From a5e6c8875e0fcd12fdcb1fcc7620b069735415ee Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi <nanasess@fsm.ne.jp>
Date: Fri, 17 Apr 2020 12:18:53 +0900
Subject: [PATCH 1/8] SameSite=None compat

---
 app/config/eccube/packages/framework.yaml     |  3 +-
 app/config/eccube/services.yaml               |  7 ++
 .../SameSiteNoneCompatSessionHandler.php      | 81 +++++++++++++++++++
 3 files changed, 89 insertions(+), 2 deletions(-)
 create mode 100644 src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php

diff --git a/app/config/eccube/packages/framework.yaml b/app/config/eccube/packages/framework.yaml
index 585d4322d42..6145711bcc8 100644
--- a/app/config/eccube/packages/framework.yaml
+++ b/app/config/eccube/packages/framework.yaml
@@ -8,10 +8,9 @@ framework:
     trusted_hosts: ~
     # https://symfony.com/doc/current/reference/configuration/framework.html#handler-id
     session:
-        handler_id: session.handler.native_file
+        handler_id: 'Eccube\Session\Storage\Handler\SameSiteNoneCompatSessionHandler'
         save_path: '%kernel.project_dir%/var/sessions/%kernel.environment%'
         name: '%env(ECCUBE_COOKIE_NAME)%'
-        cookie_path: '%env(ECCUBE_COOKIE_PATH)%'
         cookie_lifetime: '%env(ECCUBE_COOKIE_LIFETIME)%'
         gc_maxlifetime: '%env(ECCUBE_GC_MAXLIFETIME)%'
         cookie_httponly: true
diff --git a/app/config/eccube/services.yaml b/app/config/eccube/services.yaml
index 9d6a5e34c83..1cb1730ce3f 100644
--- a/app/config/eccube/services.yaml
+++ b/app/config/eccube/services.yaml
@@ -171,3 +171,10 @@ services:
         # Symfony\Bridge\Twig\Extension\RoutingExtensionの後に登録するため,
         # autoconfigureはfalseにし, CompilerPassで追加する.
         autoconfigure: false
+
+    native_file_session_handler:
+        class: Symfony\Component\HttpFoundation\Session\Storage\Handler\NativeFileSessionHandler
+
+    Eccube\Session\Storage\Handler\SameSiteNoneCompatSessionHandler:
+        arguments:
+            - '@native_file_session_handler'
diff --git a/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php b/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php
new file mode 100644
index 00000000000..11d575d34f4
--- /dev/null
+++ b/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php
@@ -0,0 +1,81 @@
+<?php
+
+namespace Eccube\Session\Storage\Handler;
+
+use Symfony\Component\HttpFoundation\Session\Storage\Handler\StrictSessionHandler;
+
+class SameSiteNoneCompatSessionHandler extends StrictSessionHandler
+{
+    private $sessionName;
+    private $prefetchId;
+    private $prefetchData;
+    private $newSessionId;
+    private $igbinaryEmptyData;
+
+    public function __construct(\SessionHandlerInterface $handler)
+    {
+        parent::__construct($handler);
+        $this->handler = $handler;
+        // TODO UA や PHP バージョンで分岐する
+        ini_set('session.cookie_path', '/; SameSite=None');
+        ini_set('session.cookie_secure', 1);
+    }
+
+    public function open($savePath, $sessionName)
+    {
+        $this->sessionName = $sessionName;
+        return parent::open($savePath, $sessionName);
+    }
+    public function destroy($sessionId)
+    {
+        if (\PHP_VERSION_ID < 70000) {
+            $this->prefetchData = null;
+        }
+        if (!headers_sent() && filter_var(ini_get('session.use_cookies'), FILTER_VALIDATE_BOOLEAN)) {
+            if (!$this->sessionName) {
+                throw new \LogicException(sprintf('Session name cannot be empty, did you forget to call "parent::open()" in "%s"?.', \get_class($this)));
+            }
+            $sessionCookie = sprintf(' %s=', urlencode($this->sessionName));
+            $sessionCookieWithId = sprintf('%s%s;', $sessionCookie, urlencode($sessionId));
+            $sessionCookieFound = false;
+            $otherCookies = [];
+            foreach (headers_list() as $h) {
+                if (0 !== stripos($h, 'Set-Cookie:')) {
+                    continue;
+                }
+                if (11 === strpos($h, $sessionCookie, 11)) {
+                    $sessionCookieFound = true;
+
+                    if (11 !== strpos($h, $sessionCookieWithId, 11)) {
+                        $otherCookies[] = $h;
+                    }
+                } else {
+                    $otherCookies[] = $h;
+                }
+            }
+            if ($sessionCookieFound) {
+                header_remove('Set-Cookie');
+                foreach ($otherCookies as $h) {
+                    header($h, false);
+                }
+            } else {
+                if (\PHP_VERSION_ID < 70300) {
+                    setcookie($this->sessionName, '', 0, ini_get('session.cookie_path'), ini_get('session.cookie_domain'), filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN), filter_var(ini_get('session.cookie_httponly'), FILTER_VALIDATE_BOOLEAN));
+                } else {
+                    setcookie($this->sessionName, '',
+                              [
+                                  'expires' => 0,
+                                  'path' => '/', // TODO
+                                  'domain' => ini_get('session.cookie_domain'),
+                                  'secure' =>  filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN),
+                                  'httponly' => filter_var(ini_get('session.cookie_httponly'), FILTER_VALIDATE_BOOLEAN),
+                                  'samesite' => 'None' // TODO UA で分岐する
+                              ]
+                    );
+                }
+            }
+        }
+
+        return $this->newSessionId === $sessionId || $this->doDestroy($sessionId);
+    }
+}

From e3bb95b38349d90efe6ed6ca3889c206ae648d77 Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi <nanasess@fsm.ne.jp>
Date: Fri, 17 Apr 2020 15:20:45 +0900
Subject: [PATCH 2/8] =?UTF-8?q?=E3=82=B3=E3=83=A1=E3=83=B3=E3=83=88?=
 =?UTF-8?q?=E8=BF=BD=E5=8A=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../SameSiteNoneCompatSessionHandler.php      | 35 +++++++++++++++++--
 1 file changed, 32 insertions(+), 3 deletions(-)

diff --git a/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php b/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php
index 11d575d34f4..02256a595a5 100644
--- a/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php
+++ b/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php
@@ -1,31 +1,60 @@
 <?php
 
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
 namespace Eccube\Session\Storage\Handler;
 
 use Symfony\Component\HttpFoundation\Session\Storage\Handler\StrictSessionHandler;
 
 class SameSiteNoneCompatSessionHandler extends StrictSessionHandler
 {
+    /** @var \SessionHandlerInterface */
+    private $handler;
+    /** @var string */
     private $sessionName;
+    /** @var string */
     private $prefetchId;
+    /** @var string|null */
     private $prefetchData;
+    /** @var string */
     private $newSessionId;
+    /** @var string|null */
     private $igbinaryEmptyData;
 
+    /**
+     *  {@inheritdoc}
+     */
     public function __construct(\SessionHandlerInterface $handler)
     {
         parent::__construct($handler);
         $this->handler = $handler;
         // TODO UA や PHP バージョンで分岐する
         ini_set('session.cookie_path', '/; SameSite=None');
-        ini_set('session.cookie_secure', 1);
+        ini_set('session.cookie_secure', '1');
     }
 
+    /**
+     * {@inheritdoc}
+     */
     public function open($savePath, $sessionName)
     {
         $this->sessionName = $sessionName;
+
         return parent::open($savePath, $sessionName);
     }
+
+    /**
+     * {@inheritdoc}
+     */
     public function destroy($sessionId)
     {
         if (\PHP_VERSION_ID < 70000) {
@@ -67,9 +96,9 @@ public function destroy($sessionId)
                                   'expires' => 0,
                                   'path' => '/', // TODO
                                   'domain' => ini_get('session.cookie_domain'),
-                                  'secure' =>  filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN),
+                                  'secure' => filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN),
                                   'httponly' => filter_var(ini_get('session.cookie_httponly'), FILTER_VALIDATE_BOOLEAN),
-                                  'samesite' => 'None' // TODO UA で分岐する
+                                  'samesite' => 'None', // TODO UA で分岐する
                               ]
                     );
                 }

From 094004393b490d6017bdf5a8ed023369c1cd6d7e Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi <nanasess@fsm.ne.jp>
Date: Fri, 17 Apr 2020 17:08:33 +0900
Subject: [PATCH 3/8] =?UTF-8?q?SessionHandler=20=E3=81=AE=E3=83=86?=
 =?UTF-8?q?=E3=82=B9=E3=83=88=E3=82=92=E7=A7=BB=E6=A4=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../SameSiteNoneCompatSessionHandler.php      |   8 +-
 .../SameSiteNoneCompatSessionHandlerTest.php  |  56 ++++++
 tests/Fixtures/session/common.php             | 172 ++++++++++++++++++
 .../Fixtures/session/empty_destroys.expected  |  17 ++
 tests/Fixtures/session/empty_destroys.php     |   8 +
 tests/Fixtures/session/read_only.expected     |  14 ++
 tests/Fixtures/session/read_only.php          |   8 +
 tests/Fixtures/session/regenerate.expected    |  24 +++
 tests/Fixtures/session/regenerate.php         |  10 +
 tests/Fixtures/session/ruleset.xml            |  36 ++++
 tests/Fixtures/session/storage.expected       |  20 ++
 tests/Fixtures/session/storage.php            |  24 +++
 tests/Fixtures/session/with_cookie.expected   |  15 ++
 tests/Fixtures/session/with_cookie.php        |   8 +
 .../session/with_cookie_and_session.expected  |  24 +++
 .../session/with_cookie_and_session.php       |  13 ++
 16 files changed, 454 insertions(+), 3 deletions(-)
 create mode 100644 tests/Eccube/Tests/Session/Storage/Handler/SameSiteNoneCompatSessionHandlerTest.php
 create mode 100644 tests/Fixtures/session/common.php
 create mode 100644 tests/Fixtures/session/empty_destroys.expected
 create mode 100644 tests/Fixtures/session/empty_destroys.php
 create mode 100644 tests/Fixtures/session/read_only.expected
 create mode 100644 tests/Fixtures/session/read_only.php
 create mode 100644 tests/Fixtures/session/regenerate.expected
 create mode 100644 tests/Fixtures/session/regenerate.php
 create mode 100644 tests/Fixtures/session/ruleset.xml
 create mode 100644 tests/Fixtures/session/storage.expected
 create mode 100644 tests/Fixtures/session/storage.php
 create mode 100644 tests/Fixtures/session/with_cookie.expected
 create mode 100644 tests/Fixtures/session/with_cookie.php
 create mode 100644 tests/Fixtures/session/with_cookie_and_session.expected
 create mode 100644 tests/Fixtures/session/with_cookie_and_session.php

diff --git a/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php b/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php
index 02256a595a5..bbca4384d0b 100644
--- a/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php
+++ b/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php
@@ -35,7 +35,6 @@ class SameSiteNoneCompatSessionHandler extends StrictSessionHandler
      */
     public function __construct(\SessionHandlerInterface $handler)
     {
-        parent::__construct($handler);
         $this->handler = $handler;
         // TODO UA や PHP バージョンで分岐する
         ini_set('session.cookie_path', '/; SameSite=None');
@@ -48,8 +47,11 @@ public function __construct(\SessionHandlerInterface $handler)
     public function open($savePath, $sessionName)
     {
         $this->sessionName = $sessionName;
-
-        return parent::open($savePath, $sessionName);
+        // see https://github.com/symfony/symfony/blob/f46e6cb8a086d0c44502cf35e699a1aa0044b11c/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/AbstractSessionHandler.php#L37-L39
+        if (!headers_sent() && !ini_get('session.cache_limiter') && '0' !== ini_get('session.cache_limiter')) {
+            header(sprintf('Cache-Control: max-age=%d, private, must-revalidate', 60 * (int) ini_get('session.cache_expire')));
+        }
+        return $this->handler->open($savePath, $sessionName);
     }
 
     /**
diff --git a/tests/Eccube/Tests/Session/Storage/Handler/SameSiteNoneCompatSessionHandlerTest.php b/tests/Eccube/Tests/Session/Storage/Handler/SameSiteNoneCompatSessionHandlerTest.php
new file mode 100644
index 00000000000..5c3bc935698
--- /dev/null
+++ b/tests/Eccube/Tests/Session/Storage/Handler/SameSiteNoneCompatSessionHandlerTest.php
@@ -0,0 +1,56 @@
+<?php
+
+namespace Symfony\Component\HttpFoundation\Tests\Session\Storage\Handler;
+
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @requires PHP 7.0
+ * @see https://github.com/symfony/symfony/blob/3.4/src/Symfony/Component/HttpFoundation/Tests/Session/Storage/Handler/AbstractSessionHandlerTest.php
+ */
+class SameSiteNoneCompatSessionHandlerTest extends TestCase
+{
+    private static $server;
+    const FIXTURES_DIR = __DIR__.'/../../../../../Fixtures/session';
+
+    public static function setUpBeforeClass()
+    {
+        $spec = [
+            1 => ['file', '/dev/null', 'w'],
+            2 => ['file', '/dev/null', 'w'],
+        ];
+        if (!self::$server = @proc_open('exec php -S localhost:8053', $spec, $pipes, self::FIXTURES_DIR)) {
+            self::markTestSkipped('PHP server unable to start.');
+        }
+        sleep(1);
+    }
+
+    public static function tearDownAfterClass()
+    {
+        if (self::$server) {
+            proc_terminate(self::$server);
+            proc_close(self::$server);
+        }
+    }
+
+    /**
+     * @dataProvider provideSession
+     */
+    public function testSession($fixture)
+    {
+        $context = ['http' => ['header' => "Cookie: sid=123abc\r\n"]];
+        $context = stream_context_create($context);
+        $result = file_get_contents(sprintf('http://localhost:8053/%s.php', $fixture), false, $context);
+
+        $this->assertStringEqualsFile(sprintf(self::FIXTURES_DIR.'/%s.expected', $fixture), $result);
+    }
+
+    public function provideSession()
+    {
+        foreach (glob(self::FIXTURES_DIR.'/*.php') as $file) {
+            $name = pathinfo($file, PATHINFO_FILENAME);
+            if ($name == 'common') continue;
+            yield [$name];
+        }
+    }
+}
diff --git a/tests/Fixtures/session/common.php b/tests/Fixtures/session/common.php
new file mode 100644
index 00000000000..d461e792efe
--- /dev/null
+++ b/tests/Fixtures/session/common.php
@@ -0,0 +1,172 @@
+<?php
+
+use Eccube\Session\Storage\Handler\SameSiteNoneCompatSessionHandler;
+
+$parent = __DIR__;
+while (!@file_exists($parent.'/vendor/autoload.php')) {
+    if (!@file_exists($parent)) {
+        // open_basedir restriction in effect
+        break;
+    }
+    if ($parent === dirname($parent)) {
+        echo "vendor/autoload.php not found\n";
+        exit(1);
+    }
+
+    $parent = dirname($parent);
+}
+
+require $parent.'/vendor/autoload.php';
+
+error_reporting(-1);
+ini_set('html_errors', 0);
+ini_set('display_errors', 1);
+ini_set('session.gc_probability', 0);
+ini_set('session.serialize_handler', 'php');
+ini_set('session.cookie_lifetime', 0);
+ini_set('session.cookie_domain', '');
+ini_set('session.cookie_secure', '');
+ini_set('session.cookie_httponly', '');
+ini_set('session.use_cookies', 1);
+ini_set('session.use_only_cookies', 1);
+ini_set('session.cache_expire', 180);
+ini_set('session.cookie_path', '/');
+ini_set('session.cookie_domain', '');
+ini_set('session.cookie_secure', 1);
+ini_set('session.cookie_httponly', 1);
+ini_set('session.use_strict_mode', 1);
+ini_set('session.lazy_write', 1);
+ini_set('session.name', 'sid');
+ini_set('session.save_path', __DIR__);
+ini_set('session.cache_limiter', '');
+
+header_remove('X-Powered-By');
+header('Content-Type: text/plain; charset=utf-8');
+
+register_shutdown_function(function () {
+    echo "\n";
+    session_write_close();
+    print_r(headers_list());
+    echo "shutdown\n";
+});
+ob_start();
+
+class MockSessionHandler extends \SessionHandler
+{
+    private $data;
+
+    public function __construct($data = null)
+    {
+        $this->data = $data;
+    }
+
+    public function getData()
+    {
+        return $this->data;
+    }
+
+    public function open($path, $name)
+    {
+        return parent::open($path, $name);
+    }
+}
+class TestSessionHandler extends SameSiteNoneCompatSessionHandler
+{
+    private $handler;
+    private $data;
+
+    public function __construct(\SessionHandlerInterface $handler)
+    {
+        parent::__construct($handler);
+        $this->data = $handler->getData();
+    }
+
+    public function open($path, $name)
+    {
+        echo __FUNCTION__, "\n";
+
+        return parent::open($path, $name);
+    }
+
+    public function validateId($sessionId)
+    {
+        echo __FUNCTION__, "\n";
+
+        return parent::validateId($sessionId);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function read($sessionId)
+    {
+        echo __FUNCTION__, "\n";
+
+        return parent::read($sessionId);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function updateTimestamp($sessionId, $data)
+    {
+        echo __FUNCTION__, "\n";
+
+        return true;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function write($sessionId, $data)
+    {
+        echo __FUNCTION__, "\n";
+
+        return parent::write($sessionId, $data);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function destroy($sessionId)
+    {
+        echo __FUNCTION__, "\n";
+
+        return parent::destroy($sessionId);
+    }
+
+    public function close()
+    {
+        echo __FUNCTION__, "\n";
+
+        return true;
+    }
+
+    public function gc($maxLifetime)
+    {
+        echo __FUNCTION__, "\n";
+
+        return true;
+    }
+
+    protected function doRead($sessionId)
+    {
+        echo __FUNCTION__.': ', $this->data, "\n";
+
+        return $this->data;
+    }
+
+    protected function doWrite($sessionId, $data)
+    {
+        echo __FUNCTION__.': ', $data, "\n";
+
+        return true;
+    }
+
+    protected function doDestroy($sessionId)
+    {
+        echo __FUNCTION__, "\n";
+
+        return true;
+    }
+}
diff --git a/tests/Fixtures/session/empty_destroys.expected b/tests/Fixtures/session/empty_destroys.expected
new file mode 100644
index 00000000000..82037147407
--- /dev/null
+++ b/tests/Fixtures/session/empty_destroys.expected
@@ -0,0 +1,17 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+
+write
+destroy
+doDestroy
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+    [2] => Set-Cookie: sid=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly
+)
+shutdown
diff --git a/tests/Fixtures/session/empty_destroys.php b/tests/Fixtures/session/empty_destroys.php
new file mode 100644
index 00000000000..beee69fa811
--- /dev/null
+++ b/tests/Fixtures/session/empty_destroys.php
@@ -0,0 +1,8 @@
+<?php
+
+require __DIR__.'/common.php';
+
+session_set_save_handler(new TestSessionHandler(new MockSessionHandler('abc|i:123;')), false);
+session_start();
+
+unset($_SESSION['abc']);
diff --git a/tests/Fixtures/session/read_only.expected b/tests/Fixtures/session/read_only.expected
new file mode 100644
index 00000000000..587adaf158b
--- /dev/null
+++ b/tests/Fixtures/session/read_only.expected
@@ -0,0 +1,14 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+123
+updateTimestamp
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+)
+shutdown
diff --git a/tests/Fixtures/session/read_only.php b/tests/Fixtures/session/read_only.php
new file mode 100644
index 00000000000..ceb00478d60
--- /dev/null
+++ b/tests/Fixtures/session/read_only.php
@@ -0,0 +1,8 @@
+<?php
+
+require __DIR__.'/common.php';
+
+session_set_save_handler(new TestSessionHandler(new MockSessionHandler('abc|i:123;')), false);
+session_start();
+
+echo $_SESSION['abc'];
diff --git a/tests/Fixtures/session/regenerate.expected b/tests/Fixtures/session/regenerate.expected
new file mode 100644
index 00000000000..baa5f2f6f5c
--- /dev/null
+++ b/tests/Fixtures/session/regenerate.expected
@@ -0,0 +1,24 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+destroy
+doDestroy
+close
+open
+validateId
+read
+doRead: abc|i:123;
+read
+
+write
+doWrite: abc|i:123;
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+    [2] => Set-Cookie: sid=random_session_id; path=/; secure; HttpOnly
+)
+shutdown
diff --git a/tests/Fixtures/session/regenerate.php b/tests/Fixtures/session/regenerate.php
new file mode 100644
index 00000000000..115f011cc62
--- /dev/null
+++ b/tests/Fixtures/session/regenerate.php
@@ -0,0 +1,10 @@
+<?php
+
+require __DIR__.'/common.php';
+
+session_set_save_handler(new TestSessionHandler(new MockSessionHandler('abc|i:123;')), false);
+session_start();
+
+session_regenerate_id(true);
+
+ob_start(function ($buffer) { return str_replace(session_id(), 'random_session_id', $buffer); });
diff --git a/tests/Fixtures/session/ruleset.xml b/tests/Fixtures/session/ruleset.xml
new file mode 100644
index 00000000000..7e219bf1b0d
--- /dev/null
+++ b/tests/Fixtures/session/ruleset.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0"?>
+<ruleset name="Sample">
+ <description>A sample coding standard</description>
+
+ <!-- Include all sniffs in the PEAR standard -->
+ <rule ref="Zend">
+   <exclude name="Generic.Functions.OpeningFunctionBraceBsdAllman.BraceOnSameLine"/>
+   <exclude name="Zend.NamingConventions.ValidVariableName.NotCamelCaps"/>
+   <exclude name="PEAR.Classes.ClassDeclaration.OpenBraceNewLine"/>
+ </rule>
+
+ <!-- Include some specific sniffs -->
+ <rule ref="Generic.ControlStructures.InlineControlStructure"/>
+ <rule ref="Generic.Functions.FunctionCallArgumentSpacing"/>
+
+ <!-- Change the settings of the Line Length sniff -->
+ <rule ref="Generic.Files.LineLength">
+  <properties>
+   <property name="lineLimit" value="120"/>
+   <property name="absoluteLineLimit" value="0"/>
+  </properties>
+ </rule>
+
+  <!-- Change both Line Length messages -->
+ <rule ref="Generic.Files.LineLength.MaxExceeded">
+  <message>Line longer than the max of %s; has %s chars</message>
+ </rule>
+ <rule ref="Generic.Files.LineLength.TooLong">
+  <message>Line longer than %s chars; has %s chars</message>
+ </rule>
+
+ <!-- Disable internal message for missing code and short open tags -->
+ <rule ref="Internal.NoCodeFound">
+  <severity>0</severity>
+ </rule>
+</ruleset>
diff --git a/tests/Fixtures/session/storage.expected b/tests/Fixtures/session/storage.expected
new file mode 100644
index 00000000000..4533a10a1f7
--- /dev/null
+++ b/tests/Fixtures/session/storage.expected
@@ -0,0 +1,20 @@
+open
+validateId
+read
+doRead: 
+read
+Array
+(
+    [0] => bar
+)
+$_SESSION is not empty
+write
+destroy
+close
+$_SESSION is not empty
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=0, private, must-revalidate
+)
+shutdown
diff --git a/tests/Fixtures/session/storage.php b/tests/Fixtures/session/storage.php
new file mode 100644
index 00000000000..adb04bb0fc2
--- /dev/null
+++ b/tests/Fixtures/session/storage.php
@@ -0,0 +1,24 @@
+<?php
+
+require __DIR__.'/common.php';
+
+use Symfony\Component\HttpFoundation\Session\Flash\FlashBag;
+use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;
+
+$storage = new NativeSessionStorage();
+$storage->setSaveHandler(new TestSessionHandler(new MockSessionHandler()));
+$flash = new FlashBag();
+$storage->registerBag($flash);
+$storage->start();
+
+$flash->add('foo', 'bar');
+
+print_r($flash->get('foo'));
+echo empty($_SESSION) ? '$_SESSION is empty' : '$_SESSION is not empty';
+echo "\n";
+
+$storage->save();
+
+echo empty($_SESSION) ? '$_SESSION is empty' : '$_SESSION is not empty';
+
+ob_start(function ($buffer) { return str_replace(session_id(), 'random_session_id', $buffer); });
diff --git a/tests/Fixtures/session/with_cookie.expected b/tests/Fixtures/session/with_cookie.expected
new file mode 100644
index 00000000000..33da0a5be6e
--- /dev/null
+++ b/tests/Fixtures/session/with_cookie.expected
@@ -0,0 +1,15 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+
+updateTimestamp
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+    [2] => Set-Cookie: abc=def
+)
+shutdown
diff --git a/tests/Fixtures/session/with_cookie.php b/tests/Fixtures/session/with_cookie.php
new file mode 100644
index 00000000000..14cda048f00
--- /dev/null
+++ b/tests/Fixtures/session/with_cookie.php
@@ -0,0 +1,8 @@
+<?php
+
+require __DIR__.'/common.php';
+
+session_set_save_handler(new TestSessionHandler(new MockSessionHandler('abc|i:123;')), false);
+session_start();
+
+setcookie('abc', 'def');
diff --git a/tests/Fixtures/session/with_cookie_and_session.expected b/tests/Fixtures/session/with_cookie_and_session.expected
new file mode 100644
index 00000000000..5de2d9e3904
--- /dev/null
+++ b/tests/Fixtures/session/with_cookie_and_session.expected
@@ -0,0 +1,24 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+updateTimestamp
+close
+open
+validateId
+read
+doRead: abc|i:123;
+read
+
+write
+destroy
+doDestroy
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+    [2] => Set-Cookie: abc=def
+)
+shutdown
diff --git a/tests/Fixtures/session/with_cookie_and_session.php b/tests/Fixtures/session/with_cookie_and_session.php
new file mode 100644
index 00000000000..b4cbc4fad65
--- /dev/null
+++ b/tests/Fixtures/session/with_cookie_and_session.php
@@ -0,0 +1,13 @@
+<?php
+
+require __DIR__.'/common.php';
+
+setcookie('abc', 'def');
+
+session_set_save_handler(new TestSessionHandler(new MockSessionHandler('abc|i:123;')), false);
+session_start();
+session_write_close();
+session_start();
+
+$_SESSION['abc'] = 234;
+unset($_SESSION['abc']);

From 5476a217140a0815700556c3a791e5f5108ff0f6 Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi <nanasess@fsm.ne.jp>
Date: Fri, 17 Apr 2020 18:49:22 +0900
Subject: [PATCH 4/8] =?UTF-8?q?=E3=83=86=E3=82=B9=E3=83=88=E3=81=8C?=
 =?UTF-8?q?=E5=8B=95=E4=BD=9C=E3=81=99=E3=82=8B=E3=82=88=E3=81=86=E4=BF=AE?=
 =?UTF-8?q?=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../SameSiteNoneCompatSessionHandler.php      | 54 ++++++++++++++++++-
 .../SameSiteNoneCompatSessionHandlerTest.php  | 21 ++++++--
 2 files changed, 71 insertions(+), 4 deletions(-)

diff --git a/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php b/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php
index bbca4384d0b..4e4b6f4c273 100644
--- a/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php
+++ b/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php
@@ -19,9 +19,11 @@ class SameSiteNoneCompatSessionHandler extends StrictSessionHandler
 {
     /** @var \SessionHandlerInterface */
     private $handler;
+    /** @var bool */
+    private $doDestroy;
     /** @var string */
     private $sessionName;
-    /** @var string */
+    /** @var string|null */
     private $prefetchId;
     /** @var string|null */
     private $prefetchData;
@@ -54,6 +56,30 @@ public function open($savePath, $sessionName)
         return $this->handler->open($savePath, $sessionName);
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    protected function doRead($sessionId)
+    {
+        return $this->handler->read($sessionId);
+    }
+
+        /**
+     * {@inheritdoc}
+     */
+    public function updateTimestamp($sessionId, $data)
+    {
+        return $this->write($sessionId, $data);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function doWrite($sessionId, $data)
+    {
+        return $this->handler->write($sessionId, $data);
+    }
+
     /**
      * {@inheritdoc}
      */
@@ -109,4 +135,30 @@ public function destroy($sessionId)
 
         return $this->newSessionId === $sessionId || $this->doDestroy($sessionId);
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function doDestroy($sessionId)
+    {
+        $this->doDestroy = false;
+
+        return $this->handler->destroy($sessionId);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function close()
+    {
+        return $this->handler->close();
+    }
+
+    /**
+     * @return bool
+     */
+    public function gc($maxlifetime)
+    {
+        return $this->handler->gc($maxlifetime);
+    }
 }
diff --git a/tests/Eccube/Tests/Session/Storage/Handler/SameSiteNoneCompatSessionHandlerTest.php b/tests/Eccube/Tests/Session/Storage/Handler/SameSiteNoneCompatSessionHandlerTest.php
index 5c3bc935698..15e7277fe96 100644
--- a/tests/Eccube/Tests/Session/Storage/Handler/SameSiteNoneCompatSessionHandlerTest.php
+++ b/tests/Eccube/Tests/Session/Storage/Handler/SameSiteNoneCompatSessionHandlerTest.php
@@ -36,9 +36,14 @@ public static function tearDownAfterClass()
     /**
      * @dataProvider provideSession
      */
-    public function testSession($fixture)
+    public function testSession($fixture, $user_agent)
     {
-        $context = ['http' => ['header' => "Cookie: sid=123abc\r\n"]];
+        $context = [
+            'http' => [
+                'header' => "Cookie: sid=123abc\r\n",
+                'user_agent' => $user_agent
+            ]
+        ];
         $context = stream_context_create($context);
         $result = file_get_contents(sprintf('http://localhost:8053/%s.php', $fixture), false, $context);
 
@@ -47,10 +52,20 @@ public function testSession($fixture)
 
     public function provideSession()
     {
+        $userAgents = [
+            'Mozilla/5.0 (iPhone; CPU iPhone OS 13_1_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Mobile/15E148 Safari/604.1',
+        ];
+
         foreach (glob(self::FIXTURES_DIR.'/*.php') as $file) {
             $name = pathinfo($file, PATHINFO_FILENAME);
             if ($name == 'common') continue;
-            yield [$name];
+            if ($name == 'storage') {
+                // TODO Mock が動作しないためスキップ
+                continue;
+            }
+            foreach ($userAgents as $user_agent) {
+                yield [$name, $user_agent];
+            }
         }
     }
 }

From 22009b27d0e65e85c4aa07b63d1993e0e79b8f1b Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi <nanasess@fsm.ne.jp>
Date: Tue, 21 Apr 2020 12:43:26 +0900
Subject: [PATCH 5/8] =?UTF-8?q?UA=20=E3=81=A8=20PHP=E3=83=90=E3=83=BC?=
 =?UTF-8?q?=E3=82=B8=E3=83=A7=E3=83=B3,=20SSL=E6=9C=89=E7=84=A1=E3=81=A7?=
 =?UTF-8?q?=20Coookie=20=E3=81=AE=E3=83=91=E3=83=A9=E3=83=A1=E3=83=BC?=
 =?UTF-8?q?=E3=82=BF=E3=82=92=E5=88=B6=E5=BE=A1=E3=81=99=E3=82=8B=E3=82=88?=
 =?UTF-8?q?=E3=81=86=E4=BF=AE=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../SameSiteNoneCompatSessionHandler.php      | 60 +++++++++++++++++--
 .../SameSiteNoneCompatSessionHandlerTest.php  | 46 ++++++++++++--
 tests/Fixtures/session/common.php             |  9 +++
 .../Fixtures/session/empty_destroys.expected  |  2 +-
 .../empty_destroys.samesite-compat.expected   | 17 ++++++
 .../session/empty_destroys.samesite.expected  | 17 ++++++
 .../session/empty_destroys.secure.expected    | 17 ++++++
 .../read_only.samesite-compat.expected        | 14 +++++
 .../session/read_only.samesite.expected       | 14 +++++
 .../session/read_only.secure.expected         | 14 +++++
 tests/Fixtures/session/regenerate.expected    |  2 +-
 .../regenerate.samesite-compat.expected       | 24 ++++++++
 .../session/regenerate.samesite.expected      | 24 ++++++++
 .../session/regenerate.secure.expected        | 24 ++++++++
 .../session/storage.samesite-compat.expected  | 20 +++++++
 .../session/storage.samesite.expected         | 20 +++++++
 .../Fixtures/session/storage.secure.expected  | 20 +++++++
 .../with_cookie.samesite-compat.expected      | 15 +++++
 .../session/with_cookie.samesite.expected     | 15 +++++
 .../session/with_cookie.secure.expected       | 15 +++++
 ...ookie_and_session.samesite-compat.expected | 24 ++++++++
 .../with_cookie_and_session.samesite.expected | 24 ++++++++
 .../with_cookie_and_session.secure.expected   | 24 ++++++++
 23 files changed, 449 insertions(+), 12 deletions(-)
 create mode 100644 tests/Fixtures/session/empty_destroys.samesite-compat.expected
 create mode 100644 tests/Fixtures/session/empty_destroys.samesite.expected
 create mode 100644 tests/Fixtures/session/empty_destroys.secure.expected
 create mode 100644 tests/Fixtures/session/read_only.samesite-compat.expected
 create mode 100644 tests/Fixtures/session/read_only.samesite.expected
 create mode 100644 tests/Fixtures/session/read_only.secure.expected
 create mode 100644 tests/Fixtures/session/regenerate.samesite-compat.expected
 create mode 100644 tests/Fixtures/session/regenerate.samesite.expected
 create mode 100644 tests/Fixtures/session/regenerate.secure.expected
 create mode 100644 tests/Fixtures/session/storage.samesite-compat.expected
 create mode 100644 tests/Fixtures/session/storage.samesite.expected
 create mode 100644 tests/Fixtures/session/storage.secure.expected
 create mode 100644 tests/Fixtures/session/with_cookie.samesite-compat.expected
 create mode 100644 tests/Fixtures/session/with_cookie.samesite.expected
 create mode 100644 tests/Fixtures/session/with_cookie.secure.expected
 create mode 100644 tests/Fixtures/session/with_cookie_and_session.samesite-compat.expected
 create mode 100644 tests/Fixtures/session/with_cookie_and_session.samesite.expected
 create mode 100644 tests/Fixtures/session/with_cookie_and_session.secure.expected

diff --git a/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php b/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php
index 4e4b6f4c273..89fad8a7c0c 100644
--- a/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php
+++ b/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php
@@ -13,6 +13,9 @@
 
 namespace Eccube\Session\Storage\Handler;
 
+use Skorp\Dissua\SameSite;
+use Symfony\Component\HttpFoundation\Cookie;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Session\Storage\Handler\StrictSessionHandler;
 
 class SameSiteNoneCompatSessionHandler extends StrictSessionHandler
@@ -38,9 +41,10 @@ class SameSiteNoneCompatSessionHandler extends StrictSessionHandler
     public function __construct(\SessionHandlerInterface $handler)
     {
         $this->handler = $handler;
-        // TODO UA や PHP バージョンで分岐する
-        ini_set('session.cookie_path', '/; SameSite=None');
-        ini_set('session.cookie_secure', '1');
+
+        ini_set('session.cookie_secure', $this->getCookieSecure());
+        ini_set('session.cookie_samesite', $this->getCookieSameSite());
+        ini_set('session.cookie_path', $this->getCookiePath());
     }
 
     /**
@@ -49,10 +53,11 @@ public function __construct(\SessionHandlerInterface $handler)
     public function open($savePath, $sessionName)
     {
         $this->sessionName = $sessionName;
-        // see https://github.com/symfony/symfony/blob/f46e6cb8a086d0c44502cf35e699a1aa0044b11c/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/AbstractSessionHandler.php#L37-L39
+        // see https://github.com/symfony/symfony/blob/2adc85d49cbe14e346068fa7e9c2e1f08ab31de6/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/AbstractSessionHandler.php#L35-L37
         if (!headers_sent() && !ini_get('session.cache_limiter') && '0' !== ini_get('session.cache_limiter')) {
             header(sprintf('Cache-Control: max-age=%d, private, must-revalidate', 60 * (int) ini_get('session.cache_expire')));
         }
+
         return $this->handler->open($savePath, $sessionName);
     }
 
@@ -82,6 +87,7 @@ protected function doWrite($sessionId, $data)
 
     /**
      * {@inheritdoc}
+     * @see https://github.com/symfony/symfony/blob/2adc85d49cbe14e346068fa7e9c2e1f08ab31de6/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/AbstractSessionHandler.php#L126-L167
      */
     public function destroy($sessionId)
     {
@@ -122,11 +128,11 @@ public function destroy($sessionId)
                     setcookie($this->sessionName, '',
                               [
                                   'expires' => 0,
-                                  'path' => '/', // TODO
+                                  'path' => $this->getCookiePath(),
                                   'domain' => ini_get('session.cookie_domain'),
                                   'secure' => filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN),
                                   'httponly' => filter_var(ini_get('session.cookie_httponly'), FILTER_VALIDATE_BOOLEAN),
-                                  'samesite' => 'None', // TODO UA で分岐する
+                                  'samesite' => $this->getCookieSameSite(),
                               ]
                     );
                 }
@@ -161,4 +167,46 @@ public function gc($maxlifetime)
     {
         return $this->handler->gc($maxlifetime);
     }
+
+    /**
+     * @return string
+     */
+    public function getCookieSameSite()
+    {
+        if ($this->shouldSendSameSiteNone() && \PHP_VERSION_ID >= 70300 && $this->getCookieSecure()) {
+            return Cookie::SAMESITE_NONE;
+        }
+
+        return '';
+    }
+
+    /**
+     * @return string
+     */
+    public function getCookiePath()
+    {
+        $cookiePath = env('ECCUBE_COOKIE_PATH', '/');
+        if ($this->shouldSendSameSiteNone() && \PHP_VERSION_ID < 70300 && $this->getCookieSecure()) {
+            return $cookiePath.'; SameSite='.Cookie::SAMESITE_NONE;
+        }
+
+        return $cookiePath;
+    }
+
+    /**
+     * @return string
+     */
+    public function getCookieSecure()
+    {
+        $request = Request::createFromGlobals();
+        return $request->isSecure() ? '1' : '0';
+    }
+
+    /**
+     * @return bool
+     */
+    private function shouldSendSameSiteNone()
+    {
+        return SameSite::handle($_SERVER['HTTP_USER_AGENT']);
+    }
 }
diff --git a/tests/Eccube/Tests/Session/Storage/Handler/SameSiteNoneCompatSessionHandlerTest.php b/tests/Eccube/Tests/Session/Storage/Handler/SameSiteNoneCompatSessionHandlerTest.php
index 15e7277fe96..6f6cb120f35 100644
--- a/tests/Eccube/Tests/Session/Storage/Handler/SameSiteNoneCompatSessionHandlerTest.php
+++ b/tests/Eccube/Tests/Session/Storage/Handler/SameSiteNoneCompatSessionHandlerTest.php
@@ -36,7 +36,34 @@ public static function tearDownAfterClass()
     /**
      * @dataProvider provideSession
      */
-    public function testSession($fixture, $user_agent)
+    public function testSecureSession($fixture, $user_agent, $shouldSendSameSiteNone)
+    {
+        $context = [
+            'http' => [
+                'header' => "Cookie: sid=123abc\r\nX-Forwarded-proto: https",
+                'user_agent' => $user_agent
+            ]
+        ];
+        $context = stream_context_create($context);
+        $result = file_get_contents(sprintf('http://localhost:8053/%s.php', $fixture), false, $context);
+
+        if ($shouldSendSameSiteNone) {
+            if (PHP_VERSION_ID < 70300) {
+                // PHP7.3未満は互換用 cookie
+                $this->assertStringEqualsFile(sprintf(self::FIXTURES_DIR.'/%s.samesite-compat.expected', $fixture), $result);
+            } else {
+                $this->assertStringEqualsFile(sprintf(self::FIXTURES_DIR.'/%s.samesite.expected', $fixture), $result);
+            }
+        } else {
+            $this->assertStringEqualsFile(sprintf(self::FIXTURES_DIR.'/%s.secure.expected', $fixture), $result);
+        }
+    }
+
+    /**
+     * Secure 属性が付与されない場合は, SameSite 属性も付与されない(ブラウザのデフォルト値)
+     * @dataProvider provideSession
+     */
+    public function testNonSecureSession($fixture, $user_agent, $shouldSendSameSiteNone)
     {
         $context = [
             'http' => [
@@ -50,10 +77,21 @@ public function testSession($fixture, $user_agent)
         $this->assertStringEqualsFile(sprintf(self::FIXTURES_DIR.'/%s.expected', $fixture), $result);
     }
 
+    /**
+     * @see https://github.com/skorp/detect-incompatible-samesite-useragents/blob/master/tests/UserAgents.php
+     */
     public function provideSession()
     {
         $userAgents = [
-            'Mozilla/5.0 (iPhone; CPU iPhone OS 13_1_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Mobile/15E148 Safari/604.1',
+            'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130' => true,
+            'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.3945.130' => false,
+            'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3945.130' => false,
+            'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15' => false,
+            'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15' => true,
+            'Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 EdgiOS/44.8.0 Mobile/15E148 Safari/605.1.15' => false,
+            'Mozilla/5.0 (iPhone; CPU iPhone OS 13_1_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Mobile/15E148 Safari/604.1' => true,
+            'Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SM-T210R Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 UCBrowser/2.3.2.300' => false,
+            'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3) AppleWebKit/534.31 (KHTML, like Gecko) Chrome/17.0.558.0 Safari/534.31 UCBrowser/3.0.0.357' => false,
         ];
 
         foreach (glob(self::FIXTURES_DIR.'/*.php') as $file) {
@@ -63,8 +101,8 @@ public function provideSession()
                 // TODO Mock が動作しないためスキップ
                 continue;
             }
-            foreach ($userAgents as $user_agent) {
-                yield [$name, $user_agent];
+            foreach ($userAgents as $user_agent => $shouldSendSameSiteNone) {
+                yield [$name, $user_agent, $shouldSendSameSiteNone];
             }
         }
     }
diff --git a/tests/Fixtures/session/common.php b/tests/Fixtures/session/common.php
index d461e792efe..a9d196779da 100644
--- a/tests/Fixtures/session/common.php
+++ b/tests/Fixtures/session/common.php
@@ -1,6 +1,8 @@
 <?php
 
+use Dotenv\Dotenv;
 use Eccube\Session\Storage\Handler\SameSiteNoneCompatSessionHandler;
+use Symfony\Component\HttpFoundation\Request;
 
 $parent = __DIR__;
 while (!@file_exists($parent.'/vendor/autoload.php')) {
@@ -17,6 +19,13 @@
 }
 
 require $parent.'/vendor/autoload.php';
+if (file_exists($parent.'/.env')) {
+    (new Dotenv($parent))->overload();
+}
+
+Request::setTrustedProxies(['127.0.0.1', '::1', 'REMOTE_ADDR'], Request::HEADER_X_FORWARDED_ALL ^ Request::HEADER_X_FORWARDED_HOST);
+Request::setTrustedHosts(['127.0.0.1', '::1']);
+Request::createFromGlobals();
 
 error_reporting(-1);
 ini_set('html_errors', 0);
diff --git a/tests/Fixtures/session/empty_destroys.expected b/tests/Fixtures/session/empty_destroys.expected
index 82037147407..c01fffbce23 100644
--- a/tests/Fixtures/session/empty_destroys.expected
+++ b/tests/Fixtures/session/empty_destroys.expected
@@ -12,6 +12,6 @@ Array
 (
     [0] => Content-Type: text/plain; charset=utf-8
     [1] => Cache-Control: max-age=10800, private, must-revalidate
-    [2] => Set-Cookie: sid=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly
+    [2] => Set-Cookie: sid=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; HttpOnly
 )
 shutdown
diff --git a/tests/Fixtures/session/empty_destroys.samesite-compat.expected b/tests/Fixtures/session/empty_destroys.samesite-compat.expected
new file mode 100644
index 00000000000..f189df44dcd
--- /dev/null
+++ b/tests/Fixtures/session/empty_destroys.samesite-compat.expected
@@ -0,0 +1,17 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+
+write
+destroy
+doDestroy
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+    [2] => Set-Cookie: sid=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; SameSite=none; secure; HttpOnly
+)
+shutdown
diff --git a/tests/Fixtures/session/empty_destroys.samesite.expected b/tests/Fixtures/session/empty_destroys.samesite.expected
new file mode 100644
index 00000000000..6cbe3fbf38f
--- /dev/null
+++ b/tests/Fixtures/session/empty_destroys.samesite.expected
@@ -0,0 +1,17 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+
+write
+destroy
+doDestroy
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+    [2] => Set-Cookie: sid=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly; SameSite=none
+)
+shutdown
diff --git a/tests/Fixtures/session/empty_destroys.secure.expected b/tests/Fixtures/session/empty_destroys.secure.expected
new file mode 100644
index 00000000000..82037147407
--- /dev/null
+++ b/tests/Fixtures/session/empty_destroys.secure.expected
@@ -0,0 +1,17 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+
+write
+destroy
+doDestroy
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+    [2] => Set-Cookie: sid=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; HttpOnly
+)
+shutdown
diff --git a/tests/Fixtures/session/read_only.samesite-compat.expected b/tests/Fixtures/session/read_only.samesite-compat.expected
new file mode 100644
index 00000000000..587adaf158b
--- /dev/null
+++ b/tests/Fixtures/session/read_only.samesite-compat.expected
@@ -0,0 +1,14 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+123
+updateTimestamp
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+)
+shutdown
diff --git a/tests/Fixtures/session/read_only.samesite.expected b/tests/Fixtures/session/read_only.samesite.expected
new file mode 100644
index 00000000000..587adaf158b
--- /dev/null
+++ b/tests/Fixtures/session/read_only.samesite.expected
@@ -0,0 +1,14 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+123
+updateTimestamp
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+)
+shutdown
diff --git a/tests/Fixtures/session/read_only.secure.expected b/tests/Fixtures/session/read_only.secure.expected
new file mode 100644
index 00000000000..587adaf158b
--- /dev/null
+++ b/tests/Fixtures/session/read_only.secure.expected
@@ -0,0 +1,14 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+123
+updateTimestamp
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+)
+shutdown
diff --git a/tests/Fixtures/session/regenerate.expected b/tests/Fixtures/session/regenerate.expected
index baa5f2f6f5c..d462a571c37 100644
--- a/tests/Fixtures/session/regenerate.expected
+++ b/tests/Fixtures/session/regenerate.expected
@@ -19,6 +19,6 @@ Array
 (
     [0] => Content-Type: text/plain; charset=utf-8
     [1] => Cache-Control: max-age=10800, private, must-revalidate
-    [2] => Set-Cookie: sid=random_session_id; path=/; secure; HttpOnly
+    [2] => Set-Cookie: sid=random_session_id; path=/; HttpOnly
 )
 shutdown
diff --git a/tests/Fixtures/session/regenerate.samesite-compat.expected b/tests/Fixtures/session/regenerate.samesite-compat.expected
new file mode 100644
index 00000000000..123839f3ad3
--- /dev/null
+++ b/tests/Fixtures/session/regenerate.samesite-compat.expected
@@ -0,0 +1,24 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+destroy
+doDestroy
+close
+open
+validateId
+read
+doRead: abc|i:123;
+read
+
+write
+doWrite: abc|i:123;
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+    [2] => Set-Cookie: sid=random_session_id; path=/; SameSite=none; secure; HttpOnly
+)
+shutdown
diff --git a/tests/Fixtures/session/regenerate.samesite.expected b/tests/Fixtures/session/regenerate.samesite.expected
new file mode 100644
index 00000000000..8f5e59a2fb4
--- /dev/null
+++ b/tests/Fixtures/session/regenerate.samesite.expected
@@ -0,0 +1,24 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+destroy
+doDestroy
+close
+open
+validateId
+read
+doRead: abc|i:123;
+read
+
+write
+doWrite: abc|i:123;
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+    [2] => Set-Cookie: sid=random_session_id; path=/; secure; HttpOnly; SameSite=none
+)
+shutdown
diff --git a/tests/Fixtures/session/regenerate.secure.expected b/tests/Fixtures/session/regenerate.secure.expected
new file mode 100644
index 00000000000..baa5f2f6f5c
--- /dev/null
+++ b/tests/Fixtures/session/regenerate.secure.expected
@@ -0,0 +1,24 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+destroy
+doDestroy
+close
+open
+validateId
+read
+doRead: abc|i:123;
+read
+
+write
+doWrite: abc|i:123;
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+    [2] => Set-Cookie: sid=random_session_id; path=/; secure; HttpOnly
+)
+shutdown
diff --git a/tests/Fixtures/session/storage.samesite-compat.expected b/tests/Fixtures/session/storage.samesite-compat.expected
new file mode 100644
index 00000000000..4533a10a1f7
--- /dev/null
+++ b/tests/Fixtures/session/storage.samesite-compat.expected
@@ -0,0 +1,20 @@
+open
+validateId
+read
+doRead: 
+read
+Array
+(
+    [0] => bar
+)
+$_SESSION is not empty
+write
+destroy
+close
+$_SESSION is not empty
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=0, private, must-revalidate
+)
+shutdown
diff --git a/tests/Fixtures/session/storage.samesite.expected b/tests/Fixtures/session/storage.samesite.expected
new file mode 100644
index 00000000000..4533a10a1f7
--- /dev/null
+++ b/tests/Fixtures/session/storage.samesite.expected
@@ -0,0 +1,20 @@
+open
+validateId
+read
+doRead: 
+read
+Array
+(
+    [0] => bar
+)
+$_SESSION is not empty
+write
+destroy
+close
+$_SESSION is not empty
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=0, private, must-revalidate
+)
+shutdown
diff --git a/tests/Fixtures/session/storage.secure.expected b/tests/Fixtures/session/storage.secure.expected
new file mode 100644
index 00000000000..4533a10a1f7
--- /dev/null
+++ b/tests/Fixtures/session/storage.secure.expected
@@ -0,0 +1,20 @@
+open
+validateId
+read
+doRead: 
+read
+Array
+(
+    [0] => bar
+)
+$_SESSION is not empty
+write
+destroy
+close
+$_SESSION is not empty
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=0, private, must-revalidate
+)
+shutdown
diff --git a/tests/Fixtures/session/with_cookie.samesite-compat.expected b/tests/Fixtures/session/with_cookie.samesite-compat.expected
new file mode 100644
index 00000000000..33da0a5be6e
--- /dev/null
+++ b/tests/Fixtures/session/with_cookie.samesite-compat.expected
@@ -0,0 +1,15 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+
+updateTimestamp
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+    [2] => Set-Cookie: abc=def
+)
+shutdown
diff --git a/tests/Fixtures/session/with_cookie.samesite.expected b/tests/Fixtures/session/with_cookie.samesite.expected
new file mode 100644
index 00000000000..33da0a5be6e
--- /dev/null
+++ b/tests/Fixtures/session/with_cookie.samesite.expected
@@ -0,0 +1,15 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+
+updateTimestamp
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+    [2] => Set-Cookie: abc=def
+)
+shutdown
diff --git a/tests/Fixtures/session/with_cookie.secure.expected b/tests/Fixtures/session/with_cookie.secure.expected
new file mode 100644
index 00000000000..33da0a5be6e
--- /dev/null
+++ b/tests/Fixtures/session/with_cookie.secure.expected
@@ -0,0 +1,15 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+
+updateTimestamp
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+    [2] => Set-Cookie: abc=def
+)
+shutdown
diff --git a/tests/Fixtures/session/with_cookie_and_session.samesite-compat.expected b/tests/Fixtures/session/with_cookie_and_session.samesite-compat.expected
new file mode 100644
index 00000000000..5de2d9e3904
--- /dev/null
+++ b/tests/Fixtures/session/with_cookie_and_session.samesite-compat.expected
@@ -0,0 +1,24 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+updateTimestamp
+close
+open
+validateId
+read
+doRead: abc|i:123;
+read
+
+write
+destroy
+doDestroy
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+    [2] => Set-Cookie: abc=def
+)
+shutdown
diff --git a/tests/Fixtures/session/with_cookie_and_session.samesite.expected b/tests/Fixtures/session/with_cookie_and_session.samesite.expected
new file mode 100644
index 00000000000..5de2d9e3904
--- /dev/null
+++ b/tests/Fixtures/session/with_cookie_and_session.samesite.expected
@@ -0,0 +1,24 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+updateTimestamp
+close
+open
+validateId
+read
+doRead: abc|i:123;
+read
+
+write
+destroy
+doDestroy
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+    [2] => Set-Cookie: abc=def
+)
+shutdown
diff --git a/tests/Fixtures/session/with_cookie_and_session.secure.expected b/tests/Fixtures/session/with_cookie_and_session.secure.expected
new file mode 100644
index 00000000000..5de2d9e3904
--- /dev/null
+++ b/tests/Fixtures/session/with_cookie_and_session.secure.expected
@@ -0,0 +1,24 @@
+open
+validateId
+read
+doRead: abc|i:123;
+read
+updateTimestamp
+close
+open
+validateId
+read
+doRead: abc|i:123;
+read
+
+write
+destroy
+doDestroy
+close
+Array
+(
+    [0] => Content-Type: text/plain; charset=utf-8
+    [1] => Cache-Control: max-age=10800, private, must-revalidate
+    [2] => Set-Cookie: abc=def
+)
+shutdown

From b14b021433a1c0d0356942ee01a7547536cb58df Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi <nanasess@fsm.ne.jp>
Date: Tue, 21 Apr 2020 14:00:15 +0900
Subject: [PATCH 6/8] Apply composer require
 skorp/detect-incompatible-samesite-useragents

---
 composer.json |  1 +
 composer.lock | 56 ++++++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 54 insertions(+), 3 deletions(-)

diff --git a/composer.json b/composer.json
index b0614e13f26..4d459c9728c 100644
--- a/composer.json
+++ b/composer.json
@@ -50,6 +50,7 @@
         "sensio/generator-bundle": "^3.1",
         "setasign/fpdi": "^2.2",
         "setasign/fpdi-tcpdf": "^2.2",
+        "skorp/detect-incompatible-samesite-useragents": "^1.0",
         "suncat/mobile-detect-bundle": "^1.1",
         "swiftmailer/swiftmailer": "^6.1",
         "symfony/asset": "^3.4",
diff --git a/composer.lock b/composer.lock
index 2d78c5aeeeb..b959620205b 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "1c7efc44402b4eb643446b45fbc2d105",
+    "content-hash": "9f90fb1a2efd3a3160e24841a6a19488",
     "packages": [
         {
             "name": "composer/ca-bundle",
@@ -1686,6 +1686,7 @@
                 "monolog",
                 "productivity"
             ],
+            "abandoned": true,
             "time": "2019-10-24T07:13:31+00:00"
         },
         {
@@ -3347,6 +3348,7 @@
                 }
             ],
             "description": "This bundle generates code for you",
+            "abandoned": "symfony/maker-bundle",
             "time": "2017-12-07T15:36:41+00:00"
         },
         {
@@ -3447,8 +3449,53 @@
                 "fpdi",
                 "pdf"
             ],
+            "abandoned": true,
             "time": "2019-01-30T14:39:33+00:00"
         },
+        {
+            "name": "skorp/detect-incompatible-samesite-useragents",
+            "version": "1.0.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/skorp/detect-incompatible-samesite-useragents.git",
+                "reference": "4299c61f8c4edac2b63fd8629408d0bfc5ad76d9"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/skorp/detect-incompatible-samesite-useragents/zipball/4299c61f8c4edac2b63fd8629408d0bfc5ad76d9",
+                "reference": "4299c61f8c4edac2b63fd8629408d0bfc5ad76d9",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "^8.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Skorp\\Dissua\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Kadir Özdemir"
+                }
+            ],
+            "description": "Determine if UserAgent is incompatible with SameSite=None",
+            "keywords": [
+                "cookies",
+                "safari",
+                "samesite",
+                "samesite cookie"
+            ],
+            "time": "2020-01-29T21:12:37+00:00"
+        },
         {
             "name": "suncat/mobile-detect-bundle",
             "version": "v1.1.1",
@@ -7569,6 +7616,7 @@
                 "code",
                 "zf"
             ],
+            "abandoned": "laminas/laminas-code",
             "time": "2019-10-05T23:18:22+00:00"
         },
         {
@@ -7623,6 +7671,7 @@
                 "events",
                 "zf2"
             ],
+            "abandoned": "laminas/laminas-eventmanager",
             "time": "2018-04-25T15:33:34+00:00"
         }
     ],
@@ -8000,12 +8049,12 @@
             "version": "1.7.1",
             "source": {
                 "type": "git",
-                "url": "https://github.com/facebook/php-webdriver.git",
+                "url": "https://github.com/php-webdriver/php-webdriver-archive.git",
                 "reference": "e43de70f3c7166169d0f14a374505392734160e5"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/facebook/php-webdriver/zipball/e43de70f3c7166169d0f14a374505392734160e5",
+                "url": "https://api.github.com/repos/php-webdriver/php-webdriver-archive/zipball/e43de70f3c7166169d0f14a374505392734160e5",
                 "reference": "e43de70f3c7166169d0f14a374505392734160e5",
                 "shasum": ""
             },
@@ -8053,6 +8102,7 @@
                 "selenium",
                 "webdriver"
             ],
+            "abandoned": "php-webdriver/webdriver",
             "time": "2019-06-13T08:02:18+00:00"
         },
         {

From 25bb6193c59825539b5f48e5117c353b11c7849a Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi <nanasess@fsm.ne.jp>
Date: Tue, 21 Apr 2020 14:00:48 +0900
Subject: [PATCH 7/8] =?UTF-8?q?=E3=82=B3=E3=83=9E=E3=83=B3=E3=83=89?=
 =?UTF-8?q?=E3=83=A9=E3=82=A4=E3=83=B3=E5=AE=9F=E8=A1=8C=E6=99=82,=20Undef?=
 =?UTF-8?q?ined=20index=20=E3=81=AB=E3=81=AA=E3=82=8B=E3=81=AE=E3=82=92?=
 =?UTF-8?q?=E4=BF=AE=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../Storage/Handler/SameSiteNoneCompatSessionHandler.php     | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php b/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php
index 89fad8a7c0c..f3eaffa8996 100644
--- a/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php
+++ b/src/Eccube/Session/Storage/Handler/SameSiteNoneCompatSessionHandler.php
@@ -69,7 +69,7 @@ protected function doRead($sessionId)
         return $this->handler->read($sessionId);
     }
 
-        /**
+    /**
      * {@inheritdoc}
      */
     public function updateTimestamp($sessionId, $data)
@@ -207,6 +207,7 @@ public function getCookieSecure()
      */
     private function shouldSendSameSiteNone()
     {
-        return SameSite::handle($_SERVER['HTTP_USER_AGENT']);
+        $userAgent = array_key_exists('HTTP_USER_AGENT', $_SERVER) ? $_SERVER['HTTP_USER_AGENT'] : null;
+        return SameSite::handle($userAgent);
     }
 }

From 0b25bdae045a86600d3ac18aed41871e07991eaf Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi <nanasess@fsm.ne.jp>
Date: Wed, 22 Apr 2020 16:29:48 +0900
Subject: [PATCH 8/8] =?UTF-8?q?PHP7.4.5,=207.3.17=20=E3=81=AE=E3=83=90?=
 =?UTF-8?q?=E3=82=B0=E3=81=A7=E3=82=A8=E3=83=A9=E3=83=BC=E3=81=AB=E3=81=AA?=
 =?UTF-8?q?=E3=82=8B=E3=81=9F=E3=82=81=E3=82=B9=E3=82=AD=E3=83=83=E3=83=97?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- see https://github.com/symfony/symfony/pull/36485#issuecomment-615928699
---
 .../Handler/SameSiteNoneCompatSessionHandlerTest.php        | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tests/Eccube/Tests/Session/Storage/Handler/SameSiteNoneCompatSessionHandlerTest.php b/tests/Eccube/Tests/Session/Storage/Handler/SameSiteNoneCompatSessionHandlerTest.php
index 6f6cb120f35..bbbb5e76c5b 100644
--- a/tests/Eccube/Tests/Session/Storage/Handler/SameSiteNoneCompatSessionHandlerTest.php
+++ b/tests/Eccube/Tests/Session/Storage/Handler/SameSiteNoneCompatSessionHandlerTest.php
@@ -101,6 +101,12 @@ public function provideSession()
                 // TODO Mock が動作しないためスキップ
                 continue;
             }
+            if ($name == 'regenerate') {
+                // XXX PHP7.4.5, 7.3.17 のバグでエラーになるためスキップ
+                // see https://github.com/symfony/symfony/pull/36485#issuecomment-615928699
+                if (PHP_VERSION_ID === 70405) continue;
+                if (PHP_VERSION_ID === 70317) continue;
+            }
             foreach ($userAgents as $user_agent => $shouldSendSameSiteNone) {
                 yield [$name, $user_agent, $shouldSendSameSiteNone];
             }