fix(session): Log critical conditions where sessions might be lost

* Regenerating session when cookies can't be sent -> lost
* Regenerating session ID and deleting old data -> possible loss

Signed-off-by: Christoph Wurst <[email protected]>

Author: ChristophWurst

lib/private/Session/Internal.php

@@ -36,6 +36,8 @@
 use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Token\IProvider;
 use OCP\Session\Exceptions\SessionNotAvailableException;
+use function headers_sent;
+use function OCP\Log\logger;
 
 /**
  * Class Internal
@@ -138,6 +140,14 @@ public function regenerateId(bool $deleteOldSession = true, bool $updateToken =
 			}
 		}
 
+		if (headers_sent()) {
+			logger('core')->critical('Regenerating session ID but headers have been sent. This session will be lost.', [
+				'deleteOldSession' => $deleteOldSession,
+			]);
+		} else if ($deleteOldSession) {
+			logger('core')->warning('Calling session_regenerate_id with delete_old_session=true can lead to lost sessions');
+		}
+
 		try {
 			@session_regenerate_id($deleteOldSession);
 		} catch (\Error $e) {
@@ -222,6 +232,12 @@ private function startSession(bool $silence = false, bool $readAndClose = true)
 		if (\OC::hasSessionRelaxedExpiry()) {
 			$sessionParams['read_and_close'] = $readAndClose;
 		}
+		if (headers_sent()) {
+			logger('core')->critical('Starting session but headers have been sent. This session will be lost.', [
+				'silence' => $silence,
+				'readAndClos' => $readAndClose,
+			]);
+		}
 		$this->invoke('session_start', [$sessionParams], $silence);
 	}
 }