core\session\manager Class Reference

Session manager, this is the public Moodle API for sessions. More...

Static Public Member Functions
static	apply_concurrent_login_limit ($userid, $sid=null)
	Terminate other sessions of current user depending on $CFG->limitconcurrentlogins restriction. More...
static	cleanup_recent_session_locks ()
	Reset recent session locks array if there is a time gap more than SESSION_RESET_GAP_THRESHOLD.
static	display_blocking_page ()
	Display the page which blocks other pages. More...
static	gc ()
	Periodic timed-out session cleanup.
static	get_handler_class ()
	Get fully qualified name of session handler class. More...
static	get_locked_page_at ($time)
	Get the page that blocks other pages at a specific timestamp. More...
static	get_login_token ()
	Get the current login token or generate a new one. More...
static	get_performance_info ()
	Returns current page performance info. More...
static	get_realuser ()
	Returns the $USER object ignoring current login-as session. More...
static	get_recent_session_locks ()
	Get the recent session locks array. More...
static	get_session_lock_info ()
	Get session lock info of the current page. More...
static	init_empty_session ()
	Empty current session, fill it with not-logged-in user info. More...
static	is_loggedinas ()
	Is current $USER logged-in-as somebody else? More...
static	keepalive ($identifier='sessionerroruser', $component='error', $frequency=null, $timeout=0)
	Add a JS session keepalive to the page. More...
static	kill_all_sessions ()
	Terminate all sessions unconditionally.
static	kill_session ($sid)
	Terminate give session unconditionally. More...
static	kill_user_sessions ($userid, $keepsid=null)
	Terminate all sessions of given user unconditionally. More...
static	login_user (\stdClass $user)
	Login user, to be called from complete_user_login() only. More...
static	loginas ($userid, context $context, $generateevent=true)
	Login as another user - no security checks here. More...
static	session_exists ($sid)
	Does the PHP session with given id exist? More...
static	sessionlock_debugging ()
	Display debugging info about slow and blocked script.
static	set_user (\stdClass $user)
	Set current user. More...
static	start ()
	Start user session. More...
static	terminate_current ()
	Terminate current user session. More...
static	time_remaining ($sid)
	Return the number of seconds remaining in the current session. More...
static	touch_session ($sid)
	Fake last access for given session, this prevents session timeout. More...
static	update_recent_session_locks ($sessionlock)
	Updates the recent session locks. More...
static	validate_login_token ($token=false)
	Check the submitted value against the stored login token. More...
static	write_close ()
	No more changes in session expected. More...

Public Attributes
int const	MAXIMUM_STORED_SESSION_HISTORY = 50
	A hard cutoff of maximum stored history.
int const	SESSION_RESET_GAP_THRESHOLD = 1
	The recent session locks array is reset if there is a time gap more than this value in seconds.

Static Protected Member Functions
static	add_session_record ($userid)
	Insert new empty session record. More...
static	check_security ()
	Do various session security checks. More...
static	initialise_user_session ($newsid)
	Initialise $_SESSION, handles google access and sets up not-logged-in user properly. More...
static	load_handler ()
	Create handler instance.
static	prepare_cookies ()
	Make sure all cookie and session related stuff is configured properly before session start.

Static Protected Attributes
static handler	$handler
	$handler active session handler instance
static string	$logintokenkey = 'core_auth_login'
	$logintokenkey Key used to get and store request protection for login form.
static bool	$sessionactive = null
	$sessionactive Is the session active?

Detailed Description

Session manager, this is the public Moodle API for sessions.

Following PHP functions MUST NOT be used directly:

• session_start() - not necessary, lib/setup.php starts session automatically, use define('NO_MOODLE_COOKIE', true) if session not necessary.
• session_write_close() - use core\session\manager::write_close() instead.
• session_destroy() - use require_logout() instead.

Copyright

2013 Petr Skoda http://skodak.org

License

http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later

Member Function Documentation

add_session_record()

static core\session\manager::add_session_record (   $userid )

staticprotected

Insert new empty session record.

Parameters

int

$userid

Return values

stdClass

the new record

apply_concurrent_login_limit()

static core\session\manager::apply_concurrent_login_limit (   $userid,   $sid = null  )

static

Terminate other sessions of current user depending on $CFG->limitconcurrentlogins restriction.

This is expected to be called right after complete_user_login().

NOTE:

• Do not use from SSO auth plugins, this would not work.
• Do not use from web services because they do not have sessions.

Parameters

int	$userid
string	$sid	session id to be always keep, usually the current one

Return values

void

check_security()

static core\session\manager::check_security ( )

staticprotected

Do various session security checks.

WARNING: $USER and $SESSION are set up later, do not use them yet!

Exceptions

core

display_blocking_page()

static core\session\manager::display_blocking_page ( )

static

Display the page which blocks other pages.

Return values

string

get_handler_class()

static core\session\manager::get_handler_class ( )

static

Get fully qualified name of session handler class.

Return values

string

The name of the handler class

get_locked_page_at()

static core\session\manager::get_locked_page_at (   $time )

static

Get the page that blocks other pages at a specific timestamp.

Look for a page whose lock was gained before that timestamp, and released after that timestamp.

Parameters

float

$time

Time before session lock starts.

Return values

array|null

get_login_token()

static core\session\manager::get_login_token ( )

static

Get the current login token or generate a new one.

All login forms generated from Moodle must include a login token named "logintoken" with the value being the result of this function. Logins will be rejected if they do not include this token as well as the username and password fields.

Return values

string

The current login token.

get_performance_info()

static core\session\manager::get_performance_info ( )

static

Returns current page performance info.

Return values

array

perf info

get_realuser()

static core\session\manager::get_realuser ( )

static

Returns the $USER object ignoring current login-as session.

Return values

stdClass

user object

get_recent_session_locks()

static core\session\manager::get_recent_session_locks ( )

static

Get the recent session locks array.

Return values

array

Recent session locks array.

get_session_lock_info()

static core\session\manager::get_session_lock_info ( )

static

Get session lock info of the current page.

Return values

array

init_empty_session()

static core\session\manager::init_empty_session ( )

static

Empty current session, fill it with not-logged-in user info.

This is intended for installation scripts, unit tests and other special areas. Do NOT use for logout and session termination in normal requests!

initialise_user_session()

static core\session\manager::initialise_user_session (   $newsid )

staticprotected

Initialise $_SESSION, handles google access and sets up not-logged-in user properly.

WARNING: $USER and $SESSION are set up later, do not use them yet!

Parameters

bool

$newsid

is this a new session in first http request?

is_loggedinas()

static core\session\manager::is_loggedinas ( )

static

Is current $USER logged-in-as somebody else?

Return values

bool

keepalive()

static core\session\manager::keepalive (   $identifier = 'sessionerroruser',   $component = 'error',   $frequency = null,   $timeout = 0  )

static

Add a JS session keepalive to the page.

A JS session keepalive script will be called to update the session modification time every $frequency seconds.

Upon failure, the specified error message will be shown to the user.

Parameters

string	$identifier	The string identifier for the message to show on failure.
string	$component	The string component for the message to show on failure.
int	$frequency	The update frequency in seconds.
int	$timeout	The timeout of each request in seconds.

Exceptions

coding_exception

IF the frequency is longer than the session lifetime.

kill_session()

static core\session\manager::kill_session (   $sid )

static

Terminate give session unconditionally.

Parameters

string

$sid

kill_user_sessions()

static core\session\manager::kill_user_sessions (   $userid,   $keepsid = null  )

static

Terminate all sessions of given user unconditionally.

Parameters

int	$userid
string	$keepsid	keep this sid if present

login_user()

static core\session\manager::login_user ( \stdClass  $user )

static

Login user, to be called from complete_user_login() only.

Parameters

stdClass

$user

loginas()

static core\session\manager::loginas (   $userid, context  $context,   $generateevent = true  )

static

Login as another user - no security checks here.

Parameters

int	$userid
context	$context
bool	$generateevent	Set to false to prevent the loginas event to be generated

Return values

void

session_exists()

static core\session\manager::session_exists (   $sid )

static

Does the PHP session with given id exist?

The session must exist both in session table and actual session backend and the session must not be timed out.

Timeout evaluation is simplified, the auth hooks are not executed.

Parameters

string

$sid

Return values

bool

set_user()

static core\session\manager::set_user ( \stdClass  $user )

static

Set current user.

Parameters

stdClass

$user

record

start()

static core\session\manager::start ( )

static

Start user session.

Note: This is intended to be called only from lib/setup.php!

terminate_current()

static core\session\manager::terminate_current ( )

static

Terminate current user session.

Return values

void

time_remaining()

static core\session\manager::time_remaining (   $sid )

static

Return the number of seconds remaining in the current session.

Parameters

string

$sid

touch_session()

static core\session\manager::touch_session (   $sid )

static

Fake last access for given session, this prevents session timeout.

Parameters

string

$sid

update_recent_session_locks()

static core\session\manager::update_recent_session_locks (   $sessionlock )

static

Updates the recent session locks.

This function will store session lock info of all the pages visited.

Parameters

array

$sessionlock

Session lock array.

validate_login_token()

static core\session\manager::validate_login_token (   $token = false )

static

Check the submitted value against the stored login token.

Parameters

mixed

$token

The value submitted in the login form that we are validating. If false is passed for the token, this function will always return true.

Return values

boolean

If the submitted token is valid.

write_close()

static core\session\manager::write_close ( )

static

No more changes in session expected.

Unblocks the sessions, other scripts may start executing in parallel.

---

The documentation for this class was generated from the following file:

• lib/classes/session/manager.php