Moodle PHP Documentation 4.4
Moodle 4.4.1 (Build: 20240610) (db07c09afc5)
core\session\manager Class Reference

Session manager, this is the public Moodle API for sessions. More...

Static Public Member Functions

static apply_concurrent_login_limit ($userid, $sid=null)
 Terminate other sessions of current user depending on $CFG->limitconcurrentlogins restriction.
 
static check_mutated_closed_session ()
 Checks if the session has been mutated since it was closed.
 
static cleanup_recent_session_locks ()
 Reset recent session locks array if there is a time gap more than SESSION_RESET_GAP_THRESHOLD.
 
static display_blocking_page ()
 Display the page which blocks other pages.
 
static gc ()
 Periodic timed-out session cleanup.
 
static get_handler_class ()
 Get fully qualified name of session handler class.
 
static get_locked_page_at ($time)
 Get the page that blocks other pages at a specific timestamp.
 
static get_login_token ()
 Get the current login token or generate a new one.
 
static get_performance_info ()
 Returns current page performance info.
 
static get_realuser ()
 Returns the $USER object ignoring current login-as session.
 
static get_recent_session_locks ()
 Get the recent session locks array.
 
static get_session_lock_info ()
 Get session lock info of the current page.
 
static init_empty_session (?bool $newsid=null)
 Empty current session, fill it with not-logged-in user info.
 
static is_loggedinas ()
 Is current $USER logged-in-as somebody else?
 
static keepalive ($identifier='sessionerroruser', $component='error', $frequency=null, $timeout=0)
 Add a JS session keepalive to the page.
 
static kill_all_sessions ()
 Terminate all sessions unconditionally.
 
static kill_session ($sid)
 Terminate give session unconditionally.
 
static kill_user_sessions ($userid, $keepsid=null)
 Terminate all sessions of given user unconditionally.
 
static login_user (\stdClass $user)
 Login user, to be called from complete_user_login() only.
 
static loginas ($userid, context $context, $generateevent=true)
 Login as another user - no security checks here.
 
static restart_with_write_lock (bool $readonlysession)
 If the current session is not writeable, abort it, and re-open it requesting (and blocking) until a write lock is acquired.
 
static session_exists ($sid)
 Does the PHP session with given id exist?
 
static sessionlock_debugging ()
 Display debugging info about slow and blocked script.
 
static set_user (\stdClass $user)
 Set current user.
 
static start ()
 Start user session.
 
static terminate_current ()
 Terminate current user session.
 
static time_remaining ($sid)
 Return the number of seconds remaining in the current session.
 
static touch_session ($sid)
 Fake last access for given session, this prevents session timeout.
 
static update_recent_session_locks ($sessionlock)
 Updates the recent session locks.
 
static validate_login_token ($token=false)
 Check the submitted value against the stored login token.
 
static write_close ()
 No more changes in session expected.
 

Public Attributes

int const MAXIMUM_STORED_SESSION_HISTORY = 50
 A hard cutoff of maximum stored history.
 
int const SESSION_RESET_GAP_THRESHOLD = 1
 The recent session locks array is reset if there is a time gap more than this value in seconds.
 

Static Protected Member Functions

static add_session_record ($userid)
 Insert new empty session record.
 
static check_security ()
 Do various session security checks.
 
static initialise_user_session ($newsid)
 Initialise $_SESSION, handles google access and sets up not-logged-in user properly.
 
static load_handler ()
 Create handler instance.
 
static prepare_cookies ()
 Make sure all cookie and session related stuff is configured properly before session start.
 

Static Protected Attributes

static handler $handler
 $handler active session handler instance
 
static string $logintokenkey = 'core_auth_login'
 $logintokenkey Key used to get and store request protection for login form.
 
static bool $sessionactive = null
 $sessionactive Is the session active?
 

Detailed Description

Session manager, this is the public Moodle API for sessions.

Following PHP functions MUST NOT be used directly:

  • session_start() - not necessary, lib/setup.php starts session automatically, use define('NO_MOODLE_COOKIE', true) if session not necessary.
  • session_write_close() - use core\session\manager\write_close() instead.
  • session_destroy() - use require_logout() instead.
License
http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later

Member Function Documentation

◆ add_session_record()

static core\session\manager::add_session_record ( $userid)
staticprotected

Insert new empty session record.

Parameters
int$userid
Return values
stdClassthe new record

◆ apply_concurrent_login_limit()

static core\session\manager::apply_concurrent_login_limit ( $userid,
$sid = null )
static

Terminate other sessions of current user depending on $CFG->limitconcurrentlogins restriction.

This is expected to be called right after complete_user_login().

NOTE:

  • Do not use from SSO auth plugins, this would not work.
  • Do not use from web services because they do not have sessions.
Parameters
int$userid
string$sidsession id to be always keep, usually the current one
Return values
void

◆ check_mutated_closed_session()

static core\session\manager::check_mutated_closed_session ( )
static

Checks if the session has been mutated since it was closed.

In write_close the session is saved to the variable $sessionatclose If there is a difference between $sessionatclose and the current session, it means a script has erroneously closed the session too early. Script is usually called in shutdown_manager

◆ check_security()

static core\session\manager::check_security ( )
staticprotected

Do various session security checks.

WARNING: $USER and $SESSION are set up later, do not use them yet!

Exceptions
core\session\exception

◆ display_blocking_page()

static core\session\manager::display_blocking_page ( )
static

Display the page which blocks other pages.

Return values
string

◆ get_handler_class()

static core\session\manager::get_handler_class ( )
static

Get fully qualified name of session handler class.

Return values
stringThe name of the handler class

◆ get_locked_page_at()

static core\session\manager::get_locked_page_at ( $time)
static

Get the page that blocks other pages at a specific timestamp.

Look for a page whose lock was gained before that timestamp, and released after that timestamp.

Parameters
float$timeTime before session lock starts.
Return values
array|null

◆ get_login_token()

static core\session\manager::get_login_token ( )
static

Get the current login token or generate a new one.

All login forms generated from Moodle must include a login token named "logintoken" with the value being the result of this function. Logins will be rejected if they do not include this token as well as the username and password fields.

Return values
stringThe current login token.

◆ get_performance_info()

static core\session\manager::get_performance_info ( )
static

Returns current page performance info.

Return values
arrayperf info

◆ get_realuser()

static core\session\manager::get_realuser ( )
static

Returns the $USER object ignoring current login-as session.

Return values
stdClassuser object

◆ get_recent_session_locks()

static core\session\manager::get_recent_session_locks ( )
static

Get the recent session locks array.

Return values
arrayRecent session locks array.

◆ get_session_lock_info()

static core\session\manager::get_session_lock_info ( )
static

Get session lock info of the current page.

Return values
array

◆ init_empty_session()

static core\session\manager::init_empty_session ( ?bool $newsid = null)
static

Empty current session, fill it with not-logged-in user info.

This is intended for installation scripts, unit tests and other special areas. Do NOT use for logout and session termination in normal requests!

Parameters
mixed$newsidonly used after initialising a user session, is this a new user session?

◆ initialise_user_session()

static core\session\manager::initialise_user_session ( $newsid)
staticprotected

Initialise $_SESSION, handles google access and sets up not-logged-in user properly.

WARNING: $USER and $SESSION are set up later, do not use them yet!

Parameters
bool$newsidis this a new session in first http request?

◆ is_loggedinas()

static core\session\manager::is_loggedinas ( )
static

Is current $USER logged-in-as somebody else?

Return values
bool

◆ keepalive()

static core\session\manager::keepalive ( $identifier = 'sessionerroruser',
$component = 'error',
$frequency = null,
$timeout = 0 )
static

Add a JS session keepalive to the page.

A JS session keepalive script will be called to update the session modification time every $frequency seconds.

Upon failure, the specified error message will be shown to the user.

Parameters
string$identifierThe string identifier for the message to show on failure.
string$componentThe string component for the message to show on failure.
int$frequencyThe update frequency in seconds.
int$timeoutThe timeout of each request in seconds.
Exceptions
coding_exceptionIF the frequency is longer than the session lifetime.

◆ kill_session()

static core\session\manager::kill_session ( $sid)
static

Terminate give session unconditionally.

Parameters
string$sid

◆ kill_user_sessions()

static core\session\manager::kill_user_sessions ( $userid,
$keepsid = null )
static

Terminate all sessions of given user unconditionally.

Parameters
int$userid
string$keepsidkeep this sid if present

◆ login_user()

static core\session\manager::login_user ( \stdClass $user)
static

Login user, to be called from complete_user_login() only.

Parameters
stdClass$user

◆ loginas()

static core\session\manager::loginas ( $userid,
context $context,
$generateevent = true )
static

Login as another user - no security checks here.

Parameters
int$userid
context$context
bool$generateeventSet to false to prevent the loginas event to be generated
Return values
void

◆ restart_with_write_lock()

static core\session\manager::restart_with_write_lock ( bool $readonlysession)
static

If the current session is not writeable, abort it, and re-open it requesting (and blocking) until a write lock is acquired.

If current session was already opened with an intentional write lock, this call will not do anything. NOTE: Even when using a session handler that does not support non-locking sessions, if the original session was not opened with the explicit intention of being locked, this will still restart your session so that code behaviour matches as closely as practical across environments.

Parameters
bool$readonlysessionUsed by debugging logic to determine if whatever triggered the restart (e.g., a webservice) declared itself as read only.

◆ session_exists()

static core\session\manager::session_exists ( $sid)
static

Does the PHP session with given id exist?

The session must exist both in session table and actual session backend and the session must not be timed out.

Timeout evaluation is simplified, the auth hooks are not executed.

Parameters
string$sid
Return values
bool

◆ set_user()

static core\session\manager::set_user ( \stdClass $user)
static

Set current user.

Parameters
stdClass$userrecord

◆ start()

static core\session\manager::start ( )
static

Start user session.

Note: This is intended to be called only from lib/setup.php!

◆ terminate_current()

static core\session\manager::terminate_current ( )
static

Terminate current user session.

Return values
void

◆ time_remaining()

static core\session\manager::time_remaining ( $sid)
static

Return the number of seconds remaining in the current session.

Parameters
string$sid

◆ touch_session()

static core\session\manager::touch_session ( $sid)
static

Fake last access for given session, this prevents session timeout.

Parameters
string$sid

◆ update_recent_session_locks()

static core\session\manager::update_recent_session_locks ( $sessionlock)
static

Updates the recent session locks.

This function will store session lock info of all the pages visited.

Parameters
array$sessionlockSession lock array.

◆ validate_login_token()

static core\session\manager::validate_login_token ( $token = false)
static

Check the submitted value against the stored login token.

Parameters
mixed$tokenThe value submitted in the login form that we are validating. If false is passed for the token, this function will always return true.
Return values
booleanIf the submitted token is valid.

◆ write_close()

static core\session\manager::write_close ( )
static

No more changes in session expected.

Unblocks the sessions, other scripts may start executing in parallel.


The documentation for this class was generated from the following file: