1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179
|
<?php
/**
* MediaWiki session provider base class
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* http://www.gnu.org/copyleft/gpl.html
*
* @file
* @ingroup Session
*/
namespace MediaWiki\Session;
use InvalidArgumentException;
use MediaWiki\MainConfigNames;
use MediaWiki\Request\WebRequest;
/**
* An ImmutableSessionProviderWithCookie doesn't persist the user, but
* optionally can use a cookie to support multiple IDs per session.
*
* As mentioned in the documentation for SessionProvider, many methods that are
* technically "cannot persist ID" could be turned into "can persist ID but
* not changing User" using a session cookie. This class implements such an
* optional session cookie.
*
* @stable to extend
* @ingroup Session
* @since 1.27
*/
abstract class ImmutableSessionProviderWithCookie extends SessionProvider {
/** @var string|null */
protected $sessionCookieName = null;
/** @var mixed[] */
protected $sessionCookieOptions = [];
/**
* @stable to call
* @param array $params Keys include:
* - sessionCookieName: Session cookie name, if multiple sessions per
* client are to be supported.
* - sessionCookieOptions: Options to pass to WebResponse::setCookie().
*/
public function __construct( $params = [] ) {
parent::__construct();
if ( isset( $params['sessionCookieName'] ) ) {
if ( !is_string( $params['sessionCookieName'] ) ) {
throw new InvalidArgumentException( 'sessionCookieName must be a string' );
}
$this->sessionCookieName = $params['sessionCookieName'];
}
if ( isset( $params['sessionCookieOptions'] ) ) {
if ( !is_array( $params['sessionCookieOptions'] ) ) {
throw new InvalidArgumentException( 'sessionCookieOptions must be an array' );
}
$this->sessionCookieOptions = $params['sessionCookieOptions'];
}
}
/**
* Get the session ID from the cookie, if any.
*
* Only call this if $this->sessionCookieName !== null. If
* sessionCookieName is null, do some logic (probably involving a call to
* $this->hashToSessionId()) to create the single session ID corresponding
* to this WebRequest instead of calling this method.
*
* @param WebRequest $request
* @return string|null
*/
protected function getSessionIdFromCookie( WebRequest $request ) {
if ( $this->sessionCookieName === null ) {
throw new \BadMethodCallException(
__METHOD__ . ' may not be called when $this->sessionCookieName === null'
);
}
$prefix = $this->sessionCookieOptions['prefix']
?? $this->getConfig()->get( MainConfigNames::CookiePrefix );
$id = $request->getCookie( $this->sessionCookieName, $prefix );
return SessionManager::validateSessionId( $id ) ? $id : null;
}
/**
* @inheritDoc
* @stable to override
*/
public function persistsSessionId() {
return $this->sessionCookieName !== null;
}
/**
* @inheritDoc
* @stable to override
*/
public function canChangeUser() {
return false;
}
/**
* @inheritDoc
* @stable to override
*/
public function persistSession( SessionBackend $session, WebRequest $request ) {
if ( $this->sessionCookieName === null ) {
return;
}
$response = $request->response();
if ( $response->headersSent() ) {
// Can't do anything now
$this->logger->debug( __METHOD__ . ': Headers already sent' );
return;
}
$options = $this->sessionCookieOptions;
if ( $session->shouldForceHTTPS() || $session->getUser()->requiresHTTPS() ) {
// Send a cookie unless $wgForceHTTPS is set (T256095)
if ( !$this->getConfig()->get( MainConfigNames::ForceHTTPS ) ) {
$response->setCookie( 'forceHTTPS', 'true', null,
[ 'prefix' => '', 'secure' => false ] + $options );
}
$options['secure'] = true;
}
$response->setCookie( $this->sessionCookieName, $session->getId(), null, $options );
}
/**
* @inheritDoc
* @stable to override
*/
public function unpersistSession( WebRequest $request ) {
if ( $this->sessionCookieName === null ) {
return;
}
$response = $request->response();
if ( $response->headersSent() ) {
// Can't do anything now
$this->logger->debug( __METHOD__ . ': Headers already sent' );
return;
}
$response->clearCookie( $this->sessionCookieName, $this->sessionCookieOptions );
}
/**
* @inheritDoc
* @stable to override
*/
public function getVaryCookies() {
if ( $this->sessionCookieName === null ) {
return [];
}
$prefix = $this->sessionCookieOptions['prefix'] ??
$this->getConfig()->get( MainConfigNames::CookiePrefix );
return [ $prefix . $this->sessionCookieName ];
}
public function whyNoSession() {
return wfMessage( 'sessionprovider-nocookies' );
}
}
|