  1. Moodle
  2. MDL-73317

Detect and add debugging for when the session is changed after it has been closed


Details

    • MOODLE_401_STABLE
    • MOODLE_402_STABLE
    • MDL-73317-master
      1. Copy the two attached scripts to siteroot
      2. Enable debugging
      3. Navigate in a web browser to /MDL-73317-session-cache-write-close.php
      4. Check that a debugging message is shown indicating the session was edited after it was closed, e.g.:
           Script /MDL-73317-session-cache-write-close.php mutated the session after it was closed: $SESSION->cachestore_session: default_session-core/coursecat,default_session-core/calendar_categories,default_session-core/courseeditorstate,default_session-core/contentbank_allowed_courses,default_session-core/contentbank_allowed_categories,default_session-core/userselections,default_session-core/navigation_expandcourse,default_session-core/grade_categories,default_session-core/tagindexbuilder,default_session-core/presignup,default_session-tool_mobile/subscriptiondata
             line 790 of /lib/classes/session/manager.php: call to debugging()
             line ? of unknownfile: call to core\session\manager::check_mutated_closed_session()
             line 155 of /lib/classes/shutdown_manager.php: call to call_user_func_array()
             line ? of unknownfile: call to core_shutdown_manager::shutdown_handler()

      5. Navigate in a web browser to /MDL-73317-delete-after-close.php
      6. Check that a debugging message is shown indicating the session was cleared after close, e.g.:
           Script /MDL-73317-delete-after-close.php cleared the session after it was closed.
             line 762 of /lib/classes/session/manager.php: call to debugging()
             line ? of unknownfile: call to core\session\manager::check_mutated_closed_session()
             line 155 of /lib/classes/shutdown_manager.php: call to call_user_func_array()
             line ? of unknownfile: call to core_shutdown_manager::shutdown_handler()


    Description

      The problem

      After $SESSION->write_close() is called, code should not write to the session.

      However, it is difficult as a developer to know if any code called afterwards will write to the session, as the code paths may be very complex and require lots of manual inspection.

      Ideal Solution

      Logging for any changes to the session that happen after it is closed.

      Background

      This is a superset of MDL-69977. I suspect there are some pages which blindly write to the session but the session has already been closed. So these changes are just lost. At minimum these should turn up in the error log.

      The logic here already exists for handling readonly session mutation detection, so it's just the same logic after the write close, but always on.
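
      The snapshot-and-compare check described above, sketched as an added example in plain PHP. This is not Moodle's code: `closed_session_guard` and its methods are hypothetical names, it works on `$_SESSION` rather than Moodle's `$SESSION` object, and the demo session values are constructed.

```php
<?php
// Added illustration: hypothetical names, not Moodle's session manager API.
final class closed_session_guard {
    /** @var array<string,string>|null Per-key hashes taken when the session was closed. */
    private static ?array $snapshot = null;

    /** Release the session lock and remember what was actually persisted. */
    public static function write_close(): void {
        self::$snapshot = self::fingerprint($_SESSION ?? []);
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_write_close();
        }
        register_shutdown_function([self::class, 'report']);
    }

    /** Compare the live session with the snapshot; return one message per finding. */
    public static function check(): array {
        if (self::$snapshot === null) {
            return [];  // Session was never closed early, nothing to compare.
        }
        $now = self::fingerprint($_SESSION ?? []);
        if ($now === [] && self::$snapshot !== []) {
            return ['cleared the session after it was closed.'];
        }
        $changed = [];
        foreach (array_keys($now + self::$snapshot) as $key) {
            if (($now[$key] ?? null) !== (self::$snapshot[$key] ?? null)) {
                $changed[] = '$_SESSION[' . $key . ']';
            }
        }
        return $changed ? ['mutated the session after it was closed: ' . implode(', ', $changed)] : [];
    }

    /** Shutdown handler: the writes were lost, so at least log them. */
    public static function report(): void {
        foreach (self::check() as $finding) {
            error_log('Script ' . ($_SERVER['SCRIPT_NAME'] ?? '?') . ' ' . $finding);
        }
    }

    private static function fingerprint(array $session): array {
        return array_map(static fn($value) => hash('sha256', serialize($value)), $session);
    }
}

// Constructed demo values.
$_SESSION = ['userid' => 5, 'prefs' => ['lang' => 'en']];
closed_session_guard::write_close();
$_SESSION['prefs']['lang'] = 'fr';   // Lost write: reported at shutdown as $_SESSION[prefs].
```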

            People

              matthewhilton Matthew Hilton
              brendanheywood Brendan Heywood
              Brendan Heywood
              Andrew Lyons
              Ron Carl Alfon Yu
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
              Votes: 0
              Watchers: 11

              Dates

                Created:
                Updated:
                Resolved:
                24/Apr/23

                Time Tracking

                  Estimated: 0m
                  Remaining: 0m
                  Logged: 6h 16m