WebSVN – Moodle – Diff – /lib/classes/session/manager.php

 // GNU General Public License for more details.
 //
 // You should have received a copy of the GNU General Public License
 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
-/**
- * Session manager class.
- *
- * @package    core
- * @copyright  2013 Petr Skoda {@link http://skodak.org}
- * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
- */
 namespace core\session;
-defined('MOODLE_INTERNAL') || die();
+use core\clock;
 use core\di;
 use html_writer;
      *                              itself as read only.
      */
     public static function restart_with_write_lock(bool $readonlysession) {
         global $CFG;
-        if (!empty($CFG->enable_read_only_sessions_debug)) {
+        if (!empty($CFG->enable_read_only_sessions) || !empty($CFG->enable_read_only_sessions_debug)) {
             self::$requireslockdebug = !$readonlysession;
+        }
             self::prepare_cookies();
             $isnewsession = empty($_COOKIE[session_name()]);
             if (!self::$handler->start()) {
                 // Could not successfully start/recover session.
-                throw new \core\session\exception(get_string('servererror'));
+                throw new \core\session\exception('sessionstarterror', 'error');
+            }
             if ($requireslock) {
      */
     public static function get_handler_class() {
         global $CFG, $DB;
         if (PHPUNIT_TEST) {
-            return '\core\session\file';
+            return \core\tests\session\mock_handler::class;
         } else if (!empty($CFG->session_handler_class)) {
             return $CFG->session_handler_class;
-        } else if (!empty($CFG->dbsessions) and $DB->session_lock_supported()) {
+        } else if (!empty($CFG->dbsessions) && $DB->session_lock_supported()) {
-            return '\core\session\database';
+            return database::class;
         }
-        return '\core\session\file';
+        return file::class;
+    }
+        }
         // Find out which handler to use.
         $class = self::get_handler_class();
+        self::$handler = new $class();
+        if (!self::$handler instanceof \core\session\handler) {
+            throw new exception("$class must implement the \core\session\handler");
         self::$handler = new $class();
+    }
     /**
      * WARNING: $USER and $SESSION are set up later, do not use them yet!
+     *
      * @param bool $newsid is this a new session in first http request?
      */
     protected static function initialise_user_session($newsid) {
-        global $CFG, $DB;
+        global $CFG;
         $sid = session_id();
         if (!$sid) {
             // No session, very weird.
             error_log('Missing session ID, session not started!');
             self::init_empty_session($newsid);
             return;
-        }
+        }
+        $record = self::get_session_by_sid($sid);
-        if (!$record = $DB->get_record('sessions', array('sid'=>$sid), 'id, sid, state, userid, lastip, timecreated, timemodified')) {
+        if (!isset($record->sid)) {
             if (!$newsid) {
                 if (!empty($_SESSION['USER']->id)) {
                     // This should not happen, just log it, we MUST not produce any output here!
                     error_log("Cannot find session record $sid for user ".$_SESSION['USER']->id.", creating new session.");
             $timeout = false;
             if (isguestuser($userid) or empty($userid)) {
                 // Ignore guest and not-logged in timeouts, there is very little risk here.
                 $timeout = false;
-            } else if ($record->timemodified < time() - $maxlifetime) {
+            } else if ($record->timemodified < di::get(clock::class)->time() - $maxlifetime) {
                 $timeout = true;
                 $authsequence = get_enabled_auth_plugins(); // Auths, in sequence.
                 foreach ($authsequence as $authname) {
                     $authplugin = get_auth_plugin($authname);
                 if (defined('NO_SESSION_UPDATE') && NO_SESSION_UPDATE) {
                     return;
+                }
                 session_regenerate_id(true);
                 $_SESSION = array();
-                $DB->delete_records('sessions', array('id'=>$record->id));
+                self::destroy($record->sid);
             } else {
                 // Update session tracking record.
                 $update = new \stdClass();
                 $updated = false;
                 if ($record->userid != $userid) {
                 if ($record->lastip != $ip) {
                     $update->lastip = $record->lastip = $ip;
                     $updated = true;
+                }
+                $time = di::get(clock::class)->time();
                 $updatefreq = empty($CFG->session_update_timemodified_frequency) ? 20 : $CFG->session_update_timemodified_frequency;
                 if ($record->timemodified == $record->timecreated) {
                     // Always do first update of existing record.
-                    $update->timemodified = $record->timemodified = time();
+                    $update->timemodified = $record->timemodified = $time;
                     $updated = true;
-                } else if ($record->timemodified < time() - $updatefreq) {
+                } else if ($record->timemodified < $time - $updatefreq) {
                     // Update the session modified flag only once every 20 seconds.
-                    $update->timemodified = $record->timemodified = time();
+                    $update->timemodified = $record->timemodified = $time;
                     $updated = true;
+                }
-                }
                 if ($updated && (!defined('NO_SESSION_UPDATE') || !NO_SESSION_UPDATE)) {
-                if ($updated && (!defined('NO_SESSION_UPDATE') || !NO_SESSION_UPDATE)) {
+                    $update->id = $record->id;
-                    $update->id = $record->id;
+                    $update->userid = $record->userid;
-                    $DB->update_record('sessions', $update);
-                }
+                    self::$handler->update_session($update);
+                }
-                return;
-            }
+                return;
-        } else {
+            }
-            if ($record) {
-                // This happens when people switch session handlers...
+        } else if (isset($record->sid)) {
-                session_regenerate_id(true);
+            // This happens when people switch session handlers...
-                $_SESSION = array();
+            session_regenerate_id(true);
-                $DB->delete_records('sessions', array('id'=>$record->id));
+            $_SESSION = [];
+        }
         // Setup $USER and insert the session tracking record.
         if ($user) {
             self::set_user($user);
-            self::add_session_record($user->id);
+            self::add_session($user->id);
         } else {
             self::init_empty_session($newsid);
-            self::add_session_record(0);
+            self::add_session(0);
+        }
         if ($timedout) {
             $_SESSION['SESSION']->has_timed_out = true;
+        }
+    }
+    /**
+     * Returns a single session record for this session id.
+     *
+     * @param string $sid
+     * @return \stdClass
+     */
+    public static function get_session_by_sid(string $sid): \stdClass {
+        return self::$handler->get_session_by_sid($sid);
+    }
+    /**
+     * Returns all the session records for this user id.
+     *
+     * @param int $userid
+     * @return array
+     */
+    public static function get_sessions_by_userid(int $userid): array {
+        return self::$handler->get_sessions_by_userid($userid);
+    }
     /**
-    /**
+     * Insert new empty session record.
      * Insert new empty session record.
      * @param int $userid
-     * @return \stdClass the new record
-     */
-    protected static function add_session_record($userid) {
-        global $DB;
+     * @return \stdClass the new record
-        $record = new \stdClass();
-        $record->state       = 0;
-        $record->sid         = session_id();
-        $record->sessdata    = null;
-        $record->userid      = $userid;
+     */
-        $record->timecreated = $record->timemodified = time();
+    public static function add_session(int $userid): \stdClass {
+        return self::$handler->add_session($userid);
+    }
-        $record->firstip     = $record->lastip = getremoteaddr();
+    /**
+     * Update a session record.
+     *
+     * @param \stdClass $record
      * @return bool
-        $record->id = $DB->insert_record('sessions', $record);
+     */
     public static function update_session(\stdClass $record): bool {
-        return $record;
+        return self::$handler->update_session($record);
         // Regenerate session id and delete old session,
         // this helps prevent session fixation attacks from the same domain.
         $sid = session_id();
         session_regenerate_id(true);
-        $DB->delete_records('sessions', array('sid'=>$sid));
+        self::destroy($sid);
-        self::add_session_record($user->id);
+        self::add_session($user->id);
         // Let enrol plugins deal with new enrolments if necessary.
+        }
         // Write new empty session and make sure the old one is deleted.
         $sid = session_id();
         session_regenerate_id(true);
-        $DB->delete_records('sessions', array('sid'=>$sid));
+        self::destroy($sid);
         self::init_empty_session();
-        self::add_session_record($_SESSION['USER']->id); // Do not use $USER here because it may not be set up yet.
+        self::add_session($_SESSION['USER']->id); // Do not use $USER here because it may not be set up yet.
         self::write_close();
+    }
             // Not installed yet, do not try to access database.
             return false;
+        }
         // Note: add sessions->state checking here if it gets implemented.
+        $record = self::get_session_by_sid($sid);
-        if (!$record = $DB->get_record('sessions', array('sid' => $sid), 'id, userid, timemodified')) {
+        if (!isset($record->sid)) {
             return false;
+        }
         if (empty($record->userid) or isguestuser($record->userid)) {
             // Ignore guest and not-logged-in timeouts, there is very little risk here.
-        } else if ($record->timemodified < time() - $CFG->sessiontimeout) {
+        } else if ($record->timemodified < di::get(clock::class)->time() - $CFG->sessiontimeout) {
             return false;
+        }
             // Not installed yet, do not try to access database.
             return ['userid' => 0, 'timeremaining' => $CFG->sessiontimeout];
+        }
         // Note: add sessions->state checking here if it gets implemented.
-        if (!$record = $DB->get_record('sessions', array('sid' => $sid), 'id, userid, timemodified')) {
+        if (!$record = self::get_session_by_sid($sid)) {
             return ['userid' => 0, 'timeremaining' => $CFG->sessiontimeout];
+        }
         if (empty($record->userid) or isguestuser($record->userid)) {
             // Ignore guest and not-logged-in timeouts, there is very little risk here.
+            return ['userid' => 0, 'timeremaining' => $CFG->sessiontimeout];
+        } else {
-            return ['userid' => 0, 'timeremaining' => $CFG->sessiontimeout];
+            return [
+                'userid' => $record->userid,
-        } else {
+                'timeremaining' => $CFG->sessiontimeout - (di::get(clock::class)->time() - $record->timemodified),
-            return ['userid' => $record->userid, 'timeremaining' => $CFG->sessiontimeout - (time() - $record->timemodified)];
+            ];
+        }
+    }
     /**
      * Fake last access for given session, this prevents session timeout.
-     * @param string $sid
-     */
-    public static function touch_session($sid) {
+     * @param string $sid
-        global $DB;
+     */
+    public static function touch_session($sid) {
         // Timeouts depend on core sessions table only, no need to update anything in external stores.
+        self::$handler->update_session((object) [
             'sid' => $sid,
-        $sql = "UPDATE {sessions} SET timemodified = :now WHERE sid = :sid";
+            'timemodified' => di::get(clock::class)->time(),
-        $DB->execute($sql, array('now'=>time(), 'sid'=>$sid));
+        ]);
+    }
+    /**
+     * Terminate all sessions unconditionally.
+     *
+     * @return void
+     * @deprecated since Moodle 4.5 See MDL-66161
+     * @todo Remove in MDL-81848
+     */
+    #[\core\attribute\deprecated(
+        replacement: 'destroy_all',
-    /**
+        since: '4.5',
+    )]
+    public static function kill_all_sessions(): void {
+        \core\deprecation::emit_deprecation([self::class, __FUNCTION__]);
+        self::destroy_all();
+    }
+    /**
+     * Terminate give session unconditionally.
+     *
+     * @param string $sid
+     * @return void
+     * @deprecated since Moodle 4.5 See MDL-66161
+     * @todo Remove in MDL-81848
+     */
+    #[\core\attribute\deprecated(
-     * Terminate all sessions unconditionally.
+        replacement: 'destroy',
+        since: '4.5',
+    )]
+    public static function kill_session($sid): void {
+        \core\deprecation::emit_deprecation([self::class, __FUNCTION__]);
+        self::destroy($sid);
+    }
+    /**
+     * Kill sessions of users with disabled plugins.
+     *
+     * @param string $pluginname
+     * @return void
+     * @deprecated since Moodle 4.5 See MDL-66161
+     * @todo Remove in MDL-81848
+     */
+    #[\core\attribute\deprecated(
+        replacement: 'destroy_by_auth_plugin',
+        since: '4.5',
+    )]
+    public static function kill_sessions_for_auth_plugin(string $pluginname): void {
+        \core\deprecation::emit_deprecation([self::class, __FUNCTION__]);
+        self::destroy_by_auth_plugin($pluginname);
+    }
+    /**
+     * Terminate all sessions of given user unconditionally.
+     *
+     * @param int $userid
+     * @param string $keepsid keep this sid if present
+     * @deprecated since Moodle 4.5 See MDL-66161
+     * @todo Remove in MDL-81848
+     */
+    #[\core\attribute\deprecated(
+            replacement: 'destroy_user_sessions',
+            since: '4.5',
+    )]
+    public static function kill_user_sessions($userid, $keepsid = null) {
+        \core\deprecation::emit_deprecation([self::class, __FUNCTION__]);
+        self::destroy_user_sessions($userid, $keepsid);
+    }
+    /**
+     * Destroy all sessions for a given plugin.
+     * Typically used when a plugin is disabled or uninstalled, so all sessions (users) for that plugin are logged out.
+     *
+     * @param string $pluginname Auth plugin name.
+     */
+    public static function destroy_by_auth_plugin(string $pluginname): void {
+        self::$handler->destroy_by_auth_plugin($pluginname);
+    }
+    /**
-     */
+     * Destroy all sessions, and delete all the session data.
-    public static function kill_all_sessions() {
         global $DB;
+     * @return bool
-        self::terminate_current();
+     */
     public static function destroy_all(): bool {
+        self::terminate_current();
         self::load_handler();
+        try {
-        self::$handler->kill_all_sessions();
+            $result = self::$handler->destroy_all();
         } catch (\moodle_exception $ignored) {
-        try {
+            // Do not show any warnings - might be during upgrade/installation.
+            $result = true;
-            $DB->delete_records('sessions');
+        }
-        } catch (\dml_exception $ignored) {
+         return $result;
-            // Do not show any warnings - might be during upgrade/installation.
+    }
-        }
-    }
     /**
-     * Terminate give session unconditionally.
+     * Destroy a specific session and delete this session record for this session id.
      * @param string $sid
-     */
+     * @param string $id
-    public static function kill_session($sid) {
-        global $DB;
      * @return bool
-        self::load_handler();
+     */
+    public static function destroy(string $id): bool {
-        if ($sid === session_id()) {
+        self::load_handler();
             self::write_close();
         if ($id === session_id()) {
+            self::write_close();
-        self::$handler->kill_session($sid);
-        $DB->delete_records('sessions', array('sid'=>$sid));
+        }
         return self::$handler->destroy($id);
     /**
      * Terminate all sessions of given user unconditionally.
-     * @param int $userid
+    /**
-     * @param string $keepsid keep this sid if present
+     * Destroy all sessions of given user unconditionally.
-     */
+     * @param int $userid
-    public static function kill_user_sessions($userid, $keepsid = null) {
+     * @param string $keepsid keep this sid if present
-        global $DB;
+     */
         if (empty($CFG->limitconcurrentlogins) or $CFG->limitconcurrentlogins < 0) {
             return;
         }
+        $sessions = self::get_sessions_by_userid($userid);
-        $count = $DB->count_records('sessions', array('userid' => $userid));
+        $count = count($sessions);
         if ($count <= $CFG->limitconcurrentlogins) {
-            return;
-        }
             return;
+        }
-        $i = 0;
-        $select = "userid = :userid";
+        $i = 0;
-        $params = array('userid' => $userid);
+        if ($sid) {
-        if ($sid) {
+            foreach ($sessions as $key => $session) {
-            if ($DB->record_exists('sessions', array('sid' => $sid, 'userid' => $userid))) {
+                if ($session->sid == $sid && $session->userid == $userid) {
-                $select .= " AND sid <> :sid";
+                    $i = 1;
+                    unset($sessions[$key]);
+                }
-                $params['sid'] = $sid;
+            }
+        }
-                $i = 1;
+        // Order records by timecreated DESC.
         usort($sessions, function($a, $b){
             return $b->timecreated <=> $a->timecreated;
         });
         $sessions = $DB->get_records_select('sessions', $select, $params, 'timecreated DESC', 'id, sid');
         foreach ($sessions as $session) {
             $i++;
             if ($i <= $CFG->limitconcurrentlogins) {
                 continue;
+            }
         set_access_log_user();
+    }
     /**
+     * Periodic timed-out session cleanup.
+     *
+     * @param int $maxlifetime Sessions that have not updated for the last max_lifetime seconds will be removed.
-     * Periodic timed-out session cleanup.
+     * @return void
      */
-    public static function gc() {
+    public static function gc(int $maxlifetime = 0): void {
-        global $CFG, $DB;
-        // This may take a long time...
-        \core_php_time_limit::raise();
-        $maxlifetime = $CFG->sessiontimeout;
-        try {
-            // Kill all sessions of deleted and suspended users without any hesitation.
-            $rs = $DB->get_recordset_select('sessions', "userid IN (SELECT id FROM {user} WHERE deleted <> 0 OR suspended <> 0)", array(), 'id DESC', 'id, sid');
-            foreach ($rs as $session) {
-                self::kill_session($session->sid);
-            }
-            $rs->close();
-            // Kill sessions of users with disabled plugins.
-            $authsequence = get_enabled_auth_plugins();
-            $authsequence = array_flip($authsequence);
-            unset($authsequence['nologin']); // No login means user cannot login.
-            $authsequence = array_flip($authsequence);
-            list($notplugins, $params) = $DB->get_in_or_equal($authsequence, SQL_PARAMS_QM, '', false);
-            $rs = $DB->get_recordset_select('sessions', "userid IN (SELECT id FROM {user} WHERE auth $notplugins)", $params, 'id DESC', 'id, sid');
-            foreach ($rs as $session) {
-                self::kill_session($session->sid);
-            }
-            $rs->close();
-            // Now get a list of time-out candidates - real users only.
-            $sql = "SELECT u.*, s.sid, s.timecreated AS s_timecreated, s.timemodified AS s_timemodified
-                      FROM {user} u
-                      JOIN {sessions} s ON s.userid = u.id
-                     WHERE s.timemodified < :purgebefore AND u.id <> :guestid";
-            $params = array('purgebefore' => (time() - $maxlifetime), 'guestid'=>$CFG->siteguest);
-            $authplugins = array();
-            foreach ($authsequence as $authname) {
-                $authplugins[$authname] = get_auth_plugin($authname);
-            }
-            $rs = $DB->get_recordset_sql($sql, $params);
-            foreach ($rs as $user) {
-                foreach ($authplugins as $authplugin) {
-                    /** @var \auth_plugin_base $authplugin*/
-                    if ($authplugin->ignore_timeout_hook($user, $user->sid, $user->s_timecreated, $user->s_timemodified)) {
-                        continue 2;
-                    }
-                }
-                self::kill_session($user->sid);
-            }
-            $rs->close();
-            // Delete expired sessions for guest user account, give them larger timeout, there is no security risk here.
-            $params = array('purgebefore' => (time() - ($maxlifetime * 5)), 'guestid'=>$CFG->siteguest);
-            $rs = $DB->get_recordset_select('sessions', 'userid = :guestid AND timemodified < :purgebefore', $params, 'id DESC', 'id, sid');
-            foreach ($rs as $session) {
-                self::kill_session($session->sid);
-            }
-            $rs->close();
-            // Delete expired sessions for userid = 0 (not logged in), better kill them asap to release memory.
-            $params = array('purgebefore' => (time() - $maxlifetime));
-            $rs = $DB->get_recordset_select('sessions', 'userid = 0 AND timemodified < :purgebefore', $params, 'id DESC', 'id, sid');
-            foreach ($rs as $session) {
-                self::kill_session($session->sid);
-            }
-            $rs->close();
-            // Cleanup letfovers from the first browser access because it may set multiple cookies and then use only one.
-            $params = array('purgebefore' => (time() - 60*3));
-            $rs = $DB->get_recordset_select('sessions', 'userid = 0 AND timemodified = timecreated AND timemodified < :purgebefore', $params, 'id ASC', 'id, sid');
-            foreach ($rs as $session) {
-                self::kill_session($session->sid);
-            }
+        global $CFG;
-            $rs->close();
+        // If max lifetime is not provided, use the default session timeout.
-        } catch (\Exception $ex) {
+        if ($maxlifetime == 0) {
+            $maxlifetime = $CFG->sessiontimeout;
             debugging('Error gc-ing sessions: '.$ex->getMessage(), DEBUG_NORMAL, $ex->getTrace());
         self::$handler->gc($maxlifetime);
+    }
     private static function create_login_token() {
         global $SESSION;
         $state = [
             'token' => random_string(32),
-            'created' => time() // Server time - not user time.
+            'created' => di::get(clock::class)->time(), // Server time - not user time.
         ];
         if (!isset($SESSION->logintoken)) {
         if (empty($state)) {
             $state = self::create_login_token();
+        }
         // Check token lifespan.
-        if ($state['created'] < (time() - $CFG->sessiontimeout)) {
+        if ($state['created'] < (di::get(clock::class)->time() - $CFG->sessiontimeout)) {
             $state = self::create_login_token();
+        }

Proyectos de Subversion Moodle

(root)/lib/classes/session/manager.php – Rev 1 → 1441