authorAndrey Andreev <narf@devilix.net>2021-03-24 12:26:50 +0100
committerAndrey Andreev <narf@devilix.net>2021-03-24 12:26:50 +0100
commit0286ab3513ade8681a7172c78440a81059435e22 (patch)
tree5a3972c84c4ec5e6b088f36e43d58f53d7cb8bde
parente3810cb84d3fa341e3808d6aa9c3e18f8bda3305 (diff)
[ci skip] Add SameSite=Strict to CSRF cookie
-rw-r--r--system/core/Security.php38
-rw-r--r--user_guide_src/source/changelog.rst1
2 files changed, 30 insertions, 9 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index e1dc2a92f..f6b0407f8 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -272,15 +272,35 @@ class CI_Security {
return FALSE;
}
- setcookie(
- $this->_csrf_cookie_name,
- $this->_csrf_hash,
- $expire,
- config_item('cookie_path'),
- config_item('cookie_domain'),
- $secure_cookie,
- config_item('cookie_httponly')
- );
+ if (is_php('7.3'))
+ {
+ setcookie(
+ $this->_csrf_cookie_name,
+ $this->_csrf_hash,
+ array(
+ 'expires' => $expire,
+ 'path' => config_item('cookie_path'),
+ 'domain' => config_item('cookie_domain'),
+ 'secure' => $secure_cookie,
+ 'httponly' => config_item('cookie_httponly'),
+ 'samesite' => 'Strict'
+ )
+ );
+ }
+ else
+ {
+ $domain = trim(config_item('cookie_domain'));
+ header('Set-Cookie: '.$this->_csrf_cookie_name.'='.$this->_csrf_hash
+ .'; Expires='.gmdate('D, d-M-Y H:i:s T', $expire)
+ .'; Max-Age='.$this->_csrf_expire
+ .'; Path='.rawurlencode(config_item('cookie_path'))
+ .($domain === '' ? '' : '; Domain='.$domain)
+ .($secure_cookie ? '; Secure' : '')
+ .(config_item('cookie_httponly') ? '; HttpOnly' : '')
+ .'; SameSite=Strict'
+ );
+ }
+
log_message('info', 'CSRF cookie sent');
return $this;
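Review bot: The pre-7.3 fallback calls header() with its default $replace = TRUE, so the hand-built Set-Cookie line discards any Set-Cookie header already queued for this response (e.g. one added earlier via setcookie()); pass FALSE as the second argument so the CSRF cookie is appended rather than substituted: change the closing `.'; SameSite=Strict'` / `);` to `.'; SameSite=Strict', FALSE);`. The two branches also handle the path differently — the fallback wraps it in rawurlencode() while the setcookie() branch passes it raw — which is worth a short comment or aligning so both produce the same Path attribute. Since 'Strict' is hard-coded in both branches, a one-line comment such as `// SameSite=Strict: the CSRF cookie is only needed on same-site requests` would document the choice for anyone who later expects a config switch. The enclosing method starts before this hunk.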
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 4c081ad84..812016050 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -15,6 +15,7 @@ Release Date: Not Released
- Added support for detecting WebP image type to :doc:`File Uploading Library <libraries/file_uploading>`.
- Added method :doc:`Database Library <database/index>` method ``trans_active()`` to expose transaction state.
- Updated :doc:`Database Library <database/index>` 'pdo' driver to attempt to free resources in order to allow connections to be closed.
+ - Added ``SameSite=Strict`` attribute to the CSRF cookie sent by the :doc:`Security Class <libraries/security>`.
Bug fixes for 3.1.12
====================