session: New/unified cookie handling options.

Adds options to control the various session cookie parameters, and changes users of setcookie to use those options instead. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2381 44740490-163a-0410-bde0-09ae8108e29a

session: New/unified cookie handling options.
60fcb921 · Olav Morken · 092e9a33 · 60fcb921 · 60fcb921 · 60fcb921
Commit 60fcb921 authored 14 years ago by Olav Morken
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -145,6 +145,36 @@ $config = array (
 	'session.datastore.timeout' => (4*60*60), // 4 hours
 	

+	/*
+	 * Expiration time for the session cookie, in seconds.
+	 *
+	 * Defaults to 0, which means that the cookie expires when the browser is closed.
+	 *
+	 * Example:
+	 *  'session.cookie.lifetime' => 30*60,
+	 */
+	'session.cookie.lifetime' => 0,
+
+	/*
+	 * Limit the path of the cookies.
+	 *
+	 * Can be used to limit the path of the cookies to a specific subdirectory.
+	 *
+	 * Example:
+	 *  'session.cookie.path' => '/simplesaml/',
+	 */
+	'session.cookie.path' => '/',
+
+	/*
+	 * Cookie domain.
+	 *
+	 * Can be used to make the session cookie available to several domains.
+	 *
+	 * Example:
+	 *  'session.cookie.domain' => '.example.org',
+	 */
+	'session.cookie.domain' => NULL,
+
 	/*
 	 * Set the secure flag in the cookie.
 	 *
@@ -158,8 +188,8 @@ $config = array (
 	 * Options to override the default settings for php sessions.
 	 */
 	'session.phpsession.cookiename'  => null,
-	'session.phpsession.limitedpath' => false,
 	'session.phpsession.savepath'    => null,
+	'session.phpsession.httponly'    => FALSE,
 	
 	/*
 	 * Languages available and what language is default

--- a/lib/SimpleSAML/AuthMemCookie.php
+++ b/lib/SimpleSAML/AuthMemCookie.php
@@ -153,7 +153,8 @@ class SimpleSAML_AuthMemCookie {
 		$memcache->delete($sessionID);

 		/* Delete the session cookie. */
-		setcookie($cookieName, '', 1, '/', NULL, SimpleSAML_Utilities::isHTTPS(), TRUE);
+		$sessionHandler = SimpleSAML_SessionHandler::getSessionHandler();
+		$sessionHandler->setCookie($cookieName, NULL);
 	}



--- a/lib/SimpleSAML/SessionHandler.php
+++ b/lib/SimpleSAML/SessionHandler.php
@@ -129,6 +129,53 @@ abstract class SimpleSAML_SessionHandler {
 		return TRUE;
 	}

-}

-?>
\ No newline at end of file
+	/**
+	 * Get the cookie parameters that should be used for session cookies.
+	 *
+	 * @return array
+	 * @link http://www.php.net/manual/en/function.session-get-cookie-params.php
+	 */
+	public function getCookieParams() {
+
+		$config = SimpleSAML_Configuration::getInstance();
+
+		return array(
+			'lifetime' => $config->getInteger('session.cookie.lifetime', 0),
+			'path' => $config->getString('session.cookie.path', '/'),
+			'domain' => $config->getString('session.cookie.domain', NULL),
+			'secure' => $config->getBoolean('session.cookie.secure', FALSE),
+			'httponly' => TRUE,
+		);
+	}
+
+
+	/**
+	 * Set a session cookie.
+	 *
+	 * @param string $name  The name of the session cookie.
+	 * @param string|NULL $value  The value of the cookie. Set to NULL to delete the cookie.
+	 */
+	public function setCookie($name, $value) {
+		assert('is_string($name)');
+		assert('is_string($value) || is_null($value)');
+
+		$params = $this->getCookieParams();
+
+		if ($value === NULL) {
+			$expire = time() - 365*24*60*60;
+		} elseif ($params['lifetime'] === 0) {
+			$expire = 0;
+		} else {
+			$expire = time() + $params['lifetime'];;
+		}
+
+		$version = explode('.', PHP_VERSION);
+		if ((int)$version[0] === 5 && (int)$version[1] < 2) {
+			setcookie($name, $value, $expire, $params['path'], $params['domain'], $params['secure']);
+		} else {
+			setcookie($name, $value, $expire, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
+		}
+	}
+
+}
--- a/lib/SimpleSAML/SessionHandlerCookie.php
+++ b/lib/SimpleSAML/SessionHandlerCookie.php
@@ -51,9 +51,7 @@ extends SimpleSAML_SessionHandler {
 		/* We don't have a valid session. Create a new session id. */
 		$this->session_id = self::createSessionID();

-		$config = SimpleSAML_Configuration::getInstance();
-		$secureFlag = $config->getBoolean('session.cookie.secure', FALSE);
-		setcookie('SimpleSAMLSessionID', $this->session_id, 0, '/', NULL, $secureFlag);
+		$this->setCookie('SimpleSAMLSessionID', $this->session_id);
 	}



--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -32,11 +32,16 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler {
 		 */
 		if(session_id() === '') {
 			$config = SimpleSAML_Configuration::getInstance();
-			
-			$cookiepath = ($config->getBoolean('session.phpsession.limitedpath', FALSE) ? '/' . $config->getBaseURL() : '/');
-			$secureFlag = $config->getBoolean('session.cookie.secure', FALSE);
-			session_set_cookie_params(0, $cookiepath, NULL, $secureFlag);
-			
+
+			$params = $this->getCookieParams();
+
+			$version = explode('.', PHP_VERSION);
+			if ((int)$version[0] === 5 && (int)$version[1] < 2) {
+				session_set_cookie_params($params['lifetime'], $params['path'], $params['domain'], $params['secure']);
+			} else {
+				session_set_cookie_params($params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly']);
+			}
+
 			$cookiename = $config->getString('session.phpsession.cookiename', NULL);
 			if (!empty($cookiename)) session_name($cookiename);

@@ -114,6 +119,30 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler {
 		return array_key_exists($cookieName, $_COOKIE);
 	}

-}

-?>
\ No newline at end of file
+	/**
+	 * Get the cookie parameters that should be used for session cookies.
+	 *
+	 * This function contains some adjustments from the default to provide backwards-compatibility.
+	 *
+	 * @return array
+	 * @link http://www.php.net/manual/en/function.session-get-cookie-params.php
+	 */
+	public function getCookieParams() {
+
+		$config = SimpleSAML_Configuration::getInstance();
+
+		$ret = parent::getCookieParams();
+
+		if ($config->hasValue('session.phpsession.limitedpath') && $config->hasValue('session.cookie.path')) {
+			throw new SimpleSAML_Error_Exception('You cannot set both the session.phpsession.limitedpath and session.cookie.path options.');
+		} elseif ($config->hasValue('session.phpsession.limitedpath')) {
+			$ret['path'] = $config->getBoolean('session.phpsession.limitedpath', FALSE) ? '/' . $config->getBaseURL() : '/';
+		}
+
+		$ret['httponly'] = $config->getBoolean('session.phpsession.httponly', FALSE);
+
+		return $ret;
+	}
+
+}
--- a/www/authmemcookie.php
+++ b/www/authmemcookie.php
@@ -60,7 +60,9 @@ try {
 	$sessionID = SimpleSAML_Utilities::generateID();

 	$cookieName = $amc->getCookieName();
-	setcookie($cookieName, $sessionID, 0, '/', NULL, SimpleSAML_Utilities::isHTTPS(), TRUE);
+
+	$sessionHandler = SimpleSAML_SessionHandler::getSessionHandler();
+	$sessionHandler->setCookie($cookieName, $sessionID);


 	/* Generate the authentication information. */