X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2Fsession%2FSessionInfo.php;h=287da9dde36eef54b89b93679d9f3ee748096ffe;hb=942728ab20e01bba200031b01eb606ee59279bd2;hp=1b5a834c9460ddd8bb35cc1627e5683449946cc2;hpb=ae69acacf567077b3f49d1fe6c3f3770e72a9093;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/session/SessionInfo.php b/includes/session/SessionInfo.php
index 1b5a834c94..287da9dde3 100644
--- a/includes/session/SessionInfo.php
+++ b/includes/session/SessionInfo.php
@@ -54,6 +54,7 @@ class SessionInfo {
 private $remembered = false;
 private $forceHTTPS = false;
 private $idIsSafe = false;
+ private $forceUse = false;
 
 /** @var array|null */
 private $providerMetadata = null;
@@ -72,10 +73,15 @@ class SessionInfo {
 * Defaults to true.
 * - forceHTTPS: (bool) Whether to force HTTPS for this session
 * - metadata: (array) Provider metadata, to be returned by
- * Session::getProviderMetadata().
+ * Session::getProviderMetadata(). See SessionProvider::mergeMetadata()
+ * and SessionProvider::refreshSessionInfo().
 * - idIsSafe: (bool) Set true if the 'id' did not come from the user.
 * Generally you'll use this from SessionProvider::newEmptySession(),
 * and not from any other method.
+ * - forceUse: (bool) Set true if the 'id' is from
+ * SessionProvider::hashToSessionId() to delete conflicting session
+ * store data instead of discarding this SessionInfo. Ignored unless
+ * both 'provider' and 'id' are given.
 * - copyFrom: (SessionInfo) SessionInfo to copy other data items from.
 */
 public function __construct( $priority, array $data ) {
@@ -97,6 +103,7 @@ class SessionInfo {
 'forceHTTPS' => $from->forceHTTPS,
 'metadata' => $from->providerMetadata,
 'idIsSafe' => $from->idIsSafe,
+ 'forceUse' => $from->forceUse,
 // @codeCoverageIgnoreStart
 ];
 // @codeCoverageIgnoreEnd
@@ -110,6 +117,7 @@ class SessionInfo {
 'forceHTTPS' => false,
 'metadata' => null,
 'idIsSafe' => false,
+ 'forceUse' => false,
 // @codeCoverageIgnoreStart
 ];
 // @codeCoverageIgnoreEnd
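Review bot: In the copyFrom defaults (the hunk at -97,6), `'forceUse' => $from->forceUse` is inherited independently of 'id', so if these defaults are merged underneath the caller's $data (the merge statement is outside the hunk) a caller that combines copyFrom with a different 'id' would still end up with forceUse set for an id the flag was never meant for. The constructor doc added above says the flag is only meaningful for an id from SessionProvider::hashToSessionId(), so I would add a comment above the entry such as `// forceUse describes the copied 'id'; callers overriding 'id' must also pass 'forceUse' => false`, or reset the flag when 'id' is overridden. The existing 'idIsSafe' entry appears to have the same coupling to 'id'.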
@@ -137,9 +145,11 @@ class SessionInfo {
 if ( $data['id'] !== null ) {
 $this->id = $data['id'];
 $this->idIsSafe = $data['idIsSafe'];
+ $this->forceUse = $data['forceUse'] && $this->provider;
 } else {
 $this->id = $this->provider->getManager()->generateSessionId();
 $this->idIsSafe = true;
+ $this->forceUse = false;
 }
 $this->priority = (int)$priority;
 $this->userInfo = $data['userInfo'];
@@ -185,6 +195,21 @@ class SessionInfo {
 return $this->idIsSafe;
 }
 
+ /**
+ * Force use of this SessionInfo if validation fails
+ *
+ * The normal behavior is to discard the SessionInfo if validation against
+ * the data stored in the session store fails. If this returns true,
+ * SessionManager will instead delete the session store data so this
+ * SessionInfo may still be used. This is important for providers which use
+ * deterministic IDs and so cannot just generate a random new one.
+ *
+ * @return bool
+ */
+ final public function forceUse() {
+ return $this->forceUse;
+ }
+
 /**
 * Return the priority
 * @return int
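Review bot: `$this->forceUse = $data['forceUse'] && $this->provider;` accepts the flag for any non-null 'id', including one where 'idIsSafe' is false, and nothing in the hunk ties it to an id derived by SessionProvider::hashToSessionId(). Per the docblock added in the last hunk, a true value makes SessionManager delete the stored session data when validation fails, so a provider that sets it for a client-supplied id could let a request discard stored data belonging to another session; that path lives in SessionManager and is not visible here. A comment at the assignment would make the precondition explicit, e.g. `// Only valid for provider-derived (deterministic) ids, never for an id taken from the request`, and the forceUse() docblock could repeat the same sentence. The constructor body starts and ends outside the hunk.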