- Timestamp:
- 08/25/2016 05:43:41 PM (8 years ago)
- File:
-
- 1 copied
Legend:
- Unmodified
- Added
- Removed
-
trunk/src/wp-includes/class-wp-user-meta-session-tokens.php
r38350 r38353 1 1 <?php 2 2 /** 3 * Abstract class for managing user session tokens.3 * Session API: WP_User_Meta_Session_Tokens class 4 4 * 5 * @since 4.0.0 5 * @package WordPress 6 * @subpackage Session 7 * @since 4.7.0 6 8 */ 7 abstract class WP_Session_Tokens {8 9 /**10 * User ID.11 *12 * @since 4.0.013 * @access protected14 * @var int User ID.15 */16 protected $user_id;17 18 /**19 * Protected constructor.20 *21 * @since 4.0.022 *23 * @param int $user_id User whose session to manage.24 */25 protected function __construct( $user_id ) {26 $this->user_id = $user_id;27 }28 29 /**30 * Get a session token manager instance for a user.31 *32 * This method contains a filter that allows a plugin to swap out33 * the session manager for a subclass of WP_Session_Tokens.34 *35 * @since 4.0.036 * @access public37 * @static38 *39 * @param int $user_id User whose session to manage.40 */41 final public static function get_instance( $user_id ) {42 /**43 * Filters the session token manager used.44 *45 * @since 4.0.046 *47 * @param string $session Name of class to use as the manager.48 * Default 'WP_User_Meta_Session_Tokens'.49 */50 $manager = apply_filters( 'session_token_manager', 'WP_User_Meta_Session_Tokens' );51 return new $manager( $user_id );52 }53 54 /**55 * Hashes a session token for storage.56 *57 * @since 4.0.058 * @access private59 *60 * @param string $token Session token to hash.61 * @return string A hash of the session token (a verifier).62 */63 final private function hash_token( $token ) {64 // If ext/hash is not present, use sha1() instead.65 if ( function_exists( 'hash' ) ) {66 return hash( 'sha256', $token );67 } else {68 return sha1( $token );69 }70 }71 72 /**73 * Get a user's session.74 *75 * @since 4.0.076 * @access public77 *78 * @param string $token Session token79 * @return array User session80 */81 final public function get( $token ) {82 $verifier = $this->hash_token( $token );83 return $this->get_session( $verifier );84 }85 86 /**87 * Validate a user's session token as authentic.88 *89 * Checks that the given token is present and hasn't expired.90 *91 * @since 4.0.092 * @access public93 *94 * @param string $token Token to verify.95 * @return bool Whether the token is valid for the user.96 */97 final public function verify( $token ) {98 $verifier = $this->hash_token( $token );99 return (bool) $this->get_session( $verifier );100 }101 102 /**103 * Generate a session token and attach session information to it.104 *105 * A session token is a long, random string. It is used in a cookie106 * link that cookie to an expiration time and to ensure the cookie107 * becomes invalidated upon logout.108 *109 * This function generates a token and stores it with the associated110 * expiration time (and potentially other session information via the111 * {@see 'attach_session_information'} filter).112 *113 * @since 4.0.0114 * @access public115 *116 * @param int $expiration Session expiration timestamp.117 * @return string Session token.118 */119 final public function create( $expiration ) {120 /**121 * Filters the information attached to the newly created session.122 *123 * Could be used in the future to attach information such as124 * IP address or user agent to a session.125 *126 * @since 4.0.0127 *128 * @param array $session Array of extra data.129 * @param int $user_id User ID.130 */131 $session = apply_filters( 'attach_session_information', array(), $this->user_id );132 $session['expiration'] = $expiration;133 134 // IP address.135 if ( !empty( $_SERVER['REMOTE_ADDR'] ) ) {136 $session['ip'] = $_SERVER['REMOTE_ADDR'];137 }138 139 // User-agent.140 if ( ! empty( $_SERVER['HTTP_USER_AGENT'] ) ) {141 $session['ua'] = wp_unslash( $_SERVER['HTTP_USER_AGENT'] );142 }143 144 // Timestamp145 $session['login'] = time();146 147 $token = wp_generate_password( 43, false, false );148 149 $this->update( $token, $session );150 151 return $token;152 }153 154 /**155 * Update a session token.156 *157 * @since 4.0.0158 * @access public159 *160 * @param string $token Session token to update.161 * @param array $session Session information.162 */163 final public function update( $token, $session ) {164 $verifier = $this->hash_token( $token );165 $this->update_session( $verifier, $session );166 }167 168 /**169 * Destroy a session token.170 *171 * @since 4.0.0172 * @access public173 *174 * @param string $token Session token to destroy.175 */176 final public function destroy( $token ) {177 $verifier = $this->hash_token( $token );178 $this->update_session( $verifier, null );179 }180 181 /**182 * Destroy all session tokens for this user,183 * except a single token, presumably the one in use.184 *185 * @since 4.0.0186 * @access public187 *188 * @param string $token_to_keep Session token to keep.189 */190 final public function destroy_others( $token_to_keep ) {191 $verifier = $this->hash_token( $token_to_keep );192 $session = $this->get_session( $verifier );193 if ( $session ) {194 $this->destroy_other_sessions( $verifier );195 } else {196 $this->destroy_all_sessions();197 }198 }199 200 /**201 * Determine whether a session token is still valid,202 * based on expiration.203 *204 * @since 4.0.0205 * @access protected206 *207 * @param array $session Session to check.208 * @return bool Whether session is valid.209 */210 final protected function is_still_valid( $session ) {211 return $session['expiration'] >= time();212 }213 214 /**215 * Destroy all session tokens for a user.216 *217 * @since 4.0.0218 * @access public219 */220 final public function destroy_all() {221 $this->destroy_all_sessions();222 }223 224 /**225 * Destroy all session tokens for all users.226 *227 * @since 4.0.0228 * @access public229 * @static230 */231 final public static function destroy_all_for_all_users() {232 $manager = apply_filters( 'session_token_manager', 'WP_User_Meta_Session_Tokens' );233 call_user_func( array( $manager, 'drop_sessions' ) );234 }235 236 /**237 * Retrieve all sessions of a user.238 *239 * @since 4.0.0240 * @access public241 *242 * @return array Sessions of a user.243 */244 final public function get_all() {245 return array_values( $this->get_sessions() );246 }247 248 /**249 * This method should retrieve all sessions of a user, keyed by verifier.250 *251 * @since 4.0.0252 * @access protected253 *254 * @return array Sessions of a user, keyed by verifier.255 */256 abstract protected function get_sessions();257 258 /**259 * This method should look up a session by its verifier (token hash).260 *261 * @since 4.0.0262 * @access protected263 *264 * @param string $verifier Verifier of the session to retrieve.265 * @return array|null The session, or null if it does not exist.266 */267 abstract protected function get_session( $verifier );268 269 /**270 * This method should update a session by its verifier.271 *272 * Omitting the second argument should destroy the session.273 *274 * @since 4.0.0275 * @access protected276 *277 * @param string $verifier Verifier of the session to update.278 * @param array $session Optional. Session. Omitting this argument destroys the session.279 */280 abstract protected function update_session( $verifier, $session = null );281 282 /**283 * This method should destroy all session tokens for this user,284 * except a single session passed.285 *286 * @since 4.0.0287 * @access protected288 *289 * @param string $verifier Verifier of the session to keep.290 */291 abstract protected function destroy_other_sessions( $verifier );292 293 /**294 * This method should destroy all sessions for a user.295 *296 * @since 4.0.0297 * @access protected298 */299 abstract protected function destroy_all_sessions();300 301 /**302 * This static method should destroy all session tokens for all users.303 *304 * @since 4.0.0305 * @access public306 * @static307 */308 public static function drop_sessions() {}309 }310 9 311 10 /**
Note: See TracChangeset
for help on using the changeset viewer.