Search moodle.org's
Developer Documentation

See Release Notes

  • Bug fixes for general core bugs in 4.2.x will end 22 April 2024 (12 months).
  • Bug fixes for security issues in 4.2.x will end 7 October 2024 (18 months).
  • PHP version: minimum PHP 8.0.0 Note: minimum PHP version has increased since Moodle 4.1. PHP 8.1.x is supported too.

Differences Between: [Versions 310 and 402] [Versions 311 and 402] [Versions 39 and 402] [Versions 400 and 402] [Versions 401 and 402] [Versions 402 and 403]

   1  <?php
   2  // This file is part of Moodle - http://moodle.org/
   3  //
   4  // Moodle is free software: you can redistribute it and/or modify
   5  // it under the terms of the GNU General Public License as published by
   6  // the Free Software Foundation, either version 3 of the License, or
   7  // (at your option) any later version.
   8  //
   9  // Moodle is distributed in the hope that it will be useful,
  10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  // GNU General Public License for more details.
  13  //
  14  // You should have received a copy of the GNU General Public License
  15  // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16  
  17  /**
  18   * Session manager class.
  19   *
  20   * @package    core
  21   * @copyright  2013 Petr Skoda {@link http://skodak.org}
  22   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  23   */
  24  
  25  namespace core\session;
  26  
  27  defined('MOODLE_INTERNAL') || die();
  28  
  29  use html_writer;
  30  
  31  /**
  32   * Session manager, this is the public Moodle API for sessions.
  33   *
  34   * Following PHP functions MUST NOT be used directly:
  35   * - session_start() - not necessary, lib/setup.php starts session automatically,
  36   *   use define('NO_MOODLE_COOKIE', true) if session not necessary.
  37   * - session_write_close() - use \core\session\manager::write_close() instead.
  38   * - session_destroy() - use require_logout() instead.
  39   *
  40   * @package    core
  41   * @copyright  2013 Petr Skoda {@link http://skodak.org}
  42   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  43   */
  44  class manager {
  45      /** @var int A hard cutoff of maximum stored history */
  46      const MAXIMUM_STORED_SESSION_HISTORY = 50;
  47  
  48      /** @var int The recent session locks array is reset if there is a time gap more than this value in seconds */
  49      const SESSION_RESET_GAP_THRESHOLD = 1;
  50  
  51      /** @var handler $handler active session handler instance */
  52      protected static $handler;
  53  
  54      /** @var bool $sessionactive Is the session active? */
  55      protected static $sessionactive = null;
  56  
  57      /** @var string $logintokenkey Key used to get and store request protection for login form. */
  58      protected static $logintokenkey = 'core_auth_login';
  59  
  60      /** @var array Stores the the SESSION before a request is performed, used to check incorrect read-only modes */
  61      private static $priorsession = [];
  62  
  63      /** @var array Stores the the SESSION after write_close is called, used to check if it was mutated after the session is closed */
  64      private static $sessionatclose = [];
  65  
  66      /**
  67       * @var bool Used to trigger the SESSION mutation warning without actually preventing SESSION mutation.
  68       * This variable is used to "copy" what the $requireslock parameter  does in start_session().
  69       * Once requireslock is set in start_session it's later accessible via $handler->requires_write_lock,
  70       * When using $CFG->enable_read_only_sessions_debug mode, this variable serves the same purpose without
  71       * actually setting the handler as requiring a write lock.
  72       */
  73      private static $requireslockdebug;
  74  
  75      /**
  76       * If the current session is not writeable, abort it, and re-open it
  77       * requesting (and blocking) until a write lock is acquired.
  78       * If current session was already opened with an intentional write lock,
  79       * this call will not do anything.
  80       * NOTE: Even when using a session handler that does not support non-locking sessions,
  81       * if the original session was not opened with the explicit intention of being locked,
  82       * this will still restart your session so that code behaviour matches as closely
  83       * as practical across environments.
  84       *
  85       * @param bool $readonlysession Used by debugging logic to determine if whatever
  86       *                              triggered the restart (e.g., a webservice) declared
  87       *                              itself as read only.
  88       */
  89      public static function restart_with_write_lock(bool $readonlysession) {
  90          global $CFG;
  91  
  92          self::$requireslockdebug = !$readonlysession;
  93  
  94          if (self::$sessionactive && !self::$handler->requires_write_lock()) {
  95              @self::$handler->abort();
  96              self::$sessionactive = false;
  97              self::start_session(true);
  98          }
  99      }
 100  
 101      /**
 102       * Start user session.
 103       *
 104       * Note: This is intended to be called only from lib/setup.php!
 105       */
 106      public static function start() {
 107          global $CFG, $DB, $PERF;
 108  
 109          if (isset(self::$sessionactive)) {
 110              debugging('Session was already started!', DEBUG_DEVELOPER);
 111              return;
 112          }
 113  
 114          // Grab the time before session lock starts.
 115          $PERF->sessionlock['start'] = microtime(true);
 116          self::load_handler();
 117  
 118          // Init the session handler only if everything initialised properly in lib/setup.php file
 119          // and the session is actually required.
 120          if (empty($DB) or empty($CFG->version) or !defined('NO_MOODLE_COOKIES') or NO_MOODLE_COOKIES or CLI_SCRIPT) {
 121              self::$sessionactive = false;
 122              self::init_empty_session();
 123              return;
 124          }
 125  
 126          if (defined('READ_ONLY_SESSION') && !empty($CFG->enable_read_only_sessions)) {
 127              $requireslock = !READ_ONLY_SESSION;
 128          } else {
 129              $requireslock = true; // For backwards compatibility, we default to assuming that a lock is needed.
 130          }
 131  
 132          // By default make the two variables the same. This means that when they are
 133          // checked below in start_session and write_close there is no possibility for
 134          // the debug version to "accidentally" execute the debug mode.
 135          self::$requireslockdebug = $requireslock;
 136          if (defined('READ_ONLY_SESSION') && !empty($CFG->enable_read_only_sessions_debug)) {
 137              // Only change the debug variable if READ_ONLY_SESSION is declared,
 138              // as would happen with the real requireslock variable.
 139              self::$requireslockdebug = !READ_ONLY_SESSION;
 140          }
 141  
 142          self::start_session($requireslock);
 143      }
 144  
 145      /**
 146       * Handles starting a session.
 147       *
 148       * @param bool $requireslock If this is false then no write lock will be acquired,
 149       *                           and the session will be read-only.
 150       */
 151      private static function start_session(bool $requireslock) {
 152          global $PERF, $CFG;
 153  
 154          try {
 155              self::$handler->init();
 156              self::$handler->set_requires_write_lock($requireslock);
 157              self::prepare_cookies();
 158              $isnewsession = empty($_COOKIE[session_name()]);
 159  
 160              if (!self::$handler->start()) {
 161                  // Could not successfully start/recover session.
 162                  throw new \core\session\exception(get_string('servererror'));
 163              }
 164  
 165              if ($requireslock) {
 166                  // Grab the time when session lock starts.
 167                  $PERF->sessionlock['gained'] = microtime(true);
 168                  $PERF->sessionlock['wait'] = $PERF->sessionlock['gained'] - $PERF->sessionlock['start'];
 169              }
 170              self::initialise_user_session($isnewsession);
 171              self::$sessionactive = true; // Set here, so the session can be cleared if the security check fails.
 172              self::check_security();
 173  
 174              if (!$requireslock || !self::$requireslockdebug) {
 175                  self::$priorsession = (array) $_SESSION['SESSION'];
 176              }
 177  
 178              if (!empty($CFG->enable_read_only_sessions) && isset($_SESSION['SESSION']->cachestore_session)) {
 179                  $caches = join(', ', array_keys($_SESSION['SESSION']->cachestore_session));
 180                  $caches = str_replace('default_session-', '', $caches);
 181                  throw new \moodle_exception("The session caches can not be in the session store when "
 182                      . "enable_read_only_sessions is enabled. Please map all session mode caches to be outside of the "
 183                      . "default session store before enabling this features. Found these definitions in the session: $caches");
 184              }
 185  
 186              // Link global $USER and $SESSION,
 187              // this is tricky because PHP does not allow references to references
 188              // and global keyword uses internally once reference to the $GLOBALS array.
 189              // The solution is to use the $GLOBALS['USER'] and $GLOBALS['$SESSION']
 190              // as the main storage of data and put references to $_SESSION.
 191              $GLOBALS['USER'] = $_SESSION['USER'];
 192              $_SESSION['USER'] =& $GLOBALS['USER'];
 193              $GLOBALS['SESSION'] = $_SESSION['SESSION'];
 194              $_SESSION['SESSION'] =& $GLOBALS['SESSION'];
 195  
 196          } catch (\Exception $ex) {
 197              self::init_empty_session();
 198              self::$sessionactive = false;
 199              throw $ex;
 200          }
 201      }
 202  
 203      /**
 204       * Returns current page performance info.
 205       *
 206       * @return array perf info
 207       */
 208      public static function get_performance_info() {
 209          global $CFG, $PERF;
 210  
 211          if (!session_id()) {
 212              return array();
 213          }
 214  
 215          self::load_handler();
 216          $size = display_size(strlen(session_encode()));
 217          $handler = get_class(self::$handler);
 218  
 219          $info = array();
 220          $info['size'] = $size;
 221          $info['html'] = html_writer::div("Session ($handler): $size", "sessionsize");
 222          $info['txt'] = "Session ($handler): $size ";
 223  
 224          if (!empty($CFG->debugsessionlock)) {
 225              $sessionlock = self::get_session_lock_info();
 226              if (!empty($sessionlock['held'])) {
 227                  // The page displays the footer and the session has been closed.
 228                  $sessionlocktext = "Session lock held: ".number_format($sessionlock['held'], 3)." secs";
 229              } else {
 230                  // The session hasn't yet been closed and so we assume now with microtime.
 231                  $sessionlockheld = microtime(true) - $PERF->sessionlock['gained'];
 232                  $sessionlocktext = "Session lock open: ".number_format($sessionlockheld, 3)." secs";
 233              }
 234              $info['txt'] .= $sessionlocktext;
 235              $info['html'] .= html_writer::div($sessionlocktext, "sessionlockstart");
 236              $sessionlockwaittext = "Session lock wait: ".number_format($sessionlock['wait'], 3)." secs";
 237              $info['txt'] .= $sessionlockwaittext;
 238              $info['html'] .= html_writer::div($sessionlockwaittext, "sessionlockwait");
 239          }
 240  
 241          return $info;
 242      }
 243  
 244      /**
 245       * Get fully qualified name of session handler class.
 246       *
 247       * @return string The name of the handler class
 248       */
 249      public static function get_handler_class() {
 250          global $CFG, $DB;
 251  
 252          if (PHPUNIT_TEST) {
 253              return '\core\session\file';
 254          } else if (!empty($CFG->session_handler_class)) {
 255              return $CFG->session_handler_class;
 256          } else if (!empty($CFG->dbsessions) and $DB->session_lock_supported()) {
 257              return '\core\session\database';
 258          }
 259  
 260          return '\core\session\file';
 261      }
 262  
 263      /**
 264       * Create handler instance.
 265       */
 266      protected static function load_handler() {
 267          if (self::$handler) {
 268              return;
 269          }
 270  
 271          // Find out which handler to use.
 272          $class = self::get_handler_class();
 273          self::$handler = new $class();
 274      }
 275  
 276      /**
 277       * Empty current session, fill it with not-logged-in user info.
 278       *
 279       * This is intended for installation scripts, unit tests and other
 280       * special areas. Do NOT use for logout and session termination
 281       * in normal requests!
 282       *
 283       * @param mixed $newsid only used after initialising a user session, is this a new user session?
 284       */
 285      public static function init_empty_session(?bool $newsid = null) {
 286          global $CFG;
 287  
 288          if (isset($GLOBALS['SESSION']->notifications)) {
 289              // Backup notifications. These should be preserved across session changes until the user fetches and clears them.
 290              $notifications = $GLOBALS['SESSION']->notifications;
 291          }
 292          $GLOBALS['SESSION'] = new \stdClass();
 293          if (isset($newsid)) {
 294              $GLOBALS['SESSION']->isnewsessioncookie = $newsid;
 295          }
 296  
 297          $GLOBALS['USER'] = new \stdClass();
 298          $GLOBALS['USER']->id = 0;
 299  
 300          if (!empty($notifications)) {
 301              // Restore notifications.
 302              $GLOBALS['SESSION']->notifications = $notifications;
 303          }
 304          if (isset($CFG->mnet_localhost_id)) {
 305              $GLOBALS['USER']->mnethostid = $CFG->mnet_localhost_id;
 306          } else {
 307              // Not installed yet, the future host id will be most probably 1.
 308              $GLOBALS['USER']->mnethostid = 1;
 309          }
 310  
 311          // Link global $USER and $SESSION.
 312          $_SESSION = array();
 313          $_SESSION['USER'] =& $GLOBALS['USER'];
 314          $_SESSION['SESSION'] =& $GLOBALS['SESSION'];
 315      }
 316  
 317      /**
 318       * Make sure all cookie and session related stuff is configured properly before session start.
 319       */
 320      protected static function prepare_cookies() {
 321          global $CFG;
 322  
 323          $cookiesecure = is_moodle_cookie_secure();
 324  
 325          if (!isset($CFG->cookiehttponly)) {
 326              $CFG->cookiehttponly = 0;
 327          }
 328  
 329          // Set sessioncookie variable if it isn't already.
 330          if (!isset($CFG->sessioncookie)) {
 331              $CFG->sessioncookie = '';
 332          }
 333          $sessionname = 'MoodleSession'.$CFG->sessioncookie;
 334  
 335          // Make sure cookie domain makes sense for this wwwroot.
 336          if (!isset($CFG->sessioncookiedomain)) {
 337              $CFG->sessioncookiedomain = '';
 338          } else if ($CFG->sessioncookiedomain !== '') {
 339              $host = parse_url($CFG->wwwroot, PHP_URL_HOST);
 340              if ($CFG->sessioncookiedomain !== $host) {
 341                  if (substr($CFG->sessioncookiedomain, 0, 1) === '.') {
 342                      if (!preg_match('|^.*'.preg_quote($CFG->sessioncookiedomain, '|').'$|', $host)) {
 343                          // Invalid domain - it must be end part of host.
 344                          $CFG->sessioncookiedomain = '';
 345                      }
 346                  } else {
 347                      if (!preg_match('|^.*\.'.preg_quote($CFG->sessioncookiedomain, '|').'$|', $host)) {
 348                          // Invalid domain - it must be end part of host.
 349                          $CFG->sessioncookiedomain = '';
 350                      }
 351                  }
 352              }
 353          }
 354  
 355          // Make sure the cookiepath is valid for this wwwroot or autodetect if not specified.
 356          if (!isset($CFG->sessioncookiepath)) {
 357              $CFG->sessioncookiepath = '';
 358          }
 359          if ($CFG->sessioncookiepath !== '/') {
 360              $path = parse_url($CFG->wwwroot, PHP_URL_PATH).'/';
 361              if ($CFG->sessioncookiepath === '') {
 362                  $CFG->sessioncookiepath = $path;
 363              } else {
 364                  if (strpos($path, $CFG->sessioncookiepath) !== 0 or substr($CFG->sessioncookiepath, -1) !== '/') {
 365                      $CFG->sessioncookiepath = $path;
 366                  }
 367              }
 368          }
 369  
 370          // Discard session ID from POST, GET and globals to tighten security,
 371          // this is session fixation prevention.
 372          unset($GLOBALS[$sessionname]);
 373          unset($_GET[$sessionname]);
 374          unset($_POST[$sessionname]);
 375          unset($_REQUEST[$sessionname]);
 376  
 377          // Compatibility hack for non-browser access to our web interface.
 378          if (!empty($_COOKIE[$sessionname]) && $_COOKIE[$sessionname] == "deleted") {
 379              unset($_COOKIE[$sessionname]);
 380          }
 381  
 382          // Set configuration.
 383          session_name($sessionname);
 384  
 385          $sessionoptions = [
 386              'lifetime' => 0,
 387              'path' => $CFG->sessioncookiepath,
 388              'domain' => $CFG->sessioncookiedomain,
 389              'secure' => $cookiesecure,
 390              'httponly' => $CFG->cookiehttponly,
 391          ];
 392  
 393          if (self::should_use_samesite_none()) {
 394              // If $samesite is empty, we don't want there to be any SameSite attribute.
 395              $sessionoptions['samesite'] = 'None';
 396          }
 397  
 398          session_set_cookie_params($sessionoptions);
 399  
 400          ini_set('session.use_trans_sid', '0');
 401          ini_set('session.use_only_cookies', '1');
 402          ini_set('session.use_strict_mode', '0');      // We have custom protection in session init.
 403          ini_set('session.serialize_handler', 'php');  // We can move to 'php_serialize' after we require PHP 5.5.4 form Moodle.
 404  
 405          // Moodle does normal session timeouts, this is for leftovers only.
 406          ini_set('session.gc_probability', 1);
 407          ini_set('session.gc_divisor', 1000);
 408          ini_set('session.gc_maxlifetime', 60*60*24*4);
 409      }
 410  
 411      /**
 412       * Initialise $_SESSION, handles google access
 413       * and sets up not-logged-in user properly.
 414       *
 415       * WARNING: $USER and $SESSION are set up later, do not use them yet!
 416       *
 417       * @param bool $newsid is this a new session in first http request?
 418       */
 419      protected static function initialise_user_session($newsid) {
 420          global $CFG, $DB;
 421  
 422          $sid = session_id();
 423          if (!$sid) {
 424              // No session, very weird.
 425              error_log('Missing session ID, session not started!');
 426              self::init_empty_session($newsid);
 427              return;
 428          }
 429  
 430          if (!$record = $DB->get_record('sessions', array('sid'=>$sid), 'id, sid, state, userid, lastip, timecreated, timemodified')) {
 431              if (!$newsid) {
 432                  if (!empty($_SESSION['USER']->id)) {
 433                      // This should not happen, just log it, we MUST not produce any output here!
 434                      error_log("Cannot find session record $sid for user ".$_SESSION['USER']->id.", creating new session.");
 435                  }
 436                  // Prevent session fixation attacks.
 437                  session_regenerate_id(true);
 438              }
 439              $_SESSION = array();
 440          }
 441          unset($sid);
 442  
 443          if (isset($_SESSION['USER']->id)) {
 444              if (!empty($_SESSION['USER']->realuser)) {
 445                  $userid = $_SESSION['USER']->realuser;
 446              } else {
 447                  $userid = $_SESSION['USER']->id;
 448              }
 449  
 450              // Verify timeout first.
 451              $maxlifetime = $CFG->sessiontimeout;
 452              $timeout = false;
 453              if (isguestuser($userid) or empty($userid)) {
 454                  // Ignore guest and not-logged in timeouts, there is very little risk here.
 455                  $timeout = false;
 456  
 457              } else if ($record->timemodified < time() - $maxlifetime) {
 458                  $timeout = true;
 459                  $authsequence = get_enabled_auth_plugins(); // Auths, in sequence.
 460                  foreach ($authsequence as $authname) {
 461                      $authplugin = get_auth_plugin($authname);
 462                      if ($authplugin->ignore_timeout_hook($_SESSION['USER'], $record->sid, $record->timecreated, $record->timemodified)) {
 463                          $timeout = false;
 464                          break;
 465                      }
 466                  }
 467              }
 468  
 469              if ($timeout) {
 470                  if (defined('NO_SESSION_UPDATE') && NO_SESSION_UPDATE) {
 471                      return;
 472                  }
 473                  session_regenerate_id(true);
 474                  $_SESSION = array();
 475                  $DB->delete_records('sessions', array('id'=>$record->id));
 476  
 477              } else {
 478                  // Update session tracking record.
 479  
 480                  $update = new \stdClass();
 481                  $updated = false;
 482  
 483                  if ($record->userid != $userid) {
 484                      $update->userid = $record->userid = $userid;
 485                      $updated = true;
 486                  }
 487  
 488                  $ip = getremoteaddr();
 489                  if ($record->lastip != $ip) {
 490                      $update->lastip = $record->lastip = $ip;
 491                      $updated = true;
 492                  }
 493  
 494                  $updatefreq = empty($CFG->session_update_timemodified_frequency) ? 20 : $CFG->session_update_timemodified_frequency;
 495  
 496                  if ($record->timemodified == $record->timecreated) {
 497                      // Always do first update of existing record.
 498                      $update->timemodified = $record->timemodified = time();
 499                      $updated = true;
 500  
 501                  } else if ($record->timemodified < time() - $updatefreq) {
 502                      // Update the session modified flag only once every 20 seconds.
 503                      $update->timemodified = $record->timemodified = time();
 504                      $updated = true;
 505                  }
 506  
 507                  if ($updated && (!defined('NO_SESSION_UPDATE') || !NO_SESSION_UPDATE)) {
 508                      $update->id = $record->id;
 509                      $DB->update_record('sessions', $update);
 510                  }
 511  
 512                  return;
 513              }
 514          } else {
 515              if ($record) {
 516                  // This happens when people switch session handlers...
 517                  session_regenerate_id(true);
 518                  $_SESSION = array();
 519                  $DB->delete_records('sessions', array('id'=>$record->id));
 520              }
 521          }
 522          unset($record);
 523  
 524          $timedout = false;
 525          if (!isset($_SESSION['SESSION'])) {
 526              $_SESSION['SESSION'] = new \stdClass();
 527              if (!$newsid) {
 528                  $timedout = true;
 529              }
 530          }
 531  
 532          $user = null;
 533  
 534          if (!empty($CFG->opentowebcrawlers)) {
 535              if (\core_useragent::is_web_crawler()) {
 536                  $user = guest_user();
 537              }
 538              $referer = get_local_referer(false);
 539              if (!empty($CFG->guestloginbutton) and !$user and !empty($referer)) {
 540                  // Automatically log in users coming from search engine results.
 541                  if (strpos($referer, 'google') !== false ) {
 542                      $user = guest_user();
 543                  } else if (strpos($referer, 'altavista') !== false ) {
 544                      $user = guest_user();
 545                  }
 546              }
 547          }
 548  
 549          // Setup $USER and insert the session tracking record.
 550          if ($user) {
 551              self::set_user($user);
 552              self::add_session_record($user->id);
 553          } else {
 554              self::init_empty_session($newsid);
 555              self::add_session_record(0);
 556          }
 557  
 558          if ($timedout) {
 559              $_SESSION['SESSION']->has_timed_out = true;
 560          }
 561      }
 562  
 563      /**
 564       * Insert new empty session record.
 565       * @param int $userid
 566       * @return \stdClass the new record
 567       */
 568      protected static function add_session_record($userid) {
 569          global $DB;
 570          $record = new \stdClass();
 571          $record->state       = 0;
 572          $record->sid         = session_id();
 573          $record->sessdata    = null;
 574          $record->userid      = $userid;
 575          $record->timecreated = $record->timemodified = time();
 576          $record->firstip     = $record->lastip = getremoteaddr();
 577  
 578          $record->id = $DB->insert_record('sessions', $record);
 579  
 580          return $record;
 581      }
 582  
 583      /**
 584       * Do various session security checks.
 585       *
 586       * WARNING: $USER and $SESSION are set up later, do not use them yet!
 587       * @throws \core\session\exception
 588       */
 589      protected static function check_security() {
 590          global $CFG;
 591  
 592          if (!empty($_SESSION['USER']->id) and !empty($CFG->tracksessionip)) {
 593              // Make sure current IP matches the one for this session.
 594              $remoteaddr = getremoteaddr();
 595  
 596              if (empty($_SESSION['USER']->sessionip)) {
 597                  $_SESSION['USER']->sessionip = $remoteaddr;
 598              }
 599  
 600              if ($_SESSION['USER']->sessionip != $remoteaddr) {
 601                  // This is a security feature - terminate the session in case of any doubt.
 602                  self::terminate_current();
 603                  throw new exception('sessionipnomatch2', 'error');
 604              }
 605          }
 606      }
 607  
 608      /**
 609       * Login user, to be called from complete_user_login() only.
 610       * @param \stdClass $user
 611       */
 612      public static function login_user(\stdClass $user) {
 613          global $DB;
 614  
 615          // Regenerate session id and delete old session,
 616          // this helps prevent session fixation attacks from the same domain.
 617  
 618          $sid = session_id();
 619          session_regenerate_id(true);
 620          $DB->delete_records('sessions', array('sid'=>$sid));
 621          self::add_session_record($user->id);
 622  
 623          // Let enrol plugins deal with new enrolments if necessary.
 624          enrol_check_plugins($user);
 625  
 626          // Setup $USER object.
 627          self::set_user($user);
 628      }
 629  
 630      /**
 631       * Returns a valid setting for the SameSite cookie attribute.
 632       *
 633       * @return string The desired setting for the SameSite attribute on the cookie. Empty string indicates the SameSite attribute
 634       * should not be set at all.
 635       */
 636      private static function should_use_samesite_none(): bool {
 637          // We only want None or no attribute at this point. When we have cookie handling compatible with Lax,
 638          // we can look at checking a setting.
 639  
 640          // Browser support for none is not consistent yet. There are known issues with Safari, and IE11.
 641          // Things are stablising, however as they're not stable yet we will deal specifically with the version of chrome
 642          // that introduces a default of lax, setting it to none for the current version of chrome (2 releases before the change).
 643          // We also check you are using secure cookies and HTTPS because if you are not running over HTTPS
 644          // then setting SameSite=None will cause your session cookie to be rejected.
 645          if (\core_useragent::is_chrome() && \core_useragent::check_chrome_version('78') && is_moodle_cookie_secure()) {
 646              return true;
 647          }
 648          return false;
 649      }
 650  
 651      /**
 652       * Terminate current user session.
 653       * @return void
 654       */
 655      public static function terminate_current() {
 656          global $DB;
 657  
 658          if (!self::$sessionactive) {
 659              self::init_empty_session();
 660              self::$sessionactive = false;
 661              return;
 662          }
 663  
 664          try {
 665              $DB->delete_records('external_tokens', array('sid'=>session_id(), 'tokentype'=>EXTERNAL_TOKEN_EMBEDDED));
 666          } catch (\Exception $ignored) {
 667              // Probably install/upgrade - ignore this problem.
 668          }
 669  
 670          // Initialize variable to pass-by-reference to headers_sent(&$file, &$line).
 671          $file = null;
 672          $line = null;
 673          if (headers_sent($file, $line)) {
 674              error_log('Cannot terminate session properly - headers were already sent in file: '.$file.' on line '.$line);
 675          }
 676  
 677          // Write new empty session and make sure the old one is deleted.
 678          $sid = session_id();
 679          session_regenerate_id(true);
 680          $DB->delete_records('sessions', array('sid'=>$sid));
 681          self::init_empty_session();
 682          self::add_session_record($_SESSION['USER']->id); // Do not use $USER here because it may not be set up yet.
 683          self::write_close();
 684      }
 685  
 686      /**
 687       * No more changes in session expected.
 688       * Unblocks the sessions, other scripts may start executing in parallel.
 689       */
 690      public static function write_close() {
 691          global $PERF, $ME, $CFG;
 692  
 693          if (self::$sessionactive) {
 694              $requireslock = self::$handler->requires_write_lock();
 695              if ($requireslock) {
 696                  // Grab the time when session lock is released.
 697                  $PERF->sessionlock['released'] = microtime(true);
 698                  if (!empty($PERF->sessionlock['gained'])) {
 699                      $PERF->sessionlock['held'] = $PERF->sessionlock['released'] - $PERF->sessionlock['gained'];
 700                  }
 701                  $PERF->sessionlock['url'] = me();
 702                  self::update_recent_session_locks($PERF->sessionlock);
 703                  self::sessionlock_debugging();
 704              }
 705  
 706              // If debugging, take a snapshot of session at close and compare on shutdown to detect any accidental mutations.
 707              if (debugging()) {
 708                  self::$sessionatclose = (array) $_SESSION['SESSION'];
 709                  \core_shutdown_manager::register_function('\core\session\manager::check_mutated_closed_session');
 710              }
 711  
 712              if (!$requireslock || !self::$requireslockdebug) {
 713                  // Compare the array of the earlier session data with the array now, if
 714                  // there is a difference then a lock is required.
 715                  $arraydiff = self::array_session_diff(
 716                      self::$priorsession,
 717                      (array) $_SESSION['SESSION']
 718                  );
 719  
 720                  if ($arraydiff) {
 721                      $error = "Script $ME defined READ_ONLY_SESSION but the following SESSION attributes were changed:";
 722                      foreach ($arraydiff as $key => $value) {
 723                          $error .= ' $SESSION->' . $key;
 724                      }
 725                      // This will emit an error if debugging is on, even if $CFG->enable_read_only_sessions
 726                      // is not true as we need to surface this class of errors.
 727                      error_log($error); // phpcs:ignore
 728                  }
 729              }
 730          }
 731  
 732          // More control over whether session data
 733          // is persisted or not.
 734          if (self::$sessionactive && session_id()) {
 735              // Write session and release lock only if
 736              // indication session start was clean.
 737              self::$handler->write_close();
 738          } else {
 739              // Otherwise, if possible lock exists want
 740              // to clear it, but do not write session.
 741              // If the $handler has not been set then
 742              // there is no session to abort.
 743              if (isset(self::$handler)) {
 744                  @self::$handler->abort();
 745              }
 746          }
 747  
 748          self::$sessionactive = false;
 749      }
 750  
 751      /**
 752       * Checks if the session has been mutated since it was closed.
 753       * In write_close the session is saved to the variable $sessionatclose
 754       * If there is a difference between $sessionatclose and the current session,
 755       * it means a script has erroneously closed the session too early.
 756       * Script is usually called in shutdown_manager
 757       */
 758      public static function check_mutated_closed_session() {
 759          global $ME;
 760  
 761          // Session is still open, mutations are allowed.
 762          if (self::$sessionactive) {
 763              return;
 764          }
 765  
 766          // Detect if session was cleared.
 767          if (!isset($_SESSION['SESSION']) && isset(self::$sessionatclose)) {
 768              debugging("Script $ME cleared the session after it was closed.");
 769              return;
 770          } else if (!isset($_SESSION['SESSION'])) {
 771              // Else session is empty, nothing to check.
 772              return;
 773          }
 774  
 775          // Session is closed - compare the current session to the session when write_close was called.
 776          $arraydiff = self::array_session_diff(
 777              self::$sessionatclose,
 778              (array) $_SESSION['SESSION']
 779          );
 780  
 781          if ($arraydiff) {
 782              $error = "Script $ME mutated the session after it was closed:";
 783              foreach ($arraydiff as $key => $value) {
 784                  $error .= ' $SESSION->' . $key;
 785  
 786                  // Extra debugging for cachestore session changes.
 787                  if (strpos($key, 'cachestore_') === 0 && is_array($value)) {
 788                      $error .= ': ' . implode(',', array_keys($value));
 789                  }
 790              }
 791              debugging($error);
 792          }
 793      }
 794  
 795      /**
 796       * Does the PHP session with given id exist?
 797       *
 798       * The session must exist both in session table and actual
 799       * session backend and the session must not be timed out.
 800       *
 801       * Timeout evaluation is simplified, the auth hooks are not executed.
 802       *
 803       * @param string $sid
 804       * @return bool
 805       */
 806      public static function session_exists($sid) {
 807          global $DB, $CFG;
 808  
 809          if (empty($CFG->version)) {
 810              // Not installed yet, do not try to access database.
 811              return false;
 812          }
 813  
 814          // Note: add sessions->state checking here if it gets implemented.
 815          if (!$record = $DB->get_record('sessions', array('sid' => $sid), 'id, userid, timemodified')) {
 816              return false;
 817          }
 818  
 819          if (empty($record->userid) or isguestuser($record->userid)) {
 820              // Ignore guest and not-logged-in timeouts, there is very little risk here.
 821          } else if ($record->timemodified < time() - $CFG->sessiontimeout) {
 822              return false;
 823          }
 824  
 825          // There is no need the existence of handler storage in public API.
 826          self::load_handler();
 827          return self::$handler->session_exists($sid);
 828      }
 829  
 830      /**
 831       * Return the number of seconds remaining in the current session.
 832       * @param string $sid
 833       */
 834      public static function time_remaining($sid) {
 835          global $DB, $CFG;
 836  
 837          if (empty($CFG->version)) {
 838              // Not installed yet, do not try to access database.
 839              return ['userid' => 0, 'timeremaining' => $CFG->sessiontimeout];
 840          }
 841  
 842          // Note: add sessions->state checking here if it gets implemented.
 843          if (!$record = $DB->get_record('sessions', array('sid' => $sid), 'id, userid, timemodified')) {
 844              return ['userid' => 0, 'timeremaining' => $CFG->sessiontimeout];
 845          }
 846  
 847          if (empty($record->userid) or isguestuser($record->userid)) {
 848              // Ignore guest and not-logged-in timeouts, there is very little risk here.
 849              return ['userid' => 0, 'timeremaining' => $CFG->sessiontimeout];
 850          } else {
 851              return ['userid' => $record->userid, 'timeremaining' => $CFG->sessiontimeout - (time() - $record->timemodified)];
 852          }
 853      }
 854  
 855      /**
 856       * Fake last access for given session, this prevents session timeout.
 857       * @param string $sid
 858       */
 859      public static function touch_session($sid) {
 860          global $DB;
 861  
 862          // Timeouts depend on core sessions table only, no need to update anything in external stores.
 863  
 864          $sql = "UPDATE {sessions} SET timemodified = :now WHERE sid = :sid";
 865          $DB->execute($sql, array('now'=>time(), 'sid'=>$sid));
 866      }
 867  
 868      /**
 869       * Terminate all sessions unconditionally.
 870       */
 871      public static function kill_all_sessions() {
 872          global $DB;
 873  
 874          self::terminate_current();
 875  
 876          self::load_handler();
 877          self::$handler->kill_all_sessions();
 878  
 879          try {
 880              $DB->delete_records('sessions');
 881          } catch (\dml_exception $ignored) {
 882              // Do not show any warnings - might be during upgrade/installation.
 883          }
 884      }
 885  
 886      /**
 887       * Terminate give session unconditionally.
 888       * @param string $sid
 889       */
 890      public static function kill_session($sid) {
 891          global $DB;
 892  
 893          self::load_handler();
 894  
 895          if ($sid === session_id()) {
 896              self::write_close();
 897          }
 898  
 899          self::$handler->kill_session($sid);
 900  
 901          $DB->delete_records('sessions', array('sid'=>$sid));
 902      }
 903  
 904      /**
 905       * Terminate all sessions of given user unconditionally.
 906       * @param int $userid
 907       * @param string $keepsid keep this sid if present
 908       */
 909      public static function kill_user_sessions($userid, $keepsid = null) {
 910          global $DB;
 911  
 912          $sessions = $DB->get_records('sessions', array('userid'=>$userid), 'id DESC', 'id, sid');
 913          foreach ($sessions as $session) {
 914              if ($keepsid and $keepsid === $session->sid) {
 915                  continue;
 916              }
 917              self::kill_session($session->sid);
 918          }
 919      }
 920  
 921      /**
 922       * Terminate other sessions of current user depending
 923       * on $CFG->limitconcurrentlogins restriction.
 924       *
 925       * This is expected to be called right after complete_user_login().
 926       *
 927       * NOTE:
 928       *  * Do not use from SSO auth plugins, this would not work.
 929       *  * Do not use from web services because they do not have sessions.
 930       *
 931       * @param int $userid
 932       * @param string $sid session id to be always keep, usually the current one
 933       * @return void
 934       */
 935      public static function apply_concurrent_login_limit($userid, $sid = null) {
 936          global $CFG, $DB;
 937  
 938          // NOTE: the $sid parameter is here mainly to allow testing,
 939          //       in most cases it should be current session id.
 940  
 941          if (isguestuser($userid) or empty($userid)) {
 942              // This applies to real users only!
 943              return;
 944          }
 945  
 946          if (empty($CFG->limitconcurrentlogins) or $CFG->limitconcurrentlogins < 0) {
 947              return;
 948          }
 949  
 950          $count = $DB->count_records('sessions', array('userid' => $userid));
 951  
 952          if ($count <= $CFG->limitconcurrentlogins) {
 953              return;
 954          }
 955  
 956          $i = 0;
 957          $select = "userid = :userid";
 958          $params = array('userid' => $userid);
 959          if ($sid) {
 960              if ($DB->record_exists('sessions', array('sid' => $sid, 'userid' => $userid))) {
 961                  $select .= " AND sid <> :sid";
 962                  $params['sid'] = $sid;
 963                  $i = 1;
 964              }
 965          }
 966  
 967          $sessions = $DB->get_records_select('sessions', $select, $params, 'timecreated DESC', 'id, sid');
 968          foreach ($sessions as $session) {
 969              $i++;
 970              if ($i <= $CFG->limitconcurrentlogins) {
 971                  continue;
 972              }
 973              self::kill_session($session->sid);
 974          }
 975      }
 976  
 977      /**
 978       * Set current user.
 979       *
 980       * @param \stdClass $user record
 981       */
 982      public static function set_user(\stdClass $user) {
 983          global $ADMIN;
 984          $GLOBALS['USER'] = $user;
 985          unset($GLOBALS['USER']->description); // Conserve memory.
 986          unset($GLOBALS['USER']->password);    // Improve security.
 987          if (isset($GLOBALS['USER']->lang)) {
 988              // Make sure it is a valid lang pack name.
 989              $GLOBALS['USER']->lang = clean_param($GLOBALS['USER']->lang, PARAM_LANG);
 990          }
 991  
 992          // Relink session with global $USER just in case it got unlinked somehow.
 993          $_SESSION['USER'] =& $GLOBALS['USER'];
 994  
 995          // Nullify the $ADMIN tree global. If we're changing users, then this is now stale and must be generated again if needed.
 996          $ADMIN = null;
 997  
 998          // Init session key.
 999          sesskey();
1000  
1001          // Make sure the user is correct in web server access logs.
1002          set_access_log_user();
1003      }
1004  
1005      /**
1006       * Periodic timed-out session cleanup.
1007       */
1008      public static function gc() {
1009          global $CFG, $DB;
1010  
1011          // This may take a long time...
1012          \core_php_time_limit::raise();
1013  
1014          $maxlifetime = $CFG->sessiontimeout;
1015  
1016          try {
1017              // Kill all sessions of deleted and suspended users without any hesitation.
1018              $rs = $DB->get_recordset_select('sessions', "userid IN (SELECT id FROM {user} WHERE deleted <> 0 OR suspended <> 0)", array(), 'id DESC', 'id, sid');
1019              foreach ($rs as $session) {
1020                  self::kill_session($session->sid);
1021              }
1022              $rs->close();
1023  
1024              // Kill sessions of users with disabled plugins.
1025              $authsequence = get_enabled_auth_plugins();
1026              $authsequence = array_flip($authsequence);
1027              unset($authsequence['nologin']); // No login means user cannot login.
1028              $authsequence = array_flip($authsequence);
1029  
1030              list($notplugins, $params) = $DB->get_in_or_equal($authsequence, SQL_PARAMS_QM, '', false);
1031              $rs = $DB->get_recordset_select('sessions', "userid IN (SELECT id FROM {user} WHERE auth $notplugins)", $params, 'id DESC', 'id, sid');
1032              foreach ($rs as $session) {
1033                  self::kill_session($session->sid);
1034              }
1035              $rs->close();
1036  
1037              // Now get a list of time-out candidates - real users only.
1038              $sql = "SELECT u.*, s.sid, s.timecreated AS s_timecreated, s.timemodified AS s_timemodified
1039                        FROM {user} u
1040                        JOIN {sessions} s ON s.userid = u.id
1041                       WHERE s.timemodified < :purgebefore AND u.id <> :guestid";
1042              $params = array('purgebefore' => (time() - $maxlifetime), 'guestid'=>$CFG->siteguest);
1043  
1044              $authplugins = array();
1045              foreach ($authsequence as $authname) {
1046                  $authplugins[$authname] = get_auth_plugin($authname);
1047              }
1048              $rs = $DB->get_recordset_sql($sql, $params);
1049              foreach ($rs as $user) {
1050                  foreach ($authplugins as $authplugin) {
1051                      /** @var \auth_plugin_base $authplugin*/
1052                      if ($authplugin->ignore_timeout_hook($user, $user->sid, $user->s_timecreated, $user->s_timemodified)) {
1053                          continue 2;
1054                      }
1055                  }
1056                  self::kill_session($user->sid);
1057              }
1058              $rs->close();
1059  
1060              // Delete expired sessions for guest user account, give them larger timeout, there is no security risk here.
1061              $params = array('purgebefore' => (time() - ($maxlifetime * 5)), 'guestid'=>$CFG->siteguest);
1062              $rs = $DB->get_recordset_select('sessions', 'userid = :guestid AND timemodified < :purgebefore', $params, 'id DESC', 'id, sid');
1063              foreach ($rs as $session) {
1064                  self::kill_session($session->sid);
1065              }
1066              $rs->close();
1067  
1068              // Delete expired sessions for userid = 0 (not logged in), better kill them asap to release memory.
1069              $params = array('purgebefore' => (time() - $maxlifetime));
1070              $rs = $DB->get_recordset_select('sessions', 'userid = 0 AND timemodified < :purgebefore', $params, 'id DESC', 'id, sid');
1071              foreach ($rs as $session) {
1072                  self::kill_session($session->sid);
1073              }
1074              $rs->close();
1075  
1076              // Cleanup letfovers from the first browser access because it may set multiple cookies and then use only one.
1077              $params = array('purgebefore' => (time() - 60*3));
1078              $rs = $DB->get_recordset_select('sessions', 'userid = 0 AND timemodified = timecreated AND timemodified < :purgebefore', $params, 'id ASC', 'id, sid');
1079              foreach ($rs as $session) {
1080                  self::kill_session($session->sid);
1081              }
1082              $rs->close();
1083  
1084          } catch (\Exception $ex) {
1085              debugging('Error gc-ing sessions: '.$ex->getMessage(), DEBUG_NORMAL, $ex->getTrace());
1086          }
1087      }
1088  
1089      /**
1090       * Is current $USER logged-in-as somebody else?
1091       * @return bool
1092       */
1093      public static function is_loggedinas() {
1094          return !empty($GLOBALS['USER']->realuser);
1095      }
1096  
1097      /**
1098       * Returns the $USER object ignoring current login-as session
1099       * @return \stdClass user object
1100       */
1101      public static function get_realuser() {
1102          if (self::is_loggedinas()) {
1103              return $_SESSION['REALUSER'];
1104          } else {
1105              return $GLOBALS['USER'];
1106          }
1107      }
1108  
1109      /**
1110       * Login as another user - no security checks here.
1111       * @param int $userid
1112       * @param \context $context
1113       * @param bool $generateevent Set to false to prevent the loginas event to be generated
1114       * @return void
1115       */
1116      public static function loginas($userid, \context $context, $generateevent = true) {
1117          global $USER;
1118  
1119          if (self::is_loggedinas()) {
1120              return;
1121          }
1122  
1123          // Switch to fresh new $_SESSION.
1124          $_SESSION = array();
1125          $_SESSION['REALSESSION'] = clone($GLOBALS['SESSION']);
1126          $GLOBALS['SESSION'] = new \stdClass();
1127          $_SESSION['SESSION'] =& $GLOBALS['SESSION'];
1128  
1129          // Create the new $USER object with all details and reload needed capabilities.
1130          $_SESSION['REALUSER'] = clone($GLOBALS['USER']);
1131          $user = get_complete_user_data('id', $userid);
1132          $user->realuser       = $_SESSION['REALUSER']->id;
1133          $user->loginascontext = $context;
1134  
1135          // Let enrol plugins deal with new enrolments if necessary.
1136          enrol_check_plugins($user);
1137  
1138          if ($generateevent) {
1139              // Create event before $USER is updated.
1140              $event = \core\event\user_loggedinas::create(
1141                  array(
1142                      'objectid' => $USER->id,
1143                      'context' => $context,
1144                      'relateduserid' => $userid,
1145                      'other' => array(
1146                          'originalusername' => fullname($USER, true),
1147                          'loggedinasusername' => fullname($user, true)
1148                      )
1149                  )
1150              );
1151          }
1152  
1153          // Set up global $USER.
1154          \core\session\manager::set_user($user);
1155  
1156          if ($generateevent) {
1157              $event->trigger();
1158          }
1159  
1160          // Queue migrating the messaging data, if we need to.
1161          if (!get_user_preferences('core_message_migrate_data', false, $userid)) {
1162              // Check if there are any legacy messages to migrate.
1163              if (\core_message\helper::legacy_messages_exist($userid)) {
1164                  \core_message\task\migrate_message_data::queue_task($userid);
1165              } else {
1166                  set_user_preference('core_message_migrate_data', true, $userid);
1167              }
1168          }
1169      }
1170  
1171      /**
1172       * Add a JS session keepalive to the page.
1173       *
1174       * A JS session keepalive script will be called to update the session modification time every $frequency seconds.
1175       *
1176       * Upon failure, the specified error message will be shown to the user.
1177       *
1178       * @param string $identifier The string identifier for the message to show on failure.
1179       * @param string $component The string component for the message to show on failure.
1180       * @param int $frequency The update frequency in seconds.
1181       * @param int $timeout The timeout of each request in seconds.
1182       * @throws \coding_exception IF the frequency is longer than the session lifetime.
1183       */
1184      public static function keepalive($identifier = 'sessionerroruser', $component = 'error', $frequency = null, $timeout = 0) {
1185          global $CFG, $PAGE;
1186  
1187          if ($frequency) {
1188              if ($frequency > $CFG->sessiontimeout) {
1189                  // Sanity check the frequency.
1190                  throw new \coding_exception('Keepalive frequency is longer than the session lifespan.');
1191              }
1192          } else {
1193              // A frequency of sessiontimeout / 10 matches the timeouts in core/network amd module.
1194              $frequency = $CFG->sessiontimeout / 10;
1195          }
1196  
1197          $PAGE->requires->js_call_amd('core/network', 'keepalive', array(
1198                  $frequency,
1199                  $timeout,
1200                  $identifier,
1201                  $component
1202              ));
1203      }
1204  
1205      /**
1206       * Generate a new login token and store it in the session.
1207       *
1208       * @return array The current login state.
1209       */
1210      private static function create_login_token() {
1211          global $SESSION;
1212  
1213          $state = [
1214              'token' => random_string(32),
1215              'created' => time() // Server time - not user time.
1216          ];
1217  
1218          if (!isset($SESSION->logintoken)) {
1219              $SESSION->logintoken = [];
1220          }
1221  
1222          // Overwrite any previous values.
1223          $SESSION->logintoken[self::$logintokenkey] = $state;
1224  
1225          return $state;
1226      }
1227  
1228      /**
1229       * Get the current login token or generate a new one.
1230       *
1231       * All login forms generated from Moodle must include a login token
1232       * named "logintoken" with the value being the result of this function.
1233       * Logins will be rejected if they do not include this token as well as
1234       * the username and password fields.
1235       *
1236       * @return string The current login token.
1237       */
1238      public static function get_login_token() {
1239          global $CFG, $SESSION;
1240  
1241          $state = false;
1242  
1243          if (!isset($SESSION->logintoken)) {
1244              $SESSION->logintoken = [];
1245          }
1246  
1247          if (array_key_exists(self::$logintokenkey, $SESSION->logintoken)) {
1248              $state = $SESSION->logintoken[self::$logintokenkey];
1249          }
1250          if (empty($state)) {
1251              $state = self::create_login_token();
1252          }
1253  
1254          // Check token lifespan.
1255          if ($state['created'] < (time() - $CFG->sessiontimeout)) {
1256              $state = self::create_login_token();
1257          }
1258  
1259          // Return the current session login token.
1260          if (array_key_exists('token', $state)) {
1261              return $state['token'];
1262          } else {
1263              return false;
1264          }
1265      }
1266  
1267      /**
1268       * Check the submitted value against the stored login token.
1269       *
1270       * @param mixed $token The value submitted in the login form that we are validating.
1271       *                     If false is passed for the token, this function will always return true.
1272       * @return boolean If the submitted token is valid.
1273       */
1274      public static function validate_login_token($token = false) {
1275          global $CFG;
1276  
1277          if (!empty($CFG->alternateloginurl) || !empty($CFG->disablelogintoken)) {
1278              // An external login page cannot generate the login token we need to protect CSRF on
1279              // login requests.
1280              // Other custom login workflows may skip this check by setting disablelogintoken in config.
1281              return true;
1282          }
1283          if ($token === false) {
1284              // authenticate_user_login is a core function was extended to validate tokens.
1285              // For existing uses other than the login form it does not
1286              // validate that a token was generated.
1287              // Some uses that do not validate the token are login/token.php,
1288              // or an auth plugin like auth/ldap/auth.php.
1289              return true;
1290          }
1291  
1292          $currenttoken = self::get_login_token();
1293  
1294          // We need to clean the login token so the old one is not valid again.
1295          self::create_login_token();
1296  
1297          if ($currenttoken !== $token) {
1298              // Fail the login.
1299              return false;
1300          }
1301          return true;
1302      }
1303  
1304      /**
1305       * Get the recent session locks array.
1306       *
1307       * @return array Recent session locks array.
1308       */
1309      public static function get_recent_session_locks() {
1310          global $SESSION;
1311  
1312          if (!isset($SESSION->recentsessionlocks)) {
1313              // This will hold the pages that blocks other page.
1314              $SESSION->recentsessionlocks = array();
1315          }
1316  
1317          return $SESSION->recentsessionlocks;
1318      }
1319  
1320      /**
1321       * Updates the recent session locks.
1322       *
1323       * This function will store session lock info of all the pages visited.
1324       *
1325       * @param array $sessionlock Session lock array.
1326       */
1327      public static function update_recent_session_locks($sessionlock) {
1328          global $CFG, $SESSION;
1329  
1330          if (empty($CFG->debugsessionlock)) {
1331              return;
1332          }
1333  
1334          $readonlysession = defined('READ_ONLY_SESSION') && READ_ONLY_SESSION;
1335          $readonlydebugging = !empty($CFG->enable_read_only_sessions) || !empty($CFG->enable_read_only_sessions_debug);
1336          if ($readonlysession && $readonlydebugging) {
1337              return;
1338          }
1339  
1340          $SESSION->recentsessionlocks = self::get_recent_session_locks();
1341          array_push($SESSION->recentsessionlocks, $sessionlock);
1342  
1343          self::cleanup_recent_session_locks();
1344      }
1345  
1346      /**
1347       * Reset recent session locks array if there is a time gap more than SESSION_RESET_GAP_THRESHOLD.
1348       */
1349      public static function cleanup_recent_session_locks() {
1350          global $SESSION;
1351  
1352          $locks = self::get_recent_session_locks();
1353  
1354          if (count($locks) > self::MAXIMUM_STORED_SESSION_HISTORY) {
1355              // Keep the last MAXIMUM_STORED_SESSION_HISTORY locks and ignore the rest.
1356              $locks = array_slice($locks, -1 * self::MAXIMUM_STORED_SESSION_HISTORY);
1357          }
1358  
1359          if (count($locks) > 2) {
1360              for ($i = count($locks) - 1; $i > 0; $i--) {
1361                  // Calculate the gap between session locks.
1362                  $gap = $locks[$i]['released'] - $locks[$i - 1]['start'];
1363                  if ($gap >= self::SESSION_RESET_GAP_THRESHOLD) {
1364                      // Remove previous locks if the gap is 1 second or more.
1365                      $SESSION->recentsessionlocks = array_slice($locks, $i);
1366                      break;
1367                  }
1368              }
1369          }
1370      }
1371  
1372      /**
1373       * Get the page that blocks other pages at a specific timestamp.
1374       *
1375       * Look for a page whose lock was gained before that timestamp, and released after that timestamp.
1376       *
1377       * @param  float $time Time before session lock starts.
1378       * @return array|null
1379       */
1380      public static function get_locked_page_at($time) {
1381          $recentsessionlocks = self::get_recent_session_locks();
1382          foreach ($recentsessionlocks as $recentsessionlock) {
1383              if ($time >= $recentsessionlock['gained'] &&
1384                  $time <= $recentsessionlock['released']) {
1385                  return $recentsessionlock;
1386              }
1387          }
1388      }
1389  
1390      /**
1391       * Display the page which blocks other pages.
1392       *
1393       * @return string
1394       */
1395      public static function display_blocking_page() {
1396          global $PERF;
1397  
1398          $page = self::get_locked_page_at($PERF->sessionlock['start']);
1399          $output = "Script ".me()." was blocked for ";
1400          $output .= number_format($PERF->sessionlock['wait'], 3);
1401          if ($page != null) {
1402              $output .= " second(s) by script: ";
1403              $output .= $page['url'];
1404          } else {
1405              $output .= " second(s) by an unknown script.";
1406          }
1407  
1408          return $output;
1409      }
1410  
1411      /**
1412       * Get session lock info of the current page.
1413       *
1414       * @return array
1415       */
1416      public static function get_session_lock_info() {
1417          global $PERF;
1418  
1419          if (!isset($PERF->sessionlock)) {
1420              return null;
1421          }
1422          return $PERF->sessionlock;
1423      }
1424  
1425      /**
1426       * Display debugging info about slow and blocked script.
1427       */
1428      public static function sessionlock_debugging() {
1429          global $CFG, $PERF;
1430  
1431          if (!empty($CFG->debugsessionlock)) {
1432              if (isset($PERF->sessionlock['held']) && $PERF->sessionlock['held'] > $CFG->debugsessionlock) {
1433                  debugging("Script ".me()." locked the session for ".number_format($PERF->sessionlock['held'], 3)
1434                  ." seconds, it should close the session using \core\session\manager::write_close().", DEBUG_NORMAL);
1435              }
1436  
1437              if (isset($PERF->sessionlock['wait']) && $PERF->sessionlock['wait'] > $CFG->debugsessionlock) {
1438                  $output = self::display_blocking_page();
1439                  debugging($output, DEBUG_DEVELOPER);
1440              }
1441          }
1442      }
1443  
1444      /**
1445       * Compares two arrays and outputs the difference.
1446       *
1447       * Note - checking between objects and array type is only done at the top level.
1448       * Any changes in types below the top level will not be detected.
1449       * However, if their values are the same, they will be treated as equal.
1450       *
1451       * Any changes, such as removals, edits or additions will be detected.
1452       *
1453       * @param array $previous
1454       * @param array $current
1455       * @return array
1456       */
1457      private static function array_session_diff(array $previous, array $current) : array {
1458          // To use array_udiff_uassoc, the first array must have the most keys; this ensures every key is checked.
1459          // To do this, we first need to sort them by the length of their keys.
1460          $arrays = [$current, $previous];
1461  
1462          // Sort them by the length of their keys.
1463          usort($arrays, function ($a, $b) {
1464              return count(array_keys($b)) - count(array_keys($a));
1465          });
1466  
1467          // The largest is the first value in the $arrays, after sorting.
1468          // The smallest is then the last one.
1469          // If they are the same size, it does not matter which is which.
1470          $largest = $arrays[0];
1471          $smallest = $arrays[1];
1472  
1473          // Defines a function that casts the values to arrays.
1474          // This is so the properties are compared, instead any object's identities.
1475          $casttoarray = function ($value) {
1476              return json_decode(json_encode($value), true);
1477          };
1478  
1479          // Defines a function that compares all keys by their string value.
1480          $keycompare = function ($a, $b) {
1481              return strcmp($a, $b);
1482          };
1483  
1484          // Defines a function that compares all values by first their type, and then their values.
1485          // If the value contains any objects, they are cast to arrays before comparison.
1486          $valcompare = function ($a, $b) use ($casttoarray) {
1487              // First compare type.
1488              // If they are not the same type, they are definitely not the same.
1489              // Note we do not check types recursively.
1490              if (gettype($a) !== gettype($b)) {
1491                  return 1;
1492              }
1493  
1494              // Next compare value. Cast any objects to arrays to compare their properties,
1495              // instead of the identitiy of the object itself.
1496              $v1 = $casttoarray($a);
1497              $v2 = $casttoarray($b);
1498  
1499              if ($v1 !== $v2) {
1500                  return 1;
1501              }
1502  
1503              return 0;
1504          };
1505  
1506          // Apply the comparison functions to the two given session arrays,
1507          // making sure to use the largest array first, so that all keys are considered.
1508          return array_udiff_uassoc($largest, $smallest, $valcompare, $keycompare);
1509      }
1510  }