authorGeorge Petculescu <gxgpet@gmail.com>2021-03-14 00:56:30 +0100
committerGeorge Petculescu <gxgpet@gmail.com>2021-03-14 00:56:30 +0100
commit2abda9049a8d006673204f56f4680526232b2360 (patch)
tree9021e8255171fd834fdad24f0e3892aaba5dfb68
parentcd192363f777731e8f382fe7288a44183a448213 (diff)
Dropping the possibility that the SameSite cookie attribute won't be sent; defaults to Lax; all SameSite values are ucfirst'ed; log for SameSite=None non-secure cookies
-rw-r--r--application/config/config.php2
-rw-r--r--system/core/Input.php18
-rw-r--r--user_guide_src/source/libraries/input.rst4
3 files changed, 13 insertions, 11 deletions
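--- a/application/config/config.php
+++ b/application/config/config.php
@@ -396,7 +396,7 @@ $config['cookie_domain'] = '';
 $config['cookie_path'] = '/';
 $config['cookie_secure'] = FALSE;
 $config['cookie_httponly'] = FALSE;
-$config['cookie_samesite'] = 'lax';
+$config['cookie_samesite'] = 'Lax';
 /*
 |--------------------------------------------------------------------------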
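--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -300,7 +300,7 @@ class CI_Input {
 * @param string $prefix Cookie name prefix
 * @param bool $secure Whether to only transfer cookies via SSL
 * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript)
- * @param string $samesite SameSite attribute. NULL will avoid sending the attribute
+ * @param string $samesite SameSite attribute
 * @return void
 */
 public function set_cookie($name, $value = '', $expire = 0, $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL, $samesite = NULL)
@@ -349,24 +349,26 @@ class CI_Input {
 $expire = ($expire > 0) ? time() + $expire : 0;
 }
- if ($samesite === NULL && config_item('cookie_samesite') !== NULL)
+ isset($samesite) OR $samesite = config_item('cookie_samesite');
+ if (isset($samesite))
 {
- $samesite = strtolower(config_item('cookie_samesite'));
+ $samesite = ucfirst(strtolower($samesite));
+ in_array($samesite, array('Lax', 'Strict', 'None'), TRUE) OR $samesite = 'Lax';
 }
- elseif ($samesite !== NULL)
+ else
 {
- $samesite = strtolower($samesite);
+ $samesite = 'Lax';
 }
- if ( ! in_array($samesite, array('lax', 'strict', 'none', NULL), TRUE))
+ if ($samesite === 'None' && !$secure)
 {
- $samesite = NULL;
+ log_message('error', $name.' is a non-secure cookie sent with SameSite=None. It can be discarded by the browser.');
 }
 $cookie_header = 'Set-Cookie: '.$prefix.$name.'='.rawurlencode($value);
 $cookie_header .= ($expire === 0 ? '' : '; expires='.gmdate('D, d-M-Y H:i:s T', $expire));
 $cookie_header .= '; path='.$path.($domain !== '' ? '; domain='.$domain : '');
- $cookie_header .= ($secure ? '; secure' : '').($httponly ? '; HttpOnly' : '').($samesite !== NULL ? '; SameSite='.$samesite : '');
+ $cookie_header .= ($secure ? '; secure' : '').($httponly ? '; HttpOnly' : '').'; SameSite='.$samesite;
 header($cookie_header);
 }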
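Review bot: An unrecognised `$samesite` value is silently rewritten to 'Lax' by `in_array($samesite, array('Lax', 'Strict', 'None'), TRUE) OR $samesite = 'Lax';` in the second hunk, while the SameSite=None/non-secure case right below it gets a log entry, so a misspelled `$config['cookie_samesite']` changes the attribute actually sent without any trace in the logs. I would replace that one-liner with an `if ( ! in_array(...))` block that calls `log_message('error', ...)` naming the rejected value before assigning 'Lax'. The new log message also reports `$name`, but the cookie emitted a few lines later is `$prefix.$name`; logging `$prefix.$name` lets the operator find the cookie the browser will actually discard. The docblock change in the first hunk could carry the contract the .rst now documents: `@param string $samesite SameSite attribute ('Lax', 'Strict' or 'None'); defaults to $config['cookie_samesite'], any other value falls back to 'Lax'`. The body of set_cookie begins before the second hunk, where `$secure` is presumably resolved from `$config['cookie_secure']`, so the `!$secure` test depends on that earlier code.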
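--- a/user_guide_src/source/libraries/input.rst
+++ b/user_guide_src/source/libraries/input.rst
@@ -252,7 +252,7 @@ Class Reference
 :param string $prefix: Cookie name prefix
 :param bool $secure: Whether to only transfer the cookie through HTTPS
 :param bool $httponly: Whether to only make the cookie accessible for HTTP requests (no JavaScript)
- :param string $samesite: Cookie's SameSite attribute ('lax', 'strict', 'none' or NULL)
+ :param string $samesite: Cookie's SameSite attribute ('Lax', 'Strict', 'None')
 :rtype: void
@@ -299,7 +299,7 @@ Class Reference
 The *httponly* and *secure* flags, when omitted, will default to your
 ``$config['cookie_httponly']`` and ``$config['cookie_secure']`` settings.
- The *samesite* parameter can be ``'lax'``, ``'strict'``, ``'none'`` or ``NULL``. When ``NULL``, the same-site cookie attribute is not set at all.
+ The *samesite* parameter can be ``'Lax'``, ``'Strict'`` or ``'None'``. If not set, the same-site cookie attribute will default to ``'Lax'``.
 **Discrete Parameters**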