src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php line 173

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of EC-CUBE
  5. *
  6. * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
  7. *
  8. * http://www.ec-cube.co.jp/
  9. *
  10. * For the full copyright and license information, please view the LICENSE
  11. * file that was distributed with this source code.
  12. */
  14. namespace Eccube\Session\Storage\Handler;
  16. use Skorp\Dissua\SameSite;
  17. use Symfony\Component\HttpFoundation\Cookie;
  18. use Symfony\Component\HttpFoundation\Request;
  19. use Symfony\Component\HttpFoundation\Session\Storage\Handler\StrictSessionHandler;
  21. class SameSiteNoneCompatSessionHandler extends StrictSessionHandler
  22. {
  23. /** @var \SessionHandlerInterface */
  24. private $handler;
  25. /** @var bool */
  26. private $doDestroy;
  27. /** @var string */
  28. private $sessionName;
  29. /** @var string|null */
  30. private $prefetchData;
  31. /** @var string */
  32. private $newSessionId;
  34. /**
  35. * {@inheritdoc}
  36. */
  37. public function __construct(\SessionHandlerInterface $handler)
  38. {
  39. $this->handler = $handler;
  41. ini_set('session.cookie_secure', $this->getCookieSecure());
  42. ini_set('session.cookie_samesite', $this->getCookieSameSite());
  43. ini_set('session.cookie_path', $this->getCookiePath());
  44. }
  46. /**
  47. * {@inheritdoc}
  48. */
  49. public function open($savePath, $sessionName)
  50. {
  51. $this->sessionName = $sessionName;
  52. // see https://github.com/symfony/symfony/blob/2adc85d49cbe14e346068fa7e9c2e1f08ab31de6/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/AbstractSessionHandler.php#L35-L37
  53. if (!headers_sent() && !ini_get('session.cache_limiter') && '0' !== ini_get('session.cache_limiter')) {
  54. header(sprintf('Cache-Control: max-age=%d, private, must-revalidate', 60 * (int) ini_get('session.cache_expire')));
  55. }
  57. return $this->handler->open($savePath, $sessionName);
  58. }
  60. /**
  61. * {@inheritdoc}
  62. */
  63. protected function doRead($sessionId)
  64. {
  65. return $this->handler->read($sessionId);
  66. }
  68. /**
  69. * {@inheritdoc}
  70. */
  71. public function updateTimestamp($sessionId, $data)
  72. {
  73. return $this->write($sessionId, $data);
  74. }
  76. /**
  77. * {@inheritdoc}
  78. */
  79. protected function doWrite($sessionId, $data)
  80. {
  81. return $this->handler->write($sessionId, $data);
  82. }
  84. /**
  85. * {@inheritdoc}
  86. *
  87. * @see https://github.com/symfony/symfony/blob/2adc85d49cbe14e346068fa7e9c2e1f08ab31de6/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/AbstractSessionHandler.php#L126-L167
  88. */
  89. public function destroy($sessionId)
  90. {
  91. if (\PHP_VERSION_ID < 70000) {
  92. $this->prefetchData = null;
  93. }
  94. if (!headers_sent() && filter_var(ini_get('session.use_cookies'), FILTER_VALIDATE_BOOLEAN)) {
  95. if (!$this->sessionName) {
  96. throw new \LogicException(sprintf('Session name cannot be empty, did you forget to call "parent::open()" in "%s"?.', \get_class($this)));
  97. }
  98. $sessionCookie = sprintf(' %s=', urlencode($this->sessionName));
  99. $sessionCookieWithId = sprintf('%s%s;', $sessionCookie, urlencode($sessionId));
  100. $sessionCookieFound = false;
  101. $otherCookies = [];
  102. foreach (headers_list() as $h) {
  103. if (0 !== stripos($h, 'Set-Cookie:')) {
  104. continue;
  105. }
  106. if (11 === strpos($h, $sessionCookie, 11)) {
  107. $sessionCookieFound = true;
  109. if (11 !== strpos($h, $sessionCookieWithId, 11)) {
  110. $otherCookies[] = $h;
  111. }
  112. } else {
  113. $otherCookies[] = $h;
  114. }
  115. }
  116. if ($sessionCookieFound) {
  117. header_remove('Set-Cookie');
  118. foreach ($otherCookies as $h) {
  119. header($h, false);
  120. }
  121. } else {
  122. if (\PHP_VERSION_ID < 70300) {
  123. setcookie($this->sessionName, '', 0, ini_get('session.cookie_path'), ini_get('session.cookie_domain'), filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN), filter_var(ini_get('session.cookie_httponly'), FILTER_VALIDATE_BOOLEAN));
  124. } else {
  125. setcookie($this->sessionName, '',
  126. [
  127. 'expires' => 0,
  128. 'path' => $this->getCookiePath(),
  129. 'domain' => ini_get('session.cookie_domain'),
  130. 'secure' => filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN),
  131. 'httponly' => filter_var(ini_get('session.cookie_httponly'), FILTER_VALIDATE_BOOLEAN),
  132. 'samesite' => $this->getCookieSameSite(),
  133. ]
  134. );
  135. }
  136. }
  137. }
  139. return $this->newSessionId === $sessionId || $this->doDestroy($sessionId);
  140. }
  142. /**
  143. * {@inheritdoc}
  144. */
  145. protected function doDestroy($sessionId)
  146. {
  147. $this->doDestroy = false;
  149. return $this->handler->destroy($sessionId);
  150. }
  152. /**
  153. * {@inheritdoc}
  154. */
  155. public function close()
  156. {
  157. return $this->handler->close();
  158. }
  160. /**
  161. * @return bool
  162. */
  163. public function gc($maxlifetime)
  164. {
  165. return $this->handler->gc($maxlifetime);
  166. }
  168. /**
  169. * @return string
  170. */
  171. public function getCookieSameSite()
  172. {
  173. if ($this->shouldSendSameSiteNone() && \PHP_VERSION_ID >= 70300 && $this->getCookieSecure()) {
  174. return Cookie::SAMESITE_NONE;
  175. }
  177. return '';
  178. }
  180. /**
  181. * @return string
  182. */
  183. public function getCookiePath()
  184. {
  185. $cookiePath = env('ECCUBE_COOKIE_PATH', '/');
  186. if ($this->shouldSendSameSiteNone() && \PHP_VERSION_ID < 70300 && $this->getCookieSecure()) {
  187. return $cookiePath.'; SameSite='.Cookie::SAMESITE_NONE;
  188. }
  190. return $cookiePath;
  191. }
  193. /**
  194. * @return string
  195. */
  196. public function getCookieSecure()
  197. {
  198. $request = Request::createFromGlobals();
  200. return $request->isSecure() ? '1' : '0';
  201. }
  203. /**
  204. * @return bool
  205. */
  206. private function shouldSendSameSiteNone()
  207. {
  208. $userAgent = array_key_exists('HTTP_USER_AGENT', $_SERVER) ? $_SERVER['HTTP_USER_AGENT'] : null;
  210. return SameSite::handle($userAgent);
  211. }
  212. }