fix: cookie implementation and drop deprecated functionalities

Signed-off-by: otengkwame <developerkwame@gmail.com>

Author: otengkwame

CodeIgniter/Framework/core/Input.php

@@ -665,7 +665,11 @@ public function mimetype()
 	 */
 	public function cookie($index = null, $xss_clean = false)
 	{
-		return $this->_fetch_from_array($_COOKIE, $index, $xss_clean);
+		$prefix = isset($_COOKIE[$index])
+			? ''
+			: config_item('cookie_prefix');
+
+		return $this->_fetch_from_array($_COOKIE, $prefix . $index, $xss_clean);
 	}
 
 	// --------------------------------------------------------------------
@@ -820,20 +824,6 @@ public function set_cookie($name, $value = '', $expire = 0, $domain = '', $path
 			log_message('error', $name . ' cookie sent with SameSite=None, but without Secure attribute.');
 		}
 
-		if (!is_php('7.3')) {
-			$maxage = $expire - time();
-			if ($maxage < 1) {
-				$maxage = 0;
-			}
-
-			$cookie_header = 'Set-Cookie: ' . $prefix . $name . '=' . rawurlencode($value);
-			$cookie_header .= ($expire === 0 ? '' : '; Expires=' . gmdate('D, d-M-Y H:i:s T', $expire)) . '; Max-Age=' . $maxage;
-			$cookie_header .= '; Path=' . $path . ($domain !== '' ? '; Domain=' . $domain : '');
-			$cookie_header .= ($secure ? '; Secure' : '') . ($httponly ? '; HttpOnly' : '') . '; SameSite=' . $samesite;
-			header($cookie_header);
-			return;
-		}
-
 		// using setcookie with array option to add cookie 'samesite' attribute
 		$setcookie_options = [
 			'expires' => $expire,
@@ -843,6 +833,7 @@ public function set_cookie($name, $value = '', $expire = 0, $domain = '', $path
 			'httponly' => $httponly,
 			'samesite' => $samesite,
 		];
+
 		setcookie($prefix . $name, $value, $setcookie_options);
 	}
 

CodeIgniter/Framework/core/Security.php

@@ -267,7 +267,7 @@ public function csrf_verify()
 	 * CSRF Set Cookie
 	 *
 	 * @codeCoverageIgnore
-	 * @return	CI_Security
+	 * @return	CI_Security|bool
 	 */
 	public function csrf_set_cookie()
 	{
@@ -278,32 +278,18 @@ public function csrf_set_cookie()
 			return false;
 		}
 
-		if (is_php('7.3')) {
-			setcookie(
-				$this->_csrf_cookie_name,
-				$this->_csrf_hash,
-				[
-					'expires'  => $expire,
-					'path'     => config_item('cookie_path'),
-					'domain'   => config_item('cookie_domain'),
-					'secure'   => $secure_cookie,
-					'httponly' => config_item('cookie_httponly'),
-					'samesite' => 'Strict'
-				]
-			);
-		} else {
-			$domain = trim(config_item('cookie_domain'));
-			header(
-				'Set-Cookie: ' . $this->_csrf_cookie_name . '=' . $this->_csrf_hash
-					. '; Expires=' . gmdate('D, d-M-Y H:i:s T', $expire)
-					. '; Max-Age=' . $this->_csrf_expire
-					. '; Path=' . rawurlencode(config_item('cookie_path'))
-					. ($domain === '' ? '' : '; Domain=' . $domain)
-					. ($secure_cookie ? '; Secure' : '')
-					. (config_item('cookie_httponly') ? '; HttpOnly' : '')
-					. '; SameSite=Strict'
-			);
-		}
+		setcookie(
+			$this->_csrf_cookie_name,
+			$this->_csrf_hash,
+			[
+				'expires'  => $expire,
+				'path'     => config_item('cookie_path'),
+				'domain'   => config_item('cookie_domain'),
+				'secure'   => $secure_cookie,
+				'httponly' => config_item('cookie_httponly'),
+				'samesite' => config_item('cookie_samesite') ?: 'Strict'
+			]
+		);
 
 		log_message('info', 'CSRF cookie sent');
 

CodeIgniter/Framework/helpers/cookie_helper.php

@@ -106,6 +106,6 @@ function get_cookie($index, $xss_clean = false)
 	 */
 	function delete_cookie($name, $domain = '', $path = '/', $prefix = '')
 	{
-		set_cookie($name, '', '', $domain, $path, $prefix);
+		set_cookie($name, '', 0, $domain, $path, $prefix);
 	}
 }

CodeIgniter/Framework/libraries/Session/Session.php

@@ -129,27 +129,20 @@ public function __construct(array $params = [])
 		// unless it is being currently created or regenerated
 		elseif (isset($_COOKIE[$this->_config['cookie_name']]) && $_COOKIE[$this->_config['cookie_name']] === session_id()) {
 			$expires = empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime'];
-			if (is_php('7.3')) {
-				setcookie(
-					$this->_config['cookie_name'],
-					session_id(),
-					[
-						'expires' => $expires,
-						'path' => $this->_config['cookie_path'],
-						'domain' => $this->_config['cookie_domain'],
-						'secure' => $this->_config['cookie_secure'],
-						'httponly' => true,
-						'samesite' => $this->_config['cookie_samesite']
-					]
-				);
-			} else {
-				$header = 'Set-Cookie: ' . $this->_config['cookie_name'] . '=' . session_id();
-				$header .= empty($expires) ? '' : '; Expires=' . gmdate('D, d-M-Y H:i:s T', $expires) . '; Max-Age=' . $this->_config['cookie_lifetime'];
-				$header .= '; Path=' . $this->_config['cookie_path'];
-				$header .= ($this->_config['cookie_domain'] !== '' ? '; Domain=' . $this->_config['cookie_domain'] : '');
-				$header .= ($this->_config['cookie_secure'] ? '; Secure' : '') . '; HttpOnly; SameSite=' . $this->_config['cookie_samesite'];
-				header($header);
-			}
+
+			setcookie(
+				$this->_config['cookie_name'],
+				session_id(),
+				[
+					'expires' => $expires,
+					'path' => $this->_config['cookie_path'],
+					'domain' => $this->_config['cookie_domain'],
+					'secure' => $this->_config['cookie_secure'],
+					'httponly' => true,
+					'samesite' => $this->_config['cookie_samesite']
+				]
+			);
+
 
 			if (!$this->_config['cookie_secure'] && $this->_config['cookie_samesite'] === 'None') {
 				log_message('error', "Session: '" . $this->_config['cookie_name'] . "' cookie sent with SameSite=None, but without Secure attribute.'");
@@ -175,12 +168,8 @@ public function __construct(array $params = [])
 	 */
 	protected function _ci_load_classes($driver)
 	{
-		// PHP 7 compatibility
-		interface_exists('SessionUpdateTimestampHandlerInterface', false) or require_once(BASEPATH . 'libraries/Session/SessionUpdateTimestampHandlerInterface.php');
 
-		require_once(BASEPATH . 'libraries/Session/CI_Session_driver_interface.php');
-		$wrapper = is_php('8.0') ? 'PHP8SessionWrapper' : 'OldSessionWrapper';
-		require_once(BASEPATH . 'libraries/Session/' . $wrapper . '.php');
+		require_once(BASEPATH . 'libraries/Session/PHP8SessionWrapper.php');
 
 		$prefix = config_item('subclass_prefix');
 
@@ -259,8 +248,9 @@ protected function _configure(&$params)
 		isset($params['cookie_domain']) or $params['cookie_domain'] = config_item('cookie_domain');
 		isset($params['cookie_secure']) or $params['cookie_secure'] = (bool) config_item('cookie_secure');
 
-		isset($params['cookie_samesite']) or $params['cookie_samesite'] = config_item('sess_samesite');
-		if (!isset($params['cookie_samesite']) && is_php('7.3')) {
+		isset($params['cookie_samesite']) or $params['cookie_samesite'] = config_item('cookie_samesite');
+
+		if (!isset($params['cookie_samesite'])) {
 			$params['cookie_samesite'] = ini_get('session.cookie_samesite');
 		}
 
@@ -271,24 +261,15 @@ protected function _configure(&$params)
 			$params['cookie_samesite'] = 'Lax';
 		}
 
-		if (is_php('7.3')) {
-			session_set_cookie_params([
-				'lifetime' => $params['cookie_lifetime'],
-				'path'     => $params['cookie_path'],
-				'domain'   => $params['cookie_domain'],
-				'secure'   => $params['cookie_secure'],
-				'httponly' => true,
-				'samesite' => $params['cookie_samesite']
-			]);
-		} else {
-			session_set_cookie_params(
-				$params['cookie_lifetime'],
-				$params['cookie_path'] . '; SameSite=' . $params['cookie_samesite'],
-				$params['cookie_domain'],
-				$params['cookie_secure'],
-				true // HttpOnly; Yes, this is intentional and not configurable for security reasons
-			);
-		}
+		session_set_cookie_params([
+			'lifetime' => $params['cookie_lifetime'],
+			'path'     => $params['cookie_path'],
+			'domain'   => $params['cookie_domain'],
+			'secure'   => $params['cookie_secure'],
+			'httponly' => true,
+			'samesite' => $params['cookie_samesite']
+		]);
+
 
 		if (empty($expiration)) {
 			$params['expiration'] = (int) ini_get('session.gc_maxlifetime');
@@ -309,8 +290,7 @@ protected function _configure(&$params)
 		ini_set('session.use_cookies', 1);
 		ini_set('session.use_only_cookies', 1);
 
-		// $this->_configure_sid_length();
-		$this->_polyfill_configure_sid_length();
+		$this->_configure_sid_length();
 	}
 
 	// ------------------------------------------------------------------------
@@ -332,66 +312,20 @@ protected function _configure(&$params)
 	 */
 	protected function _configure_sid_length()
 	{
-		if (PHP_VERSION_ID < 70100) {
-			$hash_function = ini_get('session.hash_function');
-			if (ctype_digit($hash_function)) {
-				if ($hash_function !== '1') {
-					ini_set('session.hash_function', 1);
-				}
+		$bits_per_character = (int) ini_get('session.sid_bits_per_character');
+		$sid_length        = (int) ini_get('session.sid_length');
 
-				$bits = 160;
-			} elseif (!in_array($hash_function, hash_algos(), true)) {
-				ini_set('session.hash_function', 1);
-				$bits = 160;
-			} elseif (($bits = strlen(hash($hash_function, 'dummy', false)) * 4) < 160) {
-				ini_set('session.hash_function', 1);
-				$bits = 160;
+		// We force the PHP defaults.
+		if (PHP_VERSION_ID < 90000) {
+			if ($bits_per_character !== 4) {
+				ini_set('session.sid_bits_per_character', '4');
 			}
-
-			$bits_per_character = (int) ini_get('session.hash_bits_per_character');
-			$sid_length         = (int) ceil($bits / $bits_per_character);
-		} else {
-			$bits_per_character = (int) ini_get('session.sid_bits_per_character');
-			$sid_length         = (int) ini_get('session.sid_length');
-			if (($bits = $sid_length * $bits_per_character) < 160) {
-				// Add as many more characters as necessary to reach at least 160 bits
-				$sid_length += (int) ceil((160 % $bits) / $bits_per_character);
-				ini_set('session.sid_length', $sid_length);
+			if ($sid_length !== 32) {
+				ini_set('session.sid_length', '32');
 			}
 		}
 
-		// Yes, 4,5,6 are the only known possible values as of 2016-10-27
-		switch ($bits_per_character) {
-			case 4:
-				$this->_sid_regexp = '[0-9a-f]';
-				break;
-			case 5:
-				$this->_sid_regexp = '[0-9a-v]';
-				break;
-			case 6:
-				$this->_sid_regexp = '[0-9a-zA-Z,-]';
-				break;
-		}
-
-		$this->_sid_regexp .= '{' . $sid_length . '}';
-	}
-
-	protected function _polyfill_configure_sid_length()
-	{
-		$bits_per_character = (int) ini_get('session.sid_bits_per_character');
-        $sid_length        = (int) ini_get('session.sid_length');
-
-        // We force the PHP defaults.
-        if (PHP_VERSION_ID < 90000) {
-            if ($bits_per_character !== 4) {
-                ini_set('session.sid_bits_per_character', '4');
-            }
-            if ($sid_length !== 32) {
-                ini_set('session.sid_length', '32');
-            }
-        }
-
-        $this->_sid_regexp = '[0-9a-f]{32}';
+		$this->_sid_regexp = '[0-9a-f]{32}';
 	}
 
 	// ------------------------------------------------------------------------

CodeIgniter/Framework/libraries/Session/Session_driver.php

@@ -51,6 +51,11 @@
 abstract class CI_Session_driver
 {
 
+	/**
+	 * Config values
+	 * 
+	 * @var string|array
+	 */
 	protected $_config;
 
 	/**
@@ -117,16 +122,6 @@ public function __construct(&$params)
 	 */
 	protected function _cookie_destroy()
 	{
-		if (!is_php('7.3')) {
-			$header = 'Set-Cookie: ' . $this->_config['cookie_name'] . '=';
-			$header .= '; Expires=' . gmdate('D, d-M-Y H:i:s T', 1) . '; Max-Age=-1';
-			$header .= '; Path=' . $this->_config['cookie_path'];
-			$header .= ($this->_config['cookie_domain'] !== '' ? '; Domain=' . $this->_config['cookie_domain'] : '');
-			$header .= ($this->_config['cookie_secure'] ? '; Secure' : '') . '; HttpOnly; SameSite=' . $this->_config['cookie_samesite'];
-			header($header);
-			return;
-		}
-
 		return setcookie(
 			$this->_config['cookie_name'],
 			'',