Refactoring Session management

Engine/Modules/AdminBackend/Core/Controller/Backend/LoginController.php

@@ -10,7 +10,7 @@
 use Oforge\Engine\Modules\Core\Annotation\Endpoint\EndpointClass;
 use Oforge\Engine\Modules\Core\Exceptions\ServiceNotFoundException;
 use Oforge\Engine\Modules\Core\Helper\RouteHelper;
-use Oforge\Engine\Modules\Core\Services\Session\SessionManagementService;
+use Oforge\Engine\Modules\Core\Manager\SessionManager;
 use Oforge\Engine\Modules\Core\Services\TokenService;
 use Oforge\Engine\Modules\I18n\Helper\I18N;
 use Slim\Http\Request;
@@ -112,9 +112,7 @@ public function processAction(Request $request, Response $response) {
             return RouteHelper::redirect($response, 'backend_login');
         }
 
-        /** @var SessionManagementService $sessionManagement */
-        $sessionManagement = Oforge()->Services()->get('session.management');
-        $sessionManagement->regenerateSession();
+        SessionManager::regenerate();
 
         $_SESSION['auth'] = $jwt;
 

Engine/Modules/AdminBackend/Core/Controller/Backend/LogoutController.php

@@ -8,7 +8,7 @@
 use Oforge\Engine\Modules\Core\Annotation\Endpoint\EndpointAction;
 use Oforge\Engine\Modules\Core\Annotation\Endpoint\EndpointClass;
 use Oforge\Engine\Modules\Core\Helper\RouteHelper;
-use Oforge\Engine\Modules\Core\Services\Session\SessionManagementService;
+use Oforge\Engine\Modules\Core\Manager\SessionManager;
 use Slim\Http\Request;
 use Slim\Http\Response;
 
@@ -33,9 +33,7 @@ public function initPermissions() {
      * @EndpointAction()
      */
     public function indexAction(Request $request, Response $response) {
-        /** @var SessionManagementService $sessionManager */
-        $sessionManager = Oforge()->Services()->get('session.management');
-        $sessionManager->sessionDestroy();
+        SessionManager::destroy();
 
         return RouteHelper::redirect($response, 'backend_login');
     }

Engine/Modules/Core/.meta/.phpstorm.meta.php

@@ -12,7 +12,6 @@
             'plugin.access'      => \Oforge\Engine\Modules\Core\Services\PluginAccessService::class,
             'plugin.state'       => \Oforge\Engine\Modules\Core\Services\PluginStateService::class,
             'redirect'           => \Oforge\Engine\Modules\Core\Services\RedirectService::class,
-            'session.management' => \Oforge\Engine\Modules\Core\Services\Session\SessionManagementService::class,
             'store.keyvalue'     => \Oforge\Engine\Modules\Core\Services\KeyValueStoreService::class,
             'token'              => \Oforge\Engine\Modules\Core\Services\TokenService::class,
         ]));

Engine/Modules/Core/BlackSmith.php

@@ -14,6 +14,7 @@
 use Oforge\Engine\Modules\Core\Manager\Modules\ModuleManager;
 use Oforge\Engine\Modules\Core\Manager\Plugins\PluginManager;
 use Oforge\Engine\Modules\Core\Manager\Services\ServiceManager;
+use Oforge\Engine\Modules\Core\Manager\SessionManager;
 use Oforge\Engine\Modules\Core\Manager\Slim\SlimRouteManager;
 use Slim\Container;
 use Slim\Exception\MethodNotAllowedException;
@@ -296,8 +297,7 @@ public function forge($start = true, $test = false) {
         $this->forgeSlimApp = ForgeSlimApp::getInstance();
         $this->container    = $this->App()->getContainer();
         if ($start) {
-
-            $this->forgeSlimApp->sessionStart();
+            SessionManager::start();
 
             if ($this->forgeSlimApp->returnCachedResult()) {
                 return;

Engine/Modules/Core/Bootstrap.php

@@ -25,7 +25,7 @@
 use Oforge\Engine\Modules\Core\Services\PluginAccessService;
 use Oforge\Engine\Modules\Core\Services\PluginStateService;
 use Oforge\Engine\Modules\Core\Services\RedirectService;
-use Oforge\Engine\Modules\Core\Services\Session\SessionManagementService;
+use Oforge\Engine\Modules\Core\Services\Session\SessionManager;
 use Oforge\Engine\Modules\Core\Services\TokenService;
 
 /**
@@ -61,7 +61,6 @@ public function __construct() {
             'plugin.access'      => PluginAccessService::class,
             'plugin.state'       => PluginStateService::class,
             'redirect'           => RedirectService::class,
-            'session.management' => SessionManagementService::class,
             'store.keyvalue'     => KeyValueStoreService::class,
             'token'              => TokenService::class,
         ];

Engine/Modules/Core/Forge/ForgeSlimApp.php

@@ -95,45 +95,10 @@ public static function getInstance() : ForgeSlimApp {
         return self::$instance;
     }
 
-    /**
-     * Start the session
-     *
-     * @param int $lifetimeSeconds
-     * @param string $path
-     * @param null $domain
-     * @param null $secure
-     */
-    public function sessionStart($lifetimeSeconds = 0, $path = '/', $domain = null, $secure = null) {
-        $sessionStatus = session_status();
-
-        if ($sessionStatus != PHP_SESSION_ACTIVE) {
-            session_name("oforge_session");
-            if (!empty($_SESSION['deleted_time'])
-                && $_SESSION['deleted_time'] < time() - 180) {
-                session_destroy();
-            }
-            // Set the domain to default to the current domain.
-            $domain = isset($domain) ? $domain : $_SERVER['SERVER_NAME'];
-
-            // Set the default secure value to whether the site is being accessed with SSL
-            $secure = isset($secure) ? $secure : isset($_SERVER['HTTPS']) ? true : false;
-
-            // Set the cookie settings and start the session
-            session_set_cookie_params($lifetimeSeconds, $path, $domain, $secure, true);
-            session_start();
-            $_SESSION['created_time'] = time();
-        }
-    }
-
     public function returnCachedResult($silent = false) : bool {
-        /**
-         * @var $response ResponseInterface
-         */
+        /** @var ResponseInterface $response */
         $response = $this->getContainer()->get('response');
-
-        /**
-         * @var $request ServerRequestInterface
-         */
+        /** @var ServerRequestInterface $request */
         $request = $this->getContainer()->get('request');
 
         $mode            = Oforge()->Settings()->get("mode");
@@ -201,14 +166,10 @@ public function returnCachedResult($silent = false) : bool {
     }
 
     public function run($silent = false) {
-        /**
-         * @var $response ResponseInterface
-         */
+        /** @var ResponseInterface $response */
         $response = $this->getContainer()->get('response');
 
-        /**
-         * @var $request ServerRequestInterface
-         */
+        /** @var ServerRequestInterface $request */
         $request = $this->getContainer()->get('request');
 
         $mode            = Oforge()->Settings()->get("mode");

Engine/Modules/Core/Manager/SessionManager.php

@@ -0,0 +1,110 @@
+<?php
+
+namespace Oforge\Engine\Modules\Core\Manager;
+
+/**
+ * Service to create secure sessions
+ * Class SessionManager
+ */
+class SessionManager
+{
+    private const SESSION_COOKIE_NAME = 'oforge_session';
+    /** @var int $lifetimeSeconds */
+    private static $lifetimeSeconds;
+    /** @var string $path */
+    private static $path;
+    /** @var string|null $domain */
+    private static $domain;
+    /** @var bool|null $secure */
+    private static $secure;
+    /** @var string $samesite */
+    private static $samesite;
+
+    /** Prevent isntance */
+    private function __construct()
+    {
+    }
+
+    /**
+     * Start the session
+     *
+     * @param int $lifetimeSeconds
+     * @param string $path
+     * @param string|null $domain
+     * @param bool|null $secure
+     * @param string $samesite
+     */
+    public static function start(int $lifetimeSeconds = 0, string $path = '/', ?string $domain = null, ?bool $secure = null, string $samesite = 'strict') : void
+    {
+        $sessionStatus = session_status();
+
+        if ($sessionStatus === PHP_SESSION_ACTIVE) {
+            return;
+        }
+        session_name("oforge_session");
+        if ( !empty($_SESSION['deleted_time']) && $_SESSION['deleted_time'] < time() - 180) {
+            unset($_COOKIE[self::SESSION_COOKIE_NAME]);
+            session_destroy();
+        }
+        // Set the domain to default to the current domain.
+        $domain = $domain ?? $_SERVER['SERVER_NAME'];
+        // Set the default secure value to whether the site is being accessed with SSL
+        $secure   = $secure ?? isset($_SERVER['HTTPS']);
+        $httponly = true;
+
+        self::$lifetimeSeconds = $lifetimeSeconds;
+        self::$path            = $path;
+        self::$domain          = $domain;
+        self::$secure          = $secure;
+        self::$samesite        = $samesite;
+        // Set the cookie settings and start the session
+        if (PHP_VERSION_ID < 70300) {
+            if ( !empty($samesite)) {
+                $path .= '; samesite=' . $samesite;
+            }
+            session_set_cookie_params($lifetimeSeconds, $path, $domain, $secure, $httponly);
+        } else {
+            $params = [
+                'lifetime' => $lifetimeSeconds,
+                'path'     => $path,
+                'domain'   => $domain,
+                'secure'   => $secure,
+                'httponly' => $httponly,
+            ];
+            if ( !empty($samesite)) {
+                $params['samesite'] = $samesite;
+            }
+            session_set_cookie_params($params);
+        }
+        session_start();
+        $_SESSION['created_time'] = time();
+    }
+
+    /**
+     * Regenerate the session
+     */
+    public static function regenerate() : void
+    {
+        if (session_status() != PHP_SESSION_ACTIVE) {
+            session_start();
+        }
+
+        $oldSessionData = $_SESSION;
+        self::destroy();
+        self::start(self::$lifetimeSeconds, self::$path, self::$domain, self::$secure, self::$samesite);
+        $_SESSION                 = array_merge($_SESSION, $oldSessionData);
+        $_SESSION['created_time'] = time();
+    }
+
+    /**
+     * Destroy the session an the corresponding cookie
+     */
+    public static function destroy() : void
+    {
+        $_SESSION = [];
+        unset($_COOKIE[self::SESSION_COOKIE_NAME]);
+        session_destroy();
+        session_id(session_create_id());
+    }
+
+}

Engine/Modules/Core/Middleware/SessionMiddleware.php

@@ -4,8 +4,8 @@
 
 use Oforge\Engine\Modules\Core\Exceptions\ConfigElementNotFoundException;
 use Oforge\Engine\Modules\Core\Exceptions\ServiceNotFoundException;
+use Oforge\Engine\Modules\Core\Manager\SessionManager;
 use Oforge\Engine\Modules\Core\Services\ConfigService;
-use Oforge\Engine\Modules\Core\Services\Session\SessionManagementService;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 
@@ -26,9 +26,7 @@ class SessionMiddleware {
      * @throws ServiceNotFoundException
      */
     public function __invoke($request, $response, $next) {
-        /** @var SessionManagementService $sessionManager */
-        $sessionManager = Oforge()->Services()->get('session.management');
-        $sessionManager->sessionStart();
+        SessionManager::start();
         /** @var ConfigService $configService */
         $configService = Oforge()->Services()->get('config');
         $debugMode     = $configService->get('debug_mode');

Engine/Modules/UserManagement/Controller/Backend/ProfileController.php

@@ -19,7 +19,7 @@
 use Oforge\Engine\Modules\Core\Exceptions\NotFoundException;
 use Oforge\Engine\Modules\Core\Exceptions\ServiceNotFoundException;
 use Oforge\Engine\Modules\Core\Helper\RouteHelper;
-use Oforge\Engine\Modules\Core\Services\Session\SessionManagementService;
+use Oforge\Engine\Modules\Core\Manager\SessionManager;
 use Oforge\Engine\Modules\I18n\Helper\I18N;
 use Oforge\Engine\Modules\UserManagement\Services\BackendUsersCrudService;
 use Slim\Http\Request;
@@ -94,9 +94,7 @@ public function loginDataAction(Request $request, Response $response) {
                 $user['type'] = $oldUser['type'];
                 $user['role'] = $oldUser['role'];
                 $backendUserService->update($user);
-                /** @var SessionManagementService $sessionManagement */
-                $sessionManagement = Oforge()->Services()->get('session.management');
-                $sessionManagement->regenerateSession();
+                SessionManager::regenerate();
                 $_SESSION['auth'] = $authService->createJWT($user);
                 Oforge()->View()->Flash()->addMessage('success', I18N::translate('profile_login_data_update_success', [
                     'en' => 'Login data successfully updated',