Removed Mage_Persistent and improved cookie handling (#36)

Author: justinbeaty

.phpstan.baseline.neon

@@ -2025,11 +2025,6 @@ parameters:
 			count: 1
 			path: app/code/core/Mage/Core/Model/Config.php
 
-		-
-			message: "#^Method Mage_Core_Model_Cookie\\:\\:getHttponly\\(\\) should return bool but returns null\\.$#"
-			count: 1
-			path: app/code/core/Mage/Core/Model/Cookie.php
-
 		-
 			message: "#^Binary operation \"\\+\" between string and string results in an error\\.$#"
 			count: 1

app/code/core/Mage/Adminhtml/Block/Sales/Order/Create/Items/Grid.php

@@ -65,16 +65,6 @@ public function getItems()
         return $items;
     }
 
-    /**
-     * Returns the session
-     *
-     * @return Mage_Persistent_Helper_Session
-     */
-    public function getSession()
-    {
-        return $this->getParentBlock()->getSession();
-    }
-
     /**
      * Returns the item's calculation price
      *

app/code/core/Mage/Adminhtml/Block/System/Config/Form/Field/Cookie/Lifetime.php

@@ -0,0 +1,35 @@
+<?php
+/**
+ * Maho
+ *
+ * @category   Mage
+ * @package    Mage_Adminhtml
+ * @copyright  Copyright (c) 2024 Maho (https://mahocommerce.com)
+ * @license    https://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
+ */
+
+/**
+ * Adminhtml system config cookie lifetime field renderer
+ *
+ * @category   Mage
+ * @package    Mage_Adminhtml
+ */
+class Mage_Adminhtml_Block_System_Config_Form_Field_Cookie_Lifetime extends Mage_Adminhtml_Block_System_Config_Form_Field
+{
+    #[\Override]
+    public function render(Varien_Data_Form_Element_Abstract $element): string
+    {
+        if ($element->getHtmlId() === 'admin_security_session_cookie_lifetime') {
+            $min = Mage_Adminhtml_Controller_Action::SESSION_MIN_LIFETIME;
+            $max = Mage_Adminhtml_Controller_Action::SESSION_MAX_LIFETIME;
+        } else {
+            $min = Mage_Core_Controller_Front_Action::SESSION_MIN_LIFETIME;
+            $max = Mage_Core_Controller_Front_Action::SESSION_MAX_LIFETIME;
+        }
+
+        $element->setComment(Mage::helper('core')->__('Value must be between %d and %d', $min, $max));
+        $element->addClass("validate-digits validate-digits-range digits-range-$min-$max");
+
+        return parent::render($element);
+    }
+}

app/code/core/Mage/Adminhtml/Controller/Action.php

@@ -24,9 +24,14 @@ class Mage_Adminhtml_Controller_Action extends Mage_Core_Controller_Varien_Actio
     public const FLAG_IS_URLS_CHECKED = 'check_url_settings';
 
     /**
-     * Session namespace to refer in other places
+     * Session constants to refer in other places
+     *
+     * Max lifetime is set to 400 days, as chromium based browsers will not allow anything higher
+     * https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-cookie-lifetime-limits
      */
-    public const SESSION_NAMESPACE = 'adminhtml';
+    public const SESSION_NAMESPACE = 'maho_admin_session';
+    public const SESSION_MIN_LIFETIME = 60;
+    public const SESSION_MAX_LIFETIME = 60 * 60 * 24 * 400;
 
     /**
      * ACL resource

app/code/core/Mage/Adminhtml/Helper/Help/Mapping.php

@@ -155,7 +155,6 @@ abstract class Mage_Adminhtml_Helper_Help_Mapping extends Mage_Core_Helper_Abstr
             'system_config/edit/section/customer' => 'configuration/customers/customer-configuration.html',
             'system_config/edit/section/wishlist' => 'configuration/customers/wishlist.html',
             'system_config/edit/section/promo' => 'configuration/customers/promotions.html',
-            'system_config/edit/section/persistent' => 'configuration/customers/persistent-shopping-cart.html',
             'system_config/edit/section/sales' => 'configuration/sales/sales.html',
             'system_config/edit/section/sales_email' => 'configuration/sales/sales-emails.html',
             'system_config/edit/section/sales_pdf' => 'configuration/sales/pdf-print-outs.html',

app/code/core/Mage/Adminhtml/Model/Observer.php

@@ -66,4 +66,22 @@ public function clearCacheConfigurationFilesAccessLevelVerification()
         Mage::app()->removeCache(Mage_Adminhtml_Block_Notification_Security::VERIFICATION_RESULT_CACHE_KEY);
         return $this;
     }
+
+    /**
+     * Set the admin's session lifetime based on config
+     */
+    public function setCookieLifetime(Varien_Event_Observer $observer): void
+    {
+        /** @var Mage_Core_Model_Session $session */
+        $session = Mage::getSingleton('adminhtml/session');
+        if ($session->getSessionName() === Mage_Adminhtml_Controller_Action::SESSION_NAMESPACE) {
+            $lifetime = Mage::getStoreConfigAsInt('admin/security/session_cookie_lifetime');
+            $lifetime = min($lifetime, Mage_Adminhtml_Controller_Action::SESSION_MAX_LIFETIME);
+            $lifetime = max($lifetime, Mage_Adminhtml_Controller_Action::SESSION_MIN_LIFETIME);
+
+            /** @var Mage_Core_Model_Cookie $cookie */
+            $cookie = $observer->getCookie();
+            $cookie->setLifetime($lifetime);
+        }
+    }
 }

app/code/core/Mage/Adminhtml/etc/config.xml

@@ -72,6 +72,14 @@
                     </configuration_files_access_level_verification>
                 </observers>
             </admin_user_authenticate_after>
+            <session_before_renew_cookie>
+                <observers>
+                    <adminhtml_session_before_renew_cookie>
+                        <class>adminhtml/observer</class>
+                        <method>setCookieLifetime</method>
+                    </adminhtml_session_before_renew_cookie>
+                </observers>
+            </session_before_renew_cookie>
         </events>
     </global>
     <admin>

app/code/core/Mage/Checkout/Helper/Data.php

@@ -349,12 +349,4 @@ public function isCustomerMustBeLogged(): bool
     {
         return $this->isRedirectRegisterStep();
     }
-
-    public function isPersistentEnabled(): bool
-    {
-        if (Mage::helper('core')->isModuleEnabled('Mage_Persistent')) {
-            return Mage::helper('persistent')->isEnabled();
-        }
-        return false;
-    }
 }

app/code/core/Mage/Checkout/Model/Type/Onepage.php

@@ -757,7 +757,9 @@ protected function _involveNewCustomer()
             );
         } else {
             $customer->sendNewAccountEmail('registered', '', $this->getQuote()->getStoreId());
-            $this->getCustomerSession()->loginById($customer->getId());
+            $this->getCustomerSession()
+                 ->setRememberMe($this->_checkoutSession->getRememberMe())
+                 ->loginById($customer->getId());
         }
         return $this;
     }

app/code/core/Mage/Checkout/controllers/OnepageController.php

@@ -386,6 +386,10 @@ public function saveBillingAction()
                 }
             }
 
+            /** @var Mage_Checkout_Model_Session */
+            $session = Mage::getSingleton('checkout/session');
+            $session->setRememberMe((bool)$this->getRequest()->getPost('remember_me'));
+
             $this->_prepareDataJSON($result);
         }
     }

app/code/core/Mage/Core/Controller/Front/Action.php

@@ -19,9 +19,15 @@
 class Mage_Core_Controller_Front_Action extends Mage_Core_Controller_Varien_Action
 {
     /**
-     * Session namespace to refer in other places
+     * Session constants to refer in other places
+     *
+     * Max lifetime is set to 400 days, as chromium based browsers will not allow anything higher
+     * https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-cookie-lifetime-limits
      */
-    public const SESSION_NAMESPACE = 'om_frontend';
+    public const SESSION_NAMESPACE = 'maho_session';
+    public const SESSION_LEGACY_NAMESPACES = ['om_frontend', 'frontend'];
+    public const SESSION_MIN_LIFETIME = 60 * 60;
+    public const SESSION_MAX_LIFETIME = 60 * 60 * 24 * 400;
 
     /**
      * Add secret key to url config path

app/code/core/Mage/Core/Model/Config.php

@@ -76,7 +76,6 @@ class Mage_Core_Model_Config extends Mage_Core_Model_Config_Base
         'Mage_ImportExport' => 57,
         'Mage_Api2' => 58,
         'Mage_PageCache' => 59,
-        'Mage_Persistent' => 60,
         'Mage_Weee' => 61,
         'Mage_CurrencySymbol' => 62
     ];

app/code/core/Mage/Core/Model/Cookie.php

@@ -24,6 +24,8 @@ class Mage_Core_Model_Cookie
     public const XML_PATH_COOKIE_HTTPONLY  = 'web/cookie/cookie_httponly';
     public const XML_PATH_COOKIE_SAMESITE  = 'web/cookie/cookie_samesite';
 
+    public const DEFAULT_COOKIE_LIFETIME   = 60 * 60 * 24 * 365;
+
     protected $_lifetime;
 
     /**
@@ -123,15 +125,7 @@ public function getPath()
      */
     public function getLifetime()
     {
-        if (!is_null($this->_lifetime)) {
-            $lifetime = $this->_lifetime;
-        } else {
-            $lifetime = Mage::getStoreConfig(self::XML_PATH_COOKIE_LIFETIME, $this->getStore());
-        }
-        if (!is_numeric($lifetime)) {
-            $lifetime = 3600;
-        }
-        return $lifetime;
+        return $this->_lifetime ?? self::DEFAULT_COOKIE_LIFETIME;
     }
 
     /**
@@ -153,28 +147,27 @@ public function setLifetime($lifetime)
      */
     public function getHttponly()
     {
-        $httponly = Mage::getStoreConfig(self::XML_PATH_COOKIE_HTTPONLY, $this->getStore());
-        if (is_null($httponly)) {
-            return null;
-        }
-        return (bool)$httponly;
+        return Mage::getStoreConfigFlag(self::XML_PATH_COOKIE_HTTPONLY, $this->getStore());
     }
 
     /**
      * Retrieve use SameSite
      */
     public function getSameSite(): string
     {
-        $sameSite = Mage::getStoreConfig(self::XML_PATH_COOKIE_SAMESITE, $this->getStore());
-        if (is_null($sameSite)) {
-            return 'None';
+        $value = Mage::getStoreConfig(self::XML_PATH_COOKIE_SAMESITE, $this->getStore());
+
+        // Do not permit SameSite=None on unsecure pages, upgrade to Lax
+        // https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure
+        if ($value === 'None' && $this->isSecure() === false) {
+            return 'Lax';
         }
-        return (string)$sameSite;
+
+        return $value;
     }
 
     /**
-     * Is https secure request
-     * Use secure on adminhtml only
+     * Retrieve use secure cookie
      *
      * @return bool
      */
@@ -212,57 +205,28 @@ public function set($name, $value, $period = null, $path = null, $domain = null,
             return $this;
         }
 
+        $period ??= $this->getLifetime();
         if ($period === true) {
-            $period = 3600 * 24 * 365;
-        } elseif (is_null($period)) {
-            $period = $this->getLifetime();
+            $period = self::DEFAULT_COOKIE_LIFETIME;
         }
-
         if ($period == 0) {
-            $expire = 0;
+            $expires = 0;
         } else {
-            $expire = time() + $period;
-        }
-        if (is_null($path)) {
-            $path = $this->getPath();
-        }
-        if (is_null($domain)) {
-            $domain = $this->getDomain();
-        }
-        if (is_null($secure)) {
-            $secure = $this->isSecure();
-        }
-        if (is_null($httponly)) {
-            $httponly = $this->getHttponly();
-        }
-        if (is_null($sameSite)) {
-            $sameSite = $this->getSameSite();
+            $expires = time() + $period;
         }
 
-        if ($sameSite === 'None') {
-            // Enforce specification SameSite None requires secure
-            $secure = true;
-        }
-
-        if (PHP_VERSION_ID >= 70300) {
-            setcookie(
-                $name,
-                (string)$value,
-                [
-                    'expires'  => $expire,
-                    'path'     => $path,
-                    'domain'   => $domain,
-                    'secure'   => $secure,
-                    'httponly' => $httponly,
-                    'samesite' => $sameSite
-                ]
-            );
-        } else {
-            if (!empty($sameSite)) {
-                $path .= "; samesite={$sameSite}";
-            }
-            setcookie($name, (string)$value, $expire, $path, $domain, $secure, $httponly);
-        }
+        setcookie(
+            $name,
+            (string)$value,
+            [
+                'expires'  => $expires,
+                'path'     => $path ?? $this->getPath(),
+                'domain'   => $domain ?? $this->getDomain(),
+                'secure'   => $secure ?? $this->isSecure(),
+                'httponly' => $httponly ?? $this->getHttponly(),
+                'samesite' => $sameSite ?? $this->getSameSite(),
+            ]
+        );
 
         return $this;
     }
@@ -281,9 +245,6 @@ public function set($name, $value, $period = null, $path = null, $domain = null,
      */
     public function renew($name, $period = null, $path = null, $domain = null, $secure = null, $httponly = null, $sameSite = null)
     {
-        if (($period === null) && !$this->getLifetime()) {
-            return $this;
-        }
         $value = $this->_getRequest()->getCookie($name, false);
         if ($value !== false) {
             $this->set($name, $value, $period, $path, $domain, $secure, $httponly, $sameSite);
@@ -315,13 +276,6 @@ public function get($name = null)
      */
     public function delete($name, $path = null, $domain = null, $secure = null, $httponly = null, $sameSite = null)
     {
-        /**
-         * Check headers sent
-         */
-        if (!$this->_getResponse()->canSendHeaders(false)) {
-            return $this;
-        }
-
         return $this->set($name, '', null, $path, $domain, $secure, $httponly, $sameSite);
     }
 }