HTTP Class Technical Documentation
Overview
The Http class (src/class/http.php) is a core component of the WackoWiki system responsible for handling HTTP request/response processing, session management, caching, and security features. This class acts as a bridge between the web server and the wiki engine.
File Location: src/class/http.php
Language: PHP
Dependencies: Database class, Session classes, Utility classes (Ut), Diagnostics class (Diag)
Class Properties
Public Properties
| Property | Type | Description |
|---|---|---|
| $tls_session | bool | Indicates if the current session uses HTTPS/TLS encryption |
| $request_uri | string | Normalized REQUEST_URI (e.g., 'PageOfNoReturn/show?a=1') |
| $ip | string | Client's real IP address (accounts for proxies) |
| $sess | Session | Reference to the Session object |
| $method | string | Current HTTP method/request type |

Private Properties
| Property | Type | Description |
|---|---|---|
| $db | object | Database connection reference |
| $tls_mark | string | Cookie name for TLS session marking |
| $page | string | Current page name being processed |
| $hash | string | SHA1 hash of the page name |
| $query | string | Encoded query string |
| $lang | string | Current language code |
| $file | string | Cache file path |
| $caching | int | Flag indicating if page should be cached (0 or 1) |

Security Considerations
1. IP Address Spoofing
- Validates IPs against private ranges
- Filters proxy-provided IPs appropriately
- Configurable reverse proxy trust
2. Session Security
- Binds sessions to IP address
- Binds sessions to TLS status
- Supports both file and database storage
- HttpOnly cookies by default
3. TLS Enforcement
- Automatic HTTPS upgrade when configured
- Marks TLS sessions to prevent downgrade attacks
- HSTS header support
4. Content Security
- CSP headers to prevent XSS
- X-Frame-Options to prevent clickjacking
- X-Content-Type-Options to prevent MIME sniffing
- Referrer-Policy control
- Permissions-Policy for browser features
5. File Serving
- Validates file existence and readability
- Prevents directory traversal via realpath()
- Rejects symbolic links
- Special CSP for SVG and PDF files
6. Cache Security
- Cached only for anonymous users
- Disabled for sensitive operations (edit, watch)
- Only GET requests cached
Performance Optimization
1. Page Caching
- Stores full HTML output
- TTL-based expiration
- Language and method-aware caching
- Conditional request support (304 Not Modified)
2. MIME Type Caching
- Loads MIME types once and caches
- Regenerates only when config changes
3. Session Options
- File-based sessions for simple deployments
- Database sessions for distributed systems
4. Compression
- Manual gzip implementation
- Proper Content-Length generation
- Only compresses appropriate sizes
Debugging
The class integrates with WackoWiki's diagnostic system:
```php
// Diagnostic messages are preserved across redirects
// via session flash data
// Check cached pages (debug comments in output):
// <!-- WackoWiki Caching Engine: page cached at 2024-01-15 12:30:45 GMT -->
```
Related Classes
- Session Classes (SessionFileStore, SessionDbalStore) - Session management backends
- Database Class - Configuration and cache metadata storage
- Ut Utility Class - String/path utilities
- Diag Class - Diagnostic logging
Version History
- Supports PHP 8.0+ (uses match expressions, union types)
- Follows RFC 9110 for HTTP header handling
- Modern cookie security practices
Conclusion
The Http class is the central request/response handler in WackoWiki, managing everything from session initialization to security headers to file serving. Understanding this class is essential for:
- Extending WackoWiki with custom request handlers
- Implementing custom session logic
- Adding new security policies
- Optimizing cache strategies
- Debugging HTTP-related issues