From 23888fab5054487790a7cb79e35861464ad30bee Mon Sep 17 00:00:00 2001
From: Anthony MARTIN <anthony.martin@sensiolabs.com>
Date: Tue, 29 Jan 2019 17:57:01 +0100
Subject: [PATCH] [FrameworkBundle] Add sid_length and sid_bits_per_character
 session ini options in configuration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #29830
| License       | MIT
| Doc PR        | n/a

this a fix for the issue #29830

After deliberation, we estimate that only `sid_length` and` sid_bits_per_character` session options should be exposed. These options à optional.

For others, we recommend changing your php.ini file

We can now configure the session like this :

```yaml
framwork:
  session:
    sid_length: 64 //optional, recommended value is 32
    sid_bits_per_character: 6 //optional, recommended value is 5
```
---
 .../Bundle/FrameworkBundle/CHANGELOG.md       |  2 ++
 .../DependencyInjection/Configuration.php     |  8 ++++++
 .../Resources/config/schema/symfony-1.0.xsd   | 28 ++++++++++++++++++-
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md b/src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md
index 9b9fdecee5bb0..872b7614206de 100644
--- a/src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md
+++ b/src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md
@@ -12,6 +12,8 @@ CHANGELOG
    PHP's native `serialize()` and `unserialize()` functions. To use the
    original serialization method, set the `framework.messenger.serializer.id`
    config option to `messenger.transport.symfony_serializer`.
+ * Added php ini session options `sid_length` and `sid_bits_per_character` 
+   to the `session` section of the configuration
 
 4.2.0
 -----
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
index 3335149d7f574..53a3220000ad3 100644
--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -509,6 +509,14 @@ private function addSessionSection(ArrayNodeDefinition $rootNode)
                             ->defaultValue(0)
                             ->info('seconds to wait between 2 session metadata updates')
                         ->end()
+                        ->integerNode('sid_length')
+                            ->min(22)
+                            ->max(256)
+                        ->end()
+                        ->integerNode('sid_bits_per_character')
+                            ->min(4)
+                            ->max(6)
+                        ->end()
                     ->end()
                 ->end()
             ->end()
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd b/src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd
index f2b57a31e72c6..9addff6c13993 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd
+++ b/src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd
@@ -114,13 +114,16 @@
         <xsd:attribute name="cookie-domain" type="xsd:string" />
         <xsd:attribute name="cookie-secure" type="cookie_secure" />
         <xsd:attribute name="cookie-httponly" type="xsd:boolean" />
+        <xsd:attribute name="cookie-samesite" type="cookie_samesite" />
         <xsd:attribute name="use-cookies" type="xsd:boolean" />
         <xsd:attribute name="cache-limiter" type="xsd:string" />
         <xsd:attribute name="gc-maxlifetime" type="xsd:string" />
         <xsd:attribute name="gc-divisor" type="xsd:string" />
         <xsd:attribute name="gc-probability" type="xsd:string" />
-        <xsd:attribute name="use-strict-mode" type="xsd:boolean" />
         <xsd:attribute name="save-path" type="xsd:string" />
+        <xsd:attribute name="metadata-update-threshold" type="xsd:nonNegativeInteger" />
+        <xsd:attribute name="sid-length" type="sid_length" />
+        <xsd:attribute name="sid-bits-per-character" type="sid_bits_per_character" />
     </xsd:complexType>
 
     <xsd:complexType name="request">
@@ -352,6 +355,29 @@
         </xsd:restriction>
     </xsd:simpleType>
 
+    <xsd:simpleType name="cookie_samesite">
+        <xsd:restriction base="xsd:string">
+            <xsd:enumeration value="" />
+            <xsd:enumeration value="lax" />
+            <xsd:enumeration value="strict" />
+        </xsd:restriction>
+    </xsd:simpleType>
+
+    <xsd:simpleType name="sid_bits_per_character">
+        <xsd:restriction base="xsd:positiveInteger">
+            <xsd:enumeration value="4" />
+            <xsd:enumeration value="5" />
+            <xsd:enumeration value="6" />
+        </xsd:restriction>
+    </xsd:simpleType>
+
+    <xsd:simpleType name="sid_length">
+        <xsd:restriction base="xsd:positiveInteger">
+            <xsd:minInclusive value="22" />
+            <xsd:maxInclusive value="256" />
+        </xsd:restriction>
+    </xsd:simpleType>
+
     <xsd:simpleType name="workflow_type">
         <xsd:restriction base="xsd:string">
             <xsd:enumeration value="state_machine" />