symfony/symfonyPublic

NotificationsYou must be signed in to change notification settings
Fork9.7k
Star30.8k

Commitf46e6cb

fabpot

authored and

nicolas-grekas

committed

[HttpFoundation][FrameworkBundle] fix support for samesite in session cookies

1 parentadacae6 commitf46e6cbCopy full SHA for f46e6cb

File tree

13 files changed

+196

-39

lines changed

src/Symfony
- Bundle/FrameworkBundle
  - DependencyInjection
    - Configuration.php
    - FrameworkExtension.php
  - Tests/DependencyInjection
    - ConfigurationTest.php
- Component/HttpFoundation
  - Session
    - SessionUtils.php
    - Storage
      - Handler
        AbstractSessionHandler.php
      - NativeSessionStorage.php
  - Tests/Session/Storage
    - Handler/Fixtures
    - NativeSessionStorageTest.php

13 files changed

+196

-39

lines changed

`‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@`
`20`	`20`	`useSymfony\Component\Config\Definition\ConfigurationInterface;`
`21`	`21`	`useSymfony\Component\DependencyInjection\Exception\LogicException;`
`22`	`22`	`useSymfony\Component\Form\Form;`
	`23`	`+useSymfony\Component\HttpFoundation\Cookie;`
`23`	`24`	`useSymfony\Component\Lock\Lock;`
`24`	`25`	`useSymfony\Component\Lock\Store\SemaphoreStore;`
`25`	`26`	`useSymfony\Component\PropertyInfo\PropertyInfoExtractorInterface;`
`@@ -490,6 +491,7 @@ private function addSessionSection(ArrayNodeDefinition $rootNode)`
`490`	`491`	`->scalarNode('cookie_domain')->end()`
`491`	`492`	`->booleanNode('cookie_secure')->end()`
`492`	`493`	`->booleanNode('cookie_httponly')->defaultTrue()->end()`
	`494`	`+ ->enumNode('cookie_samesite')->values([null, Cookie::SAMESITE_LAX, Cookie::SAMESITE_STRICT])->defaultNull()->end()`
`493`	`495`	`->booleanNode('use_cookies')->end()`
`494`	`496`	`->scalarNode('gc_divisor')->end()`
`495`	`497`	`->scalarNode('gc_probability')->defaultValue(1)->end()`

`‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -867,7 +867,7 @@ private function registerSessionConfiguration(array $config, ContainerBuilder $c`
`867`	`867`	`// session storage`
`868`	`868`	`$container->setAlias('session.storage',$config['storage_id'])->setPrivate(true);`
`869`	`869`	`$options = ['cache_limiter' =>'0'];`
`870`		`-foreach (['name','cookie_lifetime','cookie_path','cookie_domain','cookie_secure','cookie_httponly','use_cookies','gc_maxlifetime','gc_probability','gc_divisor','use_strict_mode']as$key) {`
	`870`	`+foreach (['name','cookie_lifetime','cookie_path','cookie_domain','cookie_secure','cookie_httponly','cookie_samesite','use_cookies','gc_maxlifetime','gc_probability','gc_divisor']as$key) {`
`871`	`871`	`if (isset($config[$key])) {`
`872`	`872`	`$options[$key] =$config[$key];`
`873`	`873`	`}`

`‎src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -436,6 +436,7 @@ protected static function getBundleDefaultConfig()`
`436`	`436`	`'storage_id' =>'session.storage.native',`
`437`	`437`	`'handler_id' =>'session.handler.native_file',`
`438`	`438`	`'cookie_httponly' =>true,`
	`439`	`+'cookie_samesite' =>null,`
`439`	`440`	`'gc_probability' =>1,`
`440`	`441`	`'save_path' =>'%kernel.cache_dir%/sessions',`
`441`	`442`	`'metadata_update_threshold' =>'0',`

`‎src/Symfony/Component/HttpFoundation/Session/SessionUtils.php‎`

Lines changed: 59 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,59 @@`
	`1`	`+<?php`
	`2`	`+`
	`3`	`+/*`
	`4`	`+ * This file is part of the Symfony package.`
	`5`	`+ *`
	`6`	`+ * (c) Fabien Potencier <fabien@symfony.com>`
	`7`	`+ *`
	`8`	`+ * For the full copyright and license information, please view the LICENSE`
	`9`	`+ * file that was distributed with this source code.`
	`10`	`+ */`
	`11`	`+`
	`12`	`+namespaceSymfony\Component\HttpFoundation\Session;`
	`13`	`+`
	`14`	`+/**`
	`15`	`+ * Session utility functions.`
	`16`	`+ *`
	`17`	`+ * @author Nicolas Grekas <p@tchwork.com>`
	`18`	`+ * @author Rémon van de Kamp <rpkamp@gmail.com>`
	`19`	`+ *`
	`20`	`+ * @internal`
	`21`	`+ */`
	`22`	`+finalclass SessionUtils`
	`23`	`+{`
	`24`	`+/**`
	`25`	`+ * Find the session header amongst the headers that are to be sent, remove it, and return`
	`26`	`+ * it so the caller can process it further.`
	`27`	`+ */`
	`28`	`+publicstaticfunctionpopSessionCookie($sessionName,$sessionId)`
	`29`	`+ {`
	`30`	`+$sessionCookie =null;`
	`31`	`+$sessionCookiePrefix =sprintf(' %s=',urlencode($sessionName));`
	`32`	`+$sessionCookieWithId =sprintf('%s%s;',$sessionCookiePrefix,urlencode($sessionId));`
	`33`	`+$otherCookies = [];`
	`34`	`+foreach (headers_list()as$h) {`
	`35`	`+if (0 !==stripos($h,'Set-Cookie:')) {`
	`36`	`+continue;`
	`37`	`+ }`
	`38`	`+if (11 ===strpos($h,$sessionCookiePrefix,11)) {`
	`39`	`+$sessionCookie =$h;`
	`40`	`+`
	`41`	`+if (11 !==strpos($h,$sessionCookieWithId,11)) {`
	`42`	`+$otherCookies[] =$h;`
	`43`	`+ }`
	`44`	`+ }else {`
	`45`	`+$otherCookies[] =$h;`
	`46`	`+ }`
	`47`	`+ }`
	`48`	`+if (null ===$sessionCookie) {`
	`49`	`+returnnull;`
	`50`	`+ }`
	`51`	`+`
	`52`	`+header_remove('Set-Cookie');`
	`53`	`+foreach ($otherCookiesas$h) {`
	`54`	`+header($h,false);`
	`55`	`+ }`
	`56`	`+`
	`57`	`+return$sessionCookie;`
	`58`	`+ }`
	`59`	`+}`

`‎src/Symfony/Component/HttpFoundation/Session/Storage/Handler/AbstractSessionHandler.php‎`

Lines changed: 22 additions & 28 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,8 @@`
`11`	`11`
`12`	`12`	`namespaceSymfony\Component\HttpFoundation\Session\Storage\Handler;`
`13`	`13`
	`14`	`+useSymfony\Component\HttpFoundation\Session\SessionUtils;`
	`15`	`+`
`14`	`16`	`/**`
`15`	`17`	`* This abstract session handler provides a generic implementation`
`16`	`18`	`* of the PHP 7.0 SessionUpdateTimestampHandlerInterface,`
`@@ -27,7 +29,7 @@ abstract class AbstractSessionHandler implements \SessionHandlerInterface, \Sess`
`27`	`29`	`private$igbinaryEmptyData;`
`28`	`30`
`29`	`31`	`/**`
`30`		`- *{@inheritdoc}`
	`32`	`+ *@return bool`
`31`	`33`	`*/`
`32`	`34`	`publicfunctionopen($savePath,$sessionName)`
`33`	`35`	`{`
`@@ -62,7 +64,7 @@ abstract protected function doWrite($sessionId, $data);`
`62`	`64`	`abstractprotectedfunctiondoDestroy($sessionId);`
`63`	`65`
`64`	`66`	`/**`
`65`		`- *{@inheritdoc}`
	`67`	`+ *@return bool`
`66`	`68`	`*/`
`67`	`69`	`publicfunctionvalidateId($sessionId)`
`68`	`70`	`{`
`@@ -73,7 +75,7 @@ public function validateId($sessionId)`
`73`	`75`	`}`
`74`	`76`
`75`	`77`	`/**`
`76`		`- *{@inheritdoc}`
	`78`	`+ *@return string`
`77`	`79`	`*/`
`78`	`80`	`publicfunctionread($sessionId)`
`79`	`81`	`{`
`@@ -99,7 +101,7 @@ public function read($sessionId)`
`99`	`101`	`}`
`100`	`102`
`101`	`103`	`/**`
`102`		`- *{@inheritdoc}`
	`104`	`+ *@return bool`
`103`	`105`	`*/`
`104`	`106`	`publicfunctionwrite($sessionId,$data)`
`105`	`107`	`{`
`@@ -124,7 +126,7 @@ public function write($sessionId, $data)`
`124`	`126`	`}`
`125`	`127`
`126`	`128`	`/**`
`127`		`- *{@inheritdoc}`
	`129`	`+ *@return bool`
`128`	`130`	`*/`
`129`	`131`	`publicfunctiondestroy($sessionId)`
`130`	`132`	`{`
`@@ -135,31 +137,23 @@ public function destroy($sessionId)`
`135`	`137`	`if (!$this->sessionName) {`
`136`	`138`	`thrownew \LogicException(sprintf('Session name cannot be empty, did you forget to call "parent::open()" in "%s"?.',static::class));`
`137`	`139`	`}`
`138`		`-$sessionCookie =sprintf(' %s=',urlencode($this->sessionName));`
`139`		`-$sessionCookieWithId =sprintf('%s%s;',$sessionCookie,urlencode($sessionId));`
`140`		`-$sessionCookieFound =false;`
`141`		`-$otherCookies = [];`
`142`		`-foreach (headers_list()as$h) {`
`143`		`-if (0 !==stripos($h,'Set-Cookie:')) {`
`144`		`-continue;`
`145`		`- }`
`146`		`-if (11 ===strpos($h,$sessionCookie,11)) {`
`147`		`-$sessionCookieFound =true;`
`148`		`-`
`149`		`-if (11 !==strpos($h,$sessionCookieWithId,11)) {`
`150`		`-$otherCookies[] =$h;`
`151`		`- }`
	`140`	`+$cookie = SessionUtils::popSessionCookie($this->sessionName,$sessionId);`
	`141`	`+`
	`142`	`+/*`
	`143`	`+ * We send an invalidation Set-Cookie header (zero lifetime)`
	`144`	`+ * when either the session was started or a cookie with`
	`145`	`+ * the session name was sent by the client (in which case`
	`146`	`+ * we know it's invalid as a valid session cookie would've`
	`147`	`+ * started the session).`
	`148`	`+ */`
	`149`	`+if (null ===$cookie \|\|isset($_COOKIE[$this->sessionName])) {`
	`150`	`+if (\PHP_VERSION_ID <70300) {`
	`151`	`+setcookie($this->sessionName,'',0,ini_get('session.cookie_path'),ini_get('session.cookie_domain'),filter_var(ini_get('session.cookie_secure'),FILTER_VALIDATE_BOOLEAN),filter_var(ini_get('session.cookie_httponly'),FILTER_VALIDATE_BOOLEAN));`
`152`	`152`	`}else {`
`153`		`-$otherCookies[] =$h;`
`154`		`- }`
`155`		`- }`
`156`		`-if ($sessionCookieFound) {`
`157`		`-header_remove('Set-Cookie');`
`158`		`-foreach ($otherCookiesas$h) {`
`159`		`-header($h,false);`
	`153`	`+$params =session_get_cookie_params();`
	`154`	`+ unset($params['lifetime']);`
	`155`	`+setcookie($this->sessionName,'',$params);`
`160`	`156`	`}`
`161`		`- }else {`
`162`		`-setcookie($this->sessionName,'',0,ini_get('session.cookie_path'),ini_get('session.cookie_domain'),filter_var(ini_get('session.cookie_secure'),FILTER_VALIDATE_BOOLEAN),filter_var(ini_get('session.cookie_httponly'),FILTER_VALIDATE_BOOLEAN));`
`163`	`157`	`}`
`164`	`158`	`}`
`165`	`159`

`‎src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php‎`

Lines changed: 36 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@`
`12`	`12`	`namespaceSymfony\Component\HttpFoundation\Session\Storage;`
`13`	`13`
`14`	`14`	`useSymfony\Component\HttpFoundation\Session\SessionBagInterface;`
	`15`	`+useSymfony\Component\HttpFoundation\Session\SessionUtils;`
`15`	`16`	`useSymfony\Component\HttpFoundation\Session\Storage\Handler\StrictSessionHandler;`
`16`	`17`	`useSymfony\Component\HttpFoundation\Session\Storage\Proxy\AbstractProxy;`
`17`	`18`	`useSymfony\Component\HttpFoundation\Session\Storage\Proxy\SessionHandlerProxy;`
`@@ -48,6 +49,11 @@ class NativeSessionStorage implements SessionStorageInterface`
`48`	`49`	`*/`
`49`	`50`	`protected$metadataBag;`
`50`	`51`
	`52`	`+/**`
	`53`	`+ * @var string\|null`
	`54`	`+ */`
	`55`	`+private$emulateSameSite;`
	`56`	`+`
`51`	`57`	`/**`
`52`	`58`	`* Depending on how you want the storage driver to behave you probably`
`53`	`59`	`* want to override this constructor entirely.`
`@@ -67,6 +73,7 @@ class NativeSessionStorage implements SessionStorageInterface`
`67`	`73`	`* cookie_lifetime, "0"`
`68`	`74`	`* cookie_path, "/"`
`69`	`75`	`* cookie_secure, ""`
	`76`	`+ * cookie_samesite, null`
`70`	`77`	`* entropy_file, ""`
`71`	`78`	`* entropy_length, "0"`
`72`	`79`	`* gc_divisor, "100"`
`@@ -94,9 +101,7 @@ class NativeSessionStorage implements SessionStorageInterface`
`94`	`101`	`* trans_sid_hosts, $_SERVER['HTTP_HOST']`
`95`	`102`	`* trans_sid_tags, "a=href,area=href,frame=src,form="`
`96`	`103`	`*`
`97`		`- * @param array $options Session configuration options`
`98`		`- * @param \SessionHandlerInterface\|null $handler`
`99`		`- * @param MetadataBag $metaBag MetadataBag`
	`104`	`+ * @param AbstractProxy\|\SessionHandlerInterface\|null $handler`
`100`	`105`	`*/`
`101`	`106`	`publicfunction__construct(array$options = [],$handler =null,MetadataBag$metaBag =null)`
`102`	`107`	`{`
`@@ -150,6 +155,13 @@ public function start()`
`150`	`155`	`thrownew \RuntimeException('Failed to start the session');`
`151`	`156`	`}`
`152`	`157`
	`158`	`+if (null !==$this->emulateSameSite) {`
	`159`	`+$originalCookie = SessionUtils::popSessionCookie(session_name(),session_id());`
	`160`	`+if (null !==$originalCookie) {`
	`161`	`+header(sprintf('%s; SameSite=%s',$originalCookie,$this->emulateSameSite),false);`
	`162`	`+ }`
	`163`	`+ }`
	`164`	`+`
`153`	`165`	`$this->loadSession();`
`154`	`166`
`155`	`167`	`returntrue;`
`@@ -215,6 +227,13 @@ public function regenerate($destroy = false, $lifetime = null)`
`215`	`227`	`// @see https://bugs.php.net/70013`
`216`	`228`	`$this->loadSession();`
`217`	`229`
	`230`	`+if (null !==$this->emulateSameSite) {`
	`231`	`+$originalCookie = SessionUtils::popSessionCookie(session_name(),session_id());`
	`232`	`+if (null !==$originalCookie) {`
	`233`	`+header(sprintf('%s; SameSite=%s',$originalCookie,$this->emulateSameSite),false);`
	`234`	`+ }`
	`235`	`+ }`
	`236`	`+`
`218`	`237`	`return$isRegenerated;`
`219`	`238`	`}`
`220`	`239`
`@@ -223,6 +242,7 @@ public function regenerate($destroy = false, $lifetime = null)`
`223`	`242`	`*/`
`224`	`243`	`publicfunctionsave()`
`225`	`244`	`{`
	`245`	`+// Store a copy so we can restore the bags in case the session was not left empty`
`226`	`246`	`$session =$_SESSION;`
`227`	`247`
`228`	`248`	`foreach ($this->bagsas$bag) {`
`@@ -248,7 +268,11 @@ public function save()`
`248`	`268`	`session_write_close();`
`249`	`269`	`}finally {`
`250`	`270`	`restore_error_handler();`
`251`		`-$_SESSION =$session;`
	`271`	`+`
	`272`	`+// Restore only if not empty`
	`273`	`+if ($_SESSION) {`
	`274`	`+$_SESSION =$session;`
	`275`	`+ }`
`252`	`276`	`}`
`253`	`277`
`254`	`278`	`$this->closed =true;`
`@@ -347,7 +371,7 @@ public function setOptions(array $options)`
`347`	`371`
`348`	`372`	`$validOptions =array_flip([`
`349`	`373`	`'cache_expire','cache_limiter','cookie_domain','cookie_httponly',`
`350`		`-'cookie_lifetime','cookie_path','cookie_secure',`
	`374`	`+'cookie_lifetime','cookie_path','cookie_secure','cookie_samesite',`
`351`	`375`	`'entropy_file','entropy_length','gc_divisor',`
`352`	`376`	`'gc_maxlifetime','gc_probability','hash_bits_per_character',`
`353`	`377`	`'hash_function','lazy_write','name','referer_check',`
`@@ -360,6 +384,12 @@ public function setOptions(array $options)`
`360`	`384`
`361`	`385`	`foreach ($optionsas$key =>$value) {`
`362`	`386`	`if (isset($validOptions[$key])) {`
	`387`	`+if ('cookie_samesite' ===$key && \PHP_VERSION_ID <70300) {`
	`388`	`+// PHP < 7.3 does not support same_site cookies. We will emulate it in`
	`389`	`+// the start() method instead.`
	`390`	`+$this->emulateSameSite =$value;`
	`391`	`+continue;`
	`392`	`+ }`
`363`	`393`	`ini_set('url_rewriter.tags' !==$key ?'session.'.$key :$key,$value);`
`364`	`394`	`}`
`365`	`395`	`}`
`@@ -381,7 +411,7 @@ public function setOptions(array $options)`
`381`	`411`	`* @see https://php.net/sessionhandlerinterface`
`382`	`412`	`* @see https://php.net/sessionhandler`
`383`	`413`	`*`
`384`		`- * @param \SessionHandlerInterface\|null $saveHandler`
	`414`	`+ * @paramAbstractProxy\|\SessionHandlerInterface\|null $saveHandler`
`385`	`415`	`*`
`386`	`416`	`* @throws \InvalidArgumentException`
`387`	`417`	`*/`

`‎src/Symfony/Component/HttpFoundation/Tests/Session/Storage/Handler/Fixtures/storage.expected‎`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -11,10 +11,11 @@ $_SESSION is not empty`
`11`	`11`	`write`
`12`	`12`	`destroy`
`13`	`13`	`close`
`14`		`-$_SESSION isnotempty`
	`14`	`+$_SESSION is empty`
`15`	`15`	`Array`
`16`	`16`	`(`
`17`	`17`	`[0] => Content-Type: text/plain; charset=utf-8`
`18`	`18`	`[1] => Cache-Control: max-age=0, private, must-revalidate`
	`19`	`+ [2] => Set-Cookie: sid=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly`
`19`	`20`	`)`
`20`	`21`	`shutdown`

`‎src/Symfony/Component/HttpFoundation/Tests/Session/Storage/Handler/Fixtures/with_cookie_and_session.expected‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -20,5 +20,6 @@ Array`
`20`	`20`	`[0] => Content-Type: text/plain; charset=utf-8`
`21`	`21`	`[1] => Cache-Control: max-age=10800, private, must-revalidate`
`22`	`22`	`[2] => Set-Cookie: abc=def`
	`23`	`+ [3] => Set-Cookie: sid=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly`
`23`	`24`	`)`
`24`	`25`	`shutdown`

`‎src/Symfony/Component/HttpFoundation/Tests/Session/Storage/Handler/Fixtures/with_samesite.expected‎`

Lines changed: 16 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,16 @@`
	`1`	`+open`
	`2`	`+validateId`
	`3`	`+read`
	`4`	`+doRead:`
	`5`	`+read`
	`6`	`+`
	`7`	`+write`
	`8`	`+doWrite: foo\|s:3:"bar";`
	`9`	`+close`
	`10`	`+Array`
	`11`	`+(`
	`12`	`+ [0] => Content-Type: text/plain; charset=utf-8`
	`13`	`+ [1] => Cache-Control: max-age=0, private, must-revalidate`
	`14`	`+ [2] => Set-Cookie: sid=random_session_id; path=/; secure; HttpOnly; SameSite=lax`
	`15`	`+)`
	`16`	`+shutdown`

`‎src/Symfony/Component/HttpFoundation/Tests/Session/Storage/Handler/Fixtures/with_samesite.php‎`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,13 @@`
	`1`	`+<?php`
	`2`	`+`
	`3`	`+require__DIR__.'/common.inc';`
	`4`	`+`
	`5`	`+useSymfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;`
	`6`	`+`
	`7`	`+$storage =newNativeSessionStorage(['cookie_samesite' =>'lax']);`
	`8`	`+$storage->setSaveHandler(newTestSessionHandler());`
	`9`	`+$storage->start();`
	`10`	`+`
	`11`	`+$_SESSION = ['foo' =>'bar'];`
	`12`	`+`
	`13`	`+ob_start(function ($buffer) {returnstr_replace(session_id(),'random_session_id',$buffer); });`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commitf46e6cb

File tree

13 files changed

13 files changed

`‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php‎`

`‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php‎`

`‎src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php‎`

`‎src/Symfony/Component/HttpFoundation/Session/SessionUtils.php‎`

`‎src/Symfony/Component/HttpFoundation/Session/Storage/Handler/AbstractSessionHandler.php‎`

`‎src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php‎`

`‎src/Symfony/Component/HttpFoundation/Tests/Session/Storage/Handler/Fixtures/storage.expected‎`

`‎src/Symfony/Component/HttpFoundation/Tests/Session/Storage/Handler/Fixtures/with_cookie_and_session.expected‎`

`‎src/Symfony/Component/HttpFoundation/Tests/Session/Storage/Handler/Fixtures/with_samesite.expected‎`

`‎src/Symfony/Component/HttpFoundation/Tests/Session/Storage/Handler/Fixtures/with_samesite.php‎`

0 commit comments