aboutsummaryrefslogtreecommitdiffstats
path: root/lib/private/Session
Commit message (Collapse)AuthorAgeFilesLines
* fix(setup): ignore long session login during installationMaxence Lange2024-08-271-3/+5
| | | Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
* fix(session): Log when session_* calls are slowChristoph Wurst2024-08-073-15/+28
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* perf: Set session.cache_limiter at runtime to avoid clients caching static ↵Julius Härtl2024-07-081-0/+1
| | | | | | | | | | | assets served by PHP By default there is a Pragma: no-cache header set due to the default value `no-cache` of session.cache-limiter, which will cause Chrome and iOS to not cache even with a different Cache-Control header set on the response. Signed-off-by: Julius Härtl <jus@bitgrid.net>
* chore: Add SPDX headerAndy Scherzinger2024-05-245-120/+16
| | | | Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
* fix(typo): Fix typo in docsJoas Schilling2024-03-251-1/+1
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* chore: Add missing ArrayAccess template parametersCôme Chilliet2024-02-062-0/+4
| | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Always catch OCP versions of authentication exceptionsCôme Chilliet2024-01-111-1/+1
| | | | | | And always throw OC versions for BC Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* chore: apply changes from Nextcloud coding standards 1.1.1Joas Schilling2023-11-232-5/+5
| | | | | Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
* fix(session): Do not log fresh/empty session as errorChristoph Wurst2023-11-071-12/+18
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* fix(session): Log when crypto session data is lostChristoph Wurst2023-10-111-1/+7
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* chore: Replace \OC::$server->query with \OCP\Server::get in /libChristoph Wurst2023-07-061-1/+1
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* chore: Drop dead private methods in /libChristoph Wurst2023-06-062-21/+0
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Don't call session_start() when PHP session is still or already open.Claus-Justus Heine2023-04-171-0/+1
| | | | Signed-off-by: Claus-Justus Heine <himself@claus-justus-heine.de>
* composer run cs:fixCôme Chilliet2023-01-201-1/+0
| | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* fix: Make sure to reopen session before cleaningJulius Härtl2022-12-101-0/+4
| | | | | | | Otherwise restoring the requesttoken would reopen and read the existing session data and restore it instead of clearing Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Do not remove complete encrypted session key when just a key should be removedJulius Härtl2022-11-031-1/+0
| | | | Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Read encrypted session data again on reopenJulius Härtl2022-11-031-1/+5
| | | | Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Add config option to disable strict session timeout to be able to use ↵Julius Härtl2022-08-171-3/+7
| | | | | | | | read_and_close Fixed https://github.com/nextcloud/server/issues/29356 Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Reopen sessions if we need to write to them instead of keeping them openJulius Härtl2022-08-173-6/+34
| | | | | | | Sessions are a locking operation until we write close them, so close them early and reopen later in case we want to write to them Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Fix typos in lib/private subdirectoryluz paz2022-07-271-1/+1
| | | | | | Found via `codespell -q 3 -S l10n -L jus ./lib/private` Signed-off-by: luz paz <luzpaz@github.com>
* Fix ArrayAccess and JsonSerializable return typesCôme Chilliet2021-11-232-4/+6
| | | | | | First round of modifications for PHP 8.1 Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Only trap E_ERROR in session handlingJulius Härtl2021-08-171-1/+3
| | | | Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Update php licensesJohn Molakvoæ (skjnldsv)2021-06-045-5/+0
| | | | Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
* Generate a new session id if the decrypting the session data failsRoeland Jago Douma2020-12-041-0/+1
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Remove the cookie paths for php<7.3Christoph Wurst2020-11-062-21/+13
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Silence duplicate session warningsRoeland Jago Douma2020-08-141-4/+4
| | | | | | | | Fixes #20490 Basically restroring the old behavior. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Update license headers for 19Christoph Wurst2020-04-291-0/+1
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Add visibility to all constantsChristoph Wurst2020-04-102-2/+2
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Format control structures, classes, methods and functionChristoph Wurst2020-04-104-7/+8
| | | | | | | | | | | | | | | To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Use php keywords in lowercaseChristoph Wurst2020-04-091-1/+1
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Remove unused importsChristoph Wurst2020-03-251-2/+0
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Only send samesite cookiesRoeland Jago Douma2020-02-062-3/+27
| | | | | | | | This makes the last remaining two cookies lax. The session cookie itself. And the session password as well (on php 7.3 that is). Samesite cookies are the best cookies! Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Update license headersChristoph Wurst2019-12-055-8/+21
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* replace setcookie value with '' instead of null.MartB2018-09-061-1/+1
| | | | | | | The php documentation states that an empty string should be used for a cookie when it has no real value. null leads to the following error: expects parameter 2 to be string, null given Signed-off-by: Martin Böh <mart.b@outlook.de>
* Allow updating the token on session regenerationRoeland Jago Douma2018-06-143-4/+36
| | | | | | | Sometimes when we force a session regeneration we want to update the current token for this session. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Make ISession strictRoeland Jago Douma2018-02-264-29/+33
| | | | | | | * Make all implementations strict * Add scalar types Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Fix type in CryptoSessionDataMorris Jobke2018-01-121-1/+1
| | | | | | Found while adding strict typing for PHP7+. Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Update license headersMorris Jobke2017-11-062-1/+4
| | | | Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Fix MigrationSchemaChecker and CryptoWrapperLukas Reschke2017-08-011-3/+5
| | | | Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Forward port of #5190 to masterArthur Schiwon2017-06-151-9/+32
| | | | | | | | | | | | | | | | | Treat PHP Errors on User session regenerate Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> remove unnecessary lines… Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> change PHP errors to ErrorException in the session (PHP >=7) Otherwise it might be that authentication apps are being disabled on during operation while in fact the session handler has hiccup. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* Catch session already closed exception in destructorVictor Dubiniuk2017-04-252-2/+7
|
* Do not clear CSRF token on logout (fix for #1303)Roeland Jago Douma2017-03-131-0/+4
| | | | | | | | | | | | | | | | | | | This is a hacky way to allow the use case of #1303. What happens is 1. User tries to login 2. PreLoginHook kicks in and figures out that the user need to change their LDAP password or whatever => redirects user 3. While loading the redirect some logic of ours kicks in and logouts the user (thus clearing the session). 4. We render the new page but now the session and the page disagree about the CSRF token This is kind of hacky but I don't think it introduces new attack vectors. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Update with robinJoas Schilling2016-07-213-3/+3
|
* Fix othersJoas Schilling2016-07-215-8/+13
|
* Update license headersLukas Reschke2016-05-264-5/+7
|
* throw SessionNotAvailableException if session_id returns empty stringChristoph Wurst2016-04-263-4/+17
|
* add ISession::getId() wrapper for session_idChristoph Wurst2016-04-253-0/+30
|
* Move \OC\Session to PSR-4Roeland Jago Douma2016-04-155-0/+613