Enforce HTTP-only (and secure) cookies for session persistence.
This commit is contained in:
parent
2e9bffa08e
commit
95a9b8c781
|
@ -219,28 +219,6 @@ return [
|
|||
return $store;
|
||||
},
|
||||
|
||||
// Session save handler middleware
|
||||
Mezzio\Session\SessionPersistenceInterface::class => static function (
|
||||
Environment $environment,
|
||||
Psr\Cache\CacheItemPoolInterface $cachePool
|
||||
) {
|
||||
if ($environment->isCli()) {
|
||||
$cachePool = new Symfony\Component\Cache\Adapter\ArrayAdapter();
|
||||
}
|
||||
|
||||
$cachePool = new Symfony\Component\Cache\Adapter\ProxyAdapter($cachePool, 'session.');
|
||||
|
||||
return new Mezzio\Session\Cache\CacheSessionPersistence(
|
||||
$cachePool,
|
||||
'app_session',
|
||||
'/',
|
||||
'nocache',
|
||||
43200,
|
||||
time(),
|
||||
true
|
||||
);
|
||||
},
|
||||
|
||||
// Console
|
||||
App\Console\Application::class => static function (
|
||||
DI\Container $di,
|
||||
|
|
|
@ -38,9 +38,6 @@ class EnforceSecurity implements MiddlewareInterface
|
|||
|
||||
$addHstsHeader = false;
|
||||
if ('https' === $request->getUri()->getScheme()) {
|
||||
// Enforce secure cookies.
|
||||
ini_set('session.cookie_secure', '1');
|
||||
|
||||
$addHstsHeader = true;
|
||||
} elseif ($always_use_ssl && !$internal_api_url) {
|
||||
return $this->responseFactory->createResponse(307)
|
||||
|
|
|
@ -4,26 +4,38 @@ declare(strict_types=1);
|
|||
|
||||
namespace App\Middleware;
|
||||
|
||||
use App\Entity;
|
||||
use App\Environment;
|
||||
use App\Http\ServerRequest;
|
||||
use App\Session\Csrf;
|
||||
use App\Session\Flash;
|
||||
use Mezzio\Session\Cache\CacheSessionPersistence;
|
||||
use Mezzio\Session\LazySession;
|
||||
use Mezzio\Session\SessionPersistenceInterface;
|
||||
use Psr\Cache\CacheItemPoolInterface;
|
||||
use Psr\Http\Message\ResponseInterface;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
use Psr\Http\Server\MiddlewareInterface;
|
||||
use Psr\Http\Server\RequestHandlerInterface;
|
||||
use Symfony\Component\Cache\Adapter\ArrayAdapter;
|
||||
use Symfony\Component\Cache\Adapter\ProxyAdapter;
|
||||
|
||||
/**
|
||||
* Inject the session object into the request.
|
||||
*/
|
||||
class InjectSession implements MiddlewareInterface
|
||||
{
|
||||
protected CacheItemPoolInterface $cachePool;
|
||||
|
||||
public function __construct(
|
||||
protected SessionPersistenceInterface $sessionPersistence,
|
||||
CacheItemPoolInterface $cachePool,
|
||||
protected Entity\Repository\SettingsRepository $settingsRepo,
|
||||
protected Environment $environment
|
||||
) {
|
||||
if ($environment->isCli()) {
|
||||
$cachePool = new ArrayAdapter();
|
||||
}
|
||||
|
||||
$this->cachePool = new ProxyAdapter($cachePool, 'session.');
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -32,7 +44,22 @@ class InjectSession implements MiddlewareInterface
|
|||
*/
|
||||
public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
|
||||
{
|
||||
$session = new LazySession($this->sessionPersistence, $request);
|
||||
$alwaysUseSsl = $this->settingsRepo->readSettings()->getAlwaysUseSsl();
|
||||
$isHttpsUrl = ('https' === $request->getUri()->getScheme());
|
||||
|
||||
$sessionPersistence = new CacheSessionPersistence(
|
||||
cache: $this->cachePool,
|
||||
cookieName: 'app_session',
|
||||
cookiePath: '/',
|
||||
cacheLimiter: 'nocache',
|
||||
cacheExpire: 43200,
|
||||
lastModified: time(),
|
||||
persistent: true,
|
||||
cookieSecure: $alwaysUseSsl && $isHttpsUrl,
|
||||
cookieHttpOnly: true
|
||||
);
|
||||
|
||||
$session = new LazySession($sessionPersistence, $request);
|
||||
|
||||
$csrf = new Csrf($session, $this->environment);
|
||||
Csrf::setInstance($csrf);
|
||||
|
@ -45,6 +72,6 @@ class InjectSession implements MiddlewareInterface
|
|||
->withAttribute(ServerRequest::ATTR_SESSION_FLASH, $flash);
|
||||
|
||||
$response = $handler->handle($request);
|
||||
return $this->sessionPersistence->persistSession($session, $response);
|
||||
return $sessionPersistence->persistSession($session, $response);
|
||||
}
|
||||
}
|
||||
|
|
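Review bot: `process()` now builds its own `CacheSessionPersistence`, so the `SessionPersistenceInterface $sessionPersistence` the constructor still promotes (a context line of the first InjectSession hunk) is no longer read anywhere visible in this class, while the first hunk of the commit also deletes the container factory for `Mezzio\Session\SessionPersistenceInterface::class`; unless the container can resolve that interface some other way, constructing `InjectSession` will fail, so either drop the parameter together with `use Mezzio\Session\SessionPersistenceInterface;` or keep the factory. Separately, `cookieSecure: $alwaysUseSsl && $isHttpsUrl` is narrower than the removed `ini_set('session.cookie_secure', '1')` in EnforceSecurity, which marked the cookie Secure on every HTTPS request regardless of the always-use-SSL setting; a session cookie issued over HTTPS without the Secure attribute is also sent on plain-HTTP requests, so if this is deliberate for mixed-scheme installs it deserves a comment such as `// Secure only when SSL is enforced, so a session survives switching between http and https.`. Note too that `$request->getUri()->getScheme()` reflects what this PHP process sees; behind a TLS-terminating proxy it may still read `http` unless the request URI has been rewritten upstream, which is worth confirming against the deployment. If the installed mezzio-session-cache version exposes `cookieSameSite`, passing it explicitly alongside `cookieHttpOnly: true` would complete the cookie hardening the commit title describes.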