Edit File by line

<?php

[0] Fix | Delete

/**

[1] Fix | Delete

* Session API: WP_Session_Tokens class

[2] Fix | Delete

[3] Fix | Delete

* @package WordPress

[4] Fix | Delete

* @subpackage Session

[5] Fix | Delete

* @since 4.7.0

[6] Fix | Delete

[7] Fix | Delete

[8] Fix | Delete

/**

[9] Fix | Delete

* Abstract class for managing user session tokens.

[10] Fix | Delete

[11] Fix | Delete

* @since 4.0.0

[12] Fix | Delete

[13] Fix | Delete

#[AllowDynamicProperties]

[14] Fix | Delete

abstract class WP_Session_Tokens {

[15] Fix | Delete

[16] Fix | Delete

/**

[17] Fix | Delete

* User ID.

[18] Fix | Delete

[19] Fix | Delete

* @since 4.0.0

[20] Fix | Delete

* @var int User ID.

[21] Fix | Delete

[22] Fix | Delete

protected $user_id;

[23] Fix | Delete

[24] Fix | Delete

/**

[25] Fix | Delete

* Protected constructor. Use the `get_instance()` method to get the instance.

[26] Fix | Delete

[27] Fix | Delete

* @since 4.0.0

[28] Fix | Delete

[29] Fix | Delete

* @param int $user_id User whose session to manage.

[30] Fix | Delete

[31] Fix | Delete

protected function __construct( $user_id ) {

[32] Fix | Delete

$this->user_id = $user_id;

[33] Fix | Delete

}

[34] Fix | Delete

[35] Fix | Delete

/**

[36] Fix | Delete

* Retrieves a session manager instance for a user.

[37] Fix | Delete

[38] Fix | Delete

* This method contains a {@see 'session_token_manager'} filter, allowing a plugin to swap out

[39] Fix | Delete

* the session manager for a subclass of `WP_Session_Tokens`.

[40] Fix | Delete

[41] Fix | Delete

* @since 4.0.0

[42] Fix | Delete

[43] Fix | Delete

* @param int $user_id User whose session to manage.

[44] Fix | Delete

* @return WP_Session_Tokens The session object, which is by default an instance of

[45] Fix | Delete

* the `WP_User_Meta_Session_Tokens` class.

[46] Fix | Delete

[47] Fix | Delete

final public static function get_instance( $user_id ) {

[48] Fix | Delete

/**

[49] Fix | Delete

* Filters the class name for the session token manager.

[50] Fix | Delete

[51] Fix | Delete

* @since 4.0.0

[52] Fix | Delete

[53] Fix | Delete

* @param string $session Name of class to use as the manager.

[54] Fix | Delete

* Default 'WP_User_Meta_Session_Tokens'.

[55] Fix | Delete

[56] Fix | Delete

$manager = apply_filters( 'session_token_manager', 'WP_User_Meta_Session_Tokens' );

[57] Fix | Delete

return new $manager( $user_id );

[58] Fix | Delete

}

[59] Fix | Delete

[60] Fix | Delete

/**

[61] Fix | Delete

* Hashes the given session token for storage.

[62] Fix | Delete

[63] Fix | Delete

* @since 4.0.0

[64] Fix | Delete

[65] Fix | Delete

* @param string $token Session token to hash.

[66] Fix | Delete

* @return string A hash of the session token (a verifier).

[67] Fix | Delete

[68] Fix | Delete

private function hash_token( $token ) {

[69] Fix | Delete

return hash( 'sha256', $token );

[70] Fix | Delete

}

[71] Fix | Delete

[72] Fix | Delete

/**

[73] Fix | Delete

* Retrieves a user's session for the given token.

[74] Fix | Delete

[75] Fix | Delete

* @since 4.0.0

[76] Fix | Delete

[77] Fix | Delete

* @param string $token Session token.

[78] Fix | Delete

* @return array|null The session, or null if it does not exist.

[79] Fix | Delete

[80] Fix | Delete

final public function get( $token ) {

[81] Fix | Delete

$verifier = $this->hash_token( $token );

[82] Fix | Delete

return $this->get_session( $verifier );

[83] Fix | Delete

}

[84] Fix | Delete

[85] Fix | Delete

/**

[86] Fix | Delete

* Validates the given session token for authenticity and validity.

[87] Fix | Delete

[88] Fix | Delete

* Checks that the given token is present and hasn't expired.

[89] Fix | Delete

[90] Fix | Delete

* @since 4.0.0

[91] Fix | Delete

[92] Fix | Delete

* @param string $token Token to verify.

[93] Fix | Delete

* @return bool Whether the token is valid for the user.

[94] Fix | Delete

[95] Fix | Delete

final public function verify( $token ) {

[96] Fix | Delete

$verifier = $this->hash_token( $token );

[97] Fix | Delete

return (bool) $this->get_session( $verifier );

[98] Fix | Delete

}

[99] Fix | Delete

[100] Fix | Delete

/**

[101] Fix | Delete

* Generates a session token and attaches session information to it.

[102] Fix | Delete

[103] Fix | Delete

* A session token is a long, random string. It is used in a cookie

[104] Fix | Delete

* to link that cookie to an expiration time and to ensure the cookie

[105] Fix | Delete

* becomes invalidated when the user logs out.

[106] Fix | Delete

[107] Fix | Delete

* This function generates a token and stores it with the associated

[108] Fix | Delete

* expiration time (and potentially other session information via the

[109] Fix | Delete

* {@see 'attach_session_information'} filter).

[110] Fix | Delete

[111] Fix | Delete

* @since 4.0.0

[112] Fix | Delete

[113] Fix | Delete

* @param int $expiration Session expiration timestamp.

[114] Fix | Delete

* @return string Session token.

[115] Fix | Delete

[116] Fix | Delete

final public function create( $expiration ) {

[117] Fix | Delete

/**

[118] Fix | Delete

* Filters the information attached to the newly created session.

[119] Fix | Delete

[120] Fix | Delete

* Can be used to attach further information to a session.

[121] Fix | Delete

[122] Fix | Delete

* @since 4.0.0

[123] Fix | Delete

[124] Fix | Delete

* @param array $session Array of extra data.

[125] Fix | Delete

* @param int $user_id User ID.

[126] Fix | Delete

[127] Fix | Delete

$session = apply_filters( 'attach_session_information', array(), $this->user_id );

[128] Fix | Delete

$session['expiration'] = $expiration;

[129] Fix | Delete

[130] Fix | Delete

// IP address.

[131] Fix | Delete

if ( ! empty( $_SERVER['REMOTE_ADDR'] ) ) {

[132] Fix | Delete

$session['ip'] = $_SERVER['REMOTE_ADDR'];

[133] Fix | Delete

}

[134] Fix | Delete

[135] Fix | Delete

// User-agent.

[136] Fix | Delete

if ( ! empty( $_SERVER['HTTP_USER_AGENT'] ) ) {

[137] Fix | Delete

$session['ua'] = wp_unslash( $_SERVER['HTTP_USER_AGENT'] );

[138] Fix | Delete

}

[139] Fix | Delete

[140] Fix | Delete

// Timestamp.

[141] Fix | Delete

$session['login'] = time();

[142] Fix | Delete

[143] Fix | Delete

$token = wp_generate_password( 43, false, false );

[144] Fix | Delete

[145] Fix | Delete

$this->update( $token, $session );

[146] Fix | Delete

[147] Fix | Delete

return $token;

[148] Fix | Delete

}

[149] Fix | Delete

[150] Fix | Delete

/**

[151] Fix | Delete

* Updates the data for the session with the given token.

[152] Fix | Delete

[153] Fix | Delete

* @since 4.0.0

[154] Fix | Delete

[155] Fix | Delete

* @param string $token Session token to update.

[156] Fix | Delete

* @param array $session Session information.

[157] Fix | Delete

[158] Fix | Delete

final public function update( $token, $session ) {

[159] Fix | Delete

$verifier = $this->hash_token( $token );

[160] Fix | Delete

$this->update_session( $verifier, $session );

[161] Fix | Delete

}

[162] Fix | Delete

[163] Fix | Delete

/**

[164] Fix | Delete

* Destroys the session with the given token.

[165] Fix | Delete

[166] Fix | Delete

* @since 4.0.0

[167] Fix | Delete

[168] Fix | Delete

* @param string $token Session token to destroy.

[169] Fix | Delete

[170] Fix | Delete

final public function destroy( $token ) {

[171] Fix | Delete

$verifier = $this->hash_token( $token );

[172] Fix | Delete

$this->update_session( $verifier, null );

[173] Fix | Delete

}

[174] Fix | Delete

[175] Fix | Delete

/**

[176] Fix | Delete

* Destroys all sessions for this user except the one with the given token (presumably the one in use).

[177] Fix | Delete

[178] Fix | Delete

* @since 4.0.0

[179] Fix | Delete

[180] Fix | Delete

* @param string $token_to_keep Session token to keep.

[181] Fix | Delete

[182] Fix | Delete

final public function destroy_others( $token_to_keep ) {

[183] Fix | Delete

$verifier = $this->hash_token( $token_to_keep );

[184] Fix | Delete

$session = $this->get_session( $verifier );

[185] Fix | Delete

if ( $session ) {

[186] Fix | Delete

$this->destroy_other_sessions( $verifier );

[187] Fix | Delete

} else {

[188] Fix | Delete

$this->destroy_all_sessions();

[189] Fix | Delete

}

[190] Fix | Delete

}

[191] Fix | Delete

[192] Fix | Delete

/**

[193] Fix | Delete

* Determines whether a session is still valid, based on its expiration timestamp.

[194] Fix | Delete

[195] Fix | Delete

* @since 4.0.0

[196] Fix | Delete

[197] Fix | Delete

* @param array $session Session to check.

[198] Fix | Delete

* @return bool Whether session is valid.

[199] Fix | Delete

[200] Fix | Delete

final protected function is_still_valid( $session ) {

[201] Fix | Delete

return $session['expiration'] >= time();

[202] Fix | Delete

}

[203] Fix | Delete

[204] Fix | Delete

/**

[205] Fix | Delete

* Destroys all sessions for a user.

[206] Fix | Delete

[207] Fix | Delete

* @since 4.0.0

[208] Fix | Delete

[209] Fix | Delete

final public function destroy_all() {

[210] Fix | Delete

$this->destroy_all_sessions();

[211] Fix | Delete

}

[212] Fix | Delete

[213] Fix | Delete

/**

[214] Fix | Delete

* Destroys all sessions for all users.

[215] Fix | Delete

[216] Fix | Delete

* @since 4.0.0

[217] Fix | Delete

[218] Fix | Delete

final public static function destroy_all_for_all_users() {

[219] Fix | Delete

/** This filter is documented in wp-includes/class-wp-session-tokens.php */

[220] Fix | Delete

$manager = apply_filters( 'session_token_manager', 'WP_User_Meta_Session_Tokens' );

[221] Fix | Delete

call_user_func( array( $manager, 'drop_sessions' ) );

[222] Fix | Delete

}

[223] Fix | Delete

[224] Fix | Delete

/**

[225] Fix | Delete

* Retrieves all sessions for a user.

[226] Fix | Delete

[227] Fix | Delete

* @since 4.0.0

[228] Fix | Delete

[229] Fix | Delete

* @return array Sessions for a user.

[230] Fix | Delete

[231] Fix | Delete

final public function get_all() {

[232] Fix | Delete

return array_values( $this->get_sessions() );

[233] Fix | Delete

}

[234] Fix | Delete

[235] Fix | Delete

/**

[236] Fix | Delete

* Retrieves all sessions of the user.

[237] Fix | Delete

[238] Fix | Delete

* @since 4.0.0

[239] Fix | Delete

[240] Fix | Delete

* @return array Sessions of the user.

[241] Fix | Delete

[242] Fix | Delete

abstract protected function get_sessions();

[243] Fix | Delete

[244] Fix | Delete

/**

[245] Fix | Delete

* Retrieves a session based on its verifier (token hash).

[246] Fix | Delete

[247] Fix | Delete

* @since 4.0.0

[248] Fix | Delete

[249] Fix | Delete

* @param string $verifier Verifier for the session to retrieve.

[250] Fix | Delete

* @return array|null The session, or null if it does not exist.

[251] Fix | Delete

[252] Fix | Delete

abstract protected function get_session( $verifier );

[253] Fix | Delete

[254] Fix | Delete

/**

[255] Fix | Delete

* Updates a session based on its verifier (token hash).

[256] Fix | Delete

[257] Fix | Delete

* Omitting the second argument destroys the session.

[258] Fix | Delete

[259] Fix | Delete

* @since 4.0.0

[260] Fix | Delete

[261] Fix | Delete

* @param string $verifier Verifier for the session to update.

[262] Fix | Delete

* @param array $session Optional. Session. Omitting this argument destroys the session.

[263] Fix | Delete

[264] Fix | Delete

abstract protected function update_session( $verifier, $session = null );

[265] Fix | Delete

[266] Fix | Delete

/**

[267] Fix | Delete

* Destroys all sessions for this user, except the single session with the given verifier.

[268] Fix | Delete

[269] Fix | Delete

* @since 4.0.0

[270] Fix | Delete

[271] Fix | Delete

* @param string $verifier Verifier of the session to keep.

[272] Fix | Delete

[273] Fix | Delete

abstract protected function destroy_other_sessions( $verifier );

[274] Fix | Delete

[275] Fix | Delete

/**

[276] Fix | Delete

* Destroys all sessions for the user.

[277] Fix | Delete

[278] Fix | Delete

* @since 4.0.0

[279] Fix | Delete

[280] Fix | Delete

abstract protected function destroy_all_sessions();

[281] Fix | Delete

[282] Fix | Delete

/**

[283] Fix | Delete

* Destroys all sessions for all users.

[284] Fix | Delete

[285] Fix | Delete

* @since 4.0.0

[286] Fix | Delete

[287] Fix | Delete

public static function drop_sessions() {}

[288] Fix | Delete

}

[289] Fix | Delete

[290] Fix | Delete