Difference between revisions for Users / Eo Ny / dev





Revision 1 as of 05/05/2026 19:06
14 05/17/2026 21:10 WikiAdmin 13 05/05/2026 19:29 EoNy 12 05/05/2026 19:28 WikiAdmin 11 05/05/2026 19:28 WikiAdmin 10 05/05/2026 19:27 WikiAdmin 9 05/05/2026 19:25 WikiAdmin 8 05/05/2026 19:24 WikiAdmin 7 05/05/2026 19:23 WikiAdmin 6 05/05/2026 19:21 EoNy 5 05/05/2026 19:11 EoNy 4 05/05/2026 19:10 EoNy 3 05/05/2026 19:10 EoNy 2 05/05/2026 19:08 EoNy 1 05/05/2026 19:06 EoNy

(19.7 KiB)
EoNy
 Next edit →
Revision 15 as of 05/18/2026 05:04
18 05/21/2026 16:12 WikiAdmin 17 05/18/2026 15:15 WikiAdmin 16 05/18/2026 05:05 WikiAdmin 15 05/18/2026 05:04 WikiAdmin 14 05/17/2026 21:10 WikiAdmin 13 05/05/2026 19:29 EoNy 12 05/05/2026 19:28 WikiAdmin 11 05/05/2026 19:28 WikiAdmin 10 05/05/2026 19:27 WikiAdmin 9 05/05/2026 19:25 WikiAdmin 8 05/05/2026 19:24 WikiAdmin 7 05/05/2026 19:23 WikiAdmin 6 05/05/2026 19:21 EoNy 5 05/05/2026 19:11 EoNy 4 05/05/2026 19:10 EoNy 3 05/05/2026 19:10 EoNy 2 05/05/2026 19:08 EoNy

(18.3 KiB) -1,484
WikiAdmin

HTTP Class Technical Documentation


Overview


The Http class (src/class/http.php) is a core component of the WackoWiki system responsible for handling HTTP request/response processing, session management, caching, and security features. This class acts as a bridge between the web server and the wiki engine.

File Location: src/class/http.php
Language: PHP
Dependencies: Database class, Session classes, Utility classes (Ut), Diagnostics class (Diag)

Class Properties


==== Public Properties ====
====Public Properties====
||
Property Type Description
$tls_session bool Indicates if the current session uses HTTPS/TLS encryption
$request_uri string Normalized REQUEST_URI (e.g., 'PageOfNoReturn/show?a=1')
$ip string Client's real IP address (accounts for proxies)
$sess Session Reference to the Session object
$method string Current HTTP method/request type

Private Properties

Private Properties


*| Property | Type | Description |
* <!markup:1:end> $db | object | Database connection reference $tls_mark | string | Cookie name for TLS session marking $page | string | Current page name being processed $hash | string | SHA1 hash of the page name $query | string | Encoded query string $lang | string | Current language code $file | string | Cache file path $caching | int | Flag indicating if page should be cached (0 or 1) <!markup:1:end>
<!markup:1:begin>
<!markup:1:begin>

=== <!--markup:1:begin-->|| ||<!--markup:1:end--> Constructor === 
php <!--markup:1:begin-->||
||<!--markup:1:end-->
public function __construct(&$db)


**Purpose: || ||** Initializes the Http object and sets up HTTP session handling.
**Parameters: || ||**
  • ** || || $db - Database object reference

**Initialization || || Steps:**
  1. ** || || Stores database reference
  2. || || Extracts and normalizes REQUEST_URI
  3. || || Detects TLS/HTTPS session status
  4. || || Determines client's real IP address
  5. || || Sets up TLS mark cookie name
  6. || || Enforces TLS session upgrade if needed

**Example: || ||** 
php** <!--markup:1:begin-->||
||<!--markup:1:end-->
$http = new Http($db);


|| || === <!--markup:1:begin-->|| ||<!--markup:1:end--> Core Methods ===
==== <!--markup:1:begin-->|| ||<!--markup:1:end--> Session Management ====
===== <!--markup:1:begin-->|| ||<!--markup:1:end--> ##session($route): void## =====
Initializes || || the session handler (file-based or database-based).
**Parameters: || ||**
  • ** || || $route (int) - Routing flag:
  • || || Bit 2 ($route & 2): Enable static mode for files/freecap (disables replay prevention and ID regeneration)

**Features: || ||**
  • ** || || Selects storage backend (file or database)
  • || || Configures cookie settings (security, path, httponly)
  • || || Binds IP and TLS validation
  • || || Recovers diagnostic logs from previous session

**Example: || ||** 
php** <!--markup:1:begin-->||
||<!--markup:1:end-->
$http->session(0);  // Normal session
$http->session(2);  // Static file serving mode


|| || ==== <!--markup:1:begin-->|| ||<!--markup:1:end--> Caching System ====
===== <!--markup:1:begin-->|| ||<!--markup:1:end--> ##check_cache($page, $method): void## =====
Determines || || if a page can be cached and prepares the cache check.
**Parameters: || ||**
  • ** || || $page (string) - Page name to cache
  • || || $method (string) - Request method/action (e.g., 'show', 'edit')

**Caching || || Rules:**
  • ** || || ✅ Enabled for GET requests only
  • || || ✅ Disabled for POST requests
  • || || ❌ Never cached for 'edit' or 'watch' methods
  • || || ✅ Only cached for anonymous users (no logged-in users)

**Example: || ||** 
php** <!--markup:1:begin-->||
||<!--markup:1:end-->
$http->check_cache('HomePage', 'show');


|| || || || ===== store_cache(): void ===== || ||
=====store_cache(): void===== Saves the generated page content to cache file.

**Features: || ||**
  • ** || || Retrieves output buffer content
  • || || Saves to cache file with proper permissions
  • || || Records cache metadata in database
  • || || Only executes if caching flag is set and user is anonymous

**Example: || ||** || || 
php<!--markup:1:end-->**
<!--markup:2:begin-->
(hl php)<!markup:2:end> // Called at end of page rendering
$http->store_cache();
---- <!--markup:1:begin-->||
||<!--markup:1:end-->

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##invalidate_page($page): int## =====
Invalidates <!--markup:1:begin-->||
||<!--markup:1:end--> all cached versions of a page.

**Parameters: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> ##$page## (string) - Page name to invalidate

**Returns: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> Number of cache entries invalidated

**Process: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  1.** <!--markup:1:begin-->||
||<!--markup:1:end--> Finds all cached versions (different methods/languages)
  2. <!--markup:1:begin-->||
||<!--markup:1:end--> Touches files to past timestamp (faster than deletion)
  3. <!--markup:1:begin-->||
||<!--markup:1:end--> Removes entries from cache metadata table
  4. <!--markup:1:begin-->||
||<!--markup:1:end--> Returns count of invalidated caches

**Example: <!--markup:1:begin-->||
||<!--markup:1:end-->**
php** <!markup:1:begin>|| ||
$count = $http->invalidate_page('HomePage');
echo "Invalidated $count cache entries";
---- <!--markup:1:begin-->||
||<!--markup:1:end-->

==== <!--markup:1:begin-->||
||<!--markup:1:end--> TLS/HTTPS Security ====

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##secure_base_url(): void## =====
Switches <!--markup:1:begin-->||
||<!--markup:1:end--> base URL from HTTP to HTTPS.

**Purpose: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> Ensures all subsequent URLs use HTTPS
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Stores original HTTP URL for fallback
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Called when TLS session is detected

**Example: <!--markup:1:begin-->||
||<!--markup:1:end-->**
php** || || $http->secure_base_url();
// $db->base_url now uses https://
---- <!--markup:1:begin-->||
||<!--markup:1:end-->

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##ensure_tls($url): void## =====
Enforces <!--markup:1:begin-->||
||<!--markup:1:end--> HTTPS for a specific URL and redirects if necessary.

**Parameters: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> ##$url## (string) - URL to secure

**Behavior: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> If not already HTTPS and TLS is enabled, forces HTTPS redirect
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Handles both relative and absolute URLs
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Converts relative URLs using current server name

**Example: <!--markup:1:begin-->||
||<!--markup:1:end-->**
php** || || $http->ensure_tls('/secure/payment');
---- <!--markup:1:begin-->||
||<!--markup:1:end-->

==== <!--markup:1:begin-->||
||<!--markup:1:end--> IP Address Detection ====

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##real_ip(): string## (Private) =====
Detects <!--markup:1:begin-->||
||<!--markup:1:end--> client's real IP address accounting for proxies.

**Proxy <!--markup:1:begin-->||
||<!--markup:1:end--> Headers Checked (in order):**
  1.** <!--markup:1:begin-->||
||<!--markup:1:end--> ##HTTP_X_CLUSTER_CLIENT_IP##
  2. <!--markup:1:begin-->||
||<!--markup:1:end--> ##HTTP_X_FORWARDED_FOR## (or custom header)
  3. <!--markup:1:begin-->||
||<!--markup:1:end--> ##HTTP_CLIENT_IP##
  4. <!--markup:1:begin-->||
||<!--markup:1:end--> ##HTTP_X_REMOTE_ADDR##
  5. <!--markup:1:begin-->||
||<!--markup:1:end--> ##REMOTE_ADDR## (fallback)

**Features: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> Filters out private/reserved IP ranges
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Respects configured reverse proxy addresses
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Returns ##'0.0.0.0'## as fallback

**Configuration <!--markup:1:begin-->||
||<!--markup:1:end--> in Database:**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> ##reverse_proxy_addresses## - Comma/space-separated proxy IPs
  - <!--markup:1:begin-->||
||<!--markup:1:end--> ##reverse_proxy_header## - Custom header name (default: ##X-Forwarded-For##)

**Example: <!--markup:1:begin-->||
||<!--markup:1:end-->**
php** || || $client_ip = $http->ip; // e.g., "203.0.113.42"
---- <!--markup:1:begin-->||
||<!--markup:1:end-->

==== <!--markup:1:begin-->||
||<!--markup:1:end--> HTTPS Detection ====

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##tls_session(): bool## (Private) =====
Detects <!--markup:1:begin-->||
||<!--markup:1:end--> if current connection uses HTTPS/TLS.

**Checks <!--markup:1:begin-->||
||<!--markup:1:end--> (any being true = HTTPS):**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> ##$_SERVER['HTTPS']## is 'on'
  - <!--markup:1:begin-->||
||<!--markup:1:end--> ##$_SERVER['SERVER_PORT']## is 443
  - <!--markup:1:begin-->||
||<!--markup:1:end--> ##$_SERVER['HTTP_X_FORWARDED_PROTO']## is 'https'
  - <!--markup:1:begin-->||
||<!--markup:1:end--> ##$_SERVER['HTTP_X_FORWARDED_SSL']## is 'on'
  - <!--markup:1:begin-->||
||<!--markup:1:end--> ##$_SERVER['HTTP_X_FORWARDED_PORT']## is 443

---- <!--markup:1:begin-->||
||<!--markup:1:end-->

==== <!--markup:1:begin-->||
||<!--markup:1:end--> Security Headers ==== <!--markup:1:begin-->||
|| ===== ##http_security_headers(): void## ===== ||
||<!--markup:1:end-->

<!--markup:2:begin-->=====##http_security_headers(): void##=====<!--markup:2:end-->

Sets security-related HTTP headers.

**Headers <!--markup:1:begin-->||
||<!--markup:1:end--> Set:** <!--markup:1:begin-->||
||<!--markup:1:end-->**

<!--markup:2:begin-->#|
*|<!--markup:2:end--> Header | Purpose | Config Key | <!--markup:1:begin-->||
|| --------<!--markup:1:end-->*
|| <!--markup:1:begin-->--------- | ------------ ||<!--markup:1:end--> Content-Security-Policy | XSS/injection protection | ##csp## ||
|| Permissions-Policy | Control browser features | ##permissions_policy## ||
|| Referrer-Policy | Control referrer information | ##referrer_policy## ||
|| Strict-Transport-Security | Force HTTPS | Auto (TLS only) ||
|| X-Frame-Options | Clickjacking protection | Hardcoded: ##SAMEORIGIN## ||
|| X-Content-Type-Options | MIME sniffing prevention | Hardcoded: ##nosniff## ||
<!--markup:1:begin-->||<!--markup:1:end-->
<!--markup:2:begin-->|#<!--markup:2:end-->

**CSP Configuration Options:**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> ##0## - Disabled
  - <!--markup:1:begin-->||
||<!--markup:1:end--> ##1## - Default policy (from ##csp.conf##)
  - <!--markup:1:begin-->||
||<!--markup:1:end--> ##2## - Custom policy (from ##csp_custom.conf##)

**Example: <!--markup:1:begin-->||
||<!--markup:1:end-->**
php** || || $http->http_security_headers();
---- <!--markup:1:begin-->||
||<!--markup:1:end-->
==== <!--markup:1:begin-->||
||<!--markup:1:end--> HTTP Methods ====

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##redirect($url, $permanent = false): void## =====
Performs <!--markup:1:begin-->||
||<!--markup:1:end--> an HTTP redirect.

**Parameters: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> ##$url## (string) - Target URL
  - <!--markup:1:begin-->||
||<!--markup:1:end--> ##$permanent## (bool) - Use 301 (permanent) vs 302 (temporary)

**Features: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> Decodes ##&amp;## entities to prevent broken redirects
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Only works if headers not yet sent
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Uses output buffering to work anywhere in page processing

**Example: <!--markup:1:begin-->||
||<!--markup:1:end-->**
php** || || $http->redirect('http://example.com/new-page', true); // 301
$http->redirect('/wiki/HomePage'); // 302
---- <!--markup:1:begin-->||
||<!--markup:1:end-->

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##terminate(): void## =====
Safe <!--markup:1:begin-->||
||<!--markup:1:end--> exit/die with cleanup.

**Cleanup <!--markup:1:begin-->||
||<!--markup:1:end--> Operations:**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> Saves diagnostic logs to session flash data
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Ends script execution

**Example: <!--markup:1:begin-->||
||<!--markup:1:end-->**
php** || || $http->terminate();
---- <!--markup:1:begin-->||
||<!--markup:1:end-->

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##status($code): void## =====
Sets <!--markup:1:begin-->||
||<!--markup:1:end--> HTTP response status code.

**Supported <!--markup:1:begin-->||
||<!--markup:1:end--> Status Codes:**
php** || || 200 => 'OK'
206 => 'Partial Content'
301 => 'Moved Permanently'
302 => 'Moved Temporarily'
304 => 'Not Modified'
400 => 'Bad Request'
401 => 'Unauthorized'
403 => 'Forbidden'
404 => 'Not Found'
405 => 'Method Not Allowed'
409 => 'Conflict'
410 => 'Gone'
416 => 'Requested Range Not Satisfiable'
500 => 'Internal Server Error'
501 => 'Not Implemented'
503 => 'Service Unavailable'
**Example: <!--markup:1:begin-->||
||<!--markup:1:end-->**
php** || || $http->status(404); // Send 404 Not Found
---- <!--markup:1:begin-->||
||<!--markup:1:end-->

==== <!--markup:1:begin-->||
||<!--markup:1:end--> Caching Control ====

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##no_cache($client_only = true): void## =====
Disables <!--markup:1:begin-->||
||<!--markup:1:end--> caching of the current page.

**Parameters: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> ##$client_only## (bool, default: TRUE)
  - <!--markup:1:begin-->||
||<!--markup:1:end--> ##TRUE##: Disable browser cache only
  - <!--markup:1:begin-->||
||<!--markup:1:end--> ##FALSE##: Disable both browser and server cache

**Headers <!--markup:1:begin-->||
||<!--markup:1:end--> Set:**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> ##Last-Modified: <current-time>## (always fresh)
  - <!--markup:1:begin-->||
||<!--markup:1:end--> ##Cache-Control: no-store##

**Example: <!--markup:1:begin-->||
||<!--markup:1:end-->**
php** || || $http->no_cache(); // Client-side only
$http->no_cache(false); // Both client & server
---- <!--markup:1:begin-->||
||<!--markup:1:end-->

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##cache_promisc(): void## =====
Marks <!--markup:1:begin-->||
||<!--markup:1:end--> page as publicly cacheable.

**Headers <!--markup:1:begin-->||
||<!--markup:1:end--> Set:**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> ##Cache-Control: public##

**Example: <!--markup:1:begin-->||
||<!--markup:1:end-->**
php** || || $http->cache_promisc();
---- <!--markup:1:begin-->||
||<!--markup:1:end-->

==== <!--markup:1:begin-->||
||<!--markup:1:end--> Language Negotiation ====

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##user_agent_language(): string## =====
Determines <!--markup:1:begin-->||
||<!--markup:1:end--> best language based on browser preferences.

**Features: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> Follows RFC 9110 section 12.5.4 (HTTP Accept-Language)
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Parses ##Accept-Language## header with quality factors
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Attempts exact match first, then language fallback
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Falls back to default system language

**Example <!--markup:1:begin-->||
||<!--markup:1:end--> Header:**
** || || Accept-Language: en-US,en;q=0.9,de;q=0.8
**Returns: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> Language code (e.g., 'en', 'en-US', 'de')

---- <!--markup:1:begin-->||
||<!--markup:1:end-->

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##available_languages($subset = true): array## =====
Returns <!--markup:1:begin-->||
||<!--markup:1:end--> list of available language translations.

**Parameters: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> ##$subset## (bool, default: TRUE)
  - <!--markup:1:begin-->||
||<!--markup:1:end--> ##TRUE##: Only allowed languages
  - <!--markup:1:begin-->||
||<!--markup:1:end--> ##FALSE##: All available languages

**Features: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> Scans ##LANG_DIR## for language files
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Filters by ##allowed_languages## config if set
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Caches result in session
  - <!--markup:1:begin-->||
||<!--markup:1:end--> System language always included

**Returns: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> Associative array: ##['en' => 'en', 'de' => 'de', ...]##

**Example: <!--markup:1:begin-->||
||<!--markup:1:end-->**
php** || || $all_langs = $http->available_languages(false);
$allowed = $http->available_languages(true);
---- <!--markup:1:begin-->||
||<!--markup:1:end-->

==== <!--markup:1:begin-->||
||<!--markup:1:end--> File Serving ====

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##sendfile($path, $filename = null, $age = null): void## =====
Serves <!--markup:1:begin-->||
||<!--markup:1:end--> files with proper HTTP headers and caching.

**Parameters: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> ##$path## (string) - File path (or HTTP_XXX constant for error pages)
  - <!--markup:1:begin-->||
||<!--markup:1:end--> ##$filename## (string, optional) - Custom download filename
  - <!--markup:1:begin-->||
||<!--markup:1:end--> ##$age## (int, optional) - Cache age in days

**Features: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> HTTP range request support (partial file downloads)
  - <!--markup:1:begin-->||
||<!--markup:1:end--> ETag and Last-Modified conditional requests
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Proper MIME type detection
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Content-Security-Policy for special file types
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Streaming for large files
  - <!--markup:1:begin-->||
||<!--markup:1:end--> GZip compression for text files

**Special <!--markup:1:begin-->||
||<!--markup:1:end--> Paths:**
php** || || $http->sendfile(404); // Serves file defined by HTTP_404 constant
$http->sendfile(403); // Serves file defined by HTTP_403 constant
**Example: <!--markup:1:begin-->||
||<!--markup:1:end-->**
php** || || $http->sendfile('uploads/document.pdf', 'my-document.pdf', 30);
---- <!--markup:1:begin-->||
||<!--markup:1:end-->

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##mime_type($path): string## =====
Returns <!--markup:1:begin-->||
||<!--markup:1:end--> MIME type for a file.

**Returns: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> MIME type string (e.g., 'application/pdf')
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Default: ##'application/octet-stream'##

**Example: <!--markup:1:begin-->||
||<!--markup:1:end-->**
php** || || $mime = $http->mime_type('file.pdf'); // 'application/pdf'
---- <!--markup:1:begin-->||
||<!--markup:1:end-->

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##mime_types(): array## (Private) =====
Loads <!--markup:1:begin-->||
||<!--markup:1:end--> and caches MIME types from configuration.

**Features: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> Reads from ##config/mime.types##
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Caches to ##cache/config/mime.types##
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Reloads if config is updated

---- <!--markup:1:begin-->||
||<!--markup:1:end-->

==== <!--markup:1:begin-->||
||<!--markup:1:end--> Compression ====

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##gzip(): void## =====
Compresses <!--markup:1:begin-->||
||<!--markup:1:end--> HTTP response with gzip/x-gzip.

**Features: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> Manually implements gzip (not relying on zlib.output_compression)
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Produces correct ##Content-Length## header
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Only compresses if:
  - <!--markup:1:begin-->||
||<!--markup:1:end--> 860 bytes < content < 1 MB
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Client accepts compression
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Headers not already sent

**Example: <!--markup:1:begin-->||
||<!--markup:1:end-->**
php** || || $http->gzip();
---- <!--markup:1:begin-->||
||<!--markup:1:end-->

==== <!--markup:1:begin-->||
||<!--markup:1:end--> Utility Methods ====

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##parse_str($str): array## (Private) =====
Parses <!--markup:1:begin-->||
||<!--markup:1:end--> URL-encoded strings with special character handling.

**Purpose: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> Safely handles special characters in query/form data
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Converts encoding properly

**Example: <!--markup:1:begin-->||
||<!--markup:1:end-->**
php** || || $data = $http->parse_str('name=John&age=30');
---- <!--markup:1:begin-->||
||<!--markup:1:end-->

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##request_uri(): string## (Private) =====
Extracts <!--markup:1:begin-->||
||<!--markup:1:end--> and normalizes REQUEST_URI from server.

**Normalization: <!--markup:1:begin-->||
||<!--markup:1:end-->**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> Removes base URL prefix
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Removes spaces
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Collapses multiple slashes
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Removes ##..## path traversal attempts
  - <!--markup:1:begin-->||
||<!--markup:1:end--> Removes leading/trailing slashes

---- <!--markup:1:begin-->||
||<!--markup:1:end-->

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##cut_prefix($prefix, $path): string## (Private) =====
Removes <!--markup:1:begin-->||
||<!--markup:1:end--> prefix from path (case-insensitive).

---- <!--markup:1:begin-->||
||<!--markup:1:end-->

===== <!--markup:1:begin-->||
||<!--markup:1:end--> ##get_header_conf($file_name): string## (Private) =====
Loads <!--markup:1:begin-->||
||<!--markup:1:end--> security header configuration from files.

**Files <!--markup:1:begin-->||
||<!--markup:1:end--> Supported:**
  -** <!--markup:1:begin-->||
||<!--markup:1:end--> ##csp.conf## / ##csp_custom.conf##
  - <!--markup:1:begin-->||
||<!--markup:1:end--> ##permissions_policy.conf## / ##permissions_policy_custom.conf##

---- <!--markup:1:begin-->||
||<!--markup:1:end--> <!--markup:1:begin-->||
|| === Configuration Dependencies === ||
||<!--markup:1:end-->

<!--markup:2:begin-->===Configuration Dependencies===<!--markup:2:end-->

The class relies on these database configuration settings: <!--markup:1:begin-->||
||<!--markup:1:end-->

<!--markup:2:begin-->#|
*|<!--markup:2:end--> Setting | Type | Purpose | <!--markup:1:begin-->||
|| ---------<!--markup:1:end-->*
|| <!--markup:1:begin-->------ | --------- ||<!--markup:1:end--> ##base_url## | string | Wiki's base URL ||
|| ##tls## | bool | Enable HTTPS enforcement ||
|| ##cache## | bool | Enable page caching ||
|| ##cache_ttl## | int | Cache lifetime in seconds ||
|| ##session_store## | int | 1=File, 0=Database ||
|| ##system_seed_hash## | string | Session encryption seed ||
|| ##cookie_prefix## | string | Session cookie prefix ||
|| ##cookie_path## | string | Cookie path ||
|| ##allow_persistent_cookie## | bool | Allow persistent login ||
|| ##session_length## | int | Session lifetime in seconds ||
|| ##reverse_proxy_addresses## | string | Comma/space-separated proxy IPs ||
|| ##reverse_proxy_header## | string | Custom X-Forwarded header ||
|| ##language## | string | Default language code ||
|| ##multilanguage## | bool | Enable language negotiation ||
|| ##allowed_languages## | string | Comma/space-separated allowed langs ||
|| ##enable_security_headers## | bool | Send security headers ||
|| ##csp## | int | CSP setting (0/1/2) ||
|| ##permissions_policy## | int | Permissions-Policy setting (0/1/2) ||
|| ##referrer_policy## | int | Referrer-Policy setting (0-8) ||
<!--markup:1:begin-->||<!--markup:1:end-->
<!--markup:2:begin-->|#<!--markup:2:end-->

---- <!--markup:1:begin-->||
|| === Constants Used === ||
||<!--markup:1:end-->

<!--markup:2:begin-->===Constants Used===

#|
*|<!--markup:2:end--> Constant | Type | Purpose | <!--markup:1:begin-->||
|| ----------<!--markup:1:end-->*
|| <!--markup:1:begin-->------ | --------- ||<!--markup:1:end--> ##IN_WACKO## | bool | Security check (exit if not defined) ||
|| ##CHMOD_SAFE## | int | File permissions for cache files ||
|| ##CHMOD_FILE## | int | File permissions for config cache ||
|| ##CACHE_PAGE_DIR## | string | Page cache directory ||
|| ##CACHE_SESSION_DIR## | string | Session cache directory ||
|| ##CACHE_CONFIG_DIR## | string | Config cache directory ||
|| ##CONFIG_DIR## | string | Configuration directory ||
|| ##LANG_DIR## | string | Language files directory ||
|| ##DAYSECS## | int | Seconds in a day (86400) ||
|| ##HTTP_404## | string | Path to 404 error page ||
|| ##HTTP_403## | string | Path to 403 error page ||
|#

----

=== Workflow Examples ===

<!--markup:1:begin-->==== Example<!--markup:1:end-->

<!--markup:2:begin-->====Example<!--markup:2:end--> 1: Handling a GET <!--markup:1:begin-->Request ====
php<!markup:1:end> <!markup:2:begin>Request====

PHP 
<!--markup:2:end-->
// In main wiki entry point
$http = new Http($db);
$http->session(0);  // Start session

// Check if page can be served from cache
$http->check_cache('HomePage', 'show');

// ... render page content ...

// Store rendered page in cache if applicable
$http->store_cache();

// Send security headers
$http->http_security_headers();

// Possibly compress output
$http->gzip();

Example 2: Handling TLS/HTTPS Upgrade 


php
$http = new Http($db);  // Constructor detects TLS requirement
// If TLS is enabled and user wasn't in TLS before:
// - Sets TLS session flag
// - Marks session with TLS cookie
// - Redirects to HTTPS version

Example 3: Invalidating Cache After Page Edit 


php
// User edits a page
$http = new Http($db);
$count = $http->invalidate_page('HomePage');
// All cached versions (different languages, methods) are invalidated

Example 4: Serving a File 


php
$http = new Http($db);
$http->session(2);  // Static file mode - no session replay prevention

// Serve with 30-day cache
$http->sendfile('uploads/manual.pdf', 'user-manual.pdf', 30);


Security Considerations

1. IP Address Spoofing

  • Validates IPs against private ranges
  • Filters proxy-provided IPs appropriately
  • Configurable reverse proxy trust

2. Session Security

  • Binds sessions to IP address
  • Binds sessions to TLS status
  • Supports both file and database storage
  • HttpOnly cookies by default

3. TLS Enforcement

  • Automatic HTTPS upgrade when configured
  • Marks TLS sessions to prevent downgrade attacks
  • HSTS header support

4. Content Security

  • CSP headers to prevent XSS
  • X-Frame-Options to prevent clickjacking
  • X-Content-Type-Options to prevent MIME sniffing
  • Referrer-Policy control
  • Permissions-Policy for browser features

5. File Serving

  • Validates file existence and readability
  • Prevents directory traversal via realpath()
  • Rejects symbolic links
  • Special CSP for SVG and PDF files

6. Cache Security

  • Cached only for anonymous users
  • Disabled for sensitive operations (edit, watch)
  • Only GET requests cached

Performance Optimization

1. Page Caching

  • Stores full HTML output
  • TTL-based expiration
  • Language and method-aware caching
  • Conditional request support (304 Not Modified)

2. MIME Type Caching

  • Loads MIME types once and caches
  • Regenerates only when config changes

3. Session Options

  • File-based sessions for simple deployments
  • Database sessions for distributed systems

4. Compression

  • Manual gzip implementation
  • Proper Content-Length generation
  • Only compresses appropriate sizes

Debugging


The class integrates with WackoWiki's diagnostic system:

php
// Diagnostic messages are preserved across redirects
// via session flash data

// Check cached pages (debug comments in output):
// <!-- WackoWiki Caching Engine: page cached at 2024-01-15 12:30:45 GMT -->


Related Classes

  • Session Classes (SessionFileStore, SessionDbalStore) - Session management backends
  • Database Class - Configuration and cache metadata storage
  • Ut Utility Class - String/path utilities
  • Diag Class - Diagnostic logging

Version History

  • Supports PHP 8.0+ (uses match expressions, union types)
  • Follows RFC 9110 for HTTP header handling
  • Modern cookie security practices

Conclusion


The Http class is the central request/response handler in WackoWiki, managing everything from session initialization to security headers to file serving. Understanding this class is essential for:
  • Extending WackoWiki with custom request handlers
  • Implementing custom session logic
  • Adding new security policies
  • Optimizing cache strategies
  • Debugging HTTP-related issues