Manual:SessionProvider.php
| MediaWiki file: SessionProvider.php | |
|---|---|
| Location: | includes/session/ |
| Source code: | master • 1.43.1 • 1.42.6 • 1.39.12 |
| Classes: | MediaWiki\Session\SessionProvider |
The SessionProvider class is an abstract class used to provide a SessionInfo as well as support for Sessions.
Purposes
- A SessionProvider is responsible for taking a WebRequest and determining the authenticated session that it's a part of. It does this by returning a SessionInfo object with basic information about the session it thinks is associated with the request, namely the session ID and possibly the authenticated user the session belongs to.
- The SessionProvider also provides for updating the WebResponse with information necessary to provide the client with data that the client will send with later requests.
- It also provides for populating the Vary and Key headers with the data necessary to correctly vary the cache on these client requests. An important part of this is indicating whether it even can tell the client to include such data in future requests, via the persistsSessionId() and canChangeUser() methods. In order of decreasing commonness, the cases are:
  - Cannot persist ID, no changing User: The request identifies and authenticates a particular local user, and the client cannot be instructed to include an arbitrary session ID with future requests. For example, OAuth or SSL certificate auth.
  - Can persist ID and can change User: The client can be instructed to return at least one piece of arbitrary data, that being the session ID. The user identity might also be given to the client, otherwise it's saved in the session data. For example, cookie-based sessions.
  - Can persist ID but no changing User: The request uniquely identifies and authenticates a local user, and the client can be instructed to return an arbitrary session ID with future requests. For example, HTTP Digest authentication might somehow use the 'opaque' field as a session ID (although getting MediaWiki to return 401 responses without breaking other stuff might be a challenge).
- Note: many methods that are technically "cannot persist ID" could be turned into "can persist ID but not change User" using a session cookie, as implemented by ImmutableSessionProviderWithCookie. If doing so, different session cookie names should be used for different providers to avoid collisions.
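The "cannot persist ID, no changing User" case, sketched as a subclass. This is an added example, not code from MediaWiki or any extension: the class name, namespace, the `X-Example-Token` header and the `tokenHashes` parameter are hypothetical, and the constructor arguments are assumed to arrive from the `args` of a `$wgSessionProviders` entry.

```php
<?php
namespace MediaWiki\Extension\Example; // hypothetical extension namespace

use MediaWiki\Request\WebRequest; // assumption: MediaWiki 1.40+; older releases use the global WebRequest
use MediaWiki\Session\SessionBackend;
use MediaWiki\Session\SessionInfo;
use MediaWiki\Session\SessionProvider;
use MediaWiki\Session\UserInfo;
class HeaderTokenSessionProvider extends SessionProvider {
	/** @var array username => hex SHA-256 of that user's token (hypothetical store) */
	private array $tokenHashes;
	public function __construct( array $params = [] ) {
		parent::__construct();
		$this->priority = $params['priority'] ?? SessionInfo::MAX_PRIORITY;
		$this->tokenHashes = $params['tokenHashes'] ?? [];
	}

	public function provideSessionInfo( WebRequest $request ) {
		$token = $request->getHeader( 'X-Example-Token' ); // hypothetical header
		if ( !is_string( $token ) || $token === '' ) {
			return null; // not our request; other providers (e.g. cookies) may claim it
		}
		$presented = hash( 'sha256', $token );
		$matched = null;
		foreach ( $this->tokenHashes as $name => $stored ) {
			// Constant-time comparison; keep looping so timing does not reveal the position
			if ( hash_equals( (string)$stored, $presented ) ) {
				$matched = (string)$name;
			}
		}
		if ( $matched === null ) {
			return null; // unknown token: no session from this provider
		}
		return new SessionInfo( $this->priority, [
			'provider' => $this,
			// No ID can be handed to the client, so derive a stable one from the verified identity
			'id' => $this->hashToSessionId( $matched ),
			'userInfo' => UserInfo::newFromName( $matched, true ), // true = verified
			'persisted' => true,
			'forceUse' => true, // avoid persistent failure if stored session data fails validation
		] );
	}

	public function persistsSessionId() { return false; } // client cannot be told to echo an ID
	public function canChangeUser() { return false; } // user is fixed by the token
	public function persistSession( SessionBackend $session, WebRequest $request ) {} // nothing to send
	public function unpersistSession( WebRequest $request ) {} // nothing to remove
	public function safeAgainstCsrf() { return true; } // browsers do not attach this header on their own
}
```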
Implements
Methods
Include:
- init() - Initialise with dependencies of a SessionProvider
- getConfig() [protected]
- getHookContainer() [protected]
- getManager() - Get the SessionManager
- provideSessionInfo( WebRequest $request ) [abstract] - Provide session info for a request
- newSessionInfo( $id = null ) - Provide session info for a new, empty session
- mergeMetadata( array $savedMetadata, array $providedMetadata ) - Merge saved session provider metadata
- refreshSessionInfo( SessionInfo $info, WebRequest $request, &$metadata ) - (bool) Validate a loaded SessionInfo and refresh provider metadata
- persistsSessionId() [abstract] - Indicate whether self::persistSession() can save arbitrary session IDs
- canChangeUser() [abstract] - Indicate whether the user associated with the request can be changed
- getRememberUserDuration()
- sessionIdWasReset( SessionBackend $session, $oldId ) - Notification that the session ID was reset
- persistSession( SessionBackend $session, WebRequest $request ) [abstract] - Persist a session into a request/response
- unpersistSession( WebRequest $request ) [abstract] -
- preventSessionsForUser( $username ) - Prevent future sessions for the user
- invalidateSessionsForUser( User $user )
- getVaryHeaders() - Return the HTTP headers that need varying on
- getVaryCookies() - Return the list of cookies that need varying on
- suggestLoginUsername( WebRequest $request ) - Get a suggested username for the login form
- getAllowedUserRights( SessionBackend $backend ) - Fetch the rights allowed the user when the specified session is active.
- describeMessage() [protected] - Return a Message identifying this session type
- describe( Language $lang )
- whyNoSession()
- safeAgainstCsrf() - bool
- hashToSessionId( $data, $key = null ) [final protected]
Extended by
- Manual:ImmutableSessionProviderWithCookie.php
- Manual:BotPasswordSessionProvider.php (extends the above)
- Manual:CookieSessionProvider.php
- Manual:InstallerSessionProvider.php
- Manual:DummySessionProvider.php
For SessionProviders in extensions, see for instance:
- Extension:CentralAuth - CentralAuthTokenSessionProvider
- Extension:NetworkSession - NetworkSessionProvider