MC-36034: Session size configuration

- Added session size configuration
- Added unit test converage

Author: hwyu@adobe.com

app/code/Magento/Security/Block/Config/Backend/Session/SessionSize.php

@@ -0,0 +1,77 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+/**
+ * System config email field backend model
+ */
+declare(strict_types=1);
+
+namespace Magento\Security\Block\Config\Backend\Session;
+
+use Magento\Backend\Block\Template\Context;
+use Magento\Config\Block\System\Config\Form\Field;
+use Magento\Framework\Data\Form\Element\AbstractElement;
+use Magento\Framework\Exception\ValidatorException;
+use Magento\Framework\Serialize\Serializer\Json;
+
+/**
+ * Backend Model for Max Session Size
+ */
+class SessionSize extends Field
+{
+    /**
+     * @var Json
+     */
+    private $json;
+
+    /**
+     * @param Context $context
+     * @param Json $json
+     * @param array $data
+     */
+    public function __construct(
+        Context $context,
+        Json $json,
+        array $data = []
+    ) {
+        parent::__construct($context, $data);
+        $this->json = $json;
+    }
+
+    /**
+     * {@inheritdoc}
+     * @throws ValidatorException
+     */
+    protected function _getElementHtml(AbstractElement $element)
+    {
+        $html = parent::_getElementHtml($element);
+        $originalData = $element->getOriginalData();
+        $maxSessionSizeAdminSelector = '#' . $element->getHtmlId();
+        $jsString = '<script type="text/x-magento-init"> {"' .
+            $maxSessionSizeAdminSelector . '": {
+            "Magento_Security/js/system/config/session-size": {"modalTitleText": ' .
+            $this->json->serialize(__($originalData['modal_title_text'])) . ', "modalContentBody": ' .
+            $this->json->serialize($this->getModalContentBody($originalData['modal_content_body_path']))
+            . '}}}</script>';
+
+        $html .= $jsString;
+        return $html;
+    }
+
+    /**
+     * Get HTML for the modal content body when user switches to disable
+     *
+     * @param string $templatePath
+     * @return string
+     * @throws ValidatorException
+     */
+    private function getModalContentBody(string $templatePath)
+    {
+        $templateFileName = $this->getTemplateFile($templatePath);
+
+        return $this->fetchView($templateFileName);
+    }
+}

app/code/Magento/Security/Model/Config/Backend/Session/SessionSize.php

@@ -0,0 +1,34 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+/**
+ * System config email field backend model
+ */
+declare(strict_types=1);
+
+namespace Magento\Security\Model\Config\Backend\Session;
+
+use Magento\Framework\App\Config\Value;
+
+/**
+ * Backend Model for Max Session Size
+ */
+class SessionSize extends Value
+{
+    /**
+     * @return $this
+     */
+    public function beforeSave()
+    {
+        $value = (int)$this->getValue();
+
+        if ($value === null || $value < 0) {
+            $value = 0;
+        }
+        $this->setValue((string)$value);
+        return $this;
+    }
+}

app/code/Magento/Security/composer.json

@@ -7,6 +7,7 @@
     "require": {
         "php": "~7.3.0||~7.4.0",
         "magento/framework": "*",
+        "magento/module-config": "*",
         "magento/module-backend": "*",
         "magento/module-store": "*",
         "magento/module-user": "*"

app/code/Magento/Security/etc/adminhtml/system.xml

@@ -36,6 +36,29 @@
                 </field>
             </group>
         </section>
+        <section id="system">
+            <group id="security" translate="label" type="text" sortOrder="60" showInDefault="1" showInWebsite="1">
+                <label>Security</label>
+                <field id="max_session_size_admin" translate="label" type="text" sortOrder="1" showInDefault="1" canRestore="1">
+                    <label>Max Session Size in Admin</label>
+                    <attribute type="modal_title_text">Are You Sure About Your Max Session Size in Admin Settings?</attribute>
+                    <attribute type="modal_content_body_path">Magento_Security::system/config/session_size_admin/modal_content_body.phtml</attribute>
+                    <validate>required-entry validate-zero-or-greater validate-digits</validate>
+                    <frontend_model>Magento\Security\Block\Config\Backend\Session\SessionSize</frontend_model>
+                    <backend_model>Magento\Security\Model\Config\Backend\Session\SessionSize</backend_model>
+                    <comment>Limit the maximum session size in bytes. Use 0 to disable.</comment>
+                </field>
+                <field id="max_session_size_storefront" translate="label" type="text" sortOrder="2" showInDefault="1" canRestore="1">
+                    <label>Max Session Size in Storefront</label>
+                    <attribute type="modal_title_text">Are You Sure About Your Max Session Size in Storefront Settings?</attribute>
+                    <attribute type="modal_content_body_path">Magento_Security::system/config/session_size_storefront/modal_content_body.phtml</attribute>
+                    <validate>required-entry validate-zero-or-greater validate-digits</validate>
+                    <frontend_model>Magento\Security\Block\Config\Backend\Session\SessionSize</frontend_model>
+                    <backend_model>Magento\Security\Model\Config\Backend\Session\SessionSize</backend_model>
+                    <comment>Limit the maximum session size in bytes. Use 0 to disable.</comment>
+                </field>
+            </group>
+        </section>s
         <section id="customer">
             <group id="password">
                 <field id="password_reset_protection_type" translate="label" type="select" sortOrder="5" showInDefault="1" showInWebsite="1" showInStore="1" canRestore="1">

app/code/Magento/Security/etc/config.xml

@@ -16,6 +16,12 @@
                 <session_lifetime>900</session_lifetime>
             </security>
         </admin>
+        <system>
+            <security>
+                <max_session_size_admin>256000</max_session_size_admin>
+                <max_session_size_storefront>256000</max_session_size_storefront>
+            </security>
+        </system>
         <customer>
             <password>
                 <password_reset_protection_type>1</password_reset_protection_type>

app/code/Magento/Security/view/adminhtml/templates/system/config/session_size_admin/modal_content_body.phtml

@@ -0,0 +1,13 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+?>
+<div>
+    <p>
+        <strong><?= $block->escapeHtml(__('Warning')) ?></strong>
+        <?= $block->escapeHtml(__(': You are about to set max session size in admin to be lower than recommended default session size. Low max session size in admin could break admin functionalities such as admin panel login. Are you sure you want to make this change?')) ?>
+    </p>
+</div>

app/code/Magento/Security/view/adminhtml/templates/system/config/session_size_storefront/modal_content_body.phtml

@@ -0,0 +1,13 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+?>
+<div>
+    <p>
+        <strong><?= $block->escapeHtml(__('Warning')) ?></strong>
+        <?= $block->escapeHtml(__(': You are about to set max session size in storefront to be lower than recommended default session size. Low max session size in storefront could break storefront functionalities such as customer login. Are you sure you want to make this change?')) ?>
+    </p>
+</div>

app/code/Magento/Security/view/adminhtml/web/js/system/config/session-size.js

@@ -0,0 +1,58 @@
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+define([
+    'jquery',
+    'mage/translate',
+    'Magento_Ui/js/modal/confirm',
+    'domReady!'
+], function ($, $t, confirm) {
+    'use strict';
+
+    return function (config, inputEl) {
+        var $inputEl = $(inputEl);
+
+        $inputEl.on('blur', function () {
+            var inputVal = parseInt($inputEl.val(), 10);
+
+            if (256000 > inputVal) {
+                confirm({
+                    title: $t(config.modalTitleText),
+                    content: $t(config.modalContentBody),
+                    buttons: [{
+                        text: $t('No'),
+                        class: 'action-secondary action-dismiss',
+
+                        /**
+                         * Close modal and trigger 'cancel' action on click
+                         */
+                        click: function (event) {
+                            this.closeModal(event);
+                        }
+                    }, {
+                        text: $t('Yes'),
+                        class: 'action-primary action-accept',
+
+                        /**
+                         * Close modal and trigger 'confirm' action on click
+                         */
+                        click: function (event) {
+                            this.closeModal(event, true);
+                        }
+                    }],
+                    actions: {
+
+                        /**
+                         * Revert back to original value
+                         */
+                        cancel: function () {
+                            $inputEl.val(256000);
+                        }
+                    }
+                });
+            }
+        });
+    };
+});

app/code/Magento/Store/etc/di.xml

@@ -174,6 +174,11 @@
         <argument name="scopeType" xsi:type="const">Magento\Store\Model\ScopeInterface::SCOPE_STORE</argument>
         </arguments>
     </type>
+    <type name="Magento\Framework\Session\SessionMaxSizeConfig">
+        <arguments>
+            <argument name="scopeType" xsi:type="const">Magento\Store\Model\ScopeInterface::SCOPE_STORE</argument>
+        </arguments>
+    </type>
     <type name="Magento\Framework\Session\SidResolver">
         <arguments>
         <argument name="scopeType" xsi:type="const">Magento\Store\Model\ScopeInterface::SCOPE_STORE</argument>

app/etc/di.xml

@@ -1767,6 +1767,11 @@
             <argument name="scopeType" xsi:type="const">Magento\Framework\App\Config\ScopeConfigInterface::SCOPE_TYPE_DEFAULT</argument>
         </arguments>
     </type>
+    <type name="Magento\Framework\Session\SessionMaxSizeConfig">
+        <arguments>
+            <argument name="scopeType" xsi:type="const">Magento\Framework\App\Config\ScopeConfigInterface::SCOPE_TYPE_DEFAULT</argument>
+        </arguments>
+    </type>
     <virtualType name="CsrfRequestValidator" type="Magento\Framework\App\Request\CsrfValidator" />
     <virtualType name="RequestValidator" type="Magento\Framework\App\Request\CompositeValidator">
         <arguments>