Initial support for SameSite cookie parameter

bryanjhv · May 27, 2020 · 9783c04 · 9783c04
1 parent 69efc2c
commit 9783c04
Show file tree

Hide file tree

Showing 4 changed files with 92 additions and 19 deletions.
diff --git a/readme.md b/readme.md
@@ -39,7 +39,8 @@ $app->add(new \Slim\Middleware\Session([
 
 - `lifetime`: How much should the session last? Default `20 minutes`. Any
   argument that `strtotime` can parse is valid.
-- `path`, `domain`, `secure`, `httponly`: Options for the session cookie.
+- `path`, `domain`, `secure`, `httponly`, `samesite`: Options for the session
+  cookie. Please note that `samesite` is disabled by default.
 - `name`: Name for the session cookie. Defaults to `slim_session` (instead of
   PHP's `PHPSESSID`).
 - **`autorefresh`**: `true` if you want session to be refresh when user activity

diff --git a/src/Slim/Middleware/Session.php b/src/Slim/Middleware/Session.php
@@ -2,6 +2,7 @@
 
 namespace Slim\Middleware;
 
+use SlimSession\Cookie;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
@@ -42,6 +43,7 @@ public function __construct($settings = [])
             'domain' => '',
             'secure' => false,
             'httponly' => false,
+            'samesite' => '',
             'name' => 'slim_session',
             'autorefresh' => false,
             'handler' => null,
@@ -92,25 +94,16 @@ protected function startSession()
         $settings = $this->settings;
         $name = $settings['name'];
 
-        session_set_cookie_params(
-            $settings['lifetime'],
-            $settings['path'],
-            $settings['domain'],
-            $settings['secure'],
-            $settings['httponly']
-        );
+        Cookie::setup($settings);
 
         // Refresh session cookie when "inactive",
         // else PHP won't know we want this to refresh
         if ($settings['autorefresh'] && isset($_COOKIE[$name])) {
-            setcookie(
+            Cookie::set(
                 $name,
                 $_COOKIE[$name],
                 time() + $settings['lifetime'],
-                $settings['path'],
-                $settings['domain'],
-                $settings['secure'],
-                $settings['httponly']
+                $settings
             );
         }
 

diff --git a/src/SlimSession/Cookie.php b/src/SlimSession/Cookie.php
@@ -0,0 +1,82 @@
+<?php
+
+namespace SlimSession;
+
+/**
+ * Cookie class
+ *
+ * This is an internal class that helps to handle SameSite cookie support in all
+ * the supported PHP versions for this package in a standarized form.
+ *
+ * @package SlimSession
+ * @author  Bryan Horna
+ */
+class Cookie
+{
+    /**
+     * @param array      $params
+     * @param array|null $set
+     */
+    private static function call($params, $set)
+    {
+        if ($set) {
+            $expires = 'expires';
+            $callback = 'setcookie';
+        } else {
+            $expires = 'lifetime';
+            $callback = 'session_set_cookie_params';
+        }
+
+        $args = [
+            $expires => $params[$expires],
+            'path' => $params['path'],
+            'domain' => $params['domain'],
+            'secure' => $params['secure'],
+            'httponly' => $params['httponly'],
+        ];
+
+        $new = PHP_VERSION_ID >= 70300;
+        $samesite = $params['samesite'];
+        if ($new) {
+            $args['samesite'] = $samesite;
+            if ($set) {
+                $args = [$set[0], $set[1], $args];
+            }
+        } else {
+            if ($samesite) {
+                $args['path'] .=
+                    ($args['path'] ? '; ' : '') . "SameSite=$samesite";
+            }
+            $args = array_values($args);
+            if ($set) {
+                $args = array_merge([$set[0], $set[1]], $args);
+            }
+        }
+
+        call_user_func_array($callback, $args);
+    }
+
+    /**
+     * Set session cookie params.
+     *
+     * @param array $params
+     */
+    public static function setup($params)
+    {
+        self::call($params, null);
+    }
+
+    /**
+     * Set a cookie.
+     *
+     * @param string $name
+     * @param string $value
+     * @param int    $expires
+     * @param array  $params
+     */
+    public static function set($name, $value, $expires, $params)
+    {
+        $params['expires'] = $expires;
+        self::call($params, [$name, $value]);
+    }
+}
diff --git a/src/SlimSession/Helper.php b/src/SlimSession/Helper.php
@@ -9,6 +9,7 @@
  * and the session variables passed via $_SESSION superglobal.
  *
  * @package SlimSession
+ * @author  Bryan Horna
  */
 class Helper implements \ArrayAccess, \Countable, \IteratorAggregate
 {
@@ -124,15 +125,11 @@ public static function destroy()
             session_write_close();
 
             if (ini_get('session.use_cookies')) {
-                $params = session_get_cookie_params();
-                setcookie(
+                Cookie::set(
                     session_name(),
                     '',
                     time() - 4200,
-                    $params['path'],
-                    $params['domain'],
-                    $params['secure'],
-                    $params['httponly']
+                    session_get_cookie_params()
                 );
             }
         }