src/applications/auth/engine/PhabricatorAuthSessionEngine.php
| Show First 20 Lines • Show All 152 Lines • ▼ Show 20 Lines | $session_dict = array( | ||||
| 'type' => $session_type, | 'type' => $session_type, | ||||
| ); | ); | ||||
| foreach ($info as $key => $value) { | foreach ($info as $key => $value) { | ||||
| if (strncmp($key, 's_', 2) === 0) { | if (strncmp($key, 's_', 2) === 0) { | ||||
| unset($info[$key]); | unset($info[$key]); | ||||
| $session_dict[substr($key, 2)] = $value; | $session_dict[substr($key, 2)] = $value; | ||||
| } | } | ||||
| } | } | ||||
| $user = $user_table->loadFromArray($info); | |||||
| switch ($session_type) { | |||||
| case PhabricatorAuthSession::TYPE_WEB: | |||||
| // Explicitly prevent bots and mailing lists from establishing web | |||||
| // sessions. It's normally impossible to attach authentication to these | |||||
| // accounts, and likewise impossible to generate sessions, but it's | |||||
| // technically possible that a session could exist in the database. If | |||||
| // one does somehow, refuse to load it. | |||||
| if (!$user->canEstablishWebSessions()) { | |||||
| return null; | |||||
| } | |||||
| break; | |||||
| } | |||||
| $session = id(new PhabricatorAuthSession())->loadFromArray($session_dict); | $session = id(new PhabricatorAuthSession())->loadFromArray($session_dict); | ||||
| $ttl = PhabricatorAuthSession::getSessionTypeTTL($session_type); | $ttl = PhabricatorAuthSession::getSessionTypeTTL($session_type); | ||||
| // If more than 20% of the time on this session has been used, refresh the | // If more than 20% of the time on this session has been used, refresh the | ||||
| // TTL back up to the full duration. The idea here is that sessions are | // TTL back up to the full duration. The idea here is that sessions are | ||||
| // good forever if used regularly, but get GC'd when they fall out of use. | // good forever if used regularly, but get GC'd when they fall out of use. | ||||
| // NOTE: If we begin rotating session keys when extending sessions, the | // NOTE: If we begin rotating session keys when extending sessions, the | ||||
| // CSRF code needs to be updated so CSRF tokens survive session rotation. | // CSRF code needs to be updated so CSRF tokens survive session rotation. | ||||
| if (time() + (0.80 * $ttl) > $session->getSessionExpires()) { | if (time() + (0.80 * $ttl) > $session->getSessionExpires()) { | ||||
| $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites(); | $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites(); | ||||
| $conn_w = $session_table->establishConnection('w'); | $conn_w = $session_table->establishConnection('w'); | ||||
| queryfx( | queryfx( | ||||
| $conn_w, | $conn_w, | ||||
| 'UPDATE %T SET sessionExpires = UNIX_TIMESTAMP() + %d WHERE id = %d', | 'UPDATE %T SET sessionExpires = UNIX_TIMESTAMP() + %d WHERE id = %d', | ||||
| $session->getTableName(), | $session->getTableName(), | ||||
| $ttl, | $ttl, | ||||
| $session->getID()); | $session->getID()); | ||||
| unset($unguarded); | unset($unguarded); | ||||
| } | } | ||||
| $user = $user_table->loadFromArray($info); | |||||
| $user->attachSession($session); | $user->attachSession($session); | ||||
| return $user; | return $user; | ||||
| } | } | ||||
| /** | /** | ||||
| * Issue a new session key for a given identity. Phabricator supports | * Issue a new session key for a given identity. Phabricator supports | ||||
| * different types of sessions (like "web" and "conduit") and each session | * different types of sessions (like "web" and "conduit") and each session | ||||
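Review bot: The new `canEstablishWebSessions()` guard returns null before the TTL refresh further down, so a forbidden web session is not kept alive but is also not removed — the row presumably stays in the table until it expires and is GC'd, and the session/user lookup is repeated on every request that presents that key. That ordering is the security-relevant part of the change and is worth stating in the comment above the check, e.g. `// Return before the TTL refresh below: the row is not extended, so it expires and is GC'd like any unused session.`, so a later refactor does not move the refresh ahead of this guard. The `switch` has a single `case` and no `default`, which means any session type added later is permitted for every account type by default; if that is intended, a `default: break;` with a one-line comment would make the policy explicit rather than implicit. `canEstablishWebSessions()` is defined outside this changeset, so which account types it rejects cannot be confirmed here, and the enclosing method begins before the first visible line.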