tonyair
/
silverstripe-framework
mirror of https://github.com/silverstripe/silverstripe-framework
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
23,205 Commits 29 Branches 510 Tags 146 MiB
Commit Graph

42 Commits

Author SHA1 Message Date
Steve Boyd 137ebcebec API Stop using deprecated API 2022-11-15 18:20:54 +13:00
Steve Boyd 9c453abf89 API Update deprecations 2022-10-13 14:49:15 +13:00
Guy Sartorelli 31c974c528 ENH Add samesite attribute to cookies. 
Co-authored-by: pine3ree <pine3ree@gmail.com>
 2022-06-02 12:01:03 +12:00
Steve Boyd 511b3bb060 ENH PHP 8.1 compatibility 2022-04-14 13:12:59 +12:00
Florian Thoma 9a7c99fc4b FIX Take current request protocol into account when deleting session cookie 2021-08-06 10:55:05 +10:00
Thomas Portelange 2f3c0fc8dd
Update src/Control/Session.php 
Co-Authored-By: Guy Marriott <guy.the.person@gmail.com>
 2020-04-28 19:21:52 +02:00
Thomas Portelange b38c35fe90
Fixes warning if session is not active 
See issue https://github.com/silverstripe/silverstripe-framework/issues/9496
 2020-04-27 13:51:19 +02:00
Daniel Hensby 237b2d5f74
Convert array delcarations to short array syntax 2020-04-20 18:58:09 +01:00
Robbie Averill 53fcd47dfc Merge branch '4.4' into 4.5 2020-01-16 19:59:42 -08:00
Robbie Averill 26e3b6f4e3 Merge branch '4.3' into 4.4 2020-01-16 19:59:24 -08:00
Loz Calver 453945da14 FIX: Session::restart() didn't correctly restart session (fixes #9259) 2019-11-20 14:21:30 +00:00
Aaron Carlino b002ef1171 Merge branch '4.4' into 4 2019-09-24 17:26:50 +12:00
Serge Latyntcev eccfa9b10d [CVE-2019-12203] Session fixation in "change password" form 
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
 2019-09-24 16:03:48 +12:00
Serge Latyntcev 569237c0f4 [CVE-2019-12203] Session fixation in "change password" form 
A potential account hijacking may happen if an attacker has physical access to
victim's computer to perform session fixation. Also possible if the targeted application contains an XSS vulnerability.
Requires the victim to click the password reset link sent to their email.
If all the above happens, attackers may reset the password before the actual user does that.
 2019-09-24 16:00:51 +12:00
Maxime Rainville 4380d7d155 API Add option to disable user-agent header session validation 2019-08-06 22:00:01 +12:00
Robbie Averill d8cd085190 Merge branch '4.3' into 4 2019-01-24 17:14:09 +02:00
Simon Gow c28670ebed #8724 - Session timeout regression 
Only emit the session refresh cookie if the session timeout is set.
 2019-01-18 10:07:53 +13:00
Simon Gow af08328e8e Existing sessions need to set a new cookie on each request, if the 
session exists, otherwise our expiry is never updated and sessions
can't roll on every request.
 2019-01-17 17:37:35 +13:00
Robbie Averill 7c96feef37 Merge branch '4.3' into 4 2019-01-08 12:27:48 +01:00
Simon Gow d01585cc98 #8543 Resolve Duplicate Headers 
- fix linting
 2018-12-19 12:39:32 +13:00
Simon Gow 1edfa4d956 #8543 Resolve Duplicate Headers 
- Replace session name lookup with function to also check secure cookies
- Added timeout which defaults to 0 (same as PHP)
- Removed php7 style of session_start from PR
- moved session_start into headers sent block to prevent warnings.
 2018-12-19 12:39:32 +13:00
Simon Gow 4eb6669c08 #8543 Resolve Duplicate Headers 
Put cookie_lifetime back into the session parameters.
 2018-12-19 12:39:32 +13:00
Simon Gow 2deb8f4176 Resolve Duplicate Headers 
Ensure only a single Set-Cookie header is returned from Session once
we have data to save. Include backwards compatibility for PHP56
 2018-12-19 12:39:32 +13:00
Maxime Rainville 7f6b80f87d Correct session doc typo 2018-12-14 13:01:22 +13:00
Guy Marriott 87b74b9cc1
Correcting Max's eggrigious typos 
Co-Authored-By: maxime-rainville <maxime@rainville.me>
 2018-12-13 13:50:35 +13:00
Maxime Rainville 6e214e2e8b DOCS Updating Session doc to reflect that you need to operation on an instance. 2018-12-13 11:05:49 +13:00
Robbie Averill 4d14e9b6b1
Merge pull request #8421 from creative-commoners/pulls/4.3/psr-5-deprecations 
Update deprecation PHPDocs to be PSR-5 compliant
 2018-09-28 14:18:54 +02:00
Robbie Averill f842ee2eec Update deprecation PHPDocs to be PSR-5 compliant 
See: https://github.com/php-fig/fig-standards/blob/master/proposed/phpdoc-tags.md#55-deprecated
 2018-09-28 10:49:14 +02:00
Sam Minnee b98c87a6c5 FIX: Ensure existing session can be accessed if headers_sent() 
If a session already exists, and Session::start() isn’t called until
after a large enough block of content is output, then headers_sent()
will be false. The previous code prevented the session from being
started in this case. That might makes sense for the creation of a new
session, but it prevent legitimate access to an existing session.

This mostly manifested when running debugging tools such as showqueries,
which may output content before the session is started.
 2018-09-28 13:25:13 +12:00
Ingo Schommer e415bcb44a Fix tests on unset session data 
Thanks Robbie!
 2018-07-19 13:32:08 +12:00
Ingo Schommer 93b0884e19 BUG Lazy session state (fixes #8267) 
Fixes regression from 3.x, where sessions where lazy started as required:
Either because an existing session identifier was sent through with the request,
or because new session data needed to be persisted as part of the request execution.

Without this lazy starting, *every* request will get a session,
which makes all those responses uncacheable by HTTP layers.

Note that 4.x also changed the $data vs. $changedData payloads:
In 3.x, they both contained key/value pairs.
In 4.x, $data contains key/value, while $changedData contains key/boolean to declare isChanged.
While this reduces duplication in the class, it also surfaced a bug which was latent in 3.x:
When an existing session is lazily resumed via start(), $data is set back to an empty array.
In 3.x, any changed data before this point was *also* retained in $changedData,
ensuring it gets merged into existing $_SESSION data.
In 4.x, this clears out data - hence the need for a more complex merge logic.

Since isset($this->data) is no longer an accurate indicator of a started session,
we introduce a separate $this->started flag.

Note that I've chosen not to make lazy an opt-in (e.g. via start($request, $lazy=false)).
We already have a distinction between lazy starting via init(), and force starting via start().
 2018-07-19 13:32:04 +12:00
Damian Mooyman b686b86c34 Session now prevents cache headers being sent unintentionally 2018-06-14 15:59:51 +12:00
Damian Mooyman 740c3326e9
BUG Fix critical issue with incorrectly saved session data 2018-02-02 15:08:52 +13:00
Damian Mooyman d20ab50f9d API Stronger Injector service unregistration 
BUG Fix up test regressions
FIX director references to request object
API Move all middlewares to common namespace
API Implement RequestHandlerMiddlewareAdapter
ENHANCEMENT Improve IP address parsing
Fix up PHPDoc / psr2 linting
BUG Fix property parsing in TrustedProxyMiddleware
BUG Fix Director::is_https()
 2017-06-27 13:32:39 +12:00
Sam Minnee 67887febc5 fix - session now uses request 2017-06-27 13:32:39 +12:00
Sam Minnee e92c63c545 API: Remove $sid argument of Session::start() 
NEW: Pass HTTPRequest to session
NEW: Pass HTTPReuqest optionally to Director statics

The session handler now expects to operate on a specific
HTTPRequest object.
 2017-06-27 13:32:39 +12:00
Damian Mooyman 3873e4ba00 API Refactor bootstrap, request handling 
See https://github.com/silverstripe/silverstripe-framework/pull/7037
and https://github.com/silverstripe/silverstripe-framework/issues/6681

Squashed commit of the following:

commit 8f65e56532
Author: Ingo Schommer <me@chillu.com>
Date:   Thu Jun 22 22:25:50 2017 +1200

    Fixed upgrade guide spelling

commit 76f95944fa
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 22 16:38:34 2017 +1200

    BUG Fix non-test class manifest including sapphiretest / functionaltest

commit 9379834cb4
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 22 15:50:47 2017 +1200

    BUG Fix nesting bug in Kernel

commit 188ce35d82
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 22 15:14:51 2017 +1200

    BUG fix db bootstrapping issues

commit 7ed4660e7a
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 22 14:49:07 2017 +1200

    BUG Fix issue in DetailedErrorFormatter

commit 738f50c497
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 22 11:49:19 2017 +1200

    Upgrading notes on mysite/_config.php

commit 6279d28e5e
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 22 11:43:28 2017 +1200

    Update developer documentation

commit 5c90d53a84
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 22 10:48:44 2017 +1200

    Update installer to not use global databaseConfig

commit f9b2ba4755
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Wed Jun 21 21:04:39 2017 +1200

    Fix behat issues

commit 5b59a912b6
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Wed Jun 21 17:07:11 2017 +1200

    Move HTTPApplication to SilverStripe\Control namespace

commit e2c4a18f63
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Wed Jun 21 16:29:03 2017 +1200

    More documentation
    Fix up remaining tests
    Refactor temp DB into TempDatabase class so it’s available outside of unit tests.

commit 5d235e64f3
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Wed Jun 21 12:13:15 2017 +1200

    API HTTPRequestBuilder::createFromEnvironment() now cleans up live globals
    BUG Fix issue with SSViewer
    Fix Security / View tests

commit d88d4ed4e4
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 20 16:39:43 2017 +1200

    API Refactor AppKernel into CoreKernel

commit f7946aec33
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 20 16:00:40 2017 +1200

    Docs and minor cleanup

commit 12bd31f936
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 20 15:34:34 2017 +1200

    API Remove OutputMiddleware
    API Move environment / global / ini management into Environment class
    API Move getTempFolder into TempFolder class
    API Implement HTTPRequestBuilder / CLIRequestBuilder
    BUG Restore SS_ALLOWED_HOSTS check in original location
    API CoreKernel now requires $basePath to be passed in
    API Refactor installer.php to use application to bootstrap
    API move memstring conversion globals to Convert
    BUG Fix error in CoreKernel nesting not un-nesting itself properly.

commit bba9791146
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Mon Jun 19 18:07:53 2017 +1200

    API Create HTTPMiddleware and standardise middleware for request handling

commit 2a10c2397b
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Mon Jun 19 17:42:42 2017 +1200

    Fixed ORM tests

commit d75a8d1d93
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Mon Jun 19 17:15:07 2017 +1200

    FIx i18n tests

commit 06364af3c3
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Mon Jun 19 16:59:34 2017 +1200

    Fix controller namespace
    Move states to sub namespace

commit 2a278e2953
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Mon Jun 19 12:49:45 2017 +1200

    Fix forms namespace

commit b65c21241b
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 15 18:56:48 2017 +1200

    Update API usages

commit d1d4375c95
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Thu Jun 15 18:41:44 2017 +1200

    API Refactor $flush into HTPPApplication
    API Enforce health check in Controller::pushCurrent()
    API Better global backup / restore
    Updated Director::test() to use new API

commit b220534f06
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 13 22:05:57 2017 +1200

    Move app nesting to a test state helper

commit 603704165c
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 13 21:46:04 2017 +1200

    Restore kernel stack to fix multi-level nesting

commit 2f6336a15b
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 13 17:23:21 2017 +1200

    API Implement kernel nesting

commit fc7188da7d
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 13 15:43:13 2017 +1200

    Fix core tests

commit a0ae723514
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 13 15:23:52 2017 +1200

    Fix manifest tests

commit ca03395251
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 13 15:00:00 2017 +1200

    API Move extension management into test state

commit c66d433977
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Tue Jun 13 14:10:59 2017 +1200

    API Refactor SapphireTest state management into SapphireTestState
    API Remove Injector::unregisterAllObjects()
    API Remove FakeController

commit f26ae75c6e
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Mon Jun 12 18:04:34 2017 +1200

    Implement basic CLI application object

commit 001d559662
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Mon Jun 12 17:39:38 2017 +1200

    Remove references to SapphireTest::is_running_test()
    Upgrade various code

commit de079c041d
Author: Damian Mooyman <damian@silverstripe.com>
Date:   Wed Jun 7 18:07:33 2017 +1200

    API Implement APP object
    API Refactor of Session
 2017-06-22 22:50:45 +12:00
Damian Mooyman 259f957ce8 API Rename services to match FQN of interface / classes 2017-05-16 14:15:49 +12:00
Ingo Schommer 81e5c7ac40 API Removed deprecated Session::set_config() 2017-05-09 11:38:35 +12:00
Damian Mooyman 1b1e921e3d
PSR2: Whitespace-only changes 2016-11-29 12:31:16 +13:00
Daniel Hensby bcc21c2403
Merge branch '3' 2016-11-10 01:09:35 +00:00
Sam Minnee 7a10c194bd NEW: Move code files into src/ folder. 
This updates framework to be more in keeping with PHP conventions.
 2016-11-01 13:37:24 +13:00