Merging develop to master in preparation for 1.4.0 release.

Author: weierophinney

.travis.yml

@@ -12,24 +12,18 @@ env:
 matrix:
   fast_finish: true
   include:
-    - php: 7.1
+    - php: 7.3
       env:
         - DEPS=lowest
-    - php: 7.1
+    - php: 7.3
       env:
         - DEPS=latest
         - CS_CHECK=true
         - TEST_COVERAGE=true
-    - php: 7.2
-      env:
-        - DEPS=lowest
-    - php: 7.2
-      env:
-        - DEPS=latest
-    - php: 7.3
+    - php: 7.4
       env:
         - DEPS=lowest
-    - php: 7.3
+    - php: 7.4
       env:
         - DEPS=latest
 

CHANGELOG.md

@@ -2,11 +2,11 @@
 
 All notable changes to this project will be documented in this file, in reverse chronological order by release.
 
-## 1.3.2 - TBD
+## 1.4.0 - 2020-06-17
 
 ### Added
 
-- Nothing.
+- [#3](https://github.com/mezzio/mezzio-session-cache/pull/3) adds support for SameSite cookies. By default, the SameSite attribute will be set to "Lax", but the value can be configured via the mezzio-session-cache.cookie_same_site configuration setting.
 
 ### Changed
 

composer.json

@@ -23,16 +23,16 @@
     },
     "extra": {
         "branch-alias": {
-            "dev-master": "1.3.x-dev",
-            "dev-develop": "1.4.x-dev"
+            "dev-master": "1.4.x-dev",
+            "dev-develop": "1.5.x-dev"
         },
         "laminas": {
             "config-provider": "Mezzio\\Session\\Cache\\ConfigProvider"
         }
     },
     "require": {
-        "php": "^7.1",
-        "dflydev/fig-cookies": "^1.0.2 || ^2.0",
+        "php": "^7.3",
+        "dflydev/fig-cookies": "^2.0.1",
         "laminas/laminas-zendframework-bridge": "^1.0",
         "mezzio/mezzio-session": "^1.2",
         "psr/cache": "^1.0",

docs/book/v1/config.md

@@ -8,6 +8,7 @@ This package allows configuring the following items:
 - The session cookie path.
 - The session cookie secure option.
 - The session cookie httponly option.
+- The session cookie SameSite attribute (since 1.4.0).
 - The cache limiter (which controls how resources using sessions are cached by the browser).
 - When the session expires.
 - When the resource using a session was last modified.
@@ -117,6 +118,23 @@ return [
         // by scripting languages, such as JavaScript.
         'cookie_http_only' => false,
 
+        // Available since 1.4.0
+        //
+        // Asserts that a cookie must not be sent with cross-origin requests,
+        // providing some protection against cross-site request forgery attacks (CSRF).
+        //
+        // Allowed values:
+        // - Strict: The browser sends the cookie only for same-site requests
+        //   (that is, requests originating from the same site that set the cookie).
+        //   If the request originated from a different URL than the current one,
+        //   no cookies with the SameSite=Strict attribute are sent.
+        // - Lax: The cookie is withheld on cross-site subrequests, such as calls
+        //   to load images or frames, but is sent when a user navigates to the URL
+        //   from an external site, such as by following a link.
+        // - None: The browser sends the cookie with both cross-site and same-site
+        //   requests.
+        'cookie_same_site' => 'Lax',
+
         // Governs the various cache control headers emitted when
         // a session cookie is provided to the client. Value may be one
         // of "nocache", "public", "private", or "private_no_expire";

docs/book/v1/manual.md

@@ -33,6 +33,9 @@ The following details the constructor of the `Mezzio\Session\Cache\CacheSessionP
  * @param bool $cookieHttpOnly Whether or not the cookie may be accessed
  *     by client-side apis (e.g., Javascript). An http-only cookie cannot
  *     be accessed by client-side apis.
+ * @param string $cookieSameSite The same-site rule to apply to the persisted
+ *    cookie. Options include "Lax", "Strict", and "None".
+ *    Available since 1.4.0
  *
  * @todo reorder these arguments so they make more sense and are in an
  *     order of importance
@@ -47,7 +50,8 @@ public function __construct(
     bool $persistent = false,
     string $cookieDomain = null,
     bool $cookieSecure = false,
-    bool $cookieHttpOnly = false
+    bool $cookieHttpOnly = false,
+    string $cookieSameSite = 'Lax'
 ) {
 ```
 

src/CacheSessionPersistence.php

@@ -14,6 +14,7 @@
 use DateTimeImmutable;
 use Dflydev\FigCookies\FigRequestCookies;
 use Dflydev\FigCookies\FigResponseCookies;
+use Dflydev\FigCookies\Modifier\SameSite;
 use Dflydev\FigCookies\SetCookie;
 use Mezzio\Session\Session;
 use Mezzio\Session\SessionCookiePersistenceInterface;
@@ -85,6 +86,9 @@ class CacheSessionPersistence implements SessionPersistenceInterface
     /** @var bool */
     private $cookieHttpOnly;
 
+    /** @var string */
+    private $cookieSameSite;
+
     /** @var false|string */
     private $lastModified;
 
@@ -121,6 +125,8 @@ class CacheSessionPersistence implements SessionPersistenceInterface
      * @param bool $cookieHttpOnly Whether or not the cookie may be accessed
      *     by client-side apis (e.g., Javascript). An http-only cookie cannot
      *     be accessed by client-side apis.
+     * @param string $cookieSameSite The same-site rule to apply to the persisted
+     *    cookie. Options include "Lax", "Strict", and "None".
      *
      * @todo reorder the constructor arguments
      */
@@ -134,7 +140,8 @@ public function __construct(
         bool $persistent = false,
         string $cookieDomain = null,
         bool $cookieSecure = false,
-        bool $cookieHttpOnly = false
+        bool $cookieHttpOnly = false,
+        string $cookieSameSite = 'Lax'
     ) {
         $this->cache = $cache;
 
@@ -151,6 +158,8 @@ public function __construct(
 
         $this->cookieHttpOnly = $cookieHttpOnly;
 
+        $this->cookieSameSite = $cookieSameSite;
+
         $this->cacheLimiter = in_array($cacheLimiter, self::SUPPORTED_CACHE_LIMITERS, true)
             ? $cacheLimiter
             : 'nocache';
@@ -197,7 +206,8 @@ public function persistSession(SessionInterface $session, ResponseInterface $res
             ->withDomain($this->cookieDomain)
             ->withPath($this->cookiePath)
             ->withSecure($this->cookieSecure)
-            ->withHttpOnly($this->cookieHttpOnly);
+            ->withHttpOnly($this->cookieHttpOnly)
+            ->withSameSite(SameSite::fromString($this->cookieSameSite));
 
         $persistenceDuration = $this->getPersistenceDuration($session);
         if ($persistenceDuration) {

src/CacheSessionPersistenceFactory.php

@@ -31,6 +31,7 @@ public function __invoke(ContainerInterface $container)
         $cookiePath     = $config['cookie_path'] ?? '/';
         $cookieSecure   = $config['cookie_secure'] ?? false;
         $cookieHttpOnly = $config['cookie_http_only'] ?? false;
+        $cookieSameSite = $config['cookie_same_site'] ?? 'Lax';
         $cacheLimiter   = $config['cache_limiter'] ?? 'nocache';
         $cacheExpire    = $config['cache_expire'] ?? 10800;
         $lastModified   = $config['last_modified'] ?? null;
@@ -46,7 +47,8 @@ public function __invoke(ContainerInterface $container)
             $persistent,
             $cookieDomain,
             $cookieSecure,
-            $cookieHttpOnly
+            $cookieHttpOnly,
+            $cookieSameSite
         );
     }
 }

test/CacheSessionPersistenceFactoryTest.php

@@ -59,6 +59,7 @@ public function testFactoryUsesSaneDefaultsForConstructorArguments()
         $this->assertAttributeSame(null, 'cookieDomain', $persistence);
         $this->assertAttributeSame(false, 'cookieSecure', $persistence);
         $this->assertAttributeSame(false, 'cookieHttpOnly', $persistence);
+        $this->assertAttributeSame('Lax', 'cookieSameSite', $persistence);
         $this->assertAttributeSame('nocache', 'cacheLimiter', $persistence);
         $this->assertAttributeSame(10800, 'cacheExpire', $persistence);
         $this->assertAttributeNotEmpty('lastModified', $persistence);
@@ -79,6 +80,7 @@ public function testFactoryAllowsConfiguringAllConstructorArguments()
                 'cookie_path'      => '/api',
                 'cookie_secure'    => true,
                 'cookie_http_only' => true,
+                'cookie_same_site' => 'None',
                 'cache_limiter'    => 'public',
                 'cache_expire'     => 300,
                 'last_modified'    => $lastModified,
@@ -97,6 +99,7 @@ public function testFactoryAllowsConfiguringAllConstructorArguments()
         $this->assertAttributeSame('example.com', 'cookieDomain', $persistence);
         $this->assertAttributeSame(true, 'cookieSecure', $persistence);
         $this->assertAttributeSame(true, 'cookieHttpOnly', $persistence);
+        $this->assertAttributeSame('None', 'cookieSameSite', $persistence);
         $this->assertAttributeSame('public', 'cacheLimiter', $persistence);
         $this->assertAttributeSame(300, 'cacheExpire', $persistence);
         $this->assertAttributeSame(

test/CacheSessionPersistenceTest.php

@@ -12,6 +12,7 @@
 
 use DateInterval;
 use DateTimeImmutable;
+use Dflydev\FigCookies\Modifier\SameSite;
 use Laminas\Diactoros\Response;
 use Mezzio\Session\Cache\CacheSessionPersistence;
 use Mezzio\Session\Cache\Exception;
@@ -275,6 +276,7 @@ public function testConstructorUsesDefaultsForOptionalArguments()
         $this->assertAttributeSame('/', 'cookiePath', $persistence);
         $this->assertAttributeSame(false, 'cookieSecure', $persistence);
         $this->assertAttributeSame(false, 'cookieHttpOnly', $persistence);
+        $this->assertAttributeSame('Lax', 'cookieSameSite', $persistence);
         $this->assertAttributeSame('nocache', 'cacheLimiter', $persistence);
         $this->assertAttributeSame(10800, 'cacheExpire', $persistence);
         $this->assertAttributeNotEmpty('lastModified', $persistence);
@@ -307,7 +309,8 @@ public function testConstructorAllowsProvidingAllArguments($cacheLimiter)
             false,
             'example.com',
             true,
-            true
+            true,
+            'None'
         );
 
         $this->assertAttributeSame($this->cachePool->reveal(), 'cache', $persistence);
@@ -316,6 +319,7 @@ public function testConstructorAllowsProvidingAllArguments($cacheLimiter)
         $this->assertAttributeSame('example.com', 'cookieDomain', $persistence);
         $this->assertAttributeSame(true, 'cookieSecure', $persistence);
         $this->assertAttributeSame(true, 'cookieHttpOnly', $persistence);
+        $this->assertAttributeSame('None', 'cookieSameSite', $persistence);
         $this->assertAttributeSame($cacheLimiter, 'cacheLimiter', $persistence);
         $this->assertAttributeSame(100, 'cacheExpire', $persistence);
         $this->assertAttributeSame(