summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2022-01-05 16:52:40 +0100
committerAndrey Andreev <narf@devilix.net>2022-01-05 16:58:34 +0100
commit4362b7d9f39189472950589ce47a483b6025f5e9 (patch)
tree191cc7a930af06b7b4b536a173ac155b581afb73
parent22f4f5079b9fdf9090add2ac728fafd91a24ed2f (diff)
Merge pull request #6025 from gxgpet/develop
SameSite attribute implementation for CI_Input::set_cookie
-rw-r--r--application/config/config.php2
-rw-r--r--system/core/Input.php42
-rw-r--r--user_guide_src/source/changelog.rst1
-rw-r--r--user_guide_src/source/libraries/input.rst21
4 files changed, 54 insertions, 12 deletions
diff --git a/application/config/config.php b/application/config/config.php
index 9ab8248e3..161b95699 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -397,6 +397,7 @@ $config['sess_regenerate_destroy'] = FALSE;
| 'cookie_path' = Typically will be a forward slash
| 'cookie_secure' = Cookie will only be set if a secure HTTPS connection exists.
| 'cookie_httponly' = Cookie will only be accessible via HTTP(S) (no javascript)
+| 'cookie_samesite' = Cookie's samesite attribute (Lax, Strict or None)
|
| Note: These settings (with the exception of 'cookie_prefix' and
| 'cookie_httponly') will also affect sessions.
@@ -407,6 +408,7 @@ $config['cookie_domain'] = '';
$config['cookie_path'] = '/';
$config['cookie_secure'] = FALSE;
$config['cookie_httponly'] = FALSE;
+$config['cookie_samesite'] = 'Lax';
/*
|--------------------------------------------------------------------------
diff --git a/system/core/Input.php b/system/core/Input.php
index c3a0a9094..7205a7aa2 100644
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -357,14 +357,15 @@ class CI_Input {
* @param string $prefix Cookie name prefix
* @param bool $secure Whether to only transfer cookies via SSL
* @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript)
+ * @param string $samesite SameSite attribute
* @return void
*/
- public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL)
+ public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL, $samesite = NULL)
{
if (is_array($name))
{
// always leave 'name' in last place, as the loop will break otherwise, due to $$item
- foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item)
+ foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name', 'samesite') as $item)
{
if (isset($name[$item]))
{
@@ -405,7 +406,42 @@ class CI_Input {
$expire = ($expire > 0) ? time() + $expire : 0;
}
- setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly);
+ isset($samesite) OR $samesite = config_item('cookie_samesite');
+ if (isset($samesite))
+ {
+ $samesite = ucfirst(strtolower($samesite));
+ in_array($samesite, array('Lax', 'Strict', 'None'), TRUE) OR $samesite = 'Lax';
+ }
+ else
+ {
+ $samesite = 'Lax';
+ }
+
+ if ($samesite === 'None' && ! $secure)
+ {
+ log_message('error', $name.' cookie sent with SameSite=None, but without Secure attribute.');
+ }
+
+ if (is_php('7.3'))
+ {
+ $setcookie_options = array(
+ 'expires' => $expire,
+ 'path' => $path,
+ 'domain' => $domain,
+ 'secure' => $secure,
+ 'httponly' => $httponly,
+ 'samesite' => $samesite,
+ );
+ setcookie($prefix.$name, $value, $setcookie_options);
+ }
+ else
+ {
+ $cookie_header = 'Set-Cookie: '.$prefix.$name.'='.rawurlencode($value);
+ $cookie_header .= ($expire === 0 ? '' : '; expires='.gmdate('D, d-M-Y H:i:s T', $expire));
+ $cookie_header .= '; path='.$path.($domain !== '' ? '; domain='.$domain : '');
+ $cookie_header .= ($secure ? '; secure' : '').($httponly ? '; HttpOnly' : '').'; SameSite='.$samesite;
+ header($cookie_header);
+ }
}
// --------------------------------------------------------------------
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 1fbb0116e..0c61136c3 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -16,6 +16,7 @@ Release Date: Not Released
- Added method :doc:`Database Library <database/index>` method ``trans_active()`` to expose transaction state.
- Updated :doc:`Database Library <database/index>` 'pdo' driver to attempt to free resources in order to allow connections to be closed.
- Added ``SameSite=Strict`` attribute to the CSRF cookie sent by the :doc:`Security Class <libraries/security>`.
+ - Added ``$config['cookie_samesite']`` option and ``$samesite`` parameter to :doc:`Input Library <libraries/input>` method ``set_cookie()``.
- Added a wrapper class around :doc:`Session <libraries/sessions>` drivers to deal with compatibility between PHP 8.1 and older versions.
- Updated a lot of code for PHP 8.0 and 8.1 compatibility.
diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst
index 300f47112..3dc734c12 100644
--- a/user_guide_src/source/libraries/input.rst
+++ b/user_guide_src/source/libraries/input.rst
@@ -285,7 +285,7 @@ Class Reference
This method is identical to ``get()``, ``post()`` and ``cookie()``,
only it fetches the *php://input* stream data.
- .. php:method:: set_cookie($name = ''[, $value = ''[, $expire = ''[, $domain = ''[, $path = '/'[, $prefix = ''[, $secure = NULL[, $httponly = NULL]]]]]]])
+ .. php:method:: set_cookie($name = ''[, $value = ''[, $expire = ''[, $domain = ''[, $path = '/'[, $prefix = ''[, $secure = NULL[, $httponly = NULL[, $samesite = NULL]]]]]]]])
:param mixed $name: Cookie name or an array of parameters
:param string $value: Cookie value
@@ -295,6 +295,7 @@ Class Reference
:param string $prefix: Cookie name prefix
:param bool $secure: Whether to only transfer the cookie through HTTPS
:param bool $httponly: Whether to only make the cookie accessible for HTTP requests (no JavaScript)
+ :param string $samesite: SameSite attribute ('Lax', 'Strict', 'None')
:rtype: void
@@ -308,13 +309,14 @@ Class Reference
parameter::
$cookie = array(
- 'name' => 'The Cookie Name',
- 'value' => 'The Value',
- 'expire' => '86500',
- 'domain' => '.some-domain.com',
- 'path' => '/',
- 'prefix' => 'myprefix_',
- 'secure' => TRUE
+ 'name' => 'The Cookie Name',
+ 'value' => 'The Value',
+ 'expire' => 86500,
+ 'domain' => '.some-domain.com',
+ 'path' => '/',
+ 'prefix' => 'myprefix_',
+ 'secure' => TRUE,
+ 'samesite' => 'Strict'
);
$this->input->set_cookie($cookie);
@@ -340,13 +342,14 @@ Class Reference
The *httponly* and *secure* flags, when omitted, will default to your
``$config['cookie_httponly']`` and ``$config['cookie_secure']`` settings.
+ The *samesite* parameter can be ``'Lax'``, ``'Strict'`` or ``'None'``. If not set, the same-site cookie attribute will default to ``'Lax'``.
**Discrete Parameters**
If you prefer, you can set the cookie by passing data using individual
parameters::
- $this->input->set_cookie($name, $value, $expire, $domain, $path, $prefix, $secure);
+ $this->input->set_cookie($name, $value, $expire, $domain, $path, $prefix, $secure, $samesite);
.. php:method:: ip_address()