Timestamp:
07/18/2014 09:12:05 AM (6 years ago)
Author:
nacin
Message:

Tie cookies and nonces to user sessions so they may be invalidated upon logout.

Sessions are stored in usermeta via WP_User_Meta_Session_Tokens, which extends the abstract WP_Session_Tokens class. Extending WP_Session_Tokens can allow for alternative storage, such as a separate table or Redis.

Introduces some simple APIs for session listing and destruction, such as wp_get_active_sessions() and wp_destroy_all_sessions().

This invalidates all existing authentication cookies, as a new segment (the session token) has been added to them.

props duck_, nacin, mdawaffe.
see #20276.
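The design the commit message describes, as an added self-contained illustration (this is not WordPress code and does not use the real WP_Session_Tokens API): a random token goes into the cookie, the server keeps only a hash of it (the "verifier") per user, and logout removes that verifier so the cookie dies server-side even though the client still holds the same bytes. The class name DemoSessionStore, the function names parse_demo_cookie() and demo_session_lifecycle(), the in-memory array standing in for usermeta, the unkeyed SHA-256 verifier and the user ID 42 are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not WordPress code: an in-memory session-token store
// modelled on the commit message. Only a hash of the cookie token is kept, so a
// dump of the store does not yield usable cookies; deleting that hash is what
// invalidates every cookie carrying the token.
final class DemoSessionStore
{
    /** @var array<int, array<string, int>> user_id => verifier => expiration (unix time) */
    private array $sessions = [];

    /** Create a session; the returned token is what goes into the cookie. */
    public function create(int $userId, int $expiration): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits of CSPRNG output
        $this->sessions[$userId][$this->verifier($token)] = $expiration;
        return $token;
    }

    /** True only if the token maps to an unexpired session of this user. */
    public function verify(int $userId, string $token, ?int $now = null): bool
    {
        $expiration = $this->sessions[$userId][$this->verifier($token)] ?? null;
        return $expiration !== null && $expiration > ($now ?? time());
    }

    /** Logout on this device (cf. wp_destroy_current_session()). */
    public function destroy(int $userId, string $token): void
    {
        unset($this->sessions[$userId][$this->verifier($token)]);
    }

    /** "Log out everywhere else" (cf. wp_destroy_other_sessions()). */
    public function destroyOthers(int $userId, string $tokenToKeep): void
    {
        $keep = $this->verifier($tokenToKeep);
        $this->sessions[$userId] = isset($this->sessions[$userId][$keep])
            ? [$keep => $this->sessions[$userId][$keep]]
            : [];
    }

    /** Password reset or compromise: drop every session (cf. wp_destroy_all_sessions()). */
    public function destroyAll(int $userId): void
    {
        unset($this->sessions[$userId]);
    }

    public function count(int $userId): int
    {
        return count($this->sessions[$userId] ?? []);
    }

    // Simplification (assumption): an unkeyed SHA-256. A production store would
    // key this with a server-side secret so the store alone cannot forge tokens.
    private function verifier(string $token): string
    {
        return hash('sha256', $token);
    }
}

// Assumed simplified cookie layout after this change: username|expiration|token|hmac,
// the token being the new segment. A pre-change three-segment cookie fails the
// segment count and is rejected before any signature check, which is the
// mechanism behind "this invalidates all existing authentication cookies".
function parse_demo_cookie(string $cookie): ?array
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return null;
    }
    [$username, $expiration, $token, $hmac] = $parts;
    return compact('username', 'expiration', 'token', 'hmac');
}

// Constructed walk-through: user 42 logged in on two devices.
function demo_session_lifecycle(): array
{
    $store = new DemoSessionStore();
    $uid   = 42;
    $exp   = time() + 14 * 86400; // two-week expiry

    $laptop = $store->create($uid, $exp);
    $phone  = $store->create($uid, $exp);

    $r = [];
    $r['both_valid']         = $store->verify($uid, $laptop) && $store->verify($uid, $phone);
    $r['forged_rejected']    = !$store->verify($uid, str_repeat('0', 64));
    $r['stale_after_expiry'] = !$store->verify($uid, $laptop, $exp + 1);
    $r['old_cookie_rejected'] = parse_demo_cookie('admin|1405700000|deadbeef') === null;

    $store->destroyOthers($uid, $laptop);     // phone cookie is now dead, laptop still works
    $r['phone_after_others']  = $store->verify($uid, $phone);
    $r['laptop_after_others'] = $store->verify($uid, $laptop);

    $store->destroy($uid, $laptop);           // plain logout: cookie bytes unchanged client-side
    $r['laptop_after_logout'] = $store->verify($uid, $laptop);
    $r['remaining']           = $store->count($uid);

    return $r;
}

var_export(demo_session_lifecycle());
```

The point the walk-through makes is that the cookie on the phone is never touched: its token is simply no longer present in the store, so the next request carrying it fails verification. Before this change there was nothing server-side to delete, so a stolen cookie stayed valid until its expiration regardless of logout.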

File:
1 edited

  • trunk/src/wp-includes/user.php

    r29165 r29221  
    21742174    return $user_id;
    21752175}
     2176
     2177/**
     2178 * Retrieve the current session token from the logged_in cookie.
     2179 *
     2180 * @since 4.0.0
     2181 *
     2182 * @return string Token.
     2183 */
     2184function wp_get_session_token() {
     2185    $cookie = wp_parse_auth_cookie( '', 'logged_in' );
     2186    return ! empty( $cookie['token'] ) ? $cookie['token'] : '';
     2187}
     2188
     2189/**
     2190 * Retrieve a list of sessions for the current user.
     2191 *
     2192 * @since 4.0.0
     2193 * @return array Array of sessions.
     2194 */
     2195function wp_get_all_sessions() {
     2196    $manager = WP_Session_Tokens::get_instance( get_current_user_id() );
     2197    return $manager->get_all_sessions();
     2198}
     2199
     2200/**
     2201 * Remove the current session token from the database.
     2202 *
     2203 * @since 4.0.0
     2204 */
     2205function wp_destroy_current_session() {
     2206    $token = wp_get_session_token();
     2207    if ( $token ) {
     2208        $manager = WP_Session_Tokens::get_instance( get_current_user_id() );
     2209        $manager->destroy_token( $token );
     2210    }
     2211}
     2212
     2213/**
     2214 * Remove all but the current session token for the current user for the database.
     2215 *
     2216 * @since 4.0.0
     2217 */
     2218function wp_destroy_other_sessions() {
     2219    $token = wp_get_session_token();
     2220    if ( $token ) {
     2221        $manager = WP_Session_Tokens::get_instance( get_current_user_id() );
     2222        $manager->destroy_other_tokens( $token );
     2223    }
     2224}
     2225
     2226/**
     2227 * Remove all session tokens for the current user from the database.
     2228 *
     2229 * @since 4.0.0
     2230 */
     2231function wp_destroy_all_sessions() {
     2232    $manager = WP_Session_Tokens::get_instance( get_current_user_id() );
     2233    $manager->destroy_all_tokens();
     2234}
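Review bot: the docblock on wp_destroy_other_sessions() reads "for the current user for the database"; it should say "from the database", as the sibling docblocks do. Two related points in the same hunk: the commit message advertises wp_get_active_sessions() while the function actually added is wp_get_all_sessions(), so one of the two should be brought in line before the API is documented, and the wp_get_all_sessions() docblock is missing the blank `*` line between `@since 4.0.0` and `@return` that wp_get_session_token() has. Also worth a look: wp_destroy_current_session() and wp_destroy_other_sessions() return early when the cookie carries no token, but wp_get_all_sessions() and wp_destroy_all_sessions() call WP_Session_Tokens::get_instance( get_current_user_id() ) unconditionally, so for a logged-out visitor they operate on user ID 0; an early return on a zero user ID would keep them from touching the session store at all.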