use Liuggio\StatsdClient\Sender\SocketSender;
use MediaWiki\Logger\LoggerFactory;
-use MediaWiki\Session\SessionManager;
// Hide compatibility functions from Doxygen
/// @cond
/**
* Check if there is sufficient entropy in php's built-in session generation
*
- * @deprecated since 1.27, PHP's session generation isn't used with
- * MediaWiki\\Session\\SessionManager
* @return bool True = there is sufficient entropy
*/
function wfCheckEntropy() {
- wfDeprecated( __FUNCTION__, '1.27' );
return (
( wfIsWindows() && version_compare( PHP_VERSION, '5.3.3', '>=' ) )
|| ini_get( 'session.entropy_file' )
}
/**
- * @deprecated since 1.27, PHP's session generation isn't used with
- * MediaWiki\\Session\\SessionManager
+ * Override session_id before session startup if php's built-in
+ * session generation code is not secure.
*/
function wfFixSessionID() {
- wfDeprecated( __FUNCTION__, '1.27' );
+ // If the cookie or session id is already set we already have a session and should abort
+ if ( isset( $_COOKIE[session_name()] ) || session_id() ) {
+ return;
+ }
+
+ // PHP's built-in session entropy is enabled if:
+ // - entropy_file is set or you're on Windows with php 5.3.3+
+ // - AND entropy_length is > 0
+ // We treat it as disabled if it doesn't have an entropy length of at least 32
+ $entropyEnabled = wfCheckEntropy();
+
+ // If built-in entropy is not enabled or not sufficient override PHP's
+ // built in session id generation code
+ if ( !$entropyEnabled ) {
+ wfDebug( __METHOD__ . ": PHP's built in entropy is disabled or not sufficient, " .
+ "overriding session id generation using our cryptrand source.\n" );
+ session_id( MWCryptRand::generateHex( 32 ) );
+ }
}
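Review bot: The early return at the top of wfFixSessionID() keeps whatever id arrives in `$_COOKIE[session_name()]`, so the MWCryptRand id is only used when the client sent no cookie. Whether PHP then adopts an id it never issued depends on `session.use_strict_mode`, which this change does not set, so the function alone does not protect against a pre-set session id. I would record that above the check, e.g. `// A cookie-supplied id is kept unchanged; rotate it with wfResetSessionID() on login or other privilege change.` The comment block further down also contradicts itself ("entropy_length is > 0" versus "at least 32") and should state one threshold.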
/**
- * Reset the session id
+ * Reset the session_id
*
- * @deprecated since 1.27, use MediaWiki\\Session\\SessionManager instead
* @since 1.22
*/
function wfResetSessionID() {
- wfDeprecated( __FUNCTION__, '1.27' );
- $session = SessionManager::getGlobalSession();
- $delay = $session->delaySave();
-
- $session->resetId();
-
- // Make sure a session is started, since that's what the old
- // wfResetSessionID() did.
- if ( session_id() !== $session->getId() ) {
- wfSetupSession( $session->getId() );
+ global $wgCookieSecure;
+ $oldSessionId = session_id();
+ $cookieParams = session_get_cookie_params();
+ if ( wfCheckEntropy() && $wgCookieSecure == $cookieParams['secure'] ) {
+ session_regenerate_id( false );
+ } else {
+ $tmp = $_SESSION;
+ session_destroy();
+ wfSetupSession( MWCryptRand::generateHex( 32 ) );
+ $_SESSION = $tmp;
}
-
- ScopedCallback::consume( $delay );
+ $newSessionId = session_id();
}
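Review bot: The two branches of wfResetSessionID() treat the old id differently: `session_regenerate_id( false )` leaves the old session record in storage, while the else branch calls `session_destroy()` before starting the new session. If callers rely on this function to rotate the id at login (not visible here), the old id should stop resolving on both paths, i.e. `session_regenerate_id( true );`. The guard also uses a loose `==` between `$wgCookieSecure` and `$cookieParams['secure']`. If the setting can hold a non-boolean value, an explicit `(bool)$wgCookieSecure === (bool)$cookieParams['secure']` would make the intended comparison clear.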
/**
* Initialise php session
*
- * @deprecated since 1.27, use MediaWiki\\Session\\SessionManager instead.
- * Generally, "using" SessionManager will be calling ->getSessionById() or
- * ::getGlobalSession() (depending on whether you were passing $sessionId
- * here), then calling $session->persist().
- * @param bool|string $sessionId
+ * @param bool $sessionId
*/
function wfSetupSession( $sessionId = false ) {
- wfDeprecated( __FUNCTION__, '1.27' );
+ global $wgSessionsInObjectCache, $wgSessionHandler;
+ global $wgCookiePath, $wgCookieDomain, $wgCookieSecure, $wgCookieHttpOnly;
- // If they're calling this, they probably want our session management even
- // if NO_SESSION was set for Setup.php.
- if ( !MediaWiki\Session\PHPSessionHandler::isInstalled() ) {
- MediaWiki\Session\PHPSessionHandler::install( SessionManager::singleton() );
+ if ( $wgSessionsInObjectCache ) {
+ ObjectCacheSessionHandler::install();
+ } elseif ( $wgSessionHandler && $wgSessionHandler != ini_get( 'session.save_handler' ) ) {
+ # Only set this if $wgSessionHandler isn't null and session.save_handler
+ # hasn't already been set to the desired value (that causes errors)
+ ini_set( 'session.save_handler', $wgSessionHandler );
}
+ session_set_cookie_params(
+ 0, $wgCookiePath, $wgCookieDomain, $wgCookieSecure, $wgCookieHttpOnly );
+ session_cache_limiter( 'private, must-revalidate' );
if ( $sessionId ) {
session_id( $sessionId );
+ } else {
+ wfFixSessionID();
}
- $session = SessionManager::getGlobalSession();
- $session->persist();
+ MediaWiki\suppressWarnings();
+ session_start();
+ MediaWiki\restoreWarnings();
- if ( session_id() !== $session->getId() ) {
- session_id( $session->getId() );
+ if ( $wgSessionsInObjectCache ) {
+ ObjectCacheSessionHandler::renewCurrentSession();
}
- MediaWiki\quietCall( 'session_cache_limiter', 'private, must-revalidate' );
- MediaWiki\quietCall( 'session_start' );
}
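Review bot: `session_start()` runs between `MediaWiki\suppressWarnings()` and `MediaWiki\restoreWarnings()` and its return value is dropped, so a failed start is invisible and the request continues as if a session existed. In that case the `$_SESSION = $tmp;` restore in wfResetSessionID() would be lost silently. Capture the result with `$started = session_start();` and, after restoring warnings, log it with `if ( !$started ) { wfDebug( __METHOD__ . ": session_start() failed\n" ); }`. The docblock now says `@param bool $sessionId`, but the value is passed to `session_id()` and wfResetSessionID() passes a hex string, so it should stay `@param bool|string $sessionId`.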
/**