예제 #1
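/**
 * Reset the session_id
 *
 * Gives the current session a new id while keeping the $_SESSION contents,
 * then runs the 'ResetSessionID' hook with the old and the new id.
 *
 * Both paths invalidate the old id. An id that stays valid on the server
 * after a reset can still be presented by anyone who learned it earlier,
 * which defeats the purpose of resetting it.
 *
 * @since 1.22
 */
function wfResetSessionID()
{
    global $wgCookieSecure;

    $oldSessionId = session_id();
    $cookieParams = session_get_cookie_params();

    // PHP's own regeneration is used only when wfCheckEntropy() returns true and the
    // active cookie's 'secure' flag already matches $wgCookieSecure.
    if (wfCheckEntropy() && $wgCookieSecure == $cookieParams['secure']) {
        // true = delete the data stored under the old id. With false the old id
        // stays usable until session garbage collection, unlike the else branch
        // below, which destroys it.
        // NOTE(review): a request still in flight with the old cookie will find no
        // session afterwards; the else branch already behaves that way.
        session_regenerate_id(true);
    } else {
        // Manual replacement: keep a copy of the data, destroy the old session,
        // and set up a new one under an id taken from MWCryptRand.
        // presumably wfSetupSession() starts the session under the given id and
        // applies the current cookie settings; confirm against its definition.
        $tmp = $_SESSION;
        session_destroy();
        wfSetupSession(MWCryptRand::generateHex(32));
        $_SESSION = $tmp;
    }

    $newSessionId = session_id();
    // Hook handlers receive both raw ids; they should not log or persist them.
    Hooks::run('ResetSessionID', array($oldSessionId, $newSessionId));
}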
예제 #2
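 /**
  * Renew the user's session id, using strong entropy
  *
  * The $_SESSION contents are carried over to the new id. The old id is
  * invalidated on both paths so it cannot be presented again afterwards.
  */
 private function renewSessionId()
 {
     global $wgSecureLogin, $wgCookieSecure;

     // NOTE(review): this clears the global secure-cookie flag for the rest of the
     // request, so a session cookie issued after this point is presumably not
     // HTTPS-only. It looks intentional for users who did not ask to stay on HTTPS
     // (mStickHTTPS); confirm that this downgrade is wanted.
     if ($wgSecureLogin && !$this->mStickHTTPS) {
         $wgCookieSecure = false;
     }

     // If either we don't trust PHP's entropy, or if we need
     // to change cookie settings when logging in because of
     // wpStickHTTPS, then change the session ID manually.
     $cookieParams = session_get_cookie_params();
     if (wfCheckEntropy() && $wgCookieSecure == $cookieParams['secure']) {
         // true = delete the data stored under the old id. With false the
         // pre-renewal id stays usable until session garbage collection, unlike
         // the else branch below, which destroys it.
         session_regenerate_id(true);
     } else {
         // Keep a copy of the data, destroy the old session, then set up a new
         // one under an id taken from MWCryptRand.
         $tmp = $_SESSION;
         session_destroy();
         wfSetupSession(MWCryptRand::generateHex(32));
         $_SESSION = $tmp;
     }
 }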
예제 #3
/**
 * Pre-seed the session id before the session starts when PHP's built-in
 * session id generation is not considered secure.
 *
 * Does nothing when a session already exists, i.e. when the session cookie
 * is present or session_id() is non-empty.
 */
function wfFixSessionID()
{
    // An existing cookie or id means a session is already in place; leave it alone.
    $hasSessionCookie = isset($_COOKIE[session_name()]);
    if ($hasSessionCookie || session_id()) {
        return;
    }

    // Per the original notes, PHP's built-in session entropy counts as enabled when:
    // - entropy_file is set or you're on Windows with php 5.3.3+
    // - AND entropy_length is > 0
    // It is treated as disabled unless the entropy length is at least 32.
    if (wfCheckEntropy()) {
        // The built-in generator is trusted, so PHP picks the id itself.
        return;
    }

    // Otherwise override PHP's generator with an id from our own cryptrand source.
    wfDebug(__METHOD__ . ": PHP's built in entropy is disabled or not sufficient, overriding session id generation using our cryptrand source.\n");
    $replacementId = MWCryptRand::generateHex(32);
    session_id($replacementId);
}
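 /**
  * Renew the user's session id, using strong entropy
  *
  * The $_SESSION contents are carried over to the new id. Neither path
  * leaves the old id holding the session data afterwards.
  */
 private function renewSessionId()
 {
     if (wfCheckEntropy()) {
         // true = delete the data stored under the old id. With false the old id
         // keeps its data until session garbage collection, whereas the manual
         // path below empties the old session before switching ids.
         session_regenerate_id(true);
     } else {
         // If we don't trust PHP's entropy, we have to replace the session manually
         $tmp = $_SESSION;
         // Empty the old session and flush it, so the old id no longer carries the data.
         session_unset();
         session_write_close();
         // Start a new session under an id taken from MWCryptRand and restore the data.
         session_id(MWCryptRand::generateHex(32));
         session_start();
         $_SESSION = $tmp;
     }
 }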
예제 #5
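/**
 * Reset the session_id
 *
 * Gives the current session a new id while keeping the $_SESSION contents,
 * runs the 'ResetSessionID' hook with the old and the new id, and writes a
 * debug line identifying the new session.
 *
 * The debug line carries a short SHA-256 fingerprint instead of the id
 * itself: a session id is a bearer credential, and anyone able to read the
 * debug log could otherwise reuse it.
 *
 * Backported from MW 1.22
 */
function wfResetSessionID()
{
    global $wgCookieSecure;

    $oldSessionId = session_id();
    $cookieParams = session_get_cookie_params();

    // PHP's own regeneration is used only when wfCheckEntropy() returns true and the
    // active cookie's 'secure' flag already matches $wgCookieSecure.
    if (wfCheckEntropy() && $wgCookieSecure == $cookieParams['secure']) {
        // Wikia - $delete_old_session = true, so the old id stops being valid at once.
        session_regenerate_id(true);
    } else {
        // Manual replacement: keep a copy of the data, destroy the old session,
        // and set up a new one under an id taken from MWCryptRand.
        $tmp = $_SESSION;
        session_destroy();
        wfSetupSession(MWCryptRand::generateHex(32));
        $_SESSION = $tmp;
    }

    $newSessionId = session_id();
    // Hook handlers receive both raw ids; they should not log or persist them.
    Hooks::run('ResetSessionID', array($oldSessionId, $newSessionId));

    // Log a truncated one-way fingerprint; it still correlates log lines for the
    // same session without exposing a usable id.
    $fingerprint = substr(hash('sha256', $newSessionId), 0, 8);
    wfDebug(sprintf("%s: new ID fingerprint is '%s'\n", __METHOD__, $fingerprint));
}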
예제 #6
/**
 * Supply our own session id ahead of session startup when PHP's built-in
 * session id generation cannot be relied on.
 *
 * Leaves everything untouched when the session cookie is present or a
 * session id is already set.
 */
function wfFixSessionID()
{
    // A session cookie or a non-empty id means there is already a session: abort.
    $sessionAlreadyPresent = isset($_COOKIE[session_name()]) || session_id();
    if ($sessionAlreadyPresent) {
        return;
    }

    // Only step in when wfCheckEntropy() reports the built-in entropy as
    // disabled or insufficient.
    $needsOverride = !wfCheckEntropy();
    if ($needsOverride) {
        wfDebug(__METHOD__ . ": PHP's built in entropy is disabled or not sufficient, overriding session id generation using our cryptrand source.\n");
        // The replacement id comes from MWCryptRand instead of PHP's generator.
        session_id(MWCryptRand::generateHex(32));
    }
}