
Commit a0226e7

committed
Add support for SameSite cookie session setting
1 parent 168da9b commit a0226e7


3 files changed

+30
-11
lines changed

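--- a/lib/response/sfWebResponse.class.php
+++ b/lib/response/sfWebResponse.class.php
@@ -161,17 +161,18 @@ public function isHeaderOnly()
 /**
 * Sets a cookie.
 *
-* @param string $name HTTP header name
-* @param string $value Value for the cookie
-* @param string $expire Cookie expiration period
-* @param string $path Path
-* @param string $domain Domain name
-* @param bool $secure If secure
-* @param bool $httpOnly If uses only HTTP
+* @param string $name HTTP header name
+* @param string $value Value for the cookie
+* @param string $expire Cookie expiration period
+* @param string $path Path
+* @param string $domain Domain name
+* @param bool $secure If secure
+* @param bool $httpOnly If uses only HTTP
+* @param ''|'None'|'Lax'|'Strict' $samesite If uses Same-site cookies
 *
 * @throws sfException If fails to set the cookie
 */
-public function setCookie($name, $value, $expire = null, $path = '/', $domain = '', $secure = false, $httpOnly = false)
+public function setCookie($name, $value, $expire = null, $path = '/', $domain = '', $secure = false, $httpOnly = false, $samesite = '')
 {
 if (null !== $expire) {
 if (is_numeric($expire)) {
@@ -192,6 +193,7 @@ public function setCookie($name, $value, $expire = null, $path = '/', $domain =
 'domain' => $domain,
 'secure' => $secure ? true : false,
 'httpOnly' => $httpOnly,
+'samesite' => $samesite,
 ];
 }
 
@@ -358,7 +360,14 @@ public function sendHttpHeaders()
 foreach ($this->cookies as $cookie) {
 $expire = isset($cookie['expire']) ? $cookie['expire'] : 0;
 $domain = isset($cookie['domain']) ? $cookie['domain'] : '';
-setrawcookie($cookie['name'], $cookie['value'], $expire, $cookie['path'], $domain, $cookie['secure'], $cookie['httpOnly']);
+setrawcookie($cookie['name'], $cookie['value'], [
+'expires' => $expire,
+'path' => $cookie['path'],
+'domain' => $domain,
+'secure' => $cookie['secure'],
+'httpOnly' => $cookie['httpOnly'],
+'samesite' => $cookie['samesite'],
+]);
 
 if ($this->options['logging']) {
 $this->dispatcher->notify(new sfEvent($this, 'application.log', [sprintf('Send cookie "%s": "%s"', $cookie['name'], $cookie['value'])]));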
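Review bot: `$samesite` is stored and emitted without any validation: setCookie() in the first hunk accepts an arbitrary string and sendHttpHeaders() in the third hunk hands it straight to setrawcookie(), so an unrecognised value falls back to whatever the browser's default is, and `None` on a cookie that is not also `$secure` is rejected outright by current browsers, both of which surface as a "cookie not set" symptom far from the cause. Since the docblock already narrows the type to `''|'None'|'Lax'|'Strict'` and declares `@throws sfException`, a guard at the top of setCookie() that rejects other values and `None` without `$secure` would make the mistake visible at the call site; the body of setCookie() continues outside the hunk, so the placement below is an estimate. The same combination check is worth applying to the `session_cookie_samesite` option in sfSessionStorage::initialize(). Two smaller points: the array form of setrawcookie() requires PHP 7.3 or later, so the version floor mentioned in the sfSessionStorage docblock now applies to this class too and should be stated in the setCookie() docblock; and the documented option key is lowercase `httponly` (as far as I recall PHP matches these keys case-insensitively, so `httpOnly` works, but the documented spelling avoids relying on that).
```php
public function setCookie($name, $value, $expire = null, $path = '/', $domain = '', $secure = false, $httpOnly = false, $samesite = '')
{
    // Reject values the cookie spec does not define; browsers do not error on them, they silently apply a default.
    if (!in_array($samesite, ['', 'None', 'Lax', 'Strict'], true)) {
        throw new sfException(sprintf('Invalid SameSite value "%s" for cookie "%s".', $samesite, $name));
    }
    // SameSite=None is only honoured by browsers when the cookie is also Secure.
    if ('None' === $samesite && !$secure) {
        throw new sfException(sprintf('Cookie "%s" uses SameSite=None and must also be marked secure.', $name));
    }
    // … unchanged: expire normalisation and cookie registration …
```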

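--- a/lib/storage/sfSessionStorage.class.php
+++ b/lib/storage/sfSessionStorage.class.php
@@ -36,6 +36,7 @@ class sfSessionStorage extends sfStorage
 * * session_cookie_domain: Cookie domain
 * * session_cookie_secure: Cookie secure
 * * session_cookie_httponly: Cookie http only (only for PHP >= 5.2)
+* * session.cookie_samesite: Cookie same site (only for PHP >= 7.3)
 *
 * The default values for all 'session_cookie_*' options are those returned by the session_get_cookie_params() function
 *
@@ -56,6 +57,7 @@ public function initialize($options = null)
 'session_cookie_domain' => $cookieDefaults['domain'],
 'session_cookie_secure' => $cookieDefaults['secure'],
 'session_cookie_httponly' => isset($cookieDefaults['httponly']) ? $cookieDefaults['httponly'] : false,
+'session_cookie_samesite' => isset($cookieDefaults['samesite']) ? $cookieDefaults['samesite'] : '',
 'session_cache_limiter' => null,
 'gc_maxlifetime' => 1800,
 ], $options);
@@ -77,7 +79,15 @@ public function initialize($options = null)
 $domain = $this->options['session_cookie_domain'];
 $secure = $this->options['session_cookie_secure'];
 $httpOnly = $this->options['session_cookie_httponly'];
-session_set_cookie_params($lifetime, $path, $domain, $secure, $httpOnly);
+$samesite = $this->options['session_cookie_samesite'];
+session_set_cookie_params([
+'lifetime' => $lifetime,
+'path' => $path,
+'domain' => $domain,
+'secure' => $secure,
+'httponly' => $httpOnly,
+'samesite' => $samesite,
+]);
 
 if (null !== $this->options['session_cache_limiter']) {
 session_cache_limiter($this->options['session_cache_limiter']);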
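Review bot: The option name in the added docblock line does not match the key the code reads: the first hunk documents `session.cookie_samesite`, while initialize() registers and reads `session_cookie_samesite` in the second and third hunks, so a user who copies the documented name into their configuration would presumably keep the default without any error. Change the line to `* * session_cookie_samesite: Cookie same site (only for PHP >= 7.3)` so it follows the `session_cookie_*` naming the surrounding entries and the sentence below them use. The array form of session_set_cookie_params() in the third hunk also needs PHP 7.3, so the "only for PHP >= 7.3" caveat now applies to initialize() as a whole rather than to this one option; if older PHP was supported before this commit, that is worth stating in the class docblock. initialize() continues outside the hunk on both sides.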

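--- a/test/unit/response/sfWebResponseTest.php
+++ b/test/unit/response/sfWebResponseTest.php
@@ -281,7 +281,7 @@ public function normalizeHeaderName($name)
 // ->setCookie() ->getCookies()
 $t->diag('->setCookie() ->getCookies()');
 $response->setCookie('foo', 'bar');
-$t->is($response->getCookies(), ['foo' => ['name' => 'foo', 'value' => 'bar', 'expire' => null, 'path' => '/', 'domain' => '', 'secure' => false, 'httpOnly' => false]], '->setCookie() adds a cookie for the response');
+$t->is($response->getCookies(), ['foo' => ['name' => 'foo', 'value' => 'bar', 'expire' => null, 'path' => '/', 'domain' => '', 'secure' => false, 'httpOnly' => false, 'samesite' => '']], '->setCookie() adds a cookie for the response');
 
 // ->setHeaderOnly() ->getHeaderOnly()
 $t->diag('->setHeaderOnly() ->isHeaderOnly()');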
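Review bot: The updated assertion only pins the default `'samesite' => ''`; nothing in the test passes an explicit value through setCookie() to getCookies(), so a regression in the new parameter (the key being dropped or a value not being carried through) would go unnoticed. Add, after the existing call, `$response->setCookie('baz', 'qux', null, '/', '', true, true, 'Strict');` followed by `$t->is($response->getCookies()['baz']['samesite'], 'Strict', '->setCookie() stores the SameSite value');`. If later assertions in this file compare the whole cookies array, use a fresh response object for the extra cookie so they are not affected; the rest of the test script lies outside the hunk.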
