Merge pull request #591 from leepeuker/improve-session-handling

Improve session handling

public/index.php

@@ -1,7 +1,5 @@
 <?php declare(strict_types=1);
 
-session_start();
-
 /** @var DI\Container $container */
 
 use Movary\HttpController\Web\ErrorController;

settings/routes.php

@@ -192,7 +192,7 @@ function addWebRoutes(RouterService $routerService, FastRoute\RouteCollector $ro
     $routes->add('POST', '/add-movie-to-watchlist', [Web\WatchlistController::class, 'addMovieToWatchlist'], [Web\Middleware\UserIsAuthenticated::class]);
     $routes->add('GET', '/fetchMovieRatingByTmdbdId', [Web\Movie\MovieRatingController::class, 'fetchMovieRatingByTmdbdId'], [Web\Middleware\UserIsAuthenticated::class]);
 
-    $routerService->addRoutesToRouteCollector($routeCollector, $routes);
+    $routerService->addRoutesToRouteCollector($routeCollector, $routes, true);
 }
 
 function addApiRoutes(RouterService $routerService, FastRoute\RouteCollector $routeCollector) : void

src/Domain/User/Service/Authentication.php

@@ -221,7 +221,8 @@ public function logout() : void
 
     public function setAuthenticationCookieAndNewSession(int $userId, string $token, DateTime $expirationDate) : void
     {
-        session_regenerate_id();
+        $this->sessionWrapper->destroy();
+        $this->sessionWrapper->start();
         setcookie(self::AUTHENTICATION_COOKIE_NAME, $token, [
             'expires' => (int)$expirationDate->format('U'),
             'path' => '/',

src/HttpController/Web/Middleware/StartSession.php

@@ -0,0 +1,21 @@
+<?php declare(strict_types=1);
+
+namespace Movary\HttpController\Web\Middleware;
+
+use Movary\Util\SessionWrapper;
+use Movary\ValueObject\Http\Response;
+
+class StartSession implements MiddlewareInterface
+{
+    public function __construct(
+        private readonly SessionWrapper $sessionWrapper,
+    ) {
+    }
+
+    public function __invoke() : ?Response
+    {
+        $this->sessionWrapper->start();
+
+        return null;
+    }
+}

src/Service/Router/RouterService.php

@@ -3,19 +3,25 @@
 namespace Movary\Service\Router;
 
 use FastRoute\RouteCollector;
+use Movary\HttpController\Web;
 use Movary\Service\Router\Dto\RouteList;
 
 class RouterService
 {
-    public function addRoutesToRouteCollector(RouteCollector $routeCollector, RouteList $routeList) : void
+    public function addRoutesToRouteCollector(RouteCollector $routeCollector, RouteList $routeList, bool $isWebRoute = false) : void
     {
         foreach ($routeList as $route) {
+            $middleware = $route->getMiddleware();
+            if ($isWebRoute === true) {
+                $middleware[] = Web\Middleware\StartSession::class;
+            }
+
             $routeCollector->addRoute(
                 $route->getMethod(),
                 $route->getRoute(),
                 [
                     'handler' => $route->getHandler(),
-                    'middleware' => $route->getMiddleware()
+                    'middleware' => $middleware
                 ],
             );
         }

src/Util/SessionWrapper.php

@@ -6,7 +6,29 @@ class SessionWrapper
 {
     public function destroy() : void
     {
+        $_SESSION = array();
+
+        if (ini_get('session.use_cookies')) {
+            $sessionName = session_name();
+            if ($sessionName === false) {
+                throw new \RuntimeException('Could not get session name');
+            }
+
+            $params = session_get_cookie_params();
+
+            setcookie(
+                $sessionName,
+                '',
+                time() - 42000,
+                $params['path'],
+                $params['domain'],
+                $params['secure'],
+                $params['httponly'],
+            );
+        }
+
         session_destroy();
+        session_regenerate_id();
     }
 
     public function find(string $key) : mixed