This is an old revision of Users/EoNy/dev from 05/05/2026 19:08 edited by EoNy.
== HTTP Class Technical Documentation ==

=== Overview ===

The ##Http## class (##src/class/http.php##) is a core component of the WackoWiki system responsible for handling HTTP request/response processing, session management, caching, and security features. This class acts as a bridge between the web server and the wiki engine.

**File Location:** ##src/class/http.php##
**Language:** PHP
**Dependencies:** Database class, Session classes, Utility classes (##Ut##), Diagnostics class (##Diag##)

----

=== Class Properties ===

==== Public Properties ====

#|
*| Property | Type | Description |*
|| ##$tls_session## | bool | Indicates if the current session uses HTTPS/TLS encryption ||
|| ##$request_uri## | string | Normalized REQUEST_URI (e.g., 'PageOfNoReturn/show?a=1') ||
|| ##$ip## | string | Client's real IP address (accounts for proxies) ||
|| ##$sess## | Session | Reference to the Session object ||
|| ##$method## | string | Current HTTP method/request type ||
|#

==== Private Properties ====

#|
*| Property | Type | Description |*
|| ##$db## | object | Database connection reference ||
|| ##$tls_mark## | string | Cookie name for TLS session marking ||
|| ##$page## | string | Current page name being processed ||
|| ##$hash## | string | SHA1 hash of the page name ||
|| ##$query## | string | Encoded query string ||
|| ##$lang## | string | Current language code ||
|| ##$file## | string | Cache file path ||
|| ##$caching## | int | Flag indicating if page should be cached (0 or 1) ||
|#

=== Security Considerations ===

==== 1. **IP Address Spoofing** ====

- Validates IPs against private ranges
- Filters proxy-provided IPs appropriately
- Configurable reverse proxy trust

==== 2. **Session Security** ====

- Binds sessions to IP address
- Binds sessions to TLS status
- Supports both file and database storage
- HttpOnly cookies by default

==== 3. **TLS Enforcement** ====

- Automatic HTTPS upgrade when configured
- Marks TLS sessions to prevent downgrade attacks
- HSTS header support

==== 4. **Content Security** ====

- CSP headers to prevent XSS
- X-Frame-Options to prevent clickjacking
- X-Content-Type-Options to prevent MIME sniffing
- Referrer-Policy control
- Permissions-Policy for browser features

==== 5. **File Serving** ====

- Validates file existence and readability
- Prevents directory traversal via ##realpath()##
- Rejects symbolic links
- Special CSP for SVG and PDF files

==== 6. **Cache Security** ====

- Cached only for anonymous users
- Disabled for sensitive operations (edit, watch)
- Only GET requests cached

----

=== Performance Optimization ===

==== 1. **Page Caching** ====

- Stores full HTML output
- TTL-based expiration
- Language and method-aware caching
- Conditional request support (304 Not Modified)

==== 2. **MIME Type Caching** ====

- Loads MIME types once and caches
- Regenerates only when config changes

==== 3. **Session Options** ====

- File-based sessions for simple deployments
- Database sessions for distributed systems

==== 4. **Compression** ====

- Manual gzip implementation
- Proper Content-Length generation
- Only compresses appropriate sizes

----

=== Debugging ===

The class integrates with WackoWiki's diagnostic system:

%%php
// Diagnostic messages are preserved across redirects
// via session flash data

// Check cached pages (debug comments in output):
// <!-- WackoWiki Caching Engine: page cached at 2024-01-15 12:30:45 GMT -->
%%

----

=== Related Classes ===

- **Session Classes** (##SessionFileStore##, ##SessionDbalStore##) - Session management backends
- **Database Class** - Configuration and cache metadata storage
- **Ut Utility Class** - String/path utilities
- **Diag Class** - Diagnostic logging

----

=== Version History ===

- Supports PHP 8.0+ (uses match expressions, union types)
- Follows RFC 9110 for HTTP header handling
- Modern cookie security practices

----

=== Conclusion ===

The ##Http## class is the central request/response handler in WackoWiki, managing everything from session initialization to security headers to file serving. Understanding this class is essential for:

- Extending WackoWiki with custom request handlers
- Implementing custom session logic
- Adding new security policies
- Optimizing cache strategies
- Debugging HTTP-related issues
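
The first three checks listed under "File Serving" (existence and readability, traversal prevention via ##realpath()##, symbolic link rejection) can be combined as in the following added example. It is not code from ##src/class/http.php##; the function name ##resolve_served_file()## and the demo file names are hypothetical, and the demo assumes a POSIX system where ##symlink()## is permitted.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not WackoWiki code): map a requested relative path to a
// canonical file under $base_dir, or return null if it must not be served.
function resolve_served_file(string $base_dir, string $requested): ?string
{
    $base = realpath($base_dir);
    // PHP 8 filesystem functions throw ValueError on NUL bytes, so reject early.
    if ($base === false || str_contains($requested, "\0")) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\');

    // is_link() inspects the final path component itself; realpath() below
    // would silently follow it, so the link test has to come first.
    if (is_link($candidate)) {
        return null;
    }

    // realpath() collapses "." and ".." and resolves symlinked parent
    // directories, so the prefix test runs on the canonical path. The trailing
    // separator keeps "/srv/files_old" from matching a base of "/srv/files".
    $real = realpath($candidate);
    if ($real === false || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }

    // Only regular, readable files are served (no directories or devices).
    return (is_file($real) && is_readable($real)) ? $real : null;
}

// Constructed demo tree in the system temp directory.
$root = sys_get_temp_dir() . '/http_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/files', 0700, true);
file_put_contents($root . '/files/logo.svg', '<svg/>');
file_put_contents($root . '/secret.txt', 'outside the served directory');
symlink($root . '/secret.txt', $root . '/files/link.txt');

foreach (['logo.svg', '../secret.txt', 'link.txt', 'missing.png'] as $req) {
    $path = resolve_served_file($root . '/files', $req);
    printf("%-14s => %s\n", $req, $path === null ? 'rejected' : 'served');
}
```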