forked from silverstripe/silverstripe-framework
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathCookieJar.php
More file actions
193 lines (177 loc) · 6.08 KB
/
CookieJar.php
File metadata and controls
193 lines (177 loc) · 6.08 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
<?php
namespace SilverStripe\Control;
use SilverStripe\ORM\FieldType\DBDatetime;
use LogicException;
/**
* A default backend for the setting and getting of cookies
*
* This backend allows one to better test Cookie setting and separate cookie
* handling from the core
*
*/
class CookieJar implements Cookie_Backend
{
/**
* Hold the cookies that were existing at time of instantiation (ie: The ones
* sent to PHP by the browser)
*
* @var array Existing cookies sent by the browser
*/
protected array $existing = [];
/**
* Hold the current cookies (ie: a mix of those that were sent to us and we
* have set without the ones we've cleared)
*
* @var array The state of cookies once we've sent the response
*/
protected array $current = [];
/**
* Hold any NEW cookies that were set by the application and will be sent
* in the next response
*
* @var array New cookies set by the application
*/
protected array $new = [];
/**
* @inheritDoc
*/
public function __construct(array $cookies = [])
{
$this->current = $this->existing = func_num_args()
? ($cookies ?: []) // Convert empty values to blank arrays
: $_COOKIE;
}
/**
* @inheritDoc
*/
public function set(
string $name,
string|false $value,
int $expiry = 90,
?string $path = null,
?string $domain = null,
bool $secure = false,
bool $httpOnly = true,
string $sameSite = ''
): void {
if ($sameSite === '') {
$sameSite = Cookie::getDefaultSameSite();
}
Cookie::validateSameSite($sameSite);
//are we setting or clearing a cookie? false values are reserved for clearing cookies (see PHP manual)
$clear = false;
if ($value === false || $value === '' || $expiry < 0) {
$clear = true;
$value = false;
}
//expiry === 0 is a special case where we set a cookie for the current user session
if ($expiry !== 0) {
//don't do the maths if we are clearing
$expiry = $clear ? -1 : DBDatetime::now()->getTimestamp() + (86400 * $expiry);
}
//set the path up
$path = $path ? $path : Director::baseURL();
//send the cookie
$this->outputCookie($name, $value, $expiry, $path, $domain, $secure, $httpOnly, $sameSite);
//keep our variables in check
if ($clear) {
unset($this->new[$name], $this->current[$name]);
} else {
$this->new[$name] = $this->current[$name] = $value;
}
}
/**
* Get the cookie value by name
*
* Cookie names are normalised to work around PHP's behaviour of replacing incoming variable name . with _
* @inheritDoc
*/
public function get(string $name, bool $includeUnsent = true): ?string
{
$cookies = $includeUnsent ? $this->current : $this->existing;
if (isset($cookies[$name])) {
return $cookies[$name];
}
//Normalise cookie names by replacing '.' with '_'
$safeName = str_replace('.', '_', $name ?? '');
if (isset($cookies[$safeName])) {
return $cookies[$safeName];
}
return null;
}
/**
* @inheritDoc
*/
public function getAll(bool $includeUnsent = true): array
{
return $includeUnsent ? $this->current : $this->existing;
}
/**
* @inheritDoc
*/
public function forceExpiry(
string $name,
?string $path = null,
?string $domain = null,
bool $secure = false,
bool $httpOnly = true,
string $sameSite = ''
): void {
$this->set($name, false, -1, $path, $domain, $secure, $httpOnly, $sameSite);
}
/**
* The function that actually sets the cookie using PHP
*
* @see http://uk3.php.net/manual/en/function.setcookie.php
*
* @param string $name The name of the cookie
* @param string|false $value The value for the cookie to hold. Empty string or false will clear the cookie.
* @param int $expiry A Unix timestamp indicating when the cookie expires; 0 means it will expire at the end of the session
* @param ?string $path The path to save the cookie on (falls back to site base)
* @param ?string $domain The domain to make the cookie available on
* @param bool $secure Can the cookie only be sent over SSL?
* @param bool $httpOnly Prevent the cookie being accessible by JS
* @param string $sameSite The "SameSite" value for the cookie. Must be one of "None", "Lax", or "Strict".
* If $sameSite is left empty, the default will be used.
* @return bool If the cookie was set or not; doesn't mean it's accepted by the browser
*/
protected function outputCookie(
string $name,
string|false $value,
int $expiry = 90,
?string $path = null,
?string $domain = null,
bool $secure = false,
bool $httpOnly = true,
string $sameSite = ''
): bool {
if ($sameSite === '') {
$sameSite = Cookie::getDefaultSameSite();
}
Cookie::validateSameSite($sameSite);
// if headers aren't sent, we can set the cookie
if (!headers_sent($file, $line)) {
return setcookie($name, $value, [
'expires' => $expiry,
'path' => $path ?? '',
'domain' => $domain ?? '',
'secure' => $this->cookieIsSecure($sameSite, (bool) $secure),
'httponly' => $httpOnly,
'samesite' => $sameSite,
]);
}
if (Cookie::config()->uninherited('report_errors')) {
throw new LogicException(
"Cookie '$name' can't be set. The site started outputting content at line $line in $file"
);
}
return false;
}
/**
* Cookies must be secure if samesite is "None"
*/
private function cookieIsSecure(string $sameSite, bool $secure): bool
{
return $sameSite === 'None' ? true : $secure;
}
}