From dc8cdaf89f37dc10b108967c4a07a2cf0f14b1bd Mon Sep 17 00:00:00 2001 From: Paulo Magalhaes Date: Fri, 22 Nov 2019 15:54:11 +0000 Subject: [PATCH] Add support for SameSite cookie session setting Starting from PHP 7.3 there's native support for SameSite cookies (RFC6265bis) which requires using a new session_get_cookie_params() parameter syntax --- lib/response/sfWebResponse.class.php | 17 +++++++++++++++-- lib/storage/sfSessionStorage.class.php | 15 ++++++++++++++- test/unit/response/sfWebResponseTest.php | 2 +- 3 files changed, 30 insertions(+), 4 deletions(-) diff --git a/lib/response/sfWebResponse.class.php b/lib/response/sfWebResponse.class.php index 4a9a6585a..1794dddbe 100644 --- a/lib/response/sfWebResponse.class.php +++ b/lib/response/sfWebResponse.class.php @@ -158,10 +158,11 @@ public function isHeaderOnly() * @param string $domain Domain name * @param bool $secure If secure * @param bool $httpOnly If uses only HTTP + * @param string $samesite SameSite cookies * * @throws sfException If fails to set the cookie */ - public function setCookie($name, $value, $expire = null, $path = '/', $domain = '', $secure = false, $httpOnly = false) + public function setCookie($name, $value, $expire = null, $path = '/', $domain = '', $secure = false, $httpOnly = false, $samesite = '') { if ($expire !== null) { @@ -187,6 +188,7 @@ public function setCookie($name, $value, $expire = null, $path = '/', $domain = 'domain' => $domain, 'secure' => $secure ? true : false, 'httpOnly' => $httpOnly, + 'samesite' => $samesite ); } @@ -365,7 +367,18 @@ public function sendHttpHeaders() // cookies foreach ($this->cookies as $cookie) { - setrawcookie($cookie['name'], $cookie['value'], $cookie['expire'], $cookie['path'], $cookie['domain'], $cookie['secure'], $cookie['httpOnly']); + if (PHP_VERSION_ID < 70300) { + setrawcookie($cookie['name'], $cookie['value'], $cookie['expire'], $cookie['path'], $cookie['domain'], $cookie['secure'], $cookie['httpOnly']); + } else { + setrawcookie($cookie['name'], $cookie['value'], array( + 'expires' => $cookie['expire'], + 'path' => $cookie['path'], + 'domain' => $cookie['domain'], + 'secure' => $cookie['secure'], + 'httpOnly' => $cookie['httpOnly'], + 'samesite' => $cookie['samesite'], + )); + } if ($this->options['logging']) { diff --git a/lib/storage/sfSessionStorage.class.php b/lib/storage/sfSessionStorage.class.php index 0a29f19e0..638911644 100644 --- a/lib/storage/sfSessionStorage.class.php +++ b/lib/storage/sfSessionStorage.class.php @@ -62,6 +62,7 @@ public function initialize($options = null) 'session_cookie_domain' => $cookieDefaults['domain'], 'session_cookie_secure' => $cookieDefaults['secure'], 'session_cookie_httponly' => isset($cookieDefaults['httponly']) ? $cookieDefaults['httponly'] : false, + 'session_cookie_samesite' => isset($cookieDefaults['samesite']) ? $cookieDefaults['samesite'] : '', 'session_cache_limiter' => null, ), $options); @@ -83,7 +84,19 @@ public function initialize($options = null) $domain = $this->options['session_cookie_domain']; $secure = $this->options['session_cookie_secure']; $httpOnly = $this->options['session_cookie_httponly']; - session_set_cookie_params($lifetime, $path, $domain, $secure, $httpOnly); + $samesite = $this->options['session_cookie_samesite']; + if (PHP_VERSION_ID < 70300) { + session_set_cookie_params($lifetime, $path, $domain, $secure, $httpOnly); + } else { + session_set_cookie_params(array( + 'lifetime' => $lifetime, + 'path' => $path, + 'domain' => $domain, + 'secure' => $secure, + 'httponly' => $httpOnly, + 'samesite' => $samesite + )); + } if (null !== $this->options['session_cache_limiter']) { diff --git a/test/unit/response/sfWebResponseTest.php b/test/unit/response/sfWebResponseTest.php index 0697da8d8..4d2b7ee07 100644 --- a/test/unit/response/sfWebResponseTest.php +++ b/test/unit/response/sfWebResponseTest.php @@ -288,7 +288,7 @@ public function normalizeHeaderName($name) // ->setCookie() ->getCookies() $t->diag('->setCookie() ->getCookies()'); $response->setCookie('foo', 'bar'); -$t->is($response->getCookies(), array('foo' => array('name' => 'foo', 'value' => 'bar', 'expire' => null, 'path' => '/', 'domain' => '', 'secure' => false, 'httpOnly' => false)), '->setCookie() adds a cookie for the response'); +$t->is($response->getCookies(), array('foo' => array('name' => 'foo', 'value' => 'bar', 'expire' => null, 'path' => '/', 'domain' => '', 'secure' => false, 'httpOnly' => false, 'samesite' => '')), '->setCookie() adds a cookie for the response'); // ->setHeaderOnly() ->getHeaderOnly() $t->diag('->setHeaderOnly() ->isHeaderOnly()');