From c1169808df98eaf1a1cf93bc0d16aebd900ea5b2 Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi
Date: Fri, 7 Feb 2020 20:31:30 +0900
Subject: [PATCH 1/7] SameSite cookie support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- TODO PHP7.3 or higher
- SameSite=None を未サポートの UA 向けに, SameSite 属性を削除した cookie を発行する
- SameSite=None が SameSite=Strict と見なされて cookie が拒否された場合は, 互換用の cookie を読み込む
---
 data/class/helper/SC_Helper_Session.php                   | 5 +++++
 data/class/sessionfactory/SC_SessionFactory_UseCookie.php | 8 +++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/data/class/helper/SC_Helper_Session.php b/data/class/helper/SC_Helper_Session.php
index 2e116d8e32..9d1cf577f7 100644
--- a/data/class/helper/SC_Helper_Session.php
+++ b/data/class/helper/SC_Helper_Session.php
@@ -68,6 +68,11 @@ public function sfSessClose()
      */
     public function sfSessRead($id)
     {
+        if ($id !== $_COOKIE['legacy-ECSESSID']) {
+            // session_id と $_COOKIE['legacy-ECSESSID'] が異なる場合は ECSESSID の cookie が拒否されたと見なす
+            GC_Utils_Ex::gfPrintLog('replace session id: '.$id.'=>'.$_COOKIE['legacy-ECSESSID']);
+            $id = $_COOKIE['legacy-ECSESSID']; // $_COOKIE['legacy-ECSESSID'] からセッションデータを読み込む
+        }
         $objQuery = SC_Query_Ex::getSingletonInstance();
         $arrRet = $objQuery->select('sess_data', 'dtb_session', 'sess_id = ?', array($id));
         if (empty($arrRet)) {
diff --git a/data/class/sessionfactory/SC_SessionFactory_UseCookie.php b/data/class/sessionfactory/SC_SessionFactory_UseCookie.php
index 7eb9e088d6..b2d06ca832 100644
--- a/data/class/sessionfactory/SC_SessionFactory_UseCookie.php
+++ b/data/class/sessionfactory/SC_SessionFactory_UseCookie.php
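Review bot: The swap at the top of sfSessRead only changes the id the row is looked up by; PHP still keeps the freshly generated session id, so the data read from the `legacy-ECSESSID` row will be written back under a new id while the original row is left untouched by anything in this hunk. On a browser that keeps dropping ECSESSID, every request therefore leaves one more abandoned row in dtb_session, and the superseded id stays resumable until garbage collection unless the write path elsewhere removes it (not visible here). If the intent is to resume rather than clone the session, adopting the id before the session starts — `session_id($_COOKIE['legacy-ECSESSID']);` in the factory ahead of `session_start()` — avoids the copy; otherwise delete the superseded row once the swap has happened. sfSessRead continues past the end of the hunk.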
@@ -46,11 +46,17 @@ public function initSession()
         ini_set('session.cache_limiter', 'none');
         // (session.auto_start などで)セッションが開始されていた場合に備えて閉じる。(FIXME: 保存する必要はない。破棄で良い。)
         session_write_close();
-        session_set_cookie_params(0, ROOT_URLPATH, DOMAIN_NAME, $this->getSecureOption(), true);
+        // FIXME PHP7.3 or higher
+        session_set_cookie_params(0, ROOT_URLPATH, DOMAIN_NAME.'; SameSite=None', $this->getSecureOption(), true);
+        $params = session_get_cookie_params();
         // セッション開始
         // FIXME EC-CUBE をネストしてインストールした場合を考慮して、一意とすべき
         session_name('ECSESSID');
         session_start();
+        if (session_id() !== '') {
+            // SameSite=None を未サポートの UA 向けに cookie を発行する
+            setcookie('legacy-'.session_name(), session_id(), $params['lifetime'], ROOT_URLPATH, $params['domain'], $params['secure'], true);
+        }
     }
 
     /**
From b602cf8cea0a14f4347f922f692d499f7ff904a1 Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi
Date: Fri, 7 Feb 2020 20:56:20 +0900
Subject: [PATCH 2/7] =?UTF-8?q?=E7=AE=A1=E7=90=86=E7=94=BB=E9=9D=A2?=
 =?UTF-8?q?=E3=83=AD=E3=82=B0=E3=82=A4=E3=83=B3=E4=BF=AE=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 data/class/helper/SC_Helper_Session.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/class/helper/SC_Helper_Session.php b/data/class/helper/SC_Helper_Session.php
index 9d1cf577f7..2b37910093 100644
--- a/data/class/helper/SC_Helper_Session.php
+++ b/data/class/helper/SC_Helper_Session.php
@@ -68,7 +68,7 @@ public function sfSessClose()
      */
     public function sfSessRead($id)
     {
-        if ($id !== $_COOKIE['legacy-ECSESSID']) {
+        if (empty($_COOKIE['ECSESSID']) && $id !== $_COOKIE['legacy-ECSESSID']) {
             // session_id と $_COOKIE['legacy-ECSESSID'] が異なる場合は ECSESSID の cookie が拒否されたと見なす
             GC_Utils_Ex::gfPrintLog('replace session id: '.$id.'=>'.$_COOKIE['legacy-ECSESSID']);
             $id = $_COOKIE['legacy-ECSESSID']; // $_COOKIE['legacy-ECSESSID'] からセッションデータを読み込む
From cb44b5272341f08b8f0eac2a93d87fb736966e7c Mon Sep 17 00:00:00 2001
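Review bot: The compat cookie is written exactly once, right after `session_start()`, with whatever `session_id()` is at that moment; if anything later in the request regenerates the session id (login handling commonly does, but none of it is visible here), the browser keeps `legacy-ECSESSID` pointing at the pre-regeneration id while ECSESSID moves on. A UA that is in fallback mode will then resume the old session on its next request, which is precisely what the regeneration was meant to prevent. Consider emitting the compat cookie from a small helper that is also called after every `session_regenerate_id()`, or from the session write/close path, instead of only here. initSession starts before the hunk.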
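Review bot: The new condition hard-codes the cookie name `ECSESSID` even though the factory assigns it through `session_name('ECSESSID')` and carries a FIXME saying the name should become unique per installation; the two will silently diverge the day that FIXME is acted on, and the fallback would then be comparing against the wrong cookies. Deriving both names from the runtime value keeps them coupled: `if (empty($_COOKIE[session_name()]) && $id !== $_COOKIE['legacy-'.session_name()]) {`. Note also that `$_COOKIE['legacy-ECSESSID']` is still dereferenced without an `isset()` guard here, so a visitor without the compat cookie raises a notice on every read. sfSessRead continues past the hunk.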
From: Kentaro Ohkouchi
Date: Fri, 7 Feb 2020 22:40:34 +0900
Subject: [PATCH 3/7] =?UTF-8?q?=E4=BA=92=E6=8F=9B=E7=94=A8=20Cookie=20?=
 =?UTF-8?q?=E3=82=82=20SameSite=3DNone=20=E3=81=8C=E3=81=A4=E3=81=84?=
 =?UTF-8?q?=E3=81=A6=E3=81=97=E3=81=BE=E3=81=A3=E3=81=A6=E3=81=84=E3=81=9F?=
 =?UTF-8?q?=E3=81=AE=E3=82=92=E4=BF=AE=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 data/class/sessionfactory/SC_SessionFactory_UseCookie.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/class/sessionfactory/SC_SessionFactory_UseCookie.php b/data/class/sessionfactory/SC_SessionFactory_UseCookie.php
index b2d06ca832..cd44706c17 100644
--- a/data/class/sessionfactory/SC_SessionFactory_UseCookie.php
+++ b/data/class/sessionfactory/SC_SessionFactory_UseCookie.php
@@ -47,7 +47,7 @@ public function initSession()
         // (session.auto_start などで)セッションが開始されていた場合に備えて閉じる。(FIXME: 保存する必要はない。破棄で良い。)
         session_write_close();
         // FIXME PHP7.3 or higher
-        session_set_cookie_params(0, ROOT_URLPATH, DOMAIN_NAME.'; SameSite=None', $this->getSecureOption(), true);
+        session_set_cookie_params(0, ROOT_URLPATH.'; SameSite=None', DOMAIN_NAME, $this->getSecureOption(), true);
         $params = session_get_cookie_params();
         // セッション開始
         // FIXME EC-CUBE をネストしてインストールした場合を考慮して、一意とすべき
From 00a6726ff0f4505d4e1d64a400e8141ee40a6759 Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi
Date: Mon, 10 Feb 2020 09:17:36 +0900
Subject: [PATCH 4/7] =?UTF-8?q?=E3=83=AD=E3=82=B0=E5=87=BA=E5=8A=9B?=
 =?UTF-8?q?=E5=89=8A=E9=99=A4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 data/class/helper/SC_Helper_Session.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/class/helper/SC_Helper_Session.php b/data/class/helper/SC_Helper_Session.php
index 2b37910093..97f3168729 100644
--- a/data/class/helper/SC_Helper_Session.php
+++ b/data/class/helper/SC_Helper_Session.php
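Review bot: With the SameSite attribute now smuggled through the path argument, the `session_get_cookie_params()` call on the next line returns `path` as `ROOT_URLPATH . '; SameSite=None'`; the compat `setcookie()` further down only avoids inheriting it because it passes `ROOT_URLPATH` literally rather than `$params['path']`, and as far as I recall `setcookie()` rejects a path containing `;` outright. That coupling deserves a comment on the changed line, e.g. `// PHP < 7.3: session_set_cookie_params() has no samesite argument, so the attribute rides on the path; $params['path'] must therefore NOT be reused for setcookie()`. Also worth noting that when `getSecureOption()` is false this still emits `SameSite=None` without `Secure`, which browsers enforcing the None-requires-Secure rule drop, leaving the site with no session cookie at all. initSession starts before and continues after the hunk.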
@@ -70,7 +70,7 @@ public function sfSessRead($id)
     {
         if (empty($_COOKIE['ECSESSID']) && $id !== $_COOKIE['legacy-ECSESSID']) {
             // session_id と $_COOKIE['legacy-ECSESSID'] が異なる場合は ECSESSID の cookie が拒否されたと見なす
-            GC_Utils_Ex::gfPrintLog('replace session id: '.$id.'=>'.$_COOKIE['legacy-ECSESSID']);
+            GC_Utils_Ex::gfPrintLog('replace session id');
             $id = $_COOKIE['legacy-ECSESSID']; // $_COOKIE['legacy-ECSESSID'] からセッションデータを読み込む
         }
         $objQuery = SC_Query_Ex::getSingletonInstance();
From 8ff48a44de43508fd2ab5a4ebadf1123cef7620f Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi
Date: Mon, 10 Feb 2020 10:34:52 +0900
Subject: [PATCH 5/7] PHP7.3 or higher support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- secure オプションが無い場合は SameSite を空で送る
- 互換用 cookie は secure オプション必須にする
---
 data/class/helper/SC_Helper_Session.php       |  5 ++--
 .../SC_SessionFactory_UseCookie.php           | 27 +++++++++++++++----
 2 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/data/class/helper/SC_Helper_Session.php b/data/class/helper/SC_Helper_Session.php
index 97f3168729..a0a87f72aa 100644
--- a/data/class/helper/SC_Helper_Session.php
+++ b/data/class/helper/SC_Helper_Session.php
@@ -68,9 +68,10 @@ public function sfSessClose()
      */
     public function sfSessRead($id)
     {
-        if (empty($_COOKIE['ECSESSID']) && $id !== $_COOKIE['legacy-ECSESSID']) {
+        // SameSite=None を未サポート UA 向け対応
+        if (empty($_COOKIE['ECSESSID']) && isset($_COOKIE['legacy-ECSESSID']) && $id !== $_COOKIE['legacy-ECSESSID']) {
             // session_id と $_COOKIE['legacy-ECSESSID'] が異なる場合は ECSESSID の cookie が拒否されたと見なす
-            GC_Utils_Ex::gfPrintLog('replace session id');
+            GC_Utils_Ex::gfPrintLog('replace session id: ECSESSID=>legacy-ECSESSID');
             $id = $_COOKIE['legacy-ECSESSID']; // $_COOKIE['legacy-ECSESSID'] からセッションデータを読み込む
         }
         $objQuery = SC_Query_Ex::getSingletonInstance();
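Review bot: `$_COOKIE['legacy-ECSESSID']` is handed to the session store as an id with no shape check at all, so the new condition opens a second cookie-to-session-id path that skips whatever validation the regular ECSESSID path receives; a well-formed-id check before the swap keeps garbage and oversized values out of the lookup and makes log noise from probing cheap to filter. Extending the condition with `preg_match('/\A[0-9A-Za-z,-]{22,256}\z/', $_COOKIE['legacy-ECSESSID'])` covers the id formats PHP itself generates; adjust the pattern if this installation generates its own ids. The `select()` below is parameterised, so this is about limiting the fallback surface rather than SQL injection. sfSessRead continues past the hunk.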
diff --git a/data/class/sessionfactory/SC_SessionFactory_UseCookie.php b/data/class/sessionfactory/SC_SessionFactory_UseCookie.php
index cd44706c17..cbff35dbb7 100644
--- a/data/class/sessionfactory/SC_SessionFactory_UseCookie.php
+++ b/data/class/sessionfactory/SC_SessionFactory_UseCookie.php
@@ -46,16 +46,33 @@ public function initSession()
         ini_set('session.cache_limiter', 'none');
         // (session.auto_start などで)セッションが開始されていた場合に備えて閉じる。(FIXME: 保存する必要はない。破棄で良い。)
         session_write_close();
-        // FIXME PHP7.3 or higher
-        session_set_cookie_params(0, ROOT_URLPATH.'; SameSite=None', DOMAIN_NAME, $this->getSecureOption(), true);
-        $params = session_get_cookie_params();
+        $params = array(
+            'lifetime' => 0,
+            'path' => ROOT_URLPATH,
+            'domain' => DOMAIN_NAME,
+            'secure' => $this->getSecureOption(),
+            'httponly' => true,
+            'samesite' => ''
+        );
+        if ($this->getSecureOption()) {
+            $params['samesite'] = 'None'; // require secure option
+        }
+        if (PHP_VERSION_ID >= 70300) {
+            session_set_cookie_params($params);
+        } else {
+            $samesite = '';
+            if (!empty($params['samesite'])) {
+                $samesite = '; SameSite='.$params['samesite'];
+            }
+            session_set_cookie_params($params['lifetime'], $params['path'].$samesite, $params['domain'], $params['secure'], $params['httponly']);
+        }
         // セッション開始
         // FIXME EC-CUBE をネストしてインストールした場合を考慮して、一意とすべき
         session_name('ECSESSID');
         session_start();
         if (session_id() !== '') {
-            // SameSite=None を未サポートの UA 向けに cookie を発行する
-            setcookie('legacy-'.session_name(), session_id(), $params['lifetime'], ROOT_URLPATH, $params['domain'], $params['secure'], true);
+            // SameSite=None を未サポートの UA 向けに cookie を発行する. secure option 必須
+            setcookie('legacy-'.session_name(), session_id(), $params['lifetime'], $params['path'], $params['domain'], true, true);
         }
     }
 
From d3cd7ddfb135fd7a942b96f5236355ca38062d5f Mon Sep 17 00:00:00 2001
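Review bot: The compat `setcookie()` at the bottom of the hunk is issued unconditionally with `secure=true`, yet the block above attaches `SameSite=None` only when `getSecureOption()` is true; on a plain-http deployment there is nothing for the compat cookie to compensate for, and browsers implementing "leave Secure cookies alone" will not even store a Secure cookie set over http, so it is dead weight there. Gating it on the attribute actually being emitted makes the intent explicit: `if (session_id() !== '' && $params['samesite'] === 'None') {`. It would also help to annotate the `'samesite' => ''` entry with a comment that an empty value means the attribute is omitted on both the 7.3+ array path and the pre-7.3 path-suffix path, since that is the only reason the non-secure case is safe. initSession starts before the hunk.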
From: Kentaro Ohkouchi
Date: Mon, 10 Feb 2020 10:57:52 +0900
Subject: [PATCH 6/7] =?UTF-8?q?=E4=BA=92=E6=8F=9B=E7=94=A8=20cookie=20?=
 =?UTF-8?q?=E3=82=92=E8=AA=AD=E3=81=BF=E8=BE=BC=E3=82=93=E3=81=A0=E3=81=82?=
 =?UTF-8?q?=E3=81=A8=E3=81=AF=E5=89=8A=E9=99=A4=E3=81=99=E3=82=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 data/class/helper/SC_Helper_Session.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/class/helper/SC_Helper_Session.php b/data/class/helper/SC_Helper_Session.php
index a0a87f72aa..1520706e11 100644
--- a/data/class/helper/SC_Helper_Session.php
+++ b/data/class/helper/SC_Helper_Session.php
@@ -73,6 +73,7 @@ public function sfSessRead($id)
             // session_id と $_COOKIE['legacy-ECSESSID'] が異なる場合は ECSESSID の cookie が拒否されたと見なす
             GC_Utils_Ex::gfPrintLog('replace session id: ECSESSID=>legacy-ECSESSID');
             $id = $_COOKIE['legacy-ECSESSID']; // $_COOKIE['legacy-ECSESSID'] からセッションデータを読み込む
+            unset($_COOKIE['legacy-ECSESSID']);
         }
         $objQuery = SC_Query_Ex::getSingletonInstance();
         $arrRet = $objQuery->select('sess_data', 'dtb_session', 'sess_id = ?', array($id));
From bf2bac19ed1d232e437043d0a2b0e3482ec306bd Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi
Date: Mon, 10 Feb 2020 10:59:39 +0900
Subject: [PATCH 7/7] =?UTF-8?q?=E3=82=B3=E3=83=A1=E3=83=B3=E3=83=88?=
 =?UTF-8?q?=E4=BF=AE=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 data/class/helper/SC_Helper_Session.php                   | 2 +-
 data/class/sessionfactory/SC_SessionFactory_UseCookie.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/class/helper/SC_Helper_Session.php b/data/class/helper/SC_Helper_Session.php
index 1520706e11..b7e4b5628c 100644
--- a/data/class/helper/SC_Helper_Session.php
+++ b/data/class/helper/SC_Helper_Session.php
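Review bot: `unset($_COOKIE['legacy-ECSESSID'])` only scrubs this request's copy of the cookie — presumably so a second read in the same request cannot swap again — but it does nothing to the browser's cookie, despite the commit subject talking about deleting it. The browser's copy is replaced only because initSession re-issues `legacy-ECSESSID` with the new `session_id()` after `session_start()` returns, so a session started through any other path would keep the stale value. A comment stating that dependency would stop the next reader from assuming the cookie is expired here, e.g. `// scrubs only this request's copy; the browser's cookie is overwritten by the setcookie() in SC_SessionFactory_UseCookie::initSession()`. sfSessRead starts before and continues past the hunk.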
@@ -72,7 +72,7 @@ public function sfSessRead($id)
         if (empty($_COOKIE['ECSESSID']) && isset($_COOKIE['legacy-ECSESSID']) && $id !== $_COOKIE['legacy-ECSESSID']) {
             // session_id と $_COOKIE['legacy-ECSESSID'] が異なる場合は ECSESSID の cookie が拒否されたと見なす
             GC_Utils_Ex::gfPrintLog('replace session id: ECSESSID=>legacy-ECSESSID');
-            $id = $_COOKIE['legacy-ECSESSID']; // $_COOKIE['legacy-ECSESSID'] からセッションデータを読み込む
+            $id = $_COOKIE['legacy-ECSESSID']; // 互換用 cookie からセッションデータを読み込む
             unset($_COOKIE['legacy-ECSESSID']);
         }
         $objQuery = SC_Query_Ex::getSingletonInstance();
diff --git a/data/class/sessionfactory/SC_SessionFactory_UseCookie.php b/data/class/sessionfactory/SC_SessionFactory_UseCookie.php
index cbff35dbb7..dba3e29483 100644
--- a/data/class/sessionfactory/SC_SessionFactory_UseCookie.php
+++ b/data/class/sessionfactory/SC_SessionFactory_UseCookie.php
@@ -71,7 +71,7 @@ public function initSession()
         session_name('ECSESSID');
         session_start();
         if (session_id() !== '') {
-            // SameSite=None を未サポートの UA 向けに cookie を発行する. secure option 必須
+            // SameSite=None を未サポートの UA 向けに 互換用 cookie を発行する. secure option 必須
             setcookie('legacy-'.session_name(), session_id(), $params['lifetime'], $params['path'], $params['domain'], true, true);
         }
     }