bug #35605 [HttpFoundation][FrameworkBundle] fix support for samesite in session cookies (fabpot)

This PR was merged into the 3.4 branch.

Discussion
----------

[HttpFoundation][FrameworkBundle] fix support for samesite in session cookies

| Q | A |
| ------------- | --- |
| Branch? | 3.4 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Tickets | Fix #35520 |
| License | MIT |
| Doc PR | - |

This PR cherry-picks #28168 on 3.4, with a rationale given by @ConneXNL in #35520 (comment):

> I hope I am wrong but I see the impact of not making any changes to Symfony 3.4 will have tons of sites break if we cannot set the cookie's samesite setting (in the framework session and remember me) before Chrome pushes this update.
>
> Very soon all existing cookies are no longer going to work with cross-domains if you do not specify 'None' for the cookie_samesite. All external APIs that use cookies and are running SF 3.4 will break and devs will have no quick solution to fix their auth process.
>
> If you are using PHP 7.4, yes you can most likely use ini_set to workaround this issue.
>
> However, ini_set('cookie_samesite') does not work in PHP Version <= 7.2. I am not even sure PHP 7.3 supports the value 'None' as php.watch/articles/PHP-Samesite-cookies says it has support for 'Lax' and 'Strict'.
>
> This effectively means SF 3.4 on PHP 7.2 (or PHP 7.3) is no longer supported for cross-domain APIs with cookies. People would have to either update PHP to 7.4 (if they even can?) or go to Symfony 4 (with a dead live site that is going to be a complete disaster).
>
> Since the impact of the change that Chrome is about to roll out is so fundamentally changing our way to set cookies, I consider configuring samesite configuration in the framework an absolute requirement, not a feature, especially since SF 3.4 is still supported.
>
> What am I missing?
>
> Note: SF3 HTTPFoundation already supports the new cookie settings, it's just the framework that doesn't support it.

Our BC policy embeds the promise that one should be able to keep the same app on the newest infrastructure (e.g. that's why supporting a PHP version is a bug fix). I think we can consider this for browsers here also. WDYT?

Commits
-------

f46e6cb [HttpFoundation][FrameworkBundle] fix support for samesite in session cookies
Showing 13 changed files with 196 additions and 39 deletions.
src/Symfony/Component/HttpFoundation/Session/SessionUtils.php (59 changes: 59 additions & 0 deletions)
@@ -0,0 +1,59 @@ | ||
<?php | ||
|
||
/* | ||
* This file is part of the Symfony package. | ||
* | ||
* (c) Fabien Potencier <fabien@symfony.com> | ||
* | ||
* For the full copyright and license information, please view the LICENSE | ||
* file that was distributed with this source code. | ||
*/ | ||
|
||
namespace Symfony\Component\HttpFoundation\Session; | ||
|
||
/** | ||
* Session utility functions. | ||
* | ||
* @author Nicolas Grekas <p@tchwork.com> | ||
* @author Rémon van de Kamp <rpkamp@gmail.com> | ||
* | ||
* @internal | ||
*/ | ||
final class SessionUtils | ||
{ | ||
/** | ||
* Find the session header amongst the headers that are to be sent, remove it, and return | ||
* it so the caller can process it further. | ||
*/ | ||
public static function popSessionCookie($sessionName, $sessionId) | ||
{ | ||
$sessionCookie = null; | ||
$sessionCookiePrefix = sprintf(' %s=', urlencode($sessionName)); | ||
$sessionCookieWithId = sprintf('%s%s;', $sessionCookiePrefix, urlencode($sessionId)); | ||
$otherCookies = []; | ||
foreach (headers_list() as $h) { | ||
if (0 !== stripos($h, 'Set-Cookie:')) { | ||
continue; | ||
} | ||
if (11 === strpos($h, $sessionCookiePrefix, 11)) { | ||
$sessionCookie = $h; | ||
|
||
if (11 !== strpos($h, $sessionCookieWithId, 11)) { | ||
$otherCookies[] = $h; | ||
} | ||
} else { | ||
$otherCookies[] = $h; | ||
} | ||
} | ||
if (null === $sessionCookie) { | ||
return null; | ||
} | ||
|
||
header_remove('Set-Cookie'); | ||
foreach ($otherCookies as $h) { | ||
header($h, false); | ||
} | ||
|
||
return $sessionCookie; | ||
} | ||
} |
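Review bot: the `if (11 !== strpos($h, $sessionCookieWithId, 11))` check only recognises the current session cookie when a `;` follows the id, i.e. when at least one attribute (path, secure, HttpOnly, ...) is appended to the header; with an empty `session.cookie_path` and no other attributes the header ends right after the id, so that cookie would be returned as `$sessionCookie` and also re-emitted from `$otherCookies`, giving the client a duplicate `Set-Cookie`. Consider accepting either `;` or end-of-header after the encoded id (for example by comparing `$sessionCookiePrefix.urlencode($sessionId)` and then checking that the next character is `;` or that the string ends there). Two smaller points: the docblock says "session header" where it means the session cookie header, and the routine assumes headers have not been sent yet, so callers should guard with `headers_sent()` to avoid the "headers already sent" warning from `header_remove()` and `header()`.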
...ny/Component/HttpFoundation/Tests/Session/Storage/Handler/Fixtures/with_samesite.expected (16 changes: 16 additions & 0 deletions)
@@ -0,0 +1,16 @@ | ||
open | ||
validateId | ||
read | ||
doRead: | ||
read | ||
|
||
write | ||
doWrite: foo|s:3:"bar"; | ||
close | ||
Array | ||
( | ||
[0] => Content-Type: text/plain; charset=utf-8 | ||
[1] => Cache-Control: max-age=0, private, must-revalidate | ||
[2] => Set-Cookie: sid=random_session_id; path=/; secure; HttpOnly; SameSite=lax | ||
) | ||
shutdown |
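Review bot: the expected output pins the exact serialization `Set-Cookie: sid=random_session_id; path=/; secure; HttpOnly; SameSite=lax`, including attribute order and the lowercase `lax` value. If this fixture is run both where PHP itself emits the attribute (`session.cookie_samesite` on PHP >= 7.3) and where it is rewritten through the new `SessionUtils::popSessionCookie()` path, both branches have to produce byte-identical headers for the comparison to pass; a difference in casing or attribute order would make the test green on one PHP series and red on the other. A comment on the `.php` side stating which code path each PHP version exercises, or a case-insensitive comparison of the `SameSite` value, would make that explicit.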
...Symfony/Component/HttpFoundation/Tests/Session/Storage/Handler/Fixtures/with_samesite.php (13 changes: 13 additions & 0 deletions)
@@ -0,0 +1,13 @@ | ||
<?php | ||
|
||
require __DIR__.'/common.inc'; | ||
|
||
use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage; | ||
|
||
$storage = new NativeSessionStorage(['cookie_samesite' => 'lax']); | ||
$storage->setSaveHandler(new TestSessionHandler()); | ||
$storage->start(); | ||
|
||
$_SESSION = ['foo' => 'bar']; | ||
|
||
ob_start(function ($buffer) { return str_replace(session_id(), 'random_session_id', $buffer); }); |
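Review bot: this fixture only covers `'cookie_samesite' => 'lax'`, while the motivation quoted in the commit message (#35520) is the `None` value needed for cross-site cookie use, and `SameSite=None` is only honoured by browsers together with the `Secure` attribute. A sibling fixture with `'cookie_samesite' => 'none'`, whose `.expected` file checks that both `secure` and `SameSite=none` appear on the same `Set-Cookie` line, would exercise the case users are actually upgrading for. Also, the `ob_start` callback evaluates `session_id()` when the buffer is flushed, so the fixture depends on the buffer being flushed at shutdown after the handler has printed `headers_list()`; a one-line comment on that ordering would help anyone extending these fixtures.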
...ttpFoundation/Tests/Session/Storage/Handler/Fixtures/with_samesite_and_migration.expected (23 changes: 23 additions & 0 deletions)
@@ -0,0 +1,23 @@ | ||
open | ||
validateId | ||
read | ||
doRead: | ||
read | ||
destroy | ||
close | ||
open | ||
validateId | ||
read | ||
doRead: | ||
read | ||
|
||
write | ||
doWrite: foo|s:3:"bar"; | ||
close | ||
Array | ||
( | ||
[0] => Content-Type: text/plain; charset=utf-8 | ||
[1] => Cache-Control: max-age=0, private, must-revalidate | ||
[2] => Set-Cookie: sid=random_session_id; path=/; secure; HttpOnly; SameSite=lax | ||
) | ||
shutdown |
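Review bot: the single `Set-Cookie` line at the end of the header dump is the real assertion of this fixture, and that intent is easy to miss. The `ob_start` replacement only rewrites the current `session_id()`, so a stale cookie for the destroyed pre-migration session (the `destroy` / `close` / `open` sequence above) would surface as a raw id in the output; its absence is what shows `popSessionCookie()` dropped the old header rather than re-emitting it. Nothing on the `.expected` side can document this, so a short comment in the matching `.php` fixture (not shown on this page) explaining that the regenerate step is expected to leave exactly one session cookie would save future readers from having to rediscover it.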