ) {
157  // session_id() wasn't used, so fetch the Session from the WebRequest.
158  // We use $request->getSession() instead of $singleton->getSessionForRequest()
159  // because doing the latter would require a public
160  // "$request->getSessionId()" method that would confuse end
161  // users by returning SessionId|null where they'd expect it to
162  // be short for $request->getSession()->getId(), and would
163  // wind up being a duplicate of the code in
164  // $request->getSession() anyway.
165  self::$globalSession = $request->getSession();
166  } else {
167  // Someone used session_id(), so we need to follow suit.
168  // Note this overwrites whatever session might already be
169  // associated with $request with the one for $id.
170  self::$globalSession = self::singleton()->getSessionById( $id, true, $request )
171  ?: $request->getSession();
172  }
173  }
174  return self::$globalSession;
175  }
176 
183  public function __construct( $options = [] ) {
184  if ( isset( $options['config'] ) ) {
185  $this->config = $options['config'];
186  if ( !$this->config instanceof Config ) {
187  throw new \InvalidArgumentException(
188  '$options[\'config\'] must be an instance of Config'
189  );
190  }
191  } else {
192  $this->config = MediaWikiServices::getInstance()->getMainConfig();
193  }
194 
195  if ( isset( $options['logger'] ) ) {
196  if ( !$options['logger'] instanceof LoggerInterface ) {
197  throw new \InvalidArgumentException(
198  '$options[\'logger\'] must be an instance of LoggerInterface'
199  );
200  }
201  $this->setLogger( $options['logger'] );
202  } else {
203  $this->setLogger( \MediaWiki\Logger\LoggerFactory::getInstance( 'session' ) );
204  }
205 
206  if ( isset( $options['hookContainer'] ) ) {
207  $this->setHookContainer( $options['hookContainer'] );
208  } else {
209  $this->setHookContainer( MediaWikiServices::getInstance()->getHookContainer() );
210  }
211 
212  if ( isset( $options['store'] ) ) {
213  if ( !$options['store'] instanceof BagOStuff ) {
214  throw new \InvalidArgumentException(
215  '$options[\'store\'] must be an instance of BagOStuff'
216  );
217  }
218  $store = $options['store'];
219  } else {
220  $store = \ObjectCache::getInstance( $this->config->get( MainConfigNames::SessionCacheType ) );
221  }
222 
223  $this->logger->debug( 'SessionManager using store ' . get_class( $store ) );
224  $this->store = $store instanceof CachedBagOStuff ? $store : new CachedBagOStuff( $store );
225  $this->userNameUtils = MediaWikiServices::getInstance()->getUserNameUtils();
226 
227  register_shutdown_function( [ $this, 'shutdown' ] );
228  }
229 
230  public function setLogger( LoggerInterface $logger ) {
231  $this->logger = $logger;
232  }
233 
238  public function setHookContainer( HookContainer $hookContainer ) {
239  $this->hookContainer = $hookContainer;
240  $this->hookRunner = new HookRunner( $hookContainer );
241  }
242 
243  public function getSessionForRequest( WebRequest $request ) {
244  $info = $this->getSessionInfoForRequest( $request );
245 
246  if ( !$info ) {
247  $session = $this->getInitialSession( $request );
248  } else {
249  $session = $this->getSessionFromInfo( $info, $request );
250  }
251  return $session;
252  }
253 
254  public function getSessionById( $id, $create = false, WebRequest $request = null ) {
255  if ( !self::validateSessionId( $id ) ) {
256  throw new \InvalidArgumentException( 'Invalid session ID' );
257  }
258  if ( !$request ) {
259  $request = new FauxRequest;
260  }
261 
262  $session = null;
263  $info = new SessionInfo( SessionInfo::MIN_PRIORITY, [ 'id' => $id, 'idIsSafe' => true ] );
264 
265  // If we already have the backend loaded, use it directly
266  if ( isset( $this->allSessionBackends[$id] ) ) {
267  return $this->getSessionFromInfo( $info, $request );
268  }
269 
270  // Test if the session is in storage, and if so try to load it.
271  $key = $this->store->makeKey( 'MWSession', $id );
272  if ( is_array( $this->store->get( $key ) ) ) {
273  $create = false; // If loading fails, don't bother creating because it probably will fail too.
274  if ( $this->loadSessionInfoFromStore( $info, $request ) ) {
275  $session = $this->getSessionFromInfo( $info, $request );
276  }
277  }
278 
279  if ( $create && $session === null ) {
280  try {
281  $session = $this->getEmptySessionInternal( $request, $id );
282  } catch ( \Exception $ex ) {
283  $this->logger->error( 'Failed to create empty session: {exception}',
284  [
285  'method' => __METHOD__,
286  'exception' => $ex,
287  ] );
288  $session = null;
289  }
290  }
291 
292  return $session;
293  }
294 
295  public function getEmptySession( WebRequest $request = null ) {
296  return $this->getEmptySessionInternal( $request );
297  }
298 
305  private function getEmptySessionInternal( WebRequest $request = null, $id = null ) {
306  if ( $id !== null ) {
307  if ( !self::validateSessionId( $id ) ) {
308  throw new \InvalidArgumentException( 'Invalid session ID' );
309  }
310 
311  $key = $this->store->makeKey( 'MWSession', $id );
312  if ( is_array( $this->store->get( $key ) ) ) {
313  throw new \InvalidArgumentException( 'Session ID already exists' );
314  }
315  }
316  if ( !$request ) {
317  $request = new FauxRequest;
318  }
319 
320  $infos = [];
321  foreach ( $this->getProviders() as $provider ) {
322  $info = $provider->newSessionInfo( $id );
323  if ( !$info ) {
324  continue;
325  }
326  if ( $info->getProvider() !== $provider ) {
327  throw new \UnexpectedValueException(
328  "$provider returned an empty session info for a different provider: $info"
329  );
330  }
331  if ( $id !== null && $info->getId() !== $id ) {
332  throw new \UnexpectedValueException(
333  "$provider returned empty session info with a wrong id: " .
334  $info->getId() . ' != ' . $id
335  );
336  }
337  if ( !$info->isIdSafe() ) {
338  throw new \UnexpectedValueException(
339  "$provider returned empty session info with id flagged unsafe"
340  );
341  }
342  $compare = $infos ? SessionInfo::compare( $infos[0], $info ) : -1;
343  if ( $compare > 0 ) {
344  continue;
345  }
346  if ( $compare === 0 ) {
347  $infos[] = $info;
348  } else {
349  $infos = [ $info ];
350  }
351  }
352 
353  // Make sure there's exactly one
354  if ( count( $infos ) > 1 ) {
355  throw new \UnexpectedValueException(
356  'Multiple empty sessions tied for top priority: ' . implode( ', ', $infos )
357  );
358  } elseif ( count( $infos ) < 1 ) {
359  throw new \UnexpectedValueException( 'No provider could provide an empty session!' );
360  }
361 
362  // @phan-suppress-next-line PhanTypePossiblyInvalidDimOffset False positive
363  return $this->getSessionFromInfo( $infos[0], $request );
364  }
365 
375  private function getInitialSession( WebRequest $request = null ) {
376  $session = $this->getEmptySession( $request );
377  $session->getToken();
378  return $session;
379  }
380 
381  public function invalidateSessionsForUser( User $user ) {
382  $user->setToken();
383  $user->saveSettings();
384 
385  foreach ( $this->getProviders() as $provider ) {
386  $provider->invalidateSessionsForUser( $user );
387  }
388  }
389 
390  public function getVaryHeaders() {
391  // @codeCoverageIgnoreStart
392  if ( defined( 'MW_NO_SESSION' ) && MW_NO_SESSION !== 'warn' ) {
393  return [];
394  }
395  // @codeCoverageIgnoreEnd
396  if ( $this->varyHeaders === null ) {
397  $headers = [];
398  foreach ( $this->getProviders() as $provider ) {
399  foreach ( $provider->getVaryHeaders() as $header => $options ) {
400  # Note that the $options value returned has been deprecated
401  # and is ignored.
402  $headers[$header] = null;
403  }
404  }
405  $this->varyHeaders = $headers;
406  }
407  return $this->varyHeaders;
408  }
409 
410  public function getVaryCookies() {
411  // @codeCoverageIgnoreStart
412  if ( defined( 'MW_NO_SESSION' ) && MW_NO_SESSION !== 'warn' ) {
413  return [];
414  }
415  // @codeCoverageIgnoreEnd
416  if ( $this->varyCookies === null ) {
417  $cookies = [];
418  foreach ( $this->getProviders() as $provider ) {
419  $cookies = array_merge( $cookies, $provider->getVaryCookies() );
420  }
421  $this->varyCookies = array_values( array_unique( $cookies ) );
422  }
423  return $this->varyCookies;
424  }
425 
431  public static function validateSessionId( $id ) {
432  return is_string( $id ) && preg_match( '/^[a-zA-Z0-9_-]{32,}$/', $id );
433  }
434 
435  /***************************************************************************/
436  // region Internal methods
448  public function preventSessionsForUser( $username ) {
449  $this->preventUsers[$username] = true;
450 
451  // Instruct the session providers to kill any other sessions too.
452  foreach ( $this->getProviders() as $provider ) {
453  $provider->preventSessionsForUser( $username );
454  }
455  }
456 
463  public function isUserSessionPrevented( $username ) {
464  return !empty( $this->preventUsers[$username] );
465  }
466 
471  protected function getProviders() {
472  if ( $this->sessionProviders === null ) {
473  $this->sessionProviders = [];
474  $objectFactory = MediaWikiServices::getInstance()->getObjectFactory();
475  foreach ( $this->config->get( MainConfigNames::SessionProviders ) as $spec ) {
477  $provider = $objectFactory->createObject( $spec );
478  $provider->init(
479  $this->logger,
480  $this->config,
481  $this,
482  $this->hookContainer,
483  $this->userNameUtils
484  );
485  if ( isset( $this->sessionProviders[(string)$provider] ) ) {
486  // @phan-suppress-next-line PhanTypeSuspiciousStringExpression
487  throw new \UnexpectedValueException( "Duplicate provider name \"$provider\"" );
488  }
489  $this->sessionProviders[(string)$provider] = $provider;
490  }
491  }
492  return $this->sessionProviders;
493  }
494 
505  public function getProvider( $name ) {
506  $providers = $this->getProviders();
507  return $providers[$name] ?? null;
508  }
509 
514  public function shutdown() {
515  if ( $this->allSessionBackends ) {
516  $this->logger->debug( 'Saving all sessions on shutdown' );
517  if ( session_id() !== '' ) {
518  // @codeCoverageIgnoreStart
519  session_write_close();
520  }
521  // @codeCoverageIgnoreEnd
522  foreach ( $this->allSessionBackends as $backend ) {
523  $backend->shutdown();
524  }
525  }
526  }
527 
533  private function getSessionInfoForRequest( WebRequest $request ) {
534  // Call all providers to fetch "the" session
535  $infos = [];
536  foreach ( $this->getProviders() as $provider ) {
537  $info = $provider->provideSessionInfo( $request );
538  if ( !$info ) {
539  continue;
540  }
541  if ( $info->getProvider() !== $provider ) {
542  throw new \UnexpectedValueException(
543  "$provider returned session info for a different provider: $info"
544  );
545  }
546  $infos[] = $info;
547  }
548 
549  // Sort the SessionInfos. Then find the first one that can be
550  // successfully loaded, and then all the ones after it with the same
551  // priority.
552  usort( $infos, [ SessionInfo::class, 'compare' ] );
553  $retInfos = [];
554  while ( $infos ) {
555  $info = array_pop( $infos );
556  if ( $this->loadSessionInfoFromStore( $info, $request ) ) {
557  $retInfos[] = $info;
558  while ( $infos ) {
560  $info = array_pop( $infos );
561  if ( SessionInfo::compare( $retInfos[0], $info ) ) {
562  // We hit a lower priority, stop checking.
563  break;
564  }
565  if ( $this->loadSessionInfoFromStore( $info, $request ) ) {
566  // This is going to error out below, but we want to
567  // provide a complete list.
568  $retInfos[] = $info;
569  } else {
570  // Session load failed, so unpersist it from this request
571  $this->logUnpersist( $info, $request );
572  $info->getProvider()->unpersistSession( $request );
573  }
574  }
575  } else {
576  // Session load failed, so unpersist it from this request
577  $this->logUnpersist( $info, $request );
578  $info->getProvider()->unpersistSession( $request );
579  }
580  }
581 
582  if ( count( $retInfos ) > 1 ) {
583  throw new SessionOverflowException(
584  $retInfos,
585  'Multiple sessions for this request tied for top priority: ' . implode( ', ', $retInfos )
586  );
587  }
588 
589  return $retInfos[0] ?? null;
590  }
591 
599  private function loadSessionInfoFromStore( SessionInfo &$info, WebRequest $request ) {
600  $key = $this->store->makeKey( 'MWSession', $info->getId() );
601  $blob = $this->store->get( $key );
602 
603  // If we got data from the store and the SessionInfo says to force use,
604  // "fail" means to delete the data from the store and retry. Otherwise,
605  // "fail" is just return false.
606  if ( $info->forceUse() && $blob !== false ) {
607  $failHandler = function () use ( $key, &$info, $request ) {
608  $this->store->delete( $key );
609  return $this->loadSessionInfoFromStore( $info, $request );
610  };
611  } else {
612  $failHandler = static function () {
613  return false;
614  };
615  }
616 
617  $newParams = [];
618 
619  if ( $blob !== false ) {
620  // Double check: blob must be an array, if it's saved at all
621  if ( !is_array( $blob ) ) {
622  $this->logger->warning( 'Session "{session}": Bad data', [
623  'session' => $info->__toString(),
624  ] );
625  $this->store->delete( $key );
626  return $failHandler();
627  }
628 
629  // Double check: blob has data and metadata arrays
630  if ( !isset( $blob['data'] ) || !is_array( $blob['data'] ) ||
631  !isset( $blob['metadata'] ) || !is_array( $blob['metadata'] )
632  ) {
633  $this->logger->warning( 'Session "{session}": Bad data structure', [
634  'session' => $info->__toString(),
635  ] );
636  $this->store->delete( $key );
637  return $failHandler();
638  }
639 
640  $data = $blob['data'];
641  $metadata = $blob['metadata'];
642 
643  // Double check: metadata must be an array and must contain certain
644  // keys, if it's saved at all
645  if ( !array_key_exists( 'userId', $metadata ) ||
646  !array_key_exists( 'userName', $metadata ) ||
647  !array_key_exists( 'userToken', $metadata ) ||
648  !array_key_exists( 'provider', $metadata )
649  ) {
650  $this->logger->warning( 'Session "{session}": Bad metadata', [
651  'session' => $info->__toString(),
652  ] );
653  $this->store->delete( $key );
654  return $failHandler();
655  }
656 
657  // First, load the provider from metadata, or validate it against the metadata.
658  $provider = $info->getProvider();
659  if ( $provider === null ) {
660  $newParams['provider'] = $provider = $this->getProvider( $metadata['provider'] );
661  if ( !$provider ) {
662  $this->logger->warning(
663  'Session "{session}": Unknown provider ' . $metadata['provider'],
664  [
665  'session' => $info->__toString(),
666  ]
667  );
668  $this->store->delete( $key );
669  return $failHandler();
670  }
671  } elseif ( $metadata['provider'] !== (string)$provider ) {
672  $this->logger->warning( 'Session "{session}": Wrong provider ' .
673  $metadata['provider'] . ' !== ' . $provider,
674  [
675  'session' => $info->__toString(),
676  ] );
677  return $failHandler();
678  }
679 
680  // Load provider metadata from metadata, or validate it against the metadata
681  $providerMetadata = $info->getProviderMetadata();
682  if ( isset( $metadata['providerMetadata'] ) ) {
683  if ( $providerMetadata === null ) {
684  $newParams['metadata'] = $metadata['providerMetadata'];
685  } else {
686  try {
687  $newProviderMetadata = $provider->mergeMetadata(
688  $metadata['providerMetadata'], $providerMetadata
689  );
690  if ( $newProviderMetadata !== $providerMetadata ) {
691  $newParams['metadata'] = $newProviderMetadata;
692  }
693  } catch ( MetadataMergeException $ex ) {
694  $this->logger->warning(
695  'Session "{session}": Metadata merge failed: {exception}',
696  [
697  'session' => $info->__toString(),
698  'exception' => $ex,
699  ] + $ex->getContext()
700  );
701  return $failHandler();
702  }
703  }
704  }
705 
706  // Next, load the user from metadata, or validate it against the metadata.
707  $userInfo = $info->getUserInfo();
708  if ( !$userInfo ) {
709  // For loading, id is preferred to name.
710  try {
711  if ( $metadata['userId'] ) {
712  $userInfo = UserInfo::newFromId( $metadata['userId'] );
713  } elseif ( $metadata['userName'] !== null ) { // Shouldn't happen, but just in case
714  $userInfo = UserInfo::newFromName( $metadata['userName'] );
715  } else {
716  $userInfo = UserInfo::newAnonymous();
717  }
718  } catch ( \InvalidArgumentException $ex ) {
719  $this->logger->error( 'Session "{session}": {exception}', [
720  'session' => $info->__toString(),
721  'exception' => $ex,
722  ] );
723  return $failHandler();
724  }
725  $newParams['userInfo'] = $userInfo;
726  } else {
727  // User validation passes if user ID matches, or if there
728  // is no saved ID and the names match.
729  if ( $metadata['userId'] ) {
730  if ( $metadata['userId'] !== $userInfo->getId() ) {
731  $this->logger->warning(
732  'Session "{session}": User ID mismatch, {uid_a} !== {uid_b}',
733  [
734  'session' => $info->__toString(),
735  'uid_a' => $metadata['userId'],
736  'uid_b' => $userInfo->getId(),
737  ] );
738  return $failHandler();
739  }
740 
741  // If the user was renamed, probably best to fail here.
742  if ( $metadata['userName'] !== null &&
743  $userInfo->getName() !== $metadata['userName']
744  ) {
745  $this->logger->warning(
746  'Session "{session}": User ID matched but name didn\'t (rename?), {uname_a} !== {uname_b}',
747  [
748  'session' => $info->__toString(),
749  'uname_a' => $metadata['userName'],
750  'uname_b' => $userInfo->getName(),
751  ] );
752  return $failHandler();
753  }
754 
755  } elseif ( $metadata['userName'] !== null ) { // Shouldn't happen, but just in case
756  if ( $metadata['userName'] !== $userInfo->getName() ) {
757  $this->logger->warning(
758  'Session "{session}": User name mismatch, {uname_a} !== {uname_b}',
759  [
760  'session' => $info->__toString(),
761  'uname_a' => $metadata['userName'],
762  'uname_b' => $userInfo->getName(),
763  ] );
764  return $failHandler();
765  }
766  } elseif ( !$userInfo->isAnon() ) {
767  // Metadata specifies an anonymous user, but the passed-in
768  // user isn't anonymous.
769  $this->logger->warning(
770  'Session "{session}": Metadata has an anonymous user, but a non-anon user was provided',
771  [
772  'session' => $info->__toString(),
773  ] );
774  return $failHandler();
775  }
776  }
777 
778  // And if we have a token in the metadata, it must match the loaded/provided user.
779  if ( $metadata['userToken'] !== null &&
780  $userInfo->getToken() !== $metadata['userToken']
781  ) {
782  $this->logger->warning( 'Session "{session}": User token mismatch', [
783  'session' => $info->__toString(),
784  ] );
785  return $failHandler();
786  }
787  if ( !$userInfo->isVerified() ) {
788  $newParams['userInfo'] = $userInfo->verified();
789  }
790 
791  if ( !empty( $metadata['remember'] ) && !$info->wasRemembered() ) {
792  $newParams['remembered'] = true;
793  }
794  if ( !empty( $metadata['forceHTTPS'] ) && !$info->forceHTTPS() ) {
795  $newParams['forceHTTPS'] = true;
796  }
797  if ( !empty( $metadata['persisted'] ) && !$info->wasPersisted() ) {
798  $newParams['persisted'] = true;
799  }
800 
801  if ( !$info->isIdSafe() ) {
802  $newParams['idIsSafe'] = true;
803  }
804  } else {
805  // No metadata, so we can't load the provider if one wasn't given.
806  if ( $info->getProvider() === null ) {
807  $this->logger->warning(
808  'Session "{session}": Null provider and no metadata',
809  [
810  'session' => $info->__toString(),
811  ] );
812  return $failHandler();
813  }
814 
815  // If no user was provided and no metadata, it must be anon.
816  if ( !$info->getUserInfo() ) {
817  if ( $info->getProvider()->canChangeUser() ) {
818  $newParams['userInfo'] = UserInfo::newAnonymous();
819  } else {
820  $this->logger->info(
821  'Session "{session}": No user provided and provider cannot set user',
822  [
823  'session' => $info->__toString(),
824  ] );
825  return $failHandler();
826  }
827  } elseif ( !$info->getUserInfo()->isVerified() ) {
828  // probably just a session timeout
829  $this->logger->info(
830  'Session "{session}": Unverified user provided and no metadata to auth it',
831  [
832  'session' => $info->__toString(),
833  ] );
834  return $failHandler();
835  }
836 
837  $data = false;
838  $metadata = false;
839 
840  if ( !$info->getProvider()->persistsSessionId() && !$info->isIdSafe() ) {
841  // The ID doesn't come from the user, so it should be safe
842  // (and if not, nothing we can do about it anyway)
843  $newParams['idIsSafe'] = true;
844  }
845  }
846 
847  // Construct the replacement SessionInfo, if necessary
848  if ( $newParams ) {
849  $newParams['copyFrom'] = $info;
850  $info = new SessionInfo( $info->getPriority(), $newParams );
851  }
852 
853  // Allow the provider to check the loaded SessionInfo
854  $providerMetadata = $info->getProviderMetadata();
855  if ( !$info->getProvider()->refreshSessionInfo( $info, $request, $providerMetadata ) ) {
856  return $failHandler();
857  }
858  if ( $providerMetadata !== $info->getProviderMetadata() ) {
859  $info = new SessionInfo( $info->getPriority(), [
860  'metadata' => $providerMetadata,
861  'copyFrom' => $info,
862  ] );
863  }
864 
865  // Give hooks a chance to abort. Combined with the SessionMetadata
866  // hook, this can allow for tying a session to an IP address or the
867  // like.
868  $reason = 'Hook aborted';
869  if ( !$this->hookRunner->onSessionCheckInfo(
870  $reason, $info, $request, $metadata, $data )
871  ) {
872  $this->logger->warning( 'Session "{session}": ' . $reason, [
873  'session' => $info->__toString(),
874  ] );
875  return $failHandler();
876  }
877 
878  return true;
879  }
880 
889  public function getSessionFromInfo( SessionInfo $info, WebRequest $request ) {
890  // @codeCoverageIgnoreStart
891  if ( defined( 'MW_NO_SESSION' ) ) {
892  $ep = defined( 'MW_ENTRY_POINT' ) ? MW_ENTRY_POINT : 'this';
893 
894  if ( MW_NO_SESSION === 'warn' ) {
895  // Undocumented safety case for converting existing entry points
896  $this->logger->error( 'Sessions are supposed to be disabled for this entry point', [
897  'exception' => new \BadMethodCallException( "Sessions are disabled for $ep entry point" ),
898  ] );
899  } else {
900  throw new \BadMethodCallException( "Sessions are disabled for $ep entry point" );
901  }
902  }
903  // @codeCoverageIgnoreEnd
904 
905  $id = $info->getId();
906 
907  if ( !isset( $this->allSessionBackends[$id] ) ) {
908  if ( !isset( $this->allSessionIds[$id] ) ) {
909  $this->allSessionIds[$id] = new SessionId( $id );
910  }
911  $backend = new SessionBackend(
912  $this->allSessionIds[$id],
913  $info,
914  $this->store,
915  $this->logger,
916  $this->hookContainer,
917  $this->config->get( MainConfigNames::ObjectCacheSessionExpiry )
918  );
919  $this->allSessionBackends[$id] = $backend;
920  $delay = $backend->delaySave();
921  } else {
922  $backend = $this->allSessionBackends[$id];
923  $delay = $backend->delaySave();
924  if ( $info->wasPersisted() ) {
925  $backend->persist();
926  }
927  if ( $info->wasRemembered() ) {
928  $backend->setRememberUser( true );
929  }
930  }
931 
932  $request->setSessionId( $backend->getSessionId() );
933  $session = $backend->getSession( $request );
934 
935  if ( !$info->isIdSafe() ) {
936  $session->resetId();
937  }
938 
939  \Wikimedia\ScopedCallback::consume( $delay );
940  return $session;
941  }
942 
948  public function deregisterSessionBackend( SessionBackend $backend ) {
949  $id = $backend->getId();
950  if ( !isset( $this->allSessionBackends[$id] ) || !isset( $this->allSessionIds[$id] ) ||
951  $this->allSessionBackends[$id] !== $backend ||
952  $this->allSessionIds[$id] !== $backend->getSessionId()
953  ) {
954  throw new \InvalidArgumentException( 'Backend was not registered with this SessionManager' );
955  }
956 
957  unset( $this->allSessionBackends[$id] );
958  // Explicitly do not unset $this->allSessionIds[$id]
959  }
960 
966  public function changeBackendId( SessionBackend $backend ) {
967  $sessionId = $backend->getSessionId();
968  $oldId = (string)$sessionId;
969  if ( !isset( $this->allSessionBackends[$oldId] ) || !isset( $this->allSessionIds[$oldId] ) ||
970  $this->allSessionBackends[$oldId] !== $backend ||
971  $this->allSessionIds[$oldId] !== $sessionId
972  ) {
973  throw new \InvalidArgumentException( 'Backend was not registered with this SessionManager' );
974  }
975 
976  $newId = $this->generateSessionId();
977 
978  unset( $this->allSessionBackends[$oldId], $this->allSessionIds[$oldId] );
979  $sessionId->setId( $newId );
980  $this->allSessionBackends[$newId] = $backend;
981  $this->allSessionIds[$newId] = $sessionId;
982  }
983 
988  public function generateSessionId() {
989  $id = \Wikimedia\base_convert( \MWCryptRand::generateHex( 40 ), 16, 32, 32 );
990  // Cache non-existence to avoid a later fetch
991  $key = $this->store->makeKey( 'MWSession', $id );
992  $this->store->set( $key, false, 0, BagOStuff::WRITE_CACHE_ONLY );
993  return $id;
994  }
995 
1001  public function setupPHPSessionHandler( PHPSessionHandler $handler ) {
1002  $handler->setManager( $this, $this->store, $this->logger );
1003  }
1004 
1010  public static function resetCache() {
1011  if ( !defined( 'MW_PHPUNIT_TEST' ) && !defined( 'MW_PARSER_TEST' ) ) {
1012  // @codeCoverageIgnoreStart
1013  throw new LogicException( __METHOD__ . ' may only be called from unit tests!' );
1014  // @codeCoverageIgnoreEnd
1015  }
1016 
1017  self::$globalSession = null;
1018  self::$globalSessionRequest = null;
1019  }
1020 
1021  private function logUnpersist( SessionInfo $info, WebRequest $request ) {
1022  $logData = [
1023  'id' => $info->getId(),
1024  'provider' => get_class( $info->getProvider() ),
1025  'user' => '<anon>',
1026  'clientip' => $request->getIP(),
1027  'userAgent' => $request->getHeader( 'user-agent' ),
1028  ];
1029  if ( $info->getUserInfo() ) {
1030  if ( !$info->getUserInfo()->isAnon() ) {
1031  $logData['user'] = $info->getUserInfo()->getName();
1032  }
1033  $logData['userVerified'] = $info->getUserInfo()->isVerified();
1034  }
1035  $this->logger->info( 'Failed to load session, unpersisting', $logData );
1036  }
1037 
1048  public function logPotentialSessionLeakage( Session $session = null ) {
1049  $proxyLookup = MediaWikiServices::getInstance()->getProxyLookup();
1050  $session = $session ?: self::getGlobalSession();
1051  $suspiciousIpExpiry = $this->config->get( MainConfigNames::SuspiciousIpExpiry );
1052 
1053  if ( $suspiciousIpExpiry === false
1054  // We only care about logged-in users.
1055  || !$session->isPersistent() || $session->getUser()->isAnon()
1056  // We only care about cookie-based sessions.
1057  || !( $session->getProvider() instanceof CookieSessionProvider )
1058  ) {
1059  return;
1060  }
1061  try {
1062  $ip = $session->getRequest()->getIP();
1063  } catch ( MWException $e ) {
1064  return;
1065  }
1066  if ( $ip === '127.0.0.1' || $proxyLookup->isConfiguredProxy( $ip ) ) {
1067  return;
1068  }
1069  $mwuser = $session->getRequest()->getCookie( 'mwuser-sessionId' );
1070  $now = (int)\MediaWiki\Utils\MWTimestamp::now( TS_UNIX );
1071 
1072  // Record (and possibly log) that the IP is using the current session.
1073  // Don't touch the stored data unless we are changing the IP or re-adding an expired one.
1074  // This is slightly inaccurate (when an existing IP is seen again, the expiry is not
1075  // extended) but that shouldn't make much difference and limits the session write frequency.
1076  $data = $session->get( 'SessionManager-logPotentialSessionLeakage', [] )
1077  + [ 'ip' => null, 'mwuser' => null, 'timestamp' => 0 ];
1078  // Ignore old IP records; users change networks over time. mwuser is a session cookie and the
1079  // SessionManager session id is also a session cookie so there shouldn't be any problem there.
1080  if ( $data['ip'] &&
1081  ( $now - $data['timestamp'] > $suspiciousIpExpiry )
1082  ) {
1083  $data['ip'] = $data['timestamp'] = null;
1084  }
1085 
1086  if ( $data['ip'] !== $ip || $data['mwuser'] !== $mwuser ) {
1087  $session->set( 'SessionManager-logPotentialSessionLeakage',
1088  [ 'ip' => $ip, 'mwuser' => $mwuser, 'timestamp' => $now ] );
1089  }
1090 
1091  $ipChanged = ( $data['ip'] && $data['ip'] !== $ip );
1092  $mwuserChanged = ( $data['mwuser'] && $data['mwuser'] !== $mwuser );
1093  $logLevel = $message = null;
1094  $logData = [];
1095  // IPs change all the time. mwuser is a session cookie that's only set when missing,
1096  // so it should only change when the browser session ends which ends the SessionManager
1097  // session as well. Unless we are dealing with a very weird client, such as a bot that
1098  //manipulates cookies and can run Javascript, it should not change.
1099  // IP and mwuser changing at the same time would be *very* suspicious.
1100  if ( $ipChanged ) {
1101  $logLevel = LogLevel::INFO;
1102  $message = 'IP change within the same session';
1103  $logData += [
1104  'oldIp' => $data['ip'],
1105  'oldIpRecorded' => $data['timestamp'],
1106  ];
1107  }
1108  if ( $mwuserChanged ) {
1109  $logLevel = LogLevel::NOTICE;
1110  $message = 'mwuser change within the same session';
1111  $logData += [
1112  'oldMwuser' => $data['mwuser'],
1113  'newMwuser' => $mwuser,
1114  ];
1115  }
1116  if ( $ipChanged && $mwuserChanged ) {
1117  $logLevel = LogLevel::WARNING;
1118  $message = 'IP and mwuser change within the same session';
1119  }
1120  if ( $logLevel ) {
1121  $logData += [
1122  'session' => $session->getId(),
1123  'user' => $session->getUser()->getName(),
1124  'clientip' => $ip,
1125  'userAgent' => $session->getRequest()->getHeader( 'user-agent' ),
1126  ];
1127  $logger = \MediaWiki\Logger\LoggerFactory::getInstance( 'session-ip' );
1128  // @phan-suppress-next-line PhanTypeMismatchArgumentNullable message is set when used here
1129  $logger->log( $logLevel, $message, $logData );
1130  }
1131  }
1132 
1133  // endregion -- end of Internal methods
1134 
1135 }
if
if(!defined('MW_SETUP_CALLBACK'))
Definition: WebStart.php:88
MW_ENTRY_POINT
const MW_ENTRY_POINT
Definition: api.php:44
BagOStuff
Class representing a cache/ephemeral data store.
Definition: BagOStuff.php:85
BagOStuff\WRITE_CACHE_ONLY
const WRITE_CACHE_ONLY
Bitfield constants for set()/merge(); these are only advisory.
Definition: BagOStuff.php:117
CachedBagOStuff
Wrapper around a BagOStuff that caches data in memory.
Definition: CachedBagOStuff.php:37
MWCryptRand\generateHex
static generateHex( $chars)
Generate a run of cryptographically random data and return it in hexadecimal string format.
Definition: MWCryptRand.php:36
MWException
MediaWiki exception.
Definition: MWException.php:33
MediaWiki\HookContainer\HookRunner
This class provides an implementation of the core hook interfaces, forwarding hook calls to HookConta...
Definition: HookRunner.php:568
MediaWiki\Logger\LoggerFactory\getInstance
static getInstance( $channel)
Get a named logger instance from the currently configured logger factory.
Definition: LoggerFactory.php:92
MediaWiki\MainConfigNames
A class containing constants representing the names of configuration variables.
Definition: MainConfigNames.php:22
MediaWiki\MainConfigNames\SuspiciousIpExpiry
const SuspiciousIpExpiry
Name constant for the SuspiciousIpExpiry setting, for use with Config::get()
Definition: MainConfigNames.php:1558
MediaWiki\MainConfigNames\SessionCacheType
const SessionCacheType
Name constant for the SessionCacheType setting, for use with Config::get()
Definition: MainConfigNames.php:1480
MediaWiki\MainConfigNames\SessionProviders
const SessionProviders
Name constant for the SessionProviders setting, for use with Config::get()
Definition: MainConfigNames.php:2687
MediaWiki\MainConfigNames\ObjectCacheSessionExpiry
const ObjectCacheSessionExpiry
Name constant for the ObjectCacheSessionExpiry setting, for use with Config::get()
Definition: MainConfigNames.php:1546
MediaWiki\MediaWikiServices
Service locator for MediaWiki core services.
Definition: MediaWikiServices.php:232
MediaWiki\MediaWikiServices\getInstance
static getInstance()
Returns the global default instance of the top level service locator.
Definition: MediaWikiServices.php:319
GuzzleHttp\Psr7\Request\FauxRequest
WebRequest clone which takes values from a provided array.
Definition: FauxRequest.php:42
GuzzleHttp\Psr7\Request\WebRequest
The WebRequest class encapsulates getting at data passed in the URL or via a POSTed form stripping il...
Definition: WebRequest.php:50
GuzzleHttp\Psr7\Request\WebRequest\setSessionId
setSessionId(SessionId $sessionId)
Set the session for this request.
Definition: WebRequest.php:839
GuzzleHttp\Psr7\Request\WebRequest\getSession
getSession()
Return the session for this request.
Definition: WebRequest.php:820
GuzzleHttp\Psr7\Request\WebRequest\getIP
getIP()
Work out the IP address based on various globals For trusted proxies, use the XFF client IP (first of...
Definition: WebRequest.php:1251
GuzzleHttp\Psr7\Request\WebRequest\getHeader
getHeader( $name, $flags=0)
Get a request header, or false if it isn't set.
Definition: WebRequest.php:1133
MediaWiki\Session\CookieSessionProvider
A CookieSessionProvider persists sessions using cookies.
Definition: CookieSessionProvider.php:37
MediaWiki\Session\PHPSessionHandler
Adapter for PHP's session handling.
Definition: PHPSessionHandler.php:38
MediaWiki\Session\PHPSessionHandler\setManager
setManager(SessionManagerInterface $manager, BagOStuff $store, LoggerInterface $logger)
Set the manager, store, and logger.
Definition: PHPSessionHandler.php:164
MediaWiki\Session\SessionBackend
This is the actual workhorse for Session.
Definition: SessionBackend.php:54
MediaWiki\Session\SessionBackend\getSessionId
getSessionId()
Fetch the SessionId object.
Definition: SessionBackend.php:263
MediaWiki\Session\SessionBackend\getId
getId()
Returns the session ID.
Definition: SessionBackend.php:254
MediaWiki\Session\SessionId
Value object holding the session ID in a manner that can be globally updated.
Definition: SessionId.php:40
MediaWiki\Session\SessionInfo
Value object returned by SessionProvider.
Definition: SessionInfo.php:37
MediaWiki\Session\SessionInfo\getId
getId()
Return the session ID.
Definition: SessionInfo.php:193
MediaWiki\Session\SessionInfo\getProvider
getProvider()
Return the provider.
Definition: SessionInfo.php:185
MediaWiki\Session\SessionInfo\isIdSafe
isIdSafe()
Indicate whether the ID is "safe".
Definition: SessionInfo.php:209
MediaWiki\Session\SessionInfo\getUserInfo
getUserInfo()
Return the user.
Definition: SessionInfo.php:240
MediaWiki\Session\SessionInfo\wasPersisted
wasPersisted()
Return whether the session is persisted.
Definition: SessionInfo.php:248
MediaWiki\Session\SessionInfo\MIN_PRIORITY
const MIN_PRIORITY
Minimum allowed priority.
Definition: SessionInfo.php:39
MediaWiki\Session\SessionInfo\wasRemembered
wasRemembered()
Return whether the user was remembered.
Definition: SessionInfo.php:275
MediaWiki\Session\SessionInfo\compare
static compare( $a, $b)
Compare two SessionInfo objects by priority.
Definition: SessionInfo.php:301
MediaWiki\Session\SessionManager
This serves as the entry point to the MediaWiki session handling system.
Definition: SessionManager.php:79
MediaWiki\Session\SessionManager\resetCache
static resetCache()
Reset the internal caching for unit testing.
Definition: SessionManager.php:1010
MediaWiki\Session\SessionManager\getVaryHeaders
getVaryHeaders()
Return the HTTP headers that need varying on.
Definition: SessionManager.php:390
MediaWiki\Session\SessionManager\deregisterSessionBackend
deregisterSessionBackend(SessionBackend $backend)
Deregister a SessionBackend.
Definition: SessionManager.php:948
MediaWiki\Session\SessionManager\invalidateSessionsForUser
invalidateSessionsForUser(User $user)
Invalidate sessions for a user.
Definition: SessionManager.php:381
MediaWiki\Session\SessionManager\setHookContainer
setHookContainer(HookContainer $hookContainer)
Definition: SessionManager.php:238
MediaWiki\Session\SessionManager\getVaryCookies
getVaryCookies()
Return the list of cookies that need varying on.
Definition: SessionManager.php:410
MediaWiki\Session\SessionManager\setupPHPSessionHandler
setupPHPSessionHandler(PHPSessionHandler $handler)
Call setters on a PHPSessionHandler.
Definition: SessionManager.php:1001
MediaWiki\Session\SessionManager\getEmptySession
getEmptySession(WebRequest $request=null)
Create a new, empty session.
Definition: SessionManager.php:295
MediaWiki\Session\SessionManager\getGlobalSession
static getGlobalSession()
If PHP's session_id() has been set, returns that session.
Definition: SessionManager.php:142
MediaWiki\Session\SessionManager\preventSessionsForUser
preventSessionsForUser( $username)
Prevent future sessions for the user.
Definition: SessionManager.php:448
MediaWiki\Session\SessionManager\shutdown
shutdown()
Save all active sessions on shutdown.
Definition: SessionManager.php:514
MediaWiki\Session\SessionManager\getSessionById
getSessionById( $id, $create=false, WebRequest $request=null)
Fetch a session by ID.
Definition: SessionManager.php:254
MediaWiki\Session\SessionManager\getProvider
getProvider( $name)
Get a session provider by name.
Definition: SessionManager.php:505
MediaWiki\Session\SessionManager\validateSessionId
static validateSessionId( $id)
Validate a session ID.
Definition: SessionManager.php:431
MediaWiki\Session\SessionManager\getProviders
getProviders()
Get the available SessionProviders.
Definition: SessionManager.php:471
MediaWiki\Session\SessionManager\singleton
static singleton()
Get the global SessionManager.
Definition: SessionManager.php:129
MediaWiki\Session\SessionManager\changeBackendId
changeBackendId(SessionBackend $backend)
Change a SessionBackend's ID.
Definition: SessionManager.php:966
MediaWiki\Session\SessionManager\generateSessionId
generateSessionId()
Generate a new random session ID.
Definition: SessionManager.php:988
MediaWiki\Session\SessionManager\setLogger
setLogger(LoggerInterface $logger)
Definition: SessionManager.php:230
MediaWiki\Session\SessionManager\logPotentialSessionLeakage
logPotentialSessionLeakage(Session $session=null)
If the same session is suddenly used from a different IP, that's potentially due to a session leak,...
Definition: SessionManager.php:1048
MediaWiki\Session\SessionManager\getSessionFromInfo
getSessionFromInfo(SessionInfo $info, WebRequest $request)
Create a Session corresponding to the passed SessionInfo.
Definition: SessionManager.php:889
MediaWiki\Session\SessionManager\getSessionForRequest
getSessionForRequest(WebRequest $request)
Fetch the session for a request (or a new empty session if none is attached to it)
Definition: SessionManager.php:243
MediaWiki\Session\SessionManager\isUserSessionPrevented
isUserSessionPrevented( $username)
Test if a user is prevented.
Definition: SessionManager.php:463
MediaWiki\Session\Session
Manages data for an authenticated session.
Definition: Session.php:50
MediaWiki\Session\UserInfo\newFromName
static newFromName( $name, $verified=false)
Create an instance for a logged-in user by name.
Definition: UserInfo.php:106
MediaWiki\Session\UserInfo\newAnonymous
static newAnonymous()
Create an instance for an anonymous (i.e.
Definition: UserInfo.php:78
MediaWiki\Session\UserInfo\newFromId
static newFromId( $id, $verified=false)
Create an instance for a logged-in user by ID.
Definition: UserInfo.php:88
MediaWiki\User\UserNameUtils
UserNameUtils service.
Definition: UserNameUtils.php:44
MediaWiki\User\User
internal since 1.36
Definition: User.php:98
MediaWiki\User\User\setToken
setToken( $token=false)
Set the random token (used for persistent authentication) Called from loadDefaults() among other plac...
Definition: User.php:1968
MediaWiki\User\User\saveSettings
saveSettings()
Save this user's settings into the database.
Definition: User.php:2548
MediaWiki
The MediaWiki class is the helper class for the index.php entry point.
Definition: MediaWiki.php:50
ObjectCache\getInstance
static getInstance( $id)
Get a cached instance of the specified type of cache object.
Definition: ObjectCache.php:83
RequestContext\getMain
static getMain()
Get the RequestContext object associated with the main request.
Definition: RequestContext.php:593
MediaWiki\Config\Config
Interface for configuration instances.
Definition: Config.php:32
MediaWiki\Session\SessionManagerInterface
This exists to make IDEs happy, so they don't see the internal-but-required-to-be-public methods on S...
Definition: SessionManagerInterface.php:37
MW_NO_SESSION
const MW_NO_SESSION
Definition: load.php:33
$header
$header
Definition: updateCredits.php:37