Thijs/wiki.techinc.nl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
wiki.techinc.nl/includes/objectcache/ObjectCacheSessionHandler.php
Brad Jorsch 5083e810eb Remove SessionManager, temporarily 
The plan here is to take it out of 1.27.0-wmf.12 and put it back in
1.27.0-wmf.13.

Since BotPasswords depends on SessionManager, that's getting temporarily
removed too.

This reverts the following commits:
* 6acd424e0d SessionManager: Notify AuthPlugin before calling hooks
* 4d1ad32d8a Close a loophole in CookieSessionProvider
* fcdd643a46 SessionManager: Don't save non-persisted sessions to backend storage
* 058aec4c76 MessageCache: Don't get a ParserOptions for $wgUser before the end of Setup.php
* b5c0c03bb7 SessionManager: Save user name to metadata even if the user doesn't exist locally
* 13f2f09a19 SECURITY: Fix User::setToken() call on User::newSystemUser
* 305bc75b27 SessionManager: Don't generate user tokens when checking the tokens
* 7c4bd85d21 RequestContext::exportSession() should only export persisted session IDs
* 296ccfd4a9 SessionManager: Save 'persisted' flag in session metadata
* 94ba53f677 Move CSRF token handling into MediaWiki\Session\Session
* 46a565d6b0 Avoid false "added in both Session and $_SESSION" when value is null
* c00d0b5d94 Log backtrace for "User::loadFromSession called before the end of Setup.php"
* 4eeff5b559 Use $wgSecureCookie to decide whether to actually mark secure cookies as 'secure'
* 7491b52f70 Call session_cache_limiter() before starting a session
* 2c34aeea72 SessionManager: Abstract forceHTTPS cookie setting
* 9aa53627a5 Ignore auth cookies with value 'deleted'
* 43f904b51a SessionManager: Kill getPersistedSessionId()
* 50c5256352 SessionManager: Add SessionBackend::setProviderMetadata()
* f640d40315 SessionManager: Notify AuthPlugin when auto-creating accounts
* 70b05d1ac1 Add checks of $wgEnableBotPasswords in more places
* bfed32eb78 Do not raise a PHP warning when session write fails
* 722a7331ad Only check LoggedOut timestamp on the user loaded from session
* 4f5057b84b SessionManager: Change behavior of getSessionById()
* 66e82e614e Fix typo in [[MediaWiki:Botpasswords-editexisting/en]]
* f9fd9516d9 Add "bot passwords"
* d7716f1df0 Add missing argument for wfDebugLog
* a73c5b7395 Add SessionManager

Change-Id: I2389a8133e25ab929e9f27f41fa9a05df8147a50
2016-02-01 22:06:49 +00:00

207 lines
5.6 KiB
PHP
Raw Blame History

<?php
/**
* Session storage in object cache.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* http://www.gnu.org/copyleft/gpl.html
*
* @file
* @ingroup Cache
*/
use MediaWiki\Logger\LoggerFactory;
/**
* Session storage in object cache.
* Used if $wgSessionsInObjectCache is true.
*
* @ingroup Cache
*/
class ObjectCacheSessionHandler {
/** @var array Map of (session ID => SHA-1 of the data) */
protected static $hashCache = array();
/**
* Install a session handler for the current web request
*/
static function install() {
session_set_save_handler(
array( __CLASS__, 'open' ),
array( __CLASS__, 'close' ),
array( __CLASS__, 'read' ),
array( __CLASS__, 'write' ),
array( __CLASS__, 'destroy' ),
array( __CLASS__, 'gc' ) );
// It's necessary to register a shutdown function to call session_write_close(),
// because by the time the request shutdown function for the session module is
// called, the BagOStuff has already been destroyed. Shutdown functions registered
// this way are called before object destruction.
register_shutdown_function( array( __CLASS__, 'handleShutdown' ) );
}
/**
* Get the cache storage object to use for session storage
* @return BagOStuff
*/
protected static function getCache() {
global $wgSessionCacheType;
return ObjectCache::getInstance( $wgSessionCacheType );
}
/**
* Get a cache key for the given session id.
*
* @param string $id Session id
* @return string Cache key
*/
protected static function getKey( $id ) {
return wfMemcKey( 'session', $id );
}
/**
* @param mixed $data
* @return string
*/
protected static function getHash( $data ) {
return sha1( serialize( $data ) );
}
/**
* Callback when opening a session.
*
* @param string $save_path Path used to store session files, unused
* @param string $session_name Session name
* @return bool Success
*/
static function open( $save_path, $session_name ) {
return true;
}
/**
* Callback when closing a session.
* NOP.
*
* @return bool Success
*/
static function close() {
return true;
}
/**
* Callback when reading session data.
*
* @param string $id Session id
* @return mixed Session data
*/
static function read( $id ) {
$stime = microtime( true );
$data = self::getCache()->get( self::getKey( $id ) );
$real = microtime( true ) - $stime;
RequestContext::getMain()->getStats()->timing( "session.read", 1000 * $real );
self::$hashCache = array( $id => self::getHash( $data ) );
return ( $data === false ) ? '' : $data;
}
/**
* Callback when writing session data.
*
* @param string $id Session id
* @param string $data Session data
* @return bool Success
*/
static function write( $id, $data ) {
global $wgObjectCacheSessionExpiry;
// Only issue a write if anything changed (PHP 5.6 already does this)
if ( !isset( self::$hashCache[$id] )
|| self::getHash( $data ) !== self::$hashCache[$id]
) {
$stime = microtime( true );
self::getCache()->set( self::getKey( $id ), $data, $wgObjectCacheSessionExpiry );
$real = microtime( true ) - $stime;
RequestContext::getMain()->getStats()->timing( "session.write", 1000 * $real );
}
return true;
}
/**
* Callback to destroy a session when calling session_destroy().
*
* @param string $id Session id
* @return bool Success
*/
static function destroy( $id ) {
$stime = microtime( true );
self::getCache()->delete( self::getKey( $id ) );
$real = microtime( true ) - $stime;
RequestContext::getMain()->getStats()->timing( "session.destroy", 1000 * $real );
return true;
}
/**
* Callback to execute garbage collection.
* NOP: Object caches perform garbage collection implicitly
*
* @param int $maxlifetime Maximum session life time
* @return bool Success
*/
static function gc( $maxlifetime ) {
return true;
}
/**
* Shutdown function.
* See the comment inside ObjectCacheSessionHandler::install for rationale.
*/
static function handleShutdown() {
session_write_close();
}
/**
* Pre-emptive session renewal function
*/
static function renewCurrentSession() {
global $wgObjectCacheSessionExpiry;
// Once a session is at half TTL, renew it
$window = $wgObjectCacheSessionExpiry / 2;
$logger = LoggerFactory::getInstance( 'SessionHandler' );
$now = microtime( true );
// Session are only written in object stores when $_SESSION changes,
// which also renews the TTL ($wgObjectCacheSessionExpiry). If a user
// is active but not causing session data changes, it may suddenly
// expire as they view a form, blocking the first submission.
// Make a dummy change every so often to avoid this.
if ( !isset( $_SESSION['wsExpiresUnix'] ) ) {
$_SESSION['wsExpiresUnix'] = $now + $wgObjectCacheSessionExpiry;
$logger->info( "Set expiry for session " . session_id(), array() );
} elseif ( ( $now + $window ) > $_SESSION['wsExpiresUnix'] ) {
$_SESSION['wsExpiresUnix'] = $now + $wgObjectCacheSessionExpiry;
$logger->info( "Renewed session " . session_id(), array() );
}
}
}
Reference in a new issue View git blame Copy permalink