From 4343fd29585a59aff459343be289a5968a4197f0 Mon Sep 17 00:00:00 2001
From: Jacob Bates
Date: Wed, 15 Jan 2020 13:45:56 -0500
Subject: [PATCH 1/3] Implement Cidi fix for same-site cookies

---
 config/localConfig.template.php | 9 +++++++++
 config/settings.php | 6 ++++++
 lib/UdoitUtils.php | 28 ++++++++++++++++++++++++++++
 3 files changed, 43 insertions(+)

diff --git a/config/localConfig.template.php b/config/localConfig.template.php
index 2afcefd8c..0ba65bedc 100755
--- a/config/localConfig.template.php
+++ b/config/localConfig.template.php
@@ -10,6 +10,15 @@
 $oauth2_uri = ''; // EX: https://udoit.my-org.edu/oauth2response.php or https://udoit.my-org.edu/udoit/public/oauth2response.php
 $oauth2_enforce_scopes = false; // Set to true if you have a scoped developer key.
 
+/* Set session cookie options
+ * expire - The cookie expiration time in seconds (0 means it does not expire)
+ * path - The path of the application
+ */
+$session_cookie_options = [
+ 'expire' => 0,
+ 'path' => '/'
+];
+
 /* Disable headings check character count */
 $doc_length = '1500';
 
diff --git a/config/settings.php b/config/settings.php
index 04c57f5b9..298f5acd3 100755
--- a/config/settings.php
+++ b/config/settings.php
@@ -11,6 +11,9 @@
 // Initialize db_options. This may be overridden in the local config
 $db_options = [];
 
+// Initialize session cookie options. This may be overridden in the local config.
+$session_cookie_options = [];
+
 // LOAD LOCAL, TEST or HEROKU CONFIG
 $local_config = getenv('USE_HEROKU_CONFIG') ? 'herokuConfig.php' : 'localConfig.php';
 $local_config = getenv('UNITTEST') ? 'localConfig.test.php' : $local_config;
@@ -35,6 +38,9 @@
 // SET DEFAULT ENVIRONMENT
 isset($UDOIT_ENV) || $UDOIT_ENV = ENV_PROD; // !! override in your localConfig.php
 
+// SET UP PHP SESSION COOKIE SAMESITE SESSIONS
+UdoitUtils::setupSession($session_cookie_options);
+
 // SET UP OAUTH
 $oauth2_scopes = [
 // assigments
diff --git a/lib/UdoitUtils.php b/lib/UdoitUtils.php
index 0e3e1d799..0e242e760 100644
--- a/lib/UdoitUtils.php
+++ b/lib/UdoitUtils.php
@@ -64,6 +64,34 @@ public static function setupOauth($id, $key, $uri, $consumer_key, $secret, $curl
  self::$canvas_scopes = $scopes;
  }
 
+ /**
+ * Support samesite cookie flag in both PHP < 7.3 and > PHP >= 7.3
+ * @param array $options
+ *
+ * @return void
+ */
+ public static function setupSession($options)
+ {
+ $expire = isset($options['expire']) ? $options['expire'] : 0;
+ $path = isset($options['path']) ? $options['path'] : '/';
+ $domain = isset($options['domain']) ? $options['domain'] : null;
+ $secure = isset($options['secure']) ? $options['secure'] : true;
+ $httponly = isset($options['httponly']) ? $options['httponly'] : false;
+
+ if (PHP_VERSION_ID < 70300) {
+ session_set_cookie_params($expire, "$path; samesite=None", $domain, $secure, $httponly);
+ } else {
+ session_set_cookie_params([
+ 'expires' => $expire,
+ 'path' => $path,
+ 'domain' => $domain,
+ 'samesite' => 'None',
+ 'secure' => $secure,
+ 'httponly' => $httponly,
+ ]);
+ }
+ }
+
  public function getYouTubeId($link_url)
  {
  $matches = null;
From 931e44ae52f6114a699fd6316baa6f5e472a3624 Mon Sep 17 00:00:00 2001
From: Jacob Bates
Date: Wed, 15 Jan 2020 16:50:18 -0500
Subject: [PATCH 2/3] Move cookie settings to top of settings file. Add to config template

---
 config/localConfig.template.php | 12 ++++++++----
 config/settings.php | 25 ++++++++++++++++++++-----
 lib/UdoitUtils.php | 28 ----------------------------
 3 files changed, 28 insertions(+), 37 deletions(-)

diff --git a/config/localConfig.template.php b/config/localConfig.template.php
index 0ba65bedc..0fa2471b7 100755
--- a/config/localConfig.template.php
+++ b/config/localConfig.template.php
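Review bot: The array branch of `setupSession` passes the lifetime under the key `'expires'`, which the options-array form of `session_set_cookie_params()` does not recognise — it takes `lifetime`, `path`, `domain`, `secure`, `httponly` and `samesite` (`expires` is the `setcookie()` spelling), so on PHP 7.3+ the key is reported as unrecognised and the configured expiry is dropped, while the `< 7.3` branch applies it correctly. Change that line to `'lifetime' => $expire,`. The same block is moved verbatim into config/settings.php in patch 2 of this series and needs the same fix there. The docblock's range `PHP < 7.3 and > PHP >= 7.3` is garbled; `Support the samesite cookie flag on both PHP < 7.3 and PHP >= 7.3` says what is meant.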
@@ -10,13 +10,17 @@
 $oauth2_uri = ''; // EX: https://udoit.my-org.edu/oauth2response.php or https://udoit.my-org.edu/udoit/public/oauth2response.php
 $oauth2_enforce_scopes = false; // Set to true if you have a scoped developer key.
 
-/* Set session cookie options
+/* Set session cookie options
  * expire - The cookie expiration time in seconds (0 means it does not expire)
- * path - The path of the application
+ * path - which application on this domain the cookie is visible to
+ *
  */
 $session_cookie_options = [
- 'expire' => 0,
- 'path' => '/'
+ 'expire' => getenv('SESSION_COOKIE_EXPIRE') ?: 0,
+ 'path' => getenv('SESSION_COOKIE_PATH') ?: '/',
+ 'domain' => getenv('SESSION_COOKIE_DOMAIN') ?: null,
+ 'secure' => getenv('SESSION_COOKIE_SECURE') ?: true,
+ 'httponly' => getenv('SESSION_COOKIE_HTTPONLY') ?: false,
 ];
 
 /* Disable headings check character count */
diff --git a/config/settings.php b/config/settings.php
index 298f5acd3..07ba0b301 100755
--- a/config/settings.php
+++ b/config/settings.php
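Review bot: The `?:` fallbacks on the `secure` and `httponly` lines turn any non-empty environment value into `true`, because `getenv()` returns a string — `SESSION_COOKIE_SECURE=false` yields the truthy string `"false"`, so an operator cannot switch either flag off this way, and only an empty value or `0` reaches the default. The project already parses boolean env vars as `(getenv('OAUTH2_ENFORCE_SCOPES')) == 'true'` (visible as context in herokuConfig.php in patch 3); following that convention gives `'secure' => getenv('SESSION_COOKIE_SECURE') === false || getenv('SESSION_COOKIE_SECURE') === 'true',` and `'httponly' => getenv('SESSION_COOKIE_HTTPONLY') === 'true',`, which keeps `secure` on when the variable is unset. `expire` likewise arrives as a string and is better cast with `(int)` before it reaches `session_set_cookie_params()`. The identical lines are added to config/herokuConfig.php in patch 3 and have the same problem.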
@@ -5,15 +5,32 @@
 define('UDOIT_VERSION', '2.6.0');
 
+// SET UP PHP SESSION COOKIE SAMESITE SESSIONS
+$expire = isset($session_cookie_options['expire']) ? $session_cookie_options['expire'] : 0;
+$path = isset($session_cookie_options['path']) ? $session_cookie_options['path'] : '/';
+$domain = isset($session_cookie_options['domain']) ? $session_cookie_options['domain'] : null;
+$secure = isset($session_cookie_options['secure']) ? $session_cookie_options['secure'] : true;
+$httponly = isset($session_cookie_options['httponly']) ? $session_cookie_options['httponly'] : false;
+
+if (PHP_VERSION_ID < 70300) {
+ session_set_cookie_params($expire, "$path; samesite=None", $domain, $secure, $httponly);
+} else {
+ session_set_cookie_params([
+ 'expires' => $expire,
+ 'path' => $path,
+ 'domain' => $domain,
+ 'samesite' => 'None',
+ 'secure' => $secure,
+ 'httponly' => $httponly,
+ ]);
+}
+
 // SET UP AUTOLOADER (uses autoload rules from composer)
 require_once(__DIR__.'/../vendor/autoload.php');
 
 // Initialize db_options. This may be overridden in the local config
 $db_options = [];
 
-// Initialize session cookie options. This may be overridden in the local config.
-$session_cookie_options = [];
-
 // LOAD LOCAL, TEST or HEROKU CONFIG
 $local_config = getenv('USE_HEROKU_CONFIG') ? 'herokuConfig.php' : 'localConfig.php';
 $local_config = getenv('UNITTEST') ? 'localConfig.test.php' : $local_config;
 
@@ -38,8 +55,6 @@
 // SET DEFAULT ENVIRONMENT
 isset($UDOIT_ENV) || $UDOIT_ENV = ENV_PROD; // !! override in your localConfig.php
 
-// SET UP PHP SESSION COOKIE SAMESITE SESSIONS
-UdoitUtils::setupSession($session_cookie_options);
 
 // SET UP OAUTH
 $oauth2_scopes = [
diff --git a/lib/UdoitUtils.php b/lib/UdoitUtils.php
index 0e242e760..0e3e1d799 100644
--- a/lib/UdoitUtils.php
+++ b/lib/UdoitUtils.php
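Review bot: The moved block reads `$session_cookie_options` at the top of settings.php, but the local/heroku config that defines it is only required further down in this same hunk (`// LOAD LOCAL, TEST or HEROKU CONFIG`), so unless the entry script defines the array before including settings.php — not visible here — every `isset()` is false, the hard-coded defaults are always used, and the values patches 2 and 3 add to localConfig.template.php and herokuConfig.php are silently ignored. Patch 1 made the call after the config load (the `UdoitUtils::setupSession($session_cookie_options);` line this commit removes), which was the correct order; if the block has to stay at the top, the config load should move above it or the call should be deferred until after it. On the defaults themselves, `$httponly` falls back to `false`, leaving the session ID readable by page scripts, and `true` is the safer default for a session cookie unless front-end code is known to need it. Because the cookie is issued with `samesite=None`, browsers only accept it when `secure` is also set, so the `secure` default of `true` should not be weakened and the comment above the block could say so.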
@@ -64,34 +64,6 @@ public static function setupOauth($id, $key, $uri, $consumer_key, $secret, $curl
  self::$canvas_scopes = $scopes;
  }
 
- /**
- * Support samesite cookie flag in both PHP < 7.3 and > PHP >= 7.3
- * @param array $options
- *
- * @return void
- */
- public static function setupSession($options)
- {
- $expire = isset($options['expire']) ? $options['expire'] : 0;
- $path = isset($options['path']) ? $options['path'] : '/';
- $domain = isset($options['domain']) ? $options['domain'] : null;
- $secure = isset($options['secure']) ? $options['secure'] : true;
- $httponly = isset($options['httponly']) ? $options['httponly'] : false;
-
- if (PHP_VERSION_ID < 70300) {
- session_set_cookie_params($expire, "$path; samesite=None", $domain, $secure, $httponly);
- } else {
- session_set_cookie_params([
- 'expires' => $expire,
- 'path' => $path,
- 'domain' => $domain,
- 'samesite' => 'None',
- 'secure' => $secure,
- 'httponly' => $httponly,
- ]);
- }
- }
-
  public function getYouTubeId($link_url)
  {
  $matches = null;
From 2956ebb6ff7454752e54e8ea64f9231d2dd6b369 Mon Sep 17 00:00:00 2001
From: Jacob Bates
Date: Wed, 15 Jan 2020 17:02:19 -0500
Subject: [PATCH 3/3] Add session cookie config to heroku

---
 config/herokuConfig.php | 9 +++++++++
 config/localConfig.template.php | 8 +++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/config/herokuConfig.php b/config/herokuConfig.php
index 21a88dcd3..218c7952c 100755
--- a/config/herokuConfig.php
+++ b/config/herokuConfig.php
@@ -12,6 +12,15 @@
 $oauth2_uri = getenv('OAUTH2_URI');
 $oauth2_enforce_scopes = (getenv('OAUTH2_ENFORCE_SCOPES')) == 'true';
 
+/* Set session cookie options */
+$session_cookie_options = [
+ 'expire' => getenv('SESSION_COOKIE_EXPIRE') ?: 0,
+ 'path' => getenv('SESSION_COOKIE_PATH') ?: '/',
+ 'domain' => getenv('SESSION_COOKIE_DOMAIN') ?: null,
+ 'secure' => getenv('SESSION_COOKIE_SECURE') ?: true,
+ 'httponly' => getenv('SESSION_COOKIE_HTTPONLY') ?: false,
+];
+
 /* Tool name for display in Canvas Navigation */
 $canvas_nav_item_name = getenv('CANVAS_NAV_ITEM_NAME');
 
diff --git a/config/localConfig.template.php b/config/localConfig.template.php
index 0fa2471b7..cee06895b 100755
--- a/config/localConfig.template.php
+++ b/config/localConfig.template.php
@@ -11,9 +11,11 @@
 $oauth2_enforce_scopes = false; // Set to true if you have a scoped developer key.
 
 /* Set session cookie options
- * expire - The cookie expiration time in seconds (0 means it does not expire)
- * path - which application on this domain the cookie is visible to
- *
+ * expire - the cookie expiration time in seconds (0 means it does not expire)
+ * path - the applications on this domain to which the cookie is visible
+ * domain - the domain to which this cookie is visible
+ * secure - 'true' to send the cookie only over secure connections
+ * httponly - 'true' to set the 'httponly' flag when setting the cookie
  */
 $session_cookie_options = [
  'expire' => getenv('SESSION_COOKIE_EXPIRE') ?: 0,