mirror/php-auth
1
0
Fork 0
mirror of https://github.com/delight-im/PHP-Auth.git synced 2025-08-04 15:17:28 +02:00
Code Issues Releases Wiki Activity

Do not duplicate and overwrite parts of cookie configuration anymore

Browse Source 
Previously, PHP's configuration directives 'session.cookie_httponly'
and 'session.cookie_secure' were always overwritten with duplicated
and separately tracked variants of each directive
This commit is contained in:
Marco
2017-10-20 22:30:16 +02:00
parent f1360dceba
commit eec450677f
2 changed files with 6 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
Migration.md
View File

@@ -20,6 +20,10 @@ $ composer update delight-im/auth
* The method `logOutButKeepSession` from class `Auth` is now simply called `logOut`. Therefore, the former method `logout` is now called `logOutAndDestroySession`. With both methods, mind the capitalization of the letter “O”. * The method `logOutButKeepSession` from class `Auth` is now simply called `logOut`. Therefore, the former method `logout` is now called `logOutAndDestroySession`. With both methods, mind the capitalization of the letter “O”.
* If you previously had the second argument of the `Auth` constructor, which is named `$useHttps`, set to `true`, make sure to set the value of the `session.cookie_secure` directive to `1` now. You may do so either directly in your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), via the `\ini_set` method or via the `\session_set_cookie_params` method. Otherwise, make sure it is set to `0`.
* If you previously had the third argument of the `Auth` constructor, which is named `$allowCookiesScriptAccess`, set to `true`, make sure to set the value of the `session.cookie_httponly` directive to `0` now. You may do so either directly in your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), via the `\ini_set` method or via the `\session_set_cookie_params` method. Otherwise, make sure it is set to `1`.
* Only if *both* of the following two conditions are met: * Only if *both* of the following two conditions are met:
* The directive `session.cookie_domain` is set to an empty value. It may have been set directly in your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), via the `\ini_set` method or via the `\session_set_cookie_params` method. You can check the value of that directive by executing the following statement somewhere in your application: * The directive `session.cookie_domain` is set to an empty value. It may have been set directly in your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), via the `\ini_set` method or via the `\session_set_cookie_params` method. You can check the value of that directive by executing the following statement somewhere in your application:

29
src/Auth.php
View File

@@ -70,11 +70,6 @@ final class Auth extends UserManager {
// do not send session IDs in URLs // do not send session IDs in URLs
\ini_set('session.use_trans_sid', 0); \ini_set('session.use_trans_sid', 0);
// get our cookie settings
$params = $this->createCookieSettings();
// define our new cookie settings
\session_set_cookie_params($params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly']);
// start the session (requests a cookie to be written on the client) // start the session (requests a cookie to be written on the client)
@Session::start(); @Session::start();
} }
@@ -436,8 +431,7 @@ final class Auth extends UserManager {
* @throws AuthError if an internal problem occurred (do *not* catch) * @throws AuthError if an internal problem occurred (do *not* catch)
*/ */
private function setRememberCookie($selector, $token, $expires) { private function setRememberCookie($selector, $token, $expires) {
// get our cookie settings $params = \session_get_cookie_params();
$params = $this->createCookieSettings();
if (isset($selector) && isset($token)) { if (isset($selector) && isset($token)) {
$content = $selector . self::COOKIE_CONTENT_SEPARATOR . $token; $content = $selector . self::COOKIE_CONTENT_SEPARATOR . $token;
@@ -524,8 +518,7 @@ final class Auth extends UserManager {
* @throws AuthError if an internal problem occurred (do *not* catch) * @throws AuthError if an internal problem occurred (do *not* catch)
*/ */
private function deleteSessionCookie() { private function deleteSessionCookie() {
// get our cookie settings $params = \session_get_cookie_params();
$params = $this->createCookieSettings();
// ask for the session cookie to be deleted (requests a cookie to be written on the client) // ask for the session cookie to be deleted (requests a cookie to be written on the client)
$cookie = new Cookie(\session_name()); $cookie = new Cookie(\session_name());
@@ -1751,24 +1744,6 @@ final class Auth extends UserManager {
return new Administration($this->db, $this->dbTablePrefix); return new Administration($this->db, $this->dbTablePrefix);
} }
/**
* Creates the cookie settings that will be used to create and update cookies on the client
*
* @return array the cookie settings
*/
private function createCookieSettings() {
// get the default cookie settings
$params = \session_get_cookie_params();
// check if we want to send cookies via SSL/TLS only
$params['secure'] = $params['secure'] || $this->useHttps;
// check if we want to send cookies via HTTP(S) only
$params['httponly'] = $params['httponly'] || !$this->allowCookiesScriptAccess;
// return the modified settings
return $params;
}
/** /**
* Creates a UUID v4 as per RFC 4122 * Creates a UUID v4 as per RFC 4122
* *