vhad/wordpress-develop
1
0
Fork 0
mirror of https://github.com/gosticks/wordpress-develop.git synced 2026-04-01 11:14:36 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Tie cookies and nonces to user sessions so they may be invalidated upon logout.

Browse Source 
Sessions are stored in usermeta via WP_User_Meta_Session_Tokens, which extends the abstract WP_Session_Tokens class. Extending WP_Session_Tokens can allow for alternative storage, such as a separate table or Redis.

Introduces some simple APIs for session listing and destruction, such as wp_get_active_sessions() and wp_destroy_all_sessions().

This invalidates all existing authentication cookies, as a new segment (the session token) has been added to them.

props duck_, nacin, mdawaffe.
see #20276.


git-svn-id: https://develop.svn.wordpress.org/trunk@29221 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Andrew Nacin
2014-07-18 09:12:05 +00:00
parent a14ea26577
commit 97fcbef707
5 changed files with 540 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
tests/phpunit/tests/user/session.php Normal file
View File

@@ -0,0 +1,52 @@
<?php
/**
* Test WP_Session_Tokens and WP_User_Meta_Session_Tokens, in wp-includes/session.php
*
* @group user
* @group session
*/
class Tests_User_Session extends WP_UnitTestCase {
function setUp() {
parent::setUp();
remove_all_filters( 'session_token_manager' );
$user_id = $this->factory->user->create();
$this->manager = WP_Session_Tokens::get_instance( $user_id );
$this->assertInstanceOf( 'WP_Session_Tokens', $this->manager );
$this->assertInstanceOf( 'WP_User_Meta_Session_Tokens', $this->manager );
}
function test_verify_and_destroy_token() {
$expiration = time() + DAY_IN_SECONDS;
$token = $this->manager->create_token( $expiration );
$this->assertFalse( $this->manager->verify_token( 'foo' ) );
$this->assertTrue( $this->manager->verify_token( $token ) );
$this->manager->destroy_token( $token );
$this->assertFalse( $this->manager->verify_token( $token ) );
}
function test_destroy_other_tokens() {
$expiration = time() + DAY_IN_SECONDS;
$token_1 = $this->manager->create_token( $expiration );
$token_2 = $this->manager->create_token( $expiration );
$token_3 = $this->manager->create_token( $expiration );
$this->assertTrue( $this->manager->verify_token( $token_1 ) );
$this->assertTrue( $this->manager->verify_token( $token_2 ) );
$this->assertTrue( $this->manager->verify_token( $token_3 ) );
$this->manager->destroy_other_tokens( $token_2 );
$this->assertFalse( $this->manager->verify_token( $token_1 ) );
$this->assertTrue( $this->manager->verify_token( $token_2 ) );
$this->assertFalse( $this->manager->verify_token( $token_3 ) );
}
function test_destroy_all_tokens() {
$expiration = time() + DAY_IN_SECONDS;
$token_1 = $this->manager->create_token( $expiration );
$token_2 = $this->manager->create_token( $expiration );
$this->assertTrue( $this->manager->verify_token( $token_1 ) );
$this->assertTrue( $this->manager->verify_token( $token_2 ) );
$this->manager->destroy_all_tokens();
$this->assertFalse( $this->manager->verify_token( $token_1 ) );
$this->assertFalse( $this->manager->verify_token( $token_2 ) );
}
}