Respect ini session.use_strict_mode

.github/workflows/build.yml

@@ -56,7 +56,7 @@ jobs:
           php-version: ${{ matrix.php }}
           tools: pecl
           extensions: apc, curl, dom, imagick, intl, mbstring, mcrypt, memcached, mysql, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, sqlite
-          ini-values: date.timezone='UTC'
+          ini-values: date.timezone='UTC', session.save_path="${{ runner.temp }}"
       - name: Install php-sqlsrv
         run: |
             curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add - >/dev/null 2>&1
@@ -114,6 +114,7 @@ jobs:
         uses: shivammathur/setup-php@v2
         with:
           php-version: 7.2
+          ini-values: session.save_path=${{ runner.temp }}
       - name: Get composer cache directory
         id: composer-cache
         run: echo "::set-output name=dir::$(composer config cache-files-dir)"

docs/guide/runtime-sessions-cookies.md

@@ -403,3 +403,4 @@ To use this feature across different PHP versions check the version first. E.g.
 As [noted in PHP manual](https://www.php.net/manual/en/session.security.ini.php), `php.ini` has important
 session security settings. Please ensure recommended settings are applied. Especially `session.use_strict_mode`
 that is not enabled by default in PHP installations.
+This setting can also be set with [[yii\web\Session::useStrictMode]].

framework/CHANGELOG.md

@@ -4,6 +4,7 @@ Yii Framework 2 Change Log
 2.0.39 under development
 ------------------------
 
+- Enh #18247: Added support for the 'session.use_strict_mode' ini directive in `yii\web\Session` (rhertogh)
 - Bug #18263: Fix writing `\yii\caching\FileCache` files to the same directory when `keyPrefix` is set (githubjeka)
 - Bug #18160, #18192: Fixed `registerFile` with argument depends set does not use the position and appendTimestamp argument, also modify the unit view (baleeny)
 - Bug #18290: Fix response with non-seekable streams (schmunk42)

framework/UPGRADE.md

@@ -63,6 +63,41 @@ Upgrade from Yii 2.0.37
 * Resolving DI references inside of arrays in dependencies was made optional and turned off by default. In order
   to turn it on, set `resolveArrays` of container instance to `true`.
 
+* `yii\web\Session` now respects the 'session.use_strict_mode' ini directive.
+  In case you use a custom `Session` class and have overwritten the `Session::openSession()` and/or 
+  `Session::writeSession()` functions changes might be required:
+  * When in strict mode the `openSession()` function should check if the requested session id exists
+    (and mark it for forced regeneration if not).
+    For example, the `DbSession` does this at the beginning of the function as follows:
+    ```php
+    if ($this->getUseStrictMode()) {
+        $id = $this->getId();
+        if (!$this->getReadQuery($id)->exists()) {
+            //This session id does not exist, mark it for forced regeneration
+            $this->_forceRegenerateId = $id;
+        }
+    }
+    // ... normal function continues ...
+    ``` 
+  * When in strict mode the `writeSession()` function should ignore writing the session under the old id.
+    For example, the `DbSession` does this at the beginning of the function as follows:
+    ```php
+    if ($this->getUseStrictMode() && $id === $this->_forceRegenerateId) {
+        //Ignore write when forceRegenerate is active for this id
+        return true;
+    }
+    // ... normal function continues ...
+    ```
+  > Note: The sample code above is specific for the `yii\web\DbSession` class.
+    Make sure you use the correct implementation based on your parent class,
+    e.g. `yii\web\CacheSession`, `yii\redis\Session`, `yii\mongodb\Session`, etc.
+
+  > Note: In case your custom functions call their `parent` functions, there are probably no changes needed to your 
+    code if those parents implement the `useStrictMode` checks.
+
+  > Warning: in case `openSession()` and/or `writeSession()` functions do not implement the `useStrictMode` code
+    the session could be stored under the forced id without warning even if `useStrictMode` is enabled.
+
 Upgrade from Yii 2.0.36
 -----------------------
 

framework/web/CacheSession.php

@@ -69,6 +69,26 @@ public function getUseCustomStorage()
         return true;
     }
 
+    /**
+     * Session open handler.
+     * @internal Do not call this method directly.
+     * @param string $savePath session save path
+     * @param string $sessionName session name
+     * @return bool whether session is opened successfully
+     */
+    public function openSession($savePath, $sessionName)
+    {
+        if ($this->getUseStrictMode()) {
+            $id = $this->getId();
+            if (!$this->cache->exists($this->calculateKey($id))) {
+                //This session id does not exist, mark it for forced regeneration
+                $this->_forceRegenerateId = $id;
+            }
+        }
+
+        return parent::openSession($savePath, $sessionName);
+    }
+
     /**
      * Session read handler.
      * @internal Do not call this method directly.
@@ -91,6 +111,11 @@ public function readSession($id)
      */
     public function writeSession($id, $data)
     {
+        if ($this->getUseStrictMode() && $id === $this->_forceRegenerateId) {
+            //Ignore write when forceRegenerate is active for this id
+            return true;
+        }
+
         return $this->cache->set($this->calculateKey($id), $data, $this->getTimeout());
     }
 

framework/web/DbSession.php

@@ -93,6 +93,26 @@ public function init()
         $this->db = Instance::ensure($this->db, Connection::className());
     }
 
+    /**
+     * Session open handler.
+     * @internal Do not call this method directly.
+     * @param string $savePath session save path
+     * @param string $sessionName session name
+     * @return bool whether session is opened successfully
+     */
+    public function openSession($savePath, $sessionName)
+    {
+        if ($this->getUseStrictMode()) {
+            $id = $this->getId();
+            if (!$this->getReadQuery($id)->exists()) {
+                //This session id does not exist, mark it for forced regeneration
+                $this->_forceRegenerateId = $id;
+            }
+        }
+
+        return parent::openSession($savePath, $sessionName);
+    }
+
     /**
      * {@inheritdoc}
      */
@@ -160,9 +180,7 @@ public function close()
      */
     public function readSession($id)
     {
-        $query = new Query();
-        $query->from($this->sessionTable)
-            ->where('[[expire]]>:expire AND [[id]]=:id', [':expire' => time(), ':id' => $id]);
+        $query = $this->getReadQuery($id);
 
         if ($this->readCallback !== null) {
             $fields = $query->one($this->db);
@@ -182,6 +200,11 @@ public function readSession($id)
      */
     public function writeSession($id, $data)
     {
+        if ($this->getUseStrictMode() && $id === $this->_forceRegenerateId) {
+            //Ignore write when forceRegenerate is active for this id
+            return true;
+        }
+
         // exception must be caught in session write handler
         // https://secure.php.net/manual/en/function.session-set-save-handler.php#refsect1-function.session-set-save-handler-notes
         try {
@@ -240,6 +263,18 @@ public function gcSession($maxLifetime)
         return true;
     }
 
+    /**
+     * Generates a query to get the session from db
+     * @param string $id The id of the session
+     * @return Query
+     */
+    protected function getReadQuery($id)
+    {
+        return (new Query())
+            ->from($this->sessionTable)
+            ->where('[[expire]]>:expire AND [[id]]=:id', [':expire' => time(), ':id' => $id]);
+    }
+
     /**
      * Method typecasts $fields before passing them to PDO.
      * Default implementation casts field `data` to `\PDO::PARAM_LOB`.

framework/web/Session.php

@@ -68,12 +68,25 @@
  * @property bool $useCustomStorage Whether to use custom storage. This property is read-only.
  * @property bool $useTransparentSessionID Whether transparent sid support is enabled or not, defaults to
  * false.
+ * @property bool $useStrictMode Whether strict mode is enabled or not.
+ * Note: Enabling `useStrictMode` on PHP < 5.5.2 is only supported with custom storage classes.
  *
  * @author Qiang Xue <[email protected]>
  * @since 2.0
  */
 class Session extends Component implements \IteratorAggregate, \ArrayAccess, \Countable
 {
+    /**
+     * @var string|null Holds the original session module (before a custom handler is registered) so that it can be
+     * restored when a Session component without custom handler is used after one that has.
+     */
+    static protected $_originalSessionModule = null;
+
+    /**
+     * Polyfill for ini directive session.use-strict-mode for PHP < 5.5.2.
+     */
+    static private $_useStrictModePolyfill = false;
+
     /**
      * @var string the name of the session variable that stores the flash message data.
      */
@@ -82,6 +95,10 @@ class Session extends Component implements \IteratorAggregate, \ArrayAccess, \Co
      * @var \SessionHandlerInterface|array an object implementing the SessionHandlerInterface or a configuration array. If set, will be used to provide persistency instead of build-in methods.
      */
     public $handler;
+    /**
+     * @var string|null Holds the session id in case useStrictMode is enabled and the session id needs to be regenerated
+     */
+    protected $_forceRegenerateId = null;
 
     /**
      * @var array parameter-value pairs to override default session cookie parameters that are used for session_set_cookie_params() function
@@ -136,6 +153,11 @@ public function open()
 
         YII_DEBUG ? session_start() : @session_start();
 
+        if ($this->getUseStrictMode() && $this->_forceRegenerateId) {
+            $this->regenerateID();
+            $this->_forceRegenerateId = null;
+        }
+
         if ($this->getIsActive()) {
             Yii::info('Session started', __METHOD__);
             $this->updateFlashCounters();
@@ -152,6 +174,11 @@ public function open()
      */
     protected function registerSessionHandler()
     {
+        $sessionModuleName = session_module_name();
+        if (static::$_originalSessionModule === null) {
+            static::$_originalSessionModule = $sessionModuleName;
+        }
+
         if ($this->handler !== null) {
             if (!is_object($this->handler)) {
                 $this->handler = Yii::createObject($this->handler);
@@ -180,6 +207,12 @@ protected function registerSessionHandler()
                     [$this, 'gcSession']
                 );
             }
+        } elseif (
+            $sessionModuleName !== static::$_originalSessionModule
+            && static::$_originalSessionModule !== null
+            && static::$_originalSessionModule !== 'user'
+        ) {
+            session_module_name(static::$_originalSessionModule);
         }
     }
 
@@ -191,6 +224,8 @@ public function close()
         if ($this->getIsActive()) {
             YII_DEBUG ? session_write_close() : @session_write_close();
         }
+
+        $this->_forceRegenerateId = null;
     }
 
     /**
@@ -514,6 +549,43 @@ public function setTimeout($value)
         $this->unfreeze();
     }
 
+    /**
+     * @var bool Whether strict mode is enabled or not.
+     * When `true` this setting prevents the session component to use an uninitialized session ID.
+     * Note: Enabling `useStrictMode` on PHP < 5.5.2 is only supported with custom storage classes.
+     * Warning! Although enabling strict mode is mandatory for secure sessions, the default value of 'session.use-strict-mode' is `0`.
+     * @see https://www.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
+     * @since 2.0.38
+     */
+    public function setUseStrictMode($value)
+    {
+        if (PHP_VERSION_ID < 50502) {
+            if ($this->getUseCustomStorage() || !$value) {
+                self::$_useStrictModePolyfill = $value;
+            } else {
+                throw new InvalidConfigException('Enabling `useStrictMode` on PHP < 5.5.2 is only supported with custom storage classes.');
+            }
+        } else {
+            $this->freeze();
+            ini_set('session.use_strict_mode', $value ? '1' : '0');
+            $this->unfreeze();
+        }
+    }
+
+    /**
+     * @return bool Whether strict mode is enabled or not.
+     * @see setUseStrictMode()
+     * @since 2.0.38
+     */
+    public function getUseStrictMode()
+    {
+        if (PHP_VERSION_ID < 50502) {
+            return self::$_useStrictModePolyfill;
+        }
+
+        return (bool)ini_get('session.use_strict_mode');
+    }
+
     /**
      * Session open handler.
      * This method should be overridden if [[useCustomStorage]] returns true.

tests/framework/web/session/AbstractDbSessionTest.php

@@ -9,8 +9,8 @@
 
 use Yii;
 use yii\db\Connection;
-use yii\db\Query;
 use yii\db\Migration;
+use yii\db\Query;
 use yii\web\DbSession;
 use yiiunit\framework\console\controllers\EchoMigrateController;
 use yiiunit\TestCase;
@@ -20,6 +20,8 @@
  */
 abstract class AbstractDbSessionTest extends TestCase
 {
+    use SessionTestTrait;
+
     /**
      * @return string[] the driver names that are suitable for the test (mysql, pgsql, etc)
      */
@@ -266,4 +268,14 @@ public function testInstantiate()
         Yii::$app->set('sessionDb', null);
         ini_set('session.gc_maxlifetime', $oldTimeout);
     }
+
+    public function testInitUseStrictMode()
+    {
+        $this->initStrictModeTest(DbSession::className());
+    }
+
+    public function testUseStrictMode()
+    {
+        $this->useStrictModeTest(DbSession::className());
+    }
 }

tests/framework/web/session/CacheSessionTest.php

@@ -16,6 +16,8 @@
  */
 class CacheSessionTest extends \yiiunit\TestCase
 {
+    use SessionTestTrait;
+
     protected function setUp()
     {
         parent::setUp();
@@ -51,4 +53,14 @@ public function testNotWrittenSessionDestroying()
 
         $this->assertTrue($session->destroySession($session->getId()));
     }
+
+    public function testInitUseStrictMode()
+    {
+        $this->initStrictModeTest(CacheSession::className());
+    }
+
+    public function testUseStrictMode()
+    {
+        $this->useStrictModeTest(CacheSession::className());
+    }
 }