Merge remote-tracking branch 'upstream/3.1-stable' into dev

Signed-off-by: Florian Pritz <bluewind@xinu.at>

1 files changed, 30 insertions, 10 deletions

diff --git a/system/core/Security.php b/system/core/Security.php
index e1dc2a92f..d1d4f8432 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -193,7 +193,7 @@ class CI_Security {
 			$this->_csrf_set_hash();
 		}
 
-		$this->charset = strtoupper(config_item('charset'));
+		$this->charset = strtoupper((string) config_item('charset'));
 
 		log_message('info', 'Security Class Initialized');
 	}
@@ -272,15 +272,35 @@ class CI_Security {
 			return FALSE;
 		}
 
-		setcookie(
-			$this->_csrf_cookie_name,
-			$this->_csrf_hash,
-			$expire,
-			config_item('cookie_path'),
-			config_item('cookie_domain'),
-			$secure_cookie,
-			config_item('cookie_httponly')
-		);
+		if (is_php('7.3'))
+		{
+			setcookie(
+				$this->_csrf_cookie_name,
+				$this->_csrf_hash,
+				array(
+					'expires'  => $expire,
+					'path'     => config_item('cookie_path'),
+					'domain'   => config_item('cookie_domain'),
+					'secure'   => $secure_cookie,
+					'httponly' => config_item('cookie_httponly'),
+					'samesite' => 'Strict'
+				)
+			);
+		}
+		else
+		{
+			$domain = trim(config_item('cookie_domain'));
+			header('Set-Cookie: '.$this->_csrf_cookie_name.'='.$this->_csrf_hash
+					.'; Expires='.gmdate('D, d-M-Y H:i:s T', $expire)
+					.'; Max-Age='.$this->_csrf_expire
+					.'; Path='.rawurlencode(config_item('cookie_path'))
+					.($domain === '' ? '' : '; Domain='.$domain)
+					.($secure_cookie ? '; Secure' : '')
+					.(config_item('cookie_httponly') ? '; HttpOnly' : '')
+					.'; SameSite=Strict'
+			);
+		}
+
 		log_message('info', 'CSRF cookie sent');
 
 		return $this;