3 * MediaWiki session backend
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
24 namespace MediaWiki\Session
;
27 use Psr\Log\LoggerInterface
;
32 * This is the actual workhorse for Session.
34 * Most code does not need to use this class, you want \MediaWiki\Session\Session.
35 * The exceptions are SessionProviders and SessionMetadata hook functions,
36 * which get an instance of this class rather than Session.
38 * The reasons for this split are:
39 * 1. A session can be attached to multiple requests, but we want the Session
40 * object to have some features that correspond to just one of those
42 * 2. We want reasonable garbage collection behavior, but we also want the
43 * SessionManager to hold a reference to every active session so it can be
44 * saved when the request ends.
49 final class SessionBackend
{
53 private $persist = false;
54 private $remember = false;
55 private $forceHTTPS = false;
57 /** @var array|null */
60 private $forcePersist = false;
61 private $metaDirty = false;
62 private $dataDirty = false;
64 /** @var string Used to detect subarray modifications */
65 private $dataHash = null;
67 /** @var CachedBagOStuff */
70 /** @var LoggerInterface */
79 private $curIndex = 0;
81 /** @var WebRequest[] Session requests */
82 private $requests = [];
84 /** @var SessionProvider provider */
87 /** @var array|null provider-specified metadata */
88 private $providerMetadata = null;
91 private $loggedOut = 0;
92 private $delaySave = 0;
94 private $usePhpSessionHandling = true;
95 private $checkPHPSessionRecursionGuard = false;
97 private $shutdown = false;
100 * @param SessionId $id Session ID object
101 * @param SessionInfo $info Session info to populate from
102 * @param CachedBagOStuff $store Backend data store
103 * @param LoggerInterface $logger
104 * @param int $lifetime Session data lifetime in seconds
106 public function __construct(
107 SessionId
$id, SessionInfo
$info, CachedBagOStuff
$store, LoggerInterface
$logger, $lifetime
109 $phpSessionHandling = \RequestContext
::getMain()->getConfig()->get( 'PHPSessionHandling' );
110 $this->usePhpSessionHandling
= $phpSessionHandling !== 'disable';
112 if ( $info->getUserInfo() && !$info->getUserInfo()->isVerified() ) {
113 throw new \
InvalidArgumentException(
114 "Refusing to create session for unverified user {$info->getUserInfo()}"
117 if ( $info->getProvider() === null ) {
118 throw new \
InvalidArgumentException( 'Cannot create session without a provider' );
120 if ( $info->getId() !== $id->getId() ) {
121 throw new \
InvalidArgumentException( 'SessionId and SessionInfo don\'t match' );
125 $this->user
= $info->getUserInfo() ?
$info->getUserInfo()->getUser() : new User
;
126 $this->store
= $store;
127 $this->logger
= $logger;
128 $this->lifetime
= $lifetime;
129 $this->provider
= $info->getProvider();
130 $this->persist
= $info->wasPersisted();
131 $this->remember
= $info->wasRemembered();
132 $this->forceHTTPS
= $info->forceHTTPS();
133 $this->providerMetadata
= $info->getProviderMetadata();
135 $blob = $store->get( wfMemcKey( 'MWSession', (string)$this->id
) );
136 if ( !is_array( $blob ) ||
137 !isset( $blob['metadata'] ) ||
!is_array( $blob['metadata'] ) ||
138 !isset( $blob['data'] ) ||
!is_array( $blob['data'] )
141 $this->dataDirty
= true;
142 $this->metaDirty
= true;
143 $this->logger
->debug(
144 'SessionBackend "{session}" is unsaved, marking dirty in constructor',
146 'session' => $this->id
,
149 $this->data
= $blob['data'];
150 if ( isset( $blob['metadata']['loggedOut'] ) ) {
151 $this->loggedOut
= (int)$blob['metadata']['loggedOut'];
153 if ( isset( $blob['metadata']['expires'] ) ) {
154 $this->expires
= (int)$blob['metadata']['expires'];
156 $this->metaDirty
= true;
157 $this->logger
->debug(
158 'SessionBackend "{session}" metadata dirty due to missing expiration timestamp',
160 'session' => $this->id
,
164 $this->dataHash
= md5( serialize( $this->data
) );
168 * Return a new Session for this backend
169 * @param WebRequest $request
172 public function getSession( WebRequest
$request ) {
173 $index = ++
$this->curIndex
;
174 $this->requests
[$index] = $request;
175 $session = new Session( $this, $index, $this->logger
);
180 * Deregister a Session
181 * @private For use by \MediaWiki\Session\Session::__destruct() only
184 public function deregisterSession( $index ) {
185 unset( $this->requests
[$index] );
186 if ( !$this->shutdown
&& !count( $this->requests
) ) {
188 $this->provider
->getManager()->deregisterSessionBackend( $this );
193 * Shut down a session
194 * @private For use by \MediaWiki\Session\SessionManager::shutdown() only
196 public function shutdown() {
198 $this->shutdown
= true;
202 * Returns the session ID.
205 public function getId() {
206 return (string)$this->id
;
210 * Fetch the SessionId object
211 * @private For internal use by WebRequest
214 public function getSessionId() {
219 * Changes the session ID
220 * @return string New ID (might be the same as the old)
222 public function resetId() {
223 if ( $this->provider
->persistsSessionId() ) {
224 $oldId = (string)$this->id
;
225 $restart = $this->usePhpSessionHandling
&& $oldId === session_id() &&
226 PHPSessionHandler
::isEnabled();
229 // If this session is the one behind PHP's $_SESSION, we need
230 // to close then reopen it.
231 session_write_close();
234 $this->provider
->getManager()->changeBackendId( $this );
235 $this->provider
->sessionIdWasReset( $this, $oldId );
236 $this->metaDirty
= true;
237 $this->logger
->debug(
238 'SessionBackend "{session}" metadata dirty due to ID reset (formerly "{oldId}")',
240 'session' => $this->id
,
245 session_id( (string)$this->id
);
246 \MediaWiki\
quietCall( 'session_start' );
251 // Delete the data for the old session ID now
252 $this->store
->delete( wfMemcKey( 'MWSession', $oldId ) );
257 * Fetch the SessionProvider for this session
258 * @return SessionProviderInterface
260 public function getProvider() {
261 return $this->provider
;
265 * Indicate whether this session is persisted across requests
267 * For example, if cookies are set.
271 public function isPersistent() {
272 return $this->persist
;
276 * Make this session persisted across requests
278 * If the session is already persistent, equivalent to calling
281 public function persist() {
282 if ( !$this->persist
) {
283 $this->persist
= true;
284 $this->forcePersist
= true;
285 $this->metaDirty
= true;
286 $this->logger
->debug(
287 'SessionBackend "{session}" force-persist due to persist()',
289 'session' => $this->id
,
298 * Make this session not persisted across requests
300 public function unpersist() {
301 if ( $this->persist
) {
302 // Close the PHP session, if we're the one that's open
303 if ( $this->usePhpSessionHandling
&& PHPSessionHandler
::isEnabled() &&
304 session_id() === (string)$this->id
306 $this->logger
->debug(
307 'SessionBackend "{session}" Closing PHP session for unpersist',
308 [ 'session' => $this->id
]
310 session_write_close();
314 $this->persist
= false;
315 $this->forcePersist
= true;
316 $this->metaDirty
= true;
318 // Delete the session data, so the local cache-only write in
319 // self::save() doesn't get things out of sync with the backend.
320 $this->store
->delete( wfMemcKey( 'MWSession', (string)$this->id
) );
327 * Indicate whether the user should be remembered independently of the
331 public function shouldRememberUser() {
332 return $this->remember
;
336 * Set whether the user should be remembered independently of the session
338 * @param bool $remember
340 public function setRememberUser( $remember ) {
341 if ( $this->remember
!== (bool)$remember ) {
342 $this->remember
= (bool)$remember;
343 $this->metaDirty
= true;
344 $this->logger
->debug(
345 'SessionBackend "{session}" metadata dirty due to remember-user change',
347 'session' => $this->id
,
354 * Returns the request associated with a Session
355 * @param int $index Session index
358 public function getRequest( $index ) {
359 if ( !isset( $this->requests
[$index] ) ) {
360 throw new \
InvalidArgumentException( 'Invalid session index' );
362 return $this->requests
[$index];
366 * Returns the authenticated user for this session
369 public function getUser() {
374 * Fetch the rights allowed the user when this session is active.
375 * @return null|string[] Allowed user rights, or null to allow all.
377 public function getAllowedUserRights() {
378 return $this->provider
->getAllowedUserRights( $this );
382 * Indicate whether the session user info can be changed
385 public function canSetUser() {
386 return $this->provider
->canChangeUser();
390 * Set a new user for this session
391 * @note This should only be called when the user has been authenticated via a login process
392 * @param User $user User to set on the session.
393 * This may become a "UserValue" in the future, or User may be refactored
396 public function setUser( $user ) {
397 if ( !$this->canSetUser() ) {
398 throw new \
BadMethodCallException(
399 'Cannot set user on this session; check $session->canSetUser() first'
404 $this->metaDirty
= true;
405 $this->logger
->debug(
406 'SessionBackend "{session}" metadata dirty due to user change',
408 'session' => $this->id
,
414 * Get a suggested username for the login form
415 * @param int $index Session index
416 * @return string|null
418 public function suggestLoginUsername( $index ) {
419 if ( !isset( $this->requests
[$index] ) ) {
420 throw new \
InvalidArgumentException( 'Invalid session index' );
422 return $this->provider
->suggestLoginUsername( $this->requests
[$index] );
426 * Whether HTTPS should be forced
429 public function shouldForceHTTPS() {
430 return $this->forceHTTPS
;
434 * Set whether HTTPS should be forced
437 public function setForceHTTPS( $force ) {
438 if ( $this->forceHTTPS
!== (bool)$force ) {
439 $this->forceHTTPS
= (bool)$force;
440 $this->metaDirty
= true;
441 $this->logger
->debug(
442 'SessionBackend "{session}" metadata dirty due to force-HTTPS change',
444 'session' => $this->id
,
451 * Fetch the "logged out" timestamp
454 public function getLoggedOutTimestamp() {
455 return $this->loggedOut
;
459 * Set the "logged out" timestamp
462 public function setLoggedOutTimestamp( $ts = null ) {
464 if ( $this->loggedOut
!== $ts ) {
465 $this->loggedOut
= $ts;
466 $this->metaDirty
= true;
467 $this->logger
->debug(
468 'SessionBackend "{session}" metadata dirty due to logged-out-timestamp change',
470 'session' => $this->id
,
477 * Fetch provider metadata
478 * @protected For use by SessionProvider subclasses only
481 public function getProviderMetadata() {
482 return $this->providerMetadata
;
486 * Set provider metadata
487 * @protected For use by SessionProvider subclasses only
488 * @param array|null $metadata
490 public function setProviderMetadata( $metadata ) {
491 if ( $metadata !== null && !is_array( $metadata ) ) {
492 throw new \
InvalidArgumentException( '$metadata must be an array or null' );
494 if ( $this->providerMetadata
!== $metadata ) {
495 $this->providerMetadata
= $metadata;
496 $this->metaDirty
= true;
497 $this->logger
->debug(
498 'SessionBackend "{session}" metadata dirty due to provider metadata change',
500 'session' => $this->id
,
507 * Fetch the session data array
509 * Note the caller is responsible for calling $this->dirty() if anything in
510 * the array is changed.
512 * @private For use by \MediaWiki\Session\Session only.
515 public function &getData() {
520 * Add data to the session.
522 * Overwrites any existing data under the same keys.
524 * @param array $newData Key-value pairs to add to the session
526 public function addData( array $newData ) {
527 $data = &$this->getData();
528 foreach ( $newData as $key => $value ) {
529 if ( !array_key_exists( $key, $data ) ||
$data[$key] !== $value ) {
530 $data[$key] = $value;
531 $this->dataDirty
= true;
532 $this->logger
->debug(
533 'SessionBackend "{session}" data dirty due to addData(): {callers}',
535 'session' => $this->id
,
536 'callers' => wfGetAllCallers( 5 ),
544 * @private For use by \MediaWiki\Session\Session only.
546 public function dirty() {
547 $this->dataDirty
= true;
548 $this->logger
->debug(
549 'SessionBackend "{session}" data dirty due to dirty(): {callers}',
551 'session' => $this->id
,
552 'callers' => wfGetAllCallers( 5 ),
557 * Renew the session by resaving everything
559 * Resets the TTL in the backend store if the session is near expiring, and
560 * re-persists the session to any active WebRequests if persistent.
562 public function renew() {
563 if ( time() +
$this->lifetime
/ 2 > $this->expires
) {
564 $this->metaDirty
= true;
565 $this->logger
->debug(
566 'SessionBackend "{callers}" metadata dirty for renew(): {callers}',
568 'session' => $this->id
,
569 'callers' => wfGetAllCallers( 5 ),
571 if ( $this->persist
) {
572 $this->forcePersist
= true;
573 $this->logger
->debug(
574 'SessionBackend "{session}" force-persist for renew(): {callers}',
576 'session' => $this->id
,
577 'callers' => wfGetAllCallers( 5 ),
585 * Delay automatic saving while multiple updates are being made
587 * Calls to save() will not be delayed.
589 * @return \ScopedCallback When this goes out of scope, a save will be triggered
591 public function delaySave() {
593 return new \
ScopedCallback( function () {
594 if ( --$this->delaySave
<= 0 ) {
595 $this->delaySave
= 0;
602 * Save and persist session data, unless delayed
604 private function autosave() {
605 if ( $this->delaySave
<= 0 ) {
611 * Save and persist session data
612 * @param bool $closing Whether the session is being closed
614 public function save( $closing = false ) {
615 $anon = $this->user
->isAnon();
617 if ( !$anon && $this->provider
->getManager()->isUserSessionPrevented( $this->user
->getName() ) ) {
618 $this->logger
->debug(
619 'SessionBackend "{session}" not saving, user {user} was ' .
620 'passed to SessionManager::preventSessionsForUser',
622 'session' => $this->id
,
623 'user' => $this->user
,
628 // Ensure the user has a token
629 // @codeCoverageIgnoreStart
630 if ( !$anon && !$this->user
->getToken( false ) ) {
631 $this->logger
->debug(
632 'SessionBackend "{session}" creating token for user {user} on save',
634 'session' => $this->id
,
635 'user' => $this->user
,
637 $this->user
->setToken();
638 if ( !wfReadOnly() ) {
639 $this->user
->saveSettings();
641 $this->metaDirty
= true;
643 // @codeCoverageIgnoreEnd
645 if ( !$this->metaDirty
&& !$this->dataDirty
&&
646 $this->dataHash
!== md5( serialize( $this->data
) )
648 $this->logger
->debug(
649 'SessionBackend "{session}" data dirty due to hash mismatch, {expected} !== {got}',
651 'session' => $this->id
,
652 'expected' => $this->dataHash
,
653 'got' => md5( serialize( $this->data
) ),
655 $this->dataDirty
= true;
658 if ( !$this->metaDirty
&& !$this->dataDirty
&& !$this->forcePersist
) {
662 $this->logger
->debug(
663 'SessionBackend "{session}" save: dataDirty={dataDirty} ' .
664 'metaDirty={metaDirty} forcePersist={forcePersist}',
666 'session' => $this->id
,
667 'dataDirty' => (int)$this->dataDirty
,
668 'metaDirty' => (int)$this->metaDirty
,
669 'forcePersist' => (int)$this->forcePersist
,
672 // Persist or unpersist to the provider, if necessary
673 if ( $this->metaDirty ||
$this->forcePersist
) {
674 if ( $this->persist
) {
675 foreach ( $this->requests
as $request ) {
676 $request->setSessionId( $this->getSessionId() );
677 $this->provider
->persistSession( $this, $request );
680 $this->checkPHPSession();
683 foreach ( $this->requests
as $request ) {
684 if ( $request->getSessionId() === $this->id
) {
685 $this->provider
->unpersistSession( $request );
691 $this->forcePersist
= false;
693 if ( !$this->metaDirty
&& !$this->dataDirty
) {
697 // Save session data to store, if necessary
698 $metadata = $origMetadata = [
699 'provider' => (string)$this->provider
,
700 'providerMetadata' => $this->providerMetadata
,
701 'userId' => $anon ?
0 : $this->user
->getId(),
702 'userName' => User
::isValidUserName( $this->user
->getName() ) ?
$this->user
->getName() : null,
703 'userToken' => $anon ?
null : $this->user
->getToken(),
704 'remember' => !$anon && $this->remember
,
705 'forceHTTPS' => $this->forceHTTPS
,
706 'expires' => time() +
$this->lifetime
,
707 'loggedOut' => $this->loggedOut
,
708 'persisted' => $this->persist
,
711 \Hooks
::run( 'SessionMetadata', [ $this, &$metadata, $this->requests
] );
713 foreach ( $origMetadata as $k => $v ) {
714 if ( $metadata[$k] !== $v ) {
715 throw new \
UnexpectedValueException( "SessionMetadata hook changed metadata key \"$k\"" );
720 wfMemcKey( 'MWSession', (string)$this->id
),
722 'data' => $this->data
,
723 'metadata' => $metadata,
725 $metadata['expires'],
726 $this->persist ?
0 : CachedBagOStuff
::WRITE_CACHE_ONLY
729 $this->metaDirty
= false;
730 $this->dataDirty
= false;
731 $this->dataHash
= md5( serialize( $this->data
) );
732 $this->expires
= $metadata['expires'];
736 * For backwards compatibility, open the PHP session when the global
737 * session is persisted
739 private function checkPHPSession() {
740 if ( !$this->checkPHPSessionRecursionGuard
) {
741 $this->checkPHPSessionRecursionGuard
= true;
742 $reset = new \
ScopedCallback( function () {
743 $this->checkPHPSessionRecursionGuard
= false;
746 if ( $this->usePhpSessionHandling
&& session_id() === '' && PHPSessionHandler
::isEnabled() &&
747 SessionManager
::getGlobalSession()->getId() === (string)$this->id
749 $this->logger
->debug(
750 'SessionBackend "{session}" Taking over PHP session',
752 'session' => $this->id
,
754 session_id( (string)$this->id
);
755 \MediaWiki\
quietCall( 'session_start' );