3 * MediaWiki cookie-based session provider interface
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
24 namespace MediaWiki\Session
;
31 * A CookieSessionProvider persists sessions using cookies
36 class CookieSessionProvider
extends SessionProvider
{
38 protected $params = array();
39 protected $cookieOptions = array();
42 * @param array $params Keys include:
43 * - priority: (required) Priority of the returned sessions
44 * - callUserSetCookiesHook: Whether to call the deprecated hook
45 * - sessionName: Session cookie name. Doesn't honor 'prefix'. Defaults to
46 * $wgSessionName, or $wgCookiePrefix . '_session' if that is unset.
47 * - cookieOptions: Options to pass to WebRequest::setCookie():
48 * - prefix: Cookie prefix, defaults to $wgCookiePrefix
49 * - path: Cookie path, defaults to $wgCookiePath
50 * - domain: Cookie domain, defaults to $wgCookieDomain
51 * - secure: Cookie secure flag, defaults to $wgCookieSecure
52 * - httpOnly: Cookie httpOnly flag, defaults to $wgCookieHttpOnly
54 public function __construct( $params = array() ) {
55 parent
::__construct();
58 'cookieOptions' => array(),
59 // @codeCoverageIgnoreStart
61 // @codeCoverageIgnoreEnd
63 if ( !isset( $params['priority'] ) ) {
64 throw new \
InvalidArgumentException( __METHOD__
. ': priority must be specified' );
66 if ( $params['priority'] < SessionInfo
::MIN_PRIORITY ||
67 $params['priority'] > SessionInfo
::MAX_PRIORITY
69 throw new \
InvalidArgumentException( __METHOD__
. ': Invalid priority' );
72 if ( !is_array( $params['cookieOptions'] ) ) {
73 throw new \
InvalidArgumentException( __METHOD__
. ': cookieOptions must be an array' );
76 $this->priority
= $params['priority'];
77 $this->cookieOptions
= $params['cookieOptions'];
78 $this->params
= $params;
79 unset( $this->params
['priority'] );
80 unset( $this->params
['cookieOptions'] );
83 public function setConfig( Config
$config ) {
84 parent
::setConfig( $config );
86 // @codeCoverageIgnoreStart
87 $this->params +
= array(
88 // @codeCoverageIgnoreEnd
89 'callUserSetCookiesHook' => false,
91 $config->get( 'SessionName' ) ?
: $config->get( 'CookiePrefix' ) . '_session',
94 // @codeCoverageIgnoreStart
95 $this->cookieOptions +
= array(
96 // @codeCoverageIgnoreEnd
97 'prefix' => $config->get( 'CookiePrefix' ),
98 'path' => $config->get( 'CookiePath' ),
99 'domain' => $config->get( 'CookieDomain' ),
100 'secure' => $config->get( 'CookieSecure' ),
101 'httpOnly' => $config->get( 'CookieHttpOnly' ),
105 public function provideSessionInfo( WebRequest
$request ) {
107 'id' => $this->getCookie( $request, $this->params
['sessionName'], '' ),
109 'forceHTTPS' => $this->getCookie( $request, 'forceHTTPS', '', false )
111 if ( !SessionManager
::validateSessionId( $info['id'] ) ) {
112 unset( $info['id'] );
114 $info['persisted'] = isset( $info['id'] );
116 list( $userId, $userName, $token ) = $this->getUserInfoFromCookies( $request );
117 if ( $userId !== null ) {
119 $userInfo = UserInfo
::newFromId( $userId );
120 } catch ( \InvalidArgumentException
$ex ) {
125 if ( $userName !== null && $userInfo->getName() !== $userName ) {
129 if ( $token !== null ) {
130 if ( !hash_equals( $userInfo->getToken(), $token ) ) {
133 $info['userInfo'] = $userInfo->verified();
134 } elseif ( isset( $info['id'] ) ) {
135 $info['userInfo'] = $userInfo;
137 // No point in returning, loadSessionInfoFromStore() will
141 } elseif ( isset( $info['id'] ) ) {
142 // No UserID cookie, so insist that the session is anonymous.
143 $info['userInfo'] = UserInfo
::newAnonymous();
145 // No session ID and no user is the same as an empty session, so
150 return new SessionInfo( $this->priority
, $info );
153 public function persistsSessionId() {
157 public function canChangeUser() {
161 public function persistSession( SessionBackend
$session, WebRequest
$request ) {
162 $response = $request->response();
163 if ( $response->headersSent() ) {
164 // Can't do anything now
165 $this->logger
->debug( __METHOD__
. ': Headers already sent' );
169 $user = $session->getUser();
171 $cookies = $this->cookieDataToExport( $user, $session->shouldRememberUser() );
172 $sessionData = $this->sessionDataToExport( $user );
175 if ( $this->params
['callUserSetCookiesHook'] && !$user->isAnon() ) {
176 \Hooks
::run( 'UserSetCookies', array( $user, &$sessionData, &$cookies ) );
179 $options = $this->cookieOptions
;
181 $forceHTTPS = $session->shouldForceHTTPS() ||
$user->requiresHTTPS();
183 // Don't set the secure flag if the request came in
184 // over "http", for backwards compat.
185 // @todo Break that backwards compat properly.
186 $options['secure'] = $this->config
->get( 'CookieSecure' );
189 $response->setCookie( $this->params
['sessionName'], $session->getId(), null,
190 array( 'prefix' => '' ) +
$options
193 $extendedCookies = $this->config
->get( 'ExtendedLoginCookies' );
194 $extendedExpiry = $this->config
->get( 'ExtendedLoginCookieExpiration' );
196 foreach ( $cookies as $key => $value ) {
197 if ( $value === false ) {
198 $response->clearCookie( $key, $options );
200 if ( $extendedExpiry !== null && in_array( $key, $extendedCookies ) ) {
201 $expiry = time() +
(int)$extendedExpiry;
203 $expiry = 0; // Default cookie expiration
205 $response->setCookie( $key, (string)$value, $expiry, $options );
209 $this->setForceHTTPSCookie( $forceHTTPS, $session, $request );
210 $this->setLoggedOutCookie( $session->getLoggedOutTimestamp(), $request );
212 if ( $sessionData ) {
213 $session->addData( $sessionData );
217 public function unpersistSession( WebRequest
$request ) {
218 $response = $request->response();
219 if ( $response->headersSent() ) {
220 // Can't do anything now
221 $this->logger
->debug( __METHOD__
. ': Headers already sent' );
230 $response->clearCookie(
231 $this->params
['sessionName'], array( 'prefix' => '' ) +
$this->cookieOptions
234 foreach ( $cookies as $key => $value ) {
235 $response->clearCookie( $key, $this->cookieOptions
);
238 $this->setForceHTTPSCookie( false, null, $request );
242 * Set the "forceHTTPS" cookie
243 * @param bool $set Whether the cookie should be set or not
244 * @param SessionBackend|null $backend
245 * @param WebRequest $request
247 protected function setForceHTTPSCookie(
248 $set, SessionBackend
$backend = null, WebRequest
$request
250 $response = $request->response();
252 $response->setCookie( 'forceHTTPS', 'true', $backend->shouldRememberUser() ?
0 : null,
253 array( 'prefix' => '', 'secure' => false ) +
$this->cookieOptions
);
255 $response->clearCookie( 'forceHTTPS',
256 array( 'prefix' => '', 'secure' => false ) +
$this->cookieOptions
);
261 * Set the "logged out" cookie
262 * @param int $loggedOut timestamp
263 * @param WebRequest $request
265 protected function setLoggedOutCookie( $loggedOut, WebRequest
$request ) {
266 if ( $loggedOut +
86400 > time() &&
267 $loggedOut !== (int)$this->getCookie( $request, 'LoggedOut', $this->cookieOptions
['prefix'] )
269 $request->response()->setCookie( 'LoggedOut', $loggedOut, $loggedOut +
86400,
270 $this->cookieOptions
);
274 public function getVaryCookies() {
276 // Vary on token and session because those are the real authn
277 // determiners. UserID and UserName don't matter without those.
278 $this->cookieOptions
['prefix'] . 'Token',
279 $this->cookieOptions
['prefix'] . 'LoggedOut',
280 $this->params
['sessionName'],
285 public function suggestLoginUsername( WebRequest
$request ) {
286 $name = $this->getCookie( $request, 'UserName', $this->cookieOptions
['prefix'] );
287 if ( $name !== null ) {
288 $name = User
::getCanonicalName( $name, 'usable' );
290 return $name === false ?
null : $name;
294 * Fetch the user identity from cookies
295 * @param \WebRequest $request
296 * @return array (string|null $id, string|null $username, string|null $token)
298 protected function getUserInfoFromCookies( $request ) {
299 $prefix = $this->cookieOptions
['prefix'];
301 $this->getCookie( $request, 'UserID', $prefix ),
302 $this->getCookie( $request, 'UserName', $prefix ),
303 $this->getCookie( $request, 'Token', $prefix ),
308 * Get a cookie. Contains an auth-specific hack.
309 * @param \WebRequest $request
311 * @param string $prefix
312 * @param mixed $default
315 protected function getCookie( $request, $key, $prefix, $default = null ) {
316 $value = $request->getCookie( $key, $prefix, $default );
317 if ( $value === 'deleted' ) {
318 // PHP uses this value when deleting cookies. A legitimate cookie will never have
319 // this value (usernames start with uppercase, token is longer, other auth cookies
320 // are booleans or integers). Seeing this means that in a previous request we told the
321 // client to delete the cookie, but it has poor cookie handling. Pretend the cookie is
322 // not there to avoid invalidating the session.
329 * Return the data to store in cookies
331 * @param bool $remember
332 * @return array $cookies Set value false to unset the cookie
334 protected function cookieDataToExport( $user, $remember ) {
335 if ( $user->isAnon() ) {
342 'UserID' => $user->getId(),
343 'UserName' => $user->getName(),
344 'Token' => $remember ?
(string)$user->getToken() : false,
350 * Return extra data to store in the session
352 * @return array $session
354 protected function sessionDataToExport( $user ) {
355 // If we're calling the legacy hook, we should populate $session
356 // like User::setCookies() did.
357 if ( !$user->isAnon() && $this->params
['callUserSetCookiesHook'] ) {
359 'wsUserID' => $user->getId(),
360 'wsToken' => $user->getToken(),
361 'wsUserName' => $user->getName(),
368 public function whyNoSession() {
369 return wfMessage( 'sessionprovider-nocookies' );