Fix PHP fatal error "Call to undefined function
core\session\disk_free_space()" when disable_functions=disk_free_space.
Prior to PHP 8.0 this error was suppressed by '@'.
Co-authored-by: Federico Alvarez <32086536+fedealvz@users.noreply.github.com>
PHP allows the specification of invalid values for `max_execution_time`,
including negative values. These should be normalised the same way that
an empty (unlimited) value is.
Storage of session metadata has moved into the session handler class.
This allows for other classes to fully control session handling and
removes the dependancy on the core sessions database table.
Previously, the standard method of interaction with the
session metadata was direct DB calls; this may break other plugins as there
are now proper APIs available through the session manager.
Co-authored-by: Darren Cocco <moodle@darren.cocco.id.au>
Co-authored-by: Trisha Milan <trishamilan@catalyst-au.net>
Co-authored-by: Andrew Nicols <andrew@nicols.co.uk>
The fix covers two places:
- The Redis session.
- The Redis cache store.
The PHP Redis has the option to establish the connection using TLS/SSL instead of using the "tls://" prefix.
This is done to ensure consistency with the Redis cluster connection,
as the code for both single and cluster connections is located in one place.
If $CFG->enable_read_only_sessions_debug was not enabled, debugging could be
enabled part-way through a request when restart_with_write_lock was
called. This meant that a diff between the initial and final session
would be made during write_close(), although the intial session state
was never captured. This generated false positives in the logs, and it
thought any variable set in the session was a change from the original
value.
This ensures that debugging is enabled before the debug flag is allowed
to change, preventing false positives.
Also added @runInSeparateProcess on each session Redis cluster test to let the test run
in a separate process to avoid the error "the headers are not already sent" by PHPUnit.
Unfortunately, the read_timeout named parameter was not recognized on some machines.
To avoid such errors, this patch removed the named parameter on a single Redis connect() and the Redis cluster.
This has been generated running the following Sniff,
part of the Moodle's CodeSniffer standard:
- PSR2.Methods.MethodDeclaration
It just ensures all the function declarations have
the correct order for:
- abstract and final.
- visibility (public, protected, private).
- static.
So, all the lines modified by this commit are function declarations
and the only changes are in the positions of those keywords.
This has been generated running the following Sniffs, all
them part of the Moodle's CodeSniffer standard:
- PSR12.Functions.ReturnTypeDeclaration
- PSR12.Functions.NullableTypeDeclaration
- moodle.Methods.MethodDeclarationSpacing
- Squiz.Whitespace.ScopeKeywordSpacing
All them are, exclusively, about correct spacing, so the changes
are, all them, only white space changes.
Only exceptions to the above are 3 changes what were setting the
return type in a new line, and, when that happens, the closing
parenthesis (bracket) has to go to the same line than the colon.
Previously, $CFG->sessionlockdebug was reporting long session locks for
all requests, even if they defined READ_ONLY_SESSION. This change
ensures that only sessions with locks are reported.
In write_close() call update_recent_session_locks() before setting
$sessionatclose so that it includes $SESSION->recentsessionlocks and
doesn't trigger the debugging in check_mutated_closed_session().
This patch removes the UI setting (cookiehttponly) for HTTP only
cookies. For new installs HTTP only cookies will default to on.
For existing sites teh behaviour will stay as set.
The behaviour can be overriden in config.php
If for any reason a Redis session lock is not being released, all subsequent
requests will wait to acquire the lock, forcing them to time out eventually.
This will happen till the original lock finally expires after the session timeout.
This sets the Redis session lock expiry time to whatever is lower,
either the PHP execution time `max_execution_time`, if the value was
defined in the `php.ini` or the globally configured `sessiontimeout`.
Setting it to the lower of the two will not make things worse it if the
execution timeout is longer than the session timeout.
For the PHP execution time, once the PHP execution time is over, we can
be sure that the lock is no longer actively held so that the lock can
expire safely. Although at `lib/classes/php_time_limit.php::raise(int)`,
Moodle can progressively increase the maximum PHP execution time, this
is limited to the `max_execution_time` value defined in the `php.ini`.
For the session timeout, we assume it is safe to consider the lock to
expire once the session itself expires.
If we unnecessarily hold the lock any longer, it blocks other session
requests.
Co-authored-by: Daniel Ziegenberg <daniel@ziegenberg.at>
Signed-off-by: Daniel Ziegenberg <daniel@ziegenberg.at>
A snapshot of the session is now taken when write_close is called.
The session at shutdown is then compared to the snapshot. If changes
are detected, they are logged. This aids developers in seeing if
early session closes may be having unintended consequences.
Previously, newly added keys to the session were not detected. Objects
with the same properties were also incorrectly reported as different.
This commit improves this, and updates the unit tests to reflect the
new functionality.
PHP before version 8.1 automatically converted to int if the function
parameter (or array key) is expected to be int. PHP 8.1 shows notice in
this case
The Redis cache store and session handler both do a 'ping()' after
connecting to Redis. This is unnecessary because the connect() call
has just checked the network connection and it's hardly likely that
the server has gone down since then.
According to my profiling, both connect() and ping() take
measurable time when talking to a separate server, i.e. a few
milliseconds. So it's not the case that connect() doesn't really
talk to the server, as I initially wondered.
If using Redis on a separate (non-localhost) server for both session
and cache store, removing these ping calls can save a millisecond
or two per request.
The 'unable to obtain session lock'-exception raised by the Redis
session handler is hardcoded in English and not all that useful
to the end user.
This change adds the error message to the lang/error.php and gives
the user further hints why the error might have occured and how it
could be fixed.
Signed-off-by: Daniel Ziegenberg <daniel@ziegenberg.at>