This serves as the entry point to the MediaWiki session handling system. More...
Public Member Functions | |
| __construct ( $options=[]) | |
| getEmptySession (WebRequest $request=null) | |
| Create a new, empty session. More... | |
| getSessionById ( $id, $create=false, WebRequest $request=null) | |
| Fetch a session by ID. More... | |
| getSessionForRequest (WebRequest $request) | |
| Fetch the session for a request (or a new empty session if none is attached to it) More... | |
| getVaryCookies () | |
| Return the list of cookies that need varying on. More... | |
| getVaryHeaders () | |
| Return the HTTP headers that need varying on. More... | |
| invalidateSessionsForUser (User $user) | |
| Invalidate sessions for a user. More... | |
| setHookContainer (HookContainer $hookContainer) | |
| setLogger (LoggerInterface $logger) | |
Static Public Member Functions | |
| static | getGlobalSession () |
| If PHP's session_id() has been set, returns that session. More... | |
| static | singleton () |
| Get the global SessionManager. More... | |
| static | validateSessionId ( $id) |
| Validate a session ID. More... | |
Private Member Functions | |
| getEmptySessionInternal (WebRequest $request=null, $id=null) | |
Private Attributes | |
| SessionBackend[] | $allSessionBackends = [] |
| SessionId[] | $allSessionIds = [] |
| Config | $config |
| HookContainer | $hookContainer |
| HookRunner | $hookRunner |
| LoggerInterface | $logger |
| true[] | $preventUsers = [] |
| SessionProvider[] | $sessionProviders = null |
| CachedBagOStuff null | $store |
| UserNameUtils | $userNameUtils |
| string[] | $varyCookies = null |
| array | $varyHeaders = null |
Static Private Attributes | |
| static Session null | $globalSession = null |
| static WebRequest null | $globalSessionRequest = null |
| static SessionManager null | $instance = null |
Internal methods | |
| static | resetCache () |
| Reset the internal caching for unit testing. More... | |
| preventSessionsForUser ( $username) | |
| Prevent future sessions for the user. More... | |
| isUserSessionPrevented ( $username) | |
| Test if a user is prevented. More... | |
| getProvider ( $name) | |
| Get a session provider by name. More... | |
| shutdown () | |
| Save all active sessions on shutdown. More... | |
| getSessionFromInfo (SessionInfo $info, WebRequest $request) | |
| Create a Session corresponding to the passed SessionInfo. More... | |
| deregisterSessionBackend (SessionBackend $backend) | |
| Deregister a SessionBackend. More... | |
| changeBackendId (SessionBackend $backend) | |
| Change a SessionBackend's ID. More... | |
| generateSessionId () | |
| Generate a new random session ID. More... | |
| setupPHPSessionHandler (PHPSessionHandler $handler) | |
| Call setters on a PHPSessionHandler. More... | |
| logPotentialSessionLeakage (Session $session=null) | |
| If the same session is suddenly used from a different IP, that's potentially due to a session leak, so log it. More... | |
| getSessionInfoForRequest (WebRequest $request) | |
| Fetch the SessionInfo(s) for a request. More... | |
| loadSessionInfoFromStore (SessionInfo &$info, WebRequest $request) | |
| Load and verify the session info against the store. More... | |
| logUnpersist (SessionInfo $info, WebRequest $request) | |
| Reset the internal caching for unit testing. More... | |
| getProviders () | |
| Get the available SessionProviders. More... | |
Detailed Description
This serves as the entry point to the MediaWiki session handling system.
Most methods here are for internal use by session handling code. Other callers should only use getGlobalSession and the methods of SessionManagerInterface; the rest of the functionality is exposed via MediaWiki\Session\Session methods.
To provide custom session handling, implement a MediaWiki\Session\SessionProvider.
Storage expectations
The SessionManager should be configured with a very fast storage system that is optimized for holding key-value pairs. It expects:
- Low latencies. Session data is read or written to during nearly all web requests from people that have contributed to or otherwise engaged with the site, including those not logged in with a registered account.
- Locally writable data. The data must be writable from both primary and secondary data centres.
- Locally latest reads. Writes must by default be immediately consistent within the local data centre, and visible to other reads from web servers in that data centre.
- Replication. The data must be eventually consistent across all data centres. Writes are either synced to all remote data centres, or locally overwritten by another write that is.
- Support BagOStuff::WRITE_SYNC flag. The data must writable with synchronous replication waited for, across all data centres. This is used when resetting or deleting a session, which must not be lost or overwritten by earlier or overlapping write actions.
The SessionManager uses set() and delete() for write operations, which should by default be synchronous in the local data centre, and replicate asynchronously to any others. This behaviour can be overridden by the use of the WRITE_SYNC flag.
- Since
- 1.27
Definition at line 83 of file SessionManager.php.
Constructor & Destructor Documentation
◆ __construct()
| MediaWiki\Session\SessionManager::__construct | ( | $options = [] | ) |
- Parameters
-
array $options
Definition at line 187 of file SessionManager.php.
References MediaWiki\Logger\LoggerFactory\getInstance(), ObjectCache\getInstance(), MediaWiki\MediaWikiServices\getInstance(), and MediaWiki\MainConfigNames\SessionCacheType.
Member Function Documentation
◆ changeBackendId()
| MediaWiki\Session\SessionManager::changeBackendId | ( | SessionBackend | $backend | ) |
Change a SessionBackend's ID.
- Access: internal
- For use from \MediaWiki\Session\SessionBackend only
- Parameters
-
SessionBackend $backend
Definition at line 956 of file SessionManager.php.
References MediaWiki\Session\SessionBackend\getSessionId().
◆ deregisterSessionBackend()
| MediaWiki\Session\SessionManager::deregisterSessionBackend | ( | SessionBackend | $backend | ) |
Deregister a SessionBackend.
- Access: internal
- For use from \MediaWiki\Session\SessionBackend only
- Parameters
-
SessionBackend $backend
Definition at line 938 of file SessionManager.php.
References MediaWiki\Session\SessionBackend\getId(), and MediaWiki\Session\SessionBackend\getSessionId().
◆ generateSessionId()
| MediaWiki\Session\SessionManager::generateSessionId | ( | ) |
Generate a new random session ID.
- Returns
- string
Definition at line 978 of file SessionManager.php.
References MWCryptRand\generateHex().
◆ getEmptySession()
| MediaWiki\Session\SessionManager::getEmptySession | ( | WebRequest | $request = null | ) |
Create a new, empty session.
The first provider configured that is able to provide an empty session will be used.
- Parameters
-
WebRequest | null $request Corresponding request. Any existing session associated with this WebRequest object will be overwritten.
- Returns
- Session
Implements MediaWiki\Session\SessionManagerInterface.
Definition at line 300 of file SessionManager.php.
◆ getEmptySessionInternal()
|
private |
- Parameters
-
WebRequest | null $request string | null $id ID to force on the new session
- Returns
- Session
Definition at line 310 of file SessionManager.php.
References MediaWiki\Session\SessionInfo\compare().
◆ getGlobalSession()
|
static |
If PHP's session_id() has been set, returns that session.
Otherwise returns the session for RequestContext::getMain()->getRequest().
- Returns
- Session
Definition at line 146 of file SessionManager.php.
Referenced by MediaWiki\Auth\RememberMeAuthenticationRequest\__construct(), MediaWiki\Session\SessionBackend\checkPHPSession(), ApiLogin\execute(), ApiLogout\execute(), RequestContext\exportSession(), SpecialUserLogout\onSubmit(), RawAction\onView(), ApiEditPage\persistGlobalSession(), McrUndoAction\show(), and SubmitAction\show().
◆ getProvider()
| MediaWiki\Session\SessionManager::getProvider | ( | $name | ) |
Get a session provider by name.
Generally, this will only be used by internal implementation of some special session-providing mechanism. General purpose code, if it needs to access a SessionProvider at all, will use Session::getProvider().
- Parameters
-
string $name
- Returns
- SessionProvider|null
Definition at line 495 of file SessionManager.php.
◆ getProviders()
|
protected |
Get the available SessionProviders.
- Returns
- SessionProvider[]
Definition at line 461 of file SessionManager.php.
References MediaWiki\MediaWikiServices\getInstance(), MediaWiki\Session\SessionProvider\init(), and MediaWiki\MainConfigNames\SessionProviders.
◆ getSessionById()
| MediaWiki\Session\SessionManager::getSessionById | ( | $id, | |
$create = false, |
|||
| WebRequest | $request = null |
||
| ) |
Fetch a session by ID.
- Parameters
-
string $id bool $create If no session exists for $id, try to create a new one. May still return null if a session for $id exists but cannot be loaded. WebRequest | null $request Corresponding request. Any existing session associated with this WebRequest object will be overwritten.
- Returns
- Session|null
Implements MediaWiki\Session\SessionManagerInterface.
Definition at line 258 of file SessionManager.php.
References MediaWiki\Session\SessionInfo\MIN_PRIORITY.
◆ getSessionForRequest()
| MediaWiki\Session\SessionManager::getSessionForRequest | ( | WebRequest | $request | ) |
Fetch the session for a request (or a new empty session if none is attached to it)
- Note
- You probably want to use $request->getSession() instead. It's more efficient and doesn't break FauxRequests or sessions that were changed by $this->getSessionById() or $this->getEmptySession().
- Parameters
-
WebRequest $request Any existing associated session will be reset to the session corresponding to the data in the request itself.
- Returns
- Session
- Exceptions
-
Implements MediaWiki\Session\SessionManagerInterface.
Definition at line 247 of file SessionManager.php.
◆ getSessionFromInfo()
| MediaWiki\Session\SessionManager::getSessionFromInfo | ( | SessionInfo | $info, |
| WebRequest | $request | ||
| ) |
Create a Session corresponding to the passed SessionInfo.
- Access: internal
- For use by a SessionProvider that needs to specially create its own Session. Most session providers won't need this.
- Parameters
-
SessionInfo $info WebRequest $request
- Returns
- Session
Definition at line 879 of file SessionManager.php.
References MediaWiki\Session\SessionInfo\getId(), MediaWiki\Session\SessionInfo\isIdSafe(), MW_ENTRY_POINT, MW_NO_SESSION, MediaWiki\MainConfigNames\ObjectCacheSessionExpiry, WebRequest\setSessionId(), MediaWiki\Session\SessionInfo\wasPersisted(), and MediaWiki\Session\SessionInfo\wasRemembered().
◆ getSessionInfoForRequest()
|
private |
Fetch the SessionInfo(s) for a request.
- Parameters
-
WebRequest $request
- Returns
- SessionInfo|null
Definition at line 523 of file SessionManager.php.
References MediaWiki\Session\SessionInfo\compare().
◆ getVaryCookies()
| MediaWiki\Session\SessionManager::getVaryCookies | ( | ) |
Return the list of cookies that need varying on.
- Returns
- string[]
Implements MediaWiki\Session\SessionManagerInterface.
Definition at line 400 of file SessionManager.php.
References MW_NO_SESSION.
◆ getVaryHeaders()
| MediaWiki\Session\SessionManager::getVaryHeaders | ( | ) |
Return the HTTP headers that need varying on.
The return value is such that someone could theoretically do this:
Note that the $options argument to OutputPage::addVaryHeader() has been deprecated and should always be null.
- Returns
- array
Implements MediaWiki\Session\SessionManagerInterface.
Definition at line 380 of file SessionManager.php.
References $header, and MW_NO_SESSION.
◆ invalidateSessionsForUser()
| MediaWiki\Session\SessionManager::invalidateSessionsForUser | ( | User | $user | ) |
Invalidate sessions for a user.
After calling this, existing sessions should be invalid. For mutable session providers, this generally means the user has to log in again; for immutable providers, it generally means the loss of session data.
- Parameters
-
User $user
Implements MediaWiki\Session\SessionManagerInterface.
Definition at line 371 of file SessionManager.php.
References User\saveSettings(), and User\setToken().
◆ isUserSessionPrevented()
| MediaWiki\Session\SessionManager::isUserSessionPrevented | ( | $username | ) |
Test if a user is prevented.
- Access: internal
- For use from SessionBackend only
- Parameters
-
string $username
- Returns
- bool
Definition at line 453 of file SessionManager.php.
◆ loadSessionInfoFromStore()
|
private |
Load and verify the session info against the store.
- Parameters
-
SessionInfo &$info Will likely be replaced with an updated SessionInfo instance WebRequest $request
- Returns
- bool Whether the session info matches the stored data (if any)
Definition at line 589 of file SessionManager.php.
References $blob, MediaWiki\Session\SessionInfo\__toString(), MediaWiki\Session\SessionInfo\forceHTTPS(), MediaWiki\Session\SessionInfo\forceUse(), MediaWiki\Session\MetadataMergeException\getContext(), MediaWiki\Session\SessionInfo\getId(), MediaWiki\Session\SessionInfo\getPriority(), MediaWiki\Session\SessionInfo\getProvider(), MediaWiki\Session\SessionInfo\getProviderMetadata(), MediaWiki\Session\SessionInfo\getUserInfo(), MediaWiki\Session\SessionInfo\isIdSafe(), MediaWiki\Session\UserInfo\newAnonymous(), MediaWiki\Session\UserInfo\newFromId(), MediaWiki\Session\UserInfo\newFromName(), MediaWiki\Session\SessionInfo\wasPersisted(), and MediaWiki\Session\SessionInfo\wasRemembered().
◆ logPotentialSessionLeakage()
| MediaWiki\Session\SessionManager::logPotentialSessionLeakage | ( | Session | $session = null | ) |
If the same session is suddenly used from a different IP, that's potentially due to a session leak, so log it.
In the vast majority of cases it is a false positive due to a user switching connections, but we are interested in an audit track where we can look up a specific username, so a noisy log is fine. Also log changes to the mwuser cookie, an analytics cookie set by mediawiki.user.js which should be a little less noisy.
- Access: private
- For use in Setup.php only
- Parameters
-
Session | null $session For testing only
Definition at line 1038 of file SessionManager.php.
References MediaWiki\Logger\LoggerFactory\getInstance(), MediaWiki\MediaWikiServices\getInstance(), and MediaWiki\MainConfigNames\SuspiciousIpExpiry.
◆ logUnpersist()
|
private |
Reset the internal caching for unit testing.
- Note
- Unit tests only
- Access: internal
Definition at line 1011 of file SessionManager.php.
References WebRequest\getHeader(), MediaWiki\Session\SessionInfo\getId(), WebRequest\getIP(), MediaWiki\Session\SessionInfo\getProvider(), and MediaWiki\Session\SessionInfo\getUserInfo().
◆ preventSessionsForUser()
| MediaWiki\Session\SessionManager::preventSessionsForUser | ( | $username | ) |
Prevent future sessions for the user.
The intention is that the named account will never again be usable for normal login (i.e. there is no way to undo the prevention of access).
- Access: internal
- For use from \User::newSystemUser only
- Parameters
-
string $username
Definition at line 438 of file SessionManager.php.
◆ resetCache()
|
static |
Reset the internal caching for unit testing.
- Note
- Unit tests only
- Access: internal
Definition at line 1000 of file SessionManager.php.
◆ setHookContainer()
| MediaWiki\Session\SessionManager::setHookContainer | ( | HookContainer | $hookContainer | ) |
- Access: internal
- Parameters
-
HookContainer $hookContainer
Definition at line 242 of file SessionManager.php.
◆ setLogger()
| MediaWiki\Session\SessionManager::setLogger | ( | LoggerInterface | $logger | ) |
Definition at line 234 of file SessionManager.php.
◆ setupPHPSessionHandler()
| MediaWiki\Session\SessionManager::setupPHPSessionHandler | ( | PHPSessionHandler | $handler | ) |
Call setters on a PHPSessionHandler.
- Access: internal
- Use PhpSessionHandler::install()
- Parameters
-
PHPSessionHandler $handler
Definition at line 991 of file SessionManager.php.
References MediaWiki\Session\PHPSessionHandler\setManager().
◆ shutdown()
| MediaWiki\Session\SessionManager::shutdown | ( | ) |
Save all active sessions on shutdown.
- Access: internal
- For internal use with register_shutdown_function()
Definition at line 504 of file SessionManager.php.
◆ singleton()
|
static |
Get the global SessionManager.
- Returns
- self
Definition at line 133 of file SessionManager.php.
References MediaWiki\Session\SessionManager\$instance.
Referenced by RequestContext\importScopedSession().
◆ validateSessionId()
|
static |
Validate a session ID.
- Parameters
-
string $id
- Returns
- bool
Definition at line 421 of file SessionManager.php.
Referenced by MediaWiki\Session\SessionInfo\__construct(), MediaWiki\Session\ImmutableSessionProviderWithCookie\getSessionIdFromCookie(), and MediaWiki\Session\CookieSessionProvider\provideSessionInfo().
Member Data Documentation
◆ $allSessionBackends
|
private |
Definition at line 121 of file SessionManager.php.
◆ $allSessionIds
|
private |
Definition at line 124 of file SessionManager.php.
◆ $config
|
private |
Definition at line 103 of file SessionManager.php.
◆ $globalSession
|
staticprivate |
Definition at line 88 of file SessionManager.php.
◆ $globalSessionRequest
|
staticprivate |
Definition at line 91 of file SessionManager.php.
◆ $hookContainer
|
private |
Definition at line 97 of file SessionManager.php.
◆ $hookRunner
|
private |
Definition at line 100 of file SessionManager.php.
◆ $instance
|
staticprivate |
Definition at line 85 of file SessionManager.php.
Referenced by MediaWiki\Session\SessionManager\singleton().
◆ $logger
|
private |
Definition at line 94 of file SessionManager.php.
◆ $preventUsers
|
private |
Definition at line 127 of file SessionManager.php.
◆ $sessionProviders
|
private |
Definition at line 112 of file SessionManager.php.
◆ $store
|
private |
Definition at line 109 of file SessionManager.php.
◆ $userNameUtils
|
private |
Definition at line 106 of file SessionManager.php.
◆ $varyCookies
|
private |
Definition at line 115 of file SessionManager.php.
◆ $varyHeaders
|
private |
Definition at line 118 of file SessionManager.php.
The documentation for this class was generated from the following file:
- includes/session/SessionManager.php
