Commit Graph

62 Commits

Author SHA1 Message Date
Andrew Nicols bf18273a08 MDL-85897 core: Move all deprecations to emit_deprecation 2025-07-30 13:53:27 +08:00
Benjamin Walker 859fb5a319 MDL-83996 sessions: Fix false positive read only sessions errors 2025-07-21 10:26:29 +10:00
Paul Holden f096b8a658 MDL-84901 auth: specific session start error language string. 2025-07-08 12:33:05 +01:00
Trisha Milan e52fbd2f84 MDL-66151 Performance: Session Manager modularisation
Storage of session metadata has moved into the session handler class.
This allows for other classes to fully control session handling and
removes the dependancy on the core sessions database table.

Previously, the standard method of interaction with the
session metadata was direct DB calls; this may break other plugins as there
are now proper APIs available through the session manager.

Co-authored-by: Darren Cocco <moodle@darren.cocco.id.au>
Co-authored-by: Trisha Milan <trishamilan@catalyst-au.net>
Co-authored-by: Andrew Nicols <andrew@nicols.co.uk>
2024-09-03 13:04:04 +10:00
Mark Johnson 337a0ee705 MDL-81192 sessions: Prevent false positive session change errors
If $CFG->enable_read_only_sessions_debug was not enabled, debugging could be
enabled part-way through a request when restart_with_write_lock was
called. This meant that a diff between the initial and final session
would be made during write_close(), although the intial session state
was never captured. This generated false positives in the logs, and it
thought any variable set in the session was a change from the original
value.

This ensures that debugging is enabled before the debug flag is allowed
to change, preventing false positives.
2024-04-11 08:55:11 +01:00
Jun Pataleta 3278ce7aba Merge branch 'MDL-65292' of https://github.com/stronk7/moodle 2024-03-08 08:00:41 +08:00
Eloy Lafuente (stronk7) ba1f804ffa MDL-65292 style: Fix all function declarations white space
This has been generated running the following Sniffs, all
them part of the Moodle's CodeSniffer standard:
- PSR12.Functions.ReturnTypeDeclaration
- PSR12.Functions.NullableTypeDeclaration
- moodle.Methods.MethodDeclarationSpacing
- Squiz.Whitespace.ScopeKeywordSpacing

All them are, exclusively, about correct spacing, so the changes
are, all them, only white space changes.

Only exceptions to the above are 3 changes what were setting the
return type in a new line, and, when that happens, the closing
parenthesis (bracket) has to go to the same line than the colon.
2024-02-28 23:33:26 +01:00
Brendan Heywood c1fc12b479 MDL-80080 session: Unset logintoken after use 2024-02-22 10:56:02 +11:00
Mark Johnson 0757441874 MDL-80281 session: Don't report long session locks for readonly sessions
Previously, $CFG->sessionlockdebug was reporting long session locks for
all requests, even if they defined READ_ONLY_SESSION. This change
ensures that only sessions with locks are reported.
2023-11-28 16:20:45 +00:00
Rossco Hellmans d0385ed705 MDL-79092 session: fix recentsessionlocks mutated session debugging
In write_close() call update_recent_session_locks() before setting
$sessionatclose so that it includes $SESSION->recentsessionlocks and
doesn't trigger the debugging in check_mutated_closed_session().
2023-08-23 09:29:34 +10:00
Matt Porritt 668057c3eb MDL-50160 Administration: HTTP only cookies default set to on.
This patch removes the UI setting (cookiehttponly) for HTTP only
cookies. For new installs HTTP only cookies will default to on.
For existing sites teh behaviour will stay as set.
The behaviour can be overriden in config.php
2023-07-31 14:09:30 +10:00
Marina Glancy 8fc1486d36 MDL-77164 various: fix incorrect phpdocs 2023-04-13 11:35:06 +01:00
Paul Holden 922c61dee8 MDL-74585 core: pass string identifier/component to network keepalive.
Avoid passing potentially large amounts of data in the page AMD call,
allow the `core/network` module to load actual string content itself.
2023-02-22 13:49:30 +00:00
Matthew Hilton 4faa3204d6 MDL-73317 session: Log extra details for cachestore changes
More visibility depth is required for cachestore changes since they
are usually multi dimensional arrays.
2023-02-09 12:03:49 +10:00
Matthew Hilton 9c8d8502c0 MDL-73317 session: Log session changes after close
A snapshot of the session is now taken when write_close is called.
The session at shutdown is then compared to the snapshot. If changes
are detected, they are logged. This aids developers in seeing if
early session closes may be having unintended consequences.
2023-02-09 12:03:49 +10:00
Matthew Hilton 95077da502 MDL-73317 session: Improve session diff detection
Previously, newly added keys to the session were not detected. Objects
with the same properties were also incorrectly reported as different.

This commit improves this, and updates the unit tests to reflect the
new functionality.
2023-02-09 12:03:49 +10:00
Brendan Heywood 825d11ec50 MDL-76166 auth: Ensure user is in server access logs 2022-11-30 13:25:20 +11:00
Eloy Lafuente (stronk7) a5c91474ee MDL-71807 cleanup: Replace deprecated codingStandardsIgnore annotations
The PHP_CodeSniffer @codingStandardsIgnore annotations are deprecated
and, since version 3.x, the new // phpcs:ignore comments should be used
instead.

This commits just reviews all the uses in core, replacing them for
the better new candidate, or removing when no longer needed.
2022-03-08 10:48:53 +01:00
Eloy Lafuente (stronk7) 5300351831 MDL-73500 general: Remove php < 73 conditional code
This commit removes code that only was being executed by php < 73
and it's 100% safe to do so because Moodle 3.11 and up require
php 73, hence it was not executed ever.

Removed code includes:
- ldap_control_paged_result and ldap_control_paged_result_response
  (that were deprecated in php 73 and have been removed in php 80).
- conditional code in the session manager, where some hacks were
  needed for php < 73. Note that this removes the private function
  append_samesite_cookie_attribute() completely because it was
  doinf nothing (first line was returning for php < 73).
- Also removed the old session.hash_function ini setting because
  it was removed in php 71.

Kept code includes:
- The environmental check_igbinary322_version test has not been
  removed because it doesn't hurt (always returns "ok" for php 73
  sites) and doing it would involve to backport the environment.xml
  file to 39 and 310. Instead, a note has been added to MDL-71747
  in order to get rid of that check for 4.1 and up.
2022-01-21 19:47:55 +01:00
Cameron Ball f71fced168 MDL-73245 cache: Fix bug with session lock debugging
When session lock debugging and read only sessions deubgging are both
enabled, session lock debugging becomes moot. This patch causes
the session lock deubgging code to exit early if read only sessions
debugging is enabled.
2021-12-06 12:15:53 +08:00
Juan Leyva 39d96944eb MDL-66776 notifications: New login session notification 2021-11-04 11:18:00 +01:00
Cameron Ball d5eaa5224e MDL-72670 session: Correct read only debugging logic
Prior to this patch the debugging mode (when enabled) would trigger
on everywhere, regardless of whether or not READ_ONLY_SESSION is defined.

This patch modifies that behaviour so that the debugging only kicks in
if READ_ONLY_SESSION is defined and set to true.
2021-10-08 15:11:40 +08:00
Eloy Lafuente (stronk7) 8cf7878e18 Merge branch 'MDL-70424-auth-avoid-changes' of https://github.com/brendanheywood/moodle 2021-03-04 00:27:53 +01:00
Adrian Greeve cb69d6389c MDL-70828 performance: Allow session locking issue to be turned off.
If a developer has debugging on then they will recieve all debugging
messages for locking whether wanted or not. We already have a setting
to display these messages.
2021-02-24 11:26:08 +08:00
Brendan Heywood 300213ee2e MDL-70424 auth: Avoid random changes to $CFG->auth 2021-02-23 11:40:57 +11:00
Brendan Heywood 1dadeaeb39 MDL-68608 session: Improved the readonly session debugging 2020-12-14 14:09:55 +11:00
Brendan Heywood 57aed80df6 MDL-68983 cache: Fix bug with readonly session combined with lock debug 2020-10-13 14:52:37 +11:00
Mark Nelson 4400ed3e1c MDL-58018 core: finish dev to support open sessions without a lock 2020-04-21 19:29:12 +02:00
Adam Eijdenberg 1c3b89b170 MDL-58018 core: Add support to open sessions without a lock 2020-04-20 14:13:34 +02:00
Brendan Cox 86b082cece MDL-67175 session: set SameSite=None for Chrome 78 and above
Totara reference TL-22311 (original code by Brendan Cox and Sam Hemelryk)
https://github.com/moodle/moodle/commit/a3f4de2b7efe66de6617a67ce7c87f2862e76ac6
2020-02-07 08:05:14 +08:00
Michael Hawkins 76d0192e0b MDL-7339 admin: Replaced "open to google" references to be more generic
AMOS BEGIN
 MOV [configopentogoogle,admin],[configopentowebcrawlers,admin]
 MOV [opentogoogle,admin],[opentowebcrawlers,admin]
 MOV [check_google_details,report_security],[check_crawlers_details,report_security]
 MOV [check_google_error,report_security],[check_crawlers_error,report_security]
 MOV [check_google_info,report_security],[check_crawlers_info,report_security]
 MOV [check_google_name,report_security],[check_crawlers_name,report_security]
 MOV [check_google_ok,report_security],[check_crawlers_ok,report_security]
AMOS END
2019-06-11 10:04:01 +08:00
Damyon Wiese 7aeeb44463 MDL-34498 session: Add a checker to warn before session expiry
Replaces old yui module checknet.
2019-06-06 09:31:01 +08:00
Damyon Wiese e7f9ae50e5 MDL-65572 messaging: Loginas upgrade check
When using login as, we also need to check if there are legacy messages that
need updating and set the user preference if required.
2019-05-20 09:12:40 +08:00
Shamim Rezaie abbf6e5499 MDL-65393 core: Peer review amendments
- defining and using constand properties instead of hard-coded values
- Fixing the docblock for the cleanup_recent_session_locks function
2019-05-15 02:30:48 +10:00
Ilya Tregubov dbed8bdb86 MDL-65393 core: Make session history cleanup more aggressive. 2019-05-15 02:22:23 +10:00
Trisha Milan fdb9c3217d MDL-64449 core: Added Session lock debugging option 2019-04-03 14:20:57 +11:00
Damyon Wiese 6dfe428363 MDL-63183 auth: Login protection
CSRF protection for the login form. The authenticate_user_login function was
extended to validate the token (in \core\session\manager) but by default it
does not perform the extra validation. Existing uses of this function from
auth plugins and features like "change password" will continue to work without
changes. New config value $CFG->disablelogintoken can bypass this check.
2018-11-07 00:14:48 +01:00
Jake Dallimore 7d91564204 MDL-59595 admin: Make sure $ADMIN is properly unset when changing users 2018-07-24 08:25:30 +08:00
Tim Schroeder 81f55e41a7 MDL-61351 core: added \core\session\manager\get_handler_class()
* This is needed e.g. by the shibboleth logout handler to check which
type of sessions are used.
2018-07-17 16:45:20 +08:00
Davo Smith a2f1c5c39a MDL-57752 session: fix check_security() session termination 2017-02-13 07:54:02 +00:00
Nicholas Hoobin b86c685075 MDL-56417 session: Respect the return value of ignore_timeout_hook. 2016-11-10 14:24:24 +08:00
David Monllao 44eb1490c4 MDL-54751 course: Set adhoc task user
We should complete the deletion process using the same
user that started it.

Added a new param to loginas() to prevent the event to be generated as
there is no need to generate an new event for that as the user didn't
explicitly loginas again.
2016-11-08 09:45:07 +08:00
Dan Poltawski 1810eb1bf8 Revert "Merge branch 'MDL-56129-master' of git://github.com/andrewnicols/moodle"
This reverts commit aaa2788e42, reversing
changes made to 80b74762c9.
2016-10-27 09:59:38 +01:00
Andrew Nicols c823bfee62 MDL-56129 core: Set a timeout on the session cookie
This is primarily because iOS has changed something under the hood which
means that only session cookies which have an expiry are passed around the
OS.

In order to make media playable outside of the browser (e.g. a video), we
must set a session cookie timeout.

Since the session timeout is configurable, this patch sets the cookie
timeout to the session timeout plus a period of one week.

This ensures that videos continue to work, and that the expired session
message is shown on the login page, but without requiring excessively long
session times.
2016-10-24 11:47:06 +08:00
Brendan Heywood 657ddbf592 MDL-55273 admin: Change $CFG->cookiesecure default to on 2016-08-22 09:20:32 +10:00
Fred Woolard 1ac585fefd MDL-53713 core: account for session_start returning false 2016-05-06 09:27:27 +08:00
Andrew Nicols 2f244f1cc6 MDL-30811 core: Initiate notifications on first use only 2016-03-02 13:30:09 +08:00
Andrew Nicols 0346323cec MDL-30811 output: Add support for session notifications 2016-02-29 09:05:56 +08:00
Andrew Nicols 34c6ec1869 MDL-50891 useragent: Move web crawler checks to useragent class 2015-08-28 14:31:51 +08:00
Simey Lameze dcee0b9447 MDL-49360 core_lib: add new method get_local_referer()
This commit also replace all usages of $_SERVER['HTTP_REFERER'] and get_referer().
2015-07-27 11:11:24 +08:00