/**
 * Build a SessionInfo from the session and user cookies on the request.
 *
 * The session ID cookie is only used when it passes
 * SessionManager::validateSessionId(). A user is attached only when the
 * UserID cookie resolves to a UserInfo: with a Token cookie the token is
 * checked with hash_equals() and the user is attached as verified; without
 * one, the unverified UserInfo is attached only if a session ID is present.
 *
 * @param WebRequest $request
 * @return SessionInfo|null Null when neither a usable session ID nor a user
 *  was found, or when the user cookies are inconsistent with the stored user.
 */
public function provideSessionInfo(WebRequest $request)
{
    $sessionId = $this->getCookie($request, $this->params['sessionName'], '');
    $info = [];
    if (SessionManager::validateSessionId($sessionId)) {
        $info['id'] = $sessionId;
    }

    list($userId, $userName, $token) = $this->getUserInfoFromCookies($request);
    if ($userId !== null) {
        try {
            $userInfo = UserInfo::newFromId($userId);
        } catch (\InvalidArgumentException $ex) {
            return null;
        }

        // Sanity check: a UserName cookie, when present, must match the stored name
        if ($userName !== null && $userInfo->getName() !== $userName) {
            return null;
        }

        if ($token !== null) {
            // Constant-time comparison of the Token cookie with the stored token
            if (!hash_equals($userInfo->getToken(), $token)) {
                return null;
            }
            $info['userInfo'] = $userInfo->verified();
        } elseif (isset($info['id'])) {
            // No point if no session ID
            $info['userInfo'] = $userInfo;
        }
    }

    if (!$info) {
        return null;
    }

    $info += [
        'provider' => $this,
        'persisted' => isset($info['id']),
        'forceHTTPS' => $this->getCookie($request, 'forceHTTPS', '', false),
    ];

    return new SessionInfo($this->priority, $info);
}
/**
 * Get the session ID from the cookie, if any.
 *
 * Only call this if $this->sessionCookieName !== null. If
 * sessionCookieName is null, do some logic (probably involving a call to
 * $this->hashToSessionId()) to create the single session ID corresponding
 * to this WebRequest instead of calling this method.
 *
 * @param WebRequest $request
 * @return string|null The cookie value when it is a valid session ID, else null
 * @throws \BadMethodCallException When $this->sessionCookieName is null
 */
protected function getSessionIdFromCookie(WebRequest $request)
{
    if ($this->sessionCookieName === null) {
        throw new \BadMethodCallException(
            __METHOD__ . ' may not be called when $this->sessionCookieName === null'
        );
    }

    // A per-provider cookie prefix takes precedence over the global CookiePrefix setting
    if (isset($this->sessionCookieOptions['prefix'])) {
        $cookiePrefix = $this->sessionCookieOptions['prefix'];
    } else {
        $cookiePrefix = $this->config->get('CookiePrefix');
    }

    // The cookie is client-controlled; only hand back values the validator accepts
    $candidate = $request->getCookie($this->sessionCookieName, $cookiePrefix);
    if (!SessionManager::validateSessionId($candidate)) {
        return null;
    }

    return $candidate;
}
/**
 * Build a SessionInfo from the session and user cookies on the request.
 *
 * The session ID is used only when it passes
 * SessionManager::validateSessionId(). When a UserID cookie is present it
 * must resolve to a user whose name matches the UserName cookie (if any);
 * a Token cookie is compared with hash_equals() and, when it matches, the
 * user is attached as verified and the session marked persisted. Without a
 * token the unverified user is attached only if a session ID exists. A
 * session ID without a UserID cookie is treated as an anonymous session.
 * Mismatched or invalid user cookies are logged as warnings.
 *
 * @param WebRequest $request
 * @return SessionInfo|null Null when there is nothing usable to return
 */
public function provideSessionInfo(WebRequest $request)
{
    $sessionId = $this->getCookie($request, $this->params['sessionName'], '');
    $info = [
        'provider' => $this,
        'forceHTTPS' => $this->getCookie($request, 'forceHTTPS', '', false),
    ];
    $hasSessionId = SessionManager::validateSessionId($sessionId);
    if ($hasSessionId) {
        $info['id'] = $sessionId;
        $info['persisted'] = true;
    }

    list($userId, $userName, $token) = $this->getUserInfoFromCookies($request);

    if ($userId === null) {
        if (!$hasSessionId) {
            // No session ID and no user is the same as an empty session, so
            // there's no point.
            return null;
        }
        // No UserID cookie, so insist that the session is anonymous.
        // Note: this event occurs for several normal activities:
        // * anon visits Special:UserLogin
        // * anon browsing after seeing Special:UserLogin
        // * anon browsing after edit or preview
        $this->logger->debug(
            'Session "{session}" requested without UserID cookie',
            ['session' => $info['id']]
        );
        $info['userInfo'] = UserInfo::newAnonymous();

        return new SessionInfo($this->priority, $info);
    }

    try {
        $userInfo = UserInfo::newFromId($userId);
    } catch (\InvalidArgumentException $ex) {
        return null;
    }

    // Sanity check: a UserName cookie, when present, must match the stored name
    if ($userName !== null && $userInfo->getName() !== $userName) {
        $this->logger->warning(
            'Session "{session}" requested with mismatched UserID and UserName cookies.',
            [
                'session' => $sessionId,
                'mismatch' => [
                    'userid' => $userId,
                    'cookie_username' => $userName,
                    'username' => $userInfo->getName(),
                ],
            ]
        );
        return null;
    }

    if ($token !== null) {
        // Constant-time comparison of the Token cookie with the stored token
        if (!hash_equals($userInfo->getToken(), $token)) {
            $this->logger->warning(
                'Session "{session}" requested with invalid Token cookie.',
                ['session' => $sessionId, 'userid' => $userId, 'username' => $userInfo->getName()]
            );
            return null;
        }
        $info['userInfo'] = $userInfo->verified();
        // If we have user+token, it should be
        $info['persisted'] = true;
    } elseif ($hasSessionId) {
        $info['userInfo'] = $userInfo;
    } else {
        // No point in returning, loadSessionInfoFromStore() will
        // reject it anyway.
        return null;
    }

    return new SessionInfo($this->priority, $info);
}
/**
 * Build a SessionInfo from the session and user cookies on the request.
 *
 * The session ID cookie is kept only when it passes
 * SessionManager::validateSessionId(); 'persisted' mirrors whether a valid
 * ID was present. A UserID cookie must resolve to a user whose name matches
 * the UserName cookie (if any). With a Token cookie the token is compared
 * using hash_equals() and the user is attached as verified; without one the
 * unverified user is attached only if a session ID exists. A session ID
 * without a UserID cookie yields an anonymous session.
 *
 * @param WebRequest $request
 * @return SessionInfo|null Null when there is nothing usable to return
 */
public function provideSessionInfo(WebRequest $request)
{
    $info = [
        'id' => $this->getCookie($request, $this->params['sessionName'], ''),
        'provider' => $this,
        'forceHTTPS' => $this->getCookie($request, 'forceHTTPS', '', false),
    ];
    $hasSessionId = SessionManager::validateSessionId($info['id']);
    if (!$hasSessionId) {
        unset($info['id']);
    }
    $info['persisted'] = $hasSessionId;

    list($userId, $userName, $token) = $this->getUserInfoFromCookies($request);

    if ($userId === null) {
        if (!$hasSessionId) {
            // No session ID and no user is the same as an empty session, so
            // there's no point.
            return null;
        }
        // No UserID cookie, so insist that the session is anonymous.
        $info['userInfo'] = UserInfo::newAnonymous();

        return new SessionInfo($this->priority, $info);
    }

    try {
        $userInfo = UserInfo::newFromId($userId);
    } catch (\InvalidArgumentException $ex) {
        return null;
    }

    // Sanity check: a UserName cookie, when present, must match the stored name
    if ($userName !== null && $userInfo->getName() !== $userName) {
        return null;
    }

    if ($token !== null) {
        // Constant-time comparison of the Token cookie with the stored token
        if (!hash_equals($userInfo->getToken(), $token)) {
            return null;
        }
        $info['userInfo'] = $userInfo->verified();
    } elseif ($hasSessionId) {
        $info['userInfo'] = $userInfo;
    } else {
        // No point in returning, loadSessionInfoFromStore() will
        // reject it anyway.
        return null;
    }

    return new SessionInfo($this->priority, $info);
}
/**
 * @param int $priority Session priority; must lie within
 *  [self::MIN_PRIORITY, self::MAX_PRIORITY]
 * @param array $data
 *  - provider: (SessionProvider|null) If not given, the provider will be
 *    determined from the saved session data.
 *  - id: (string|null) Session ID; must pass
 *    SessionManager::validateSessionId() when given. When null, a fresh ID
 *    is generated through the provider's manager and marked safe.
 *  - userInfo: (UserInfo|null) User known from the request. If
 *    $provider->canChangeUser() is false, a verified user must be provided.
 *  - persisted: (bool) Whether this session was persisted
 *  - remembered: (bool) Whether the verified user was remembered.
 *    Defaults to true; only applied when a provider is given and the user
 *    is a verified non-anonymous user.
 *  - forceHTTPS: (bool) Whether to force HTTPS for this session
 *  - metadata: (array) Provider metadata, to be returned by
 *    Session::getProviderMetadata(). Only stored when a provider is given.
 *  - idIsSafe: (bool) Set true if the 'id' did not come from the user.
 *    Generally you'll use this from SessionProvider::newEmptySession(),
 *    and not from any other method.
 *  - copyFrom: (SessionInfo) SessionInfo to copy other data items from.
 *    Keys given explicitly in $data take precedence over the copied ones.
 * @throws \InvalidArgumentException On an out-of-range priority, a non-SessionInfo
 *  copyFrom, an invalid id, a non-UserInfo userInfo, a non-array metadata, or
 *  when neither a provider nor an id is supplied
 */
public function __construct($priority, array $data)
{
    if ($priority < self::MIN_PRIORITY || $priority > self::MAX_PRIORITY) {
        throw new \InvalidArgumentException('Invalid priority');
    }

    // Fill in anything the caller omitted, either from the template
    // SessionInfo or from the fixed defaults.
    if (isset($data['copyFrom'])) {
        $from = $data['copyFrom'];
        if (!$from instanceof SessionInfo) {
            throw new \InvalidArgumentException('Invalid copyFrom');
        }
        $defaults = [
            'provider' => $from->provider,
            'id' => $from->id,
            'userInfo' => $from->userInfo,
            'persisted' => $from->persisted,
            'remembered' => $from->remembered,
            'forceHTTPS' => $from->forceHTTPS,
            'metadata' => $from->providerMetadata,
            'idIsSafe' => $from->idIsSafe,
        ];
    } else {
        $defaults = [
            'provider' => null,
            'id' => null,
            'userInfo' => null,
            'persisted' => false,
            'remembered' => true,
            'forceHTTPS' => false,
            'metadata' => null,
            'idIsSafe' => false,
        ];
    }
    $data += $defaults;

    $id = $data['id'];
    $userInfo = $data['userInfo'];
    $provider = $data['provider'];
    $metadata = $data['metadata'];

    if ($id !== null && !SessionManager::validateSessionId($id)) {
        throw new \InvalidArgumentException('Invalid session ID');
    }
    if ($userInfo !== null && !($userInfo instanceof UserInfo)) {
        throw new \InvalidArgumentException('Invalid userInfo');
    }
    if (!$provider && $id === null) {
        throw new \InvalidArgumentException('Must supply an ID when no provider is given');
    }
    if ($metadata !== null && !is_array($metadata)) {
        throw new \InvalidArgumentException('Invalid metadata');
    }

    $this->provider = $provider;

    if ($id === null) {
        // No ID was supplied, so it cannot have come from the user
        $this->id = $this->provider->getManager()->generateSessionId();
        $this->idIsSafe = true;
    } else {
        $this->id = $id;
        $this->idIsSafe = $data['idIsSafe'];
    }

    $this->priority = (int) $priority;
    $this->userInfo = $userInfo;
    $this->persisted = (bool) $data['persisted'];

    if ($provider !== null) {
        // 'remembered' only means something for a verified, non-anonymous user
        if ($userInfo !== null && !$userInfo->isAnon() && $userInfo->isVerified()) {
            $this->remembered = (bool) $data['remembered'];
        }
        $this->providerMetadata = $metadata;
    }

    $this->forceHTTPS = (bool) $data['forceHTTPS'];
}
/**
 * A freshly generated session ID must be accepted by the same validator
 * that is applied to IDs arriving from requests.
 */
public function testGenerateSessionId()
{
    $id = $this->getManager()->generateSessionId();
    $isValid = SessionManager::validateSessionId($id);
    $this->assertTrue($isValid, "Generated ID: {$id}");
}