
Commit 052023a

Add support for SameSite cookie attribute (#387)
* Add support for SameSite cookie session setting. Starting from PHP 7.3 there is native support for SameSite cookies (RFC 6265bis); it is exposed through the new array-based options syntax of session_set_cookie_params() and setrawcookie(), and session_get_cookie_params() now returns a `samesite` entry. --------- Co-authored-by: Emanuele Panzeri <thepanz@gmail.com>
1 parent 46b5da0 commit 052023a


3 files changed

+31
-12
lines changed


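--- a/lib/response/sfWebResponse.class.php
+++ b/lib/response/sfWebResponse.class.php
@@ -162,17 +162,18 @@ public function isHeaderOnly()
 /**
 * Sets a cookie.
 *
-* @param string $name HTTP header name
-* @param string $value Value for the cookie
-* @param string $expire Cookie expiration period
-* @param string $path Path
-* @param string $domain Domain name
-* @param bool $secure If secure
-* @param bool $httpOnly If uses only HTTP
+* @param string $name HTTP header name
+* @param string $value Value for the cookie
+* @param string $expire Cookie expiration period
+* @param string $path Path
+* @param string $domain Domain name
+* @param bool $secure If secure
+* @param bool $httpOnly If uses only HTTP
+* @param ''|'None'|'Lax'|'Strict' $samesite If uses Same-site cookies
 *
 * @throws sfException If fails to set the cookie
 */
-public function setCookie($name, $value, $expire = null, $path = '/', $domain = '', $secure = false, $httpOnly = false)
+public function setCookie($name, $value, $expire = null, $path = '/', $domain = '', $secure = false, $httpOnly = false, string $samesite = '')
 {
 if (null !== $expire) {
 if (is_numeric($expire)) {
@@ -193,6 +194,7 @@ public function setCookie($name, $value, $expire = null, $path = '/', $domain =
 'domain' => $domain,
 'secure' => $secure ? true : false,
 'httpOnly' => $httpOnly,
+'samesite' => $samesite,
 ];
 }
 
@@ -359,7 +361,14 @@ public function sendHttpHeaders()
 foreach ($this->cookies as $cookie) {
 $expire = isset($cookie['expire']) ? $cookie['expire'] : 0;
 $domain = isset($cookie['domain']) ? $cookie['domain'] : '';
-setrawcookie($cookie['name'], $cookie['value'], $expire, $cookie['path'], $domain, $cookie['secure'], $cookie['httpOnly']);
+setrawcookie($cookie['name'], $cookie['value'], [
+'expires' => $expire,
+'path' => $cookie['path'],
+'domain' => $domain,
+'secure' => $cookie['secure'],
+'httpOnly' => $cookie['httpOnly'],
+'samesite' => $cookie['samesite'],
+]);
 
 if ($this->options['logging']) {
 $this->dispatcher->notify(new sfEvent($this, 'application.log', [sprintf('Send cookie "%s": "%s"', $cookie['name'], $cookie['value'])]));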
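Review bot: In the `sendHttpHeaders()` hunk, `'samesite' => $cookie['samesite']` is read without the `isset()` fallback that the `expire` and `domain` entries two lines above it use, so any cookie array built before this change (for instance a response deserialized from a cache, if that path is still in use — not visible here) raises an undefined-index notice and hands `null` to `setrawcookie()`; use `'samesite' => isset($cookie['samesite']) ? $cookie['samesite'] : '',`. In `setCookie()` the docblock now promises `''|'None'|'Lax'|'Strict'` but nothing checks the value, and browsers discard a `SameSite=None` cookie that is not also `Secure`; a guard such as `if ('None' === $samesite && !$secure) { throw new sfException(sprintf('Cookie "%s": SameSite=None requires the secure flag.', $name)); }` next to the existing `@throws sfException` contract would fail loudly instead of silently losing the cookie. The bodies of both `setCookie()` and `sendHttpHeaders()` continue outside the hunks.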

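--- a/lib/storage/sfSessionStorage.class.php
+++ b/lib/storage/sfSessionStorage.class.php
@@ -35,7 +35,8 @@ class sfSessionStorage extends sfStorage
 * * session_cookie_path: Cookie path
 * * session_cookie_domain: Cookie domain
 * * session_cookie_secure: Cookie secure
-* * session_cookie_httponly: Cookie http only (only for PHP >= 5.2)
+* * session_cookie_httponly: Cookie http only
+* * session.cookie_samesite: Cookie same site
 *
 * The default values for all 'session_cookie_*' options are those returned by the session_get_cookie_params() function
 *
@@ -56,6 +57,7 @@ public function initialize($options = null)
 'session_cookie_domain' => $cookieDefaults['domain'],
 'session_cookie_secure' => $cookieDefaults['secure'],
 'session_cookie_httponly' => isset($cookieDefaults['httponly']) ? $cookieDefaults['httponly'] : false,
+'session_cookie_samesite' => isset($cookieDefaults['samesite']) ? $cookieDefaults['samesite'] : '',
 'session_cache_limiter' => null,
 'gc_maxlifetime' => 1800,
 ], $options);
@@ -77,7 +79,15 @@ public function initialize($options = null)
 $domain = $this->options['session_cookie_domain'];
 $secure = $this->options['session_cookie_secure'];
 $httpOnly = $this->options['session_cookie_httponly'];
-session_set_cookie_params($lifetime, $path, $domain, $secure, $httpOnly);
+$samesite = $this->options['session_cookie_samesite'];
+session_set_cookie_params([
+'lifetime' => $lifetime,
+'path' => $path,
+'domain' => $domain,
+'secure' => $secure,
+'httponly' => $httpOnly,
+'samesite' => $samesite,
+]);
 
 if (null !== $this->options['session_cache_limiter']) {
 session_cache_limiter($this->options['session_cache_limiter']);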
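Review bot: The option documented in the class docblock hunk as `session.cookie_samesite` does not match the key the code reads, `session_cookie_samesite` (the `initialize()` defaults array and `$this->options['session_cookie_samesite']`), so anyone following the docblock will set an option that is silently ignored; change the line to `* * session_cookie_samesite: Cookie same site ('', 'None', 'Lax' or 'Strict')`. Since the default falls back to `session_get_cookie_params()` and then to `''`, the session cookie carries no SameSite attribute unless the option or php.ini is configured, which the docblock should say so deployments know the CSRF mitigation is opt-in. As in the response class, `'None'` is only honoured by browsers when `session_cookie_secure` is also true, and the hunk passes the value to `session_set_cookie_params()` unchecked. `initialize()` continues past the end of the hunk.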

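--- a/test/unit/response/sfWebResponseTest.php
+++ b/test/unit/response/sfWebResponseTest.php
@@ -281,7 +281,7 @@ public function normalizeHeaderName($name)
 // ->setCookie() ->getCookies()
 $t->diag('->setCookie() ->getCookies()');
 $response->setCookie('foo', 'bar');
-$t->is($response->getCookies(), ['foo' => ['name' => 'foo', 'value' => 'bar', 'expire' => null, 'path' => '/', 'domain' => '', 'secure' => false, 'httpOnly' => false]], '->setCookie() adds a cookie for the response');
+$t->is($response->getCookies(), ['foo' => ['name' => 'foo', 'value' => 'bar', 'expire' => null, 'path' => '/', 'domain' => '', 'secure' => false, 'httpOnly' => false, 'samesite' => '']], '->setCookie() adds a cookie for the response');
 
 // ->setHeaderOnly() ->getHeaderOnly()
 $t->diag('->setHeaderOnly() ->isHeaderOnly()');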
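Review bot: The only assertion touched still exercises the default (`'samesite' => ''`), so the new `$samesite` argument of `setCookie()` is never shown to reach `getCookies()`; add a call with an explicit value, e.g. `$response->setCookie('sess', 'x', null, '/', '', true, true, 'Strict');` followed by `$t->is($response->getCookies()['sess']['samesite'], 'Strict', '->setCookie() stores the SameSite attribute');`. A further case passing a string outside the documented set would pin down whether `setCookie()` is meant to validate the value or pass it through, which the current change leaves undefined.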
