Issues in CookieSessionProvider.php - All Issues - Inspection of "Daily Inspection: Merge "Add GENDER support to pro..." - wikimedia/mediawiki - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Branch — master (939199)

unknown

created 2016-11-04 17:19 UTC

includes/session/CookieSessionProvider.php (1 issue)

Labels

Bug 1

Severity

Major 1

Gergő Tisza 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * MediaWiki cookie-based session provider interface
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 * http://www.gnu.org/copyleft/gpl.html
 *
 * @file
 * @ingroup Session
 */

namespace MediaWiki\Session;

use Config;
use User;
use WebRequest;

/**
 * A CookieSessionProvider persists sessions using cookies
 *
 * @ingroup Session
 * @since 1.27
 */
class CookieSessionProvider extends SessionProvider {

	protected $params = [];
	protected $cookieOptions = [];

	/**
	 * @param array $params Keys include:
	 *  - priority: (required) Priority of the returned sessions
	 *  - callUserSetCookiesHook: Whether to call the deprecated hook
	 *  - sessionName: Session cookie name. Doesn't honor 'prefix'. Defaults to
	 *    $wgSessionName, or $wgCookiePrefix . '_session' if that is unset.
	 *  - cookieOptions: Options to pass to WebRequest::setCookie():
	 *    - prefix: Cookie prefix, defaults to $wgCookiePrefix
	 *    - path: Cookie path, defaults to $wgCookiePath
	 *    - domain: Cookie domain, defaults to $wgCookieDomain
	 *    - secure: Cookie secure flag, defaults to $wgCookieSecure
	 *    - httpOnly: Cookie httpOnly flag, defaults to $wgCookieHttpOnly
	 */
	public function __construct( $params = [] ) {
		parent::__construct();

		$params += [
			'cookieOptions' => [],
			// @codeCoverageIgnoreStart
		];
		// @codeCoverageIgnoreEnd

		if ( !isset( $params['priority'] ) ) {
			throw new \InvalidArgumentException( __METHOD__ . ': priority must be specified' );
		}
		if ( $params['priority'] < SessionInfo::MIN_PRIORITY ||
			$params['priority'] > SessionInfo::MAX_PRIORITY
		) {
			throw new \InvalidArgumentException( __METHOD__ . ': Invalid priority' );
		}

		if ( !is_array( $params['cookieOptions'] ) ) {
			throw new \InvalidArgumentException( __METHOD__ . ': cookieOptions must be an array' );
		}

		$this->priority = $params['priority'];
		$this->cookieOptions = $params['cookieOptions'];
		$this->params = $params;
		unset( $this->params['priority'] );
		unset( $this->params['cookieOptions'] );
	}

	public function setConfig( Config $config ) {
		parent::setConfig( $config );

		// @codeCoverageIgnoreStart
		$this->params += [
			// @codeCoverageIgnoreEnd
			'callUserSetCookiesHook' => false,
			'sessionName' =>
				$config->get( 'SessionName' ) ?: $config->get( 'CookiePrefix' ) . '_session',
		];

		// @codeCoverageIgnoreStart
		$this->cookieOptions += [
			// @codeCoverageIgnoreEnd
			'prefix' => $config->get( 'CookiePrefix' ),
			'path' => $config->get( 'CookiePath' ),
			'domain' => $config->get( 'CookieDomain' ),
			'secure' => $config->get( 'CookieSecure' ),
			'httpOnly' => $config->get( 'CookieHttpOnly' ),
		];
	}

	public function provideSessionInfo( WebRequest $request ) {
		$sessionId = $this->getCookie( $request, $this->params['sessionName'], '' );
		$info = [
			'provider' => $this,
			'forceHTTPS' => $this->getCookie( $request, 'forceHTTPS', '', false )
		];
		if ( SessionManager::validateSessionId( $sessionId ) ) {
			$info['id'] = $sessionId;
			$info['persisted'] = true;
		}

		list( $userId, $userName, $token ) = $this->getUserInfoFromCookies( $request );
		if ( $userId !== null ) {
			try {
				$userInfo = UserInfo::newFromId( $userId );
			} catch ( \InvalidArgumentException $ex ) {
				return null;
			}

			// Sanity check
			if ( $userName !== null && $userInfo->getName() !== $userName ) {
				$this->logger->warning(
					'Session "{session}" requested with mismatched UserID and UserName cookies.',
					[
						'session' => $sessionId,
						'mismatch' => [
							'userid' => $userId,
							'cookie_username' => $userName,
							'username' => $userInfo->getName(),
						],
				] );
				return null;
			}

			if ( $token !== null ) {
				if ( !hash_equals( $userInfo->getToken(), $token ) ) {
					$this->logger->warning(
						'Session "{session}" requested with invalid Token cookie.',
						[
							'session' => $sessionId,
							'userid' => $userId,
							'username' => $userInfo->getName(),
					 ] );
					return null;
				}
				$info['userInfo'] = $userInfo->verified();
				$info['persisted'] = true; // If we have user+token, it should be
			} elseif ( isset( $info['id'] ) ) {
				$info['userInfo'] = $userInfo;
			} else {
				// No point in returning, loadSessionInfoFromStore() will
				// reject it anyway.
				return null;
			}
		} elseif ( isset( $info['id'] ) ) {
			// No UserID cookie, so insist that the session is anonymous.
			// Note: this event occurs for several normal activities:
			// * anon visits Special:UserLogin
			// * anon browsing after seeing Special:UserLogin
			// * anon browsing after edit or preview
			$this->logger->debug(
				'Session "{session}" requested without UserID cookie',
				[
					'session' => $info['id'],
			] );
			$info['userInfo'] = UserInfo::newAnonymous();
		} else {
			// No session ID and no user is the same as an empty session, so
			// there's no point.
			return null;
		}

		return new SessionInfo( $this->priority, $info );
	}

	public function persistsSessionId() {
		return true;
	}

	public function canChangeUser() {
		return true;
	}

	public function persistSession( SessionBackend $session, WebRequest $request ) {
		$response = $request->response();
		if ( $response->headersSent() ) {
			// Can't do anything now
			$this->logger->debug( __METHOD__ . ': Headers already sent' );
			return;
		}

		$user = $session->getUser();

		$cookies = $this->cookieDataToExport( $user, $session->shouldRememberUser() );
		$sessionData = $this->sessionDataToExport( $user );

		// Legacy hook
		if ( $this->params['callUserSetCookiesHook'] && !$user->isAnon() ) {
			\Hooks::run( 'UserSetCookies', [ $user, &$sessionData, &$cookies ] );
		}

		$options = $this->cookieOptions;

		$forceHTTPS = $session->shouldForceHTTPS() || $user->requiresHTTPS();
		if ( $forceHTTPS ) {
			// Don't set the secure flag if the request came in
			// over "http", for backwards compat.
			// @todo Break that backwards compat properly.
			$options['secure'] = $this->config->get( 'CookieSecure' );
		}

		$response->setCookie( $this->params['sessionName'], $session->getId(), null,
			[ 'prefix' => '' ] + $options
		);

		foreach ( $cookies as $key => $value ) {
			if ( $value === false ) {
				$response->clearCookie( $key, $options );
			} else {
				$expirationDuration = $this->getLoginCookieExpiration( $key, $session->shouldRememberUser() );
				$expiration = $expirationDuration ? $expirationDuration + time() : null;
				$response->setCookie( $key, (string)$value, $expiration, $options );
			}
		}

		$this->setForceHTTPSCookie( $forceHTTPS, $session, $request );
		$this->setLoggedOutCookie( $session->getLoggedOutTimestamp(), $request );

		if ( $sessionData ) {
			$session->addData( $sessionData );
		}
	}

	public function unpersistSession( WebRequest $request ) {
		$response = $request->response();
		if ( $response->headersSent() ) {
			// Can't do anything now
			$this->logger->debug( __METHOD__ . ': Headers already sent' );
			return;
		}

		$cookies = [
			'UserID' => false,
			'Token' => false,
		];

		$response->clearCookie(
			$this->params['sessionName'], [ 'prefix' => '' ] + $this->cookieOptions
		);

		foreach ( $cookies as $key => $value ) {
			$response->clearCookie( $key, $this->cookieOptions );
		}

		$this->setForceHTTPSCookie( false, null, $request );
	}

	/**
	 * Set the "forceHTTPS" cookie
	 * @param bool $set Whether the cookie should be set or not
	 * @param SessionBackend|null $backend
	 * @param WebRequest $request
	 */
	protected function setForceHTTPSCookie(
		$set, SessionBackend $backend = null, WebRequest $request
	) {
		$response = $request->response();
		if ( $set ) {
			if ( $backend->shouldRememberUser() ) {
function someFunction(A $objectMaybe = null)
{
    if ($objectMaybe instanceof A) {
        $objectMaybe->doSomething();
    }
}
				$expirationDuration = $this->getLoginCookieExpiration(
					'forceHTTPS',
					true
				);
				$expiration = $expirationDuration ? $expirationDuration + time() : null;
			} else {
				$expiration = null;
			}
			$response->setCookie( 'forceHTTPS', 'true', $expiration,
				[ 'prefix' => '', 'secure' => false ] + $this->cookieOptions );
		} else {
			$response->clearCookie( 'forceHTTPS',
				[ 'prefix' => '', 'secure' => false ] + $this->cookieOptions );
		}
	}

	/**
	 * Set the "logged out" cookie
	 * @param int $loggedOut timestamp
	 * @param WebRequest $request
	 */
	protected function setLoggedOutCookie( $loggedOut, WebRequest $request ) {
		if ( $loggedOut + 86400 > time() &&
			$loggedOut !== (int)$this->getCookie( $request, 'LoggedOut', $this->cookieOptions['prefix'] )
		) {
			$request->response()->setCookie( 'LoggedOut', $loggedOut, $loggedOut + 86400,
				$this->cookieOptions );
		}
	}

	public function getVaryCookies() {
		return [
			// Vary on token and session because those are the real authn
			// determiners. UserID and UserName don't matter without those.
			$this->cookieOptions['prefix'] . 'Token',
			$this->cookieOptions['prefix'] . 'LoggedOut',
			$this->params['sessionName'],
			'forceHTTPS',
		];
	}

	public function suggestLoginUsername( WebRequest $request ) {
		 $name = $this->getCookie( $request, 'UserName', $this->cookieOptions['prefix'] );
		 if ( $name !== null ) {
			 $name = User::getCanonicalName( $name, 'usable' );
		 }
		 return $name === false ? null : $name;
	}

	/**
	 * Fetch the user identity from cookies
	 * @param \WebRequest $request
	 * @return array (string|null $id, string|null $username, string|null $token)
	 */
	protected function getUserInfoFromCookies( $request ) {
		$prefix = $this->cookieOptions['prefix'];
		return [
			$this->getCookie( $request, 'UserID', $prefix ),
			$this->getCookie( $request, 'UserName', $prefix ),
			$this->getCookie( $request, 'Token', $prefix ),
		];
	}

	/**
	 * Get a cookie. Contains an auth-specific hack.
	 * @param \WebRequest $request
	 * @param string $key
	 * @param string $prefix
	 * @param mixed $default
	 * @return mixed
	 */
	protected function getCookie( $request, $key, $prefix, $default = null ) {
		$value = $request->getCookie( $key, $prefix, $default );
		if ( $value === 'deleted' ) {
			// PHP uses this value when deleting cookies. A legitimate cookie will never have
			// this value (usernames start with uppercase, token is longer, other auth cookies
			// are booleans or integers). Seeing this means that in a previous request we told the
			// client to delete the cookie, but it has poor cookie handling. Pretend the cookie is
			// not there to avoid invalidating the session.
			return null;
		}
		return $value;
	}

	/**
	 * Return the data to store in cookies
	 * @param User $user
	 * @param bool $remember
	 * @return array $cookies Set value false to unset the cookie
	 */
	protected function cookieDataToExport( $user, $remember ) {
		if ( $user->isAnon() ) {
			return [
				'UserID' => false,
				'Token' => false,
			];
		} else {
			return [
				'UserID' => $user->getId(),
				'UserName' => $user->getName(),
				'Token' => $remember ? (string)$user->getToken() : false,
			];
		}
	}

	/**
	 * Return extra data to store in the session
	 * @param User $user
	 * @return array $session
	 */
	protected function sessionDataToExport( $user ) {
		// If we're calling the legacy hook, we should populate $session
		// like User::setCookies() did.
		if ( !$user->isAnon() && $this->params['callUserSetCookiesHook'] ) {
			return [
				'wsUserID' => $user->getId(),
				'wsToken' => $user->getToken(),
				'wsUserName' => $user->getName(),
			];
		}

		return [];
	}

	public function whyNoSession() {
		return wfMessage( 'sessionprovider-nocookies' );
	}

	public function getRememberUserDuration() {
		return min( $this->getLoginCookieExpiration( 'UserID', true ),
			$this->getLoginCookieExpiration( 'Token', true ) ) ?: null;
	}

	/**
	 * Gets the list of cookies that must be set to the 'remember me' duration,
	 * if $wgExtendedLoginCookieExpiration is in use.
	 *
	 * @return string[] Array of unprefixed cookie keys
	 */
	protected function getExtendedLoginCookies() {
		return [ 'UserID', 'UserName', 'Token' ];
	}

	/**
	 * Returns the lifespan of the login cookies, in seconds. 0 means until the end of the session.
	 *
	 * Cookies that are session-length do not call this function.
	 *
	 * @param string $cookieName
	 * @param boolean $shouldRememberUser Whether the user should be remembered
	 *   long-term
	 * @return int Cookie expiration time in seconds; 0 for session cookies
	 */
	protected function getLoginCookieExpiration( $cookieName, $shouldRememberUser ) {
		$extendedCookies = $this->getExtendedLoginCookies();
		$normalExpiration = $this->config->get( 'CookieExpiration' );

		if ( $shouldRememberUser && in_array( $cookieName, $extendedCookies, true ) ) {
			$extendedExpiration = $this->config->get( 'ExtendedLoginCookieExpiration' );

			return ( $extendedExpiration !== null ) ? (int)$extendedExpiration : (int)$normalExpiration;
		} else {
			return (int)$normalExpiration;
		}
	}
}


1		<?php
2		/**
3		* MediaWiki cookie-based session provider interface
4		*
5		* This program is free software; you can redistribute it and/or modify
6		* it under the terms of the GNU General Public License as published by
7		* the Free Software Foundation; either version 2 of the License, or
8		* (at your option) any later version.
9		*
10		* This program is distributed in the hope that it will be useful,
11		* but WITHOUT ANY WARRANTY; without even the implied warranty of
12		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13		* GNU General Public License for more details.
14		*
15		* You should have received a copy of the GNU General Public License along
16		* with this program; if not, write to the Free Software Foundation, Inc.,
17		* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18		* http://www.gnu.org/copyleft/gpl.html
19		*
20		* @file
21		* @ingroup Session
22		*/
23
24		namespace MediaWiki\Session;
25
26		use Config;
27		use User;
28		use WebRequest;
29
30		/**
31		* A CookieSessionProvider persists sessions using cookies
32		*
33		* @ingroup Session
34		* @since 1.27
35		*/
36		class CookieSessionProvider extends SessionProvider {
37
38		protected $params = [];
39		protected $cookieOptions = [];
40
41		/**
42		* @param array $params Keys include:
43		* - priority: (required) Priority of the returned sessions
44		* - callUserSetCookiesHook: Whether to call the deprecated hook
45		* - sessionName: Session cookie name. Doesn't honor 'prefix'. Defaults to
46		* $wgSessionName, or $wgCookiePrefix . '_session' if that is unset.
47		* - cookieOptions: Options to pass to WebRequest::setCookie():
48		* - prefix: Cookie prefix, defaults to $wgCookiePrefix
49		* - path: Cookie path, defaults to $wgCookiePath
50		* - domain: Cookie domain, defaults to $wgCookieDomain
51		* - secure: Cookie secure flag, defaults to $wgCookieSecure
52		* - httpOnly: Cookie httpOnly flag, defaults to $wgCookieHttpOnly
53		*/
54		public function __construct( $params = [] ) {
55		parent::__construct();
56
57		$params += [
58		'cookieOptions' => [],
59		// @codeCoverageIgnoreStart
60		];
61		// @codeCoverageIgnoreEnd
62
63		if ( !isset( $params['priority'] ) ) {
64		throw new \InvalidArgumentException( __METHOD__ . ': priority must be specified' );
65		}
66	View Code Duplication	if ( $params['priority'] < SessionInfo::MIN_PRIORITY \|\|
67		$params['priority'] > SessionInfo::MAX_PRIORITY
68		) {
69		throw new \InvalidArgumentException( __METHOD__ . ': Invalid priority' );
70		}
71
72		if ( !is_array( $params['cookieOptions'] ) ) {
73		throw new \InvalidArgumentException( __METHOD__ . ': cookieOptions must be an array' );
74		}
75
76		$this->priority = $params['priority'];
77		$this->cookieOptions = $params['cookieOptions'];
78		$this->params = $params;
79		unset( $this->params['priority'] );
80		unset( $this->params['cookieOptions'] );
81		}
82
83		public function setConfig( Config $config ) {
84		parent::setConfig( $config );
85
86		// @codeCoverageIgnoreStart
87		$this->params += [
88		// @codeCoverageIgnoreEnd
89		'callUserSetCookiesHook' => false,
90		'sessionName' =>
91		$config->get( 'SessionName' ) ?: $config->get( 'CookiePrefix' ) . '_session',
92		];
93
94		// @codeCoverageIgnoreStart
95		$this->cookieOptions += [
96		// @codeCoverageIgnoreEnd
97		'prefix' => $config->get( 'CookiePrefix' ),
98		'path' => $config->get( 'CookiePath' ),
99		'domain' => $config->get( 'CookieDomain' ),
100		'secure' => $config->get( 'CookieSecure' ),
101		'httpOnly' => $config->get( 'CookieHttpOnly' ),
102		];
103		}
104
105		public function provideSessionInfo( WebRequest $request ) {
106		$sessionId = $this->getCookie( $request, $this->params['sessionName'], '' );
107		$info = [
108		'provider' => $this,
109		'forceHTTPS' => $this->getCookie( $request, 'forceHTTPS', '', false )
110		];
111		if ( SessionManager::validateSessionId( $sessionId ) ) {
112		$info['id'] = $sessionId;
113		$info['persisted'] = true;
114		}
115
116		list( $userId, $userName, $token ) = $this->getUserInfoFromCookies( $request );
117		if ( $userId !== null ) {
118		try {
119		$userInfo = UserInfo::newFromId( $userId );
120		} catch ( \InvalidArgumentException $ex ) {
121		return null;
122		}
123
124		// Sanity check
125		if ( $userName !== null && $userInfo->getName() !== $userName ) {
126		$this->logger->warning(
127		'Session "{session}" requested with mismatched UserID and UserName cookies.',
128		[
129		'session' => $sessionId,
130		'mismatch' => [
131		'userid' => $userId,
132		'cookie_username' => $userName,
133		'username' => $userInfo->getName(),
134		],
135		] );
136		return null;
137		}
138
139		if ( $token !== null ) {
140		if ( !hash_equals( $userInfo->getToken(), $token ) ) {
141		$this->logger->warning(
142		'Session "{session}" requested with invalid Token cookie.',
143		[
144		'session' => $sessionId,
145		'userid' => $userId,
146		'username' => $userInfo->getName(),
147		] );
148		return null;
149		}
150		$info['userInfo'] = $userInfo->verified();
151		$info['persisted'] = true; // If we have user+token, it should be
152		} elseif ( isset( $info['id'] ) ) {
153		$info['userInfo'] = $userInfo;
154		} else {
155		// No point in returning, loadSessionInfoFromStore() will
156		// reject it anyway.
157		return null;
158		}
159		} elseif ( isset( $info['id'] ) ) {
160		// No UserID cookie, so insist that the session is anonymous.
161		// Note: this event occurs for several normal activities:
162		// * anon visits Special:UserLogin
163		// * anon browsing after seeing Special:UserLogin
164		// * anon browsing after edit or preview
165		$this->logger->debug(
166		'Session "{session}" requested without UserID cookie',
167		[
168		'session' => $info['id'],
169		] );
170		$info['userInfo'] = UserInfo::newAnonymous();
171		} else {
172		// No session ID and no user is the same as an empty session, so
173		// there's no point.
174		return null;
175		}
176
177		return new SessionInfo( $this->priority, $info );
178		}
179
180		public function persistsSessionId() {
181		return true;
182		}
183
184		public function canChangeUser() {
185		return true;
186		}
187
188		public function persistSession( SessionBackend $session, WebRequest $request ) {
189		$response = $request->response();
190		if ( $response->headersSent() ) {
191		// Can't do anything now
192		$this->logger->debug( __METHOD__ . ': Headers already sent' );
193		return;
194		}
195
196		$user = $session->getUser();
197
198		$cookies = $this->cookieDataToExport( $user, $session->shouldRememberUser() );
199		$sessionData = $this->sessionDataToExport( $user );
200
201		// Legacy hook
202		if ( $this->params['callUserSetCookiesHook'] && !$user->isAnon() ) {
203		\Hooks::run( 'UserSetCookies', [ $user, &$sessionData, &$cookies ] );
204		}
205
206		$options = $this->cookieOptions;
207
208		$forceHTTPS = $session->shouldForceHTTPS() \|\| $user->requiresHTTPS();
209		if ( $forceHTTPS ) {
210		// Don't set the secure flag if the request came in
211		// over "http", for backwards compat.
212		// @todo Break that backwards compat properly.
213		$options['secure'] = $this->config->get( 'CookieSecure' );
214		}
215
216		$response->setCookie( $this->params['sessionName'], $session->getId(), null,
217		[ 'prefix' => '' ] + $options
218		);
219
220		foreach ( $cookies as $key => $value ) {
221		if ( $value === false ) {
222		$response->clearCookie( $key, $options );
223		} else {
224		$expirationDuration = $this->getLoginCookieExpiration( $key, $session->shouldRememberUser() );
225		$expiration = $expirationDuration ? $expirationDuration + time() : null;
226		$response->setCookie( $key, (string)$value, $expiration, $options );
227		}
228		}
229
230		$this->setForceHTTPSCookie( $forceHTTPS, $session, $request );
231		$this->setLoggedOutCookie( $session->getLoggedOutTimestamp(), $request );
232
233		if ( $sessionData ) {
234		$session->addData( $sessionData );
235		}
236		}
237
238		public function unpersistSession( WebRequest $request ) {
239		$response = $request->response();
240		if ( $response->headersSent() ) {
241		// Can't do anything now
242		$this->logger->debug( __METHOD__ . ': Headers already sent' );
243		return;
244		}
245
246		$cookies = [
247		'UserID' => false,
248		'Token' => false,
249		];
250
251		$response->clearCookie(
252		$this->params['sessionName'], [ 'prefix' => '' ] + $this->cookieOptions
253		);
254
255		foreach ( $cookies as $key => $value ) {
256		$response->clearCookie( $key, $this->cookieOptions );
257		}
258
259		$this->setForceHTTPSCookie( false, null, $request );
260		}
261
262		/**
263		* Set the "forceHTTPS" cookie
264		* @param bool $set Whether the cookie should be set or not
265		* @param SessionBackend\|null $backend
266		* @param WebRequest $request
267		*/
268		protected function setForceHTTPSCookie(
269		$set, SessionBackend $backend = null, WebRequest $request
270		) {
271		$response = $request->response();
272		if ( $set ) {
273		if ( $backend->shouldRememberUser() ) {
		0 ignored issues – show Bug introduced 2016-05-16 17:54 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$backend` is not always an object, but can also be of type `null`. Maybe add an additional type check? If a variable is not always an object, we recommend to add an additional type check to ensure your method call is safe: function someFunction(A $objectMaybe = null) { if ($objectMaybe instanceof A) { $objectMaybe->doSomething(); } } Loading history...
274		$expirationDuration = $this->getLoginCookieExpiration(
275		'forceHTTPS',
276		true
277		);
278		$expiration = $expirationDuration ? $expirationDuration + time() : null;
279		} else {
280		$expiration = null;
281		}
282		$response->setCookie( 'forceHTTPS', 'true', $expiration,
283		[ 'prefix' => '', 'secure' => false ] + $this->cookieOptions );
284		} else {
285		$response->clearCookie( 'forceHTTPS',
286		[ 'prefix' => '', 'secure' => false ] + $this->cookieOptions );
287		}
288		}
289
290		/**
291		* Set the "logged out" cookie
292		* @param int $loggedOut timestamp
293		* @param WebRequest $request
294		*/
295		protected function setLoggedOutCookie( $loggedOut, WebRequest $request ) {
296		if ( $loggedOut + 86400 > time() &&
297		$loggedOut !== (int)$this->getCookie( $request, 'LoggedOut', $this->cookieOptions['prefix'] )
298		) {
299		$request->response()->setCookie( 'LoggedOut', $loggedOut, $loggedOut + 86400,
300		$this->cookieOptions );
301		}
302		}
303
304		public function getVaryCookies() {
305		return [
306		// Vary on token and session because those are the real authn
307		// determiners. UserID and UserName don't matter without those.
308		$this->cookieOptions['prefix'] . 'Token',
309		$this->cookieOptions['prefix'] . 'LoggedOut',
310		$this->params['sessionName'],
311		'forceHTTPS',
312		];
313		}
314
315		public function suggestLoginUsername( WebRequest $request ) {
316		$name = $this->getCookie( $request, 'UserName', $this->cookieOptions['prefix'] );
317		if ( $name !== null ) {
318		$name = User::getCanonicalName( $name, 'usable' );
319		}
320		return $name === false ? null : $name;
321		}
322
323		/**
324		* Fetch the user identity from cookies
325		* @param \WebRequest $request
326		* @return array (string\|null $id, string\|null $username, string\|null $token)
327		*/
328		protected function getUserInfoFromCookies( $request ) {
329		$prefix = $this->cookieOptions['prefix'];
330		return [
331		$this->getCookie( $request, 'UserID', $prefix ),
332		$this->getCookie( $request, 'UserName', $prefix ),
333		$this->getCookie( $request, 'Token', $prefix ),
334		];
335		}
336
337		/**
338		* Get a cookie. Contains an auth-specific hack.
339		* @param \WebRequest $request
340		* @param string $key
341		* @param string $prefix
342		* @param mixed $default
343		* @return mixed
344		*/
345		protected function getCookie( $request, $key, $prefix, $default = null ) {
346		$value = $request->getCookie( $key, $prefix, $default );
347		if ( $value === 'deleted' ) {
348		// PHP uses this value when deleting cookies. A legitimate cookie will never have
349		// this value (usernames start with uppercase, token is longer, other auth cookies
350		// are booleans or integers). Seeing this means that in a previous request we told the
351		// client to delete the cookie, but it has poor cookie handling. Pretend the cookie is
352		// not there to avoid invalidating the session.
353		return null;
354		}
355		return $value;
356		}
357
358		/**
359		* Return the data to store in cookies
360		* @param User $user
361		* @param bool $remember
362		* @return array $cookies Set value false to unset the cookie
363		*/
364		protected function cookieDataToExport( $user, $remember ) {
365		if ( $user->isAnon() ) {
366		return [
367		'UserID' => false,
368		'Token' => false,
369		];
370		} else {
371		return [
372		'UserID' => $user->getId(),
373		'UserName' => $user->getName(),
374		'Token' => $remember ? (string)$user->getToken() : false,
375		];
376		}
377		}
378
379		/**
380		* Return extra data to store in the session
381		* @param User $user
382		* @return array $session
383		*/
384		protected function sessionDataToExport( $user ) {
385		// If we're calling the legacy hook, we should populate $session
386		// like User::setCookies() did.
387		if ( !$user->isAnon() && $this->params['callUserSetCookiesHook'] ) {
388		return [
389		'wsUserID' => $user->getId(),
390		'wsToken' => $user->getToken(),
391		'wsUserName' => $user->getName(),
392		];
393		}
394
395		return [];
396		}
397
398		public function whyNoSession() {
399		return wfMessage( 'sessionprovider-nocookies' );
400		}
401
402		public function getRememberUserDuration() {
403		return min( $this->getLoginCookieExpiration( 'UserID', true ),
404		$this->getLoginCookieExpiration( 'Token', true ) ) ?: null;
405		}
406
407		/**
408		* Gets the list of cookies that must be set to the 'remember me' duration,
409		* if $wgExtendedLoginCookieExpiration is in use.
410		*
411		* @return string[] Array of unprefixed cookie keys
412		*/
413		protected function getExtendedLoginCookies() {
414		return [ 'UserID', 'UserName', 'Token' ];
415		}
416
417		/**
418		* Returns the lifespan of the login cookies, in seconds. 0 means until the end of the session.
419		*
420		* Cookies that are session-length do not call this function.
421		*
422		* @param string $cookieName
423		* @param boolean $shouldRememberUser Whether the user should be remembered
424		* long-term
425		* @return int Cookie expiration time in seconds; 0 for session cookies
426		*/
427		protected function getLoginCookieExpiration( $cookieName, $shouldRememberUser ) {
428		$extendedCookies = $this->getExtendedLoginCookies();
429		$normalExpiration = $this->config->get( 'CookieExpiration' );
430
431		if ( $shouldRememberUser && in_array( $cookieName, $extendedCookies, true ) ) {
432		$extendedExpiration = $this->config->get( 'ExtendedLoginCookieExpiration' );
433
434		return ( $extendedExpiration !== null ) ? (int)$extendedExpiration : (int)$normalExpiration;
435		} else {
436		return (int)$normalExpiration;
437		}
438		}
439		}
440

wikimedia / mediawiki

Branch — master (939199)

includes/session/CookieSessionProvider.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like