Fixed cookie and session handling issues

With this it is necessary to replace the NativeSessionStorage to not mix up strong and regular session ids.
Fixed #68
Fixed also a issue where touch() triggers a restart although the actual content of the php file has not been changed.

Author: marcj

Bootstraps/Symfony.php

@@ -2,6 +2,7 @@
 
 namespace PHPPM\Bootstraps;
 
+use PHPPM\Symfony\StrongerNativeSessionStorage;
 use PHPPM\Utils;
 use Symfony\Component\HttpFoundation\Request;
 
@@ -52,9 +53,35 @@ public function getApplication()
             require './vendor/autoload.php';
         }
 
+        //since we need to change some services, we need to manually change some services
         $app = new \AppKernel($this->appenv, $this->debug);
-        $app->loadClassCache();
-        $app->boot();
+
+        //we need to change some services, before the boot, because they would otherwise
+        //be instantiated and passed to other classes which makes it impossible to replace them.
+        Utils::bindAndCall(function() use ($app) {
+            // init bundles
+            $app->initializeBundles();
+
+            // init container
+            $app->initializeContainer();
+        }, $app);
+
+        //now we can modify the container
+        $nativeStorage = new StrongerNativeSessionStorage(
+            $app->getContainer()->getParameter('session.storage.options'),
+            $app->getContainer()->has('session.handler') ? $app->getContainer()->get('session.handler'): null,
+            $app->getContainer()->get('session.storage.metadata_bag')
+        );
+        $app->getContainer()->set('session.storage.native', $nativeStorage);
+
+        Utils::bindAndCall(function() use ($app) {
+            foreach ($app->getBundles() as $bundle) {
+                $bundle->setContainer($app->container);
+                $bundle->boot();
+            }
+
+            $app->booted = true;
+        }, $app);
 
         //warm up
         $request = new Request();

Bridges/HttpKernel.php

@@ -6,6 +6,7 @@
 use PHPPM\Bootstraps\BootstrapInterface;
 use PHPPM\Bootstraps\HooksInterface;
 use PHPPM\React\HttpResponse;
+use PHPPM\Utils;
 use React\Http\Request as ReactRequest;
 use Symfony\Component\HttpFoundation\Cookie;
 use Symfony\Component\HttpFoundation\Request as SymfonyRequest;
@@ -65,6 +66,8 @@ public function getStaticDirectory()
      *
      * @param ReactRequest $request
      * @param HttpResponse $response
+     *
+     * @throws \Exception
      */
     public function onRequest(ReactRequest $request, HttpResponse $response)
     {
@@ -111,18 +114,35 @@ public function onRequest(ReactRequest $request, HttpResponse $response)
     protected function mapRequest(ReactRequest $reactRequest)
     {
         $method = $reactRequest->getMethod();
-        $headers = array_change_key_case($reactRequest->getHeaders());
+        $headers = $reactRequest->getHeaders();
         $query = $reactRequest->getQuery();
 
-        $cookies = array();
-        if (isset($headers['Cookie'])) {
-            $headersCookie = explode(';', $headers['Cookie']);
+        $cookies = [];
+        $_COOKIE = [];
+
+        $sessionCookieSet = false;
+
+        if (isset($headers['Cookie']) || isset($headers['cookie'])) {
+            $headersCookie = explode(';', isset($headers['Cookie']) ? $headers['Cookie'] : $headers['cookie']);
             foreach ($headersCookie as $cookie) {
                 list($name, $value) = explode('=', trim($cookie));
                 $cookies[$name] = $value;
+                $_COOKIE[$name] = $value;
+
+                if ($name === session_name()) {
+                    session_id($value);
+                    $sessionCookieSet = true;
+                }
             }
         }
 
+        if (!$sessionCookieSet && session_id()) {
+            //session id already set from the last round but not got from the cookie header,
+            //so generate a new one, since php is not doing it automatically with session_start() if session
+            //has already been started.
+            session_id(Utils::generateSessionId());
+        }
+
         $files = $reactRequest->getFiles();
         $post = $reactRequest->getPost();
 
@@ -144,17 +164,46 @@ protected function mapRequest(ReactRequest $reactRequest)
      */
     protected function mapResponse(HttpResponse $reactResponse, SymfonyResponse $syResponse)
     {
+        //end active session
+        if (PHP_SESSION_ACTIVE === session_status()) {
+            session_write_close();
+            session_unset(); //reset $_SESSION
+        }
+
         $content = $syResponse->getContent();
 
-        $headers = $syResponse->headers->allPreserveCase();
+        $nativeHeaders = [];
+
+        foreach (headers_list() as $header) {
+            if (false !== $pos = strpos($header, ':')) {
+                $name = substr($header, 0, $pos);
+                $value = trim(substr($header, $pos + 1));
+
+                if (isset($nativeHeaders[$name])) {
+                    if (!is_array($nativeHeaders[$name])) {
+                        $nativeHeaders[$name] = [$nativeHeaders[$name]];
+                    }
+
+                    $nativeHeaders[$name][] = $value;
+                } else {
+                    $nativeHeaders[$name] = $value;
+                }
+            }
+        }
+
+        //after reading all headers we need to reset it, so next request
+        //operates on a clean header.
+        header_remove();
+
+        $headers = array_merge($nativeHeaders, $syResponse->headers->allPreserveCase());
         $cookies = [];
 
         /** @var Cookie $cookie */
         foreach ($syResponse->headers->getCookies() as $cookie) {
             $cookieHeader = sprintf('%s=%s', $cookie->getName(), $cookie->getValue());
 
             if ($cookie->getPath()) {
-                $cookieHeader .= '; Path=' . $cookie->getPath();
+                $cookieHeader .= '; Path=' . urlencode($cookie->getPath());
             }
             if ($cookie->getDomain()) {
                 $cookieHeader .= '; Domain=' . $cookie->getDomain();
@@ -174,7 +223,11 @@ protected function mapResponse(HttpResponse $reactResponse, SymfonyResponse $syR
             $cookies[] = $cookieHeader;
         }
 
-        $headers['Set-Cookie'] = $cookies;
+        if (isset($headers['Set-Cookie'])) {
+            $headers['Set-Cookie'] = array_merge((array)$headers['Set-Cookie'], $cookies);
+        } else {
+            $headers['Set-Cookie'] = $cookies;
+        }
 
         $reactResponse->writeHead($syResponse->getStatusCode(), $headers);
 
@@ -184,7 +237,6 @@ protected function mapResponse(HttpResponse $reactResponse, SymfonyResponse $syR
         }
 
         $reactResponse->end($stdOut . $content);
-
     }
 
     /**

Symfony/StrongerNativeSessionStorage.php

@@ -0,0 +1,44 @@
+<?php
+
+namespace PHPPM\Symfony;
+
+/**
+ * Since PHP-PM needs to generate its session ids on its own due to the fact that session_destroy()
+ * does not reset session_id() nor does it generate a new one for a new session, we need
+ * to overwrite Symfonys NativeSessionStorage that uses session_regenerate_id() which generates
+ * the weaker session ids from PHP. So we need to overwrite the method regenerate(), to set a better
+ * session id afterwards.
+ */
+class StrongerNativeSessionStorage extends \Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function regenerate($destroy = false, $lifetime = null)
+    {
+        //since session_regenerate_id also places a setcookie call, we need to deactivate this, to not have
+        //two Set-Cookie headers
+        ini_set('session.use_cookies', 0);
+        if ($isRegenerated = parent::regenerate($destroy, $lifetime)) {
+            $params = session_get_cookie_params();
+
+            session_id(\PHPPM\Utils::generateSessionId());
+            error_log('StrongerNativeSessionStorage::regenerate ' . $params['lifetime'] . ' = ' . session_id());
+
+            setcookie(
+                session_name(),
+                session_id(),
+                $params['lifetime'] ? time() + $params['lifetime'] : null,
+                $params['path'],
+                $params['domain'],
+                $params['secure'],
+                $params['httponly']
+            );
+        }
+        ini_set('session.use_cookies', 1);
+
+        return $isRegenerated;
+    }
+
+
+}