X-Git-Url: http://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2Fsession%2FSessionInfo.php;h=577e03a264293ff118e58cf0aa6d22003dac61fb;hb=3ba2de358dc7de6820974726104fb2b36a0cf1fb;hp=ff40aa5a5d2b8d66b206acde3e52989d41752917;hpb=9193046880a4f1db46f7376c14decc9f952aa01e;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/session/SessionInfo.php b/includes/session/SessionInfo.php
index ff40aa5a5d..577e03a264 100644
--- a/includes/session/SessionInfo.php
+++ b/includes/session/SessionInfo.php
@@ -54,6 +54,7 @@ class SessionInfo {
 private $remembered = false;
 private $forceHTTPS = false;
 private $idIsSafe = false;
+ private $forceUse = false;

 /** @var array|null */
 private $providerMetadata = null;
@@ -72,10 +73,15 @@ class SessionInfo {
 * Defaults to true.
 * - forceHTTPS: (bool) Whether to force HTTPS for this session
 * - metadata: (array) Provider metadata, to be returned by
- * Session::getProviderMetadata().
+ * Session::getProviderMetadata(). See SessionProvider::mergeMetadata()
+ * and SessionProvider::refreshSessionInfo().
 * - idIsSafe: (bool) Set true if the 'id' did not come from the user.
 * Generally you'll use this from SessionProvider::newEmptySession(),
 * and not from any other method.
+ * - forceUse: (bool) Set true if the 'id' is from
+ * SessionProvider::hashToSessionId() to delete conflicting session
+ * store data instead of discarding this SessionInfo. Ignored unless
+ * both 'provider' and 'id' are given.
 * - copyFrom: (SessionInfo) SessionInfo to copy other data items from.
 */
 public function __construct( $priority, array $data ) {
@@ -88,7 +94,7 @@ class SessionInfo {
 if ( !$from instanceof SessionInfo ) {
 throw new \InvalidArgumentException( 'Invalid copyFrom' );
 }
- $data += array(
+ $data += [
 'provider' => $from->provider,
 'id' => $from->id,
 'userInfo' => $from->userInfo,
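Review bot: The new 'forceUse' entry in the constructor docblock (second hunk, `@@ -72,10 +73,15 @@`) names the effect of the flag but not the condition that makes it safe to set. Going by this text, a validation failure with the flag set deletes stored session data instead of dropping the SessionInfo, so it presumably must never be set for an ID a client can choose. I would add one sentence such as `Never set this for an 'id' taken from the request.` after the hashToSessionId() reference. The docblock begins above the hunk.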
@@ -97,11 +103,12 @@ class SessionInfo {
 'forceHTTPS' => $from->forceHTTPS,
 'metadata' => $from->providerMetadata,
 'idIsSafe' => $from->idIsSafe,
+ 'forceUse' => $from->forceUse,
 // @codeCoverageIgnoreStart
- );
+ ];
 // @codeCoverageIgnoreEnd
 } else {
- $data += array(
+ $data += [
 'provider' => null,
 'id' => null,
 'userInfo' => null,
@@ -110,8 +117,9 @@ class SessionInfo {
 'forceHTTPS' => false,
 'metadata' => null,
 'idIsSafe' => false,
+ 'forceUse' => false,
 // @codeCoverageIgnoreStart
- );
+ ];
 // @codeCoverageIgnoreEnd
 }

@@ -137,9 +145,11 @@ class SessionInfo {
 if ( $data['id'] !== null ) {
 $this->id = $data['id'];
 $this->idIsSafe = $data['idIsSafe'];
+ $this->forceUse = $data['forceUse'] && $this->provider;
 } else {
 $this->id = $this->provider->getManager()->generateSessionId();
 $this->idIsSafe = true;
+ $this->forceUse = false;
 }
 $this->priority = (int)$priority;
 $this->userInfo = $data['userInfo'];
@@ -185,6 +195,21 @@ class SessionInfo {
 return $this->idIsSafe;
 }

+ /**
+ * Force use of this SessionInfo if validation fails
+ *
+ * The normal behavior is to discard the SessionInfo if validation against
+ * the data stored in the session store fails. If this returns true,
+ * SessionManager will instead delete the session store data so this
+ * SessionInfo may still be used. This is important for providers which use
+ * deterministic IDs and so cannot just generate a random new one.
+ *
+ * @return bool
+ */
+ final public function forceUse() {
+ return $this->forceUse;
+ }
+
 /**
 * Return the priority
 * @return int
@@ -203,9 +228,6 @@ class SessionInfo {

 /**
 * Return whether the session is persisted
- *
- * i.e. a session ID was given to the constuctor
- *
 * @return bool
 */
 final public function wasPersisted() {
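Review bot: In the copyFrom defaults (hunk `@@ -97,11 +103,12 @@`, line `'forceUse' => $from->forceUse,`) the flag is inherited even when the caller passes its own 'id' or 'provider' alongside copyFrom, because `+=` only fills in missing keys. A flag that was justified for the source object's deterministic ID would then apply to a different ID, and per the constructor docblock that turns a validation failure into deletion of stored session data. Consider inheriting it only when the ID is inherited as well, `'forceUse' => isset( $data['id'] ) ? false : $from->forceUse,`, or state in the docblock that callers overriding 'id' must pass 'forceUse' explicitly. The array literal opens in the previous hunk.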
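Review bot: `$this->forceUse = $data['forceUse'] && $this->provider;` (hunk `@@ -137,9 +145,11 @@`) relies on object truthiness and gives no hint why the provider matters here. `$this->forceUse = $data['forceUse'] && $this->provider !== null;` states the intent, and a short comment such as `// only honoured when a provider supplied the ID, see constructor docs` would tie the line to the docblock's "Ignored unless both 'provider' and 'id' are given". This assumes $this->provider is assigned earlier in the constructor, which lies outside the hunk.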
@@ -260,7 +282,7 @@ class SessionInfo {
 * @return int Negative if $a < $b, positive if $a > $b, zero if equal
 */
 public static function compare( $a, $b ) {
- return $a->getPriority() - $b->getPriority();
+ return $a->getPriority() <=> $b->getPriority();
 }

 }