DatabaseMysqlBase visibility cleanups
[mediawiki.git] / includes / session / CookieSessionProvider.php
blob79fc720d1ea526b33182f923275b1e0664d3a2fd
1 <?php
2 /**
3 * MediaWiki cookie-based session provider interface
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
20 * @file
21 * @ingroup Session
24 namespace MediaWiki\Session;
26 use Config;
27 use User;
28 use WebRequest;
30 /**
31 * A CookieSessionProvider persists sessions using cookies
33 * @ingroup Session
34 * @since 1.27
36 class CookieSessionProvider extends SessionProvider {
38 protected $params = [];
39 protected $cookieOptions = [];
41 /**
42 * @param array $params Keys include:
43 * - priority: (required) Priority of the returned sessions
44 * - callUserSetCookiesHook: Whether to call the deprecated hook
45 * - sessionName: Session cookie name. Doesn't honor 'prefix'. Defaults to
46 * $wgSessionName, or $wgCookiePrefix . '_session' if that is unset.
47 * - cookieOptions: Options to pass to WebRequest::setCookie():
48 * - prefix: Cookie prefix, defaults to $wgCookiePrefix
49 * - path: Cookie path, defaults to $wgCookiePath
50 * - domain: Cookie domain, defaults to $wgCookieDomain
51 * - secure: Cookie secure flag, defaults to $wgCookieSecure
52 * - httpOnly: Cookie httpOnly flag, defaults to $wgCookieHttpOnly
54 public function __construct( $params = [] ) {
55 parent::__construct();
57 $params += [
58 'cookieOptions' => [],
59 // @codeCoverageIgnoreStart
61 // @codeCoverageIgnoreEnd
63 if ( !isset( $params['priority'] ) ) {
64 throw new \InvalidArgumentException( __METHOD__ . ': priority must be specified' );
66 if ( $params['priority'] < SessionInfo::MIN_PRIORITY ||
67 $params['priority'] > SessionInfo::MAX_PRIORITY
68 ) {
69 throw new \InvalidArgumentException( __METHOD__ . ': Invalid priority' );
72 if ( !is_array( $params['cookieOptions'] ) ) {
73 throw new \InvalidArgumentException( __METHOD__ . ': cookieOptions must be an array' );
76 $this->priority = $params['priority'];
77 $this->cookieOptions = $params['cookieOptions'];
78 $this->params = $params;
79 unset( $this->params['priority'] );
80 unset( $this->params['cookieOptions'] );
83 public function setConfig( Config $config ) {
84 parent::setConfig( $config );
86 // @codeCoverageIgnoreStart
87 $this->params += [
88 // @codeCoverageIgnoreEnd
89 'callUserSetCookiesHook' => false,
90 'sessionName' =>
91 $config->get( 'SessionName' ) ?: $config->get( 'CookiePrefix' ) . '_session',
94 // @codeCoverageIgnoreStart
95 $this->cookieOptions += [
96 // @codeCoverageIgnoreEnd
97 'prefix' => $config->get( 'CookiePrefix' ),
98 'path' => $config->get( 'CookiePath' ),
99 'domain' => $config->get( 'CookieDomain' ),
100 'secure' => $config->get( 'CookieSecure' ),
101 'httpOnly' => $config->get( 'CookieHttpOnly' ),
105 public function provideSessionInfo( WebRequest $request ) {
106 $sessionId = $this->getCookie( $request, $this->params['sessionName'], '' );
107 $info = [
108 'provider' => $this,
109 'forceHTTPS' => $this->getCookie( $request, 'forceHTTPS', '', false )
111 if ( SessionManager::validateSessionId( $sessionId ) ) {
112 $info['id'] = $sessionId;
113 $info['persisted'] = true;
116 list( $userId, $userName, $token ) = $this->getUserInfoFromCookies( $request );
117 if ( $userId !== null ) {
118 try {
119 $userInfo = UserInfo::newFromId( $userId );
120 } catch ( \InvalidArgumentException $ex ) {
121 return null;
124 // Sanity check
125 if ( $userName !== null && $userInfo->getName() !== $userName ) {
126 $this->logger->warning(
127 'Session "{session}" requested with mismatched UserID and UserName cookies.',
129 'session' => $sessionId,
130 'mismatch' => [
131 'userid' => $userId,
132 'cookie_username' => $userName,
133 'username' => $userInfo->getName(),
135 ] );
136 return null;
139 if ( $token !== null ) {
140 if ( !hash_equals( $userInfo->getToken(), $token ) ) {
141 $this->logger->warning(
142 'Session "{session}" requested with invalid Token cookie.',
144 'session' => $sessionId,
145 'userid' => $userId,
146 'username' => $userInfo->getName(),
147 ] );
148 return null;
150 $info['userInfo'] = $userInfo->verified();
151 $info['persisted'] = true; // If we have user+token, it should be
152 } elseif ( isset( $info['id'] ) ) {
153 $info['userInfo'] = $userInfo;
154 } else {
155 // No point in returning, loadSessionInfoFromStore() will
156 // reject it anyway.
157 return null;
159 } elseif ( isset( $info['id'] ) ) {
160 // No UserID cookie, so insist that the session is anonymous.
161 // Note: this event occurs for several normal activities:
162 // * anon visits Special:UserLogin
163 // * anon browsing after seeing Special:UserLogin
164 // * anon browsing after edit or preview
165 $this->logger->debug(
166 'Session "{session}" requested without UserID cookie',
168 'session' => $info['id'],
169 ] );
170 $info['userInfo'] = UserInfo::newAnonymous();
171 } else {
172 // No session ID and no user is the same as an empty session, so
173 // there's no point.
174 return null;
177 return new SessionInfo( $this->priority, $info );
180 public function persistsSessionId() {
181 return true;
184 public function canChangeUser() {
185 return true;
188 public function persistSession( SessionBackend $session, WebRequest $request ) {
189 $response = $request->response();
190 if ( $response->headersSent() ) {
191 // Can't do anything now
192 $this->logger->debug( __METHOD__ . ': Headers already sent' );
193 return;
196 $user = $session->getUser();
198 $cookies = $this->cookieDataToExport( $user, $session->shouldRememberUser() );
199 $sessionData = $this->sessionDataToExport( $user );
201 // Legacy hook
202 if ( $this->params['callUserSetCookiesHook'] && !$user->isAnon() ) {
203 \Hooks::run( 'UserSetCookies', [ $user, &$sessionData, &$cookies ] );
206 $options = $this->cookieOptions;
208 $forceHTTPS = $session->shouldForceHTTPS() || $user->requiresHTTPS();
209 if ( $forceHTTPS ) {
210 // Don't set the secure flag if the request came in
211 // over "http", for backwards compat.
212 // @todo Break that backwards compat properly.
213 $options['secure'] = $this->config->get( 'CookieSecure' );
216 $response->setCookie( $this->params['sessionName'], $session->getId(), null,
217 [ 'prefix' => '' ] + $options
220 foreach ( $cookies as $key => $value ) {
221 if ( $value === false ) {
222 $response->clearCookie( $key, $options );
223 } else {
224 $expirationDuration = $this->getLoginCookieExpiration( $key, $session->shouldRememberUser() );
225 $expiration = $expirationDuration ? $expirationDuration + time() : null;
226 $response->setCookie( $key, (string)$value, $expiration, $options );
230 $this->setForceHTTPSCookie( $forceHTTPS, $session, $request );
231 $this->setLoggedOutCookie( $session->getLoggedOutTimestamp(), $request );
233 if ( $sessionData ) {
234 $session->addData( $sessionData );
238 public function unpersistSession( WebRequest $request ) {
239 $response = $request->response();
240 if ( $response->headersSent() ) {
241 // Can't do anything now
242 $this->logger->debug( __METHOD__ . ': Headers already sent' );
243 return;
246 $cookies = [
247 'UserID' => false,
248 'Token' => false,
251 $response->clearCookie(
252 $this->params['sessionName'], [ 'prefix' => '' ] + $this->cookieOptions
255 foreach ( $cookies as $key => $value ) {
256 $response->clearCookie( $key, $this->cookieOptions );
259 $this->setForceHTTPSCookie( false, null, $request );
263 * Set the "forceHTTPS" cookie
264 * @param bool $set Whether the cookie should be set or not
265 * @param SessionBackend|null $backend
266 * @param WebRequest $request
268 protected function setForceHTTPSCookie(
269 $set, SessionBackend $backend = null, WebRequest $request
271 $response = $request->response();
272 if ( $set ) {
273 if ( $backend->shouldRememberUser() ) {
274 $expirationDuration = $this->getLoginCookieExpiration(
275 'forceHTTPS',
276 true
278 $expiration = $expirationDuration ? $expirationDuration + time() : null;
279 } else {
280 $expiration = null;
282 $response->setCookie( 'forceHTTPS', 'true', $expiration,
283 [ 'prefix' => '', 'secure' => false ] + $this->cookieOptions );
284 } else {
285 $response->clearCookie( 'forceHTTPS',
286 [ 'prefix' => '', 'secure' => false ] + $this->cookieOptions );
291 * Set the "logged out" cookie
292 * @param int $loggedOut timestamp
293 * @param WebRequest $request
295 protected function setLoggedOutCookie( $loggedOut, WebRequest $request ) {
296 if ( $loggedOut + 86400 > time() &&
297 $loggedOut !== (int)$this->getCookie( $request, 'LoggedOut', $this->cookieOptions['prefix'] )
299 $request->response()->setCookie( 'LoggedOut', $loggedOut, $loggedOut + 86400,
300 $this->cookieOptions );
304 public function getVaryCookies() {
305 return [
306 // Vary on token and session because those are the real authn
307 // determiners. UserID and UserName don't matter without those.
308 $this->cookieOptions['prefix'] . 'Token',
309 $this->cookieOptions['prefix'] . 'LoggedOut',
310 $this->params['sessionName'],
311 'forceHTTPS',
315 public function suggestLoginUsername( WebRequest $request ) {
316 $name = $this->getCookie( $request, 'UserName', $this->cookieOptions['prefix'] );
317 if ( $name !== null ) {
318 $name = User::getCanonicalName( $name, 'usable' );
320 return $name === false ? null : $name;
324 * Fetch the user identity from cookies
325 * @param \WebRequest $request
326 * @return array (string|null $id, string|null $username, string|null $token)
328 protected function getUserInfoFromCookies( $request ) {
329 $prefix = $this->cookieOptions['prefix'];
330 return [
331 $this->getCookie( $request, 'UserID', $prefix ),
332 $this->getCookie( $request, 'UserName', $prefix ),
333 $this->getCookie( $request, 'Token', $prefix ),
338 * Get a cookie. Contains an auth-specific hack.
339 * @param \WebRequest $request
340 * @param string $key
341 * @param string $prefix
342 * @param mixed $default
343 * @return mixed
345 protected function getCookie( $request, $key, $prefix, $default = null ) {
346 $value = $request->getCookie( $key, $prefix, $default );
347 if ( $value === 'deleted' ) {
348 // PHP uses this value when deleting cookies. A legitimate cookie will never have
349 // this value (usernames start with uppercase, token is longer, other auth cookies
350 // are booleans or integers). Seeing this means that in a previous request we told the
351 // client to delete the cookie, but it has poor cookie handling. Pretend the cookie is
352 // not there to avoid invalidating the session.
353 return null;
355 return $value;
359 * Return the data to store in cookies
360 * @param User $user
361 * @param bool $remember
362 * @return array $cookies Set value false to unset the cookie
364 protected function cookieDataToExport( $user, $remember ) {
365 if ( $user->isAnon() ) {
366 return [
367 'UserID' => false,
368 'Token' => false,
370 } else {
371 return [
372 'UserID' => $user->getId(),
373 'UserName' => $user->getName(),
374 'Token' => $remember ? (string)$user->getToken() : false,
380 * Return extra data to store in the session
381 * @param User $user
382 * @return array $session
384 protected function sessionDataToExport( $user ) {
385 // If we're calling the legacy hook, we should populate $session
386 // like User::setCookies() did.
387 if ( !$user->isAnon() && $this->params['callUserSetCookiesHook'] ) {
388 return [
389 'wsUserID' => $user->getId(),
390 'wsToken' => $user->getToken(),
391 'wsUserName' => $user->getName(),
395 return [];
398 public function whyNoSession() {
399 return wfMessage( 'sessionprovider-nocookies' );
402 public function getRememberUserDuration() {
403 return min( $this->getLoginCookieExpiration( 'UserID', true ),
404 $this->getLoginCookieExpiration( 'Token', true ) ) ?: null;
408 * Gets the list of cookies that must be set to the 'remember me' duration,
409 * if $wgExtendedLoginCookieExpiration is in use.
411 * @return string[] Array of unprefixed cookie keys
413 protected function getExtendedLoginCookies() {
414 return [ 'UserID', 'UserName', 'Token' ];
418 * Returns the lifespan of the login cookies, in seconds. 0 means until the end of the session.
420 * Cookies that are session-length do not call this function.
422 * @param string $cookieName
423 * @param boolean $shouldRememberUser Whether the user should be remembered
424 * long-term
425 * @return int Cookie expiration time in seconds; 0 for session cookies
427 protected function getLoginCookieExpiration( $cookieName, $shouldRememberUser ) {
428 $extendedCookies = $this->getExtendedLoginCookies();
429 $normalExpiration = $this->config->get( 'CookieExpiration' );
431 if ( $shouldRememberUser && in_array( $cookieName, $extendedCookies, true ) ) {
432 $extendedExpiration = $this->config->get( 'ExtendedLoginCookieExpiration' );
434 return ( $extendedExpiration !== null ) ? (int)$extendedExpiration : (int)$normalExpiration;
435 } else {
436 return (int)$normalExpiration;