public function provideSessionInfo( WebRequest $request ) {
$info = array(
- 'id' => $request->getCookie( $this->params['sessionName'], '' )
+ 'id' => $this->getCookie( $request, $this->params['sessionName'], '' )
);
if ( !SessionManager::validateSessionId( $info['id'] ) ) {
unset( $info['id'] );
$info += array(
'provider' => $this,
'persisted' => isset( $info['id'] ),
- 'forceHTTPS' => $request->getCookie( 'forceHTTPS', '', false )
+ 'forceHTTPS' => $this->getCookie( $request, 'forceHTTPS', '', false )
);
return new SessionInfo( $this->priority, $info );
*/
protected function setLoggedOutCookie( $loggedOut, WebRequest $request ) {
if ( $loggedOut + 86400 > time() &&
- $loggedOut !== (int)$request->getCookie( 'LoggedOut', $this->cookieOptions['prefix'] )
+ $loggedOut !== (int)$this->getCookie( $request, 'LoggedOut', $this->cookieOptions['prefix'] )
) {
$request->response()->setCookie( 'LoggedOut', $loggedOut, $loggedOut + 86400,
$this->cookieOptions );
}
public function suggestLoginUsername( WebRequest $request ) {
- $name = $request->getCookie( 'UserName', $this->cookieOptions['prefix'] );
+ $name = $this->getCookie( $request, 'UserName', $this->cookieOptions['prefix'] );
if ( $name !== null ) {
$name = User::getCanonicalName( $name, 'usable' );
}
/**
* Fetch the user identity from cookies
- * @return array (int|null $id, string|null $token)
+ * @param \WebRequest $request
+ * @return array (string|null $id, string|null $username, string|null $token)
*/
protected function getUserInfoFromCookies( $request ) {
$prefix = $this->cookieOptions['prefix'];
return array(
- $request->getCookie( 'UserID', $prefix ),
- $request->getCookie( 'UserName', $prefix ),
- $request->getCookie( 'Token', $prefix ),
+ $this->getCookie( $request, 'UserID', $prefix ),
+ $this->getCookie( $request, 'UserName', $prefix ),
+ $this->getCookie( $request, 'Token', $prefix ),
);
}
+ /**
+ * Get a cookie. Contains an auth-specific hack.
+ * @param \WebRequest $request
+ * @param string $key
+ * @param string $prefix
+ * @param mixed $default
+ * @return mixed
+ */
+ protected function getCookie( $request, $key, $prefix, $default = null ) {
+ $value = $request->getCookie( $key, $prefix, $default );
+ if ( $value === 'deleted' ) {
+ // PHP uses this value when deleting cookies. A legitimate cookie will never have
+ // this value (usernames start with uppercase, token is longer, other auth cookies
+ // are booleans or integers). Seeing this means that in a previous request we told the
+ // client to delete the cookie, but it has poor cookie handling. Pretend the cookie is
+ // not there to avoid invalidating the session.
+ return null;
+ }
+ return $value;
+ }
+
/**
* Return the data to store in cookies
* @param User $user
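Review bot: The new `getCookie` helper returns `null` for the `'deleted'` sentinel regardless of `$default`, so a cookie the client failed to delete is not handled the same way as an absent one, which is what the comment says is intended; `provideSessionInfo` and the `forceHTTPS` lookup earlier in this diff pass `''` as the default and will now receive `null` in that case instead. Changing `return null;` to `return $default;` makes "deleted" and "missing" indistinguishable for every caller, including `setLoggedOutCookie`, where `(int)` of either is `0`. The docblock should also record the sentinel behaviour, e.g. `@return mixed The cookie value, or $default when the cookie is missing or holds the 'deleted' sentinel.` The comment's claim that no legitimate cookie can equal `'deleted'` rests on the current cookie set; a new cookie with free-form values would need to be checked against that assumption. The trailing docblock for the cookie-data method continues outside the hunk.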