1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
|
<?php
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
function handleRequest(ServerRequestInterface $req, ResponseInterface $resp): ResponseInterface
{
$resp->getBody()->write(strtoupper($req->getCookieParams()['input']));
return $resp->withAddedHeader(
"Set-Cookie",
(new Cookie('output', 'cookie-output'))->createHeader()
);
}
final class Cookie
{
/**
* The name of the cookie.
*
* @var string
*/
private $name = '';
/**
* The value of the cookie. This value is stored on the clients computer; do not store sensitive
* information.
*
* @var string|null
*/
private $value = null;
/**
* Cookie lifetime. This value specified in seconds and declares period of time in which cookie
* will expire relatively to current time() value.
*
* @var int|null
*/
private $lifetime = null;
/**
* The path on the server in which the cookie will be available on.
*
* If set to '/', the cookie will be available within the entire domain. If set to '/foo/',
* the cookie will only be available within the /foo/ directory and all sub-directories such as
* /foo/bar/ of domain. The default value is the current directory that the cookie is being set
* in.
*
* @var string|null
*/
private $path = null;
/**
* The domain that the cookie is available. To make the cookie available on all subdomains of
* example.com then you'd set it to '.example.com'. The . is not required but makes it
* compatible with more browsers. Setting it to www.example.com will make the cookie only
* available in the www subdomain. Refer to tail matching in the spec for details.
*
* @var string|null
*/
private $domain = null;
/**
* Indicates that the cookie should only be transmitted over a secure HTTPS connection from the
* client. When set to true, the cookie will only be set if a secure connection exists.
* On the server-side, it's on the programmer to send this kind of cookie only on secure
* connection
* (e.g. with respect to $_SERVER["HTTPS"]).
*
* @var bool|null
*/
private $secure = null;
/**
* When true the cookie will be made accessible only through the HTTP protocol. This means that
* the cookie won't be accessible by scripting languages, such as JavaScript. This setting can
* effectively help to reduce identity theft through XSS attacks (although it is not supported
* by all browsers).
*
* @var bool
*/
private $httpOnly = true;
/**
* New Cookie instance, cookies used to schedule cookie set while dispatching Response.
*
* @link http://php.net/manual/en/function.setcookie.php
*
* @param string $name The name of the cookie.
* @param string $value The value of the cookie. This value is stored on the clients
* computer; do not store sensitive information.
* @param int $lifetime Cookie lifetime. This value specified in seconds and declares period
* of time in which cookie will expire relatively to current time()
* value.
* @param string $path The path on the server in which the cookie will be available on.
* If set to '/', the cookie will be available within the entire
* domain.
* If set to '/foo/', the cookie will only be available within the
* /foo/
* directory and all sub-directories such as /foo/bar/ of domain. The
* default value is the current directory that the cookie is being set
* in.
* @param string $domain The domain that the cookie is available. To make the cookie
* available
* on all subdomains of example.com then you'd set it to
* '.example.com'.
* The . is not required but makes it compatible with more browsers.
* Setting it to www.example.com will make the cookie only available in
* the www subdomain. Refer to tail matching in the spec for details.
* @param bool $secure Indicates that the cookie should only be transmitted over a secure
* HTTPS connection from the client. When set to true, the cookie will
* only be set if a secure connection exists. On the server-side, it's
* on the programmer to send this kind of cookie only on secure
* connection (e.g. with respect to $_SERVER["HTTPS"]).
* @param bool $httpOnly When true the cookie will be made accessible only through the HTTP
* protocol. This means that the cookie won't be accessible by
* scripting
* languages, such as JavaScript. This setting can effectively help to
* reduce identity theft through XSS attacks (although it is not
* supported by all browsers).
*/
public function __construct(
string $name,
string $value = null,
int $lifetime = null,
string $path = null,
string $domain = null,
bool $secure = false,
bool $httpOnly = true
) {
$this->name = $name;
$this->value = $value;
$this->lifetime = $lifetime;
$this->path = $path;
$this->domain = $domain;
$this->secure = $secure;
$this->httpOnly = $httpOnly;
}
/**
* The name of the cookie.
*
* @return string
*/
public function getName(): string
{
return $this->name;
}
/**
* The value of the cookie. This value is stored on the clients computer; do not store sensitive
* information.
*
* @return string|null
*/
public function getValue()
{
return $this->value;
}
/**
* The time the cookie expires. This is a Unix timestamp so is in number of seconds since the
* epoch. In other words, you'll most likely set this with the time function plus the number of
* seconds before you want it to expire. Or you might use mktime.
*
* Will return null if lifetime is not specified.
*
* @return int|null
*/
public function getExpires()
{
if ($this->lifetime === null) {
return null;
}
return time() + $this->lifetime;
}
/**
* The path on the server in which the cookie will be available on.
*
* If set to '/', the cookie will be available within the entire domain. If set to '/foo/',
* the cookie will only be available within the /foo/ directory and all sub-directories such as
* /foo/bar/ of domain. The default value is the current directory that the cookie is being set
* in.
*
* @return string|null
*/
public function getPath()
{
return $this->path;
}
/**
* The domain that the cookie is available. To make the cookie available on all subdomains of
* example.com then you'd set it to '.example.com'. The . is not required but makes it
* compatible with more browsers. Setting it to www.example.com will make the cookie only
* available in the www subdomain. Refer to tail matching in the spec for details.
*
* @return string|null
*/
public function getDomain()
{
return $this->domain;
}
/**
* Indicates that the cookie should only be transmitted over a secure HTTPS connection from the
* client. When set to true, the cookie will only be set if a secure connection exists.
* On the server-side, it's on the programmer to send this kind of cookie only on secure
* connection
* (e.g. with respect to $_SERVER["HTTPS"]).
*
* @return bool
*/
public function isSecure(): bool
{
return $this->secure;
}
/**
* When true the cookie will be made accessible only through the HTTP protocol. This means that
* the cookie won't be accessible by scripting languages, such as JavaScript. This setting can
* effectively help to reduce identity theft through XSS attacks (although it is not supported
* by all browsers).
*
* @return bool
*/
public function isHttpOnly(): bool
{
return $this->httpOnly;
}
/**
* Get new cookie with altered value. Original cookie object should not be changed.
*
* @param string $value
*
* @return Cookie
*/
public function withValue(string $value): self
{
$cookie = clone $this;
$cookie->value = $value;
return $cookie;
}
/**
* Convert cookie instance to string.
*
* @link http://www.w3.org/Protocols/rfc2109/rfc2109
* @return string
*/
public function createHeader(): string
{
$header = [
rawurlencode($this->name) . '=' . rawurlencode($this->value)
];
if ($this->lifetime !== null) {
$header[] = 'Expires=' . gmdate(\DateTime::COOKIE, $this->getExpires());
$header[] = 'Max-Age=' . $this->lifetime;
}
if (!empty($this->path)) {
$header[] = 'Path=' . $this->path;
}
if (!empty($this->domain)) {
$header[] = 'Domain=' . $this->domain;
}
if ($this->secure) {
$header[] = 'Secure';
}
if ($this->httpOnly) {
$header[] = 'HttpOnly';
}
return join('; ', $header);
}
/**
* New Cookie instance, cookies used to schedule cookie set while dispatching Response.
* Static constructor.
*
* @link http://php.net/manual/en/function.setcookie.php
*
* @param string $name The name of the cookie.
* @param string $value The value of the cookie. This value is stored on the clients
* computer; do not store sensitive information.
* @param int $lifetime Cookie lifetime. This value specified in seconds and declares period
* of time in which cookie will expire relatively to current time()
* value.
* @param string $path The path on the server in which the cookie will be available on.
* If set to '/', the cookie will be available within the entire
* domain.
* If set to '/foo/', the cookie will only be available within the
* /foo/
* directory and all sub-directories such as /foo/bar/ of domain. The
* default value is the current directory that the cookie is being set
* in.
* @param string $domain The domain that the cookie is available. To make the cookie
* available
* on all subdomains of example.com then you'd set it to
* '.example.com'.
* The . is not required but makes it compatible with more browsers.
* Setting it to www.example.com will make the cookie only available in
* the www subdomain. Refer to tail matching in the spec for details.
* @param bool $secure Indicates that the cookie should only be transmitted over a secure
* HTTPS connection from the client. When set to true, the cookie will
* only be set if a secure connection exists. On the server-side, it's
* on the programmer to send this kind of cookie only on secure
* connection (e.g. with respect to $_SERVER["HTTPS"]).
* @param bool $httpOnly When true the cookie will be made accessible only through the HTTP
* protocol. This means that the cookie won't be accessible by
* scripting
* languages, such as JavaScript. This setting can effectively help to
* reduce identity theft through XSS attacks (although it is not
* supported by all browsers).
*
* @return Cookie
*/
public static function create(
string $name,
string $value = null,
int $lifetime = null,
string $path = null,
string $domain = null,
bool $secure = false,
bool $httpOnly = true
): self {
return new self($name, $value, $lifetime, $path, $domain, $secure, $httpOnly);
}
/**
* @return string
*/
public function __toString(): string
{
return $this->createHeader();
}
}
|
