- Fixed a session bug where cookie was rewriting session's cookie with a bad session_id

This commit is contained in:
Dave Mc Nicoll 2020-01-29 16:16:00 -05:00
parent 56194034f8
commit e62ef28035
2 changed files with 13 additions and 11 deletions


@ -40,7 +40,8 @@ class Cookie {
?bool $secure = null, ?bool $secure = null,
?bool $httponly = null, ?bool $httponly = null,
?string $samesite = null, ?string $samesite = null,
?bool $raw = false ?bool $raw = false,
?bool $skipHash = false
) { ) {
if ( headers_sent() ) { if ( headers_sent() ) {
return false; return false;
@ -59,27 +60,26 @@ class Cookie {
'samesite' => $this->options['samesite'] ?? ( $samesite ?: "" ), 'samesite' => $this->options['samesite'] ?? ( $samesite ?: "" ),
]; ];
if ( $value ) { if ( $value && ! $skipHash ) {
$value = sha1($this->secureHash . $value . $this->secureHash) . "|$value"; $value = sha1($this->secureHash . $value . $this->secureHash) . "|$value";
} }
return $raw ? setrawcookie($name, $value ?: "", $options) : setcookie($name, $value ?: "", $options); return $raw ? setrawcookie($name, $value ?: "", $options) : setcookie($name, $value ?: "", $options);
} }
/** /**
* Fetch a cookie value, using the Input library. * Fetch a cookie value, using the Input library.
* @param string cookie name * @param string cookie name
* @param mixed default value * @param mixed default value
* @return string * @return string
*/ */
public function get(string $key, $default = null) public function get(string $key, $default = null, $skipHash = false)
{ {
if ( ! $this->has($key) ) { if ( ! $this->has($key) ) {
return $default; return $default;
} }
if ( $this->secureHash ) { if ( $this->secureHash && ! $skipHash ) {
list($hash, $value) = explode('|', $_COOKIE[$key], 2); list($hash, $value) = explode('|', $_COOKIE[$key], 2);
if (! $this->isSecure($hash, $value)) { if (! $this->isSecure($hash, $value)) {
@ -111,7 +111,7 @@ class Cookie {
unset( $_COOKIE[$name] ); unset( $_COOKIE[$name] );
return $this->set($name, '', -86400, $path ?: ( $this->options['path'] ?? "" ), $domain ?: ( $this->options['domain'] ?? "" ), $this->options['secure'] ?? false, $this->options['httponly'] ?? false); return $this->set($name, '', -86400, $path ?: ( $this->options['path'] ?? "" ), $domain ?: ( $this->options['domain'] ?? "" ), $this->options['secure'] ?? false, $this->options['httponly'] ?? false, null, false, true);
} }
public function isSecure($hash, $value) : bool public function isSecure($hash, $value) : bool
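Review bot: The new `$skipHash` parameter on `get()` is untyped and undocumented, while its counterpart on `set()` is declared `?bool $skipHash = false`; declare it `bool $skipHash = false` and add `@param bool $skipHash  return the raw cookie without verifying its signature` to the docblock above it. When the flag is true the value taken from `$_COOKIE` bypasses `isSecure()`, so callers must treat the result as unverified client input, and a cookie written with `$skipHash = true` in `set()` must be read with the same flag — otherwise the signed-read branch runs `explode('|', ...)` on an unsigned value and `isSecure()` rejects it (or an undefined-offset notice fires when the value contains no `|`). A comment at `if ( $this->secureHash && ! $skipHash )` stating that writer/reader coupling would help the next maintainer; `get()`'s body continues past the hunk. In the `delete()` hunk the flag is passed positionally as the last of nine arguments; naming the trailing values inline, e.g. `/* samesite */ null, /* raw */ false, /* skipHash */ true`, keeps that call readable.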


@ -4,7 +4,7 @@ namespace Storage;
use session_name, session_id, session_start, session_destroy, session_save_path, use session_name, session_id, session_start, session_destroy, session_save_path,
session_regenerate_id, session_cache_limiter, session_get_cookie_params, session_regenerate_id, session_cache_limiter, session_get_cookie_params,
session_set_cookie_params, session_status, time, array_key_exists; session_set_cookie_params, session_status, session_write_close, time, array_key_exists;
class Session class Session
{ {
@ -54,17 +54,19 @@ class Session
if ( version_compare(PHP_VERSION, '7.3.0') >= 0 ) { if ( version_compare(PHP_VERSION, '7.3.0') >= 0 ) {
session_set_cookie_params($params); session_set_cookie_params($params);
# var_dump($params); die();
} }
else { else {
session_set_cookie_params( ...array_values(array_slice($params, 0, 5)) ); session_set_cookie_params( ...array_values(array_slice($params, 0, 5)) );
} }
session_name($options['name']); session_name($options['name']);
session_cache_limiter($options['cache_limiter'] ?? 'nocache'); session_cache_limiter($options['cache_limiter'] ?? 'nocache');
session_start(); session_start();
}
# Reset timeout after session started
$cookie->set(session_name(), session_id(), time() + $params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly'], $params['samesite']); public static function stop() {
session_write_close();
} }
public static function regenerate() public static function regenerate()