xoops_setcookie() - Code Metrics - XOOPS/XoopsCore25 - Measure and Improve Code Quality continuously with Scrutinizer

xoops_setcookie() F
last analyzed 2025-10-27 22:02 UTC

↳ Parent: Project

Complexity

Conditions	16
Paths	577

Size

Total Lines	67
Code Lines	34

Duplication

Lines	0
Ratio	0 %

Importance

Changes	1
Bugs	0	Features	0

Metric	Value
cc	16
eloc	34
c	1
b	0
f	0
nc	577
nop	8
dl	0
loc	67
rs	1.9875

How to fix Long Method Complexity Many Parameters

<?php
/*
 You may not change or alter any portion of this comment or credits of supporting
 developers from this source code or any supporting source code which is considered
 copyrighted (c) material of the original comment or credit authors.

 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 */

/**
 * Safe, modern cookie setter with RFC 6265 domain validation and SameSite support.
 *
 * This function replaces the legacy func_get_args() version with an explicit
 * signature, making it more robust and easier for static analysis to validate.
 *
 * @copyright       Copyright 2021-2025 The XOOPS Project https://xoops.org
 * @license         GNU GPL 2.0 or later (https://www.gnu.org/licenses/gpl-2.0.html)
 * @author          Richard Griffith <[email protected]>
 *
 * @param string $name The name of the cookie.
 * @param string|null $value The value of the cookie.
 * @param int $expire The time the cookie expires. This is a Unix timestamp.
 * @param string|null $path The path on the server in which the cookie will be available on.
 * @param string|null $domain The (sub)domain that the cookie is available to.
 * @param bool|null $secure Indicates that the cookie should only be transmitted over a secure HTTPS connection.
 * If null, it will be auto-detected.
 * @param bool $httponly When TRUE the cookie will be made accessible only through the HTTP protocol.
 * @param string $samesite The SameSite attribute ('Lax', 'Strict', 'None').
 * @return bool True on success, false on failure.
 */
function xoops_setcookie(
    string $name,
    ?string $value = '',
    int $expire = 0,
    ?string $path = '/',
    ?string $domain = '',
    ?bool $secure = null,
    bool $httponly = true,
    string $samesite = 'Lax'
): bool {
    if (headers_sent()) {
        return false;
    }

    // Convert null values to empty string for compatibility with setcookie.
    $value = $value ?? '';
    $host = parse_url(XOOPS_URL, PHP_URL_HOST);
    if (!is_string($host)) {

        $host = ''; // Fallback for invalid XOOPS_URL
    }
    if (!is_string($domain)) {
        $domain = ''; // Fallback for invalid domain
    }

    // Validate the domain BEFORE using it.
    if (class_exists('\Xoops\RegDom\RegisteredDomain')) {
        if (!\Xoops\RegDom\RegisteredDomain::domainMatches($host, $domain)) {
            $originalDomain = $domain;
            $domain = ''; // Auto-correct to a safe, host-only cookie

            if (defined('XOOPS_DEBUG_MODE') && XOOPS_DEBUG_MODE) {

                error_log(
                    sprintf(
                        '[XOOPS Cookie] Invalid domain "%s" for host "%s" (cookie: %s) - using host-only.',
                        $originalDomain,
                        $host,
                        $name
                    )
                );
            }
        }
    }

    // Auto-detect 'secure' flag if not explicitly set
    if ($secure === null) {
        $secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
            || (!empty($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443)
            || (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https');
    }

    // Use modern array syntax for PHP 7.3+
    if (PHP_VERSION_ID >= 70300) {
        $options = [
            'expires'  => $expire,
            'path'     => $path,
            'secure'   => $secure,
            'httponly' => $httponly,
            'samesite' => $samesite,
        ];
        if ($domain !== '') {
            $options['domain'] = $domain;
        }
        return setcookie($name, $value, $options);
    }

    // Fallback for older PHP versions
    return setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
}

/**
 * @param array $args 'name', 'value' and 'options' corresponding to php 7.3 arguments to setcookie()
 *
 * @return string
 */
function xoops_buildCookieHeader($args)
{
    //$optionsKeys = array('expires', 'path', 'domain', 'secure', 'httponly', 'samesite');
    $options = $args['options'];

    $header = 'Set-Cookie: ' . $args['name'] . '=' . rawurlencode($args['value']) . ' ';

    if (isset($options['expires']) && 0 !== $options['expires']) {
        $dateTime = new DateTime();
        if (time() >= $options['expires']) {
            $dateTime->setTimestamp(0);
            $header = 'Set-Cookie: ' . $args['name'] . '=deleted ; expires=' . $dateTime->format(DateTime::COOKIE) . ' ; Max-Age=0 ';
        } else {
            $dateTime->setTimestamp($options['expires']);
            $header .= '; expires=' . $dateTime->format(DateTime::COOKIE) . ' ';
        }
    }

    if (isset($options['path']) && '' !== $options['path']) {
        $header .= '; path=' . $options['path'] . ' ';
    }

    if (isset($options['domain']) && '' !== $options['domain']) {
        $header .= '; domain=' . $options['domain'] . ' ';
    }

    if (isset($options['secure']) && true === (bool) $options['secure']) {
        $header .= '; Secure ';
    }

    if (isset($options['httponly']) && true === (bool) $options['httponly']) {
        $header .= '; HttpOnly ';
    }

    if (isset($options['samesite']) && '' !== $options['samesite']) {
        $header .= '; samesite=' . $options['samesite'] . ' ';
    }

    return $header;
}


1			<?php
2			/*
3			You may not change or alter any portion of this comment or credits of supporting
4			developers from this source code or any supporting source code which is considered
5			copyrighted (c) material of the original comment or credit authors.
6
7			This program is distributed in the hope that it will be useful,
8			but WITHOUT ANY WARRANTY; without even the implied warranty of
9			MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
10			*/
11
12			/**
13			* Safe, modern cookie setter with RFC 6265 domain validation and SameSite support.
14			*
15			* This function replaces the legacy func_get_args() version with an explicit
16			* signature, making it more robust and easier for static analysis to validate.
17			*
18			* @copyright Copyright 2021-2025 The XOOPS Project https://xoops.org
19			* @license GNU GPL 2.0 or later (https://www.gnu.org/licenses/gpl-2.0.html)
20			* @author Richard Griffith <[email protected]>
21			*
22			* @param string $name The name of the cookie.
23			* @param string\|null $value The value of the cookie.
24			* @param int $expire The time the cookie expires. This is a Unix timestamp.
25			* @param string\|null $path The path on the server in which the cookie will be available on.
26			* @param string\|null $domain The (sub)domain that the cookie is available to.
27			* @param bool\|null $secure Indicates that the cookie should only be transmitted over a secure HTTPS connection.
28			* If null, it will be auto-detected.
29			* @param bool $httponly When TRUE the cookie will be made accessible only through the HTTP protocol.
30			* @param string $samesite The SameSite attribute ('Lax', 'Strict', 'None').
31			* @return bool True on success, false on failure.
32			*/
33			function xoops_setcookie(
34			string $name,
35			?string $value = '',
36			int $expire = 0,
37			?string $path = '/',
38			?string $domain = '',
39			?bool $secure = null,
40			bool $httponly = true,
41			string $samesite = 'Lax'
42			): bool {
43			if (headers_sent()) {
44			return false;
45			}
46
47			// Convert null values to empty string for compatibility with setcookie.
48			$value = $value ?? '';
49			$host = parse_url(XOOPS_URL, PHP_URL_HOST);
50			if (!is_string($host)) {
			0 ignored issues – show introduced 2025-10-02 00:57 UTC by Report Bug Copy Issue Report The condition `is_string($host)` is always `true`. Loading history...
51			$host = ''; // Fallback for invalid XOOPS_URL
52			}
53			if (!is_string($domain)) {
54			$domain = ''; // Fallback for invalid domain
55			}
56
57			// Validate the domain BEFORE using it.
58			if (class_exists('\Xoops\RegDom\RegisteredDomain')) {
59			if (!\Xoops\RegDom\RegisteredDomain::domainMatches($host, $domain)) {
60			$originalDomain = $domain;
61			$domain = ''; // Auto-correct to a safe, host-only cookie
62
63			if (defined('XOOPS_DEBUG_MODE') && XOOPS_DEBUG_MODE) {
			0 ignored issues – show Bug introduced 2025-10-01 10:13 UTC by Report Bug Copy Issue Report The constant `XOOPS_DEBUG_MODE` was not found. Maybe you did not declare it correctly or list all dependencies? Loading history...
64			error_log(
65			sprintf(
66			'[XOOPS Cookie] Invalid domain "%s" for host "%s" (cookie: %s) - using host-only.',
67			$originalDomain,
68			$host,
69			$name
70			)
71			);
72			}
73			}
74			}
75
76			// Auto-detect 'secure' flag if not explicitly set
77			if ($secure === null) {
78			$secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
79			\|\| (!empty($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443)
80			\|\| (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https');
81			}
82
83			// Use modern array syntax for PHP 7.3+
84			if (PHP_VERSION_ID >= 70300) {
85			$options = [
86			'expires' => $expire,
87			'path' => $path,
88			'secure' => $secure,
89			'httponly' => $httponly,
90			'samesite' => $samesite,
91			];
92			if ($domain !== '') {
93			$options['domain'] = $domain;
94			}
95			return setcookie($name, $value, $options);
96			}
97
98			// Fallback for older PHP versions
99			return setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
100			}
101
102			/**
103			* @param array $args 'name', 'value' and 'options' corresponding to php 7.3 arguments to setcookie()
104			*
105			* @return string
106			*/
107			function xoops_buildCookieHeader($args)
108			{
109			//$optionsKeys = array('expires', 'path', 'domain', 'secure', 'httponly', 'samesite');
110			$options = $args['options'];
111
112			$header = 'Set-Cookie: ' . $args['name'] . '=' . rawurlencode($args['value']) . ' ';
113
114			if (isset($options['expires']) && 0 !== $options['expires']) {
115			$dateTime = new DateTime();
116			if (time() >= $options['expires']) {
117			$dateTime->setTimestamp(0);
118			$header = 'Set-Cookie: ' . $args['name'] . '=deleted ; expires=' . $dateTime->format(DateTime::COOKIE) . ' ; Max-Age=0 ';
119			} else {
120			$dateTime->setTimestamp($options['expires']);
121			$header .= '; expires=' . $dateTime->format(DateTime::COOKIE) . ' ';
122			}
123			}
124
125			if (isset($options['path']) && '' !== $options['path']) {
126			$header .= '; path=' . $options['path'] . ' ';
127			}
128
129			if (isset($options['domain']) && '' !== $options['domain']) {
130			$header .= '; domain=' . $options['domain'] . ' ';
131			}
132
133			if (isset($options['secure']) && true === (bool) $options['secure']) {
134			$header .= '; Secure ';
135			}
136
137			if (isset($options['httponly']) && true === (bool) $options['httponly']) {
138			$header .= '; HttpOnly ';
139			}
140
141			if (isset($options['samesite']) && '' !== $options['samesite']) {
142			$header .= '; samesite=' . $options['samesite'] . ' ';
143			}
144
145			return $header;
146			}
147

XOOPS / XoopsCore25

xoops_setcookie() F last analyzed 2025-10-27 22:02 UTC

Complexity

Size

Duplication

Importance

How to fix Long Method Complexity Many Parameters

Long Method

Many Parameters

Duplication Side-by-Side

Filter issues like

xoops_setcookie() F
last analyzed 2025-10-27 22:02 UTC