<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[29221] trunk: Tie cookies and nonces to user sessions so they may be invalidated upon logout.</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://core.trac.wordpress.org/changeset/29221">29221</a></dd>
<dt>Author</dt> <dd>nacin</dd>
<dt>Date</dt> <dd>2014-07-18 09:12:05 +0000 (Fri, 18 Jul 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>Tie cookies and nonces to user sessions so they may be invalidated upon logout.
Sessions are stored in usermeta via WP_User_Meta_Session_Tokens, which extends the abstract WP_Session_Tokens class. Extending WP_Session_Tokens can allow for alternative storage, such as a separate table or Redis.
Introduces some simple APIs for session listing and destruction, such as wp_get_active_sessions() and wp_destroy_all_sessions().
This invalidates all existing authentication cookies, as a new segment (the session token) has been added to them.
props duck_, nacin, mdawaffe.
see <a href="http://core.trac.wordpress.org/ticket/20276">#20276</a>.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpincludespluggablephp">trunk/src/wp-includes/pluggable.php</a></li>
<li><a href="#trunksrcwpincludesuserphp">trunk/src/wp-includes/user.php</a></li>
<li><a href="#trunksrcwpsettingsphp">trunk/src/wp-settings.php</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunksrcwpincludessessionphp">trunk/src/wp-includes/session.php</a></li>
<li><a href="#trunktestsphpunittestsusersessionphp">trunk/tests/phpunit/tests/user/session.php</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpincludespluggablephp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-includes/pluggable.php (29220 => 29221)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-includes/pluggable.php 2014-07-18 07:56:25 UTC (rev 29220)
+++ trunk/src/wp-includes/pluggable.php 2014-07-18 09:12:05 UTC (rev 29221)
</span><span class="lines">@@ -586,6 +586,7 @@
</span><span class="cx"> * @since 2.5.0
</span><span class="cx"> */
</span><span class="cx"> function wp_logout() {
</span><ins>+ wp_destroy_current_session();
</ins><span class="cx"> wp_clear_auth_cookie();
</span><span class="cx">
</span><span class="cx"> /**
</span><span class="lines">@@ -631,6 +632,7 @@
</span><span class="cx"> $scheme = $cookie_elements['scheme'];
</span><span class="cx"> $username = $cookie_elements['username'];
</span><span class="cx"> $hmac = $cookie_elements['hmac'];
</span><ins>+ $token = $cookie_elements['token'];
</ins><span class="cx"> $expired = $expiration = $cookie_elements['expiration'];
</span><span class="cx">
</span><span class="cx"> // Allow a grace period for POST and AJAX requests
</span><span class="lines">@@ -666,10 +668,10 @@
</span><span class="cx">
</span><span class="cx"> $pass_frag = substr($user->user_pass, 8, 4);
</span><span class="cx">
</span><del>- $key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme);
- $hash = hash_hmac('md5', $username . '|' . $expiration, $key);
</del><ins>+ $key = wp_hash( $username . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );
+ $hash = hash_hmac( 'sha256', $username . '|' . $expiration . '|' . $token, $key );
</ins><span class="cx">
</span><del>- if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) {
</del><ins>+ if ( hash_hmac( 'sha256', $hmac, $key ) !== hash_hmac( 'sha256', $hash, $key ) ) {
</ins><span class="cx"> /**
</span><span class="cx"> * Fires if a bad authentication cookie hash is encountered.
</span><span class="cx"> *
</span><span class="lines">@@ -681,7 +683,14 @@
</span><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if ( $expiration < time() ) {// AJAX/POST grace period set above
</del><ins>+ $manager = WP_Session_Tokens::get_instance( $user->ID );
+ if ( ! $manager->verify_token( $token ) ) {
+ do_action( 'auth_cookie_bad_session_token', $cookie_elements );
+ return false;
+ }
+
+ // AJAX/POST grace period set above
+ if ( $expiration < time() ) {
</ins><span class="cx"> $GLOBALS['login_grace_period'] = 1;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -708,17 +717,26 @@
</span><span class="cx"> * @param int $user_id User ID
</span><span class="cx"> * @param int $expiration Cookie expiration in seconds
</span><span class="cx"> * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
</span><del>- * @return string Authentication cookie contents
</del><ins>+ * @param string $token User's session token to use for this cookie
+ * @return string Authentication cookie contents. Empty string if user does not exist.
</ins><span class="cx"> */
</span><del>-function wp_generate_auth_cookie($user_id, $expiration, $scheme = 'auth') {
</del><ins>+function wp_generate_auth_cookie( $user_id, $expiration, $scheme = 'auth', $token = '' ) {
</ins><span class="cx"> $user = get_userdata($user_id);
</span><ins>+ if ( ! $user ) {
+ return '';
+ }
</ins><span class="cx">
</span><ins>+ if ( ! $token ) {
+ $manager = WP_Session_Tokens::get_instance( $user_id );
+ $token = $manager->create_token( $expiration );
+ }
+
</ins><span class="cx"> $pass_frag = substr($user->user_pass, 8, 4);
</span><span class="cx">
</span><del>- $key = wp_hash($user->user_login . $pass_frag . '|' . $expiration, $scheme);
- $hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key);
</del><ins>+ $key = wp_hash( $user->user_login . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );
+ $hash = hash_hmac( 'sha256', $user->user_login . '|' . $expiration . '|' . $token, $key );
</ins><span class="cx">
</span><del>- $cookie = $user->user_login . '|' . $expiration . '|' . $hash;
</del><ins>+ $cookie = $user->user_login . '|' . $expiration . '|' . $token . '|' . $hash;
</ins><span class="cx">
</span><span class="cx"> /**
</span><span class="cx"> * Filter the authentication cookie.
</span><span class="lines">@@ -729,8 +747,9 @@
</span><span class="cx"> * @param int $user_id User ID.
</span><span class="cx"> * @param int $expiration Authentication cookie expiration in seconds.
</span><span class="cx"> * @param string $scheme Cookie scheme used. Accepts 'auth', 'secure_auth', or 'logged_in'.
</span><ins>+ * @param string $token User's session token used.
</ins><span class="cx"> */
</span><del>- return apply_filters( 'auth_cookie', $cookie, $user_id, $expiration, $scheme );
</del><ins>+ return apply_filters( 'auth_cookie', $cookie, $user_id, $expiration, $scheme, $token );
</ins><span class="cx"> }
</span><span class="cx"> endif;
</span><span class="cx">
</span><span class="lines">@@ -772,12 +791,13 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> $cookie_elements = explode('|', $cookie);
</span><del>- if ( count($cookie_elements) != 3 )
</del><ins>+ if ( count( $cookie_elements ) !== 4 ) {
</ins><span class="cx"> return false;
</span><ins>+ }
</ins><span class="cx">
</span><del>- list($username, $expiration, $hmac) = $cookie_elements;
</del><ins>+ list( $username, $expiration, $token, $hmac ) = $cookie_elements;
</ins><span class="cx">
</span><del>- return compact('username', 'expiration', 'hmac', 'scheme');
</del><ins>+ return compact( 'username', 'expiration', 'token', 'hmac', 'scheme' );
</ins><span class="cx"> }
</span><span class="cx"> endif;
</span><span class="cx">
</span><span class="lines">@@ -793,6 +813,8 @@
</span><span class="cx"> *
</span><span class="cx"> * @param int $user_id User ID
</span><span class="cx"> * @param bool $remember Whether to remember the user
</span><ins>+ * @param mixed $secure Whether the admin cookies should only be sent over HTTPS.
+ * Default is_ssl().
</ins><span class="cx"> */
</span><span class="cx"> function wp_set_auth_cookie($user_id, $remember = false, $secure = '') {
</span><span class="cx"> if ( $remember ) {
</span><span class="lines">@@ -854,9 +876,12 @@
</span><span class="cx"> $scheme = 'auth';
</span><span class="cx"> }
</span><span class="cx">
</span><del>- $auth_cookie = wp_generate_auth_cookie($user_id, $expiration, $scheme);
- $logged_in_cookie = wp_generate_auth_cookie($user_id, $expiration, 'logged_in');
</del><ins>+ $manager = WP_Session_Tokens::get_instance( $user_id );
+ $token = $manager->create_token( $expiration );
</ins><span class="cx">
</span><ins>+ $auth_cookie = wp_generate_auth_cookie( $user_id, $expiration, $scheme, $token );
+ $logged_in_cookie = wp_generate_auth_cookie( $user_id, $expiration, 'logged_in', $token );
+
</ins><span class="cx"> /**
</span><span class="cx"> * Fires immediately before the authentication cookie is set.
</span><span class="cx"> *
</span><span class="lines">@@ -1682,14 +1707,19 @@
</span><span class="cx"> $uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ $token = wp_get_session_token();
</ins><span class="cx"> $i = wp_nonce_tick();
</span><span class="cx">
</span><span class="cx"> // Nonce generated 0-12 hours ago
</span><del>- if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) === $nonce )
</del><ins>+ if ( $nonce === substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 ) ) {
</ins><span class="cx"> return 1;
</span><ins>+ }
+
</ins><span class="cx"> // Nonce generated 12-24 hours ago
</span><del>- if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) === $nonce )
</del><ins>+ if ( $nonce === substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 ) ) {
</ins><span class="cx"> return 2;
</span><ins>+ }
+
</ins><span class="cx"> // Invalid nonce
</span><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="lines">@@ -1712,9 +1742,10 @@
</span><span class="cx"> $uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ $token = wp_get_session_token();
</ins><span class="cx"> $i = wp_nonce_tick();
</span><span class="cx">
</span><del>- return substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10);
</del><ins>+ return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
</ins><span class="cx"> }
</span><span class="cx"> endif;
</span><span class="cx">
</span></span></pre></div>
<a id="trunksrcwpincludessessionphp"></a>
<div class="addfile"><h4>Added: trunk/src/wp-includes/session.php (0 => 29221)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-includes/session.php (rev 0)
+++ trunk/src/wp-includes/session.php 2014-07-18 09:12:05 UTC (rev 29221)
</span><span class="lines">@@ -0,0 +1,379 @@
</span><ins>+<?php
+/**
+ * Abstract class for managing user session tokens.
+ *
+ * @since 4.0.0
+ */
+abstract class WP_Session_Tokens {
+
+ /**
+ * User ID.
+ *
+ * @since 4.0.0
+ *
+ * @var int User ID.
+ */
+ protected $user_id;
+
+ /**
+ * Protected constructor.
+ *
+ * @param int $user_id User whose session to manage.
+ */
+ protected function __construct( $user_id ) {
+ $this->user_id = $user_id;
+ }
+
+ /**
+ * Get a session token manager instance for a user.
+ *
+ * This method contains a filter that allows a plugin to swap out
+ * the session manager for a subclass of WP_Session_Tokens.
+ *
+ * @since 4.0.0
+ *
+ * @param int $user_id User whose session to manage.
+ */
+ final public static function get_instance( $user_id ) {
+ /**
+ * Filter the session token manager used.
+ *
+ * @since 4.0.0
+ *
+ * @param string $session Name of class to use as the manager.
+ * Default 'WP_User_Meta_Session_Tokens'.
+ */
+ $manager = apply_filters( 'session_token_manager', 'WP_User_Meta_Session_Tokens' );
+ return new $manager( $user_id );
+ }
+
+ /**
+ * Hashes a token for storage.
+ *
+ * @since 4.0.0
+ *
+ * @param string $token Token to hash.
+ * @return string A hash of the token (a verifier).
+ */
+ final private function hash_token( $token ) {
+ return hash( 'sha256', $token );
+ }
+
+ /**
+ * Validate a user's session token as authentic.
+ *
+ * Checks that the given token is present and hasn't expired.
+ *
+ * @since 4.0.0
+ *
+ * @param string $token Token to verify.
+ * @return bool Whether the token is valid for the user.
+ */
+ final public function verify_token( $token ) {
+ $verifier = $this->hash_token( $token );
+ return (bool) $this->get_session( $verifier );
+ }
+
+ /**
+ * Generate a cookie session identification token.
+ *
+ * A session identification token is a long, random string. It is used to
+ * link a cookie to an expiration time and to ensure that cookies become
+ * invalidated upon logout. This function generates a token and stores it
+ * with the associated expiration time.
+ *
+ * @since 4.0.0
+ *
+ * @param int $expiration Session expiration timestamp.
+ * @return string Session identification token.
+ */
+ final public function create_token( $expiration ) {
+ /**
+ * Filter the information attached to the newly created session.
+ *
+ * Could be used in the future to attach information such as
+ * IP address or user agent to a session.
+ *
+ * @since 4.0.0
+ *
+ * @param array $session Array of extra data.
+ * @param int $user_id User ID.
+ */
+ $session = apply_filters( 'attach_session_information', array(), $this->user_id );
+ $session['expiration'] = $expiration;
+
+ $token = wp_generate_password( 43, false, false );
+
+ $this->update_token( $token, $session );
+
+ return $token;
+ }
+
+ /**
+ * Updates a session based on its token.
+ *
+ * @since 4.0.0
+ *
+ * @param string $token Token to update.
+ * @param array $session Session information.
+ */
+ final public function update_token( $token, $session ) {
+ $verifier = $this->hash_token( $token );
+ $this->update_session( $verifier, $session );
+ }
+
+ /**
+ * Destroy a session token.
+ *
+ * @since 4.0.0
+ *
+ * @param string $token Token to destroy.
+ */
+ final public function destroy_token( $token ) {
+ $verifier = $this->hash_token( $token );
+ $this->update_session( $verifier, null );
+ }
+
+ /**
+ * Destroy all session tokens for this user,
+ * except a single token, presumably the one in use.
+ *
+ * @since 4.0.0
+ *
+ * @param string $token_to_keep Token to keep.
+ */
+ final public function destroy_other_tokens( $token_to_keep ) {
+ $verifier = $this->hash_token( $token_to_keep );
+ $session = $this->get_session( $verifier );
+ if ( $session ) {
+ $this->destroy_other_sessions( $verifier );
+ } else {
+ $this->destroy_all_tokens();
+ }
+ }
+
+ /**
+ * Determine whether a session token is still valid,
+ * based on expiration.
+ *
+ * @since 4.0.0
+ *
+ * @param array $session Session to check.
+ * @return bool Whether session is valid.
+ */
+ final protected function is_still_valid( $session ) {
+ return $session['expiration'] >= time();
+ }
+
+ /**
+ * Destroy all tokens for a user.
+ *
+ * @since 4.0.0
+ */
+ final public function destroy_all_tokens() {
+ $this->destroy_all_sessions();
+ }
+
+ /**
+ * Destroy all tokens for all users.
+ *
+ * @since 4.0.0
+ */
+ final public static function destroy_all_tokens_for_all_users() {
+ $manager = apply_filters( 'session_token_manager', 'WP_User_Meta_Session_Tokens' );
+ $manager::drop_sessions();
+ }
+
+ /**
+ * Retrieve all sessions of a user.
+ *
+ * @since 4.0.0
+ *
+ * @return array Sessions of a user.
+ */
+ final public function get_all_sessions() {
+ return array_values( $this->get_sessions() );
+ }
+
+ /**
+ * This method should retrieve all sessions of a user, keyed by verifier.
+ *
+ * @since 4.0.0
+ *
+ * @return array Sessions of a user, keyed by verifier.
+ */
+ abstract protected function get_sessions();
+
+ /**
+ * This method should look up a session by its verifier (token hash).
+ *
+ * @since 4.0.0
+ *
+ * @param $verifier Verifier of the session to retrieve.
+ * @return array|null The session, or null if it does not exist.
+ */
+ abstract protected function get_session( $verifier );
+
+ /**
+ * This method should update a session by its verifier.
+ *
+ * Omitting the second argument should destroy the session.
+ *
+ * @since 4.0.0
+ *
+ * @param $verifier Verifier of the session to update.
+ */
+ abstract protected function update_session( $verifier, $session = null );
+
+ /**
+ * This method should destroy all session tokens for this user,
+ * except a single session passed.
+ *
+ * @since 4.0.0
+ *
+ * @param $verifier Verifier of the session to keep.
+ */
+ abstract protected function destroy_other_sessions( $verifier );
+
+ /**
+ * This method should destroy all sessions for a user.
+ *
+ * @since 4.0.0
+ */
+ abstract protected function destroy_all_sessions();
+
+ /**
+ * This static method should destroy all session tokens for all users.
+ *
+ * @since 4.0.0
+ */
+ abstract public static function drop_sessions();
+}
+
+/**
+ * Meta-based user sessions token manager.
+ *
+ * @since 4.0.0
+ */
+class WP_User_Meta_Session_Tokens extends WP_Session_Tokens {
+
+ /**
+ * Get all sessions of a user.
+ *
+ * @since 4.0.0
+ *
+ * @return array Sessions of a user.
+ */
+ protected function get_sessions() {
+ $sessions = get_user_meta( $this->user_id, 'session_tokens', true );
+
+ if ( ! is_array( $sessions ) ) {
+ return array();
+ }
+
+ $sessions = array_map( array( $this, 'prepare_session' ), $sessions );
+ return array_filter( $sessions, array( $this, 'is_still_valid' ) );
+ }
+
+ /**
+ * Converts an expiration to an array of session information.
+ *
+ * @param mixed $session Session or expiration.
+ * @return array Session.
+ */
+ protected function prepare_session( $session ) {
+ if ( is_int( $session ) ) {
+ return array( 'expiration' => $session );
+ }
+
+ return $session;
+ }
+
+ /**
+ * Retrieve a session by its verifier (token hash).
+ *
+ * @since 4.0.0
+ *
+ * @param $verifier Verifier of the session to retrieve.
+ * @return array|null The session, or null if it does not exist
+ */
+ protected function get_session( $verifier ) {
+ $sessions = $this->get_sessions();
+
+ if ( isset( $sessions[ $verifier ] ) ) {
+ return $sessions[ $verifier ];
+ }
+
+ return null;
+ }
+
+ /**
+ * Update a session by its verifier.
+ *
+ * Omitting the second argument destroys the session.
+ *
+ * @since 4.0.0
+ *
+ * @param $verifier Verifier of the session to update.
+ */
+ protected function update_session( $verifier, $session = null ) {
+ $sessions = $this->get_sessions();
+
+ if ( $session ) {
+ $sessions[ $verifier ] = $session;
+ } else {
+ unset( $sessions[ $verifier ] );
+ }
+
+ $this->update_sessions( $sessions );
+ }
+
+ /**
+ * Update a user's sessions in the usermeta table.
+ *
+ * @since 4.0.0
+ *
+ * @param array $sessions
+ */
+ protected function update_sessions( $sessions ) {
+ if ( ! has_filter( 'attach_session_information' ) ) {
+ $sessions = wp_list_pluck( $sessions, 'expiration' );
+ }
+
+ if ( $sessions ) {
+ update_user_meta( $this->user_id, 'session_tokens', $sessions );
+ } else {
+ delete_user_meta( $this->user_id, 'session_tokens' );
+ }
+ }
+
+ /**
+ * Destroy all session tokens for a user, except a single session passed.
+ *
+ * @since 4.0.0
+ *
+ * @param $verifier Verifier of the session to keep.
+ */
+ protected function destroy_other_sessions( $verifier ) {
+ $session = $this->get_session( $verifier );
+ $this->update_sessions( array( $verifier => $session ) );
+ }
+
+ /**
+ * Destroy all session tokens for a user.
+ *
+ * @since 4.0.0
+ */
+ protected function destroy_all_sessions() {
+ $this->update_sessions( array() );
+ }
+
+ /**
+ * Destroy all session tokens for all users.
+ *
+ * @since 4.0.0
+ */
+ public static function drop_sessions() {
+ delete_metadata( 'user', false, 'session_tokens', false, true );
+ }
+}
</ins></span></pre></div>
<a id="trunksrcwpincludesuserphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-includes/user.php (29220 => 29221)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-includes/user.php 2014-07-18 07:56:25 UTC (rev 29220)
+++ trunk/src/wp-includes/user.php 2014-07-18 09:12:05 UTC (rev 29221)
</span><span class="lines">@@ -2173,3 +2173,62 @@
</span><span class="cx">
</span><span class="cx"> return $user_id;
</span><span class="cx"> }
</span><ins>+
+/**
+ * Retrieve the current session token from the logged_in cookie.
+ *
+ * @since 4.0.0
+ *
+ * @return string Token.
+ */
+function wp_get_session_token() {
+ $cookie = wp_parse_auth_cookie( '', 'logged_in' );
+ return ! empty( $cookie['token'] ) ? $cookie['token'] : '';
+}
+
+/**
+ * Retrieve a list of sessions for the current user.
+ *
+ * @since 4.0.0
+ * @return array Array of sessions.
+ */
+function wp_get_all_sessions() {
+ $manager = WP_Session_Tokens::get_instance( get_current_user_id() );
+ return $manager->get_all_sessions();
+}
+
+/**
+ * Remove the current session token from the database.
+ *
+ * @since 4.0.0
+ */
+function wp_destroy_current_session() {
+ $token = wp_get_session_token();
+ if ( $token ) {
+ $manager = WP_Session_Tokens::get_instance( get_current_user_id() );
+ $manager->destroy_token( $token );
+ }
+}
+
+/**
+ * Remove all but the current session token for the current user for the database.
+ *
+ * @since 4.0.0
+ */
+function wp_destroy_other_sessions() {
+ $token = wp_get_session_token();
+ if ( $token ) {
+ $manager = WP_Session_Tokens::get_instance( get_current_user_id() );
+ $manager->destroy_other_tokens( $token );
+ }
+}
+
+/**
+ * Remove all session tokens for the current user from the database.
+ *
+ * @since 4.0.0
+ */
+function wp_destroy_all_sessions() {
+ $manager = WP_Session_Tokens::get_instance( get_current_user_id() );
+ $manager->destroy_all_tokens();
+}
</ins></span></pre></div>
<a id="trunksrcwpsettingsphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-settings.php (29220 => 29221)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-settings.php 2014-07-18 07:56:25 UTC (rev 29220)
+++ trunk/src/wp-settings.php 2014-07-18 09:12:05 UTC (rev 29221)
</span><span class="lines">@@ -119,6 +119,7 @@
</span><span class="cx"> require( ABSPATH . WPINC . '/class-wp-theme.php' );
</span><span class="cx"> require( ABSPATH . WPINC . '/template.php' );
</span><span class="cx"> require( ABSPATH . WPINC . '/user.php' );
</span><ins>+require( ABSPATH . WPINC . '/session.php' );
</ins><span class="cx"> require( ABSPATH . WPINC . '/meta.php' );
</span><span class="cx"> require( ABSPATH . WPINC . '/general-template.php' );
</span><span class="cx"> require( ABSPATH . WPINC . '/link-template.php' );
</span></span></pre></div>
<a id="trunktestsphpunittestsusersessionphp"></a>
<div class="addfile"><h4>Added: trunk/tests/phpunit/tests/user/session.php (0 => 29221)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/tests/phpunit/tests/user/session.php (rev 0)
+++ trunk/tests/phpunit/tests/user/session.php 2014-07-18 09:12:05 UTC (rev 29221)
</span><span class="lines">@@ -0,0 +1,52 @@
</span><ins>+<?php
+/**
+ * Test WP_Session_Tokens and WP_User_Meta_Session_Tokens, in wp-includes/session.php
+ *
+ * @group user
+ * @group session
+ */
+class Tests_User_Session extends WP_UnitTestCase {
+
+ function setUp() {
+ parent::setUp();
+ remove_all_filters( 'session_token_manager' );
+ $user_id = $this->factory->user->create();
+ $this->manager = WP_Session_Tokens::get_instance( $user_id );
+ $this->assertInstanceOf( 'WP_Session_Tokens', $this->manager );
+ $this->assertInstanceOf( 'WP_User_Meta_Session_Tokens', $this->manager );
+ }
+
+ function test_verify_and_destroy_token() {
+ $expiration = time() + DAY_IN_SECONDS;
+ $token = $this->manager->create_token( $expiration );
+ $this->assertFalse( $this->manager->verify_token( 'foo' ) );
+ $this->assertTrue( $this->manager->verify_token( $token ) );
+ $this->manager->destroy_token( $token );
+ $this->assertFalse( $this->manager->verify_token( $token ) );
+ }
+
+ function test_destroy_other_tokens() {
+ $expiration = time() + DAY_IN_SECONDS;
+ $token_1 = $this->manager->create_token( $expiration );
+ $token_2 = $this->manager->create_token( $expiration );
+ $token_3 = $this->manager->create_token( $expiration );
+ $this->assertTrue( $this->manager->verify_token( $token_1 ) );
+ $this->assertTrue( $this->manager->verify_token( $token_2 ) );
+ $this->assertTrue( $this->manager->verify_token( $token_3 ) );
+ $this->manager->destroy_other_tokens( $token_2 );
+ $this->assertFalse( $this->manager->verify_token( $token_1 ) );
+ $this->assertTrue( $this->manager->verify_token( $token_2 ) );
+ $this->assertFalse( $this->manager->verify_token( $token_3 ) );
+ }
+
+ function test_destroy_all_tokens() {
+ $expiration = time() + DAY_IN_SECONDS;
+ $token_1 = $this->manager->create_token( $expiration );
+ $token_2 = $this->manager->create_token( $expiration );
+ $this->assertTrue( $this->manager->verify_token( $token_1 ) );
+ $this->assertTrue( $this->manager->verify_token( $token_2 ) );
+ $this->manager->destroy_all_tokens();
+ $this->assertFalse( $this->manager->verify_token( $token_1 ) );
+ $this->assertFalse( $this->manager->verify_token( $token_2 ) );
+ }
+}
</ins></span></pre>
</div>
</div>
</body>
</html>