Proyectos de Subversion Moodle

 *

 *

 * @package    core

 * @package    core

 * @copyright  2013 Petr Skoda {@link http://skodak.org}

 * @copyright  2013 Petr Skoda {@link http://skodak.org}

 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later

 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later

 */

 */

    /** @var int A hard cutoff of maximum stored history */

    /** @var int A hard cutoff of maximum stored history */

    const MAXIMUM_STORED_SESSION_HISTORY = 50;

    const MAXIMUM_STORED_SESSION_HISTORY = 50;

    /** @var int The recent session locks array is reset if there is a time gap more than this value in seconds */

    /** @var int The recent session locks array is reset if there is a time gap more than this value in seconds */

     *

     *

     * @param bool $readonlysession Used by debugging logic to determine if whatever

     * @param bool $readonlysession Used by debugging logic to determine if whatever

     *                              triggered the restart (e.g., a webservice) declared

     *                              triggered the restart (e.g., a webservice) declared

     *                              itself as read only.

     *                              itself as read only.

     */

     */

        global $CFG;

        global $CFG;

        if (!empty($CFG->enable_read_only_sessions) || !empty($CFG->enable_read_only_sessions_debug)) {

        if (!empty($CFG->enable_read_only_sessions) || !empty($CFG->enable_read_only_sessions_debug)) {

            self::$requireslockdebug = !$readonlysession;

            self::$requireslockdebug = !$readonlysession;

    /**

    /**

     * Start user session.

     * Start user session.

     *

     *

     * Note: This is intended to be called only from lib/setup.php!

     * Note: This is intended to be called only from lib/setup.php!

     */

     */

        global $CFG, $DB, $PERF;

        global $CFG, $DB, $PERF;

        if (isset(self::$sessionactive)) {

        if (isset(self::$sessionactive)) {

            debugging('Session was already started!', DEBUG_DEVELOPER);

            debugging('Session was already started!', DEBUG_DEVELOPER);

     * Handles starting a session.

     * Handles starting a session.

     *

     *

     * @param bool $requireslock If this is false then no write lock will be acquired,

     * @param bool $requireslock If this is false then no write lock will be acquired,

     *                           and the session will be read-only.

     *                           and the session will be read-only.

     */

     */

        global $PERF, $CFG;

        global $PERF, $CFG;

        try {

        try {

            self::$handler->init();

            self::$handler->init();

            // this is tricky because PHP does not allow references to references

            // this is tricky because PHP does not allow references to references

            // and global keyword uses internally once reference to the $GLOBALS array.

            // and global keyword uses internally once reference to the $GLOBALS array.

            // The solution is to use the $GLOBALS['USER'] and $GLOBALS['$SESSION']

            // The solution is to use the $GLOBALS['USER'] and $GLOBALS['$SESSION']

            // as the main storage of data and put references to $_SESSION.

            // as the main storage of data and put references to $_SESSION.

            $GLOBALS['USER'] = $_SESSION['USER'];

            $GLOBALS['USER'] = $_SESSION['USER'];

            $GLOBALS['SESSION'] = $_SESSION['SESSION'];

            $GLOBALS['SESSION'] = $_SESSION['SESSION'];

        } catch (\Exception $ex) {

        } catch (\Exception $ex) {

            self::init_empty_session();

            self::init_empty_session();

            self::$sessionactive = false;

            self::$sessionactive = false;

            throw $ex;

            throw $ex;

        }

        }

    /**

    /**

     * Returns current page performance info.

     * Returns current page performance info.

     *

     *

     * @return array perf info

     * @return array perf info

     */

     */

        global $CFG, $PERF;

        global $CFG, $PERF;

        if (!session_id()) {

        if (!session_id()) {

            return array();

            return array();

        if (!empty($CFG->debugsessionlock)) {

        if (!empty($CFG->debugsessionlock)) {

            $sessionlock = self::get_session_lock_info();

            $sessionlock = self::get_session_lock_info();

            if (!empty($sessionlock['held'])) {

            if (!empty($sessionlock['held'])) {

                $sessionlocktext = "Session lock held: ".number_format($sessionlock['held'], 3)." secs";

                $sessionlocktext = "Session lock held: " . number_format($sessionlock['held'], 3) . " secs";

            } else {

            } else {

                // The session hasn't yet been closed and so we assume now with microtime.

                // The session hasn't yet been closed and so we assume now with microtime.

                $sessionlocktext = "Session lock open: ".number_format($sessionlockheld, 3)." secs";

                $sessionlocktext = "Session lock open: " . number_format($sessionlockheld, 3) . " secs";

            }

            }

            $info['txt'] .= $sessionlocktext;

            $info['txt'] .= $sessionlocktext;

            $sessionlockwaittext = "Session lock wait: ".number_format($sessionlock['wait'], 3)." secs";

            $sessionlockwaittext = "Session lock wait: " . number_format($sessionlock['wait'], 3) . " secs";

            $info['txt'] .= $sessionlockwaittext;

            $info['txt'] .= $sessionlockwaittext;

            $info['html'] .= html_writer::div($sessionlockwaittext, "sessionlockwait");

            $info['html'] .= html_writer::div($sessionlockwaittext, "sessionlockwait");

        }

        }

    /**

    /**

     * Get fully qualified name of session handler class.

     * Get fully qualified name of session handler class.

     *

     *

     * @return string The name of the handler class

     * @return string The name of the handler class

     */

     */

        global $CFG, $DB;

        global $CFG, $DB;

        if (PHPUNIT_TEST) {

        if (PHPUNIT_TEST) {

            return \core\tests\session\mock_handler::class;

            return \core\tests\session\mock_handler::class;

    }

    }

    /**

    /**

     * Create handler instance.

     * Create handler instance.

    protected static function load_handler() {

    {

        if (self::$handler) {

        if (self::$handler) {

            return;

            return;

        }

        }

     * special areas. Do NOT use for logout and session termination

     * special areas. Do NOT use for logout and session termination

     * in normal requests!

     * in normal requests!

     *

     *

     * @param mixed $newsid only used after initialising a user session, is this a new user session?

     * @param mixed $newsid only used after initialising a user session, is this a new user session?

     */

     */

        global $CFG;

        global $CFG;

        if (isset($GLOBALS['SESSION']->notifications)) {

        if (isset($GLOBALS['SESSION']->notifications)) {

            // Backup notifications. These should be preserved across session changes until the user fetches and clears them.

            // Backup notifications. These should be preserved across session changes until the user fetches and clears them.

            $GLOBALS['USER']->mnethostid = 1;

            $GLOBALS['USER']->mnethostid = 1;

        }

        }

        // Link global $USER and $SESSION.

        // Link global $USER and $SESSION.

        $_SESSION['SESSION'] =& $GLOBALS['SESSION'];

        $_SESSION['SESSION'] = &$GLOBALS['SESSION'];

    }

    }

    /**

    /**

     */

    protected static function prepare_cookies()

    protected static function prepare_cookies() {

    {

        global $CFG;

        global $CFG;

        // Set sessioncookie variable if it isn't already.

        // Set sessioncookie variable if it isn't already.

        if (!isset($CFG->sessioncookie)) {

        if (!isset($CFG->sessioncookie)) {

            $CFG->sessioncookie = '';

            $CFG->sessioncookie = '';

        $sessionname = 'MoodleSession'.$CFG->sessioncookie;

        $sessionname = 'MoodleSession' . $CFG->sessioncookie;

        // Make sure cookie domain makes sense for this wwwroot.

        // Make sure cookie domain makes sense for this wwwroot.

        if (!isset($CFG->sessioncookiedomain)) {

        if (!isset($CFG->sessioncookiedomain)) {

            $CFG->sessioncookiedomain = '';

            $CFG->sessioncookiedomain = '';

        } else if ($CFG->sessioncookiedomain !== '') {

        } else if ($CFG->sessioncookiedomain !== '') {

            $host = parse_url($CFG->wwwroot, PHP_URL_HOST);

            $host = parse_url($CFG->wwwroot, PHP_URL_HOST);

                if (substr($CFG->sessioncookiedomain, 0, 1) === '.') {

                if (substr($CFG->sessioncookiedomain, 0, 1) === '.') {

                    if (!preg_match('|^.*'.preg_quote($CFG->sessioncookiedomain, '|').'$|', $host)) {

                    if (!preg_match('|^.*' . preg_quote($CFG->sessioncookiedomain, '|') . '$|', $host)) {

                        // Invalid domain - it must be end part of host.

                        // Invalid domain - it must be end part of host.

                        $CFG->sessioncookiedomain = '';

                        $CFG->sessioncookiedomain = '';

                } else {

                } else {

                    if (!preg_match('|^.*\.'.preg_quote($CFG->sessioncookiedomain, '|').'$|', $host)) {

                    if (!preg_match('|^.*\.' . preg_quote($CFG->sessioncookiedomain, '|') . '$|', $host)) {

                        // Invalid domain - it must be end part of host.

                        // Invalid domain - it must be end part of host.

                        $CFG->sessioncookiedomain = '';

                        $CFG->sessioncookiedomain = '';

                    }

                    }

        // Make sure the cookiepath is valid for this wwwroot or autodetect if not specified.

        // Make sure the cookiepath is valid for this wwwroot or autodetect if not specified.

        if (!isset($CFG->sessioncookiepath)) {

        if (!isset($CFG->sessioncookiepath)) {

            $CFG->sessioncookiepath = '';

            $CFG->sessioncookiepath = '';

        }

        }

        if ($CFG->sessioncookiepath !== '/') {

        if ($CFG->sessioncookiepath !== '/') {

            if ($CFG->sessioncookiepath === '') {

            if ($CFG->sessioncookiepath === '') {

                $CFG->sessioncookiepath = $path;

                $CFG->sessioncookiepath = $path;

            } else {

            } else {

                if (strpos($path, $CFG->sessioncookiepath) !== 0 or substr($CFG->sessioncookiepath, -1) !== '/') {

                if (strpos($path, $CFG->sessioncookiepath) !== 0 or substr($CFG->sessioncookiepath, -1) !== '/') {

                    $CFG->sessioncookiepath = $path;

                    $CFG->sessioncookiepath = $path;

        ini_set('session.serialize_handler', 'php');  // We can move to 'php_serialize' after we require PHP 5.5.4 form Moodle.

        ini_set('session.serialize_handler', 'php');  // We can move to 'php_serialize' after we require PHP 5.5.4 form Moodle.

        // Moodle does normal session timeouts, this is for leftovers only.

        // Moodle does normal session timeouts, this is for leftovers only.

        ini_set('session.gc_probability', 1);

        ini_set('session.gc_probability', 1);

        ini_set('session.gc_maxlifetime', 60*60*24*4);

        ini_set('session.gc_maxlifetime', 60 * 60 * 24 * 4);

    }

    }

    /**

    /**

     * Initialise $_SESSION, handles google access

     * Initialise $_SESSION, handles google access

     * and sets up not-logged-in user properly.

     * and sets up not-logged-in user properly.

     *

     *

     * WARNING: $USER and $SESSION are set up later, do not use them yet!

     * WARNING: $USER and $SESSION are set up later, do not use them yet!

     *

     *

     */

    protected static function initialise_user_session($newsid)

    protected static function initialise_user_session($newsid) {

    {

        global $CFG;

        global $CFG;

        $record = self::get_session_by_sid($sid);

        $record = self::get_session_by_sid($sid);

        if (!isset($record->sid)) {

        if (!isset($record->sid)) {

            if (!$newsid) {

            if (!$newsid) {

                if (!empty($_SESSION['USER']->id)) {

                if (!empty($_SESSION['USER']->id)) {

                    // This should not happen, just log it, we MUST not produce any output here!

                    // This should not happen, just log it, we MUST not produce any output here!

                }

                }

                // Prevent session fixation attacks.

                // Prevent session fixation attacks.

                session_regenerate_id(true);

                session_regenerate_id(true);

            }

            }

            $_SESSION = array();

            $_SESSION = array();

            $maxlifetime = $CFG->sessiontimeout;

            $maxlifetime = $CFG->sessiontimeout;

            $timeout = false;

            $timeout = false;

            if (isguestuser($userid) or empty($userid)) {

            if (isguestuser($userid) or empty($userid)) {

                // Ignore guest and not-logged in timeouts, there is very little risk here.

                // Ignore guest and not-logged in timeouts, there is very little risk here.

                $timeout = false;

                $timeout = false;

            } else if ($record->timemodified < di::get(clock::class)->time() - $maxlifetime) {

            } else if ($record->timemodified < di::get(clock::class)->time() - $maxlifetime) {

                $timeout = true;

                $timeout = true;

                $authsequence = get_enabled_auth_plugins(); // Auths, in sequence.

                $authsequence = get_enabled_auth_plugins(); // Auths, in sequence.

                foreach ($authsequence as $authname) {

                foreach ($authsequence as $authname) {

                    $authplugin = get_auth_plugin($authname);

                    $authplugin = get_auth_plugin($authname);

                if ($record->timemodified == $record->timecreated) {

                if ($record->timemodified == $record->timecreated) {

                    // Always do first update of existing record.

                    // Always do first update of existing record.

                    $update->timemodified = $record->timemodified = $time;

                    $update->timemodified = $record->timemodified = $time;

                    $updated = true;

                } else if ($record->timemodified < $time - $updatefreq) {

                } else if ($record->timemodified < $time - $updatefreq) {

                    // Update the session modified flag only once every 20 seconds.

                    // Update the session modified flag only once every 20 seconds.

                    $update->timemodified = $record->timemodified = $time;

                    $update->timemodified = $record->timemodified = $time;

                    $updated = true;

                    $updated = true;

                $user = guest_user();

                $user = guest_user();

            }

            }

            $referer = get_local_referer(false);

            $referer = get_local_referer(false);

            if (!empty($CFG->guestloginbutton) and !$user and !empty($referer)) {

            if (!empty($CFG->guestloginbutton) and !$user and !empty($referer)) {

                // Automatically log in users coming from search engine results.

                // Automatically log in users coming from search engine results.

                    $user = guest_user();

                    $user = guest_user();

                    $user = guest_user();

                    $user = guest_user();

                }

                }

            }

            }

        }

        }

     * Returns a single session record for this session id.

     * Returns a single session record for this session id.

     *

     *

     * @param string $sid

     * @param string $sid

     * @return \stdClass

     * @return \stdClass

     */

     */

        return self::$handler->get_session_by_sid($sid);

        return self::$handler->get_session_by_sid($sid);

    }

    }

    /**

    /**

     * Returns all the session records for this user id.

     * Returns all the session records for this user id.

     *

     *

     * @param int $userid

     * @param int $userid

     * @return array

     * @return array

    public static function get_sessions_by_userid(int $userid): array {

    {

        return self::$handler->get_sessions_by_userid($userid);

        return self::$handler->get_sessions_by_userid($userid);

    }

    }

    /**

    /**

     * Insert new empty session record.

     * Insert new empty session record.

     *

     *

     * @param int $userid

     * @param int $userid

     */

    public static function add_session(int $userid): \stdClass

    public static function add_session(int $userid): \stdClass {

    {

        return self::$handler->add_session($userid);

        return self::$handler->add_session($userid);

    }

    }

    /**

    /**

     * Update a session record.

     * Update a session record.

     *

     *

     * @return bool

     */

     */

    public static function update_session(\stdClass $record): bool

    public static function update_session(\stdClass $record): bool {

    {

        return self::$handler->update_session($record);

        return self::$handler->update_session($record);

    }

    }

    /**

    /**

     * Do various session security checks.

     * Do various session security checks.

     * WARNING: $USER and $SESSION are set up later, do not use them yet!

     * @throws \core\session\exception

     * @throws \core\session\exception

     */

     */

    protected static function check_security()

    protected static function check_security() {

    {

    /**

    /**

     * Login user, to be called from complete_user_login() only.

     * Login user, to be called from complete_user_login() only.

     * @param \stdClass $user

     * @param \stdClass $user

    public static function login_user(\stdClass $user) {

    {

        global $DB;

        global $DB;

     * Returns a valid setting for the SameSite cookie attribute.

     * Returns a valid setting for the SameSite cookie attribute.

     *

     *

     * @return string The desired setting for the SameSite attribute on the cookie. Empty string indicates the SameSite attribute

     * @return string The desired setting for the SameSite attribute on the cookie. Empty string indicates the SameSite attribute

     * should not be set at all.

     * should not be set at all.

     */

     */

        // We only want None or no attribute at this point. When we have cookie handling compatible with Lax,

        // We only want None or no attribute at this point. When we have cookie handling compatible with Lax,

        // we can look at checking a setting.

        // we can look at checking a setting.

        // Browser support for none is not consistent yet. There are known issues with Safari, and IE11.

        // Browser support for none is not consistent yet. There are known issues with Safari, and IE11.

    /**

    /**

     * Terminate current user session.

     * Terminate current user session.

     * @return void

     * @return void

    public static function terminate_current() {

    {

        global $DB;

        global $DB;

        if (!self::$sessionactive) {

        if (!self::$sessionactive) {

            self::init_empty_session();

            self::init_empty_session();

            self::$sessionactive = false;

            self::$sessionactive = false;

            return;

            return;

        try {

        try {

            $DB->delete_records('external_tokens', array('sid'=>session_id(), 'tokentype'=>EXTERNAL_TOKEN_EMBEDDED));

            $DB->delete_records('external_tokens', array('sid' => session_id(), 'tokentype' => EXTERNAL_TOKEN_EMBEDDED));

        } catch (\Exception $ignored) {

        } catch (\Exception $ignored) {

            // Probably install/upgrade - ignore this problem.

            // Probably install/upgrade - ignore this problem.

        }

        }

        $file = null;

        $file = null;

        $line = null;

        $line = null;

        if (headers_sent($file, $line)) {

        if (headers_sent($file, $line)) {

            error_log('Cannot terminate session properly - headers were already sent in file: '.$file.' on line '.$line);

            error_log('Cannot terminate session properly - headers were already sent in file: ' . $file . ' on line ' . $line);

    /**

    /**

     * No more changes in session expected.

     * No more changes in session expected.

     * Unblocks the sessions, other scripts may start executing in parallel.

     * Unblocks the sessions, other scripts may start executing in parallel.

    public static function write_close() {

    {

        global $PERF, $ME, $CFG;

        global $PERF, $ME, $CFG;

        if (self::$sessionactive) {

        if (self::$sessionactive) {

     * In write_close the session is saved to the variable $sessionatclose

     * In write_close the session is saved to the variable $sessionatclose

     * If there is a difference between $sessionatclose and the current session,

     * If there is a difference between $sessionatclose and the current session,

     * it means a script has erroneously closed the session too early.

     * it means a script has erroneously closed the session too early.

     * Script is usually called in shutdown_manager

     * Script is usually called in shutdown_manager

     */

     */

        global $ME;

        global $ME;

        // Session is still open, mutations are allowed.

        // Session is still open, mutations are allowed.

        if (self::$sessionactive) {

        if (self::$sessionactive) {

     * Timeout evaluation is simplified, the auth hooks are not executed.

     * Timeout evaluation is simplified, the auth hooks are not executed.

     *

     *

     * @param string $sid

     * @param string $sid

     * @return bool

     * @return bool

     */

     */

        global $DB, $CFG;

        global $DB, $CFG;

        if (empty($CFG->version)) {

        if (empty($CFG->version)) {

            // Not installed yet, do not try to access database.

            // Not installed yet, do not try to access database.

    /**

    /**

     * Return the number of seconds remaining in the current session.

     * Return the number of seconds remaining in the current session.

     * @param string $sid

     * @param string $sid

    public static function time_remaining($sid) {

    {

        global $DB, $CFG;

        global $DB, $CFG;

        if (empty($CFG->version)) {

        if (empty($CFG->version)) {

    /**

    /**

     * Fake last access for given session, this prevents session timeout.

     * Fake last access for given session, this prevents session timeout.

     * @param string $sid

     * @param string $sid

    public static function touch_session($sid) {

    {

        // Timeouts depend on core sessions table only, no need to update anything in external stores.

        // Timeouts depend on core sessions table only, no need to update anything in external stores.

        self::$handler->update_session((object) [

        self::$handler->update_session((object) [

            'sid' => $sid,

            'sid' => $sid,

            'timemodified' => di::get(clock::class)->time(),

            'timemodified' => di::get(clock::class)->time(),

     */

     */

    #[\core\attribute\deprecated(

    #[\core\attribute\deprecated(

        replacement: 'destroy_all',

        replacement: 'destroy_all',

        since: '4.5',

        since: '4.5',

    )]

    )]

        \core\deprecation::emit_deprecation([self::class, __FUNCTION__]);

        \core\deprecation::emit_deprecation([self::class, __FUNCTION__]);

        self::destroy_all();

        self::destroy_all();

    }

    }

     */

     */

    #[\core\attribute\deprecated(

    #[\core\attribute\deprecated(

        replacement: 'destroy',

        replacement: 'destroy',

        since: '4.5',

        since: '4.5',

    )]

    )]

        \core\deprecation::emit_deprecation([self::class, __FUNCTION__]);

        \core\deprecation::emit_deprecation([self::class, __FUNCTION__]);

        self::destroy($sid);

        self::destroy($sid);

    }

    }

     */

     */

    #[\core\attribute\deprecated(

    #[\core\attribute\deprecated(

        replacement: 'destroy_by_auth_plugin',

        replacement: 'destroy_by_auth_plugin',

        since: '4.5',

        since: '4.5',

    )]

    )]

        \core\deprecation::emit_deprecation([self::class, __FUNCTION__]);

        \core\deprecation::emit_deprecation([self::class, __FUNCTION__]);

        self::destroy_by_auth_plugin($pluginname);

        self::destroy_by_auth_plugin($pluginname);

    }

    }

     * @param string $keepsid keep this sid if present

     * @param string $keepsid keep this sid if present

     * @deprecated since Moodle 4.5 See MDL-66161

     * @deprecated since Moodle 4.5 See MDL-66161

     * @todo Remove in MDL-81848

     * @todo Remove in MDL-81848

     */

     */

    #[\core\attribute\deprecated(

    #[\core\attribute\deprecated(

    )]

    )]

        \core\deprecation::emit_deprecation([self::class, __FUNCTION__]);

        \core\deprecation::emit_deprecation([self::class, __FUNCTION__]);

        self::destroy_user_sessions($userid, $keepsid);

        self::destroy_user_sessions($userid, $keepsid);

    }

    }

    /**

    /**

     * Destroy all sessions for a given plugin.

     * Destroy all sessions for a given plugin.

     * Typically used when a plugin is disabled or uninstalled, so all sessions (users) for that plugin are logged out.

     * Typically used when a plugin is disabled or uninstalled, so all sessions (users) for that plugin are logged out.

     *

     *

     * @param string $pluginname Auth plugin name.

     * @param string $pluginname Auth plugin name.

    public static function destroy_by_auth_plugin(string $pluginname): void {

    {

        self::$handler->destroy_by_auth_plugin($pluginname);

        self::$handler->destroy_by_auth_plugin($pluginname);

    }

    }

    /**

    /**

     * Destroy all sessions, and delete all the session data.

     * Destroy all sessions, and delete all the session data.

     *

     *

     */

    public static function destroy_all(): bool

    public static function destroy_all(): bool {

    {

        self::terminate_current();

        self::terminate_current();

        self::load_handler();

        self::load_handler();

        try {

        try {

            $result = self::$handler->destroy_all();

            $result = self::$handler->destroy_all();

        } catch (\moodle_exception $ignored) {

        } catch (\moodle_exception $ignored) {

            $result = true;

            $result = true;

        }

        }

         return $result;

        return $result;

    }

    }

    /**

    /**

     *

     * @param string $id

     * @param string $id

     * @return bool

     * @return bool

     */

     */

    public static function destroy(string $id): bool

    /**

    /**

     * Destroy all sessions of given user unconditionally.

     * Destroy all sessions of given user unconditionally.

     * @param int $userid

     * @param int $userid

     * @param string $keepsid keep this sid if present

     * @param string $keepsid keep this sid if present

     */

     */

        $sessions = self::get_sessions_by_userid($userid);

        $sessions = self::get_sessions_by_userid($userid);

        foreach ($sessions as $session) {

        foreach ($sessions as $session) {

            if ($keepsid and $keepsid === $session->sid) {

            if ($keepsid and $keepsid === $session->sid) {

                continue;

                continue;

            }

            }

     *

     *

     * @param int $userid

     * @param int $userid

     * @param string $sid session id to be always keep, usually the current one

     * @param string $sid session id to be always keep, usually the current one

     * @return void

     * @return void

     */

     */

        global $CFG, $DB;

        global $CFG, $DB;

        // NOTE: the $sid parameter is here mainly to allow testing,

        // NOTE: the $sid parameter is here mainly to allow testing,

                }

                }

            }

            }

        }

        }

        usort($sessions, function($a, $b){

        usort($sessions, function ($a, $b) {

            return $b->timecreated <=> $a->timecreated;

            return $b->timecreated <=> $a->timecreated;

        });

        });

    /**

    /**

     * Set current user.

     * Set current user.

     *

     *

     * @param \stdClass $user record

     * @param \stdClass $user record

     */

     */

        global $ADMIN;

        global $ADMIN;

        $GLOBALS['USER'] = $user;

        $GLOBALS['USER'] = $user;

        unset($GLOBALS['USER']->description); // Conserve memory.

        unset($GLOBALS['USER']->description); // Conserve memory.

        unset($GLOBALS['USER']->password);    // Improve security.

        unset($GLOBALS['USER']->password);    // Improve security.

        if (isset($GLOBALS['USER']->lang)) {

        if (isset($GLOBALS['USER']->lang)) {

            // Make sure it is a valid lang pack name.

            // Make sure it is a valid lang pack name.

            $GLOBALS['USER']->lang = clean_param($GLOBALS['USER']->lang, PARAM_LANG);

            $GLOBALS['USER']->lang = clean_param($GLOBALS['USER']->lang, PARAM_LANG);

        }

        }

        $_SESSION['USER'] =& $GLOBALS['USER'];

        $_SESSION['USER'] = &$GLOBALS['USER'];

        // Nullify the $ADMIN tree global. If we're changing users, then this is now stale and must be generated again if needed.

        // Nullify the $ADMIN tree global. If we're changing users, then this is now stale and must be generated again if needed.

     * Periodic timed-out session cleanup.

     * Periodic timed-out session cleanup.

     *

     *

     * @param int $maxlifetime Sessions that have not updated for the last max_lifetime seconds will be removed.

     * @param int $maxlifetime Sessions that have not updated for the last max_lifetime seconds will be removed.

     * @return void

     * @return void

     */

     */

        global $CFG;

        global $CFG;

        // If max lifetime is not provided, use the default session timeout.

        // If max lifetime is not provided, use the default session timeout.

        if ($maxlifetime == 0) {

        if ($maxlifetime == 0) {

    /**

    /**

     * Is current $USER logged-in-as somebody else?

     * Is current $USER logged-in-as somebody else?

     * @return bool

     * @return bool

    public static function is_loggedinas() {

    {

        return !empty($GLOBALS['USER']->realuser);

        return !empty($GLOBALS['USER']->realuser);

    }

    }

    /**

    /**

     * Returns the $USER object ignoring current login-as session

     * Returns the $USER object ignoring current login-as session

     */

    public static function get_realuser()

    public static function get_realuser() {

    {

        if (self::is_loggedinas()) {

        if (self::is_loggedinas()) {

            return $_SESSION['REALUSER'];

            return $_SESSION['REALUSER'];

        } else {

        } else {

     * @param int $userid

     * @param int $userid

     * @param \context $context

     * @param \context $context

     * @param bool $generateevent Set to false to prevent the loginas event to be generated

     * @param bool $generateevent Set to false to prevent the loginas event to be generated

     * @return void

     * @return void

     */

     */

        global $USER;

        global $USER;

        if (self::is_loggedinas()) {

        if (self::is_loggedinas()) {

            return;

            return;

        }

        }

        $_SESSION = array();

        $_SESSION = array();

        $GLOBALS['SESSION'] = new \stdClass();

        $GLOBALS['SESSION'] = new \stdClass();

        // Create the new $USER object with all details and reload needed capabilities.

        // Create the new $USER object with all details and reload needed capabilities.

        $_SESSION['REALUSER'] = clone($GLOBALS['USER']);

        $_SESSION['REALUSER'] = clone ($GLOBALS['USER']);

        $user = get_complete_user_data('id', $userid);

        $user = get_complete_user_data('id', $userid);

     * @param string $component The string component for the message to show on failure.

     * @param string $component The string component for the message to show on failure.

     * @param int $frequency The update frequency in seconds.

     * @param int $frequency The update frequency in seconds.

     * @param int $timeout The timeout of each request in seconds.

     * @param int $timeout The timeout of each request in seconds.

     * @throws \coding_exception IF the frequency is longer than the session lifetime.

     * @throws \coding_exception IF the frequency is longer than the session lifetime.

     */

     */

        global $CFG, $PAGE;

        global $CFG, $PAGE;

        if ($frequency) {

        if ($frequency) {

            if ($frequency > $CFG->sessiontimeout) {

            if ($frequency > $CFG->sessiontimeout) {

            // A frequency of sessiontimeout / 10 matches the timeouts in core/network amd module.

            // A frequency of sessiontimeout / 10 matches the timeouts in core/network amd module.

            $frequency = $CFG->sessiontimeout / 10;

            $frequency = $CFG->sessiontimeout / 10;

        }

        }

            ));

        ));

    }

    }

    /**

    /**

     * Generate a new login token and store it in the session.

     * Generate a new login token and store it in the session.

     *

     *

     */

    private static function create_login_token()

    private static function create_login_token() {

    {

        global $SESSION;

        global $SESSION;

     * Logins will be rejected if they do not include this token as well as

     * Logins will be rejected if they do not include this token as well as

     * the username and password fields.

     * the username and password fields.

     *

     *

     * @return string The current login token.

     * @return string The current login token.

     */

     */

        global $CFG, $SESSION;

        global $CFG, $SESSION;

        $state = false;

        $state = false;

     *

     *

     * @param mixed $token The value submitted in the login form that we are validating.

     * @param mixed $token The value submitted in the login form that we are validating.

     *                     If false is passed for the token, this function will always return true.

     *                     If false is passed for the token, this function will always return true.

     * @return boolean If the submitted token is valid.

     * @return boolean If the submitted token is valid.

     */

     */

        global $CFG, $SESSION;

        global $CFG, $SESSION;

        if (!empty($CFG->alternateloginurl) || !empty($CFG->disablelogintoken)) {

        if (!empty($CFG->alternateloginurl) || !empty($CFG->disablelogintoken)) {

            // An external login page cannot generate the login token we need to protect CSRF on

            // An external login page cannot generate the login token we need to protect CSRF on

    /**

    /**

     * Get the recent session locks array.

     * Get the recent session locks array.

     *

     *

     * @return array Recent session locks array.

     * @return array Recent session locks array.

     */

     */

        global $SESSION;

        global $SESSION;

        if (!isset($SESSION->recentsessionlocks)) {

        if (!isset($SESSION->recentsessionlocks)) {

            // This will hold the pages that blocks other page.

            // This will hold the pages that blocks other page.

     *

     *

     * This function will store session lock info of all the pages visited.

     * This function will store session lock info of all the pages visited.

     *

     *

     * @param array $sessionlock Session lock array.

     * @param array $sessionlock Session lock array.

     */

     */

        global $CFG, $SESSION;

        global $CFG, $SESSION;

        if (empty($CFG->debugsessionlock)) {

        if (empty($CFG->debugsessionlock)) {

            return;

            return;

    }

    }

    /**

    /**

     * Reset recent session locks array if there is a time gap more than SESSION_RESET_GAP_THRESHOLD.

     * Reset recent session locks array if there is a time gap more than SESSION_RESET_GAP_THRESHOLD.

    public static function cleanup_recent_session_locks() {

    {

        global $SESSION;

        global $SESSION;

     * Look for a page whose lock was gained before that timestamp, and released after that timestamp.

     * Look for a page whose lock was gained before that timestamp, and released after that timestamp.

     *

     *

     * @param  float $time Time before session lock starts.

     * @param  float $time Time before session lock starts.

     * @return array|null

     * @return array|null

     */

     */

        $recentsessionlocks = self::get_recent_session_locks();

        $recentsessionlocks = self::get_recent_session_locks();

        foreach ($recentsessionlocks as $recentsessionlock) {

        foreach ($recentsessionlocks as $recentsessionlock) {

                return $recentsessionlock;

                return $recentsessionlock;

            }

            }

        }

        }

    }

    }

    /**

    /**

     * Display the page which blocks other pages.

     * Display the page which blocks other pages.

     *

     *

     * @return string

     * @return string

    public static function display_blocking_page() {

    {

        global $PERF;

        global $PERF;

        $page = self::get_locked_page_at($PERF->sessionlock['start']);

        $page = self::get_locked_page_at($PERF->sessionlock['start']);

        $output = "Script ".me()." was blocked for ";

        $output = "Script " . me() . " was blocked for ";

        $output .= number_format($PERF->sessionlock['wait'], 3);

        $output .= number_format($PERF->sessionlock['wait'], 3);

        if ($page != null) {

        if ($page != null) {

            $output .= " second(s) by script: ";

            $output .= " second(s) by script: ";

    /**

    /**

     * Get session lock info of the current page.

     * Get session lock info of the current page.

     *

     *

     * @return array

     * @return array

     */

     */

        global $PERF;

        global $PERF;

        if (!isset($PERF->sessionlock)) {

        if (!isset($PERF->sessionlock)) {

            return null;

            return null;

    }

    }

    /**

    /**

     * Display debugging info about slow and blocked script.

     * Display debugging info about slow and blocked script.

    public static function sessionlock_debugging() {

    {

        global $CFG, $PERF;

        global $CFG, $PERF;

                debugging("Script ".me()." locked the session for ".number_format($PERF->sessionlock['held'], 3)

                debugging("Script " . me() . " locked the session for " . number_format($PERF->sessionlock['held'], 3)

                ." seconds, it should close the session using \core\session\manager::write_close().", DEBUG_NORMAL);

                    . " seconds, it should close the session using \core\session\manager::write_close().", DEBUG_NORMAL);

            }

            }

            if (isset($PERF->sessionlock['wait']) && $PERF->sessionlock['wait'] > $CFG->debugsessionlock) {

            if (isset($PERF->sessionlock['wait']) && $PERF->sessionlock['wait'] > $CFG->debugsessionlock) {

                $output = self::display_blocking_page();

                $output = self::display_blocking_page();

                debugging($output, DEBUG_DEVELOPER);

                debugging($output, DEBUG_DEVELOPER);

            }

            }

        }

        return self::$sessionactive === true;

    }

    }

    /**

    /**

     * Compares two arrays and outputs the difference.

     * Compares two arrays and outputs the difference.

     *

     *

     * @param array $previous

     * @param array $previous

     * @param array $current

     * @param array $current

     * @return array

     * @return array

     */

     */

        // To use array_udiff_uassoc, the first array must have the most keys; this ensures every key is checked.

        // To use array_udiff_uassoc, the first array must have the most keys; this ensures every key is checked.

        // To do this, we first need to sort them by the length of their keys.

        // To do this, we first need to sort them by the length of their keys.

        $arrays = [$current, $previous];

        $arrays = [$current, $previous];