Merge pull request #82 from nanasess/samesite-none-compat

SameSite cookie support

.travis.yml

@@ -107,7 +107,8 @@ before_script:
 script: # PHP7 + precise のテストは実行されない
   - if [[ $PHP_SAPI = 'phpdbg' ]] && [[ $CODENAME = 'trusty' ]]; then phpdbg -qrr ./vendor/bin/phpunit --coverage-clover=coverage.clover ; fi
   - if [[ $PHP_SAPI != 'phpdbg' ]]; then ./vendor/bin/phpunit ; fi
-
+  - 'sed -i -e "s|force_ssl:\(.*\)|force_ssl: 1|" app/config/eccube/config.yml' # force_ssl を有効にしてテスト
+  - if [[ $PHP_SAPI != 'phpdbg' ]]; then ./vendor/bin/phpunit tests/Eccube/Tests/Web/SameSiteCookieTest.php ; fi
 after_script:
   - if [[ $PHP_SAPI = 'phpdbg' ]]; then wget https://scrutinizer-ci.com/ocular.phar ; fi
   - if [[ $PHP_SAPI = 'phpdbg' ]]; then php ocular.phar code-coverage:upload --format=php-clover coverage.clover ; fi

src/Eccube/Application.php

@@ -236,11 +236,32 @@ public function initLocale()
 
     public function initSession()
     {
+        $root_urlpath = $this['config']['root_urlpath'] ?: '/';
+        $ua = array_key_exists('HTTP_USER_AGENT', $_SERVER) ? $_SERVER['HTTP_USER_AGENT'] : '';
+        $targetUaPatterns = array(
+            '/^.*iPhone; CPU iPhone OS 1[0-2].*$/',
+            '/^.*iPad; CPU OS 1[0-2].*$/',
+            '/^.*iPod touch; CPU iPhone OS 1[0-2].*$/',
+            '/^.*Macintosh; Intel Mac OS X.*Version\/1[0-2].*Safari.*$/',
+        );
+        $isUnsupported = array_filter($targetUaPatterns, function ($pattern) use ($ua) {
+            return preg_match($pattern, $ua);
+        });
+        if ($this['config']['force_ssl'] == \Eccube\Common\Constant::ENABLED && !$isUnsupported) {
+            if (PHP_VERSION_ID >= 70300) {
+                ini_set('session.cookie_path', $root_urlpath);
+                ini_set('session.cookie_samesite', 'none');
+            } else {
+                ini_set('session.cookie_path', $root_urlpath.'; SameSite=none');
+            }
+        } else {
+            ini_set('session.cookie_path', $root_urlpath);
+        }
+
         $this->register(new \Silex\Provider\SessionServiceProvider(), array(
             'session.storage.save_path' => $this['config']['root_dir'].'/app/cache/eccube/session',
             'session.storage.options' => array(
                 'name' => $this['config']['cookie_name'],
-                'cookie_path' => $this['config']['root_urlpath'] ?: '/',
                 'cookie_secure' => $this['config']['force_ssl'],
                 'cookie_lifetime' => $this['config']['cookie_lifetime'],
                 'cookie_httponly' => true,

tests/Eccube/Tests/Web/SameSiteCookieTest.php

@@ -0,0 +1,47 @@
+<?php
+
+namespace Eccube\Tests\Web;
+
+class SameSiteCookieTest extends AbstractWebTestCase
+{
+    public function setUp()
+    {
+        // parent::setUp() は, 各テストメソッドで行う
+    }
+
+    public function provideSession()
+     {
+         return array(
+             array('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130', true),
+             array('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15', false),
+             array('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15', true),
+             array('Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 EdgiOS/44.8.0 Mobile/15E148 Safari/605.1.15', false),
+             array('Mozilla/5.0 (iPhone; CPU iPhone OS 13_1_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Mobile/15E148 Safari/604.1', true)
+         );
+     }
+
+    /**
+     * @dataProvider provideSession
+     */
+    public function testSessionParams($userAgent, $shouldSendSameSiteNone)
+    {
+        $_SERVER['HTTP_USER_AGENT'] = $userAgent;
+        parent::setUp();
+        if (!$this->app['config']['force_ssl']) {
+            $this->markTestSkipped('force_ssl required');
+        }
+        $this->client->request('GET', $this->app['url_generator']->generate('homepage'));
+        $this->assertTrue($this->client->getResponse()->isSuccessful());
+        $cookieParams = session_get_cookie_params();
+        if ($shouldSendSameSiteNone) {
+            if (PHP_VERSION_ID >= 70300) {
+                $this->assertEquals('/', $cookieParams['path']);
+                $this->assertEquals('none', $cookieParams['samesite']);
+            } else {
+                $this->assertEquals('/; SameSite=none', $cookieParams['path']);
+            }
+        } else {
+            $this->assertEquals('/', $cookieParams['path']);
+        }
+    }
+}