Move regeneration of session ID into session classes
There were code paths that nowadays call ISession::login directly, thus bypassing the desired regeneration of the session ID. This moves the session regeneration deeper into the session handling and thus ensures that it is always called. Furthermore, I also added the session regeneration to the remember me cookie login, plus some test case expectations for this.
This commit is contained in:
parent
ebc52300e7
commit
fec41e7539
@ -442,7 +442,7 @@ class OC {
|
||||||
if (!$session->exists('SID_CREATED')) {
|
if (!$session->exists('SID_CREATED')) {
|
||||||
$session->set('SID_CREATED', time());
|
$session->set('SID_CREATED', time());
|
||||||
} else if (time() - $session->get('SID_CREATED') > $sessionLifeTime / 2) {
|
} else if (time() - $session->get('SID_CREATED') > $sessionLifeTime / 2) {
|
||||||
session_regenerate_id(true);
|
$session->regenerateId();
|
||||||
$session->set('SID_CREATED', time());
|
$session->set('SID_CREATED', time());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -131,6 +131,16 @@ class CryptoSessionData implements \ArrayAccess, ISession {
|
||||||
$this->session->clear();
|
$this->session->clear();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Wrapper around session_regenerate_id
|
||||||
|
*
|
||||||
|
* @param bool $deleteOldSession Whether to delete the old associated session file or not.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function regenerateId($deleteOldSession = true) {
|
||||||
|
$this->session->regenerateId($deleteOldSession);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Close the session and release the lock, also writes all changed data in batch
|
* Close the session and release the lock, also writes all changed data in batch
|
||||||
*/
|
*/
|
||||||
|
|
|
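Review bot: The docblock on the new CryptoSessionData::regenerateId() says "Wrapper around session_regenerate_id", but the method only delegates to the wrapped ISession, which may be an implementation that does not touch PHP's native session at all (the Memory class in this commit is a no-op). Suggest wording the summary as `* Delegates regeneration of the session ID to the wrapped session.` so readers do not assume the native session ID is rotated here. The class continues outside the hunk.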
@ -89,10 +89,9 @@ class Internal extends Session {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
public function clear() {
|
public function clear() {
|
||||||
session_unset();
|
session_unset();
|
||||||
@session_regenerate_id(true);
|
$this->regenerateId();
|
||||||
@session_start();
|
@session_start();
|
||||||
$_SESSION = array();
|
$_SESSION = array();
|
||||||
}
|
}
|
||||||
|
@ -102,14 +101,35 @@ class Internal extends Session {
|
||||||
parent::close();
|
parent::close();
|
||||||
}
|
}
|
||||||
|
|
||||||
public function reopen() {
|
/**
|
||||||
throw new \Exception('The session cannot be reopened - reopen() is ony to be used in unit testing.');
|
* Wrapper around session_regenerate_id
|
||||||
}
|
*
|
||||||
|
* @param bool $deleteOldSession Whether to delete the old associated session file or not.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function regenerateId($deleteOldSession = true) {
|
||||||
|
@session_regenerate_id($deleteOldSession);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @throws \Exception
|
||||||
|
*/
|
||||||
|
public function reopen() {
|
||||||
|
throw new \Exception('The session cannot be reopened - reopen() is ony to be used in unit testing.');
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param int $errorNumber
|
||||||
|
* @param string $errorString
|
||||||
|
* @throws \ErrorException
|
||||||
|
*/
|
||||||
public function trapError($errorNumber, $errorString) {
|
public function trapError($errorNumber, $errorString) {
|
||||||
throw new \ErrorException($errorString);
|
throw new \ErrorException($errorString);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @throws \Exception
|
||||||
|
*/
|
||||||
private function validateSession() {
|
private function validateSession() {
|
||||||
if ($this->sessionClosed) {
|
if ($this->sessionClosed) {
|
||||||
throw new \Exception('Session has been closed - no further changes to the session are allowed');
|
throw new \Exception('Session has been closed - no further changes to the session are allowed');
|
||||||
|
|
|
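Review bot: Internal::regenerateId() discards the result of `@session_regenerate_id($deleteOldSession)`; that function returns false (and warns) when no session is active or headers were already sent, and with the `@` suppression neither signal reaches callers such as User\Session::login() that now depend on this call for session-fixation protection. Before this commit OC_User::login() and the SID_CREATED branch in class OC called `session_regenerate_id(true)` unsuppressed, so a failure there was at least visible in the error log. Consider checking the return value in the style this class already uses for trapError(), e.g. `if (!@session_regenerate_id($deleteOldSession)) {` / `    throw new \Exception('Could not regenerate the session ID');` / `}`, or at minimum log the failure; note that clear() also calls this method, so confirm that a throw there is acceptable on logout. The class body continues outside both hunks.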
@ -80,6 +80,13 @@ class Memory extends Session {
|
||||||
$this->data = array();
|
$this->data = array();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Stub since the session ID does not need to get regenerated for the cache
|
||||||
|
*
|
||||||
|
* @param bool $deleteOldSession
|
||||||
|
*/
|
||||||
|
public function regenerateId($deleteOldSession = true) {}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Helper function for PHPUnit execution - don't use in non-test code
|
* Helper function for PHPUnit execution - don't use in non-test code
|
||||||
*/
|
*/
|
||||||
|
|
|
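Review bot: The docblock on the Memory::regenerateId() stub says the ID "does not need to get regenerated for the cache", which does not explain why a no-op is safe now that login() relies on this method. Suggest `* No-op: the in-memory session has no server-side session ID to rotate, so $deleteOldSession is ignored.` and, if this class is only meant for tests and CLI use, saying so explicitly in that docblock so nobody wires it into a request-handling path expecting fixation protection. The class continues outside the hunk.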
@ -162,7 +162,6 @@ class OC_User {
|
||||||
* Log in a user and regenerate a new session - if the password is ok
|
* Log in a user and regenerate a new session - if the password is ok
|
||||||
*/
|
*/
|
||||||
public static function login($loginname, $password) {
|
public static function login($loginname, $password) {
|
||||||
session_regenerate_id(true);
|
|
||||||
$result = self::getUserSession()->login($loginname, $password);
|
$result = self::getUserSession()->login($loginname, $password);
|
||||||
if ($result) {
|
if ($result) {
|
||||||
//we need to pass the user name, which may differ from login name
|
//we need to pass the user name, which may differ from login name
|
||||||
|
|
|
@ -213,6 +213,7 @@ class Session implements IUserSession, Emitter {
|
||||||
* @throws LoginException
|
* @throws LoginException
|
||||||
*/
|
*/
|
||||||
public function login($uid, $password) {
|
public function login($uid, $password) {
|
||||||
|
$this->session->regenerateId();
|
||||||
$this->manager->emit('\OC\User', 'preLogin', array($uid, $password));
|
$this->manager->emit('\OC\User', 'preLogin', array($uid, $password));
|
||||||
$user = $this->manager->checkPassword($uid, $password);
|
$user = $this->manager->checkPassword($uid, $password);
|
||||||
if ($user !== false) {
|
if ($user !== false) {
|
||||||
|
@ -243,6 +244,7 @@ class Session implements IUserSession, Emitter {
|
||||||
* @return bool
|
* @return bool
|
||||||
*/
|
*/
|
||||||
public function loginWithCookie($uid, $currentToken) {
|
public function loginWithCookie($uid, $currentToken) {
|
||||||
|
$this->session->regenerateId();
|
||||||
$this->manager->emit('\OC\User', 'preRememberedLogin', array($uid));
|
$this->manager->emit('\OC\User', 'preRememberedLogin', array($uid));
|
||||||
$user = $this->manager->get($uid);
|
$user = $this->manager->get($uid);
|
||||||
if (is_null($user)) {
|
if (is_null($user)) {
|
||||||
|
|
|
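Review bot: Both login() and loginWithCookie() now call `$this->session->regenerateId()` unconditionally as their first statement, i.e. before the password or remember-me token is checked, and neither docblock mentions it; since OC_User::login() no longer regenerates the ID itself, callers need to know this responsibility moved here. Suggest adding to each docblock a line such as `* Regenerates the session ID before authenticating, so that a session ID known to a third party is never kept after login (session fixation).` and a short inline comment above the call, `// rotate the session ID before checking credentials (session fixation)`, which also documents why the tests expect the call even for failed logins. Both methods continue outside their hunks.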
@ -86,4 +86,12 @@ interface ISession {
|
||||||
*/
|
*/
|
||||||
public function close();
|
public function close();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Wrapper around session_regenerate_id
|
||||||
|
*
|
||||||
|
* @param bool $deleteOldSession Whether to delete the old associated session file or not.
|
||||||
|
* @return void
|
||||||
|
* @since 9.0.0
|
||||||
|
*/
|
||||||
|
public function regenerateId($deleteOldSession = true);
|
||||||
}
|
}
|
||||||
|
|
|
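Review bot: Adding regenerateId() to the public ISession interface breaks every third-party implementation of it, which the `@since 9.0.0` tag acknowledges but the docblock does not; the contract should also be stated more precisely than "Wrapper around session_regenerate_id", because the Memory implementation in this commit is a no-op and callers now rely on this method for fixation protection. Suggest extending the docblock with `* Implementations must keep the current session data available under the new ID;` / `* implementations without a server-side session ID may implement this as a no-op.` (hedged: confirm that data preservation is indeed the intended guarantee for all implementations).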
@ -95,6 +95,8 @@ class Session extends \Test\TestCase {
|
||||||
|
|
||||||
public function testLoginValidPasswordEnabled() {
|
public function testLoginValidPasswordEnabled() {
|
||||||
$session = $this->getMock('\OC\Session\Memory', array(), array(''));
|
$session = $this->getMock('\OC\Session\Memory', array(), array(''));
|
||||||
|
$session->expects($this->once())
|
||||||
|
->method('regenerateId');
|
||||||
$session->expects($this->exactly(2))
|
$session->expects($this->exactly(2))
|
||||||
->method('set')
|
->method('set')
|
||||||
->with($this->callback(function ($key) {
|
->with($this->callback(function ($key) {
|
||||||
|
@ -148,6 +150,8 @@ class Session extends \Test\TestCase {
|
||||||
$session = $this->getMock('\OC\Session\Memory', array(), array(''));
|
$session = $this->getMock('\OC\Session\Memory', array(), array(''));
|
||||||
$session->expects($this->never())
|
$session->expects($this->never())
|
||||||
->method('set');
|
->method('set');
|
||||||
|
$session->expects($this->once())
|
||||||
|
->method('regenerateId');
|
||||||
|
|
||||||
$managerMethods = get_class_methods('\OC\User\Manager');
|
$managerMethods = get_class_methods('\OC\User\Manager');
|
||||||
//keep following methods intact in order to ensure hooks are
|
//keep following methods intact in order to ensure hooks are
|
||||||
|
@ -179,10 +183,12 @@ class Session extends \Test\TestCase {
|
||||||
$userSession->login('foo', 'bar');
|
$userSession->login('foo', 'bar');
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testLoginInValidPassword() {
|
public function testLoginInvalidPassword() {
|
||||||
$session = $this->getMock('\OC\Session\Memory', array(), array(''));
|
$session = $this->getMock('\OC\Session\Memory', array(), array(''));
|
||||||
$session->expects($this->never())
|
$session->expects($this->never())
|
||||||
->method('set');
|
->method('set');
|
||||||
|
$session->expects($this->once())
|
||||||
|
->method('regenerateId');
|
||||||
|
|
||||||
$managerMethods = get_class_methods('\OC\User\Manager');
|
$managerMethods = get_class_methods('\OC\User\Manager');
|
||||||
//keep following methods intact in order to ensure hooks are
|
//keep following methods intact in order to ensure hooks are
|
||||||
|
@ -217,6 +223,8 @@ class Session extends \Test\TestCase {
|
||||||
$session = $this->getMock('\OC\Session\Memory', array(), array(''));
|
$session = $this->getMock('\OC\Session\Memory', array(), array(''));
|
||||||
$session->expects($this->never())
|
$session->expects($this->never())
|
||||||
->method('set');
|
->method('set');
|
||||||
|
$session->expects($this->once())
|
||||||
|
->method('regenerateId');
|
||||||
|
|
||||||
$manager = $this->getMock('\OC\User\Manager');
|
$manager = $this->getMock('\OC\User\Manager');
|
||||||
|
|
||||||
|
@ -244,6 +252,8 @@ class Session extends \Test\TestCase {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
'foo'));
|
'foo'));
|
||||||
|
$session->expects($this->once())
|
||||||
|
->method('regenerateId');
|
||||||
|
|
||||||
$managerMethods = get_class_methods('\OC\User\Manager');
|
$managerMethods = get_class_methods('\OC\User\Manager');
|
||||||
//keep following methods intact in order to ensure hooks are
|
//keep following methods intact in order to ensure hooks are
|
||||||
|
@ -292,6 +302,8 @@ class Session extends \Test\TestCase {
|
||||||
$session = $this->getMock('\OC\Session\Memory', array(), array(''));
|
$session = $this->getMock('\OC\Session\Memory', array(), array(''));
|
||||||
$session->expects($this->never())
|
$session->expects($this->never())
|
||||||
->method('set');
|
->method('set');
|
||||||
|
$session->expects($this->once())
|
||||||
|
->method('regenerateId');
|
||||||
|
|
||||||
$managerMethods = get_class_methods('\OC\User\Manager');
|
$managerMethods = get_class_methods('\OC\User\Manager');
|
||||||
//keep following methods intact in order to ensure hooks are
|
//keep following methods intact in order to ensure hooks are
|
||||||
|
@ -334,6 +346,8 @@ class Session extends \Test\TestCase {
|
||||||
$session = $this->getMock('\OC\Session\Memory', array(), array(''));
|
$session = $this->getMock('\OC\Session\Memory', array(), array(''));
|
||||||
$session->expects($this->never())
|
$session->expects($this->never())
|
||||||
->method('set');
|
->method('set');
|
||||||
|
$session->expects($this->once())
|
||||||
|
->method('regenerateId');
|
||||||
|
|
||||||
$managerMethods = get_class_methods('\OC\User\Manager');
|
$managerMethods = get_class_methods('\OC\User\Manager');
|
||||||
//keep following methods intact in order to ensure hooks are
|
//keep following methods intact in order to ensure hooks are
|
||||||
|
|
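Review bot: The same expectation `$session->expects($this->once())` / `->method('regenerateId');` is copied into six tests in this file, which makes the intent (ID is rotated even when the password or token is rejected) easy to miss and tedious to update; a small private helper on the test case, e.g. `private function expectSessionIdRegeneration($session)`, holding those two lines, plus a one-line comment stating that regeneration is expected regardless of the login outcome, would make that behaviour explicit. The `testLoginInValidPassword` rename in the third hunk is fine. The test methods continue outside their hunks.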