A snapshot of the session is now taken when write_close is called.
The session at shutdown is then compared to the snapshot. If changes
are detected, they are logged. This aids developers in seeing if
early session closes may be having unintended consequences.
Previously, newly added keys to the session were not detected. Objects
with the same properties were also incorrectly reported as different.
This commit improves this, and updates the unit tests to reflect the
new functionality.
The PHP_CodeSniffer @codingStandardsIgnore annotations are deprecated
and, since version 3.x, the new // phpcs:ignore comments should be used
instead.
This commits just reviews all the uses in core, replacing them for
the better new candidate, or removing when no longer needed.
This commit removes code that only was being executed by php < 73
and it's 100% safe to do so because Moodle 3.11 and up require
php 73, hence it was not executed ever.
Removed code includes:
- ldap_control_paged_result and ldap_control_paged_result_response
(that were deprecated in php 73 and have been removed in php 80).
- conditional code in the session manager, where some hacks were
needed for php < 73. Note that this removes the private function
append_samesite_cookie_attribute() completely because it was
doinf nothing (first line was returning for php < 73).
- Also removed the old session.hash_function ini setting because
it was removed in php 71.
Kept code includes:
- The environmental check_igbinary322_version test has not been
removed because it doesn't hurt (always returns "ok" for php 73
sites) and doing it would involve to backport the environment.xml
file to 39 and 310. Instead, a note has been added to MDL-71747
in order to get rid of that check for 4.1 and up.
When session lock debugging and read only sessions deubgging are both
enabled, session lock debugging becomes moot. This patch causes
the session lock deubgging code to exit early if read only sessions
debugging is enabled.
Prior to this patch the debugging mode (when enabled) would trigger
on everywhere, regardless of whether or not READ_ONLY_SESSION is defined.
This patch modifies that behaviour so that the debugging only kicks in
if READ_ONLY_SESSION is defined and set to true.
If a developer has debugging on then they will recieve all debugging
messages for locking whether wanted or not. We already have a setting
to display these messages.
CSRF protection for the login form. The authenticate_user_login function was
extended to validate the token (in \core\session\manager) but by default it
does not perform the extra validation. Existing uses of this function from
auth plugins and features like "change password" will continue to work without
changes. New config value $CFG->disablelogintoken can bypass this check.
We should complete the deletion process using the same
user that started it.
Added a new param to loginas() to prevent the event to be generated as
there is no need to generate an new event for that as the user didn't
explicitly loginas again.
This is primarily because iOS has changed something under the hood which
means that only session cookies which have an expiry are passed around the
OS.
In order to make media playable outside of the browser (e.g. a video), we
must set a session cookie timeout.
Since the session timeout is configurable, this patch sets the cookie
timeout to the session timeout plus a period of one week.
This ensures that videos continue to work, and that the expired session
message is shown on the login page, but without requiring excessively long
session times.
For pages where there will be significant user interaction in which the
server is not updated, it may be necessary to poll the server periodically
to touch the session.
This makes use of the existing checknet script which was designed for
checking network connectivity but fits into this use-case reasonably well.
This reverses the references used for global $USER and $SESSION,
the reason is that PHP does not allow references to references.
$USER is a reference to $GLOBALS['USER'] which means we cannot
put any references to it. Solution is to store the current user and session
objects in $GLOBALS['USER'] and $GLOBALS['SESSIOn'] are reference
them in $_SESSION.
This patch makes the session code behave the same way in CLI,
phpunit and normal web requests - this allows use to finally
unit test most aspects of the session code in Moodle.
