From ecf0bc5b36e2e881a287ffdcb43af05d6d125b5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E4=B8=9C=E4=BA=91?=
Date: Wed, 12 Jul 2023 11:05:58 +0800
Subject: [PATCH] =?UTF-8?q?fix(middleware.session):=20=E4=BF=AE=E5=A4=8D?= =?UTF-8?q?=20secure=20=E5=AD=97=E6=AE=B5=E6=9C=AA=E8=AE=BE=E7=BD=AE?= =?UTF-8?q?=E7=9A=84=E9=97=AE=E9=A2=98=EF=BC=8C=E5=A2=9E=E5=8A=A0=E4=BA=86?= =?UTF-8?q?=20http=20=E4=B8=8D=E5=93=8D=E5=BA=94=20sameSite=20=E7=9A=84?= =?UTF-8?q?=E9=80=BB=E8=BE=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/Middleware/SessionMiddleware.php | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/Middleware/SessionMiddleware.php b/src/Middleware/SessionMiddleware.php
index 1d3097f..fbec21b 100644
--- a/src/Middleware/SessionMiddleware.php
+++ b/src/Middleware/SessionMiddleware.php
@@ -81,16 +81,28 @@ class SessionMiddleware implements MiddlewareInterface
 ResponseInterface $response,
 SessionInterface $session
 ): ResponseInterface {
+ $protocol = $request->hasHeader('x-forwarded-proto')
+ ? $request->getHeaderLine('x-forwarded-proto')
+ : $request->getUri()->getScheme();
+ $secure = $this->config->get('session.options.secure') ?? $protocol === 'https';
+
+ $samesite = $this->config->get('session.options.samesite');
+ if (!$secure && $samesite === Cookie::SAMESITE_NONE) {
+ $samesite = null;
+ } else {
+ $samesite ??= Cookie::SAMESITE_LAX;
+ }
 $cookie = new Cookie(
 name: $session->getName(),
 value: $session->getId(),
 expire: $this->getCookieExpirationDate(),
 path: $this->config->get('session.options.path', '/'),
 domain: $this->config->get('session.options.domain', $request->getUri()->getHost()),
- secure: strtolower($request->getUri()->getScheme()) === 'https',
+ secure: $secure,
 httpOnly: true,
- sameSite: $this->config->get('session.options.samesite', Cookie::SAMESITE_LAX)
+ sameSite: $samesite
 );
+
 if (!method_exists($response, 'withCookie')) {
 return $response->withHeader('Set-Cookie', (string)$cookie);
 }
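Review bot: The new `$protocol` derivation honours `x-forwarded-proto` from any client, so when `session.options.secure` is left unset a request that arrives over TLS but carries `X-Forwarded-Proto: http` gets its session cookie issued without the `Secure` attribute; the header should only override the URI scheme when the request is known to come from a trusted proxy, or the documentation should tell deployments to set `session.options.secure` explicitly rather than rely on the fallback. The comparison also lost the `strtolower()` the removed `secure:` line applied, and `getHeaderLine()` joins repeated header values with commas when several proxies append to it, so `X-Forwarded-Proto: HTTPS` or `https, http` both evaluate as not secure; normalising with `$protocol = strtolower(trim(explode(',', $protocol)[0]));` before the `=== 'https'` test closes that gap. A short comment above the `$secure` line stating that an explicit `session.options.secure` value always wins and the request scheme is only a fallback would make the precedence obvious to the next reader. The enclosing method's signature begins before the hunk and its body continues past it.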