Commit Graph

100 Commits

Author SHA1 Message Date
Mark Johnson 217154895c MDL-81192 sessions: Prevent false positive session change errors
If $CFG->enable_read_only_sessions_debug was not enabled, debugging could be
enabled part-way through a request when restart_with_write_lock was
called. This meant that a diff between the initial and final session
would be made during write_close(), although the intial session state
was never captured. This generated false positives in the logs, and it
thought any variable set in the session was a change from the original
value.

This ensures that debugging is enabled before the debug flag is allowed
to change, preventing false positives.
2024-04-11 08:54:39 +01:00
Juan Leyva 5e7440acdc MDL-81405 session: New core cookie helper utility class 2024-04-06 12:25:51 +02:00
Mark Johnson cb18237b5c MDL-80281 session: Don't report long session locks for readonly sessions
Previously, $CFG->sessionlockdebug was reporting long session locks for
all requests, even if they defined READ_ONLY_SESSION. This change
ensures that only sessions with locks are reported.
2023-11-28 16:21:17 +00:00
Rossco Hellmans d0385ed705 MDL-79092 session: fix recentsessionlocks mutated session debugging
In write_close() call update_recent_session_locks() before setting
$sessionatclose so that it includes $SESSION->recentsessionlocks and
doesn't trigger the debugging in check_mutated_closed_session().
2023-08-23 09:29:34 +10:00
Matt Porritt 668057c3eb MDL-50160 Administration: HTTP only cookies default set to on.
This patch removes the UI setting (cookiehttponly) for HTTP only
cookies. For new installs HTTP only cookies will default to on.
For existing sites teh behaviour will stay as set.
The behaviour can be overriden in config.php
2023-07-31 14:09:30 +10:00
Srdjan f061599fc9 MDL-72622 core: Support TLS for redis session 2023-06-27 09:49:36 +10:00
Marina Glancy 8fc1486d36 MDL-77164 various: fix incorrect phpdocs 2023-04-13 11:35:06 +01:00
Nils Adermann e63ed5511b MDL-70687 session: Redis session lock exp = max exec time
If for any reason a Redis session lock is not being released, all subsequent
requests will wait to acquire the lock, forcing them to time out eventually.
This will happen till the original lock finally expires after the session timeout.

This sets the Redis session lock expiry time to whatever is lower,
either the PHP execution time `max_execution_time`, if the value was
defined in the `php.ini` or the globally configured `sessiontimeout`.
Setting it to the lower of the two will not make things worse it if the
execution timeout is longer than the session timeout.
For the PHP execution time, once the PHP execution time is over, we can
be sure that the lock is no longer actively held so that the lock can
expire safely. Although at `lib/classes/php_time_limit.php::raise(int)`,
Moodle can progressively increase the maximum PHP execution time, this
is limited to the `max_execution_time` value defined in the `php.ini`.
For the session timeout, we assume it is safe to consider the lock to
expire once the session itself expires.
If we unnecessarily hold the lock any longer, it blocks other session
requests.

Co-authored-by: Daniel Ziegenberg <daniel@ziegenberg.at>
Signed-off-by: Daniel Ziegenberg <daniel@ziegenberg.at>
2023-03-10 12:33:53 +01:00
Paul Holden 922c61dee8 MDL-74585 core: pass string identifier/component to network keepalive.
Avoid passing potentially large amounts of data in the page AMD call,
allow the `core/network` module to load actual string content itself.
2023-02-22 13:49:30 +00:00
Matthew Hilton 4faa3204d6 MDL-73317 session: Log extra details for cachestore changes
More visibility depth is required for cachestore changes since they
are usually multi dimensional arrays.
2023-02-09 12:03:49 +10:00
Matthew Hilton 9c8d8502c0 MDL-73317 session: Log session changes after close
A snapshot of the session is now taken when write_close is called.
The session at shutdown is then compared to the snapshot. If changes
are detected, they are logged. This aids developers in seeing if
early session closes may be having unintended consequences.
2023-02-09 12:03:49 +10:00
Matthew Hilton 95077da502 MDL-73317 session: Improve session diff detection
Previously, newly added keys to the session were not detected. Objects
with the same properties were also incorrectly reported as different.

This commit improves this, and updates the unit tests to reflect the
new functionality.
2023-02-09 12:03:49 +10:00
Andrew Nicols a3cc26f8bb MDL-76583 core: Update uses of external_* classes 2023-01-19 07:34:09 +08:00
Marina Glancy b1c97381b4 MDL-76356 various: avoid implicit conversion to int
PHP before version 8.1 automatically converted to int if the function
parameter (or array key) is expected to be int. PHP 8.1 shows notice in
this case
2023-01-10 15:27:11 +01:00
Brendan Heywood 825d11ec50 MDL-76166 auth: Ensure user is in server access logs 2022-11-30 13:25:20 +11:00
sam marshall 4ab9f08ce0 MDL-75369 Redis: Remove unnecessary ping after connect
The Redis cache store and session handler both do a 'ping()' after
connecting to Redis. This is unnecessary because the connect() call
has just checked the network connection and it's hardly likely that
the server has gone down since then.

According to my profiling, both connect() and ping() take
measurable time when talking to a separate server, i.e. a few
milliseconds. So it's not the case that connect() doesn't really
talk to the server, as I initially wondered.

If using Redis on a separate (non-localhost) server for both session
and cache store, removing these ping calls can save a millisecond
or two per request.
2022-09-13 10:45:00 +01:00
Jun Pataleta de177cc564 Merge branch 'MDL-72283_allow-customisation-of-redis-session-handler-errors' of https://github.com/ziegenberg/moodle 2022-05-24 10:13:04 +08:00
Daniel Ziegenberg 01309248d8 MDL-72283 caching: internationalize redis session handler error
The 'unable to obtain session lock'-exception raised by the Redis
session handler is hardcoded in English and not all that useful
to the end user.

This change adds the error message to the lang/error.php and gives
the user further hints why the error might have occured and how it
could be fixed.

Signed-off-by: Daniel Ziegenberg <daniel@ziegenberg.at>
2022-05-23 16:42:33 +02:00
Brendan Heywood e032ac9303 MDL-68668 redis: Add session lock acquire warning 2022-05-20 22:41:38 +10:00
Eloy Lafuente (stronk7) a5c91474ee MDL-71807 cleanup: Replace deprecated codingStandardsIgnore annotations
The PHP_CodeSniffer @codingStandardsIgnore annotations are deprecated
and, since version 3.x, the new // phpcs:ignore comments should be used
instead.

This commits just reviews all the uses in core, replacing them for
the better new candidate, or removing when no longer needed.
2022-03-08 10:48:53 +01:00
Eloy Lafuente (stronk7) 5300351831 MDL-73500 general: Remove php < 73 conditional code
This commit removes code that only was being executed by php < 73
and it's 100% safe to do so because Moodle 3.11 and up require
php 73, hence it was not executed ever.

Removed code includes:
- ldap_control_paged_result and ldap_control_paged_result_response
  (that were deprecated in php 73 and have been removed in php 80).
- conditional code in the session manager, where some hacks were
  needed for php < 73. Note that this removes the private function
  append_samesite_cookie_attribute() completely because it was
  doinf nothing (first line was returning for php < 73).
- Also removed the old session.hash_function ini setting because
  it was removed in php 71.

Kept code includes:
- The environmental check_igbinary322_version test has not been
  removed because it doesn't hurt (always returns "ok" for php 73
  sites) and doing it would involve to backport the environment.xml
  file to 39 and 310. Instead, a note has been added to MDL-71747
  in order to get rid of that check for 4.1 and up.
2022-01-21 19:47:55 +01:00
Andrew Nicols 47a81d8844 Merge branch 'MDL-72796_fix-retry-delay-for-redis-session-cache' of https://github.com/ziegenberg/moodle 2021-12-07 10:51:56 +08:00
Cameron Ball f71fced168 MDL-73245 cache: Fix bug with session lock debugging
When session lock debugging and read only sessions deubgging are both
enabled, session lock debugging becomes moot. This patch causes
the session lock deubgging code to exit early if read only sessions
debugging is enabled.
2021-12-06 12:15:53 +08:00
Daniel Ziegenberg 371b490a1f MDL-72796 caching: fix retry delay for redis session cache
The random retry delay for redis session cache was calculated as
rand(100000, 500000) giving an effective retry delay of 100 seconds
to 500 seconds. That's off by a factor of a thousand! Using Redis as a
session cache and when the connection hangs, you can get random
"cannot obtain session lock" errors because it's waiting up to
500 seconds (or about 8.33 minutes) for a Redis connection.
This sets the delay to the originally intended 100ms to 500ms.
(see MDL-59866).

Signed-off-by: Daniel Ziegenberg <daniel@ziegenberg.at>
2021-12-05 17:03:56 +01:00
Juan Leyva 39d96944eb MDL-66776 notifications: New login session notification 2021-11-04 11:18:00 +01:00
Cameron Ball d5eaa5224e MDL-72670 session: Correct read only debugging logic
Prior to this patch the debugging mode (when enabled) would trigger
on everywhere, regardless of whether or not READ_ONLY_SESSION is defined.

This patch modifies that behaviour so that the debugging only kicks in
if READ_ONLY_SESSION is defined and set to true.
2021-10-08 15:11:40 +08:00
Eloy Lafuente (stronk7) 8cf7878e18 Merge branch 'MDL-70424-auth-avoid-changes' of https://github.com/brendanheywood/moodle 2021-03-04 00:27:53 +01:00
Adrian Greeve cb69d6389c MDL-70828 performance: Allow session locking issue to be turned off.
If a developer has debugging on then they will recieve all debugging
messages for locking whether wanted or not. We already have a setting
to display these messages.
2021-02-24 11:26:08 +08:00
Brendan Heywood 300213ee2e MDL-70424 auth: Avoid random changes to $CFG->auth 2021-02-23 11:40:57 +11:00
Brendan Heywood 1dadeaeb39 MDL-68608 session: Improved the readonly session debugging 2020-12-14 14:09:55 +11:00
Eloy Lafuente (stronk7) 93f49909d5 Merge branch 'MDL-69121-redis-session-store-compression' of git://github.com/jamie-catalyst/moodle into master 2020-11-24 22:58:48 +01:00
Jamie Stamp f2ee4599f7 MDL-69121 core: Add ZSTD/Gzip compression options to Redis sessions 2020-11-09 12:34:22 +00:00
Jake Dallimore b64a8b3675 Merge branch 'MDL-68983-recent-session-lock-ro' of https://github.com/brendanheywood/moodle 2020-10-21 12:45:36 +08:00
Brendan Heywood 57aed80df6 MDL-68983 cache: Fix bug with readonly session combined with lock debug 2020-10-13 14:52:37 +11:00
Brendan Heywood 8c1c164e0a MDL-69707 session: Avoid redis writes if the session is unchanged 2020-09-29 20:45:38 +10:00
Brendan Heywood 8eab4f77cc MDL-68577 session: Fine tune the redis lock polling 2020-05-20 15:54:10 +10:00
Don Bowman cf7b00b8cf MDL-68696 sessions: Fixed redis session handler for readonly
In 39770792ca read-only sessions were allowed.
In the redis case, as called from the mobile application,
this can lead to returning 'false' for session rather than ''.
2020-05-15 12:09:15 -04:00
Brendan Heywood 7bc8ccdcf0 MDL-67075 session: Added extra debugging of blocking redis session locks 2020-04-30 13:06:07 +10:00
Mark Nelson 39770792ca MDL-58018 core: add support to redis for read-only sessions 2020-04-21 19:29:12 +02:00
Mark Nelson 7daa126d1d MDL-58018 core: add support to database for read-only sessions 2020-04-21 19:29:12 +02:00
Mark Nelson 4400ed3e1c MDL-58018 core: finish dev to support open sessions without a lock 2020-04-21 19:29:12 +02:00
Adam Eijdenberg 1c3b89b170 MDL-58018 core: Add support to open sessions without a lock 2020-04-20 14:13:34 +02:00
Brendan Cox 86b082cece MDL-67175 session: set SameSite=None for Chrome 78 and above
Totara reference TL-22311 (original code by Brendan Cox and Sam Hemelryk)
https://github.com/moodle/moodle/commit/a3f4de2b7efe66de6617a67ce7c87f2862e76ac6
2020-02-07 08:05:14 +08:00
Ilya Tregubov 4120908e19 MDL-65249 Session: Throw exception if number of attempts exceeded. 2019-06-25 15:09:42 +10:00
Michael Hawkins 76d0192e0b MDL-7339 admin: Replaced "open to google" references to be more generic
AMOS BEGIN
 MOV [configopentogoogle,admin],[configopentowebcrawlers,admin]
 MOV [opentogoogle,admin],[opentowebcrawlers,admin]
 MOV [check_google_details,report_security],[check_crawlers_details,report_security]
 MOV [check_google_error,report_security],[check_crawlers_error,report_security]
 MOV [check_google_info,report_security],[check_crawlers_info,report_security]
 MOV [check_google_name,report_security],[check_crawlers_name,report_security]
 MOV [check_google_ok,report_security],[check_crawlers_ok,report_security]
AMOS END
2019-06-11 10:04:01 +08:00
Damyon Wiese 7aeeb44463 MDL-34498 session: Add a checker to warn before session expiry
Replaces old yui module checknet.
2019-06-06 09:31:01 +08:00
Damyon Wiese e7f9ae50e5 MDL-65572 messaging: Loginas upgrade check
When using login as, we also need to check if there are legacy messages that
need updating and set the user preference if required.
2019-05-20 09:12:40 +08:00
Shamim Rezaie abbf6e5499 MDL-65393 core: Peer review amendments
- defining and using constand properties instead of hard-coded values
- Fixing the docblock for the cleanup_recent_session_locks function
2019-05-15 02:30:48 +10:00
Ilya Tregubov dbed8bdb86 MDL-65393 core: Make session history cleanup more aggressive. 2019-05-15 02:22:23 +10:00
Trisha Milan fdb9c3217d MDL-64449 core: Added Session lock debugging option 2019-04-03 14:20:57 +11:00