Differences Between: [Versions 310 and 402] [Versions 311 and 402] [Versions 39 and 402] [Versions 400 and 402] [Versions 401 and 402] [Versions 402 and 403]
1 <?php 2 // This file is part of Moodle - http://moodle.org/ 3 // 4 // Moodle is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // Moodle is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU General Public License for more details. 13 // 14 // You should have received a copy of the GNU General Public License 15 // along with Moodle. If not, see <http://www.gnu.org/licenses/>. 16 17 /** 18 * Session manager class. 19 * 20 * @package core 21 * @copyright 2013 Petr Skoda {@link http://skodak.org} 22 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later 23 */ 24 25 namespace core\session; 26 27 defined('MOODLE_INTERNAL') || die(); 28 29 use html_writer; 30 31 /** 32 * Session manager, this is the public Moodle API for sessions. 33 * 34 * Following PHP functions MUST NOT be used directly: 35 * - session_start() - not necessary, lib/setup.php starts session automatically, 36 * use define('NO_MOODLE_COOKIE', true) if session not necessary. 37 * - session_write_close() - use \core\session\manager::write_close() instead. 38 * - session_destroy() - use require_logout() instead. 39 * 40 * @package core 41 * @copyright 2013 Petr Skoda {@link http://skodak.org} 42 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later 43 */ 44 class manager { 45 /** @var int A hard cutoff of maximum stored history */ 46 const MAXIMUM_STORED_SESSION_HISTORY = 50; 47 48 /** @var int The recent session locks array is reset if there is a time gap more than this value in seconds */ 49 const SESSION_RESET_GAP_THRESHOLD = 1; 50 51 /** @var handler $handler active session handler instance */ 52 protected static $handler; 53 54 /** @var bool $sessionactive Is the session active? */ 55 protected static $sessionactive = null; 56 57 /** @var string $logintokenkey Key used to get and store request protection for login form. */ 58 protected static $logintokenkey = 'core_auth_login'; 59 60 /** @var array Stores the the SESSION before a request is performed, used to check incorrect read-only modes */ 61 private static $priorsession = []; 62 63 /** @var array Stores the the SESSION after write_close is called, used to check if it was mutated after the session is closed */ 64 private static $sessionatclose = []; 65 66 /** 67 * @var bool Used to trigger the SESSION mutation warning without actually preventing SESSION mutation. 68 * This variable is used to "copy" what the $requireslock parameter does in start_session(). 69 * Once requireslock is set in start_session it's later accessible via $handler->requires_write_lock, 70 * When using $CFG->enable_read_only_sessions_debug mode, this variable serves the same purpose without 71 * actually setting the handler as requiring a write lock. 72 */ 73 private static $requireslockdebug; 74 75 /** 76 * If the current session is not writeable, abort it, and re-open it 77 * requesting (and blocking) until a write lock is acquired. 78 * If current session was already opened with an intentional write lock, 79 * this call will not do anything. 80 * NOTE: Even when using a session handler that does not support non-locking sessions, 81 * if the original session was not opened with the explicit intention of being locked, 82 * this will still restart your session so that code behaviour matches as closely 83 * as practical across environments. 84 * 85 * @param bool $readonlysession Used by debugging logic to determine if whatever 86 * triggered the restart (e.g., a webservice) declared 87 * itself as read only. 88 */ 89 public static function restart_with_write_lock(bool $readonlysession) { 90 global $CFG; 91 92 self::$requireslockdebug = !$readonlysession; 93 94 if (self::$sessionactive && !self::$handler->requires_write_lock()) { 95 @self::$handler->abort(); 96 self::$sessionactive = false; 97 self::start_session(true); 98 } 99 } 100 101 /** 102 * Start user session. 103 * 104 * Note: This is intended to be called only from lib/setup.php! 105 */ 106 public static function start() { 107 global $CFG, $DB, $PERF; 108 109 if (isset(self::$sessionactive)) { 110 debugging('Session was already started!', DEBUG_DEVELOPER); 111 return; 112 } 113 114 // Grab the time before session lock starts. 115 $PERF->sessionlock['start'] = microtime(true); 116 self::load_handler(); 117 118 // Init the session handler only if everything initialised properly in lib/setup.php file 119 // and the session is actually required. 120 if (empty($DB) or empty($CFG->version) or !defined('NO_MOODLE_COOKIES') or NO_MOODLE_COOKIES or CLI_SCRIPT) { 121 self::$sessionactive = false; 122 self::init_empty_session(); 123 return; 124 } 125 126 if (defined('READ_ONLY_SESSION') && !empty($CFG->enable_read_only_sessions)) { 127 $requireslock = !READ_ONLY_SESSION; 128 } else { 129 $requireslock = true; // For backwards compatibility, we default to assuming that a lock is needed. 130 } 131 132 // By default make the two variables the same. This means that when they are 133 // checked below in start_session and write_close there is no possibility for 134 // the debug version to "accidentally" execute the debug mode. 135 self::$requireslockdebug = $requireslock; 136 if (defined('READ_ONLY_SESSION') && !empty($CFG->enable_read_only_sessions_debug)) { 137 // Only change the debug variable if READ_ONLY_SESSION is declared, 138 // as would happen with the real requireslock variable. 139 self::$requireslockdebug = !READ_ONLY_SESSION; 140 } 141 142 self::start_session($requireslock); 143 } 144 145 /** 146 * Handles starting a session. 147 * 148 * @param bool $requireslock If this is false then no write lock will be acquired, 149 * and the session will be read-only. 150 */ 151 private static function start_session(bool $requireslock) { 152 global $PERF, $CFG; 153 154 try { 155 self::$handler->init(); 156 self::$handler->set_requires_write_lock($requireslock); 157 self::prepare_cookies(); 158 $isnewsession = empty($_COOKIE[session_name()]); 159 160 if (!self::$handler->start()) { 161 // Could not successfully start/recover session. 162 throw new \core\session\exception(get_string('servererror')); 163 } 164 165 if ($requireslock) { 166 // Grab the time when session lock starts. 167 $PERF->sessionlock['gained'] = microtime(true); 168 $PERF->sessionlock['wait'] = $PERF->sessionlock['gained'] - $PERF->sessionlock['start']; 169 } 170 self::initialise_user_session($isnewsession); 171 self::$sessionactive = true; // Set here, so the session can be cleared if the security check fails. 172 self::check_security(); 173 174 if (!$requireslock || !self::$requireslockdebug) { 175 self::$priorsession = (array) $_SESSION['SESSION']; 176 } 177 178 if (!empty($CFG->enable_read_only_sessions) && isset($_SESSION['SESSION']->cachestore_session)) { 179 $caches = join(', ', array_keys($_SESSION['SESSION']->cachestore_session)); 180 $caches = str_replace('default_session-', '', $caches); 181 throw new \moodle_exception("The session caches can not be in the session store when " 182 . "enable_read_only_sessions is enabled. Please map all session mode caches to be outside of the " 183 . "default session store before enabling this features. Found these definitions in the session: $caches"); 184 } 185 186 // Link global $USER and $SESSION, 187 // this is tricky because PHP does not allow references to references 188 // and global keyword uses internally once reference to the $GLOBALS array. 189 // The solution is to use the $GLOBALS['USER'] and $GLOBALS['$SESSION'] 190 // as the main storage of data and put references to $_SESSION. 191 $GLOBALS['USER'] = $_SESSION['USER']; 192 $_SESSION['USER'] =& $GLOBALS['USER']; 193 $GLOBALS['SESSION'] = $_SESSION['SESSION']; 194 $_SESSION['SESSION'] =& $GLOBALS['SESSION']; 195 196 } catch (\Exception $ex) { 197 self::init_empty_session(); 198 self::$sessionactive = false; 199 throw $ex; 200 } 201 } 202 203 /** 204 * Returns current page performance info. 205 * 206 * @return array perf info 207 */ 208 public static function get_performance_info() { 209 global $CFG, $PERF; 210 211 if (!session_id()) { 212 return array(); 213 } 214 215 self::load_handler(); 216 $size = display_size(strlen(session_encode())); 217 $handler = get_class(self::$handler); 218 219 $info = array(); 220 $info['size'] = $size; 221 $info['html'] = html_writer::div("Session ($handler): $size", "sessionsize"); 222 $info['txt'] = "Session ($handler): $size "; 223 224 if (!empty($CFG->debugsessionlock)) { 225 $sessionlock = self::get_session_lock_info(); 226 if (!empty($sessionlock['held'])) { 227 // The page displays the footer and the session has been closed. 228 $sessionlocktext = "Session lock held: ".number_format($sessionlock['held'], 3)." secs"; 229 } else { 230 // The session hasn't yet been closed and so we assume now with microtime. 231 $sessionlockheld = microtime(true) - $PERF->sessionlock['gained']; 232 $sessionlocktext = "Session lock open: ".number_format($sessionlockheld, 3)." secs"; 233 } 234 $info['txt'] .= $sessionlocktext; 235 $info['html'] .= html_writer::div($sessionlocktext, "sessionlockstart"); 236 $sessionlockwaittext = "Session lock wait: ".number_format($sessionlock['wait'], 3)." secs"; 237 $info['txt'] .= $sessionlockwaittext; 238 $info['html'] .= html_writer::div($sessionlockwaittext, "sessionlockwait"); 239 } 240 241 return $info; 242 } 243 244 /** 245 * Get fully qualified name of session handler class. 246 * 247 * @return string The name of the handler class 248 */ 249 public static function get_handler_class() { 250 global $CFG, $DB; 251 252 if (PHPUNIT_TEST) { 253 return '\core\session\file'; 254 } else if (!empty($CFG->session_handler_class)) { 255 return $CFG->session_handler_class; 256 } else if (!empty($CFG->dbsessions) and $DB->session_lock_supported()) { 257 return '\core\session\database'; 258 } 259 260 return '\core\session\file'; 261 } 262 263 /** 264 * Create handler instance. 265 */ 266 protected static function load_handler() { 267 if (self::$handler) { 268 return; 269 } 270 271 // Find out which handler to use. 272 $class = self::get_handler_class(); 273 self::$handler = new $class(); 274 } 275 276 /** 277 * Empty current session, fill it with not-logged-in user info. 278 * 279 * This is intended for installation scripts, unit tests and other 280 * special areas. Do NOT use for logout and session termination 281 * in normal requests! 282 * 283 * @param mixed $newsid only used after initialising a user session, is this a new user session? 284 */ 285 public static function init_empty_session(?bool $newsid = null) { 286 global $CFG; 287 288 if (isset($GLOBALS['SESSION']->notifications)) { 289 // Backup notifications. These should be preserved across session changes until the user fetches and clears them. 290 $notifications = $GLOBALS['SESSION']->notifications; 291 } 292 $GLOBALS['SESSION'] = new \stdClass(); 293 if (isset($newsid)) { 294 $GLOBALS['SESSION']->isnewsessioncookie = $newsid; 295 } 296 297 $GLOBALS['USER'] = new \stdClass(); 298 $GLOBALS['USER']->id = 0; 299 300 if (!empty($notifications)) { 301 // Restore notifications. 302 $GLOBALS['SESSION']->notifications = $notifications; 303 } 304 if (isset($CFG->mnet_localhost_id)) { 305 $GLOBALS['USER']->mnethostid = $CFG->mnet_localhost_id; 306 } else { 307 // Not installed yet, the future host id will be most probably 1. 308 $GLOBALS['USER']->mnethostid = 1; 309 } 310 311 // Link global $USER and $SESSION. 312 $_SESSION = array(); 313 $_SESSION['USER'] =& $GLOBALS['USER']; 314 $_SESSION['SESSION'] =& $GLOBALS['SESSION']; 315 } 316 317 /** 318 * Make sure all cookie and session related stuff is configured properly before session start. 319 */ 320 protected static function prepare_cookies() { 321 global $CFG; 322 323 $cookiesecure = is_moodle_cookie_secure(); 324 325 if (!isset($CFG->cookiehttponly)) { 326 $CFG->cookiehttponly = 0; 327 } 328 329 // Set sessioncookie variable if it isn't already. 330 if (!isset($CFG->sessioncookie)) { 331 $CFG->sessioncookie = ''; 332 } 333 $sessionname = 'MoodleSession'.$CFG->sessioncookie; 334 335 // Make sure cookie domain makes sense for this wwwroot. 336 if (!isset($CFG->sessioncookiedomain)) { 337 $CFG->sessioncookiedomain = ''; 338 } else if ($CFG->sessioncookiedomain !== '') { 339 $host = parse_url($CFG->wwwroot, PHP_URL_HOST); 340 if ($CFG->sessioncookiedomain !== $host) { 341 if (substr($CFG->sessioncookiedomain, 0, 1) === '.') { 342 if (!preg_match('|^.*'.preg_quote($CFG->sessioncookiedomain, '|').'$|', $host)) { 343 // Invalid domain - it must be end part of host. 344 $CFG->sessioncookiedomain = ''; 345 } 346 } else { 347 if (!preg_match('|^.*\.'.preg_quote($CFG->sessioncookiedomain, '|').'$|', $host)) { 348 // Invalid domain - it must be end part of host. 349 $CFG->sessioncookiedomain = ''; 350 } 351 } 352 } 353 } 354 355 // Make sure the cookiepath is valid for this wwwroot or autodetect if not specified. 356 if (!isset($CFG->sessioncookiepath)) { 357 $CFG->sessioncookiepath = ''; 358 } 359 if ($CFG->sessioncookiepath !== '/') { 360 $path = parse_url($CFG->wwwroot, PHP_URL_PATH).'/'; 361 if ($CFG->sessioncookiepath === '') { 362 $CFG->sessioncookiepath = $path; 363 } else { 364 if (strpos($path, $CFG->sessioncookiepath) !== 0 or substr($CFG->sessioncookiepath, -1) !== '/') { 365 $CFG->sessioncookiepath = $path; 366 } 367 } 368 } 369 370 // Discard session ID from POST, GET and globals to tighten security, 371 // this is session fixation prevention. 372 unset($GLOBALS[$sessionname]); 373 unset($_GET[$sessionname]); 374 unset($_POST[$sessionname]); 375 unset($_REQUEST[$sessionname]); 376 377 // Compatibility hack for non-browser access to our web interface. 378 if (!empty($_COOKIE[$sessionname]) && $_COOKIE[$sessionname] == "deleted") { 379 unset($_COOKIE[$sessionname]); 380 } 381 382 // Set configuration. 383 session_name($sessionname); 384 385 $sessionoptions = [ 386 'lifetime' => 0, 387 'path' => $CFG->sessioncookiepath, 388 'domain' => $CFG->sessioncookiedomain, 389 'secure' => $cookiesecure, 390 'httponly' => $CFG->cookiehttponly, 391 ]; 392 393 if (self::should_use_samesite_none()) { 394 // If $samesite is empty, we don't want there to be any SameSite attribute. 395 $sessionoptions['samesite'] = 'None'; 396 } 397 398 session_set_cookie_params($sessionoptions); 399 400 ini_set('session.use_trans_sid', '0'); 401 ini_set('session.use_only_cookies', '1'); 402 ini_set('session.use_strict_mode', '0'); // We have custom protection in session init. 403 ini_set('session.serialize_handler', 'php'); // We can move to 'php_serialize' after we require PHP 5.5.4 form Moodle. 404 405 // Moodle does normal session timeouts, this is for leftovers only. 406 ini_set('session.gc_probability', 1); 407 ini_set('session.gc_divisor', 1000); 408 ini_set('session.gc_maxlifetime', 60*60*24*4); 409 } 410 411 /** 412 * Initialise $_SESSION, handles google access 413 * and sets up not-logged-in user properly. 414 * 415 * WARNING: $USER and $SESSION are set up later, do not use them yet! 416 * 417 * @param bool $newsid is this a new session in first http request? 418 */ 419 protected static function initialise_user_session($newsid) { 420 global $CFG, $DB; 421 422 $sid = session_id(); 423 if (!$sid) { 424 // No session, very weird. 425 error_log('Missing session ID, session not started!'); 426 self::init_empty_session($newsid); 427 return; 428 } 429 430 if (!$record = $DB->get_record('sessions', array('sid'=>$sid), 'id, sid, state, userid, lastip, timecreated, timemodified')) { 431 if (!$newsid) { 432 if (!empty($_SESSION['USER']->id)) { 433 // This should not happen, just log it, we MUST not produce any output here! 434 error_log("Cannot find session record $sid for user ".$_SESSION['USER']->id.", creating new session."); 435 } 436 // Prevent session fixation attacks. 437 session_regenerate_id(true); 438 } 439 $_SESSION = array(); 440 } 441 unset($sid); 442 443 if (isset($_SESSION['USER']->id)) { 444 if (!empty($_SESSION['USER']->realuser)) { 445 $userid = $_SESSION['USER']->realuser; 446 } else { 447 $userid = $_SESSION['USER']->id; 448 } 449 450 // Verify timeout first. 451 $maxlifetime = $CFG->sessiontimeout; 452 $timeout = false; 453 if (isguestuser($userid) or empty($userid)) { 454 // Ignore guest and not-logged in timeouts, there is very little risk here. 455 $timeout = false; 456 457 } else if ($record->timemodified < time() - $maxlifetime) { 458 $timeout = true; 459 $authsequence = get_enabled_auth_plugins(); // Auths, in sequence. 460 foreach ($authsequence as $authname) { 461 $authplugin = get_auth_plugin($authname); 462 if ($authplugin->ignore_timeout_hook($_SESSION['USER'], $record->sid, $record->timecreated, $record->timemodified)) { 463 $timeout = false; 464 break; 465 } 466 } 467 } 468 469 if ($timeout) { 470 if (defined('NO_SESSION_UPDATE') && NO_SESSION_UPDATE) { 471 return; 472 } 473 session_regenerate_id(true); 474 $_SESSION = array(); 475 $DB->delete_records('sessions', array('id'=>$record->id)); 476 477 } else { 478 // Update session tracking record. 479 480 $update = new \stdClass(); 481 $updated = false; 482 483 if ($record->userid != $userid) { 484 $update->userid = $record->userid = $userid; 485 $updated = true; 486 } 487 488 $ip = getremoteaddr(); 489 if ($record->lastip != $ip) { 490 $update->lastip = $record->lastip = $ip; 491 $updated = true; 492 } 493 494 $updatefreq = empty($CFG->session_update_timemodified_frequency) ? 20 : $CFG->session_update_timemodified_frequency; 495 496 if ($record->timemodified == $record->timecreated) { 497 // Always do first update of existing record. 498 $update->timemodified = $record->timemodified = time(); 499 $updated = true; 500 501 } else if ($record->timemodified < time() - $updatefreq) { 502 // Update the session modified flag only once every 20 seconds. 503 $update->timemodified = $record->timemodified = time(); 504 $updated = true; 505 } 506 507 if ($updated && (!defined('NO_SESSION_UPDATE') || !NO_SESSION_UPDATE)) { 508 $update->id = $record->id; 509 $DB->update_record('sessions', $update); 510 } 511 512 return; 513 } 514 } else { 515 if ($record) { 516 // This happens when people switch session handlers... 517 session_regenerate_id(true); 518 $_SESSION = array(); 519 $DB->delete_records('sessions', array('id'=>$record->id)); 520 } 521 } 522 unset($record); 523 524 $timedout = false; 525 if (!isset($_SESSION['SESSION'])) { 526 $_SESSION['SESSION'] = new \stdClass(); 527 if (!$newsid) { 528 $timedout = true; 529 } 530 } 531 532 $user = null; 533 534 if (!empty($CFG->opentowebcrawlers)) { 535 if (\core_useragent::is_web_crawler()) { 536 $user = guest_user(); 537 } 538 $referer = get_local_referer(false); 539 if (!empty($CFG->guestloginbutton) and !$user and !empty($referer)) { 540 // Automatically log in users coming from search engine results. 541 if (strpos($referer, 'google') !== false ) { 542 $user = guest_user(); 543 } else if (strpos($referer, 'altavista') !== false ) { 544 $user = guest_user(); 545 } 546 } 547 } 548 549 // Setup $USER and insert the session tracking record. 550 if ($user) { 551 self::set_user($user); 552 self::add_session_record($user->id); 553 } else { 554 self::init_empty_session($newsid); 555 self::add_session_record(0); 556 } 557 558 if ($timedout) { 559 $_SESSION['SESSION']->has_timed_out = true; 560 } 561 } 562 563 /** 564 * Insert new empty session record. 565 * @param int $userid 566 * @return \stdClass the new record 567 */ 568 protected static function add_session_record($userid) { 569 global $DB; 570 $record = new \stdClass(); 571 $record->state = 0; 572 $record->sid = session_id(); 573 $record->sessdata = null; 574 $record->userid = $userid; 575 $record->timecreated = $record->timemodified = time(); 576 $record->firstip = $record->lastip = getremoteaddr(); 577 578 $record->id = $DB->insert_record('sessions', $record); 579 580 return $record; 581 } 582 583 /** 584 * Do various session security checks. 585 * 586 * WARNING: $USER and $SESSION are set up later, do not use them yet! 587 * @throws \core\session\exception 588 */ 589 protected static function check_security() { 590 global $CFG; 591 592 if (!empty($_SESSION['USER']->id) and !empty($CFG->tracksessionip)) { 593 // Make sure current IP matches the one for this session. 594 $remoteaddr = getremoteaddr(); 595 596 if (empty($_SESSION['USER']->sessionip)) { 597 $_SESSION['USER']->sessionip = $remoteaddr; 598 } 599 600 if ($_SESSION['USER']->sessionip != $remoteaddr) { 601 // This is a security feature - terminate the session in case of any doubt. 602 self::terminate_current(); 603 throw new exception('sessionipnomatch2', 'error'); 604 } 605 } 606 } 607 608 /** 609 * Login user, to be called from complete_user_login() only. 610 * @param \stdClass $user 611 */ 612 public static function login_user(\stdClass $user) { 613 global $DB; 614 615 // Regenerate session id and delete old session, 616 // this helps prevent session fixation attacks from the same domain. 617 618 $sid = session_id(); 619 session_regenerate_id(true); 620 $DB->delete_records('sessions', array('sid'=>$sid)); 621 self::add_session_record($user->id); 622 623 // Let enrol plugins deal with new enrolments if necessary. 624 enrol_check_plugins($user); 625 626 // Setup $USER object. 627 self::set_user($user); 628 } 629 630 /** 631 * Returns a valid setting for the SameSite cookie attribute. 632 * 633 * @return string The desired setting for the SameSite attribute on the cookie. Empty string indicates the SameSite attribute 634 * should not be set at all. 635 */ 636 private static function should_use_samesite_none(): bool { 637 // We only want None or no attribute at this point. When we have cookie handling compatible with Lax, 638 // we can look at checking a setting. 639 640 // Browser support for none is not consistent yet. There are known issues with Safari, and IE11. 641 // Things are stablising, however as they're not stable yet we will deal specifically with the version of chrome 642 // that introduces a default of lax, setting it to none for the current version of chrome (2 releases before the change). 643 // We also check you are using secure cookies and HTTPS because if you are not running over HTTPS 644 // then setting SameSite=None will cause your session cookie to be rejected. 645 if (\core_useragent::is_chrome() && \core_useragent::check_chrome_version('78') && is_moodle_cookie_secure()) { 646 return true; 647 } 648 return false; 649 } 650 651 /** 652 * Terminate current user session. 653 * @return void 654 */ 655 public static function terminate_current() { 656 global $DB; 657 658 if (!self::$sessionactive) { 659 self::init_empty_session(); 660 self::$sessionactive = false; 661 return; 662 } 663 664 try { 665 $DB->delete_records('external_tokens', array('sid'=>session_id(), 'tokentype'=>EXTERNAL_TOKEN_EMBEDDED)); 666 } catch (\Exception $ignored) { 667 // Probably install/upgrade - ignore this problem. 668 } 669 670 // Initialize variable to pass-by-reference to headers_sent(&$file, &$line). 671 $file = null; 672 $line = null; 673 if (headers_sent($file, $line)) { 674 error_log('Cannot terminate session properly - headers were already sent in file: '.$file.' on line '.$line); 675 } 676 677 // Write new empty session and make sure the old one is deleted. 678 $sid = session_id(); 679 session_regenerate_id(true); 680 $DB->delete_records('sessions', array('sid'=>$sid)); 681 self::init_empty_session(); 682 self::add_session_record($_SESSION['USER']->id); // Do not use $USER here because it may not be set up yet. 683 self::write_close(); 684 } 685 686 /** 687 * No more changes in session expected. 688 * Unblocks the sessions, other scripts may start executing in parallel. 689 */ 690 public static function write_close() { 691 global $PERF, $ME, $CFG; 692 693 if (self::$sessionactive) { 694 $requireslock = self::$handler->requires_write_lock(); 695 if ($requireslock) { 696 // Grab the time when session lock is released. 697 $PERF->sessionlock['released'] = microtime(true); 698 if (!empty($PERF->sessionlock['gained'])) { 699 $PERF->sessionlock['held'] = $PERF->sessionlock['released'] - $PERF->sessionlock['gained']; 700 } 701 $PERF->sessionlock['url'] = me(); 702 self::update_recent_session_locks($PERF->sessionlock); 703 self::sessionlock_debugging(); 704 } 705 706 // If debugging, take a snapshot of session at close and compare on shutdown to detect any accidental mutations. 707 if (debugging()) { 708 self::$sessionatclose = (array) $_SESSION['SESSION']; 709 \core_shutdown_manager::register_function('\core\session\manager::check_mutated_closed_session'); 710 } 711 712 if (!$requireslock || !self::$requireslockdebug) { 713 // Compare the array of the earlier session data with the array now, if 714 // there is a difference then a lock is required. 715 $arraydiff = self::array_session_diff( 716 self::$priorsession, 717 (array) $_SESSION['SESSION'] 718 ); 719 720 if ($arraydiff) { 721 $error = "Script $ME defined READ_ONLY_SESSION but the following SESSION attributes were changed:"; 722 foreach ($arraydiff as $key => $value) { 723 $error .= ' $SESSION->' . $key; 724 } 725 // This will emit an error if debugging is on, even if $CFG->enable_read_only_sessions 726 // is not true as we need to surface this class of errors. 727 error_log($error); // phpcs:ignore 728 } 729 } 730 } 731 732 // More control over whether session data 733 // is persisted or not. 734 if (self::$sessionactive && session_id()) { 735 // Write session and release lock only if 736 // indication session start was clean. 737 self::$handler->write_close(); 738 } else { 739 // Otherwise, if possible lock exists want 740 // to clear it, but do not write session. 741 // If the $handler has not been set then 742 // there is no session to abort. 743 if (isset(self::$handler)) { 744 @self::$handler->abort(); 745 } 746 } 747 748 self::$sessionactive = false; 749 } 750 751 /** 752 * Checks if the session has been mutated since it was closed. 753 * In write_close the session is saved to the variable $sessionatclose 754 * If there is a difference between $sessionatclose and the current session, 755 * it means a script has erroneously closed the session too early. 756 * Script is usually called in shutdown_manager 757 */ 758 public static function check_mutated_closed_session() { 759 global $ME; 760 761 // Session is still open, mutations are allowed. 762 if (self::$sessionactive) { 763 return; 764 } 765 766 // Detect if session was cleared. 767 if (!isset($_SESSION['SESSION']) && isset(self::$sessionatclose)) { 768 debugging("Script $ME cleared the session after it was closed."); 769 return; 770 } else if (!isset($_SESSION['SESSION'])) { 771 // Else session is empty, nothing to check. 772 return; 773 } 774 775 // Session is closed - compare the current session to the session when write_close was called. 776 $arraydiff = self::array_session_diff( 777 self::$sessionatclose, 778 (array) $_SESSION['SESSION'] 779 ); 780 781 if ($arraydiff) { 782 $error = "Script $ME mutated the session after it was closed:"; 783 foreach ($arraydiff as $key => $value) { 784 $error .= ' $SESSION->' . $key; 785 786 // Extra debugging for cachestore session changes. 787 if (strpos($key, 'cachestore_') === 0 && is_array($value)) { 788 $error .= ': ' . implode(',', array_keys($value)); 789 } 790 } 791 debugging($error); 792 } 793 } 794 795 /** 796 * Does the PHP session with given id exist? 797 * 798 * The session must exist both in session table and actual 799 * session backend and the session must not be timed out. 800 * 801 * Timeout evaluation is simplified, the auth hooks are not executed. 802 * 803 * @param string $sid 804 * @return bool 805 */ 806 public static function session_exists($sid) { 807 global $DB, $CFG; 808 809 if (empty($CFG->version)) { 810 // Not installed yet, do not try to access database. 811 return false; 812 } 813 814 // Note: add sessions->state checking here if it gets implemented. 815 if (!$record = $DB->get_record('sessions', array('sid' => $sid), 'id, userid, timemodified')) { 816 return false; 817 } 818 819 if (empty($record->userid) or isguestuser($record->userid)) { 820 // Ignore guest and not-logged-in timeouts, there is very little risk here. 821 } else if ($record->timemodified < time() - $CFG->sessiontimeout) { 822 return false; 823 } 824 825 // There is no need the existence of handler storage in public API. 826 self::load_handler(); 827 return self::$handler->session_exists($sid); 828 } 829 830 /** 831 * Return the number of seconds remaining in the current session. 832 * @param string $sid 833 */ 834 public static function time_remaining($sid) { 835 global $DB, $CFG; 836 837 if (empty($CFG->version)) { 838 // Not installed yet, do not try to access database. 839 return ['userid' => 0, 'timeremaining' => $CFG->sessiontimeout]; 840 } 841 842 // Note: add sessions->state checking here if it gets implemented. 843 if (!$record = $DB->get_record('sessions', array('sid' => $sid), 'id, userid, timemodified')) { 844 return ['userid' => 0, 'timeremaining' => $CFG->sessiontimeout]; 845 } 846 847 if (empty($record->userid) or isguestuser($record->userid)) { 848 // Ignore guest and not-logged-in timeouts, there is very little risk here. 849 return ['userid' => 0, 'timeremaining' => $CFG->sessiontimeout]; 850 } else { 851 return ['userid' => $record->userid, 'timeremaining' => $CFG->sessiontimeout - (time() - $record->timemodified)]; 852 } 853 } 854 855 /** 856 * Fake last access for given session, this prevents session timeout. 857 * @param string $sid 858 */ 859 public static function touch_session($sid) { 860 global $DB; 861 862 // Timeouts depend on core sessions table only, no need to update anything in external stores. 863 864 $sql = "UPDATE {sessions} SET timemodified = :now WHERE sid = :sid"; 865 $DB->execute($sql, array('now'=>time(), 'sid'=>$sid)); 866 } 867 868 /** 869 * Terminate all sessions unconditionally. 870 */ 871 public static function kill_all_sessions() { 872 global $DB; 873 874 self::terminate_current(); 875 876 self::load_handler(); 877 self::$handler->kill_all_sessions(); 878 879 try { 880 $DB->delete_records('sessions'); 881 } catch (\dml_exception $ignored) { 882 // Do not show any warnings - might be during upgrade/installation. 883 } 884 } 885 886 /** 887 * Terminate give session unconditionally. 888 * @param string $sid 889 */ 890 public static function kill_session($sid) { 891 global $DB; 892 893 self::load_handler(); 894 895 if ($sid === session_id()) { 896 self::write_close(); 897 } 898 899 self::$handler->kill_session($sid); 900 901 $DB->delete_records('sessions', array('sid'=>$sid)); 902 } 903 904 /** 905 * Terminate all sessions of given user unconditionally. 906 * @param int $userid 907 * @param string $keepsid keep this sid if present 908 */ 909 public static function kill_user_sessions($userid, $keepsid = null) { 910 global $DB; 911 912 $sessions = $DB->get_records('sessions', array('userid'=>$userid), 'id DESC', 'id, sid'); 913 foreach ($sessions as $session) { 914 if ($keepsid and $keepsid === $session->sid) { 915 continue; 916 } 917 self::kill_session($session->sid); 918 } 919 } 920 921 /** 922 * Terminate other sessions of current user depending 923 * on $CFG->limitconcurrentlogins restriction. 924 * 925 * This is expected to be called right after complete_user_login(). 926 * 927 * NOTE: 928 * * Do not use from SSO auth plugins, this would not work. 929 * * Do not use from web services because they do not have sessions. 930 * 931 * @param int $userid 932 * @param string $sid session id to be always keep, usually the current one 933 * @return void 934 */ 935 public static function apply_concurrent_login_limit($userid, $sid = null) { 936 global $CFG, $DB; 937 938 // NOTE: the $sid parameter is here mainly to allow testing, 939 // in most cases it should be current session id. 940 941 if (isguestuser($userid) or empty($userid)) { 942 // This applies to real users only! 943 return; 944 } 945 946 if (empty($CFG->limitconcurrentlogins) or $CFG->limitconcurrentlogins < 0) { 947 return; 948 } 949 950 $count = $DB->count_records('sessions', array('userid' => $userid)); 951 952 if ($count <= $CFG->limitconcurrentlogins) { 953 return; 954 } 955 956 $i = 0; 957 $select = "userid = :userid"; 958 $params = array('userid' => $userid); 959 if ($sid) { 960 if ($DB->record_exists('sessions', array('sid' => $sid, 'userid' => $userid))) { 961 $select .= " AND sid <> :sid"; 962 $params['sid'] = $sid; 963 $i = 1; 964 } 965 } 966 967 $sessions = $DB->get_records_select('sessions', $select, $params, 'timecreated DESC', 'id, sid'); 968 foreach ($sessions as $session) { 969 $i++; 970 if ($i <= $CFG->limitconcurrentlogins) { 971 continue; 972 } 973 self::kill_session($session->sid); 974 } 975 } 976 977 /** 978 * Set current user. 979 * 980 * @param \stdClass $user record 981 */ 982 public static function set_user(\stdClass $user) { 983 global $ADMIN; 984 $GLOBALS['USER'] = $user; 985 unset($GLOBALS['USER']->description); // Conserve memory. 986 unset($GLOBALS['USER']->password); // Improve security. 987 if (isset($GLOBALS['USER']->lang)) { 988 // Make sure it is a valid lang pack name. 989 $GLOBALS['USER']->lang = clean_param($GLOBALS['USER']->lang, PARAM_LANG); 990 } 991 992 // Relink session with global $USER just in case it got unlinked somehow. 993 $_SESSION['USER'] =& $GLOBALS['USER']; 994 995 // Nullify the $ADMIN tree global. If we're changing users, then this is now stale and must be generated again if needed. 996 $ADMIN = null; 997 998 // Init session key. 999 sesskey(); 1000 1001 // Make sure the user is correct in web server access logs. 1002 set_access_log_user(); 1003 } 1004 1005 /** 1006 * Periodic timed-out session cleanup. 1007 */ 1008 public static function gc() { 1009 global $CFG, $DB; 1010 1011 // This may take a long time... 1012 \core_php_time_limit::raise(); 1013 1014 $maxlifetime = $CFG->sessiontimeout; 1015 1016 try { 1017 // Kill all sessions of deleted and suspended users without any hesitation. 1018 $rs = $DB->get_recordset_select('sessions', "userid IN (SELECT id FROM {user} WHERE deleted <> 0 OR suspended <> 0)", array(), 'id DESC', 'id, sid'); 1019 foreach ($rs as $session) { 1020 self::kill_session($session->sid); 1021 } 1022 $rs->close(); 1023 1024 // Kill sessions of users with disabled plugins. 1025 $authsequence = get_enabled_auth_plugins(); 1026 $authsequence = array_flip($authsequence); 1027 unset($authsequence['nologin']); // No login means user cannot login. 1028 $authsequence = array_flip($authsequence); 1029 1030 list($notplugins, $params) = $DB->get_in_or_equal($authsequence, SQL_PARAMS_QM, '', false); 1031 $rs = $DB->get_recordset_select('sessions', "userid IN (SELECT id FROM {user} WHERE auth $notplugins)", $params, 'id DESC', 'id, sid'); 1032 foreach ($rs as $session) { 1033 self::kill_session($session->sid); 1034 } 1035 $rs->close(); 1036 1037 // Now get a list of time-out candidates - real users only. 1038 $sql = "SELECT u.*, s.sid, s.timecreated AS s_timecreated, s.timemodified AS s_timemodified 1039 FROM {user} u 1040 JOIN {sessions} s ON s.userid = u.id 1041 WHERE s.timemodified < :purgebefore AND u.id <> :guestid"; 1042 $params = array('purgebefore' => (time() - $maxlifetime), 'guestid'=>$CFG->siteguest); 1043 1044 $authplugins = array(); 1045 foreach ($authsequence as $authname) { 1046 $authplugins[$authname] = get_auth_plugin($authname); 1047 } 1048 $rs = $DB->get_recordset_sql($sql, $params); 1049 foreach ($rs as $user) { 1050 foreach ($authplugins as $authplugin) { 1051 /** @var \auth_plugin_base $authplugin*/ 1052 if ($authplugin->ignore_timeout_hook($user, $user->sid, $user->s_timecreated, $user->s_timemodified)) { 1053 continue 2; 1054 } 1055 } 1056 self::kill_session($user->sid); 1057 } 1058 $rs->close(); 1059 1060 // Delete expired sessions for guest user account, give them larger timeout, there is no security risk here. 1061 $params = array('purgebefore' => (time() - ($maxlifetime * 5)), 'guestid'=>$CFG->siteguest); 1062 $rs = $DB->get_recordset_select('sessions', 'userid = :guestid AND timemodified < :purgebefore', $params, 'id DESC', 'id, sid'); 1063 foreach ($rs as $session) { 1064 self::kill_session($session->sid); 1065 } 1066 $rs->close(); 1067 1068 // Delete expired sessions for userid = 0 (not logged in), better kill them asap to release memory. 1069 $params = array('purgebefore' => (time() - $maxlifetime)); 1070 $rs = $DB->get_recordset_select('sessions', 'userid = 0 AND timemodified < :purgebefore', $params, 'id DESC', 'id, sid'); 1071 foreach ($rs as $session) { 1072 self::kill_session($session->sid); 1073 } 1074 $rs->close(); 1075 1076 // Cleanup letfovers from the first browser access because it may set multiple cookies and then use only one. 1077 $params = array('purgebefore' => (time() - 60*3)); 1078 $rs = $DB->get_recordset_select('sessions', 'userid = 0 AND timemodified = timecreated AND timemodified < :purgebefore', $params, 'id ASC', 'id, sid'); 1079 foreach ($rs as $session) { 1080 self::kill_session($session->sid); 1081 } 1082 $rs->close(); 1083 1084 } catch (\Exception $ex) { 1085 debugging('Error gc-ing sessions: '.$ex->getMessage(), DEBUG_NORMAL, $ex->getTrace()); 1086 } 1087 } 1088 1089 /** 1090 * Is current $USER logged-in-as somebody else? 1091 * @return bool 1092 */ 1093 public static function is_loggedinas() { 1094 return !empty($GLOBALS['USER']->realuser); 1095 } 1096 1097 /** 1098 * Returns the $USER object ignoring current login-as session 1099 * @return \stdClass user object 1100 */ 1101 public static function get_realuser() { 1102 if (self::is_loggedinas()) { 1103 return $_SESSION['REALUSER']; 1104 } else { 1105 return $GLOBALS['USER']; 1106 } 1107 } 1108 1109 /** 1110 * Login as another user - no security checks here. 1111 * @param int $userid 1112 * @param \context $context 1113 * @param bool $generateevent Set to false to prevent the loginas event to be generated 1114 * @return void 1115 */ 1116 public static function loginas($userid, \context $context, $generateevent = true) { 1117 global $USER; 1118 1119 if (self::is_loggedinas()) { 1120 return; 1121 } 1122 1123 // Switch to fresh new $_SESSION. 1124 $_SESSION = array(); 1125 $_SESSION['REALSESSION'] = clone($GLOBALS['SESSION']); 1126 $GLOBALS['SESSION'] = new \stdClass(); 1127 $_SESSION['SESSION'] =& $GLOBALS['SESSION']; 1128 1129 // Create the new $USER object with all details and reload needed capabilities. 1130 $_SESSION['REALUSER'] = clone($GLOBALS['USER']); 1131 $user = get_complete_user_data('id', $userid); 1132 $user->realuser = $_SESSION['REALUSER']->id; 1133 $user->loginascontext = $context; 1134 1135 // Let enrol plugins deal with new enrolments if necessary. 1136 enrol_check_plugins($user); 1137 1138 if ($generateevent) { 1139 // Create event before $USER is updated. 1140 $event = \core\event\user_loggedinas::create( 1141 array( 1142 'objectid' => $USER->id, 1143 'context' => $context, 1144 'relateduserid' => $userid, 1145 'other' => array( 1146 'originalusername' => fullname($USER, true), 1147 'loggedinasusername' => fullname($user, true) 1148 ) 1149 ) 1150 ); 1151 } 1152 1153 // Set up global $USER. 1154 \core\session\manager::set_user($user); 1155 1156 if ($generateevent) { 1157 $event->trigger(); 1158 } 1159 1160 // Queue migrating the messaging data, if we need to. 1161 if (!get_user_preferences('core_message_migrate_data', false, $userid)) { 1162 // Check if there are any legacy messages to migrate. 1163 if (\core_message\helper::legacy_messages_exist($userid)) { 1164 \core_message\task\migrate_message_data::queue_task($userid); 1165 } else { 1166 set_user_preference('core_message_migrate_data', true, $userid); 1167 } 1168 } 1169 } 1170 1171 /** 1172 * Add a JS session keepalive to the page. 1173 * 1174 * A JS session keepalive script will be called to update the session modification time every $frequency seconds. 1175 * 1176 * Upon failure, the specified error message will be shown to the user. 1177 * 1178 * @param string $identifier The string identifier for the message to show on failure. 1179 * @param string $component The string component for the message to show on failure. 1180 * @param int $frequency The update frequency in seconds. 1181 * @param int $timeout The timeout of each request in seconds. 1182 * @throws \coding_exception IF the frequency is longer than the session lifetime. 1183 */ 1184 public static function keepalive($identifier = 'sessionerroruser', $component = 'error', $frequency = null, $timeout = 0) { 1185 global $CFG, $PAGE; 1186 1187 if ($frequency) { 1188 if ($frequency > $CFG->sessiontimeout) { 1189 // Sanity check the frequency. 1190 throw new \coding_exception('Keepalive frequency is longer than the session lifespan.'); 1191 } 1192 } else { 1193 // A frequency of sessiontimeout / 10 matches the timeouts in core/network amd module. 1194 $frequency = $CFG->sessiontimeout / 10; 1195 } 1196 1197 $PAGE->requires->js_call_amd('core/network', 'keepalive', array( 1198 $frequency, 1199 $timeout, 1200 $identifier, 1201 $component 1202 )); 1203 } 1204 1205 /** 1206 * Generate a new login token and store it in the session. 1207 * 1208 * @return array The current login state. 1209 */ 1210 private static function create_login_token() { 1211 global $SESSION; 1212 1213 $state = [ 1214 'token' => random_string(32), 1215 'created' => time() // Server time - not user time. 1216 ]; 1217 1218 if (!isset($SESSION->logintoken)) { 1219 $SESSION->logintoken = []; 1220 } 1221 1222 // Overwrite any previous values. 1223 $SESSION->logintoken[self::$logintokenkey] = $state; 1224 1225 return $state; 1226 } 1227 1228 /** 1229 * Get the current login token or generate a new one. 1230 * 1231 * All login forms generated from Moodle must include a login token 1232 * named "logintoken" with the value being the result of this function. 1233 * Logins will be rejected if they do not include this token as well as 1234 * the username and password fields. 1235 * 1236 * @return string The current login token. 1237 */ 1238 public static function get_login_token() { 1239 global $CFG, $SESSION; 1240 1241 $state = false; 1242 1243 if (!isset($SESSION->logintoken)) { 1244 $SESSION->logintoken = []; 1245 } 1246 1247 if (array_key_exists(self::$logintokenkey, $SESSION->logintoken)) { 1248 $state = $SESSION->logintoken[self::$logintokenkey]; 1249 } 1250 if (empty($state)) { 1251 $state = self::create_login_token(); 1252 } 1253 1254 // Check token lifespan. 1255 if ($state['created'] < (time() - $CFG->sessiontimeout)) { 1256 $state = self::create_login_token(); 1257 } 1258 1259 // Return the current session login token. 1260 if (array_key_exists('token', $state)) { 1261 return $state['token']; 1262 } else { 1263 return false; 1264 } 1265 } 1266 1267 /** 1268 * Check the submitted value against the stored login token. 1269 * 1270 * @param mixed $token The value submitted in the login form that we are validating. 1271 * If false is passed for the token, this function will always return true. 1272 * @return boolean If the submitted token is valid. 1273 */ 1274 public static function validate_login_token($token = false) { 1275 global $CFG; 1276 1277 if (!empty($CFG->alternateloginurl) || !empty($CFG->disablelogintoken)) { 1278 // An external login page cannot generate the login token we need to protect CSRF on 1279 // login requests. 1280 // Other custom login workflows may skip this check by setting disablelogintoken in config. 1281 return true; 1282 } 1283 if ($token === false) { 1284 // authenticate_user_login is a core function was extended to validate tokens. 1285 // For existing uses other than the login form it does not 1286 // validate that a token was generated. 1287 // Some uses that do not validate the token are login/token.php, 1288 // or an auth plugin like auth/ldap/auth.php. 1289 return true; 1290 } 1291 1292 $currenttoken = self::get_login_token(); 1293 1294 // We need to clean the login token so the old one is not valid again. 1295 self::create_login_token(); 1296 1297 if ($currenttoken !== $token) { 1298 // Fail the login. 1299 return false; 1300 } 1301 return true; 1302 } 1303 1304 /** 1305 * Get the recent session locks array. 1306 * 1307 * @return array Recent session locks array. 1308 */ 1309 public static function get_recent_session_locks() { 1310 global $SESSION; 1311 1312 if (!isset($SESSION->recentsessionlocks)) { 1313 // This will hold the pages that blocks other page. 1314 $SESSION->recentsessionlocks = array(); 1315 } 1316 1317 return $SESSION->recentsessionlocks; 1318 } 1319 1320 /** 1321 * Updates the recent session locks. 1322 * 1323 * This function will store session lock info of all the pages visited. 1324 * 1325 * @param array $sessionlock Session lock array. 1326 */ 1327 public static function update_recent_session_locks($sessionlock) { 1328 global $CFG, $SESSION; 1329 1330 if (empty($CFG->debugsessionlock)) { 1331 return; 1332 } 1333 1334 $readonlysession = defined('READ_ONLY_SESSION') && READ_ONLY_SESSION; 1335 $readonlydebugging = !empty($CFG->enable_read_only_sessions) || !empty($CFG->enable_read_only_sessions_debug); 1336 if ($readonlysession && $readonlydebugging) { 1337 return; 1338 } 1339 1340 $SESSION->recentsessionlocks = self::get_recent_session_locks(); 1341 array_push($SESSION->recentsessionlocks, $sessionlock); 1342 1343 self::cleanup_recent_session_locks(); 1344 } 1345 1346 /** 1347 * Reset recent session locks array if there is a time gap more than SESSION_RESET_GAP_THRESHOLD. 1348 */ 1349 public static function cleanup_recent_session_locks() { 1350 global $SESSION; 1351 1352 $locks = self::get_recent_session_locks(); 1353 1354 if (count($locks) > self::MAXIMUM_STORED_SESSION_HISTORY) { 1355 // Keep the last MAXIMUM_STORED_SESSION_HISTORY locks and ignore the rest. 1356 $locks = array_slice($locks, -1 * self::MAXIMUM_STORED_SESSION_HISTORY); 1357 } 1358 1359 if (count($locks) > 2) { 1360 for ($i = count($locks) - 1; $i > 0; $i--) { 1361 // Calculate the gap between session locks. 1362 $gap = $locks[$i]['released'] - $locks[$i - 1]['start']; 1363 if ($gap >= self::SESSION_RESET_GAP_THRESHOLD) { 1364 // Remove previous locks if the gap is 1 second or more. 1365 $SESSION->recentsessionlocks = array_slice($locks, $i); 1366 break; 1367 } 1368 } 1369 } 1370 } 1371 1372 /** 1373 * Get the page that blocks other pages at a specific timestamp. 1374 * 1375 * Look for a page whose lock was gained before that timestamp, and released after that timestamp. 1376 * 1377 * @param float $time Time before session lock starts. 1378 * @return array|null 1379 */ 1380 public static function get_locked_page_at($time) { 1381 $recentsessionlocks = self::get_recent_session_locks(); 1382 foreach ($recentsessionlocks as $recentsessionlock) { 1383 if ($time >= $recentsessionlock['gained'] && 1384 $time <= $recentsessionlock['released']) { 1385 return $recentsessionlock; 1386 } 1387 } 1388 } 1389 1390 /** 1391 * Display the page which blocks other pages. 1392 * 1393 * @return string 1394 */ 1395 public static function display_blocking_page() { 1396 global $PERF; 1397 1398 $page = self::get_locked_page_at($PERF->sessionlock['start']); 1399 $output = "Script ".me()." was blocked for "; 1400 $output .= number_format($PERF->sessionlock['wait'], 3); 1401 if ($page != null) { 1402 $output .= " second(s) by script: "; 1403 $output .= $page['url']; 1404 } else { 1405 $output .= " second(s) by an unknown script."; 1406 } 1407 1408 return $output; 1409 } 1410 1411 /** 1412 * Get session lock info of the current page. 1413 * 1414 * @return array 1415 */ 1416 public static function get_session_lock_info() { 1417 global $PERF; 1418 1419 if (!isset($PERF->sessionlock)) { 1420 return null; 1421 } 1422 return $PERF->sessionlock; 1423 } 1424 1425 /** 1426 * Display debugging info about slow and blocked script. 1427 */ 1428 public static function sessionlock_debugging() { 1429 global $CFG, $PERF; 1430 1431 if (!empty($CFG->debugsessionlock)) { 1432 if (isset($PERF->sessionlock['held']) && $PERF->sessionlock['held'] > $CFG->debugsessionlock) { 1433 debugging("Script ".me()." locked the session for ".number_format($PERF->sessionlock['held'], 3) 1434 ." seconds, it should close the session using \core\session\manager::write_close().", DEBUG_NORMAL); 1435 } 1436 1437 if (isset($PERF->sessionlock['wait']) && $PERF->sessionlock['wait'] > $CFG->debugsessionlock) { 1438 $output = self::display_blocking_page(); 1439 debugging($output, DEBUG_DEVELOPER); 1440 } 1441 } 1442 } 1443 1444 /** 1445 * Compares two arrays and outputs the difference. 1446 * 1447 * Note - checking between objects and array type is only done at the top level. 1448 * Any changes in types below the top level will not be detected. 1449 * However, if their values are the same, they will be treated as equal. 1450 * 1451 * Any changes, such as removals, edits or additions will be detected. 1452 * 1453 * @param array $previous 1454 * @param array $current 1455 * @return array 1456 */ 1457 private static function array_session_diff(array $previous, array $current) : array { 1458 // To use array_udiff_uassoc, the first array must have the most keys; this ensures every key is checked. 1459 // To do this, we first need to sort them by the length of their keys. 1460 $arrays = [$current, $previous]; 1461 1462 // Sort them by the length of their keys. 1463 usort($arrays, function ($a, $b) { 1464 return count(array_keys($b)) - count(array_keys($a)); 1465 }); 1466 1467 // The largest is the first value in the $arrays, after sorting. 1468 // The smallest is then the last one. 1469 // If they are the same size, it does not matter which is which. 1470 $largest = $arrays[0]; 1471 $smallest = $arrays[1]; 1472 1473 // Defines a function that casts the values to arrays. 1474 // This is so the properties are compared, instead any object's identities. 1475 $casttoarray = function ($value) { 1476 return json_decode(json_encode($value), true); 1477 }; 1478 1479 // Defines a function that compares all keys by their string value. 1480 $keycompare = function ($a, $b) { 1481 return strcmp($a, $b); 1482 }; 1483 1484 // Defines a function that compares all values by first their type, and then their values. 1485 // If the value contains any objects, they are cast to arrays before comparison. 1486 $valcompare = function ($a, $b) use ($casttoarray) { 1487 // First compare type. 1488 // If they are not the same type, they are definitely not the same. 1489 // Note we do not check types recursively. 1490 if (gettype($a) !== gettype($b)) { 1491 return 1; 1492 } 1493 1494 // Next compare value. Cast any objects to arrays to compare their properties, 1495 // instead of the identitiy of the object itself. 1496 $v1 = $casttoarray($a); 1497 $v2 = $casttoarray($b); 1498 1499 if ($v1 !== $v2) { 1500 return 1; 1501 } 1502 1503 return 0; 1504 }; 1505 1506 // Apply the comparison functions to the two given session arrays, 1507 // making sure to use the largest array first, so that all keys are considered. 1508 return array_udiff_uassoc($largest, $smallest, $valcompare, $keycompare); 1509 } 1510 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body