From e3810cb84d3fa341e3808d6aa9c3e18f8bda3305 Mon Sep 17 00:00:00 2001 From: George Petculescu Date: Wed, 10 Mar 2021 22:11:52 +0200 Subject: Merge pull request #6028 from vibbow/patch-1 Update Session.php --- system/libraries/Session/Session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/libraries/Session/Session.php') diff --git a/system/libraries/Session/Session.php b/system/libraries/Session/Session.php index 06b953ab2..ec57ee548 100644 --- a/system/libraries/Session/Session.php +++ b/system/libraries/Session/Session.php @@ -723,7 +723,7 @@ class CI_Session { * * Legacy CI_Session compatibility method * - * @returns array + * @return array */ public function &get_userdata() { -- cgit v1.2.3-24-g4f1b From 9b7541e04c4976f3cd0366b1866a4c71f3e3bb5f Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 5 Jan 2022 12:54:45 +0200 Subject: PHP 8.1 compatibility for sessions (ref #6078) --- system/libraries/Session/Session.php | 42 +++++++++++++++++------------------- 1 file changed, 20 insertions(+), 22 deletions(-) (limited to 'system/libraries/Session/Session.php') diff --git a/system/libraries/Session/Session.php b/system/libraries/Session/Session.php index ec57ee548..ed379146d 100644 --- a/system/libraries/Session/Session.php +++ b/system/libraries/Session/Session.php @@ -6,7 +6,7 @@ * * This content is released under the MIT License (MIT) * - * Copyright (c) 2014 - 2019, British Columbia Institute of Technology + * Copyright (c) 2019 - 2022, CodeIgniter Foundation * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -30,6 +30,7 @@ * @author EllisLab Dev Team * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/) * @copyright Copyright (c) 2014 - 2019, British Columbia Institute of Technology (https://bcit.ca/) + * @copyright Copyright (c) 2019 - 2022, CodeIgniter Foundation (https://codeigniter.com/) * @license https://opensource.org/licenses/MIT MIT License * @link https://codeigniter.com * @since Version 2.0.0 @@ -102,31 +103,24 @@ class CI_Session { $this->_configure($params); $this->_config['_sid_regexp'] = $this->_sid_regexp; - $class = new $class($this->_config); - if ($class instanceof SessionHandlerInterface) + $class = new $class($this->_config); + $wrapper = new CI_SessionWrapper($class); + if (is_php('5.4')) { - if (is_php('5.4')) - { - session_set_save_handler($class, TRUE); - } - else - { - session_set_save_handler( - array($class, 'open'), - array($class, 'close'), - array($class, 'read'), - array($class, 'write'), - array($class, 'destroy'), - array($class, 'gc') - ); - - register_shutdown_function('session_write_close'); - } + session_set_save_handler($class, TRUE); } else { - log_message('error', "Session: Driver '".$this->_driver."' doesn't implement SessionHandlerInterface. Aborting."); - return; + session_set_save_handler( + array($class, 'open'), + array($class, 'close'), + array($class, 'read'), + array($class, 'write'), + array($class, 'destroy'), + array($class, 'gc') + ); + + register_shutdown_function('session_write_close'); } // Sanitize the cookie, because apparently PHP doesn't do that for userspace handlers @@ -193,6 +187,10 @@ class CI_Session { // PHP 5.4 compatibility interface_exists('SessionHandlerInterface', FALSE) OR require_once(BASEPATH.'libraries/Session/SessionHandlerInterface.php'); + require_once(BASEPATH.'libraries/Session/CI_Session_driver_interface.php'); + $wrapper = is_php('8.0') ? 'PHP8SessionWrapper' : 'OldSessionWrapper'; + require_once(BASEPATH.'libraries/Session/'.$wrapper.'.php'); + $prefix = config_item('subclass_prefix'); if ( ! class_exists('CI_Session_driver', FALSE)) -- cgit v1.2.3-24-g4f1b From 1a2651040ef701e750b1c13cd69cc70814b079d0 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 5 Jan 2022 18:52:24 +0200 Subject: Add SameSite cookie support to Session library --- system/libraries/Session/Session.php | 83 +++++++++++++++++++++++++++++------- 1 file changed, 67 insertions(+), 16 deletions(-) (limited to 'system/libraries/Session/Session.php') diff --git a/system/libraries/Session/Session.php b/system/libraries/Session/Session.php index ed379146d..1c5c980ae 100644 --- a/system/libraries/Session/Session.php +++ b/system/libraries/Session/Session.php @@ -154,15 +154,36 @@ class CI_Session { // unless it is being currently created or regenerated elseif (isset($_COOKIE[$this->_config['cookie_name']]) && $_COOKIE[$this->_config['cookie_name']] === session_id()) { - setcookie( - $this->_config['cookie_name'], - session_id(), - (empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']), - $this->_config['cookie_path'], - $this->_config['cookie_domain'], - $this->_config['cookie_secure'], - TRUE - ); + $expires = empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']; + if (is_php('7.3')) + { + setcookie( + $this->_config['cookie_name'], + session_id(), + array( + 'expires' => $expires, + 'path' => $this->_config['cookie_path'], + 'domain' => $this->_config['cookie_domain'], + 'secure' => $this->_config['cookie_secure'], + 'httponly' => TRUE, + 'samesite' => $this->_config['cookie_samesite'] + ) + ); + } + else + { + $header = 'Set-Cookie: '.$this->_config['cookie_name'].'='.session_id(); + $header .= empty($expires) ? '' : '; Expires='.gmdate('D, d-M-Y H:i:s T', $expires).'; Max-Age='.$this->_config['cookie_lifetime']; + $header .= '; Path='.$this->_config['cookie_path']; + $header .= ($this->_config['cookie_domain'] !== '' ? '; Domain='.$this->_config['cookie_domain'] : ''); + $header .= ($this->_config['cookie_secure'] ? '; Secure' : '').'; HttpOnly; SameSite='.$this->_config['cookie_samesite']; + header($header); + } + + if ( ! $this->_config['cookie_secure'] && $this->_config['cookie_samesite'] === 'None') + { + log_message('error', 'Session:', $this->_config['cookie_name'].' cookie sent with SameSite=None, but without Secure attribute.'); + } } $this->_ci_init_vars(); @@ -284,13 +305,43 @@ class CI_Session { isset($params['cookie_domain']) OR $params['cookie_domain'] = config_item('cookie_domain'); isset($params['cookie_secure']) OR $params['cookie_secure'] = (bool) config_item('cookie_secure'); - session_set_cookie_params( - $params['cookie_lifetime'], - $params['cookie_path'], - $params['cookie_domain'], - $params['cookie_secure'], - TRUE // HttpOnly; Yes, this is intentional and not configurable for security reasons - ); + isset($params['cookie_samesite']) OR $params['cookie_samesite'] = config_item('sess_samesite'); + if ( ! isset($params['cookie_samesite']) && is_php('7.3')) + { + $params['cookie_samesite'] = ini_get('session.cookie_samesite'); + } + + if (isset($params['cookie_samesite'])) + { + $params['cookie_samesite'] = ucfirst(strtolower($params['cookie_samesite'])); + in_array($params['cookie_samesite'], array('Lax', 'Strict', 'None'), TRUE) OR $params['cookie_samesite'] = 'Lax'; + } + else + { + $params['cookie_samesite'] = 'Lax'; + } + + if (is_php('7.3')) + { + session_set_cookie_params(array( + 'lifetime' => $params['cookie_lifetime'], + 'path' => $params['cookie_path'], + 'domain' => $params['cookie_domain'], + 'secure' => $params['cookie_secure'], + 'httponly' => $params['cookie_httponly'], + 'samesite' => $params['cookie_samesite'] + )); + } + else + { + session_set_cookie_params( + $params['cookie_lifetime'], + $params['cookie_path'], + $params['cookie_domain'], + $params['cookie_secure'], + TRUE // HttpOnly; Yes, this is intentional and not configurable for security reasons + ); + } if (empty($expiration)) { -- cgit v1.2.3-24-g4f1b From 3853472a6ea2db4fbaf7d259184245b35b004fdf Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 7 Jan 2022 13:05:03 +0200 Subject: [ci skip] Fix #6083 --- system/libraries/Session/Session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/libraries/Session/Session.php') diff --git a/system/libraries/Session/Session.php b/system/libraries/Session/Session.php index 1c5c980ae..87113e2b5 100644 --- a/system/libraries/Session/Session.php +++ b/system/libraries/Session/Session.php @@ -328,7 +328,7 @@ class CI_Session { 'path' => $params['cookie_path'], 'domain' => $params['cookie_domain'], 'secure' => $params['cookie_secure'], - 'httponly' => $params['cookie_httponly'], + 'httponly' => TRUE, 'samesite' => $params['cookie_samesite'] )); } -- cgit v1.2.3-24-g4f1b From 52d04d27b6e172093d7d9f70c6e77846b6742742 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sat, 8 Jan 2022 16:57:19 +0200 Subject: [ci skip] Actually use the Session wrapper (ref #6078) --- system/libraries/Session/Session.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'system/libraries/Session/Session.php') diff --git a/system/libraries/Session/Session.php b/system/libraries/Session/Session.php index 87113e2b5..9d4561616 100644 --- a/system/libraries/Session/Session.php +++ b/system/libraries/Session/Session.php @@ -107,17 +107,17 @@ class CI_Session { $wrapper = new CI_SessionWrapper($class); if (is_php('5.4')) { - session_set_save_handler($class, TRUE); + session_set_save_handler($wrapper, TRUE); } else { session_set_save_handler( - array($class, 'open'), - array($class, 'close'), - array($class, 'read'), - array($class, 'write'), - array($class, 'destroy'), - array($class, 'gc') + array($wrapper, 'open'), + array($wrapper, 'close'), + array($wrapper, 'read'), + array($wrapper, 'write'), + array($wrapper, 'destroy'), + array($wrapper, 'gc') ); register_shutdown_function('session_write_close'); -- cgit v1.2.3-24-g4f1b From 2d4ddf57cc64f37a76e53403bc1442a54cc01897 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sat, 8 Jan 2022 17:02:48 +0200 Subject: [ci skip] Attempt to hack SameSite into session_set_cookie_params() pre-PHP7.3 --- system/libraries/Session/Session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/libraries/Session/Session.php') diff --git a/system/libraries/Session/Session.php b/system/libraries/Session/Session.php index 9d4561616..8d3ba2857 100644 --- a/system/libraries/Session/Session.php +++ b/system/libraries/Session/Session.php @@ -336,7 +336,7 @@ class CI_Session { { session_set_cookie_params( $params['cookie_lifetime'], - $params['cookie_path'], + $params['cookie_path'].'; SameSite='.$params['cookie_samesite'], $params['cookie_domain'], $params['cookie_secure'], TRUE // HttpOnly; Yes, this is intentional and not configurable for security reasons -- cgit v1.2.3-24-g4f1b