3 * Session storage in object cache.
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
24 namespace MediaWiki\Session
;
26 use Psr\Log\LoggerInterface
;
30 * Adapter for PHP's session handling
34 class PHPSessionHandler
implements \SessionHandlerInterface
{
35 /** @var PHPSessionHandler */
36 protected static $instance = null;
38 /** @var bool Whether PHP session handling is enabled */
39 protected $enable = false;
40 protected $warn = true;
42 /** @var SessionManager|null */
45 /** @var BagOStuff|null */
48 /** @var LoggerInterface */
51 /** @var array Track original session fields for later modification check */
52 protected $sessionFieldCache = [];
54 protected function __construct( SessionManager
$manager ) {
55 $this->setEnableFlags(
56 \RequestContext
::getMain()->getConfig()->get( 'PHPSessionHandling' )
58 $manager->setupPHPSessionHandler( $this );
62 * Set $this->enable and $this->warn
64 * Separate just because there doesn't seem to be a good way to test it
67 * @param string $PHPSessionHandling See $wgPHPSessionHandling
69 private function setEnableFlags( $PHPSessionHandling ) {
70 switch ( $PHPSessionHandling ) {
82 $this->enable
= false;
89 * Test whether the handler is installed
92 public static function isInstalled() {
93 return (bool)self
::$instance;
97 * Test whether the handler is installed and enabled
100 public static function isEnabled() {
101 return self
::$instance && self
::$instance->enable
;
105 * Install a session handler for the current web request
106 * @param SessionManager $manager
108 public static function install( SessionManager
$manager ) {
109 if ( self
::$instance ) {
110 $manager->setupPHPSessionHandler( self
::$instance );
114 // @codeCoverageIgnoreStart
115 if ( defined( 'MW_NO_SESSION_HANDLER' ) ) {
116 throw new \
BadMethodCallException( 'MW_NO_SESSION_HANDLER is defined' );
118 // @codeCoverageIgnoreEnd
120 self
::$instance = new self( $manager );
122 // Close any auto-started session, before we replace it
123 session_write_close();
126 \Wikimedia\
suppressWarnings();
128 // Tell PHP not to mess with cookies itself
129 ini_set( 'session.use_cookies', 0 );
130 ini_set( 'session.use_trans_sid', 0 );
132 // T124510: Disable automatic PHP session related cache headers.
133 // MediaWiki adds it's own headers and the default PHP behavior may
134 // set headers such as 'Pragma: no-cache' that cause problems with
136 session_cache_limiter( '' );
138 // Also set a sane serialization handler
139 \Wikimedia\PhpSessionSerializer
::setSerializeHandler();
141 // Register this as the save handler, and register an appropriate
142 // shutdown function.
143 session_set_save_handler( self
::$instance, true );
145 \Wikimedia\restoreWarnings
();
150 * Set the manager, store, and logger
151 * @private Use self::install().
152 * @param SessionManager $manager
153 * @param BagOStuff $store
154 * @param LoggerInterface $logger
156 public function setManager(
157 SessionManager
$manager, BagOStuff
$store, LoggerInterface
$logger
159 if ( $this->manager
!== $manager ) {
160 // Close any existing session before we change stores
161 if ( $this->manager
) {
162 session_write_close();
164 $this->manager
= $manager;
165 $this->store
= $store;
166 $this->logger
= $logger;
167 \Wikimedia\PhpSessionSerializer
::setLogger( $this->logger
);
172 * Workaround for PHP5 bug
174 * PHP5 has a bug in handling boolean return values for
175 * SessionHandlerInterface methods, it expects 0 or -1 instead of true or
176 * false. See <https://wiki.php.net/rfc/session.user.return-value>.
178 * PHP7 and HHVM are not affected.
180 * @todo When we drop support for Zend PHP 5, this can be removed.
182 * @codeCoverageIgnore
184 protected static function returnSuccess() {
185 return defined( 'HHVM_VERSION' ) ||
version_compare( PHP_VERSION
, '7.0.0', '>=' ) ?
true : 0;
189 * Workaround for PHP5 bug
190 * @see self::returnSuccess()
192 * @codeCoverageIgnore
194 protected static function returnFailure() {
195 return defined( 'HHVM_VERSION' ) ||
version_compare( PHP_VERSION
, '7.0.0', '>=' ) ?
false : -1;
199 * Initialize the session (handler)
200 * @private For internal use only
201 * @param string $save_path Path used to store session files (ignored)
202 * @param string $session_name Session name (ignored)
203 * @return bool|int Success (see self::returnSuccess())
205 public function open( $save_path, $session_name ) {
206 if ( self
::$instance !== $this ) {
207 throw new \
UnexpectedValueException( __METHOD__
. ': Wrong instance called!' );
209 if ( !$this->enable
) {
210 throw new \
BadMethodCallException( 'Attempt to use PHP session management' );
212 return self
::returnSuccess();
216 * Close the session (handler)
217 * @private For internal use only
218 * @return bool|int Success (see self::returnSuccess())
220 public function close() {
221 if ( self
::$instance !== $this ) {
222 throw new \
UnexpectedValueException( __METHOD__
. ': Wrong instance called!' );
224 $this->sessionFieldCache
= [];
225 return self
::returnSuccess();
230 * @private For internal use only
231 * @param string $id Session id
232 * @return string Session data
234 public function read( $id ) {
235 if ( self
::$instance !== $this ) {
236 throw new \
UnexpectedValueException( __METHOD__
. ': Wrong instance called!' );
238 if ( !$this->enable
) {
239 throw new \
BadMethodCallException( 'Attempt to use PHP session management' );
242 $session = $this->manager
->getSessionById( $id, false );
248 $data = iterator_to_array( $session );
249 $this->sessionFieldCache
[$id] = $data;
250 return (string)\Wikimedia\PhpSessionSerializer
::encode( $data );
255 * @private For internal use only
256 * @param string $id Session id
257 * @param string $dataStr Session data. Not that you should ever call this
258 * directly, but note that this has the same issues with code injection
259 * via user-controlled data as does PHP's unserialize function.
260 * @return bool|int Success (see self::returnSuccess())
262 public function write( $id, $dataStr ) {
263 if ( self
::$instance !== $this ) {
264 throw new \
UnexpectedValueException( __METHOD__
. ': Wrong instance called!' );
266 if ( !$this->enable
) {
267 throw new \
BadMethodCallException( 'Attempt to use PHP session management' );
270 $session = $this->manager
->getSessionById( $id, true );
272 // This can happen under normal circumstances, if the session exists but is
273 // invalid. Let's emit a log warning instead of a PHP warning.
274 $this->logger
->warning(
275 __METHOD__
. ': Session "{session}" cannot be loaded, skipping write.',
279 return self
::returnSuccess();
282 // First, decode the string PHP handed us
283 $data = \Wikimedia\PhpSessionSerializer
::decode( $dataStr );
284 if ( $data === null ) {
285 // @codeCoverageIgnoreStart
286 return self
::returnFailure();
287 // @codeCoverageIgnoreEnd
290 // Now merge the data into the Session object.
292 $cache = isset( $this->sessionFieldCache
[$id] ) ?
$this->sessionFieldCache
[$id] : [];
293 foreach ( $data as $key => $value ) {
294 if ( !array_key_exists( $key, $cache ) ) {
295 if ( $session->exists( $key ) ) {
296 // New in both, so ignore and log
297 $this->logger
->warning(
298 __METHOD__
. ": Key \"$key\" added in both Session and \$_SESSION!"
301 // New in $_SESSION, keep it
302 $session->set( $key, $value );
305 } elseif ( $cache[$key] === $value ) {
306 // Unchanged in $_SESSION, so ignore it
307 } elseif ( !$session->exists( $key ) ) {
308 // Deleted in Session, keep but log
309 $this->logger
->warning(
310 __METHOD__
. ": Key \"$key\" deleted in Session and changed in \$_SESSION!"
312 $session->set( $key, $value );
314 } elseif ( $cache[$key] === $session->get( $key ) ) {
315 // Unchanged in Session, so keep it
316 $session->set( $key, $value );
319 // Changed in both, so ignore and log
320 $this->logger
->warning(
321 __METHOD__
. ": Key \"$key\" changed in both Session and \$_SESSION!"
325 // Anything deleted in $_SESSION and unchanged in Session should be deleted too
326 // (but not if $_SESSION can't represent it at all)
327 \Wikimedia\PhpSessionSerializer
::setLogger( new \Psr\Log\
NullLogger() );
328 foreach ( $cache as $key => $value ) {
329 if ( !array_key_exists( $key, $data ) && $session->exists( $key ) &&
330 \Wikimedia\PhpSessionSerializer
::encode( [ $key => true ] )
332 if ( $cache[$key] === $session->get( $key ) ) {
333 // Unchanged in Session, delete it
334 $session->remove( $key );
337 // Changed in Session, ignore deletion and log
338 $this->logger
->warning(
339 __METHOD__
. ": Key \"$key\" changed in Session and deleted in \$_SESSION!"
344 \Wikimedia\PhpSessionSerializer
::setLogger( $this->logger
);
346 // Save and update cache if anything changed
349 wfDeprecated( '$_SESSION', '1.27' );
350 $this->logger
->warning( 'Something wrote to $_SESSION!' );
354 $this->sessionFieldCache
[$id] = iterator_to_array( $session );
359 return self
::returnSuccess();
364 * @private For internal use only
365 * @param string $id Session id
366 * @return bool|int Success (see self::returnSuccess())
368 public function destroy( $id ) {
369 if ( self
::$instance !== $this ) {
370 throw new \
UnexpectedValueException( __METHOD__
. ': Wrong instance called!' );
372 if ( !$this->enable
) {
373 throw new \
BadMethodCallException( 'Attempt to use PHP session management' );
375 $session = $this->manager
->getSessionById( $id, false );
379 return self
::returnSuccess();
383 * Execute garbage collection.
384 * @private For internal use only
385 * @param int $maxlifetime Maximum session life time (ignored)
386 * @return bool|int Success (see self::returnSuccess())
387 * @codeCoverageIgnore See T135576
389 public function gc( $maxlifetime ) {
390 if ( self
::$instance !== $this ) {
391 throw new \
UnexpectedValueException( __METHOD__
. ': Wrong instance called!' );
393 $before = date( 'YmdHis', time() );
394 $this->store
->deleteObjectsExpiringBefore( $before );
395 return self
::returnSuccess();