diff options
| author | Andrey Andreev <narf@devilix.net> | 2021-03-24 12:26:50 +0100 |
|---|---|---|
| committer | Andrey Andreev <narf@devilix.net> | 2021-03-24 12:26:50 +0100 |
| commit | 0286ab3513ade8681a7172c78440a81059435e22 (patch) | |
| tree | 5a3972c84c4ec5e6b088f36e43d58f53d7cb8bde | |
| parent | e3810cb84d3fa341e3808d6aa9c3e18f8bda3305 (diff) | |
[ci skip] Add SameSite=Strict to CSRF cookie
| -rw-r--r-- | system/core/Security.php | 38 | ||||
| -rw-r--r-- | user_guide_src/source/changelog.rst | 1 |
2 files changed, 30 insertions, 9 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index e1dc2a92f..f6b0407f8 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -272,15 +272,35 @@ class CI_Security { return FALSE; } - setcookie( - $this->_csrf_cookie_name, - $this->_csrf_hash, - $expire, - config_item('cookie_path'), - config_item('cookie_domain'), - $secure_cookie, - config_item('cookie_httponly') - ); + if (is_php('7.3')) + { + setcookie( + $this->_csrf_cookie_name, + $this->_csrf_hash, + array( + 'expires' => $expire, + 'path' => config_item('cookie_path'), + 'domain' => config_item('cookie_domain'), + 'secure' => $secure_cookie, + 'httponly' => config_item('cookie_httponly'), + 'samesite' => 'Strict' + ) + ); + } + else + { + $domain = trim(config_item('cookie_domain')); + header('Set-Cookie: '.$this->_csrf_cookie_name.'='.$this->_csrf_hash + .'; Expires='.gmdate('D, d-M-Y H:i:s T', $expire) + .'; Max-Age='.$this->_csrf_expire + .'; Path='.rawurlencode(config_item('cookie_path')) + .($domain === '' ? '' : '; Domain='.$domain) + .($secure_cookie ? '; Secure' : '') + .(config_item('cookie_httponly') ? '; HttpOnly' : '') + .'; SameSite=Strict' + ); + } + log_message('info', 'CSRF cookie sent'); return $this; diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 4c081ad84..812016050 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -15,6 +15,7 @@ Release Date: Not Released - Added support for detecting WebP image type to :doc:`File Uploading Library <libraries/file_uploading>`. - Added method :doc:`Database Library <database/index>` method ``trans_active()`` to expose transaction state. - Updated :doc:`Database Library <database/index>` 'pdo' driver to attempt to free resources in order to allow connections to be closed. + - Added ``SameSite=Strict`` attribute to the CSRF cookie sent by the :doc:`Security Class <libraries/security>`. Bug fixes for 3.1.12 ==================== |