Exemple #1
 /**
  * Build a SessionInfo from the cookies carried by a request.
  *
  * Every value read here comes from client-supplied cookies. The session ID
  * is kept only if SessionManager::validateSessionId() accepts it, the
  * UserName cookie must agree with the user loaded by ID, and a Token cookie
  * must match the stored token before the user is attached via verified().
  *
  * @param WebRequest $request
  * @return SessionInfo|null Null when the cookies yield nothing usable or
  *  when any of the consistency checks fails.
  */
 public function provideSessionInfo(WebRequest $request)
 {
     $info = array();

     // Keep the cookie's session ID only when it passes validation.
     $cookieId = $this->getCookie($request, $this->params['sessionName'], '');
     if (SessionManager::validateSessionId($cookieId)) {
         $info['id'] = $cookieId;
     }

     list($userId, $userName, $token) = $this->getUserInfoFromCookies($request);
     if ($userId !== null) {
         try {
             $userInfo = UserInfo::newFromId($userId);
         } catch (\InvalidArgumentException $ex) {
             return null;
         }

         // Sanity check: the UserName cookie, if sent, must name the same user.
         $nameMismatch = $userName !== null && $userInfo->getName() !== $userName;
         if ($nameMismatch) {
             return null;
         }

         if ($token === null) {
             // Without a token the user is not verified here, and it is only
             // worth attaching when there is a session ID to go with it.
             if (isset($info['id'])) {
                 $info['userInfo'] = $userInfo;
             }
         } else {
             // hash_equals() compares in constant time; the stored token is
             // passed first as the known string.
             if (!hash_equals($userInfo->getToken(), $token)) {
                 return null;
             }
             $info['userInfo'] = $userInfo->verified();
         }
     }

     // Neither a valid session ID nor a usable user: nothing to offer.
     if (count($info) === 0) {
         return null;
     }

     $extras = array(
         'provider' => $this,
         'persisted' => isset($info['id']),
         'forceHTTPS' => $this->getCookie($request, 'forceHTTPS', '', false),
     );
     $info += $extras;

     return new SessionInfo($this->priority, $info);
 }
 /**
  * Read the session ID from the session cookie, if a valid one is present.
  *
  * Only call this if $this->sessionCookieName !== null. If
  * sessionCookieName is null, do some logic (probably involving a call to
  * $this->hashToSessionId()) to create the single session ID corresponding
  * to this WebRequest instead of calling this method.
  *
  * The cookie value is client-controlled; it is returned only when
  * SessionManager::validateSessionId() accepts it.
  *
  * @param WebRequest $request
  * @return string|null The validated session ID, or null if the cookie is
  *  missing or fails validation.
  * @throws \BadMethodCallException When $this->sessionCookieName is null.
  */
 protected function getSessionIdFromCookie(WebRequest $request)
 {
     if ($this->sessionCookieName === null) {
         throw new \BadMethodCallException(__METHOD__ . ' may not be called when $this->sessionCookieName === null');
     }

     // A provider-specific prefix wins over the site-wide CookiePrefix setting.
     if (isset($this->sessionCookieOptions['prefix'])) {
         $cookiePrefix = $this->sessionCookieOptions['prefix'];
     } else {
         $cookiePrefix = $this->config->get('CookiePrefix');
     }

     $candidate = $request->getCookie($this->sessionCookieName, $cookiePrefix);
     if (SessionManager::validateSessionId($candidate)) {
         return $candidate;
     }

     return null;
 }
 /**
  * Build a SessionInfo from the cookies carried by a request, logging the
  * cases where the identity cookies are inconsistent.
  *
  * All inputs are client-supplied cookies. The session ID is used only if
  * SessionManager::validateSessionId() accepts it; the UserName cookie must
  * match the user loaded by ID; a Token cookie must match the stored token.
  *
  * @param WebRequest $request
  * @return SessionInfo|null Null when the user ID cannot be loaded, when the
  *  name or token check fails, or when there is neither a valid session ID
  *  nor a token-verified user.
  */
 public function provideSessionInfo(WebRequest $request)
 {
     $sessionId = $this->getCookie($request, $this->params['sessionName'], '');
     $info = ['provider' => $this, 'forceHTTPS' => $this->getCookie($request, 'forceHTTPS', '', false)];
     // Only a session ID that passes validation is placed in $info.
     if (SessionManager::validateSessionId($sessionId)) {
         $info['id'] = $sessionId;
         $info['persisted'] = true;
     }
     list($userId, $userName, $token) = $this->getUserInfoFromCookies($request);
     if ($userId !== null) {
         try {
             $userInfo = UserInfo::newFromId($userId);
         } catch (\InvalidArgumentException $ex) {
             return null;
         }
         // Sanity check
         if ($userName !== null && $userInfo->getName() !== $userName) {
             // NOTE(review): $sessionId is the raw cookie value, logged whether
             // or not it passed validateSessionId(), together with the
             // cookie-supplied user name. Confirm the log sink treats session
             // IDs as sensitive and copes with untrusted strings.
             $this->logger->warning('Session "{session}" requested with mismatched UserID and UserName cookies.', ['session' => $sessionId, 'mismatch' => ['userid' => $userId, 'cookie_username' => $userName, 'username' => $userInfo->getName()]]);
             return null;
         }
         if ($token !== null) {
             // hash_equals() compares in constant time; the stored token is
             // passed first as the known string.
             if (!hash_equals($userInfo->getToken(), $token)) {
                 // NOTE(review): same caveat as above about logging the raw
                 // session cookie value.
                 $this->logger->warning('Session "{session}" requested with invalid Token cookie.', ['session' => $sessionId, 'userid' => $userId, 'username' => $userInfo->getName()]);
                 return null;
             }
             $info['userInfo'] = $userInfo->verified();
             $info['persisted'] = true;
             // A matching user+token pair means the session should be treated
             // as persisted, even when no valid session ID cookie was sent.
         } elseif (isset($info['id'])) {
             // No token: the user is attached without going through verified().
             $info['userInfo'] = $userInfo;
         } else {
             // No point in returning, loadSessionInfoFromStore() will
             // reject it anyway.
             return null;
         }
     } elseif (isset($info['id'])) {
         // No UserID cookie, so insist that the session is anonymous.
         // Note: this event occurs for several normal activities:
         // * anon visits Special:UserLogin
         // * anon browsing after seeing Special:UserLogin
         // * anon browsing after edit or preview
         $this->logger->debug('Session "{session}" requested without UserID cookie', ['session' => $info['id']]);
         $info['userInfo'] = UserInfo::newAnonymous();
     } else {
         // No session ID and no user is the same as an empty session, so
         // there's no point.
         return null;
     }
     return new SessionInfo($this->priority, $info);
 }
 /**
  * Build a SessionInfo from the cookies carried by a request.
  *
  * All inputs are client-supplied cookies. The session ID is used only if
  * SessionManager::validateSessionId() accepts it; the UserName cookie must
  * match the user loaded by ID; a Token cookie must match the stored token
  * before the user is attached via verified().
  *
  * @param WebRequest $request
  * @return SessionInfo|null Null when the user ID cannot be loaded, when the
  *  name or token check fails, or when there is neither a valid session ID
  *  nor a token-verified user.
  */
 public function provideSessionInfo(WebRequest $request)
 {
     $cookieId = $this->getCookie($request, $this->params['sessionName'], '');
     $forceHttps = $this->getCookie($request, 'forceHTTPS', '', false);

     // Keep the cookie's session ID only when it passes validation.
     $info = array();
     if (SessionManager::validateSessionId($cookieId)) {
         $info['id'] = $cookieId;
     }
     $info['provider'] = $this;
     $info['forceHTTPS'] = $forceHttps;
     $hasSessionId = isset($info['id']);
     $info['persisted'] = $hasSessionId;

     list($userId, $userName, $token) = $this->getUserInfoFromCookies($request);

     if ($userId === null) {
         if (!$hasSessionId) {
             // No session ID and no user is the same as an empty session, so
             // there's no point.
             return null;
         }
         // No UserID cookie, so insist that the session is anonymous.
         $info['userInfo'] = UserInfo::newAnonymous();
         return new SessionInfo($this->priority, $info);
     }

     try {
         $userInfo = UserInfo::newFromId($userId);
     } catch (\InvalidArgumentException $ex) {
         return null;
     }

     // Sanity check: the UserName cookie, if sent, must name the same user.
     $nameMismatch = $userName !== null && $userInfo->getName() !== $userName;
     if ($nameMismatch) {
         return null;
     }

     if ($token !== null) {
         // hash_equals() compares in constant time; the stored token is
         // passed first as the known string.
         if (!hash_equals($userInfo->getToken(), $token)) {
             return null;
         }
         $info['userInfo'] = $userInfo->verified();
     } elseif ($hasSessionId) {
         // No token: the user is attached without going through verified().
         $info['userInfo'] = $userInfo;
     } else {
         // No point in returning, loadSessionInfoFromStore() will
         // reject it anyway.
         return null;
     }

     return new SessionInfo($this->priority, $info);
 }
Exemple #5
 /**
  * Create a SessionInfo from a priority and a set of named options.
  *
  * @param int $priority Session priority; must lie between
  *  self::MIN_PRIORITY and self::MAX_PRIORITY inclusive.
  * @param array $data
  *  - provider: (SessionProvider|null) If not given, the provider will be
  *    determined from the saved session data.
  *  - id: (string|null) Session ID. When null, one is generated through
  *    the provider's manager and marked as safe.
  *  - userInfo: (UserInfo|null) User known from the request. If
  *    $provider->canChangeUser() is false, a verified user
  *    must be provided.
  *  - persisted: (bool) Whether this session was persisted
  *  - remembered: (bool) Whether the verified user was remembered.
  *    Defaults to true.
  *  - forceHTTPS: (bool) Whether to force HTTPS for this session
  *  - metadata: (array) Provider metadata, to be returned by
  *    Session::getProviderMetadata().
  *  - idIsSafe: (bool) Set true if the 'id' did not come from the user.
  *    Generally you'll use this from SessionProvider::newEmptySession(),
  *    and not from any other method.
  *  - copyFrom: (SessionInfo) SessionInfo to copy other data items from.
  * @throws \InvalidArgumentException If the priority is out of range, if
  *  copyFrom, id, userInfo or metadata is invalid, or if neither a provider
  *  nor an ID is supplied.
  */
 public function __construct($priority, array $data)
 {
     if ($priority < self::MIN_PRIORITY || $priority > self::MAX_PRIORITY) {
         throw new \InvalidArgumentException('Invalid priority');
     }

     // Work out the fallback for every option the caller left out: either
     // the values of the SessionInfo being copied, or the fixed defaults.
     if (isset($data['copyFrom'])) {
         $source = $data['copyFrom'];
         if (!$source instanceof SessionInfo) {
             throw new \InvalidArgumentException('Invalid copyFrom');
         }
         $fallback = array(
             'provider' => $source->provider,
             'id' => $source->id,
             'userInfo' => $source->userInfo,
             'persisted' => $source->persisted,
             'remembered' => $source->remembered,
             'forceHTTPS' => $source->forceHTTPS,
             'metadata' => $source->providerMetadata,
             'idIsSafe' => $source->idIsSafe,
         );
     } else {
         $fallback = array(
             'provider' => null,
             'id' => null,
             'userInfo' => null,
             'persisted' => false,
             'remembered' => true,
             'forceHTTPS' => false,
             'metadata' => null,
             'idIsSafe' => false,
         );
     }
     // Array union: keys the caller supplied are never overwritten.
     $data += $fallback;

     $sessionId = $data['id'];
     $userInfo = $data['userInfo'];
     $provider = $data['provider'];
     $metadata = $data['metadata'];

     // A supplied ID is always validated, whatever idIsSafe says.
     if ($sessionId !== null && !SessionManager::validateSessionId($sessionId)) {
         throw new \InvalidArgumentException('Invalid session ID');
     }
     if ($userInfo !== null && !$userInfo instanceof UserInfo) {
         throw new \InvalidArgumentException('Invalid userInfo');
     }
     // Without a provider there is nothing to generate an ID from.
     if (!$provider && $sessionId === null) {
         throw new \InvalidArgumentException('Must supply an ID when no provider is given');
     }
     if ($metadata !== null && !is_array($metadata)) {
         throw new \InvalidArgumentException('Invalid metadata');
     }

     $this->provider = $provider;
     if ($sessionId === null) {
         // A freshly generated ID did not come from the user, so it is safe.
         $this->id = $this->provider->getManager()->generateSessionId();
         $this->idIsSafe = true;
     } else {
         $this->id = $sessionId;
         $this->idIsSafe = $data['idIsSafe'];
     }
     $this->priority = (int) $priority;
     $this->userInfo = $userInfo;
     $this->persisted = (bool) $data['persisted'];

     if ($provider !== null) {
         // 'remembered' is taken from $data only for a verified,
         // non-anonymous user.
         $hasVerifiedUser = $this->userInfo !== null
             && !$this->userInfo->isAnon()
             && $this->userInfo->isVerified();
         if ($hasVerifiedUser) {
             $this->remembered = (bool) $data['remembered'];
         }
         $this->providerMetadata = $metadata;
     }

     $this->forceHTTPS = (bool) $data['forceHTTPS'];
 }
 /**
  * A session ID produced by the manager must pass the manager's own
  * validateSessionId() check.
  */
 public function testGenerateSessionId()
 {
     $id = $this->getManager()->generateSessionId();
     $isValid = SessionManager::validateSessionId($id);
     $this->assertTrue($isValid, "Generated ID: {$id}");
 }