From 06c841c10df4608e5303124ae0b99579809d0562 Mon Sep 17 00:00:00 2001 From: Ere Maijala Date: Wed, 15 Jan 2025 11:17:49 +0200 Subject: [PATCH] [FINNA-3033] Add a domain check to session cookie handling. (cherry picked from commit d8ebe10e96a379c728e0ba566ad8bf93559d20d1)
---
 module/Finna/config/module.config.php | 4 +-
 .../src/Finna/Session/ManagerFactory.php | 92 +++++++++++++++++++
 2 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100644 module/Finna/src/Finna/Session/ManagerFactory.php
diff --git a/module/Finna/config/module.config.php b/module/Finna/config/module.config.php
index 20af9fc8e32..d0c2769a1df 100644
--- a/module/Finna/config/module.config.php
+++ b/module/Finna/config/module.config.php
@@ -5,7 +5,7 @@ * * PHP version 8 *
- * Copyright (C) The National Library of Finland 2014-2024.
+ * Copyright (C) The National Library of Finland 2014-2025.
 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2,
@@ -391,6 +391,8 @@ // Factory overrides for non-Finna classes: 'VuFind\Config\PathResolver' => 'Finna\Config\PathResolverFactory',
+ \Laminas\Session\SessionManager::class => \Finna\Session\ManagerFactory::class, + 'League\CommonMark\ConverterInterface' => 'Finna\Service\MarkdownFactory', ], 'aliases' => [
diff --git a/module/Finna/src/Finna/Session/ManagerFactory.php b/module/Finna/src/Finna/Session/ManagerFactory.php
new file mode 100644
index 00000000000..049ea1c4492
--- /dev/null
+++ b/module/Finna/src/Finna/Session/ManagerFactory.php
@@ -0,0 +1,92 @@
+
+ * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link https://vufind.org/wiki/development Wiki
+ */
+
+namespace Finna\Session;
+
+use Laminas\ServiceManager\Exception\ServiceNotCreatedException;
+use Laminas\ServiceManager\Exception\ServiceNotFoundException;
+use Psr\Container\ContainerExceptionInterface as ContainerException;
+use Psr\Container\ContainerInterface;
+
+/**
+ * Factory for instantiating Session Manager
+ *
+ * @category VuFind
+ * @package Session_Handlers
+ * @author Ere Maijala
+ * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link https://vufind.org/wiki/development Wiki
+ *
+ * @codeCoverageIgnore
+ */
+class ManagerFactory extends \VuFind\Session\ManagerFactory
+{
+ /**
+ * Create an object
+ *
+ * @param ContainerInterface $container Service manager
+ * @param string $requestedName Service being created
+ * @param null|array $options Extra options (optional)
+ *
+ * @return object
+ *
+ * @throws ServiceNotFoundException if unable to resolve the service.
+ * @throws ServiceNotCreatedException if an exception is raised when
+ * creating a service.
+ * @throws ContainerException&\Throwable if any other error occurs
+ */
+ public function __invoke(
+ ContainerInterface $container,
+ $requestedName,
+ array $options = null
+ ) {
+ $sessionManager = parent::__invoke($container, $requestedName, $options);
+
+ $serverName = $_SERVER['SERVER_NAME'] ?? '';
+
+ // Verify that any existing session has the correct server name to avoid using
+ // a cookie from another domain.
+ $storage = new \Laminas\Session\Container('SessionState', $sessionManager);
+ if (null !== $storage->serverName) {
+ if ($storage->serverName !== $serverName) {
+ // Disable writes temporarily to keep the existing session intact
+ $sessionManager->getSaveHandler()->disableWrites();
+ // Regenerate session ID and reset the session data
+ $sessionManager->regenerateId(false);
+ session_unset();
+ $sessionManager->getSaveHandler()->enableWrites();
+ $storage->serverName = $serverName;
+ }
+ } else {
+ $storage->serverName = $serverName;
+ }
+
+ return $sessionManager;
+ }
+}
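Review bot: The domain a session is bound to is taken from `$_SERVER['SERVER_NAME']` in `__invoke`, and on a common Apache setup (`UseCanonicalName Off`, the default) that value is derived from the client-supplied Host header, so whoever creates a session can choose the `serverName` it is stamped with; an attacker who can already plant a cookie for a shared parent domain could pre-create the session while sending the victim's hostname, and the comparison in this hunk would then pass. Deriving the name from server-side configuration (for example the host part of the configured site URL, falling back to `SERVER_NAME` only when absent) would make the binding independent of request data; at minimum the deployment assumption should be recorded next to the assignment, e.g. `// Relies on SERVER_NAME being the canonical vhost name (Apache: UseCanonicalName On); a Host-derived value lets a client pick the domain the session is bound to.` Separately, sessions created before this change have no `serverName` and are adopted by whichever host first presents them through the else branch, which is fine once old sessions have expired but deserves a one-line comment. Constructing `\Laminas\Session\Container` inside the factory presumably starts the session for every request that builds the manager, which may emit a session cookie where one was not previously needed — worth confirming against VuFind's session start behaviour.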