Upstream/WordPress
1
0
Fork 0
mirror of https://github.com/WordPress/WordPress.git synced 2024-06-26 06:45:07 +02:00
Code Issues Projects Releases Wiki Activity

Session: move WP_Session_Tokens and WP_User_Meta_Session_Tokens into their own files via svn cp. If we move forard with autoloading, session.php is useless. We could even remove it now, and just load these new files in wp-settings.php. That can be decided post-mortem.

Browse Source 
See #37827.

Built from https://develop.svn.wordpress.org/trunk@38353


git-svn-id: http://core.svn.wordpress.org/trunk@38294 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Scott Taylor 2016-08-25 17:44:31 +00:00
parent 6620e0b3cc
commit 3d26e3513e
4 changed files with 460 additions and 435 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

317
wp-includes/class-wp-session-tokens.php Normal file
View File

@ -0,0 +1,317 @@
<?php
/**
* Session API: WP_Session_Tokens class
*
* @package WordPress
* @subpackage Session
* @since 4.7.0
*/
/**
* Abstract class for managing user session tokens.
*
* @since 4.0.0
*/
abstract class WP_Session_Tokens {
/**
* User ID.
*
* @since 4.0.0
* @access protected
* @var int User ID.
*/
protected $user_id;
/**
* Protected constructor.
*
* @since 4.0.0
*
* @param int $user_id User whose session to manage.
*/
protected function __construct( $user_id ) {
$this->user_id = $user_id;
}
/**
* Get a session token manager instance for a user.
*
* This method contains a filter that allows a plugin to swap out
* the session manager for a subclass of WP_Session_Tokens.
*
* @since 4.0.0
* @access public
* @static
*
* @param int $user_id User whose session to manage.
*/
final public static function get_instance( $user_id ) {
/**
* Filters the session token manager used.
*
* @since 4.0.0
*
* @param string $session Name of class to use as the manager.
* Default 'WP_User_Meta_Session_Tokens'.
*/
$manager = apply_filters( 'session_token_manager', 'WP_User_Meta_Session_Tokens' );
return new $manager( $user_id );
}
/**
* Hashes a session token for storage.
*
* @since 4.0.0
* @access private
*
* @param string $token Session token to hash.
* @return string A hash of the session token (a verifier).
*/
final private function hash_token( $token ) {
// If ext/hash is not present, use sha1() instead.
if ( function_exists( 'hash' ) ) {
return hash( 'sha256', $token );
} else {
return sha1( $token );
}
}
/**
* Get a user's session.
*
* @since 4.0.0
* @access public
*
* @param string $token Session token
* @return array User session
*/
final public function get( $token ) {
$verifier = $this->hash_token( $token );
return $this->get_session( $verifier );
}
/**
* Validate a user's session token as authentic.
*
* Checks that the given token is present and hasn't expired.
*
* @since 4.0.0
* @access public
*
* @param string $token Token to verify.
* @return bool Whether the token is valid for the user.
*/
final public function verify( $token ) {
$verifier = $this->hash_token( $token );
return (bool) $this->get_session( $verifier );
}
/**
* Generate a session token and attach session information to it.
*
* A session token is a long, random string. It is used in a cookie
* link that cookie to an expiration time and to ensure the cookie
* becomes invalidated upon logout.
*
* This function generates a token and stores it with the associated
* expiration time (and potentially other session information via the
* {@see 'attach_session_information'} filter).
*
* @since 4.0.0
* @access public
*
* @param int $expiration Session expiration timestamp.
* @return string Session token.
*/
final public function create( $expiration ) {
/**
* Filters the information attached to the newly created session.
*
* Could be used in the future to attach information such as
* IP address or user agent to a session.
*
* @since 4.0.0
*
* @param array $session Array of extra data.
* @param int $user_id User ID.
*/
$session = apply_filters( 'attach_session_information', array(), $this->user_id );
$session['expiration'] = $expiration;
// IP address.
if ( !empty( $_SERVER['REMOTE_ADDR'] ) ) {
$session['ip'] = $_SERVER['REMOTE_ADDR'];
}
// User-agent.
if ( ! empty( $_SERVER['HTTP_USER_AGENT'] ) ) {
$session['ua'] = wp_unslash( $_SERVER['HTTP_USER_AGENT'] );
}
// Timestamp
$session['login'] = time();
$token = wp_generate_password( 43, false, false );
$this->update( $token, $session );
return $token;
}
/**
* Update a session token.
*
* @since 4.0.0
* @access public
*
* @param string $token Session token to update.
* @param array $session Session information.
*/
final public function update( $token, $session ) {
$verifier = $this->hash_token( $token );
$this->update_session( $verifier, $session );
}
/**
* Destroy a session token.
*
* @since 4.0.0
* @access public
*
* @param string $token Session token to destroy.
*/
final public function destroy( $token ) {
$verifier = $this->hash_token( $token );
$this->update_session( $verifier, null );
}
/**
* Destroy all session tokens for this user,
* except a single token, presumably the one in use.
*
* @since 4.0.0
* @access public
*
* @param string $token_to_keep Session token to keep.
*/
final public function destroy_others( $token_to_keep ) {
$verifier = $this->hash_token( $token_to_keep );
$session = $this->get_session( $verifier );
if ( $session ) {
$this->destroy_other_sessions( $verifier );
} else {
$this->destroy_all_sessions();
}
}
/**
* Determine whether a session token is still valid,
* based on expiration.
*
* @since 4.0.0
* @access protected
*
* @param array $session Session to check.
* @return bool Whether session is valid.
*/
final protected function is_still_valid( $session ) {
return $session['expiration'] >= time();
}
/**
* Destroy all session tokens for a user.
*
* @since 4.0.0
* @access public
*/
final public function destroy_all() {
$this->destroy_all_sessions();
}
/**
* Destroy all session tokens for all users.
*
* @since 4.0.0
* @access public
* @static
*/
final public static function destroy_all_for_all_users() {
$manager = apply_filters( 'session_token_manager', 'WP_User_Meta_Session_Tokens' );
call_user_func( array( $manager, 'drop_sessions' ) );
}
/**
* Retrieve all sessions of a user.
*
* @since 4.0.0
* @access public
*
* @return array Sessions of a user.
*/
final public function get_all() {
return array_values( $this->get_sessions() );
}
/**
* This method should retrieve all sessions of a user, keyed by verifier.
*
* @since 4.0.0
* @access protected
*
* @return array Sessions of a user, keyed by verifier.
*/
abstract protected function get_sessions();
/**
* This method should look up a session by its verifier (token hash).
*
* @since 4.0.0
* @access protected
*
* @param string $verifier Verifier of the session to retrieve.
* @return array|null The session, or null if it does not exist.
*/
abstract protected function get_session( $verifier );
/**
* This method should update a session by its verifier.
*
* Omitting the second argument should destroy the session.
*
* @since 4.0.0
* @access protected
*
* @param string $verifier Verifier of the session to update.
* @param array $session Optional. Session. Omitting this argument destroys the session.
*/
abstract protected function update_session( $verifier, $session = null );
/**
* This method should destroy all session tokens for this user,
* except a single session passed.
*
* @since 4.0.0
* @access protected
*
* @param string $verifier Verifier of the session to keep.
*/
abstract protected function destroy_other_sessions( $verifier );
/**
* This method should destroy all sessions for a user.
*
* @since 4.0.0
* @access protected
*/
abstract protected function destroy_all_sessions();
/**
* This static method should destroy all session tokens for all users.
*
* @since 4.0.0
* @access public
* @static
*/
public static function drop_sessions() {}
}

139
wp-includes/class-wp-user-meta-session-tokens.php Normal file
View File

@ -0,0 +1,139 @@
<?php
/**
* Session API: WP_User_Meta_Session_Tokens class
*
* @package WordPress
* @subpackage Session
* @since 4.7.0
*/
/**
* Meta-based user sessions token manager.
*
* @since 4.0.0
*/
class WP_User_Meta_Session_Tokens extends WP_Session_Tokens {
/**
* Get all sessions of a user.
*
* @since 4.0.0
* @access protected
*
* @return array Sessions of a user.
*/
protected function get_sessions() {
$sessions = get_user_meta( $this->user_id, 'session_tokens', true );
if ( ! is_array( $sessions ) ) {
return array();
}
$sessions = array_map( array( $this, 'prepare_session' ), $sessions );
return array_filter( $sessions, array( $this, 'is_still_valid' ) );
}
/**
* Converts an expiration to an array of session information.
*
* @param mixed $session Session or expiration.
* @return array Session.
*/
protected function prepare_session( $session ) {
if ( is_int( $session ) ) {
return array( 'expiration' => $session );
}
return $session;
}
/**
* Retrieve a session by its verifier (token hash).
*
* @since 4.0.0
* @access protected
*
* @param string $verifier Verifier of the session to retrieve.
* @return array|null The session, or null if it does not exist
*/
protected function get_session( $verifier ) {
$sessions = $this->get_sessions();
if ( isset( $sessions[ $verifier ] ) ) {
return $sessions[ $verifier ];
}
return null;
}
/**
* Update a session by its verifier.
*
* @since 4.0.0
* @access protected
*
* @param string $verifier Verifier of the session to update.
* @param array $session Optional. Session. Omitting this argument destroys the session.
*/
protected function update_session( $verifier, $session = null ) {
$sessions = $this->get_sessions();
if ( $session ) {
$sessions[ $verifier ] = $session;
} else {
unset( $sessions[ $verifier ] );
}
$this->update_sessions( $sessions );
}
/**
* Update a user's sessions in the usermeta table.
*
* @since 4.0.0
* @access protected
*
* @param array $sessions Sessions.
*/
protected function update_sessions( $sessions ) {
if ( $sessions ) {
update_user_meta( $this->user_id, 'session_tokens', $sessions );
} else {
delete_user_meta( $this->user_id, 'session_tokens' );
}
}
/**
* Destroy all session tokens for a user, except a single session passed.
*
* @since 4.0.0
* @access protected
*
* @param string $verifier Verifier of the session to keep.
*/
protected function destroy_other_sessions( $verifier ) {
$session = $this->get_session( $verifier );
$this->update_sessions( array( $verifier => $session ) );
}
/**
* Destroy all session tokens for a user.
*
* @since 4.0.0
* @access protected
*/
protected function destroy_all_sessions() {
$this->update_sessions( array() );
}
/**
* Destroy all session tokens for all users.
*
* @since 4.0.0
* @access public
* @static
*/
public static function drop_sessions() {
delete_metadata( 'user', 0, 'session_tokens', false, true );
}
}

437
wp-includes/session.php
View File

@ -1,440 +1,9 @@
<?php
/**
* Abstract class for managing user session tokens.
* Session API
*
* @since 4.0.0
*/
abstract class WP_Session_Tokens {
/**
* User ID.
*
* @since 4.0.0
* @access protected
* @var int User ID.
*/
protected $user_id;
/**
* Protected constructor.
*
* @since 4.0.0
*
* @param int $user_id User whose session to manage.
*/
protected function __construct( $user_id ) {
$this->user_id = $user_id;
}
/**
* Get a session token manager instance for a user.
*
* This method contains a filter that allows a plugin to swap out
* the session manager for a subclass of WP_Session_Tokens.
*
* @since 4.0.0
* @access public
* @static
*
* @param int $user_id User whose session to manage.
*/
final public static function get_instance( $user_id ) {
/**
* Filters the session token manager used.
*
* @since 4.0.0
*
* @param string $session Name of class to use as the manager.
* Default 'WP_User_Meta_Session_Tokens'.
*/
$manager = apply_filters( 'session_token_manager', 'WP_User_Meta_Session_Tokens' );
return new $manager( $user_id );
}
/**
* Hashes a session token for storage.
*
* @since 4.0.0
* @access private
*
* @param string $token Session token to hash.
* @return string A hash of the session token (a verifier).
*/
final private function hash_token( $token ) {
// If ext/hash is not present, use sha1() instead.
if ( function_exists( 'hash' ) ) {
return hash( 'sha256', $token );
} else {
return sha1( $token );
}
}
/**
* Get a user's session.
*
* @since 4.0.0
* @access public
*
* @param string $token Session token
* @return array User session
*/
final public function get( $token ) {
$verifier = $this->hash_token( $token );
return $this->get_session( $verifier );
}
/**
* Validate a user's session token as authentic.
*
* Checks that the given token is present and hasn't expired.
*
* @since 4.0.0
* @access public
*
* @param string $token Token to verify.
* @return bool Whether the token is valid for the user.
*/
final public function verify( $token ) {
$verifier = $this->hash_token( $token );
return (bool) $this->get_session( $verifier );
}
/**
* Generate a session token and attach session information to it.
*
* A session token is a long, random string. It is used in a cookie
* link that cookie to an expiration time and to ensure the cookie
* becomes invalidated upon logout.
*
* This function generates a token and stores it with the associated
* expiration time (and potentially other session information via the
* {@see 'attach_session_information'} filter).
*
* @since 4.0.0
* @access public
*
* @param int $expiration Session expiration timestamp.
* @return string Session token.
*/
final public function create( $expiration ) {
/**
* Filters the information attached to the newly created session.
*
* Could be used in the future to attach information such as
* IP address or user agent to a session.
*
* @since 4.0.0
*
* @param array $session Array of extra data.
* @param int $user_id User ID.
*/
$session = apply_filters( 'attach_session_information', array(), $this->user_id );
$session['expiration'] = $expiration;
// IP address.
if ( !empty( $_SERVER['REMOTE_ADDR'] ) ) {
$session['ip'] = $_SERVER['REMOTE_ADDR'];
}
// User-agent.
if ( ! empty( $_SERVER['HTTP_USER_AGENT'] ) ) {
$session['ua'] = wp_unslash( $_SERVER['HTTP_USER_AGENT'] );
}
// Timestamp
$session['login'] = time();
$token = wp_generate_password( 43, false, false );
$this->update( $token, $session );
return $token;
}
/**
* Update a session token.
*
* @since 4.0.0
* @access public
*
* @param string $token Session token to update.
* @param array $session Session information.
*/
final public function update( $token, $session ) {
$verifier = $this->hash_token( $token );
$this->update_session( $verifier, $session );
}
/**
* Destroy a session token.
*
* @since 4.0.0
* @access public
*
* @param string $token Session token to destroy.
*/
final public function destroy( $token ) {
$verifier = $this->hash_token( $token );
$this->update_session( $verifier, null );
}
/**
* Destroy all session tokens for this user,
* except a single token, presumably the one in use.
*
* @since 4.0.0
* @access public
*
* @param string $token_to_keep Session token to keep.
*/
final public function destroy_others( $token_to_keep ) {
$verifier = $this->hash_token( $token_to_keep );
$session = $this->get_session( $verifier );
if ( $session ) {
$this->destroy_other_sessions( $verifier );
} else {
$this->destroy_all_sessions();
}
}
/**
* Determine whether a session token is still valid,
* based on expiration.
*
* @since 4.0.0
* @access protected
*
* @param array $session Session to check.
* @return bool Whether session is valid.
*/
final protected function is_still_valid( $session ) {
return $session['expiration'] >= time();
}
/**
* Destroy all session tokens for a user.
*
* @since 4.0.0
* @access public
*/
final public function destroy_all() {
$this->destroy_all_sessions();
}
/**
* Destroy all session tokens for all users.
*
* @since 4.0.0
* @access public
* @static
*/
final public static function destroy_all_for_all_users() {
$manager = apply_filters( 'session_token_manager', 'WP_User_Meta_Session_Tokens' );
call_user_func( array( $manager, 'drop_sessions' ) );
}
/**
* Retrieve all sessions of a user.
*
* @since 4.0.0
* @access public
*
* @return array Sessions of a user.
*/
final public function get_all() {
return array_values( $this->get_sessions() );
}
/**
* This method should retrieve all sessions of a user, keyed by verifier.
*
* @since 4.0.0
* @access protected
*
* @return array Sessions of a user, keyed by verifier.
*/
abstract protected function get_sessions();
/**
* This method should look up a session by its verifier (token hash).
*
* @since 4.0.0
* @access protected
*
* @param string $verifier Verifier of the session to retrieve.
* @return array|null The session, or null if it does not exist.
*/
abstract protected function get_session( $verifier );
/**
* This method should update a session by its verifier.
*
* Omitting the second argument should destroy the session.
*
* @since 4.0.0
* @access protected
*
* @param string $verifier Verifier of the session to update.
* @param array $session Optional. Session. Omitting this argument destroys the session.
*/
abstract protected function update_session( $verifier, $session = null );
/**
* This method should destroy all session tokens for this user,
* except a single session passed.
*
* @since 4.0.0
* @access protected
*
* @param string $verifier Verifier of the session to keep.
*/
abstract protected function destroy_other_sessions( $verifier );
/**
* This method should destroy all sessions for a user.
*
* @since 4.0.0
* @access protected
*/
abstract protected function destroy_all_sessions();
/**
* This static method should destroy all session tokens for all users.
*
* @since 4.0.0
* @access public
* @static
*/
public static function drop_sessions() {}
}
/**
* Meta-based user sessions token manager.
*
* @since 4.0.0
*/
class WP_User_Meta_Session_Tokens extends WP_Session_Tokens {
/**
* Get all sessions of a user.
*
* @since 4.0.0
* @access protected
*
* @return array Sessions of a user.
*/
protected function get_sessions() {
$sessions = get_user_meta( $this->user_id, 'session_tokens', true );
if ( ! is_array( $sessions ) ) {
return array();
}
$sessions = array_map( array( $this, 'prepare_session' ), $sessions );
return array_filter( $sessions, array( $this, 'is_still_valid' ) );
}
/**
* Converts an expiration to an array of session information.
*
* @param mixed $session Session or expiration.
* @return array Session.
*/
protected function prepare_session( $session ) {
if ( is_int( $session ) ) {
return array( 'expiration' => $session );
}
return $session;
}
/**
* Retrieve a session by its verifier (token hash).
*
* @since 4.0.0
* @access protected
*
* @param string $verifier Verifier of the session to retrieve.
* @return array|null The session, or null if it does not exist
*/
protected function get_session( $verifier ) {
$sessions = $this->get_sessions();
if ( isset( $sessions[ $verifier ] ) ) {
return $sessions[ $verifier ];
}
return null;
}
/**
* Update a session by its verifier.
*
* @since 4.0.0
* @access protected
*
* @param string $verifier Verifier of the session to update.
* @param array $session Optional. Session. Omitting this argument destroys the session.
*/
protected function update_session( $verifier, $session = null ) {
$sessions = $this->get_sessions();
if ( $session ) {
$sessions[ $verifier ] = $session;
} else {
unset( $sessions[ $verifier ] );
}
$this->update_sessions( $sessions );
}
/**
* Update a user's sessions in the usermeta table.
*
* @since 4.0.0
* @access protected
*
* @param array $sessions Sessions.
*/
protected function update_sessions( $sessions ) {
if ( $sessions ) {
update_user_meta( $this->user_id, 'session_tokens', $sessions );
} else {
delete_user_meta( $this->user_id, 'session_tokens' );
}
}
/**
* Destroy all session tokens for a user, except a single session passed.
*
* @since 4.0.0
* @access protected
*
* @param string $verifier Verifier of the session to keep.
*/
protected function destroy_other_sessions( $verifier ) {
$session = $this->get_session( $verifier );
$this->update_sessions( array( $verifier => $session ) );
}
/**
* Destroy all session tokens for a user.
*
* @since 4.0.0
* @access protected
*/
protected function destroy_all_sessions() {
$this->update_sessions( array() );
}
/**
* Destroy all session tokens for all users.
*
* @since 4.0.0
* @access public
* @static
*/
public static function drop_sessions() {
delete_metadata( 'user', 0, 'session_tokens', false, true );
}
}
require_once( ABSPATH . WPINC . '/class-wp-session-tokens.php' );
require_once( ABSPATH . WPINC . '/class-wp-user-meta-session-tokens.php' );

2
wp-includes/version.php
View File

@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version = '4.7-alpha-38352';
$wp_version = '4.7-alpha-38353';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.