[FrameworkBundle] Added new "auto" mode for framework.session.cookie_secure to turn it on when https is used#28244
Conversation
65a6c9d to
b695d91
Compare
b695d91 to
99580ee
Compare
Pierstoval
left a comment
There was a problem hiding this comment.
I'm also using it by default on my projects because it's important, making it default seems to be a good option to me 👍
| && ($storage = $this->container->get('session_storage')) instanceof NativeSessionStorage | ||
| && $this->container->get('request_stack')->getMasterRequest()->isSecure() | ||
| ) { | ||
| $storage->setOptions(array('cookie_secure' => true)); |
There was a problem hiding this comment.
Might be a silly question but are we sure that this is called before the storage start?
There was a problem hiding this comment.
We can throw a deprecation if that's not the case so that we ensure we can provide good security in 5.0. WDYT?
There was a problem hiding this comment.
Yep, sounds good to me 👍
Also, this option should only be set when framework.session.cookie_secure === auto, not all the time. Looks like it is calling this option even if the option is set as false here.
There was a problem hiding this comment.
Actually, we don't care: NativeSessionStorage::setOptions starts with:
if (headers_sent() || \PHP_SESSION_ACTIVE === session_status()) {
return;
}There was a problem hiding this comment.
But... we do care because if it is called after the start then the cookie_secure will not be configured which will end up having the secure cookie not configured 🤔
There was a problem hiding this comment.
"auto" must mean "best effort".
If you want to be sure to have secure, just make your config explicit.
| && ($storage = $this->container->get('session_storage')) instanceof NativeSessionStorage | ||
| && $this->container->get('request_stack')->getMasterRequest()->isSecure() | ||
| ) { | ||
| $storage->setOptions(array('cookie_secure' => true)); |
There was a problem hiding this comment.
Yep, sounds good to me 👍
Also, this option should only be set when framework.session.cookie_secure === auto, not all the time. Looks like it is calling this option even if the option is set as false here.
99580ee to
3b161ff
Compare
Which is already the case because "session_storage" is passed to "session.listener" only when |
3b161ff to
39d069a
Compare
| $container->findDefinition('security.http_utils')->addArgument(sprintf('{^%s$}i', $domainRegexp)); | ||
| if ('auto' === ($sessionOptions['cookie_secure'] ?? null)) { | ||
| $secureDomainRegexp = sprintf('{^https://%s$}i', $domainRegexp); | ||
| $domainRegexp = 'https?://'.$domainRegexp; |
There was a problem hiding this comment.
moving the regex composition to runtime would solve #28051
worth to have look in this PR?
There was a problem hiding this comment.
that's independent, it would deserve its own line in the changelog
39d069a to
4a59670
Compare
| * Deprecated auto-injection of the container in AbstractController instances, register them as service subscribers instead | ||
| * Deprecated processing of services tagged `security.expression_language_provider` in favor of a new `AddExpressionLanguageProvidersPass` in SecurityBundle. | ||
| * Enabled autoconfiguration for `Psr\Log\LoggerAwareInterface` | ||
| * Added new "auto" mode for `framework.session.cookie_secure` to turn it on when https is used |
…_secure` to turn it on when https is used
4a59670 to
4f7b41a
Compare
|
Thank you @nicolas-grekas. |
….session.cookie_secure` to turn it on when https is used (nicolas-grekas) This PR was merged into the 4.2-dev branch. Discussion ---------- [FrameworkBundle] Added new "auto" mode for `framework.session.cookie_secure` to turn it on when https is used | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | - | License | MIT | Doc PR | - I'm pretty sure we're many forgetting to make session cookies "secure". Here is an "auto" mode that makes them secure automatically when the session is started on requests with the "https" scheme. Commits ------- 4f7b41a [FrameworkBundle] Added new "auto" mode for `framework.session.cookie_secure` to turn it on when https is used
|
I've created symfony/symfony-docs#10284 to document this new feature. Please, don't forget to create a doc issue for every new feature, specially for important and security-related features like this one. Thanks! |
…ty (yceruto) This PR was merged into the 4.2 branch. Discussion ---------- [HttpKernel] Fix get session when the request stack is empty | Q | A | ------------- | --- | Branch? | 4.2 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | - | License | MIT This bug happen behind an exception on a kernel response event, when one collector (e.g. `RequestDataCollector`) is trying to get the request session and the request stack is currently empty. **Reproducer** https://github.com/yceruto/get-session-bug (`GET /`) See logs on terminal: ```bash Apr 15 20:29:03 |ERROR| PHP 2019-04-15T20:29:03-04:00 Call to a member function isSecure() on null Apr 15 20:29:03 |ERROR| PHP PHP Fatal error: Uncaught Symfony\Component\Debug\Exception\FatalThrowableError: Call to a member function isSecure() on null in /home/yceruto/demos/getsession/vendor/symfony/http-kernel/EventListener/SessionListener.php:43 Apr 15 20:29:03 |DEBUG| PHP Stack trace: Apr 15 20:29:03 |DEBUG| PHP #0 /home/yceruto/demos/getsession/vendor/symfony/http-kernel/EventListener/AbstractSessionListener.php(59): Symfony\Component\HttpKernel\EventListener\SessionListener->getSession() Apr 15 20:29:03 |DEBUG| PHP #1 /home/yceruto/demos/getsession/vendor/symfony/http-foundation/Request.php(707): Symfony\Component\HttpKernel\EventListener\AbstractSessionListener->Symfony\Component\HttpKernel\EventListener\{closure}() Apr 15 20:29:03 |DEBUG| PHP #2 /home/yceruto/demos/getsession/vendor/symfony/http-kernel/DataCollector/RequestDataCollector.php(65): Symfony\Component\HttpFoundation\Request->getSession() Apr 15 20:29:03 |DEBUG| PHP #3 /home/yceruto/demos/getsession/vendor/symfony/http-kernel/Profiler/Profiler.php(167): Symfony\Component\HttpKernel\DataCollector\RequestDataCollector->collect(Object(Symfony\Component\HttpFoundation\Request), Object(Symfony\Component\HttpFoundation\Respo in /home/yceruto/demos/getsession/vendor/symfony/http-kernel/EventListener/SessionListener.php on line 43 ``` Friendly ping @nicolas-grekas as author of the previous PR symfony/symfony#28244 Commits ------- d62ca37 Fix get session when the request stack is empty
I'm pretty sure we're many forgetting to make session cookies "secure".
Here is an "auto" mode that makes them secure automatically when the session is started on requests with the "https" scheme.