CookieStore::write() - Code Metrics - Inspection of "Added data unset to stop data being read from outd..." - silverstripe/silverstripe-hybridsessions - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Pull Request — master (#47)

unknown

created 2019-02-01 00:54 UTC

CookieStore::write() B

↳ Parent: CookieStore

Complexity

Conditions	5
Paths	3

Size

Total Lines

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	40
rs	8.9688
c	0
b	0
f	0
cc	5
nc	3
nop	2

<?php

namespace SilverStripe\HybridSessions\Store;

use SilverStripe\Control\Cookie;
use SilverStripe\HybridSessions\Crypto\CryptoHandler;
use SilverStripe\Core\Config\Config;
use SilverStripe\Core\Injector\Injector;

/**
 * A session store which stores the session data in an encrypted & signed cookie.
 *
 * This way the server doesn't need to open a database connection or have a shared filesystem for reading
 * the session from - the client passes through the session with every request.
 *
 * This approach does have some limitations - cookies can only be quite small (4K total, but we limit to 1K)
 * and can only be set _before_ the server starts sending a response.
 *
 * So we clear the cookie on Session startup (which should always be before the headers get sent), but just
 * fail on Session write if we can't use cookies, assuming there's something watching for that & providing a fallback
 */
class CookieStore extends BaseStore
{

    /**
     * Maximum length of a cookie value in characters
     *
     * @var int
     * @config
     */
    private static $max_length = 1024;

    /**
     * Encryption service
     *
     * @var HybridSessionStore_Crypto
     */
    protected $crypto;

    /**
     * Name of cookie
     *
     * @var string
     */
    protected $cookie;

    /**
     * Known unmodified value of this cookie. If the cookie backend has been read into the application,
     * then the backend is unable to verify the modification state of this value internally within the
     * system, so this will be left null unless written back.
     *
     * If the content exceeds max_length then the backend can also not maintain this cookie, also
     * setting this variable to null.
     *
     * @var string
     */
    protected $currentCookieData;

    public function open($save_path, $name)
    {
        $this->cookie = $name.'_2';

        // Read the incoming value, then clear the cookie - we might not be able
        // to do so later if write() is called after headers are sent
        // This is intended to force a failover to the database store if the
        // modified session cannot be emitted.
        $this->currentCookieData = Cookie::get($this->cookie);

        if ($this->currentCookieData) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
            Cookie::set($this->cookie, '');
        }
    }

    public function close()
    {
    }

    /**
     * Get the cryptography store for the specified session
     *
     * @param string $session_id
     * @return HybridSessionStore_Crypto
     */
    protected function getCrypto($session_id)
    {
        $key = $this->getKey();

        if (!$key) {
            return null;
        }

        if (!$this->crypto || $this->crypto->getSalt() != $session_id) {
            $this->crypto = Injector::inst()->create(CryptoHandler::class, $key, $session_id);
        }

        return $this->crypto;
    }

    public function read($session_id)
    {
        // Check ability to safely decrypt content
        if (!$this->currentCookieData
            || !($crypto = $this->getCrypto($session_id))
        ) {
            return;
        }

        // Decrypt and invalidate old data
        $cookieData = $crypto->decrypt($this->currentCookieData);
        $this->currentCookieData = null;

        // Verify expiration
        if ($cookieData) {
            $expiry = (int)substr($cookieData, 0, 10);
            $data = substr($cookieData, 10);

            if ($expiry > $this->getNow()) {
                return $data;
            }
        }
    }

    /**
     * Determine if the session could be verifably written to cookie storage
     *
     * @return bool
     */
    protected function canWrite()
    {
        return !headers_sent();
    }

    public function write($session_id, $session_data)
    {
        // Check ability to safely encrypt and write content
        if (!$this->canWrite()
            || (strlen($session_data) > static::config()->get('max_length'))
            || !($crypto = $this->getCrypto($session_id))
        ) {
            if (strlen($session_data) > static::config()->get('max_length')) {
                $this->currentCookieData = null;
            }

            return false;
        }

        // Prepare content for write
        $params = session_get_cookie_params();
        // Total max lifetime, stored internally
        $lifetime = $this->getLifetime();
        $expiry = $this->getNow() + $lifetime;

        // Restore the known good cookie value
        $this->currentCookieData = $this->crypto->encrypt(
            sprintf('%010u', $expiry) . $session_data
        );

        // Respect auto-expire on browser close for the session cookie (in case the cookie lifetime is zero)
        $cookieLifetime = min((int)$params['lifetime'], $lifetime);

        Cookie::set(
            $this->cookie,
            $this->currentCookieData,
            $cookieLifetime / 86400,
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );

        return true;
    }

    public function destroy($session_id)
    {
        $this->currentCookieData = null;

        $params = session_get_cookie_params();

        Cookie::force_expiry(
            $this->cookie,
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );
    }

    public function gc($maxlifetime)
    {
        // NOP
    }
}


1			<?php
2
3			namespace SilverStripe\HybridSessions\Store;
4
5			use SilverStripe\Control\Cookie;
6			use SilverStripe\HybridSessions\Crypto\CryptoHandler;
7			use SilverStripe\Core\Config\Config;
8			use SilverStripe\Core\Injector\Injector;
9
10			/**
11			* A session store which stores the session data in an encrypted & signed cookie.
12			*
13			* This way the server doesn't need to open a database connection or have a shared filesystem for reading
14			* the session from - the client passes through the session with every request.
15			*
16			* This approach does have some limitations - cookies can only be quite small (4K total, but we limit to 1K)
17			* and can only be set _before_ the server starts sending a response.
18			*
19			* So we clear the cookie on Session startup (which should always be before the headers get sent), but just
20			* fail on Session write if we can't use cookies, assuming there's something watching for that & providing a fallback
21			*/
22			class CookieStore extends BaseStore
23			{
24
25			/**
26			* Maximum length of a cookie value in characters
27			*
28			* @var int
29			* @config
30			*/
31			private static $max_length = 1024;
32
33			/**
34			* Encryption service
35			*
36			* @var HybridSessionStore_Crypto
37			*/
38			protected $crypto;
39
40			/**
41			* Name of cookie
42			*
43			* @var string
44			*/
45			protected $cookie;
46
47			/**
48			* Known unmodified value of this cookie. If the cookie backend has been read into the application,
49			* then the backend is unable to verify the modification state of this value internally within the
50			* system, so this will be left null unless written back.
51			*
52			* If the content exceeds max_length then the backend can also not maintain this cookie, also
53			* setting this variable to null.
54			*
55			* @var string
56			*/
57			protected $currentCookieData;
58
59			public function open($save_path, $name)
60			{
61			$this->cookie = $name.'_2';
62
63			// Read the incoming value, then clear the cookie - we might not be able
64			// to do so later if write() is called after headers are sent
65			// This is intended to force a failover to the database store if the
66			// modified session cannot be emitted.
67			$this->currentCookieData = Cookie::get($this->cookie);
68
69			if ($this->currentCookieData) {
			0 ignored issues – show Bug Best Practice introduced 2015-11-21 06:21 UTC by Report Bug Copy Issue Report The expression `$this->currentCookieData` of type `string\|null` is loosely compared to `true`; this is ambiguous if the string can be empty. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history...
70			Cookie::set($this->cookie, '');
71			}
72			}
73
74			public function close()
75			{
76			}
77
78			/**
79			* Get the cryptography store for the specified session
80			*
81			* @param string $session_id
82			* @return HybridSessionStore_Crypto
83			*/
84			protected function getCrypto($session_id)
85			{
86			$key = $this->getKey();
87
88			if (!$key) {
89			return null;
90			}
91
92			if (!$this->crypto \|\| $this->crypto->getSalt() != $session_id) {
93			$this->crypto = Injector::inst()->create(CryptoHandler::class, $key, $session_id);
94			}
95
96			return $this->crypto;
97			}
98
99			public function read($session_id)
100			{
101			// Check ability to safely decrypt content
102			if (!$this->currentCookieData
103			\|\| !($crypto = $this->getCrypto($session_id))
104			) {
105			return;
106			}
107
108			// Decrypt and invalidate old data
109			$cookieData = $crypto->decrypt($this->currentCookieData);
110			$this->currentCookieData = null;
111
112			// Verify expiration
113			if ($cookieData) {
114			$expiry = (int)substr($cookieData, 0, 10);
115			$data = substr($cookieData, 10);
116
117			if ($expiry > $this->getNow()) {
118			return $data;
119			}
120			}
121			}
122
123			/**
124			* Determine if the session could be verifably written to cookie storage
125			*
126			* @return bool
127			*/
128			protected function canWrite()
129			{
130			return !headers_sent();
131			}
132
133			public function write($session_id, $session_data)
134			{
135			// Check ability to safely encrypt and write content
136			if (!$this->canWrite()
137			\|\| (strlen($session_data) > static::config()->get('max_length'))
138			\|\| !($crypto = $this->getCrypto($session_id))
139			) {
140			if (strlen($session_data) > static::config()->get('max_length')) {
141			$this->currentCookieData = null;
142			}
143
144			return false;
145			}
146
147			// Prepare content for write
148			$params = session_get_cookie_params();
149			// Total max lifetime, stored internally
150			$lifetime = $this->getLifetime();
151			$expiry = $this->getNow() + $lifetime;
152
153			// Restore the known good cookie value
154			$this->currentCookieData = $this->crypto->encrypt(
155			sprintf('%010u', $expiry) . $session_data
156			);
157
158			// Respect auto-expire on browser close for the session cookie (in case the cookie lifetime is zero)
159			$cookieLifetime = min((int)$params['lifetime'], $lifetime);
160
161			Cookie::set(
162			$this->cookie,
163			$this->currentCookieData,
164			$cookieLifetime / 86400,
165			$params['path'],
166			$params['domain'],
167			$params['secure'],
168			$params['httponly']
169			);
170
171			return true;
172			}
173
174			public function destroy($session_id)
175			{
176			$this->currentCookieData = null;
177
178			$params = session_get_cookie_params();
179
180			Cookie::force_expiry(
181			$this->cookie,
182			$params['path'],
183			$params['domain'],
184			$params['secure'],
185			$params['httponly']
186			);
187			}
188
189			public function gc($maxlifetime)
190			{
191			// NOP
192			}
193			}
194

silverstripe / silverstripe-hybridsessions

Pull Request — master (#47)

CookieStore::write() B

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like