Secure session via SameSite header

2019-11-14 17:11:59 +01:00 · 2019-11-14 17:11:59 +01:00 · 56c58d50b3
commit 56c58d50b3
parent 1f8d6bba7d
1 changed files with 114 additions and 93 deletions
--- a/app/Web/Session.php
+++ b/app/Web/Session.php
@ -8,109 +8,130 @@ use Exception;
 class Session
 {

-	/**
-	 * Session constructor.
-	 * @param string $name
-	 * @param string $path
-	 * @throws Exception
-	 */
-	public function __construct(string $name, $path = '')
-	{
-		if (session_status() === PHP_SESSION_NONE) {
-			if (!is_writable($path) && $path !== '') {
-				throw new Exception("The given path '{$path}' is not writable.");
-			}
+    /**
+     * Session constructor.
+     * @param  string  $name
+     * @param  string  $path
+     * @throws Exception
+     */
+    public function __construct(string $name, $path = '')
+    {
+        if (session_status() === PHP_SESSION_NONE) {
+            if (!is_writable($path) && $path !== '') {
+                throw new Exception("The given path '{$path}' is not writable.");
+            }

-			$started = @session_start([
-				'name' => $name,
-				'save_path' => $path,
-				'cookie_httponly' => true,
-				'gc_probability' => 25,
-			]);
+            $started = @session_start([
+                'name' => $name,
+                'save_path' => $path,
+                'cookie_httponly' => true,
+                'gc_probability' => 25,
+                'cookie_samesite' => 'Lax' // works only for php  >= 7.3
+            ]);

-			if (!$started) {
-				throw new Exception("Cannot start the HTTP session. That the session path '{$path}' is writable and your PHP settings.");
-			}
-		}
-	}
+            // Workaround for php <= 7.3
+            if (PHP_VERSION_ID < 70300) {
+                $sessionParams = session_get_cookie_params();
+                setcookie(
+                    $name,
+                    $this->getId(),
+                    $sessionParams['filetime'],
+                    $sessionParams['path'],
+                    $sessionParams['domain'].'; SameSite=Lax'
+                );
+            }

-	/**
-	 * Destroy the current session
-	 * @return bool
-	 */
-	public function destroy(): bool
-	{
-		return session_destroy();
-	}
+            if (!$started) {
+                throw new Exception("Cannot start the HTTP session. That the session path '{$path}' is writable and your PHP settings.");
+            }
+        }
+    }

-	/**
-	 * Clear all session stored values
-	 */
-	public function clear(): void
-	{
-		$_SESSION = [];
-	}
+    /**
+     * @return string
+     */
+    public function getId()
+    {
+        return session_id();
+    }

-	/**
-	 * Check if session has a stored key
-	 * @param $key
-	 * @return bool
-	 */
-	public function has($key): bool
-	{
-		return isset($_SESSION[$key]);
-	}
+    /**
+     * Destroy the current session
+     * @return bool
+     */
+    public function destroy(): bool
+    {
+        return session_destroy();
+    }

-	/**
-	 * Get the content of the current session
-	 * @return array
-	 */
-	public function all(): array
-	{
-		return $_SESSION;
-	}
+    /**
+     * Clear all session stored values
+     */
+    public function clear(): void
+    {
+        $_SESSION = [];
+    }

-	/**
-	 * Returned a value given a key
-	 * @param $key
-	 * @param null $default
-	 * @return mixed
-	 */
-	public function get($key, $default = null)
-	{
-		return self::has($key) ? $_SESSION[$key] : $default;
-	}
+    /**
+     * Check if session has a stored key
+     * @param $key
+     * @return bool
+     */
+    public function has($key): bool
+    {
+        return isset($_SESSION[$key]);
+    }

-	/**
-	 * Add a key-value pair to the session
-	 * @param $key
-	 * @param $value
-	 */
-	public function set($key, $value): void
-	{
-		$_SESSION[$key] = $value;
-	}
+    /**
+     * Get the content of the current session
+     * @return array
+     */
+    public function all(): array
+    {
+        return $_SESSION;
+    }

-	/**
-	 * Set a flash alert
-	 * @param $message
-	 * @param string $type
-	 */
-	public function alert($message, string $type = 'info'): void
-	{
-		$_SESSION['_flash'][] = [$type => $message];
-	}
+    /**
+     * Returned a value given a key
+     * @param $key
+     * @param  null  $default
+     * @return mixed
+     */
+    public function get($key, $default = null)
+    {
+        return self::has($key) ? $_SESSION[$key] : $default;
+    }
+
+    /**
+     * Add a key-value pair to the session
+     * @param $key
+     * @param $value
+     */
+    public function set($key, $value): void
+    {
+        $_SESSION[$key] = $value;
+    }
+
+    /**
+     * Set a flash alert
+     * @param $message
+     * @param  string  $type
+     */
+    public function alert($message, string $type = 'info'): void
+    {
+        $_SESSION['_flash'][] = [$type => $message];
+    }


-	/**
-	 * Retrieve flash alerts
-	 * @return array
-	 */
-	public function getAlert(): ?array
-	{
-		$flash = self::get('_flash');
-		self::set('_flash', []);
-		return $flash;
-	}
+    /**
+     * Retrieve flash alerts
+     * @return array
+     */
+    public function getAlert(): ?array
+    {
+        $flash = self::get('_flash');
+        self::set('_flash', []);
+        return $flash;
+    }

 }