Commit c8254c4c authored by Benni Mack's avatar Benni Mack Committed by Benjamin Franzke

[TASK] Use native cookie same site functionality

TYPO3 v11 requires PHP 7.4 or higher, so the workarounds for SameSite
cookie support on older PHP versions (which could not emit the SameSite
attribute natively) can be simplified and removed.

Resolves: #92999
Releases: master
Change-Id: I6ab5e257cfbe595f81693fc60d824bb46e106594
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67009


Tested-by: default avatarTYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch's avatarOliver Bartsch <bo@cedev.de>
Tested-by: Benjamin Franzke's avatarBenjamin Franzke <bfr@qbus.de>
Reviewed-by: Oliver Bartsch's avatarOliver Bartsch <bo@cedev.de>
Reviewed-by: Benjamin Franzke's avatarBenjamin Franzke <bfr@qbus.de>
parent 76f43ac7
......@@ -21,51 +21,6 @@ use Symfony\Component\HttpFoundation\Cookie;
trait CookieHeaderTrait
{
private function hasSameSiteCookieSupport(): bool
{
return version_compare(PHP_VERSION, '7.3.0', '>=');
}
/**
* Since PHP < 7.3 is not capable of sending the same-site cookie information, session_start() effectively
* sends the Set-Cookie header. This method fetches the set-cookie headers, parses it via Symfony's Cookie
* object, and resends the header.
*
* @param string[] $cookieNames
*/
private function resendCookieHeader(array $cookieNames = []): void
{
$cookies = array_filter(headers_list(), function (string $header) {
return stripos($header, 'Set-Cookie:') === 0;
});
$cookies = array_map(function (string $cookieHeader) use ($cookieNames) {
$payload = ltrim(substr($cookieHeader, 11));
$cookie = Cookie::fromString($payload);
$sameSite = $cookie->getSameSite();
// adjust SameSite flag only for given cookie names (applied to all if not declared)
if (empty($cookieNames) || in_array($cookie->getName(), $cookieNames, true)) {
$sameSite = $sameSite ?? Cookie::SAMESITE_STRICT;
}
return (string)Cookie::create(
$cookie->getName(),
$cookie->getValue(),
$cookie->getExpiresTime(),
$cookie->getPath(),
$cookie->getDomain(),
$cookie->isSecure(),
$cookie->isHttpOnly(),
$cookie->isRaw(),
$sameSite
);
}, $cookies);
if (!empty($cookies)) {
header_remove('Set-Cookie');
foreach ($cookies as $cookie) {
header('Set-Cookie: ' . $cookie, false);
}
}
}
private function sanitizeSameSiteCookieValue(string $cookieSameSite): string
{
if (!in_array($cookieSameSite, [Cookie::SAMESITE_STRICT, Cookie::SAMESITE_LAX, Cookie::SAMESITE_NONE], true)) {
......@@ -72,9 +72,7 @@ class SessionService implements SingletonInterface
session_set_save_handler($sessionHandler);
session_name($this->cookieName);
ini_set('session.cookie_httponly', 'On');
if ($this->hasSameSiteCookieSupport()) {
ini_set('session.cookie_samesite', Cookie::SAMESITE_STRICT);
}
ini_set('session.cookie_samesite', Cookie::SAMESITE_STRICT);
ini_set('session.cookie_path', (string)GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));
// Always call the garbage collector to clean up stale session files
ini_set('session.gc_probability', (string)100);
......@@ -99,9 +97,6 @@ class SessionService implements SingletonInterface
return;
}
session_start();
if (!$this->hasSameSiteCookieSupport()) {
$this->resendCookieHeader();
}
}
/**
......@@ -162,9 +157,6 @@ class SessionService implements SingletonInterface
{
// we do not have parallel ajax requests so we can safely remove the old session data
session_regenerate_id(true);
if (!$this->hasSameSiteCookieSupport()) {
$this->resendCookieHeader([$this->cookieName]);
}
return session_id();
}
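Review bot: The session cookie hardening in the first hunk of this section still omits `session.cookie_secure` and `session.use_strict_mode`: the `ini_set` run around the now-unconditional `ini_set('session.cookie_samesite', Cookie::SAMESITE_STRICT);` sets only httponly, samesite and path. Unless those directives are set elsewhere in this method (its start lies outside the hunk), the session cookie is also sent over plain HTTP and PHP will adopt an uninitialized, client-supplied session ID until the later `session_regenerate_id(true)` in the third hunk runs. Consider adding `ini_set('session.use_strict_mode', '1');` next to the samesite line and `ini_set('session.cookie_secure', '1');` when the request arrived over HTTPS (the `GeneralUtility::getIndpEnv()` helper already used for TYPO3_SITE_PATH presumably exposes the scheme — verify). A short why-comment such as `// PHP >= 7.3 emits the SameSite attribute natively; no Set-Cookie rewriting needed` would also record why the PHP_VERSION guard was dropped.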