523 lines
22 KiB
PHP
523 lines
22 KiB
PHP
<?php
|
|
|
|
/*
|
|
* PHP-Cookie (https://github.com/delight-im/PHP-Cookie)
|
|
* Copyright (c) delight.im (https://www.delight.im/)
|
|
* Licensed under the MIT License (https://opensource.org/licenses/MIT)
|
|
*/
|
|
namespace WP_Ultimo\Dependencies\Delight\Cookie;
|
|
|
|
/**
|
|
* Modern cookie management for PHP
|
|
*
|
|
* Cookies are a mechanism for storing data in the client's web browser and identifying returning clients on subsequent visits
|
|
*
|
|
* All cookies that have successfully been set will automatically be included in the global `$_COOKIE` array with future requests
|
|
*
|
|
* You can set a new cookie using the static method `Cookie::setcookie(...)` which is compatible to PHP's built-in `setcookie(...)` function
|
|
*
|
|
* Alternatively, you can construct an instance of this class, set properties individually, and finally call `save()`
|
|
*
|
|
* Note that cookies must always be set before the HTTP headers are sent to the client, i.e. before the actual output starts
|
|
*/
|
|
final class Cookie
|
|
{
|
|
/** @var string name prefix indicating that the cookie must be from a secure origin (i.e. HTTPS) and the 'secure' attribute must be set */
|
|
const PREFIX_SECURE = '__Secure-';
|
|
/** @var string name prefix indicating that the 'domain' attribute must *not* be set, the 'path' attribute must be '/' and the effects of {@see PREFIX_SECURE} apply as well */
|
|
const PREFIX_HOST = '__Host-';
|
|
const HEADER_PREFIX = 'Set-Cookie: ';
|
|
const SAME_SITE_RESTRICTION_NONE = 'None';
|
|
const SAME_SITE_RESTRICTION_LAX = 'Lax';
|
|
const SAME_SITE_RESTRICTION_STRICT = 'Strict';
|
|
/** @var string the name of the cookie which is also the key for future accesses via `$_COOKIE[...]` */
|
|
private $name;
|
|
/** @var mixed|null the value of the cookie that will be stored on the client's machine */
|
|
private $value;
|
|
/** @var int the Unix timestamp indicating the time that the cookie will expire at, i.e. usually `time() + $seconds` */
|
|
private $expiryTime;
|
|
/** @var string the path on the server that the cookie will be valid for (including all sub-directories), e.g. an empty string for the current directory or `/` for the root directory */
|
|
private $path;
|
|
/** @var string|null the domain that the cookie will be valid for (including subdomains) or `null` for the current host (excluding subdomains) */
|
|
private $domain;
|
|
/** @var bool indicates that the cookie should be accessible through the HTTP protocol only and not through scripting languages */
|
|
private $httpOnly;
|
|
/** @var bool indicates that the cookie should be sent back by the client over secure HTTPS connections only */
|
|
private $secureOnly;
|
|
/** @var string|null indicates that the cookie should not be sent along with cross-site requests (either `null`, `None`, `Lax` or `Strict`) */
|
|
private $sameSiteRestriction;
|
|
/**
|
|
* Prepares a new cookie
|
|
*
|
|
* @param string $name the name of the cookie which is also the key for future accesses via `$_COOKIE[...]`
|
|
*/
|
|
public function __construct($name)
|
|
{
|
|
$this->name = $name;
|
|
$this->value = null;
|
|
$this->expiryTime = 0;
|
|
$this->path = '/';
|
|
$this->domain = null;
|
|
$this->httpOnly = \true;
|
|
$this->secureOnly = \false;
|
|
$this->sameSiteRestriction = self::SAME_SITE_RESTRICTION_LAX;
|
|
}
|
|
/**
|
|
* Returns the name of the cookie
|
|
*
|
|
* @return string the name of the cookie which is also the key for future accesses via `$_COOKIE[...]`
|
|
*/
|
|
public function getName()
|
|
{
|
|
return $this->name;
|
|
}
|
|
/**
|
|
* Returns the value of the cookie
|
|
*
|
|
* @return mixed|null the value of the cookie that will be stored on the client's machine
|
|
*/
|
|
public function getValue()
|
|
{
|
|
return $this->value;
|
|
}
|
|
/**
|
|
* Sets the value for the cookie
|
|
*
|
|
* @param mixed|null $value the value of the cookie that will be stored on the client's machine
|
|
* @return static this instance for chaining
|
|
*/
|
|
public function setValue($value)
|
|
{
|
|
$this->value = $value;
|
|
return $this;
|
|
}
|
|
/**
|
|
* Returns the expiry time of the cookie
|
|
*
|
|
* @return int the Unix timestamp indicating the time that the cookie will expire at, i.e. usually `time() + $seconds`
|
|
*/
|
|
public function getExpiryTime()
|
|
{
|
|
return $this->expiryTime;
|
|
}
|
|
/**
|
|
* Sets the expiry time for the cookie
|
|
*
|
|
* @param int $expiryTime the Unix timestamp indicating the time that the cookie will expire at, i.e. usually `time() + $seconds`
|
|
* @return static this instance for chaining
|
|
*/
|
|
public function setExpiryTime($expiryTime)
|
|
{
|
|
$this->expiryTime = $expiryTime;
|
|
return $this;
|
|
}
|
|
/**
|
|
* Returns the maximum age of the cookie (i.e. the remaining lifetime)
|
|
*
|
|
* @return int the maximum age of the cookie in seconds
|
|
*/
|
|
public function getMaxAge()
|
|
{
|
|
return $this->expiryTime - \time();
|
|
}
|
|
/**
|
|
* Sets the expiry time for the cookie based on the specified maximum age (i.e. the remaining lifetime)
|
|
*
|
|
* @param int $maxAge the maximum age for the cookie in seconds
|
|
* @return static this instance for chaining
|
|
*/
|
|
public function setMaxAge($maxAge)
|
|
{
|
|
$this->expiryTime = \time() + $maxAge;
|
|
return $this;
|
|
}
|
|
/**
|
|
* Returns the path of the cookie
|
|
*
|
|
* @return string the path on the server that the cookie will be valid for (including all sub-directories), e.g. an empty string for the current directory or `/` for the root directory
|
|
*/
|
|
public function getPath()
|
|
{
|
|
return $this->path;
|
|
}
|
|
/**
|
|
* Sets the path for the cookie
|
|
*
|
|
* @param string $path the path on the server that the cookie will be valid for (including all sub-directories), e.g. an empty string for the current directory or `/` for the root directory
|
|
* @return static this instance for chaining
|
|
*/
|
|
public function setPath($path)
|
|
{
|
|
$this->path = $path;
|
|
return $this;
|
|
}
|
|
/**
|
|
* Returns the domain of the cookie
|
|
*
|
|
* @return string|null the domain that the cookie will be valid for (including subdomains) or `null` for the current host (excluding subdomains)
|
|
*/
|
|
public function getDomain()
|
|
{
|
|
return $this->domain;
|
|
}
|
|
/**
|
|
* Sets the domain for the cookie
|
|
*
|
|
* @param string|null $domain the domain that the cookie will be valid for (including subdomains) or `null` for the current host (excluding subdomains)
|
|
* @return static this instance for chaining
|
|
*/
|
|
public function setDomain($domain = null)
|
|
{
|
|
$this->domain = self::normalizeDomain($domain);
|
|
return $this;
|
|
}
|
|
/**
|
|
* Returns whether the cookie should be accessible through HTTP only
|
|
*
|
|
* @return bool whether the cookie should be accessible through the HTTP protocol only and not through scripting languages
|
|
*/
|
|
public function isHttpOnly()
|
|
{
|
|
return $this->httpOnly;
|
|
}
|
|
/**
|
|
* Sets whether the cookie should be accessible through HTTP only
|
|
*
|
|
* @param bool $httpOnly indicates that the cookie should be accessible through the HTTP protocol only and not through scripting languages
|
|
* @return static this instance for chaining
|
|
*/
|
|
public function setHttpOnly($httpOnly)
|
|
{
|
|
$this->httpOnly = $httpOnly;
|
|
return $this;
|
|
}
|
|
/**
|
|
* Returns whether the cookie should be sent over HTTPS only
|
|
*
|
|
* @return bool whether the cookie should be sent back by the client over secure HTTPS connections only
|
|
*/
|
|
public function isSecureOnly()
|
|
{
|
|
return $this->secureOnly;
|
|
}
|
|
/**
|
|
* Sets whether the cookie should be sent over HTTPS only
|
|
*
|
|
* @param bool $secureOnly indicates that the cookie should be sent back by the client over secure HTTPS connections only
|
|
* @return static this instance for chaining
|
|
*/
|
|
public function setSecureOnly($secureOnly)
|
|
{
|
|
$this->secureOnly = $secureOnly;
|
|
return $this;
|
|
}
|
|
/**
|
|
* Returns the same-site restriction of the cookie
|
|
*
|
|
* @return string|null whether the cookie should not be sent along with cross-site requests (either `null`, `None`, `Lax` or `Strict`)
|
|
*/
|
|
public function getSameSiteRestriction()
|
|
{
|
|
return $this->sameSiteRestriction;
|
|
}
|
|
/**
|
|
* Sets the same-site restriction for the cookie
|
|
*
|
|
* @param string|null $sameSiteRestriction indicates that the cookie should not be sent along with cross-site requests (either `null`, `None`, `Lax` or `Strict`)
|
|
* @return static this instance for chaining
|
|
*/
|
|
public function setSameSiteRestriction($sameSiteRestriction)
|
|
{
|
|
$this->sameSiteRestriction = $sameSiteRestriction;
|
|
return $this;
|
|
}
|
|
/**
|
|
* Saves the cookie
|
|
*
|
|
* @return bool whether the cookie header has successfully been sent (and will *probably* cause the client to set the cookie)
|
|
*/
|
|
public function save()
|
|
{
|
|
return self::addHttpHeader((string) $this);
|
|
}
|
|
/**
|
|
* Saves the cookie and immediately creates the corresponding variable in the superglobal `$_COOKIE` array
|
|
*
|
|
* The variable would otherwise only be available starting from the next HTTP request
|
|
*
|
|
* @return bool whether the cookie header has successfully been sent (and will *probably* cause the client to set the cookie)
|
|
*/
|
|
public function saveAndSet()
|
|
{
|
|
$_COOKIE[$this->name] = $this->value;
|
|
return $this->save();
|
|
}
|
|
/**
|
|
* Deletes the cookie
|
|
*
|
|
* @return bool whether the cookie header has successfully been sent (and will *probably* cause the client to delete the cookie)
|
|
*/
|
|
public function delete()
|
|
{
|
|
// create a temporary copy of this cookie so that it isn't corrupted
|
|
$copiedCookie = clone $this;
|
|
// set the copied cookie's value to an empty string which internally sets the required options for a deletion
|
|
$copiedCookie->setValue('');
|
|
// save the copied "deletion" cookie
|
|
return $copiedCookie->save();
|
|
}
|
|
/**
|
|
* Deletes the cookie and immediately removes the corresponding variable from the superglobal `$_COOKIE` array
|
|
*
|
|
* The variable would otherwise only be deleted at the start of the next HTTP request
|
|
*
|
|
* @return bool whether the cookie header has successfully been sent (and will *probably* cause the client to delete the cookie)
|
|
*/
|
|
public function deleteAndUnset()
|
|
{
|
|
unset($_COOKIE[$this->name]);
|
|
return $this->delete();
|
|
}
|
|
public function __toString()
|
|
{
|
|
return self::buildCookieHeader($this->name, $this->value, $this->expiryTime, $this->path, $this->domain, $this->secureOnly, $this->httpOnly, $this->sameSiteRestriction);
|
|
}
|
|
/**
|
|
* Sets a new cookie in a way compatible to PHP's `setcookie(...)` function
|
|
*
|
|
* @param string $name the name of the cookie which is also the key for future accesses via `$_COOKIE[...]`
|
|
* @param mixed|null $value the value of the cookie that will be stored on the client's machine
|
|
* @param int $expiryTime the Unix timestamp indicating the time that the cookie will expire at, i.e. usually `time() + $seconds`
|
|
* @param string|null $path the path on the server that the cookie will be valid for (including all sub-directories), e.g. an empty string for the current directory or `/` for the root directory
|
|
* @param string|null $domain the domain that the cookie will be valid for (including subdomains) or `null` for the current host (excluding subdomains)
|
|
* @param bool $secureOnly indicates that the cookie should be sent back by the client over secure HTTPS connections only
|
|
* @param bool $httpOnly indicates that the cookie should be accessible through the HTTP protocol only and not through scripting languages
|
|
* @param string|null $sameSiteRestriction indicates that the cookie should not be sent along with cross-site requests (either `null`, `None`, `Lax` or `Strict`)
|
|
* @return bool whether the cookie header has successfully been sent (and will *probably* cause the client to set the cookie)
|
|
*/
|
|
public static function setcookie($name, $value = null, $expiryTime = 0, $path = null, $domain = null, $secureOnly = \false, $httpOnly = \false, $sameSiteRestriction = null)
|
|
{
|
|
return self::addHttpHeader(self::buildCookieHeader($name, $value, $expiryTime, $path, $domain, $secureOnly, $httpOnly, $sameSiteRestriction));
|
|
}
|
|
/**
|
|
* Builds the HTTP header that can be used to set a cookie with the specified options
|
|
*
|
|
* @param string $name the name of the cookie which is also the key for future accesses via `$_COOKIE[...]`
|
|
* @param mixed|null $value the value of the cookie that will be stored on the client's machine
|
|
* @param int $expiryTime the Unix timestamp indicating the time that the cookie will expire at, i.e. usually `time() + $seconds`
|
|
* @param string|null $path the path on the server that the cookie will be valid for (including all sub-directories), e.g. an empty string for the current directory or `/` for the root directory
|
|
* @param string|null $domain the domain that the cookie will be valid for (including subdomains) or `null` for the current host (excluding subdomains)
|
|
* @param bool $secureOnly indicates that the cookie should be sent back by the client over secure HTTPS connections only
|
|
* @param bool $httpOnly indicates that the cookie should be accessible through the HTTP protocol only and not through scripting languages
|
|
* @param string|null $sameSiteRestriction indicates that the cookie should not be sent along with cross-site requests (either `null`, `None`, `Lax` or `Strict`)
|
|
* @return string the HTTP header
|
|
*/
|
|
public static function buildCookieHeader($name, $value = null, $expiryTime = 0, $path = null, $domain = null, $secureOnly = \false, $httpOnly = \false, $sameSiteRestriction = null)
|
|
{
|
|
if (self::isNameValid($name)) {
|
|
$name = (string) $name;
|
|
} else {
|
|
return null;
|
|
}
|
|
if (self::isExpiryTimeValid($expiryTime)) {
|
|
$expiryTime = (int) $expiryTime;
|
|
} else {
|
|
return null;
|
|
}
|
|
$forceShowExpiry = \false;
|
|
if (\is_null($value) || $value === \false || $value === '') {
|
|
$value = 'deleted';
|
|
$expiryTime = 0;
|
|
$forceShowExpiry = \true;
|
|
}
|
|
$maxAgeStr = self::formatMaxAge($expiryTime, $forceShowExpiry);
|
|
$expiryTimeStr = self::formatExpiryTime($expiryTime, $forceShowExpiry);
|
|
$headerStr = self::HEADER_PREFIX . $name . '=' . \urlencode($value);
|
|
if (!\is_null($expiryTimeStr)) {
|
|
$headerStr .= '; expires=' . $expiryTimeStr;
|
|
}
|
|
// The `Max-Age` property is supported on PHP 5.5+ only (https://bugs.php.net/bug.php?id=23955).
|
|
if (\PHP_VERSION_ID >= 50500) {
|
|
if (!\is_null($maxAgeStr)) {
|
|
$headerStr .= '; Max-Age=' . $maxAgeStr;
|
|
}
|
|
}
|
|
if (!empty($path) || $path === 0) {
|
|
$headerStr .= '; path=' . $path;
|
|
}
|
|
if (!empty($domain) || $domain === 0) {
|
|
$headerStr .= '; domain=' . $domain;
|
|
}
|
|
if ($secureOnly) {
|
|
$headerStr .= '; secure';
|
|
}
|
|
if ($httpOnly) {
|
|
$headerStr .= '; httponly';
|
|
}
|
|
if ($sameSiteRestriction === self::SAME_SITE_RESTRICTION_NONE) {
|
|
// if the 'secure' attribute is missing
|
|
if (!$secureOnly) {
|
|
\trigger_error('When the \'SameSite\' attribute is set to \'None\', the \'secure\' attribute should be set as well', \E_USER_WARNING);
|
|
}
|
|
$headerStr .= '; SameSite=None';
|
|
} elseif ($sameSiteRestriction === self::SAME_SITE_RESTRICTION_LAX) {
|
|
$headerStr .= '; SameSite=Lax';
|
|
} elseif ($sameSiteRestriction === self::SAME_SITE_RESTRICTION_STRICT) {
|
|
$headerStr .= '; SameSite=Strict';
|
|
}
|
|
return $headerStr;
|
|
}
|
|
/**
|
|
* Parses the given cookie header and returns an equivalent cookie instance
|
|
*
|
|
* @param string $cookieHeader the cookie header to parse
|
|
* @return \Delight\Cookie\Cookie|null the cookie instance or `null`
|
|
*/
|
|
public static function parse($cookieHeader)
|
|
{
|
|
if (empty($cookieHeader)) {
|
|
return null;
|
|
}
|
|
if (\preg_match('/^' . self::HEADER_PREFIX . '(.*?)=(.*?)(?:; (.*?))?$/i', $cookieHeader, $matches)) {
|
|
$cookie = new self($matches[1]);
|
|
$cookie->setPath(null);
|
|
$cookie->setHttpOnly(\false);
|
|
$cookie->setValue(\urldecode($matches[2]));
|
|
$cookie->setSameSiteRestriction(null);
|
|
if (\count($matches) >= 4) {
|
|
$attributes = \explode('; ', $matches[3]);
|
|
foreach ($attributes as $attribute) {
|
|
if (\strcasecmp($attribute, 'HttpOnly') === 0) {
|
|
$cookie->setHttpOnly(\true);
|
|
} elseif (\strcasecmp($attribute, 'Secure') === 0) {
|
|
$cookie->setSecureOnly(\true);
|
|
} elseif (\stripos($attribute, 'Expires=') === 0) {
|
|
$cookie->setExpiryTime((int) \strtotime(\substr($attribute, 8)));
|
|
} elseif (\stripos($attribute, 'Domain=') === 0) {
|
|
$cookie->setDomain(\substr($attribute, 7));
|
|
} elseif (\stripos($attribute, 'Path=') === 0) {
|
|
$cookie->setPath(\substr($attribute, 5));
|
|
} elseif (\stripos($attribute, 'SameSite=') === 0) {
|
|
$cookie->setSameSiteRestriction(\substr($attribute, 9));
|
|
}
|
|
}
|
|
}
|
|
return $cookie;
|
|
} else {
|
|
return null;
|
|
}
|
|
}
|
|
/**
|
|
* Checks whether a cookie with the specified name exists
|
|
*
|
|
* @param string $name the name of the cookie to check
|
|
* @return bool whether there is a cookie with the specified name
|
|
*/
|
|
public static function exists($name)
|
|
{
|
|
return isset($_COOKIE[$name]);
|
|
}
|
|
/**
|
|
* Returns the value from the requested cookie or, if not found, the specified default value
|
|
*
|
|
* @param string $name the name of the cookie to retrieve the value from
|
|
* @param mixed $defaultValue the default value to return if the requested cookie cannot be found
|
|
* @return mixed the value from the requested cookie or the default value
|
|
*/
|
|
public static function get($name, $defaultValue = null)
|
|
{
|
|
if (isset($_COOKIE[$name])) {
|
|
return $_COOKIE[$name];
|
|
} else {
|
|
return $defaultValue;
|
|
}
|
|
}
|
|
private static function isNameValid($name)
|
|
{
|
|
$name = (string) $name;
|
|
// The name of a cookie must not be empty on PHP 7+ (https://bugs.php.net/bug.php?id=69523).
|
|
if ($name !== '' || \PHP_VERSION_ID < 70000) {
|
|
if (!\preg_match('/[=,; \\t\\r\\n\\013\\014]/', $name)) {
|
|
return \true;
|
|
}
|
|
}
|
|
return \false;
|
|
}
|
|
private static function isExpiryTimeValid($expiryTime)
|
|
{
|
|
return \is_numeric($expiryTime) || \is_null($expiryTime) || \is_bool($expiryTime);
|
|
}
|
|
private static function calculateMaxAge($expiryTime)
|
|
{
|
|
if ($expiryTime === 0) {
|
|
return 0;
|
|
} else {
|
|
$maxAge = $expiryTime - \time();
|
|
// The value of the `Max-Age` property must not be negative on PHP 7.0.19+ (< 7.1) and
|
|
// PHP 7.1.5+ (https://bugs.php.net/bug.php?id=72071).
|
|
if (\PHP_VERSION_ID >= 70019 && \PHP_VERSION_ID < 70100 || \PHP_VERSION_ID >= 70105) {
|
|
if ($maxAge < 0) {
|
|
$maxAge = 0;
|
|
}
|
|
}
|
|
return $maxAge;
|
|
}
|
|
}
|
|
private static function formatExpiryTime($expiryTime, $forceShow = \false)
|
|
{
|
|
if ($expiryTime > 0 || $forceShow) {
|
|
if ($forceShow) {
|
|
$expiryTime = 1;
|
|
}
|
|
return \gmdate('D, d-M-Y H:i:s T', $expiryTime);
|
|
} else {
|
|
return null;
|
|
}
|
|
}
|
|
private static function formatMaxAge($expiryTime, $forceShow = \false)
|
|
{
|
|
if ($expiryTime > 0 || $forceShow) {
|
|
return (string) self::calculateMaxAge($expiryTime);
|
|
} else {
|
|
return null;
|
|
}
|
|
}
|
|
private static function normalizeDomain($domain = null)
|
|
{
|
|
// make sure that the domain is a string
|
|
$domain = (string) $domain;
|
|
// if the cookie should be valid for the current host only
|
|
if ($domain === '') {
|
|
// no need for further normalization
|
|
return null;
|
|
}
|
|
// if the provided domain is actually an IP address
|
|
if (\filter_var($domain, \FILTER_VALIDATE_IP) !== \false) {
|
|
// let the cookie be valid for the current host
|
|
return null;
|
|
}
|
|
// for local hostnames (which either have no dot at all or a leading dot only)
|
|
if (\strpos($domain, '.') === \false || \strrpos($domain, '.') === 0) {
|
|
// let the cookie be valid for the current host while ensuring maximum compatibility
|
|
return null;
|
|
}
|
|
// unless the domain already starts with a dot
|
|
if ($domain[0] !== '.') {
|
|
// prepend a dot for maximum compatibility (e.g. with RFC 2109)
|
|
$domain = '.' . $domain;
|
|
}
|
|
// return the normalized domain
|
|
return $domain;
|
|
}
|
|
private static function addHttpHeader($header)
|
|
{
|
|
if (!\headers_sent()) {
|
|
if (!empty($header)) {
|
|
\header($header, \false);
|
|
return \true;
|
|
}
|
|
}
|
|
return \false;
|
|
}
|
|
}
|