Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Enforce HTTP-only (and secure) cookies for session persistence.
  • Loading branch information
BusterNeece committed Aug 26, 2021
1 parent 2e9bffa commit 95a9b8c
Show file tree
Hide file tree
Showing 3 changed files with 31 additions and 29 deletions.
22 changes: 0 additions & 22 deletions config/services.php
Expand Up @@ -219,28 +219,6 @@ function () use (
return $store;
},

// Session save handler middleware
Mezzio\Session\SessionPersistenceInterface::class => static function (
Environment $environment,
Psr\Cache\CacheItemPoolInterface $cachePool
) {
if ($environment->isCli()) {
$cachePool = new Symfony\Component\Cache\Adapter\ArrayAdapter();
}

$cachePool = new Symfony\Component\Cache\Adapter\ProxyAdapter($cachePool, 'session.');

return new Mezzio\Session\Cache\CacheSessionPersistence(
$cachePool,
'app_session',
'/',
'nocache',
43200,
time(),
true
);
},

// Console
App\Console\Application::class => static function (
DI\Container $di,
Expand Down
3 changes: 0 additions & 3 deletions src/Middleware/EnforceSecurity.php
Expand Up @@ -38,9 +38,6 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface

$addHstsHeader = false;
if ('https' === $request->getUri()->getScheme()) {
// Enforce secure cookies.
ini_set('session.cookie_secure', '1');

$addHstsHeader = true;
} elseif ($always_use_ssl && !$internal_api_url) {
return $this->responseFactory->createResponse(307)
Expand Down
35 changes: 31 additions & 4 deletions src/Middleware/InjectSession.php
Expand Up @@ -4,26 +4,38 @@

namespace App\Middleware;

use App\Entity;
use App\Environment;
use App\Http\ServerRequest;
use App\Session\Csrf;
use App\Session\Flash;
use Mezzio\Session\Cache\CacheSessionPersistence;
use Mezzio\Session\LazySession;
use Mezzio\Session\SessionPersistenceInterface;
use Psr\Cache\CacheItemPoolInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Symfony\Component\Cache\Adapter\ArrayAdapter;
use Symfony\Component\Cache\Adapter\ProxyAdapter;

/**
* Inject the session object into the request.
*/
class InjectSession implements MiddlewareInterface
{
protected CacheItemPoolInterface $cachePool;

public function __construct(
protected SessionPersistenceInterface $sessionPersistence,
CacheItemPoolInterface $cachePool,
protected Entity\Repository\SettingsRepository $settingsRepo,
protected Environment $environment
) {
if ($environment->isCli()) {
$cachePool = new ArrayAdapter();
}

$this->cachePool = new ProxyAdapter($cachePool, 'session.');
}

/**
Expand All @@ -32,7 +44,22 @@ public function __construct(
*/
public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
{
$session = new LazySession($this->sessionPersistence, $request);
$alwaysUseSsl = $this->settingsRepo->readSettings()->getAlwaysUseSsl();
$isHttpsUrl = ('https' === $request->getUri()->getScheme());

$sessionPersistence = new CacheSessionPersistence(
cache: $this->cachePool,
cookieName: 'app_session',
cookiePath: '/',
cacheLimiter: 'nocache',
cacheExpire: 43200,
lastModified: time(),
persistent: true,
cookieSecure: $alwaysUseSsl && $isHttpsUrl,
cookieHttpOnly: true
);

$session = new LazySession($sessionPersistence, $request);

$csrf = new Csrf($session, $this->environment);
Csrf::setInstance($csrf);
Expand All @@ -45,6 +72,6 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
->withAttribute(ServerRequest::ATTR_SESSION_FLASH, $flash);

$response = $handler->handle($request);
return $this->sessionPersistence->persistSession($session, $response);
return $sessionPersistence->persistSession($session, $response);
}
}

0 comments on commit 95a9b8c

Please sign in to comment.