src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php line 69

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of EC-CUBE
  5.  *
  6.  * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
  7.  *
  8.  * http://www.ec-cube.co.jp/
  9.  *
  10.  * For the full copyright and license information, please view the LICENSE
  11.  * file that was distributed with this source code.
  12.  */
  14. namespace Eccube\Session\Storage\Handler;
  16. use Skorp\Dissua\SameSite;
  17. use Symfony\Component\HttpFoundation\Cookie;
  18. use Symfony\Component\HttpFoundation\Request;
  19. use Symfony\Component\HttpFoundation\Session\Storage\Handler\StrictSessionHandler;
  21. class SameSiteNoneCompatSessionHandler extends StrictSessionHandler
  22. {
  23.     /** @var \SessionHandlerInterface */
  24.     private $handler;
  25.     /** @var bool */
  26.     private $doDestroy;
  27.     /** @var string */
  28.     private $sessionName;
  29.     /** @var string|null */
  30.     private $prefetchId;
  31.     /** @var string|null */
  32.     private $prefetchData;
  33.     /** @var string */
  34.     private $newSessionId;
  35.     /** @var string|null */
  36.     private $igbinaryEmptyData;
  38.     /**
  39.      *  {@inheritdoc}
  40.      */
  41.     public function __construct(\SessionHandlerInterface $handler)
  42.     {
  43.         $this->handler $handler;
  45.         ini_set('session.cookie_secure'$this->getCookieSecure());
  46.         ini_set('session.cookie_samesite'$this->getCookieSameSite());
  47.         ini_set('session.cookie_path'$this->getCookiePath());
  48.     }
  50.     /**
  51.      * {@inheritdoc}
  52.      */
  53.     public function open($savePath$sessionName)
  54.     {
  55.         $this->sessionName $sessionName;
  56.         // see https://github.com/symfony/symfony/blob/2adc85d49cbe14e346068fa7e9c2e1f08ab31de6/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/AbstractSessionHandler.php#L35-L37
  57.         if (!headers_sent() && !ini_get('session.cache_limiter') && '0' !== ini_get('session.cache_limiter')) {
  58.             header(sprintf('Cache-Control: max-age=%d, private, must-revalidate'60 * (int) ini_get('session.cache_expire')));
  59.         }
  61.         return $this->handler->open($savePath$sessionName);
  62.     }
  64.     /**
  65.      * {@inheritdoc}
  66.      */
  67.     protected function doRead($sessionId)
  68.     {
  69.         return $this->handler->read($sessionId);
  70.     }
  72.     /**
  73.      * {@inheritdoc}
  74.      */
  75.     public function updateTimestamp($sessionId$data)
  76.     {
  77.         return $this->write($sessionId$data);
  78.     }
  80.     /**
  81.      * {@inheritdoc}
  82.      */
  83.     protected function doWrite($sessionId$data)
  84.     {
  85.         return $this->handler->write($sessionId$data);
  86.     }
  88.     /**
  89.      * {@inheritdoc}
  90.      * @see https://github.com/symfony/symfony/blob/2adc85d49cbe14e346068fa7e9c2e1f08ab31de6/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/AbstractSessionHandler.php#L126-L167
  91.      */
  92.     public function destroy($sessionId)
  93.     {
  94.         if (\PHP_VERSION_ID 70000) {
  95.             $this->prefetchData null;
  96.         }
  97.         if (!headers_sent() && filter_var(ini_get('session.use_cookies'), FILTER_VALIDATE_BOOLEAN)) {
  98.             if (!$this->sessionName) {
  99.                 throw new \LogicException(sprintf('Session name cannot be empty, did you forget to call "parent::open()" in "%s"?.', \get_class($this)));
  100.             }
  101.             $sessionCookie sprintf(' %s='urlencode($this->sessionName));
  102.             $sessionCookieWithId sprintf('%s%s;'$sessionCookieurlencode($sessionId));
  103.             $sessionCookieFound false;
  104.             $otherCookies = [];
  105.             foreach (headers_list() as $h) {
  106.                 if (!== stripos($h'Set-Cookie:')) {
  107.                     continue;
  108.                 }
  109.                 if (11 === strpos($h$sessionCookie11)) {
  110.                     $sessionCookieFound true;
  112.                     if (11 !== strpos($h$sessionCookieWithId11)) {
  113.                         $otherCookies[] = $h;
  114.                     }
  115.                 } else {
  116.                     $otherCookies[] = $h;
  117.                 }
  118.             }
  119.             if ($sessionCookieFound) {
  120.                 header_remove('Set-Cookie');
  121.                 foreach ($otherCookies as $h) {
  122.                     header($hfalse);
  123.                 }
  124.             } else {
  125.                 if (\PHP_VERSION_ID 70300) {
  126.                     setcookie($this->sessionName''0ini_get('session.cookie_path'), ini_get('session.cookie_domain'), filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN), filter_var(ini_get('session.cookie_httponly'), FILTER_VALIDATE_BOOLEAN));
  127.                 } else {
  128.                     setcookie($this->sessionName'',
  129.                               [
  130.                                   'expires' => 0,
  131.                                   'path' => $this->getCookiePath(),
  132.                                   'domain' => ini_get('session.cookie_domain'),
  133.                                   'secure' => filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN),
  134.                                   'httponly' => filter_var(ini_get('session.cookie_httponly'), FILTER_VALIDATE_BOOLEAN),
  135.                                   'samesite' => $this->getCookieSameSite(),
  136.                               ]
  137.                     );
  138.                 }
  139.             }
  140.         }
  142.         return $this->newSessionId === $sessionId || $this->doDestroy($sessionId);
  143.     }
  145.     /**
  146.      * {@inheritdoc}
  147.      */
  148.     protected function doDestroy($sessionId)
  149.     {
  150.         $this->doDestroy false;
  152.         return $this->handler->destroy($sessionId);
  153.     }
  155.     /**
  156.      * {@inheritdoc}
  157.      */
  158.     public function close()
  159.     {
  160.         return $this->handler->close();
  161.     }
  163.     /**
  164.      * @return bool
  165.      */
  166.     public function gc($maxlifetime)
  167.     {
  168.         return $this->handler->gc($maxlifetime);
  169.     }
  171.     /**
  172.      * @return string
  173.      */
  174.     public function getCookieSameSite()
  175.     {
  176.         if ($this->shouldSendSameSiteNone() && \PHP_VERSION_ID >= 70300 && $this->getCookieSecure()) {
  177.             return Cookie::SAMESITE_NONE;
  178.         }
  180.         return '';
  181.     }
  183.     /**
  184.      * @return string
  185.      */
  186.     public function getCookiePath()
  187.     {
  188.         $cookiePath env('ECCUBE_COOKIE_PATH''/');
  189.         if ($this->shouldSendSameSiteNone() && \PHP_VERSION_ID 70300 && $this->getCookieSecure()) {
  190.             return $cookiePath.'; SameSite='.Cookie::SAMESITE_NONE;
  191.         }
  193.         return $cookiePath;
  194.     }
  196.     /**
  197.      * @return string
  198.      */
  199.     public function getCookieSecure()
  200.     {
  201.         $request Request::createFromGlobals();
  202.         return $request->isSecure() ? '1' '0';
  203.     }
  205.     /**
  206.      * @return bool
  207.      */
  208.     private function shouldSendSameSiteNone()
  209.     {
  210.         $userAgent array_key_exists('HTTP_USER_AGENT'$_SERVER) ? $_SERVER['HTTP_USER_AGENT'] : null;
  211.         return SameSite::handle($userAgent);
  212.     }
  213. }