Enforce HTTP-only (and secure) cookies for session persistence.

This commit is contained in:
Buster "Silver Eagle" Neece 2021-08-26 18:40:11 -05:00
parent 2e9bffa08e
commit 95a9b8c781
GPG Key ID: 6D9E12FF03411F4E
3 changed files with 31 additions and 29 deletions


@ -219,28 +219,6 @@ return [
return $store;
},
// Session save handler middleware
Mezzio\Session\SessionPersistenceInterface::class => static function (
Environment $environment,
Psr\Cache\CacheItemPoolInterface $cachePool
) {
if ($environment->isCli()) {
$cachePool = new Symfony\Component\Cache\Adapter\ArrayAdapter();
}
$cachePool = new Symfony\Component\Cache\Adapter\ProxyAdapter($cachePool, 'session.');
return new Mezzio\Session\Cache\CacheSessionPersistence(
$cachePool,
'app_session',
'/',
'nocache',
43200,
time(),
true
);
},
// Console
App\Console\Application::class => static function (
DI\Container $di,


@ -38,9 +38,6 @@ class EnforceSecurity implements MiddlewareInterface
$addHstsHeader = false;
if ('https' === $request->getUri()->getScheme()) {
// Enforce secure cookies.
ini_set('session.cookie_secure', '1');
$addHstsHeader = true;
} elseif ($always_use_ssl && !$internal_api_url) {
return $this->responseFactory->createResponse(307)


@ -4,26 +4,38 @@ declare(strict_types=1);
namespace App\Middleware;
use App\Entity;
use App\Environment;
use App\Http\ServerRequest;
use App\Session\Csrf;
use App\Session\Flash;
use Mezzio\Session\Cache\CacheSessionPersistence;
use Mezzio\Session\LazySession;
use Mezzio\Session\SessionPersistenceInterface;
use Psr\Cache\CacheItemPoolInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Symfony\Component\Cache\Adapter\ArrayAdapter;
use Symfony\Component\Cache\Adapter\ProxyAdapter;
/**
* Inject the session object into the request.
*/
class InjectSession implements MiddlewareInterface
{
protected CacheItemPoolInterface $cachePool;
public function __construct(
protected SessionPersistenceInterface $sessionPersistence,
CacheItemPoolInterface $cachePool,
protected Entity\Repository\SettingsRepository $settingsRepo,
protected Environment $environment
) {
if ($environment->isCli()) {
$cachePool = new ArrayAdapter();
}
$this->cachePool = new ProxyAdapter($cachePool, 'session.');
}
/**
@ -32,7 +44,22 @@ class InjectSession implements MiddlewareInterface
*/
public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
{
$session = new LazySession($this->sessionPersistence, $request);
$alwaysUseSsl = $this->settingsRepo->readSettings()->getAlwaysUseSsl();
$isHttpsUrl = ('https' === $request->getUri()->getScheme());
$sessionPersistence = new CacheSessionPersistence(
cache: $this->cachePool,
cookieName: 'app_session',
cookiePath: '/',
cacheLimiter: 'nocache',
cacheExpire: 43200,
lastModified: time(),
persistent: true,
cookieSecure: $alwaysUseSsl && $isHttpsUrl,
cookieHttpOnly: true
);
$session = new LazySession($sessionPersistence, $request);
$csrf = new Csrf($session, $this->environment);
Csrf::setInstance($csrf);
@ -45,6 +72,6 @@ class InjectSession implements MiddlewareInterface
->withAttribute(ServerRequest::ATTR_SESSION_FLASH, $flash);
$response = $handler->handle($request);
return $this->sessionPersistence->persistSession($session, $response);
return $sessionPersistence->persistSession($session, $response);
}
}
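Review bot: `cookieSecure: $alwaysUseSsl && $isHttpsUrl` only marks the session cookie Secure when the always-use-SSL setting is on, so on an install that serves both schemes a cookie issued during an HTTPS request is still sent back over plain HTTP; since this expression replaces the `ini_set('session.cookie_secure', '1')` dropped from EnforceSecurity, it is now the only place the attribute is set. If keeping the session reachable over http on mixed-scheme installs is intended, record it next to the argument, e.g. `// Secure only when the instance is configured HTTPS-only; mixed-scheme installs keep the cookie usable over http`. The scheme check also trusts `$request->getUri()->getScheme()`, which behind a TLS-terminating proxy presumably depends on earlier proxy-header middleware — worth a one-line note so the two stay in step. If the installed mezzio-session-cache exposes `cookieSameSite`, passing it explicitly here would document the intended SameSite policy instead of relying on the library default. `process` continues between the second and third hunks.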