MDL-31501 rework user session architecture

List of changes:
 * New OOP API using PHP namespace \core\session\.
 * All handlers now update the sessions table consistently.
 * Experimental DB session support in Oracle.
 * Full support for session file handler (filesystem locking required).
 * New option for alternative session directory.
 * Official memcached session handler support.
 * Workaround for memcached version with non-functional gc.
 * Improved security - forced session id regeneration.
 * Improved compatibility with recent PHP releases.
 * Fixed borked CSS during install in debug mode.
 * Switched to file based sessions in new installs.
 * DB session setting disappears if DB does not support sessions.
 * DB session setting disappears if session handler specified in config.php.
 * Fast purging of sessions used in request only.
 * No legacy distinction -  file, database and memcached support the same functionality.
 * Session handler name included in performance info.
 * Fixed user_loggedin and user_loggedout event triggering.
 * Other minor bugfixing and improvements.
 * Fixed database session segfault if MUC disposed before $DB.

Limitations:
 * Session access time is now updated right after session start.
 * Support for $CFG->sessionlockloggedinonly was removed.
 * First request does not update userid in sessions table.
 * The timeouts may break badly if server hosting forces PHP.ini session settings.
 * The session GC is a lot slower, we do not rely on external session timeouts.
 * There cannot be any hooks triggered at the session write time.
 * File and memcached handlers do not support session lock acquire timeouts.
 * Some low level PHP session functions can not be used directly in Moodle code.

admin/auth.php

@@ -51,7 +51,7 @@
         if ($auth == $CFG->registerauth) {
             set_config('registerauth', '');
         }
-        session_gc(); // remove stale sessions
+        \core\session\manager::gc(); // Remove stale sessions.
         break;
 
     case 'enable':
@@ -61,7 +61,7 @@
             $authsenabled = array_unique($authsenabled);
             set_config('auth', implode(',', $authsenabled));
         }
-        session_gc(); // remove stale sessions
+        \core\session\manager::gc(); // Remove stale sessions.
         break;
 
     case 'down':

admin/cli/upgrade.php

@@ -172,7 +172,7 @@
 upgrade_noncore(true);
 
 // log in as admin - we need doanything permission when applying defaults
-session_set_user(get_admin());
+\core\session\manager::set_user(get_admin());
 
 // apply all default settings, just in case do it twice to fill all defaults
 admin_apply_default_settings(NULL, false);

admin/cron.php

@@ -53,7 +53,7 @@
 require_once($CFG->libdir.'/cronlib.php');
 
 // extra safety
-session_get_instance()->write_close();
+\core\session\manager::write_close();
 
 // check if execution allowed
 if (!empty($CFG->cronclionly)) {

admin/index.php

@@ -163,7 +163,7 @@
     $strinstallation = get_string('installation', 'install');
 
     // remove current session content completely
-    session_get_instance()->terminate_current();
+    \core\session\manager::terminate_current();
 
     if (empty($agreelicense)) {
         $strlicense = get_string('license');

admin/settings/server.php

@@ -35,7 +35,9 @@
 
 // "sessionhandling" settingpage
 $temp = new admin_settingpage('sessionhandling', new lang_string('sessionhandling', 'admin'));
-$temp->add(new admin_setting_configcheckbox('dbsessions', new lang_string('dbsessions', 'admin'), new lang_string('configdbsessions', 'admin'), 1));
+if (empty($CFG->session_handler_class) and $DB->session_lock_supported()) {
+    $temp->add(new admin_setting_configcheckbox('dbsessions', new lang_string('dbsessions', 'admin'), new lang_string('configdbsessions', 'admin'), 0));
+}
 $temp->add(new admin_setting_configselect('sessiontimeout', new lang_string('sessiontimeout', 'admin'), new lang_string('configsessiontimeout', 'admin'), 7200, array(14400 => new lang_string('numhours', '', 4),
                                                                                                                                                       10800 => new lang_string('numhours', '', 3),
                                                                                                                                                       7200 => new lang_string('numhours', '', 2),

admin/tool/assignmentupgrade/batchupgrade.php

@@ -47,7 +47,7 @@
 }
 raise_memory_limit(MEMORY_EXTRA);
 // Release session.
-session_get_instance()->write_close();
+\core\session\manager::write_close();
 
 echo $renderer->header();
 echo $renderer->heading(get_string('batchupgrade', 'tool_assignmentupgrade'));

admin/tool/dbtransfer/locallib.php

@@ -52,7 +52,7 @@
 function tool_dbtransfer_export_xml_database($description, $mdb) {
     @set_time_limit(0);
 
-    session_get_instance()->write_close(); // Release session.
+    \core\session\manager::write_close(); // Release session.
 
     header('Content-Type: application/xhtml+xml; charset=utf-8');
     header('Content-Disposition: attachment; filename=database.xml');
@@ -79,7 +79,7 @@ function tool_dbtransfer_export_xml_database($description, $mdb) {
 function tool_dbtransfer_transfer_database(moodle_database $sourcedb, moodle_database $targetdb, progress_trace $feedback = null) {
     @set_time_limit(0);
 
-    session_get_instance()->write_close(); // Release session.
+    \core\session\manager::write_close(); // Release session.
 
     $var = new database_mover($sourcedb, $targetdb, true, $feedback);
     $var->export_database(null);

admin/tool/generator/cli/maketestcourse.php

@@ -90,7 +90,7 @@
 }
 
 // Switch to admin user account.
-session_set_user(get_admin());
+\core\session\manager::set_user(get_admin());
 
 // Do backend code to generate course.
 $backend = new tool_generator_course_backend($shortname, $size, $fixeddataset, empty($options['quiet']));

admin/tool/generator/cli/maketestsite.php

@@ -88,7 +88,7 @@
 }
 
 // Switch to admin user account.
-session_set_user(get_admin());
+\core\session\manager::set_user(get_admin());
 
 // Do backend code to generate site.
 $backend = new tool_generator_site_backend($size, $options['bypasscheck'], $fixeddataset, empty($options['quiet']));

admin/tool/uploaduser/index.php

@@ -687,7 +687,7 @@
             }
 
             if ($dologout) {
-                session_kill_user($existinguser->id);
+                \core\session\manager::kill_user_sessions($existinguser->id);
             }
 
         } else {

admin/user.php

@@ -82,10 +82,10 @@
             die;
         } else if (data_submitted() and !$user->deleted) {
             if (delete_user($user)) {
-                session_gc(); // remove stale sessions
+                \core\session\manager::gc(); // Remove stale sessions.
                 redirect($returnurl);
             } else {
-                session_gc(); // remove stale sessions
+                \core\session\manager::gc(); // Remove stale sessions.
                 echo $OUTPUT->header();
                 echo $OUTPUT->notification($returnurl, get_string('deletednot', '', fullname($user, true)));
             }
@@ -125,7 +125,7 @@
             if (!is_siteadmin($user) and $USER->id != $user->id and $user->suspended != 1) {
                 $user->suspended = 1;
                 // Force logout.
-                session_kill_user($user->id);
+                \core\session\manager::kill_user_sessions($user->id);
                 user_update_user($user, false);
             }
         }

admin/user/user_bulk_delete.php

@@ -34,7 +34,7 @@
         }
     }
     $rs->close();
-    session_gc(); // remove stale sessions
+    \core\session\manager::gc(); // Remove stale sessions.
     echo $OUTPUT->box_start('generalbox', 'notice');
     if (!empty($notifications)) {
         echo $notifications;

auth/ldap/auth.php

@@ -808,7 +808,7 @@ function sync_users($do_updates=true) {
                     $updateuser->suspended = 1;
                     user_update_user($updateuser, false);
                     echo "\t"; print_string('auth_dbsuspenduser', 'auth_db', array('name'=>$user->username, 'id'=>$user->id)); echo "\n";
-                    session_kill_user($user->id);
+                    \core\session\manager::kill_user_sessions($user->id);
                 }
             } else {
                 print_string('nouserentriestoremove', 'auth_ldap');

auth/mnet/auth.php

@@ -141,7 +141,7 @@ function start_jump_session($mnethostid, $wantsurl, $wantsurlbackhere=false) {
         global $CFG, $USER, $DB;
         require_once $CFG->dirroot . '/mnet/xmlrpc/client.php';
 
-        if (session_is_loggedinas()) {
+        if (\core\session\manager::is_loggedinas()) {
             print_error('notpermittedtojumpas', 'mnet');
         }
 
@@ -919,7 +919,7 @@ function keepalive_server($array) {
                 $returnString .= "We failed to refresh the session for the following usernames: \n".implode("\n", $subArray)."\n\n";
             } else {
                 foreach($results as $emigrant) {
-                    session_touch($emigrant->session_id);
+                    \core\session\manager::touch_session($emigrant->session_id);
                 }
             }
         }
@@ -1076,7 +1076,7 @@ function kill_children($username, $useragent) {
                                  array('useragent'=>$useragent, 'userid'=>$userid));
 
         if (isset($remoteclient) && isset($remoteclient->id)) {
-            session_kill_user($userid);
+            \core\session\manager::kill_user_sessions($userid);
         }
         return $returnstring;
     }
@@ -1096,7 +1096,7 @@ function kill_child($username, $useragent) {
         $session = $DB->get_record('mnet_session', array('username'=>$username, 'mnethostid'=>$remoteclient->id, 'useragent'=>$useragent));
         $DB->delete_records('mnet_session', array('username'=>$username, 'mnethostid'=>$remoteclient->id, 'useragent'=>$useragent));
         if (false != $session) {
-            session_kill($session->session_id);
+            \core\session\manager::kill_session($session->session_id);
             return true;
         }
         return false;
@@ -1113,7 +1113,7 @@ function end_local_sessions(&$sessionArray) {
         global $CFG;
         if (is_array($sessionArray)) {
             while($session = array_pop($sessionArray)) {
-                session_kill($session->session_id);
+                \core\session\manager::kill_session($session->session_id);
             }
             return true;
         }

auth/shibboleth/index.php

@@ -48,7 +48,7 @@
                 && $user = authenticate_user_login($frm->username, $frm->password)) {
 
             enrol_check_plugins($user);
-            session_set_user($user);
+            \core\session\manager::set_user($user);
 
             $USER->loggedin = true;
             $USER->site     = $CFG->wwwroot; // for added security, store the site in the

badges/ajax.php

@@ -34,7 +34,7 @@
 $PAGE->set_context(context_system::instance());
 
 // Unlock session during potentially long curl request.
-session_get_instance()->write_close();
+\core\session\manager::write_close();
 
 $result = badges_check_backpack_accessibility();
 

blocks/html/lib.php

@@ -81,7 +81,7 @@ function block_html_pluginfile($course, $birecord_or_cm, $context, $filearea, $a
         $forcedownload = true;
     }
 
-    session_get_instance()->write_close();
+    \core\session\manager::write_close();
     send_stored_file($file, 60*60, 0, $forcedownload, $options);
 }
 

blocks/mnet_hosts/block_mnet_hosts.php

@@ -25,7 +25,7 @@ function get_content() {
             return false;
         }
 
-        if (session_is_loggedinas()) {
+        if (\core\session\manager::is_loggedinas()) {
             $this->content = new stdClass();
             $this->content->footer = html_writer::tag('span',
                 get_string('notpermittedtojumpas', 'mnet'));

calendar/tests/calendartype_test.php

@@ -277,6 +277,6 @@ private function datetime_field_submission_test($type, $date) {
      */
     private function set_calendar_type($type) {
         $this->user->calendartype = $type;
-        session_set_user($this->user);
+        \core\session\manager::set_user($this->user);
     }
 }

config-dist.php

@@ -224,10 +224,22 @@
 // RewriteRule (^.*/theme/yui_combo\.php)(/.*) $1?file=$2
 //
 //
-// By default all user sessions should be using locking, uncomment
-// the following setting to prevent locking for guests and not-logged-in
-// accounts. This may improve performance significantly.
-//     $CFG->sessionlockloggedinonly = 1;
+// Following settings may be used to select session driver, uncomment only one of the handlers.
+//   Database session handler (not compatible with MyISAM):
+//      $CFG->session_handler_class = '\core\session\database';
+//      $CFG->session_database_acquire_lock_timeout = 120;
+//
+//   File session handler (file system locking required):
+//      $CFG->session_handler_class = '\core\session\file';
+//      $CFG->session_file_save_path = $CFG->dataroot.'/sessions';
+//
+//   Memcached session handler (requires memcached server and extension):
+//      $CFG->session_handler_class = '\core\session\memcached';
+//      $CFG->session_memcached_save_path = '127.0.0.1:11211';
+//      $CFG->session_memcached_prefix = 'memc.sess.key.';
+//
+// Following setting allows you to alter how frequently is timemodified updated in sessions table.
+//      $CFG->session_update_timemodified_frequency = 20; // In seconds.
 //
 // If this setting is set to true, then Moodle will track the IP of the
 // current user to make sure it hasn't changed during a session.  This

course/loginas.php

@@ -11,7 +11,7 @@
 $PAGE->set_url($url);
 
 // Reset user back to their real self if needed, for security reasons you need to log out and log in again.
-if (session_is_loggedinas()) {
+if (\core\session\manager::is_loggedinas()) {
     require_sesskey();
     require_logout();
 
@@ -61,7 +61,7 @@
 }
 
 // Login as this user and return to course home page.
-session_loginas($userid, $context);
+\core\session\manager::loginas($userid, $context);
 $newfullname = fullname($USER, true);
 
 $strloginas    = get_string('loginas');

draftfile.php

@@ -84,5 +84,5 @@
 // ========================================
 // finally send the file
 // ========================================
-session_get_instance()->write_close(); // unlock session during fileserving
+\core\session\manager::write_close(); // Unlock session during file serving.
 send_stored_file($file, 0, false, true, array('preview' => $preview)); // force download - security first!

enrol/index.php

@@ -46,7 +46,7 @@
 $PAGE->set_url('/enrol/index.php', array('id'=>$course->id));
 
 // do not allow enrols when in login-as session
-if (session_is_loggedinas() and $USER->loginascontext->contextlevel == CONTEXT_COURSE) {
+if (\core\session\manager::is_loggedinas() and $USER->loginascontext->contextlevel == CONTEXT_COURSE) {
     print_error('loginasnoenrol', '', $CFG->wwwroot.'/course/view.php?id='.$USER->loginascontext->instanceid);
 }
 

file.php

@@ -111,7 +111,7 @@
 // ========================================
 // finally send the file
 // ========================================
-session_get_instance()->write_close(); // unlock session during fileserving
+\core\session\manager::write_close(); // Unlock session during file serving.
 send_stored_file($file, $lifetime, $CFG->filteruploadedfiles, $forcedownload);
 
 

lang/en/error.php

@@ -466,6 +466,7 @@
 $string['sessionwaiterr'] = 'Timed out while waiting for session lock.<br />Wait for your current requests to finish and try again later.';
 $string['sessioncookiesdisable'] = 'Incorrect use of require_key_login() - session cookies must be disabled!';
 $string['sessiondiskfull'] = 'The session partition is full. It is not possible to login at this time.<br /><br />Please notify server administrator.';
+$string['sessionhandlerproblem'] = 'Session handler is misconfigured';
 $string['sessionerroruser'] = 'Your session has timed out.  Please login again.';
 $string['sessionerroruser2'] = 'A server error that affects your login session was detected. Please login again or restart your browser.';
 $string['sessionipnomatch'] = 'Sorry, but your IP number seems to have changed from when you first logged in.  This security feature prevents crackers stealing your identity while logged in to this site.  Normal users should not be seeing this message - please ask the site administrator for help.';

lib/authlib.php

@@ -618,9 +618,7 @@ function login_is_lockedout($user) {
 function login_attempt_valid($user) {
     global $CFG;
 
-    $event = \core\event\user_loggedin::create(array('objectid' => $user->id, 'other' => array('username' => $user->username)));
-    $event->add_record_snapshot('user', $user);
-    $event->trigger();
+    // Note: user_loggedin event is triggered in complete_user_login().
 
     if ($user->mnethostid != $CFG->mnet_localhost_id) {
         return;

lib/classes/event/user_loggedin.php

@@ -96,7 +96,7 @@ protected function init() {
     /**
      * Custom validation.
      *
-     * @throws coding_exception when validation does not pass.
+     * @throws \coding_exception when validation does not pass.
      * @return void
      */
     protected function validate_data() {

lib/classes/event/user_loggedout.php

@@ -38,6 +38,7 @@ class user_loggedout extends base {
      * Initialise required event data properties.
      */
     protected function init() {
+        $this->context = \context_system::instance();
         $this->data['objecttable'] = 'user';
         $this->data['crud'] = 'r';
         $this->data['level'] = self::LEVEL_OTHER;