Simplified changeset to only include 4.x compatibility

jakxnz · jakxnz · commit 655a9e4069fd · 2020-06-17T11:01:13.000+12:00
diff --git a/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md b/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md
@@ -759,9 +759,7 @@ as this prevents an attacker who achieves cross-site scripting from accessing th
 ```php
 use SilverStripe\Control\Cookie;
 
-Cookie::set('cookie-name', 'chocolate-chip', $expiry = strtotime('+30 days'), $path = null, $domain = null, $secure = true, 
-    $httpOnly = false
-);
+Cookie::set('cookie-name', 'chocolate-chip', $expiry = 30, $path = null, $domain = null, $secure = true, $httpOnly = false);
 ```
 
 ## Security Headers
diff --git a/docs/en/02_Developer_Guides/18_Cookies_And_Sessions/01_Cookies.md b/docs/en/02_Developer_Guides/18_Cookies_And_Sessions/01_Cookies.md
@@ -17,55 +17,17 @@ Sets the value of cookie with configuration.
 ```php
 use SilverStripe\Control\Cookie;
 
-Cookie::set($name, $value, $expiry = strtotime('+90 days'), $path = null, $domain = null, $secure = false, $httpOnly = false);
+Cookie::set($name, $value, $expiry = 90, $path = null, $domain = null, $secure = false, $httpOnly = false);
 
 // Cookie::set('MyApplicationPreference', 'Yes');
 ```
 
 #### Expiry
 
-Expiry value is a Unix timestamp of the time the cookie expires (0 expires at the end of the current session).
-
-##### Default expiry
-
-The default expiry is 90 days. This can be configured:
-
-```yaml
-SilverStripe\Control\Cookie:
-  default_cookie_expiry_days: 90
-```
-
-##### Deprecation: `Cookie::set()` `$expiry` in days
-
-In previous versions of SilverStripe, expiry was expressed in days e.g `Cookie::set($name, $value, $expiry = 90)`. This has been deprecated, and will invoke a deprecation notice. If you are experience the deprecation notice, but are unable to control or resolve the cause, the notice can be suppressed using the configuration:
-
-```yaml
-SilverStripe\Control\Cookie:
-  suppress_expiry_as_timestamp_notice: true
-```
-**WARNING Notice should only be suppressed if no further resolution can be met.**
-
-
-###### Customising legacy expiry support
-
-The legacy expiry behaviour can be extended.
-
-```yaml
-SilverStripe\Control\CookieJar:
-  extensions:
-    - CookieJarExtension
-```
-
-```php
-class CookieJarExtension extends DataExtension
-{
-
-    public function updateLegacyExpiry($expiry)
-    {
-        // Customisation goes here
-    }
-}
-```
+SilverStripe's default `Cookie_Backend` supports `$expiry` as
+ - Days: The number of days until the cookie expires
+ - Unix timestamp: The time the cookie expires
+ - 0: Expires at the end of the current session.
 
 ### get
 
diff --git a/src/Control/Cookie.php b/src/Control/Cookie.php
@@ -21,11 +21,6 @@ class Cookie
      */
     private static $report_errors = true;
 
-    /**
-     * @var bool
-     */
-    private static $suppress_expiry_as_timestamp_notice = false;
-
     /**
      * @var int
      */
@@ -44,7 +39,7 @@ public static function get_inst()
     /**
      * Set a cookie variable.
      *
-     * Expiry time is a Unix timestamp; 0 expires at the end of the current session
+     * Expiry time is set in days, and defaults to 90.
      *
      * @param string $name
      * @param mixed $value
@@ -59,21 +54,12 @@ public static function get_inst()
     public static function set(
         $name,
         $value,
-        $expiry = 0,
+        $expiry = 90,
         $path = null,
         $domain = null,
         $secure = false,
         $httpOnly = true
     ) {
-        if ($expiry > 0 && $expiry < DBDatetime::now()->getTimestamp()
-            && !Config::inst()->get(Cookie::class, 'suppress_expiry_as_timestamp_notice')
-        ) {
-            Deprecation::notice(
-                '5.0',
-                'Cookie::set() requires $expiry to be a Unix timestamp of the time the cookie expires'
-            );
-        }
-
         return self::get_inst()->set($name, $value, $expiry, $path, $domain, $secure, $httpOnly);
     }
 
diff --git a/src/Control/CookieJar.php b/src/Control/CookieJar.php
@@ -2,11 +2,9 @@
 
 namespace SilverStripe\Control;
 
-use SilverStripe\Core\Config\Config;
+use LogicException;
 use SilverStripe\Core\Extensible;
-use SilverStripe\Dev\Deprecation;
 use SilverStripe\ORM\FieldType\DBDatetime;
-use LogicException;
 
 /**
  * A default backend for the setting and getting of cookies
@@ -67,16 +65,23 @@ public function __construct($cookies = array())
      *
      * @param string $name The name of the cookie
      * @param string $value The value for the cookie to hold
-     * @param int $expiry A Unix timestamp of the time the cookie expires; 0 expires at the end of the current session
+     * @param int $expiry A Unix timestamp of, or the number of days until, the time the cookie expires;
+     *                    0 expires at the end of the current session
      * @param string $path The path to save the cookie on (falls back to site base)
      * @param string $domain The domain to make the cookie available on
      * @param boolean $secure Can the cookie only be sent over SSL?
      * @param boolean $httpOnly Prevent the cookie being accessible by JS
      */
-    public function set($name, $value, $expiry = -2, $path = null, $domain = null, $secure = false, $httpOnly = true)
+    public function set($name, $value, $expiry = 90, $path = null, $domain = null, $secure = false, $httpOnly = true)
     {
-        // Provide backwards compatibility support for 4.x
-        $expiry = $this->legacyExpiry($expiry);
+        // Treat null as 0
+        $expiry = is_null($expiry) ? 0 : $expiry;
+
+        // Provide backwards compatibility for expiry in days (4.x)
+        if ($expiry > 0 && $expiry < DBDatetime::now()->getTimestamp()) {
+            // Convert days to supported expression
+            $expiry = DBDatetime::now()->getTimestamp()+($expiry*86400);
+        }
 
         // Are we setting or clearing a cookie?
         $clear = $value === false || $value === '' || $expiry < 0;
@@ -86,11 +91,8 @@ public function set($name, $value, $expiry = -2, $path = null, $domain = null, $
             $expiry = -1;
         }
 
-        // Set the path up
-        $path = $path ?: Director::baseURL();
-
         // Send the cookie
-        $this->outputCookie($name, $value, $expiry, $path, $domain, $secure, $httpOnly);
+        $this->outputCookie($name, $value, $expiry, $path ?: Director::baseURL(), $domain, $secure, $httpOnly);
 
         if ($clear) {
             // Clear cookie
@@ -103,36 +105,6 @@ public function set($name, $value, $expiry = -2, $path = null, $domain = null, $
         $this->new[$name] = $this->current[$name] = $value;
     }
 
-    /**
-     * Support $expiry values that are supplied in days (SilverStripe 4.x)
-     *
-     * @param $expiry
-     * @return float|int
-     */
-    protected function legacyExpiry($expiry)
-    {
-        // Establish fallback
-        $default = (int) Config::inst()->get(Cookie::class, 'default_cookie_expiry_days');
-
-        // Treat null as 0
-        $expiry = (int) $expiry;
-
-        if ($expiry > 0 && $expiry < time()) {
-            // Convert days to supported expression
-            $expiry = DBDatetime::now()->getTimestamp()+($expiry*86400);
-        }
-
-        if ($expiry <= -2) {
-            // Supply default expiry
-            $expiry = DBDatetime::now()->getTimestamp()+($default*86400);
-        }
-
-        // Let's provide an extension hook to allow users to clarify legacy behavior as needed
-        $this->extend('updateLegacyExpiry', $expiry);
-
-        return $expiry;
-    }
-
     /**
      * Get the cookie value by name
      *
diff --git a/src/Control/Cookie_Backend.php b/src/Control/Cookie_Backend.php
@@ -30,7 +30,7 @@ public function __construct($cookies = array());
      * @param boolean $secure Can the cookie only be sent over SSL?
      * @param boolean $httpOnly Prevent the cookie being accessible by JS
      */
-    public function set($name, $value, $expiry = 0, $path = null, $domain = null, $secure = false, $httpOnly = true);
+    public function set($name, $value, $expiry = 90, $path = null, $domain = null, $secure = false, $httpOnly = true);
 
     /**
      * Get the cookie value by name
diff --git a/src/Control/Session.php b/src/Control/Session.php
@@ -332,7 +332,7 @@ public function start(HTTPRequest $request)
                     Cookie::set(
                         session_name(),
                         session_id(),
-                        DBDatetime::now()->getTimestamp()+$timeout,
+                        $timeout / 86400, // Convert seconds to days
                         $path,
                         $domain ?: null,
                         $secure,
diff --git a/src/Security/MemberAuthenticator/CookieAuthenticationHandler.php b/src/Security/MemberAuthenticator/CookieAuthenticationHandler.php
@@ -217,13 +217,11 @@ public function logIn(Member $member, $persistent = false, HTTPRequest $request
             $rememberLoginHash = RememberLoginHash::generate($member);
             $tokenExpiryDays = RememberLoginHash::config()->uninherited('token_expiry_days');
             $deviceExpiryDays = RememberLoginHash::config()->uninherited('device_expiry_days');
-            $tokenExpiry = DBDatetime::now()->getTimestamp()+($tokenExpiryDays*86400);
-            $deviceExpiry = DBDatetime::now()->getTimestamp()+($deviceExpiryDays*86400);
             $secure = $this->getTokenCookieSecure();
             Cookie::set(
                 $this->getTokenCookieName(),
                 $member->ID . ':' . $rememberLoginHash->getToken(),
-                $tokenExpiry,
+                $tokenExpiryDays,
                 null,
                 null,
                 $secure,
@@ -232,7 +230,7 @@ public function logIn(Member $member, $persistent = false, HTTPRequest $request
             Cookie::set(
                 $this->getDeviceCookieName(),
                 $rememberLoginHash->DeviceID,
-                $deviceExpiry,
+                $deviceExpiryDays,
                 null,
                 null,
                 $secure,
@@ -268,8 +266,8 @@ public function logOut(HTTPRequest $request = null)
     protected function clearCookies()
     {
         $secure = $this->getTokenCookieSecure();
-        Cookie::set($this->getTokenCookieName(), null, null, null, null, $secure);
-        Cookie::set($this->getDeviceCookieName(), null, null, null, null, $secure);
+        Cookie::set($this->getTokenCookieName(), null, 0, null, null, $secure);
+        Cookie::set($this->getDeviceCookieName(), null, 0, null, null, $secure);
         Cookie::force_expiry($this->getTokenCookieName(), null, null, null, null, $secure);
         Cookie::force_expiry($this->getDeviceCookieName(), null, null, null, null, $secure);
     }
