Dropping the possibility that samesite cookie attribute won't be sent; defaults to Lax; all samesite values are ucfirst'ed; log for SameSite=None non-secure cookies

3 files changed, 13 insertions, 11 deletions

diff --git a/application/config/config.php b/application/config/config.php
index 4ffd83352..596f8fefe 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -396,7 +396,7 @@ $config['cookie_domain']	= '';
 $config['cookie_path']		= '/';
 $config['cookie_secure']	= FALSE;
 $config['cookie_httponly'] 	= FALSE;
-$config['cookie_samesite'] 	= 'lax';
+$config['cookie_samesite'] 	= 'Lax';
 
 /*
 |--------------------------------------------------------------------------
diff --git a/system/core/Input.php b/system/core/Input.php
index d397850b7..9bde8a4f6 100644
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -300,7 +300,7 @@ class CI_Input {
 	 * @param	string		$prefix		Cookie name prefix
 	 * @param	bool		$secure		Whether to only transfer cookies via SSL
 	 * @param	bool		$httponly	Whether to only makes the cookie accessible via HTTP (no javascript)
-	 * @param	string		$samesite	SameSite attribute. NULL will avoid sending the attribute
+	 * @param	string		$samesite	SameSite attribute
 	 * @return	void
 	 */
 	public function set_cookie($name, $value = '', $expire = 0, $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL, $samesite = NULL)
@@ -349,24 +349,26 @@ class CI_Input {
 			$expire = ($expire > 0) ? time() + $expire : 0;
 		}
 
-		if ($samesite === NULL && config_item('cookie_samesite') !== NULL)
+		isset($samesite) OR $samesite = config_item('cookie_samesite');
+		if (isset($samesite))
 		{
-			$samesite = strtolower(config_item('cookie_samesite'));
+			$samesite = ucfirst(strtolower($samesite));
+			in_array($samesite, array('Lax', 'Strict', 'None'), TRUE) OR $samesite = 'Lax';
 		}
-		elseif ($samesite !== NULL)
+		else
 		{
-			$samesite = strtolower($samesite);
+			$samesite = 'Lax';
 		}
 
-		if ( ! in_array($samesite, array('lax', 'strict', 'none', NULL), TRUE))
+		if ($samesite === 'None' && !$secure)
 		{
-			$samesite = NULL;
+			log_message('error', $name.' is a non-secure cookie sent with SameSite=None. It can be discarded by the browser.');
 		}
 
 		$cookie_header = 'Set-Cookie: '.$prefix.$name.'='.rawurlencode($value);
 		$cookie_header .= ($expire === 0 ? '' : '; expires='.gmdate('D, d-M-Y H:i:s T', $expire));
 		$cookie_header .= '; path='.$path.($domain !== '' ? '; domain='.$domain : '');
-		$cookie_header .= ($secure ? '; secure' : '').($httponly ? '; HttpOnly' : '').($samesite !== NULL ? '; SameSite='.$samesite : '');
+		$cookie_header .= ($secure ? '; secure' : '').($httponly ? '; HttpOnly' : '').'; SameSite='.$samesite;
 		header($cookie_header);
 	}
 
diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst
index 79c128afa..a9255fa87 100644
--- a/user_guide_src/source/libraries/input.rst
+++ b/user_guide_src/source/libraries/input.rst
@@ -252,7 +252,7 @@ Class Reference
 		:param	string	$prefix: Cookie name prefix
 		:param	bool	$secure: Whether to only transfer the cookie through HTTPS
 		:param	bool	$httponly: Whether to only make the cookie accessible for HTTP requests (no JavaScript)
-		:param	string	$samesite: Cookie's SameSite attribute ('lax', 'strict', 'none' or NULL)
+		:param	string	$samesite: Cookie's SameSite attribute ('Lax', 'Strict', 'None')
 		:rtype:	void
 
 
@@ -299,7 +299,7 @@ Class Reference
 
 		The *httponly* and *secure* flags, when omitted, will default to your
 		``$config['cookie_httponly']`` and ``$config['cookie_secure']`` settings.
-		The *samesite* parameter can be ``'lax'``, ``'strict'``, ``'none'`` or ``NULL``. When ``NULL``, the same-site cookie attribute is not set at all.
+		The *samesite* parameter can be ``'Lax'``, ``'Strict'`` or ``'None'``. If not set, the same-site cookie attribute will default to ``'Lax'``.
 
 		**Discrete Parameters**