phorge-phorge/src/applications/auth/storage/PhabricatorAuthSession.php

<?php

final class PhabricatorAuthSession extends PhabricatorAuthDAO
  implements PhabricatorPolicyInterface {

  const TYPE_WEB      = 'web';
  const TYPE_CONDUIT  = 'conduit';

  protected $userPHID;
  protected $type;
  protected $sessionKey;
  protected $sessionStart;
  protected $sessionExpires;

  private $identityObject = self::ATTACHABLE;

  public function getConfiguration() {
    return array(
      self::CONFIG_TIMESTAMPS => false,
    ) + parent::getConfiguration();
  }

  public function getApplicationName() {
    // This table predates the "Auth" application, and really all applications.
    return 'user';
  }

  public function getTableName() {
    // This is a very old table with a nonstandard name.
    return PhabricatorUser::SESSION_TABLE;
  }

  public function attachIdentityObject($identity_object) {
    $this->identityObject = $identity_object;
    return $this;
  }

  public function getIdentityObject() {
    return $this->assertAttached($this->identityObject);
  }

  public static function getSessionTypeTTL($session_type) {
    switch ($session_type) {
      case self::TYPE_WEB:
        return (60 * 60 * 24 * 30); // 30 days
      case self::TYPE_CONDUIT:
        return (60 * 60 * 24); // 24 hours
      default:
        throw new Exception(pht('Unknown session type "%s".', $session_type));
    }
  }

/* -(  PhabricatorPolicyInterface  )----------------------------------------- */


  public function getCapabilities() {
    return array(
      PhabricatorPolicyCapability::CAN_VIEW,
    );
  }

  public function getPolicy($capability) {
    return PhabricatorPolicies::POLICY_NOONE;
  }

  public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {
    if (!$viewer->getPHID()) {
      return false;
    }

    $object = $this->getIdentityObject();
    if ($object instanceof PhabricatorUser) {
      return ($object->getPHID() == $viewer->getPHID());
    } else if ($object instanceof PhabricatorExternalAccount) {
      return ($object->getUserPHID() == $viewer->getPHID());
    }

    return false;
  }

  public function describeAutomaticCapability($capability) {
    return pht('A session is visible only to its owner.');
  }

}
Add an "active login sessions" table to Settings Summary: Ref T4310. Ref T3720. Partly, this makes it easier for users to understand login sessions. Partly, it makes it easier for me to make changes to login sessions for T4310 / T3720 without messing anything up. Test Plan: {F101512} Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T3720, T4310 Differential Revision: https://secure.phabricator.com/D7954 2014-01-14 20:05:45 +01:00			`<?php`

			`final class PhabricatorAuthSession extends PhabricatorAuthDAO`
			`implements PhabricatorPolicyInterface {`

Replace "web" and "conduit" magic session strings with constants Summary: Ref T4310. Ref T3720. We use bare strings to refer to session types in several places right now; use constants instead. Test Plan: grep; logged out; logged in; ran Conduit commands. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T4310, T3720 Differential Revision: https://secure.phabricator.com/D7963 2014-01-14 22:22:34 +01:00			`const TYPE_WEB = 'web';`
			`const TYPE_CONDUIT = 'conduit';`

Add an "active login sessions" table to Settings Summary: Ref T4310. Ref T3720. Partly, this makes it easier for users to understand login sessions. Partly, it makes it easier for me to make changes to login sessions for T4310 / T3720 without messing anything up. Test Plan: {F101512} Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T3720, T4310 Differential Revision: https://secure.phabricator.com/D7954 2014-01-14 20:05:45 +01:00			`protected $userPHID;`
			`protected $type;`
			`protected $sessionKey;`
			`protected $sessionStart;`
Expire and garbage collect unused sessions Summary: Ref T3720. Ref T4310. Currently, we limit the maximum number of concurrent sessions of each type. This is primarily because sessions predate garbage collection and we had no way to prevent the session table from growing fairly quickly and without bound unless we did this. Now that we have GC (and it's modular!) we can just expire unused sessions after a while and throw them away: - Add a `sessionExpires` column to the table, with a key. - Add a GC for old sessions. - When we establish a session, set `sessionExpires` to the current time plus the session TTL. - When a user uses a session and has used up more than 20% of the time on it, extend the session. In addition to this, we could also rotate sessions, but I think that provides very little value. If we do want to implement it, we should hold it until after T3720 / T4310. Test Plan: - Ran schema changes. - Looked at database. - Tested GC: - Started GC. - Set expires on one row to the past. - Restarted GC. - Verified GC nuked the session. - Logged in. - Logged out. - Ran Conduit method. - Tested refresh: - Set threshold to 0.0001% instead of 20%. - Loaded page. - Saw a session extension ever few page loads. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T4310, T3720 Differential Revision: https://secure.phabricator.com/D7976 2014-01-15 22:56:16 +01:00			`protected $sessionExpires;`
Add an "active login sessions" table to Settings Summary: Ref T4310. Ref T3720. Partly, this makes it easier for users to understand login sessions. Partly, it makes it easier for me to make changes to login sessions for T4310 / T3720 without messing anything up. Test Plan: {F101512} Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T3720, T4310 Differential Revision: https://secure.phabricator.com/D7954 2014-01-14 20:05:45 +01:00
			`private $identityObject = self::ATTACHABLE;`

			`public function getConfiguration() {`
			`return array(`
			`self::CONFIG_TIMESTAMPS => false,`
			`) + parent::getConfiguration();`
			`}`

			`public function getApplicationName() {`
			`// This table predates the "Auth" application, and really all applications.`
			`return 'user';`
			`}`

			`public function getTableName() {`
			`// This is a very old table with a nonstandard name.`
			`return PhabricatorUser::SESSION_TABLE;`
			`}`

			`public function attachIdentityObject($identity_object) {`
			`$this->identityObject = $identity_object;`
			`return $this;`
			`}`

			`public function getIdentityObject() {`
			`return $this->assertAttached($this->identityObject);`
			`}`

Expire and garbage collect unused sessions Summary: Ref T3720. Ref T4310. Currently, we limit the maximum number of concurrent sessions of each type. This is primarily because sessions predate garbage collection and we had no way to prevent the session table from growing fairly quickly and without bound unless we did this. Now that we have GC (and it's modular!) we can just expire unused sessions after a while and throw them away: - Add a `sessionExpires` column to the table, with a key. - Add a GC for old sessions. - When we establish a session, set `sessionExpires` to the current time plus the session TTL. - When a user uses a session and has used up more than 20% of the time on it, extend the session. In addition to this, we could also rotate sessions, but I think that provides very little value. If we do want to implement it, we should hold it until after T3720 / T4310. Test Plan: - Ran schema changes. - Looked at database. - Tested GC: - Started GC. - Set expires on one row to the past. - Restarted GC. - Verified GC nuked the session. - Logged in. - Logged out. - Ran Conduit method. - Tested refresh: - Set threshold to 0.0001% instead of 20%. - Loaded page. - Saw a session extension ever few page loads. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T4310, T3720 Differential Revision: https://secure.phabricator.com/D7976 2014-01-15 22:56:16 +01:00			`public static function getSessionTypeTTL($session_type) {`
			`switch ($session_type) {`
			`case self::TYPE_WEB:`
			`return (60 * 60 * 24 * 30); // 30 days`
			`case self::TYPE_CONDUIT:`
			`return (60 * 60 * 24); // 24 hours`
			`default:`
			`throw new Exception(pht('Unknown session type "%s".', $session_type));`
			`}`
			`}`

Add an "active login sessions" table to Settings Summary: Ref T4310. Ref T3720. Partly, this makes it easier for users to understand login sessions. Partly, it makes it easier for me to make changes to login sessions for T4310 / T3720 without messing anything up. Test Plan: {F101512} Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T3720, T4310 Differential Revision: https://secure.phabricator.com/D7954 2014-01-14 20:05:45 +01:00			`/* -( PhabricatorPolicyInterface )----------------------------------------- */`


			`public function getCapabilities() {`
			`return array(`
			`PhabricatorPolicyCapability::CAN_VIEW,`
			`);`
			`}`

			`public function getPolicy($capability) {`
			`return PhabricatorPolicies::POLICY_NOONE;`
			`}`

			`public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {`
			`if (!$viewer->getPHID()) {`
			`return false;`
			`}`

			`$object = $this->getIdentityObject();`
			`if ($object instanceof PhabricatorUser) {`
			`return ($object->getPHID() == $viewer->getPHID());`
			`} else if ($object instanceof PhabricatorExternalAccount) {`
			`return ($object->getUserPHID() == $viewer->getPHID());`
			`}`

			`return false;`
			`}`

			`public function describeAutomaticCapability($capability) {`
			`return pht('A session is visible only to its owner.');`
			`}`

			`}`