From 87bf84ef6e1b04d1fa248f7298fb96981251319e Mon Sep 17 00:00:00 2001 From: Toby Zerner Date: Thu, 5 Oct 2017 12:39:40 +1030 Subject: [PATCH] Allow configuring cookie attributes I decided to put this in config.php because if cookie settings were to be stored in the database and configured via admin UI, entering incorrect settings could cause the admin session to be destroyed, requiring manual database intervention to fix. But it's a good prompt for discussion as to which kind of settings belong in config.php vs the database. Thoughts? --- src/Http/CookieFactory.php | 35 +++++++++++++++++++++++++--- src/Http/Middleware/StartSession.php | 7 +++--- src/Http/Rememberer.php | 9 ++++--- 3 files changed, 42 insertions(+), 9 deletions(-) diff --git a/src/Http/CookieFactory.php b/src/Http/CookieFactory.php index 868db278c..aacaff7f5 100644 --- a/src/Http/CookieFactory.php +++ b/src/Http/CookieFactory.php @@ -45,7 +45,7 @@ class CookieFactory // Parse the forum's base URL so that we can determine the optimal cookie settings $url = parse_url(rtrim($this->app->url(), '/')); - $cookie = SetCookie::create($name, $value); + $cookie = SetCookie::create($this->getName($name), $value); // Make sure we send both the MaxAge and Expires parameters (the former // is not supported by all browser versions) @@ -55,9 +55,38 @@ class CookieFactory ->withExpires(time() + $maxAge); } + if ($domain = $this->app->config('cookie.domain')) { + $cookie = $cookie->withDomain($domain); + } + + $path = $this->app->config('cookie.path', array_get($url, 'path') ?: '/'); + $secure = $this->app->config('cookie.secure', array_get($url, 'scheme') === 'https'); + return $cookie - ->withPath(array_get($url, 'path') ?: '/') - ->withSecure(array_get($url, 'scheme') === 'https') + ->withPath($path) + ->withSecure($secure) ->withHttpOnly(true); } + + /** + * Make an expired cookie instance. + * + * @param string $name + * @return \Dflydev\FigCookies\SetCookie + */ + public function expire($name) + { + return $this->make($name)->expire(); + } + + /** + * Get a cookie name. + * + * @param string $name + * @return string + */ + public function getName($name) + { + return $this->app->config('cookie.name', 'flarum').'_'.$name; + } } diff --git a/src/Http/Middleware/StartSession.php b/src/Http/Middleware/StartSession.php index 9c6060bfc..bf714c99e 100644 --- a/src/Http/Middleware/StartSession.php +++ b/src/Http/Middleware/StartSession.php @@ -22,13 +22,14 @@ use Zend\Stratigility\MiddlewareInterface; class StartSession implements MiddlewareInterface { + const COOKIE_NAME = 'session'; + /** * @var CookieFactory */ protected $cookie; /** - * Rememberer constructor. * @param CookieFactory $cookie */ public function __construct(CookieFactory $cookie) @@ -56,7 +57,7 @@ class StartSession implements MiddlewareInterface { $session = new Session; - $session->setName('flarum_session'); + $session->setName($this->cookie->getName(self::COOKIE_NAME)); $session->start(); if (! $session->has('csrf_token')) { @@ -79,7 +80,7 @@ class StartSession implements MiddlewareInterface { return FigResponseCookies::set( $response, - $this->cookie->make($session->getName(), $session->getId()) + $this->cookie->make(self::COOKIE_NAME, $session->getId()) ); } } diff --git a/src/Http/Rememberer.php b/src/Http/Rememberer.php index a014c99d9..d331d796c 100644 --- a/src/Http/Rememberer.php +++ b/src/Http/Rememberer.php @@ -16,7 +16,7 @@ use Psr\Http\Message\ResponseInterface; class Rememberer { - protected $cookieName = 'flarum_remember'; + const COOKIE_NAME = 'remember'; /** * @var CookieFactory @@ -43,7 +43,7 @@ class Rememberer return FigResponseCookies::set( $response, - $this->cookie->make($this->cookieName, $token->id, $lifetime) + $this->cookie->make(self::COOKIE_NAME, $token->id, $lifetime) ); } @@ -56,6 +56,9 @@ class Rememberer public function forget(ResponseInterface $response) { - return FigResponseCookies::expire($response, $this->cookieName); + return FigResponseCookies::set( + $response, + $this->cookie->expire(self::COOKIE_NAME) + ); } }