Search moodle.org's
Developer Documentation
Developer Documentation
See Release Notes
Long Term Support Release
- Bug fixes for general core bugs in 4.1.x will end 13 November 2023 (12 months).
- Bug fixes for security issues in 4.1.x will end 10 November 2025 (36 months).
- PHP version: minimum PHP 7.4.0 Note: minimum PHP version has increased since Moodle 4.0. PHP 8.0.x is supported too.
/lib/classes/session/ -> manager.php (source)
Differences Between: [Versions 310 and 401] [Versions 311 and 401] [Versions 39 and 401] [Versions 400 and 401] [Versions 401 and 402] [Versions 401 and 403]
1 <?php 2 // This file is part of Moodle - http://moodle.org/ 3 // 4 // Moodle is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // Moodle is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU General Public License for more details. 13 // 14 // You should have received a copy of the GNU General Public License 15 // along with Moodle. If not, see <http://www.gnu.org/licenses/>. 16 17 /** 18 * Session manager class. 19 * 20 * @package core 21 * @copyright 2013 Petr Skoda {@link http://skodak.org} 22 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later 23 */ 24 25 namespace core\session; 26 27 defined('MOODLE_INTERNAL') || die(); 28 29 use html_writer; 30 31 /** 32 * Session manager, this is the public Moodle API for sessions. 33 * 34 * Following PHP functions MUST NOT be used directly: 35 * - session_start() - not necessary, lib/setup.php starts session automatically, 36 * use define('NO_MOODLE_COOKIE', true) if session not necessary. 37 * - session_write_close() - use \core\session\manager::write_close() instead. 38 * - session_destroy() - use require_logout() instead. 39 * 40 * @package core 41 * @copyright 2013 Petr Skoda {@link http://skodak.org} 42 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later 43 */ 44 class manager { 45 /** @var int A hard cutoff of maximum stored history */ 46 const MAXIMUM_STORED_SESSION_HISTORY = 50; 47 48 /** @var int The recent session locks array is reset if there is a time gap more than this value in seconds */ 49 const SESSION_RESET_GAP_THRESHOLD = 1; 50 51 /** @var handler $handler active session handler instance */ 52 protected static $handler; 53 54 /** @var bool $sessionactive Is the session active? */ 55 protected static $sessionactive = null; 56 57 /** @var string $logintokenkey Key used to get and store request protection for login form. */ 58 protected static $logintokenkey = 'core_auth_login'; 59 60 /** @var array Stores the the SESSION before a request is performed, used to check incorrect read-only modes */ 61 private static $priorsession = []; 62 63 /** 64 * @var bool Used to trigger the SESSION mutation warning without actually preventing SESSION mutation. 65 * This variable is used to "copy" what the $requireslock parameter does in start_session(). 66 * Once requireslock is set in start_session it's later accessible via $handler->requires_write_lock, 67 * When using $CFG->enable_read_only_sessions_debug mode, this variable serves the same purpose without 68 * actually setting the handler as requiring a write lock. 69 */ 70 private static $requireslockdebug; 71 72 /** 73 * If the current session is not writeable, abort it, and re-open it 74 * requesting (and blocking) until a write lock is acquired. 75 * If current session was already opened with an intentional write lock, 76 * this call will not do anything. 77 * NOTE: Even when using a session handler that does not support non-locking sessions, 78 * if the original session was not opened with the explicit intention of being locked, 79 * this will still restart your session so that code behaviour matches as closely 80 * as practical across environments. 81 * 82 * @param bool $readonlysession Used by debugging logic to determine if whatever 83 * triggered the restart (e.g., a webservice) declared 84 * itself as read only. 85 */ 86 public static function restart_with_write_lock(bool $readonlysession) { 87 global $CFG; 88 89 self::$requireslockdebug = !$readonlysession; 90 91 if (self::$sessionactive && !self::$handler->requires_write_lock()) { 92 @self::$handler->abort(); 93 self::$sessionactive = false; 94 self::start_session(true); 95 } 96 } 97 98 /** 99 * Start user session. 100 * 101 * Note: This is intended to be called only from lib/setup.php! 102 */ 103 public static function start() { 104 global $CFG, $DB, $PERF; 105 106 if (isset(self::$sessionactive)) { 107 debugging('Session was already started!', DEBUG_DEVELOPER); 108 return; 109 } 110 111 // Grab the time before session lock starts. 112 $PERF->sessionlock['start'] = microtime(true); 113 self::load_handler(); 114 115 // Init the session handler only if everything initialised properly in lib/setup.php file 116 // and the session is actually required. 117 if (empty($DB) or empty($CFG->version) or !defined('NO_MOODLE_COOKIES') or NO_MOODLE_COOKIES or CLI_SCRIPT) { 118 self::$sessionactive = false; 119 self::init_empty_session(); 120 return; 121 } 122 123 if (defined('READ_ONLY_SESSION') && !empty($CFG->enable_read_only_sessions)) { 124 $requireslock = !READ_ONLY_SESSION; 125 } else { 126 $requireslock = true; // For backwards compatibility, we default to assuming that a lock is needed. 127 } 128 129 // By default make the two variables the same. This means that when they are 130 // checked below in start_session and write_close there is no possibility for 131 // the debug version to "accidentally" execute the debug mode. 132 self::$requireslockdebug = $requireslock; 133 if (defined('READ_ONLY_SESSION') && !empty($CFG->enable_read_only_sessions_debug)) { 134 // Only change the debug variable if READ_ONLY_SESSION is declared, 135 // as would happen with the real requireslock variable. 136 self::$requireslockdebug = !READ_ONLY_SESSION; 137 } 138 139 self::start_session($requireslock); 140 } 141 142 /** 143 * Handles starting a session. 144 * 145 * @param bool $requireslock If this is false then no write lock will be acquired, 146 * and the session will be read-only. 147 */ 148 private static function start_session(bool $requireslock) { 149 global $PERF, $CFG; 150 151 try { 152 self::$handler->init(); 153 self::$handler->set_requires_write_lock($requireslock); 154 self::prepare_cookies(); 155 $isnewsession = empty($_COOKIE[session_name()]); 156 157 if (!self::$handler->start()) { 158 // Could not successfully start/recover session. 159 throw new \core\session\exception(get_string('servererror')); 160 } 161 162 if ($requireslock) { 163 // Grab the time when session lock starts. 164 $PERF->sessionlock['gained'] = microtime(true); 165 $PERF->sessionlock['wait'] = $PERF->sessionlock['gained'] - $PERF->sessionlock['start']; 166 } 167 self::initialise_user_session($isnewsession); 168 self::$sessionactive = true; // Set here, so the session can be cleared if the security check fails. 169 self::check_security(); 170 171 if (!$requireslock || !self::$requireslockdebug) { 172 self::$priorsession = (array) $_SESSION['SESSION']; 173 } 174 175 if (!empty($CFG->enable_read_only_sessions) && isset($_SESSION['SESSION']->cachestore_session)) { 176 $caches = join(', ', array_keys($_SESSION['SESSION']->cachestore_session)); 177 $caches = str_replace('default_session-', '', $caches); 178 throw new \moodle_exception("The session caches can not be in the session store when " 179 . "enable_read_only_sessions is enabled. Please map all session mode caches to be outside of the " 180 . "default session store before enabling this features. Found these definitions in the session: $caches"); 181 } 182 183 // Link global $USER and $SESSION, 184 // this is tricky because PHP does not allow references to references 185 // and global keyword uses internally once reference to the $GLOBALS array. 186 // The solution is to use the $GLOBALS['USER'] and $GLOBALS['$SESSION'] 187 // as the main storage of data and put references to $_SESSION. 188 $GLOBALS['USER'] = $_SESSION['USER']; 189 $_SESSION['USER'] =& $GLOBALS['USER']; 190 $GLOBALS['SESSION'] = $_SESSION['SESSION']; 191 $_SESSION['SESSION'] =& $GLOBALS['SESSION']; 192 193 } catch (\Exception $ex) { 194 self::init_empty_session(); 195 self::$sessionactive = false; 196 throw $ex; 197 } 198 } 199 200 /** 201 * Returns current page performance info. 202 * 203 * @return array perf info 204 */ 205 public static function get_performance_info() { 206 global $CFG, $PERF; 207 208 if (!session_id()) { 209 return array(); 210 } 211 212 self::load_handler(); 213 $size = display_size(strlen(session_encode())); 214 $handler = get_class(self::$handler); 215 216 $info = array(); 217 $info['size'] = $size; 218 $info['html'] = html_writer::div("Session ($handler): $size", "sessionsize"); 219 $info['txt'] = "Session ($handler): $size "; 220 221 if (!empty($CFG->debugsessionlock)) { 222 $sessionlock = self::get_session_lock_info(); 223 if (!empty($sessionlock['held'])) { 224 // The page displays the footer and the session has been closed. 225 $sessionlocktext = "Session lock held: ".number_format($sessionlock['held'], 3)." secs"; 226 } else { 227 // The session hasn't yet been closed and so we assume now with microtime. 228 $sessionlockheld = microtime(true) - $PERF->sessionlock['gained']; 229 $sessionlocktext = "Session lock open: ".number_format($sessionlockheld, 3)." secs"; 230 } 231 $info['txt'] .= $sessionlocktext; 232 $info['html'] .= html_writer::div($sessionlocktext, "sessionlockstart"); 233 $sessionlockwaittext = "Session lock wait: ".number_format($sessionlock['wait'], 3)." secs"; 234 $info['txt'] .= $sessionlockwaittext; 235 $info['html'] .= html_writer::div($sessionlockwaittext, "sessionlockwait"); 236 } 237 238 return $info; 239 } 240 241 /** 242 * Get fully qualified name of session handler class. 243 * 244 * @return string The name of the handler class 245 */ 246 public static function get_handler_class() { 247 global $CFG, $DB; 248 249 if (PHPUNIT_TEST) { 250 return '\core\session\file'; 251 } else if (!empty($CFG->session_handler_class)) { 252 return $CFG->session_handler_class; 253 } else if (!empty($CFG->dbsessions) and $DB->session_lock_supported()) { 254 return '\core\session\database'; 255 } 256 257 return '\core\session\file'; 258 } 259 260 /** 261 * Create handler instance. 262 */ 263 protected static function load_handler() { 264 if (self::$handler) { 265 return; 266 } 267 268 // Find out which handler to use. 269 $class = self::get_handler_class(); 270 self::$handler = new $class(); 271 } 272 273 /** 274 * Empty current session, fill it with not-logged-in user info. 275 * 276 * This is intended for installation scripts, unit tests and other 277 * special areas. Do NOT use for logout and session termination 278 * in normal requests! 279 * 280 * @param mixed $newsid only used after initialising a user session, is this a new user session? 281 */ 282 public static function init_empty_session(?bool $newsid = null) { 283 global $CFG; 284 285 if (isset($GLOBALS['SESSION']->notifications)) { 286 // Backup notifications. These should be preserved across session changes until the user fetches and clears them. 287 $notifications = $GLOBALS['SESSION']->notifications; 288 } 289 $GLOBALS['SESSION'] = new \stdClass(); 290 if (isset($newsid)) { 291 $GLOBALS['SESSION']->isnewsessioncookie = $newsid; 292 } 293 294 $GLOBALS['USER'] = new \stdClass(); 295 $GLOBALS['USER']->id = 0; 296 297 if (!empty($notifications)) { 298 // Restore notifications. 299 $GLOBALS['SESSION']->notifications = $notifications; 300 } 301 if (isset($CFG->mnet_localhost_id)) { 302 $GLOBALS['USER']->mnethostid = $CFG->mnet_localhost_id; 303 } else { 304 // Not installed yet, the future host id will be most probably 1. 305 $GLOBALS['USER']->mnethostid = 1; 306 } 307 308 // Link global $USER and $SESSION. 309 $_SESSION = array(); 310 $_SESSION['USER'] =& $GLOBALS['USER']; 311 $_SESSION['SESSION'] =& $GLOBALS['SESSION']; 312 } 313 314 /** 315 * Make sure all cookie and session related stuff is configured properly before session start. 316 */ 317 protected static function prepare_cookies() { 318 global $CFG; 319 320 $cookiesecure = is_moodle_cookie_secure(); 321 322 if (!isset($CFG->cookiehttponly)) { 323 $CFG->cookiehttponly = 0; 324 } 325 326 // Set sessioncookie variable if it isn't already. 327 if (!isset($CFG->sessioncookie)) { 328 $CFG->sessioncookie = ''; 329 } 330 $sessionname = 'MoodleSession'.$CFG->sessioncookie; 331 332 // Make sure cookie domain makes sense for this wwwroot. 333 if (!isset($CFG->sessioncookiedomain)) { 334 $CFG->sessioncookiedomain = ''; 335 } else if ($CFG->sessioncookiedomain !== '') { 336 $host = parse_url($CFG->wwwroot, PHP_URL_HOST); 337 if ($CFG->sessioncookiedomain !== $host) { 338 if (substr($CFG->sessioncookiedomain, 0, 1) === '.') { 339 if (!preg_match('|^.*'.preg_quote($CFG->sessioncookiedomain, '|').'$|', $host)) { 340 // Invalid domain - it must be end part of host. 341 $CFG->sessioncookiedomain = ''; 342 } 343 } else { 344 if (!preg_match('|^.*\.'.preg_quote($CFG->sessioncookiedomain, '|').'$|', $host)) { 345 // Invalid domain - it must be end part of host. 346 $CFG->sessioncookiedomain = ''; 347 } 348 } 349 } 350 } 351 352 // Make sure the cookiepath is valid for this wwwroot or autodetect if not specified. 353 if (!isset($CFG->sessioncookiepath)) { 354 $CFG->sessioncookiepath = ''; 355 } 356 if ($CFG->sessioncookiepath !== '/') { 357 $path = parse_url($CFG->wwwroot, PHP_URL_PATH).'/'; 358 if ($CFG->sessioncookiepath === '') { 359 $CFG->sessioncookiepath = $path; 360 } else { 361 if (strpos($path, $CFG->sessioncookiepath) !== 0 or substr($CFG->sessioncookiepath, -1) !== '/') { 362 $CFG->sessioncookiepath = $path; 363 } 364 } 365 } 366 367 // Discard session ID from POST, GET and globals to tighten security, 368 // this is session fixation prevention. 369 unset($GLOBALS[$sessionname]); 370 unset($_GET[$sessionname]); 371 unset($_POST[$sessionname]); 372 unset($_REQUEST[$sessionname]); 373 374 // Compatibility hack for non-browser access to our web interface. 375 if (!empty($_COOKIE[$sessionname]) && $_COOKIE[$sessionname] == "deleted") { 376 unset($_COOKIE[$sessionname]); 377 } 378 379 // Set configuration. 380 session_name($sessionname); 381 382 $sessionoptions = [ 383 'lifetime' => 0, 384 'path' => $CFG->sessioncookiepath, 385 'domain' => $CFG->sessioncookiedomain, 386 'secure' => $cookiesecure, 387 'httponly' => $CFG->cookiehttponly, 388 ]; 389 390 if (self::should_use_samesite_none()) { 391 // If $samesite is empty, we don't want there to be any SameSite attribute. 392 $sessionoptions['samesite'] = 'None'; 393 } 394 395 session_set_cookie_params($sessionoptions); 396 397 ini_set('session.use_trans_sid', '0'); 398 ini_set('session.use_only_cookies', '1'); 399 ini_set('session.use_strict_mode', '0'); // We have custom protection in session init. 400 ini_set('session.serialize_handler', 'php'); // We can move to 'php_serialize' after we require PHP 5.5.4 form Moodle. 401 402 // Moodle does normal session timeouts, this is for leftovers only. 403 ini_set('session.gc_probability', 1); 404 ini_set('session.gc_divisor', 1000); 405 ini_set('session.gc_maxlifetime', 60*60*24*4); 406 } 407 408 /** 409 * Initialise $_SESSION, handles google access 410 * and sets up not-logged-in user properly. 411 * 412 * WARNING: $USER and $SESSION are set up later, do not use them yet! 413 * 414 * @param bool $newsid is this a new session in first http request? 415 */ 416 protected static function initialise_user_session($newsid) { 417 global $CFG, $DB; 418 419 $sid = session_id(); 420 if (!$sid) { 421 // No session, very weird. 422 error_log('Missing session ID, session not started!'); 423 self::init_empty_session($newsid); 424 return; 425 } 426 427 if (!$record = $DB->get_record('sessions', array('sid'=>$sid), 'id, sid, state, userid, lastip, timecreated, timemodified')) { 428 if (!$newsid) { 429 if (!empty($_SESSION['USER']->id)) { 430 // This should not happen, just log it, we MUST not produce any output here! 431 error_log("Cannot find session record $sid for user ".$_SESSION['USER']->id.", creating new session."); 432 } 433 // Prevent session fixation attacks. 434 session_regenerate_id(true); 435 } 436 $_SESSION = array(); 437 } 438 unset($sid); 439 440 if (isset($_SESSION['USER']->id)) { 441 if (!empty($_SESSION['USER']->realuser)) { 442 $userid = $_SESSION['USER']->realuser; 443 } else { 444 $userid = $_SESSION['USER']->id; 445 } 446 447 // Verify timeout first. 448 $maxlifetime = $CFG->sessiontimeout; 449 $timeout = false; 450 if (isguestuser($userid) or empty($userid)) { 451 // Ignore guest and not-logged in timeouts, there is very little risk here. 452 $timeout = false; 453 454 } else if ($record->timemodified < time() - $maxlifetime) { 455 $timeout = true; 456 $authsequence = get_enabled_auth_plugins(); // Auths, in sequence. 457 foreach ($authsequence as $authname) { 458 $authplugin = get_auth_plugin($authname); 459 if ($authplugin->ignore_timeout_hook($_SESSION['USER'], $record->sid, $record->timecreated, $record->timemodified)) { 460 $timeout = false; 461 break; 462 } 463 } 464 } 465 466 if ($timeout) { 467 if (defined('NO_SESSION_UPDATE') && NO_SESSION_UPDATE) { 468 return; 469 } 470 session_regenerate_id(true); 471 $_SESSION = array(); 472 $DB->delete_records('sessions', array('id'=>$record->id)); 473 474 } else { 475 // Update session tracking record. 476 477 $update = new \stdClass(); 478 $updated = false; 479 480 if ($record->userid != $userid) { 481 $update->userid = $record->userid = $userid; 482 $updated = true; 483 } 484 485 $ip = getremoteaddr(); 486 if ($record->lastip != $ip) { 487 $update->lastip = $record->lastip = $ip; 488 $updated = true; 489 } 490 491 $updatefreq = empty($CFG->session_update_timemodified_frequency) ? 20 : $CFG->session_update_timemodified_frequency; 492 493 if ($record->timemodified == $record->timecreated) { 494 // Always do first update of existing record. 495 $update->timemodified = $record->timemodified = time(); 496 $updated = true; 497 498 } else if ($record->timemodified < time() - $updatefreq) { 499 // Update the session modified flag only once every 20 seconds. 500 $update->timemodified = $record->timemodified = time(); 501 $updated = true; 502 } 503 504 if ($updated && (!defined('NO_SESSION_UPDATE') || !NO_SESSION_UPDATE)) { 505 $update->id = $record->id; 506 $DB->update_record('sessions', $update); 507 } 508 509 return; 510 } 511 } else { 512 if ($record) { 513 // This happens when people switch session handlers... 514 session_regenerate_id(true); 515 $_SESSION = array(); 516 $DB->delete_records('sessions', array('id'=>$record->id)); 517 } 518 } 519 unset($record); 520 521 $timedout = false; 522 if (!isset($_SESSION['SESSION'])) { 523 $_SESSION['SESSION'] = new \stdClass(); 524 if (!$newsid) { 525 $timedout = true; 526 } 527 } 528 529 $user = null; 530 531 if (!empty($CFG->opentowebcrawlers)) { 532 if (\core_useragent::is_web_crawler()) { 533 $user = guest_user(); 534 } 535 $referer = get_local_referer(false); 536 if (!empty($CFG->guestloginbutton) and !$user and !empty($referer)) { 537 // Automatically log in users coming from search engine results. 538 if (strpos($referer, 'google') !== false ) { 539 $user = guest_user(); 540 } else if (strpos($referer, 'altavista') !== false ) { 541 $user = guest_user(); 542 } 543 } 544 } 545 546 // Setup $USER and insert the session tracking record. 547 if ($user) { 548 self::set_user($user); 549 self::add_session_record($user->id); 550 } else { 551 self::init_empty_session($newsid); 552 self::add_session_record(0); 553 } 554 555 if ($timedout) { 556 $_SESSION['SESSION']->has_timed_out = true; 557 } 558 } 559 560 /** 561 * Insert new empty session record. 562 * @param int $userid 563 * @return \stdClass the new record 564 */ 565 protected static function add_session_record($userid) { 566 global $DB; 567 $record = new \stdClass(); 568 $record->state = 0; 569 $record->sid = session_id(); 570 $record->sessdata = null; 571 $record->userid = $userid; 572 $record->timecreated = $record->timemodified = time(); 573 $record->firstip = $record->lastip = getremoteaddr(); 574 575 $record->id = $DB->insert_record('sessions', $record); 576 577 return $record; 578 } 579 580 /** 581 * Do various session security checks. 582 * 583 * WARNING: $USER and $SESSION are set up later, do not use them yet! 584 * @throws \core\session\exception 585 */ 586 protected static function check_security() { 587 global $CFG; 588 589 if (!empty($_SESSION['USER']->id) and !empty($CFG->tracksessionip)) { 590 // Make sure current IP matches the one for this session. 591 $remoteaddr = getremoteaddr(); 592 593 if (empty($_SESSION['USER']->sessionip)) { 594 $_SESSION['USER']->sessionip = $remoteaddr; 595 } 596 597 if ($_SESSION['USER']->sessionip != $remoteaddr) { 598 // This is a security feature - terminate the session in case of any doubt. 599 self::terminate_current(); 600 throw new exception('sessionipnomatch2', 'error'); 601 } 602 } 603 } 604 605 /** 606 * Login user, to be called from complete_user_login() only. 607 * @param \stdClass $user 608 */ 609 public static function login_user(\stdClass $user) { 610 global $DB; 611 612 // Regenerate session id and delete old session, 613 // this helps prevent session fixation attacks from the same domain. 614 615 $sid = session_id(); 616 session_regenerate_id(true); 617 $DB->delete_records('sessions', array('sid'=>$sid)); 618 self::add_session_record($user->id); 619 620 // Let enrol plugins deal with new enrolments if necessary. 621 enrol_check_plugins($user); 622 623 // Setup $USER object. 624 self::set_user($user); 625 } 626 627 /** 628 * Returns a valid setting for the SameSite cookie attribute. 629 * 630 * @return string The desired setting for the SameSite attribute on the cookie. Empty string indicates the SameSite attribute 631 * should not be set at all. 632 */ 633 private static function should_use_samesite_none(): bool { 634 // We only want None or no attribute at this point. When we have cookie handling compatible with Lax, 635 // we can look at checking a setting. 636 637 // Browser support for none is not consistent yet. There are known issues with Safari, and IE11. 638 // Things are stablising, however as they're not stable yet we will deal specifically with the version of chrome 639 // that introduces a default of lax, setting it to none for the current version of chrome (2 releases before the change). 640 // We also check you are using secure cookies and HTTPS because if you are not running over HTTPS 641 // then setting SameSite=None will cause your session cookie to be rejected. 642 if (\core_useragent::is_chrome() && \core_useragent::check_chrome_version('78') && is_moodle_cookie_secure()) { 643 return true; 644 } 645 return false; 646 } 647 648 /** 649 * Terminate current user session. 650 * @return void 651 */ 652 public static function terminate_current() { 653 global $DB; 654 655 if (!self::$sessionactive) { 656 self::init_empty_session(); 657 self::$sessionactive = false; 658 return; 659 } 660 661 try { 662 $DB->delete_records('external_tokens', array('sid'=>session_id(), 'tokentype'=>EXTERNAL_TOKEN_EMBEDDED)); 663 } catch (\Exception $ignored) { 664 // Probably install/upgrade - ignore this problem. 665 } 666 667 // Initialize variable to pass-by-reference to headers_sent(&$file, &$line). 668 $file = null; 669 $line = null; 670 if (headers_sent($file, $line)) { 671 error_log('Cannot terminate session properly - headers were already sent in file: '.$file.' on line '.$line); 672 } 673 674 // Write new empty session and make sure the old one is deleted. 675 $sid = session_id(); 676 session_regenerate_id(true); 677 $DB->delete_records('sessions', array('sid'=>$sid)); 678 self::init_empty_session(); 679 self::add_session_record($_SESSION['USER']->id); // Do not use $USER here because it may not be set up yet. 680 self::write_close(); 681 } 682 683 /** 684 * No more changes in session expected. 685 * Unblocks the sessions, other scripts may start executing in parallel. 686 */ 687 public static function write_close() { 688 global $PERF, $ME, $CFG; 689 690 if (self::$sessionactive) { 691 $requireslock = self::$handler->requires_write_lock(); 692 if ($requireslock) { 693 // Grab the time when session lock is released. 694 $PERF->sessionlock['released'] = microtime(true); 695 if (!empty($PERF->sessionlock['gained'])) { 696 $PERF->sessionlock['held'] = $PERF->sessionlock['released'] - $PERF->sessionlock['gained']; 697 } 698 $PERF->sessionlock['url'] = me(); 699 self::update_recent_session_locks($PERF->sessionlock); 700 self::sessionlock_debugging(); 701 } 702 if (!$requireslock || !self::$requireslockdebug) { 703 // Compare the array of the earlier session data with the array now, if 704 // there is a difference then a lock is required. 705 $arraydiff = self::array_session_diff( 706 self::$priorsession, 707 (array) $_SESSION['SESSION'] 708 ); 709 710 if ($arraydiff) { 711 $error = "Script $ME defined READ_ONLY_SESSION but the following SESSION attributes were changed:"; 712 foreach ($arraydiff as $key => $value) { 713 $error .= ' $SESSION->' . $key; 714 } 715 // This will emit an error if debugging is on, even if $CFG->enable_read_only_sessions 716 // is not true as we need to surface this class of errors. 717 error_log($error); // phpcs:ignore 718 } 719 } 720 } 721 722 // More control over whether session data 723 // is persisted or not. 724 if (self::$sessionactive && session_id()) { 725 // Write session and release lock only if 726 // indication session start was clean. 727 self::$handler->write_close(); 728 } else { 729 // Otherwise, if possible lock exists want 730 // to clear it, but do not write session. 731 // If the $handler has not been set then 732 // there is no session to abort. 733 if (isset(self::$handler)) { 734 @self::$handler->abort(); 735 } 736 } 737 738 self::$sessionactive = false; 739 } 740 741 /** 742 * Does the PHP session with given id exist? 743 * 744 * The session must exist both in session table and actual 745 * session backend and the session must not be timed out. 746 * 747 * Timeout evaluation is simplified, the auth hooks are not executed. 748 * 749 * @param string $sid 750 * @return bool 751 */ 752 public static function session_exists($sid) { 753 global $DB, $CFG; 754 755 if (empty($CFG->version)) { 756 // Not installed yet, do not try to access database. 757 return false; 758 } 759 760 // Note: add sessions->state checking here if it gets implemented. 761 if (!$record = $DB->get_record('sessions', array('sid' => $sid), 'id, userid, timemodified')) { 762 return false; 763 } 764 765 if (empty($record->userid) or isguestuser($record->userid)) { 766 // Ignore guest and not-logged-in timeouts, there is very little risk here. 767 } else if ($record->timemodified < time() - $CFG->sessiontimeout) { 768 return false; 769 } 770 771 // There is no need the existence of handler storage in public API. 772 self::load_handler(); 773 return self::$handler->session_exists($sid); 774 } 775 776 /** 777 * Return the number of seconds remaining in the current session. 778 * @param string $sid 779 */ 780 public static function time_remaining($sid) { 781 global $DB, $CFG; 782 783 if (empty($CFG->version)) { 784 // Not installed yet, do not try to access database. 785 return ['userid' => 0, 'timeremaining' => $CFG->sessiontimeout]; 786 } 787 788 // Note: add sessions->state checking here if it gets implemented. 789 if (!$record = $DB->get_record('sessions', array('sid' => $sid), 'id, userid, timemodified')) { 790 return ['userid' => 0, 'timeremaining' => $CFG->sessiontimeout]; 791 } 792 793 if (empty($record->userid) or isguestuser($record->userid)) { 794 // Ignore guest and not-logged-in timeouts, there is very little risk here. 795 return ['userid' => 0, 'timeremaining' => $CFG->sessiontimeout]; 796 } else { 797 return ['userid' => $record->userid, 'timeremaining' => $CFG->sessiontimeout - (time() - $record->timemodified)]; 798 } 799 } 800 801 /** 802 * Fake last access for given session, this prevents session timeout. 803 * @param string $sid 804 */ 805 public static function touch_session($sid) { 806 global $DB; 807 808 // Timeouts depend on core sessions table only, no need to update anything in external stores. 809 810 $sql = "UPDATE {sessions} SET timemodified = :now WHERE sid = :sid"; 811 $DB->execute($sql, array('now'=>time(), 'sid'=>$sid)); 812 } 813 814 /** 815 * Terminate all sessions unconditionally. 816 */ 817 public static function kill_all_sessions() { 818 global $DB; 819 820 self::terminate_current(); 821 822 self::load_handler(); 823 self::$handler->kill_all_sessions(); 824 825 try { 826 $DB->delete_records('sessions'); 827 } catch (\dml_exception $ignored) { 828 // Do not show any warnings - might be during upgrade/installation. 829 } 830 } 831 832 /** 833 * Terminate give session unconditionally. 834 * @param string $sid 835 */ 836 public static function kill_session($sid) { 837 global $DB; 838 839 self::load_handler(); 840 841 if ($sid === session_id()) { 842 self::write_close(); 843 } 844 845 self::$handler->kill_session($sid); 846 847 $DB->delete_records('sessions', array('sid'=>$sid)); 848 } 849 850 /** 851 * Terminate all sessions of given user unconditionally. 852 * @param int $userid 853 * @param string $keepsid keep this sid if present 854 */ 855 public static function kill_user_sessions($userid, $keepsid = null) { 856 global $DB; 857 858 $sessions = $DB->get_records('sessions', array('userid'=>$userid), 'id DESC', 'id, sid'); 859 foreach ($sessions as $session) { 860 if ($keepsid and $keepsid === $session->sid) { 861 continue; 862 } 863 self::kill_session($session->sid); 864 } 865 } 866 867 /** 868 * Terminate other sessions of current user depending 869 * on $CFG->limitconcurrentlogins restriction. 870 * 871 * This is expected to be called right after complete_user_login(). 872 * 873 * NOTE: 874 * * Do not use from SSO auth plugins, this would not work. 875 * * Do not use from web services because they do not have sessions. 876 * 877 * @param int $userid 878 * @param string $sid session id to be always keep, usually the current one 879 * @return void 880 */ 881 public static function apply_concurrent_login_limit($userid, $sid = null) { 882 global $CFG, $DB; 883 884 // NOTE: the $sid parameter is here mainly to allow testing, 885 // in most cases it should be current session id. 886 887 if (isguestuser($userid) or empty($userid)) { 888 // This applies to real users only! 889 return; 890 } 891 892 if (empty($CFG->limitconcurrentlogins) or $CFG->limitconcurrentlogins < 0) { 893 return; 894 } 895 896 $count = $DB->count_records('sessions', array('userid' => $userid)); 897 898 if ($count <= $CFG->limitconcurrentlogins) { 899 return; 900 } 901 902 $i = 0; 903 $select = "userid = :userid"; 904 $params = array('userid' => $userid); 905 if ($sid) { 906 if ($DB->record_exists('sessions', array('sid' => $sid, 'userid' => $userid))) { 907 $select .= " AND sid <> :sid"; 908 $params['sid'] = $sid; 909 $i = 1; 910 } 911 } 912 913 $sessions = $DB->get_records_select('sessions', $select, $params, 'timecreated DESC', 'id, sid'); 914 foreach ($sessions as $session) { 915 $i++; 916 if ($i <= $CFG->limitconcurrentlogins) { 917 continue; 918 } 919 self::kill_session($session->sid); 920 } 921 } 922 923 /** 924 * Set current user. 925 * 926 * @param \stdClass $user record 927 */ 928 public static function set_user(\stdClass $user) { 929 global $ADMIN; 930 $GLOBALS['USER'] = $user; 931 unset($GLOBALS['USER']->description); // Conserve memory. 932 unset($GLOBALS['USER']->password); // Improve security. 933 if (isset($GLOBALS['USER']->lang)) { 934 // Make sure it is a valid lang pack name. 935 $GLOBALS['USER']->lang = clean_param($GLOBALS['USER']->lang, PARAM_LANG); 936 } 937 938 // Relink session with global $USER just in case it got unlinked somehow. 939 $_SESSION['USER'] =& $GLOBALS['USER']; 940 941 // Nullify the $ADMIN tree global. If we're changing users, then this is now stale and must be generated again if needed. 942 $ADMIN = null; 943 944 // Init session key. 945 sesskey(); 946 947 // Make sure the user is correct in web server access logs. 948 set_access_log_user(); 949 } 950 951 /** 952 * Periodic timed-out session cleanup. 953 */ 954 public static function gc() { 955 global $CFG, $DB; 956 957 // This may take a long time... 958 \core_php_time_limit::raise(); 959 960 $maxlifetime = $CFG->sessiontimeout; 961 962 try { 963 // Kill all sessions of deleted and suspended users without any hesitation. 964 $rs = $DB->get_recordset_select('sessions', "userid IN (SELECT id FROM {user} WHERE deleted <> 0 OR suspended <> 0)", array(), 'id DESC', 'id, sid'); 965 foreach ($rs as $session) { 966 self::kill_session($session->sid); 967 } 968 $rs->close(); 969 970 // Kill sessions of users with disabled plugins. 971 $authsequence = get_enabled_auth_plugins(); 972 $authsequence = array_flip($authsequence); 973 unset($authsequence['nologin']); // No login means user cannot login. 974 $authsequence = array_flip($authsequence); 975 976 list($notplugins, $params) = $DB->get_in_or_equal($authsequence, SQL_PARAMS_QM, '', false); 977 $rs = $DB->get_recordset_select('sessions', "userid IN (SELECT id FROM {user} WHERE auth $notplugins)", $params, 'id DESC', 'id, sid'); 978 foreach ($rs as $session) { 979 self::kill_session($session->sid); 980 } 981 $rs->close(); 982 983 // Now get a list of time-out candidates - real users only. 984 $sql = "SELECT u.*, s.sid, s.timecreated AS s_timecreated, s.timemodified AS s_timemodified 985 FROM {user} u 986 JOIN {sessions} s ON s.userid = u.id 987 WHERE s.timemodified < :purgebefore AND u.id <> :guestid"; 988 $params = array('purgebefore' => (time() - $maxlifetime), 'guestid'=>$CFG->siteguest); 989 990 $authplugins = array(); 991 foreach ($authsequence as $authname) { 992 $authplugins[$authname] = get_auth_plugin($authname); 993 } 994 $rs = $DB->get_recordset_sql($sql, $params); 995 foreach ($rs as $user) { 996 foreach ($authplugins as $authplugin) { 997 /** @var \auth_plugin_base $authplugin*/ 998 if ($authplugin->ignore_timeout_hook($user, $user->sid, $user->s_timecreated, $user->s_timemodified)) { 999 continue 2; 1000 } 1001 } 1002 self::kill_session($user->sid); 1003 } 1004 $rs->close(); 1005 1006 // Delete expired sessions for guest user account, give them larger timeout, there is no security risk here. 1007 $params = array('purgebefore' => (time() - ($maxlifetime * 5)), 'guestid'=>$CFG->siteguest); 1008 $rs = $DB->get_recordset_select('sessions', 'userid = :guestid AND timemodified < :purgebefore', $params, 'id DESC', 'id, sid'); 1009 foreach ($rs as $session) { 1010 self::kill_session($session->sid); 1011 } 1012 $rs->close(); 1013 1014 // Delete expired sessions for userid = 0 (not logged in), better kill them asap to release memory. 1015 $params = array('purgebefore' => (time() - $maxlifetime)); 1016 $rs = $DB->get_recordset_select('sessions', 'userid = 0 AND timemodified < :purgebefore', $params, 'id DESC', 'id, sid'); 1017 foreach ($rs as $session) { 1018 self::kill_session($session->sid); 1019 } 1020 $rs->close(); 1021 1022 // Cleanup letfovers from the first browser access because it may set multiple cookies and then use only one. 1023 $params = array('purgebefore' => (time() - 60*3)); 1024 $rs = $DB->get_recordset_select('sessions', 'userid = 0 AND timemodified = timecreated AND timemodified < :purgebefore', $params, 'id ASC', 'id, sid'); 1025 foreach ($rs as $session) { 1026 self::kill_session($session->sid); 1027 } 1028 $rs->close(); 1029 1030 } catch (\Exception $ex) { 1031 debugging('Error gc-ing sessions: '.$ex->getMessage(), DEBUG_NORMAL, $ex->getTrace()); 1032 } 1033 } 1034 1035 /** 1036 * Is current $USER logged-in-as somebody else? 1037 * @return bool 1038 */ 1039 public static function is_loggedinas() { 1040 return !empty($GLOBALS['USER']->realuser); 1041 } 1042 1043 /** 1044 * Returns the $USER object ignoring current login-as session 1045 * @return \stdClass user object 1046 */ 1047 public static function get_realuser() { 1048 if (self::is_loggedinas()) { 1049 return $_SESSION['REALUSER']; 1050 } else { 1051 return $GLOBALS['USER']; 1052 } 1053 } 1054 1055 /** 1056 * Login as another user - no security checks here. 1057 * @param int $userid 1058 * @param \context $context 1059 * @param bool $generateevent Set to false to prevent the loginas event to be generated 1060 * @return void 1061 */ 1062 public static function loginas($userid, \context $context, $generateevent = true) { 1063 global $USER; 1064 1065 if (self::is_loggedinas()) { 1066 return; 1067 } 1068 1069 // Switch to fresh new $_SESSION. 1070 $_SESSION = array(); 1071 $_SESSION['REALSESSION'] = clone($GLOBALS['SESSION']); 1072 $GLOBALS['SESSION'] = new \stdClass(); 1073 $_SESSION['SESSION'] =& $GLOBALS['SESSION']; 1074 1075 // Create the new $USER object with all details and reload needed capabilities. 1076 $_SESSION['REALUSER'] = clone($GLOBALS['USER']); 1077 $user = get_complete_user_data('id', $userid); 1078 $user->realuser = $_SESSION['REALUSER']->id; 1079 $user->loginascontext = $context; 1080 1081 // Let enrol plugins deal with new enrolments if necessary. 1082 enrol_check_plugins($user); 1083 1084 if ($generateevent) { 1085 // Create event before $USER is updated. 1086 $event = \core\event\user_loggedinas::create( 1087 array( 1088 'objectid' => $USER->id, 1089 'context' => $context, 1090 'relateduserid' => $userid, 1091 'other' => array( 1092 'originalusername' => fullname($USER, true), 1093 'loggedinasusername' => fullname($user, true) 1094 ) 1095 ) 1096 ); 1097 } 1098 1099 // Set up global $USER. 1100 \core\session\manager::set_user($user); 1101 1102 if ($generateevent) { 1103 $event->trigger(); 1104 } 1105 1106 // Queue migrating the messaging data, if we need to. 1107 if (!get_user_preferences('core_message_migrate_data', false, $userid)) { 1108 // Check if there are any legacy messages to migrate. 1109 if (\core_message\helper::legacy_messages_exist($userid)) { 1110 \core_message\task\migrate_message_data::queue_task($userid); 1111 } else { 1112 set_user_preference('core_message_migrate_data', true, $userid); 1113 } 1114 } 1115 } 1116 1117 /** 1118 * Add a JS session keepalive to the page. 1119 * 1120 * A JS session keepalive script will be called to update the session modification time every $frequency seconds. 1121 * 1122 * Upon failure, the specified error message will be shown to the user. 1123 * 1124 * @param string $identifier The string identifier for the message to show on failure. 1125 * @param string $component The string component for the message to show on failure. 1126 * @param int $frequency The update frequency in seconds. 1127 * @param int $timeout The timeout of each request in seconds. 1128 * @throws coding_exception IF the frequency is longer than the session lifetime. 1129 */ 1130 public static function keepalive($identifier = 'sessionerroruser', $component = 'error', $frequency = null, $timeout = 0) { 1131 global $CFG, $PAGE; 1132 1133 if ($frequency) { 1134 if ($frequency > $CFG->sessiontimeout) { 1135 // Sanity check the frequency. 1136 throw new \coding_exception('Keepalive frequency is longer than the session lifespan.'); 1137 } 1138 } else { 1139 // A frequency of sessiontimeout / 10 matches the timeouts in core/network amd module. 1140 $frequency = $CFG->sessiontimeout / 10; 1141 } 1142 1143 $PAGE->requires->js_call_amd('core/network', 'keepalive', array( 1144 $frequency, 1145 $timeout, 1146 $identifier, 1147 $component 1148 )); 1149 } 1150 1151 /** 1152 * Generate a new login token and store it in the session. 1153 * 1154 * @return array The current login state. 1155 */ 1156 private static function create_login_token() { 1157 global $SESSION; 1158 1159 $state = [ 1160 'token' => random_string(32), 1161 'created' => time() // Server time - not user time. 1162 ]; 1163 1164 if (!isset($SESSION->logintoken)) { 1165 $SESSION->logintoken = []; 1166 } 1167 1168 // Overwrite any previous values. 1169 $SESSION->logintoken[self::$logintokenkey] = $state; 1170 1171 return $state; 1172 } 1173 1174 /** 1175 * Get the current login token or generate a new one. 1176 * 1177 * All login forms generated from Moodle must include a login token 1178 * named "logintoken" with the value being the result of this function. 1179 * Logins will be rejected if they do not include this token as well as 1180 * the username and password fields. 1181 * 1182 * @return string The current login token. 1183 */ 1184 public static function get_login_token() { 1185 global $CFG, $SESSION; 1186 1187 $state = false; 1188 1189 if (!isset($SESSION->logintoken)) { 1190 $SESSION->logintoken = []; 1191 } 1192 1193 if (array_key_exists(self::$logintokenkey, $SESSION->logintoken)) { 1194 $state = $SESSION->logintoken[self::$logintokenkey]; 1195 } 1196 if (empty($state)) { 1197 $state = self::create_login_token(); 1198 } 1199 1200 // Check token lifespan. 1201 if ($state['created'] < (time() - $CFG->sessiontimeout)) { 1202 $state = self::create_login_token(); 1203 } 1204 1205 // Return the current session login token. 1206 if (array_key_exists('token', $state)) { 1207 return $state['token']; 1208 } else { 1209 return false; 1210 } 1211 } 1212 1213 /** 1214 * Check the submitted value against the stored login token. 1215 * 1216 * @param mixed $token The value submitted in the login form that we are validating. 1217 * If false is passed for the token, this function will always return true. 1218 * @return boolean If the submitted token is valid. 1219 */ 1220 public static function validate_login_token($token = false) { 1221 global $CFG; 1222 1223 if (!empty($CFG->alternateloginurl) || !empty($CFG->disablelogintoken)) { 1224 // An external login page cannot generate the login token we need to protect CSRF on 1225 // login requests. 1226 // Other custom login workflows may skip this check by setting disablelogintoken in config. 1227 return true; 1228 } 1229 if ($token === false) { 1230 // authenticate_user_login is a core function was extended to validate tokens. 1231 // For existing uses other than the login form it does not 1232 // validate that a token was generated. 1233 // Some uses that do not validate the token are login/token.php, 1234 // or an auth plugin like auth/ldap/auth.php. 1235 return true; 1236 } 1237 1238 $currenttoken = self::get_login_token(); 1239 1240 // We need to clean the login token so the old one is not valid again. 1241 self::create_login_token(); 1242 1243 if ($currenttoken !== $token) { 1244 // Fail the login. 1245 return false; 1246 } 1247 return true; 1248 } 1249 1250 /** 1251 * Get the recent session locks array. 1252 * 1253 * @return array Recent session locks array. 1254 */ 1255 public static function get_recent_session_locks() { 1256 global $SESSION; 1257 1258 if (!isset($SESSION->recentsessionlocks)) { 1259 // This will hold the pages that blocks other page. 1260 $SESSION->recentsessionlocks = array(); 1261 } 1262 1263 return $SESSION->recentsessionlocks; 1264 } 1265 1266 /** 1267 * Updates the recent session locks. 1268 * 1269 * This function will store session lock info of all the pages visited. 1270 * 1271 * @param array $sessionlock Session lock array. 1272 */ 1273 public static function update_recent_session_locks($sessionlock) { 1274 global $CFG, $SESSION; 1275 1276 if (empty($CFG->debugsessionlock)) { 1277 return; 1278 } 1279 1280 $readonlysession = defined('READ_ONLY_SESSION') && READ_ONLY_SESSION; 1281 $readonlydebugging = !empty($CFG->enable_read_only_sessions) || !empty($CFG->enable_read_only_sessions_debug); 1282 if ($readonlysession && $readonlydebugging) { 1283 return; 1284 } 1285 1286 $SESSION->recentsessionlocks = self::get_recent_session_locks(); 1287 array_push($SESSION->recentsessionlocks, $sessionlock); 1288 1289 self::cleanup_recent_session_locks(); 1290 } 1291 1292 /** 1293 * Reset recent session locks array if there is a time gap more than SESSION_RESET_GAP_THRESHOLD. 1294 */ 1295 public static function cleanup_recent_session_locks() { 1296 global $SESSION; 1297 1298 $locks = self::get_recent_session_locks(); 1299 1300 if (count($locks) > self::MAXIMUM_STORED_SESSION_HISTORY) { 1301 // Keep the last MAXIMUM_STORED_SESSION_HISTORY locks and ignore the rest. 1302 $locks = array_slice($locks, -1 * self::MAXIMUM_STORED_SESSION_HISTORY); 1303 } 1304 1305 if (count($locks) > 2) { 1306 for ($i = count($locks) - 1; $i > 0; $i--) { 1307 // Calculate the gap between session locks. 1308 $gap = $locks[$i]['released'] - $locks[$i - 1]['start']; 1309 if ($gap >= self::SESSION_RESET_GAP_THRESHOLD) { 1310 // Remove previous locks if the gap is 1 second or more. 1311 $SESSION->recentsessionlocks = array_slice($locks, $i); 1312 break; 1313 } 1314 } 1315 } 1316 } 1317 1318 /** 1319 * Get the page that blocks other pages at a specific timestamp. 1320 * 1321 * Look for a page whose lock was gained before that timestamp, and released after that timestamp. 1322 * 1323 * @param float $time Time before session lock starts. 1324 * @return array|null 1325 */ 1326 public static function get_locked_page_at($time) { 1327 $recentsessionlocks = self::get_recent_session_locks(); 1328 foreach ($recentsessionlocks as $recentsessionlock) { 1329 if ($time >= $recentsessionlock['gained'] && 1330 $time <= $recentsessionlock['released']) { 1331 return $recentsessionlock; 1332 } 1333 } 1334 } 1335 1336 /** 1337 * Display the page which blocks other pages. 1338 * 1339 * @return string 1340 */ 1341 public static function display_blocking_page() { 1342 global $PERF; 1343 1344 $page = self::get_locked_page_at($PERF->sessionlock['start']); 1345 $output = "Script ".me()." was blocked for "; 1346 $output .= number_format($PERF->sessionlock['wait'], 3); 1347 if ($page != null) { 1348 $output .= " second(s) by script: "; 1349 $output .= $page['url']; 1350 } else { 1351 $output .= " second(s) by an unknown script."; 1352 } 1353 1354 return $output; 1355 } 1356 1357 /** 1358 * Get session lock info of the current page. 1359 * 1360 * @return array 1361 */ 1362 public static function get_session_lock_info() { 1363 global $PERF; 1364 1365 if (!isset($PERF->sessionlock)) { 1366 return null; 1367 } 1368 return $PERF->sessionlock; 1369 } 1370 1371 /** 1372 * Display debugging info about slow and blocked script. 1373 */ 1374 public static function sessionlock_debugging() { 1375 global $CFG, $PERF; 1376 1377 if (!empty($CFG->debugsessionlock)) { 1378 if (isset($PERF->sessionlock['held']) && $PERF->sessionlock['held'] > $CFG->debugsessionlock) { 1379 debugging("Script ".me()." locked the session for ".number_format($PERF->sessionlock['held'], 3) 1380 ." seconds, it should close the session using \core\session\manager::write_close().", DEBUG_NORMAL); 1381 } 1382 1383 if (isset($PERF->sessionlock['wait']) && $PERF->sessionlock['wait'] > $CFG->debugsessionlock) { 1384 $output = self::display_blocking_page(); 1385 debugging($output, DEBUG_DEVELOPER); 1386 } 1387 } 1388 } 1389 1390 /** 1391 * Compares two arrays outputs the difference. 1392 * 1393 * Note this does not use array_diff_assoc due to 1394 * the use of stdClasses in Moodle sessions. 1395 * 1396 * @param array $array1 1397 * @param array $array2 1398 * @return array 1399 */ 1400 private static function array_session_diff(array $array1, array $array2) : array { 1401 $difference = []; 1402 foreach ($array1 as $key => $value) { 1403 if (!isset($array2[$key])) { 1404 $difference[$key] = $value; 1405 } else if ($array2[$key] !== $value) { 1406 $difference[$key] = $value; 1407 } 1408 } 1409 1410 return $difference; 1411 } 1412 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
