diff --git a/Migration.md b/Migration.md index d930549..5b5aa62 100644 --- a/Migration.md +++ b/Migration.md @@ -20,6 +20,10 @@ $ composer update delight-im/auth * The method `logOutButKeepSession` from class `Auth` is now simply called `logOut`. Therefore, the former method `logout` is now called `logOutAndDestroySession`. With both methods, mind the capitalization of the letter “O”. + * If you previously had the second argument of the `Auth` constructor, which is named `$useHttps`, set to `true`, make sure to set the value of the `session.cookie_secure` directive to `1` now. You may do so either directly in your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), via the `\ini_set` method or via the `\session_set_cookie_params` method. Otherwise, make sure it is set to `0`. + + * If you previously had the third argument of the `Auth` constructor, which is named `$allowCookiesScriptAccess`, set to `true`, make sure to set the value of the `session.cookie_httponly` directive to `0` now. You may do so either directly in your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), via the `\ini_set` method or via the `\session_set_cookie_params` method. Otherwise, make sure it is set to `1`. + * Only if *both* of the following two conditions are met: * The directive `session.cookie_domain` is set to an empty value. It may have been set directly in your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), via the `\ini_set` method or via the `\session_set_cookie_params` method. You can check the value of that directive by executing the following statement somewhere in your application: diff --git a/src/Auth.php b/src/Auth.php index 9f766c4..2397afc 100644 --- a/src/Auth.php +++ b/src/Auth.php 
@@ -70,11 +70,6 @@ final class Auth extends UserManager {
 // do not send session IDs in URLs
 \ini_set('session.use_trans_sid', 0);
 
- // get our cookie settings
- $params = $this->createCookieSettings();
- // define our new cookie settings
- \session_set_cookie_params($params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly']);
-
 // start the session (requests a cookie to be written on the client)
 @Session::start();
 }
@@ -436,8 +431,7 @@ final class Auth extends UserManager {
 * @throws AuthError if an internal problem occurred (do *not* catch)
 */
 private function setRememberCookie($selector, $token, $expires) {
- // get our cookie settings
- $params = $this->createCookieSettings();
+ $params = \session_get_cookie_params();
 
 if (isset($selector) && isset($token)) {
 $content = $selector . self::COOKIE_CONTENT_SEPARATOR . $token;
@@ -524,8 +518,7 @@ final class Auth extends UserManager {
 * @throws AuthError if an internal problem occurred (do *not* catch)
 */
 private function deleteSessionCookie() {
- // get our cookie settings
- $params = $this->createCookieSettings();
+ $params = \session_get_cookie_params();
 
 // ask for the session cookie to be deleted (requests a cookie to be written on the client)
 $cookie = new Cookie(\session_name());
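Review bot: With the `\session_set_cookie_params(...)` call gone, `@Session::start()` now issues the session cookie with whatever `session.cookie_secure` and `session.cookie_httponly` the runtime happens to carry, whereas the removed createCookieSettings() OR'd `httponly` in (via `!$this->allowCookiesScriptAccess`) and `secure` in (via `$this->useHttps`) on top of those directives; because PHP's built-in default for `session.cookie_httponly` is off, an application that relied on the library's previous defaults silently loses the HttpOnly flag on upgrade unless it follows the Migration.md note. The same regression applies to the remember-me cookie in setRememberCookie and the deletion cookie in deleteSessionCookie, which now read `\session_get_cookie_params()` unmodified (second and third hunks on this line). The new contract should be stated in the code, not only in the migration guide, e.g. above the start call: `// cookie flags (secure, httponly, domain, path) are taken from the 'session.cookie_*' directives as-is; configure them (php.ini, \ini_set or \session_set_cookie_params) before constructing this class`. The constructor body begins outside the hunk, so whether it still accepts the former `$useHttps` and `$allowCookiesScriptAccess` arguments, and whether an empty directive is rejected there, cannot be seen from here.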
@@ -1751,24 +1744,6 @@ final class Auth extends UserManager {
 return new Administration($this->db, $this->dbTablePrefix);
 }
 
- /**
- * Creates the cookie settings that will be used to create and update cookies on the client
- *
- * @return array the cookie settings
- */
- private function createCookieSettings() {
- // get the default cookie settings
- $params = \session_get_cookie_params();
-
- // check if we want to send cookies via SSL/TLS only
- $params['secure'] = $params['secure'] || $this->useHttps;
- // check if we want to send cookies via HTTP(S) only
- $params['httponly'] = $params['httponly'] || !$this->allowCookiesScriptAccess;
-
- // return the modified settings
- return $params;
- }
-
 /**
 * Creates a UUID v4 as per RFC 4122
 *