authorFlorian Pritz <bluewind@xinu.at>2022-01-09 11:31:26 +0100
committerFlorian Pritz <bluewind@xinu.at>2022-01-09 11:31:26 +0100
commit5fb561ed3d972659213de47cb67fdc094adfbc1e (patch)
treefebd9f7e45d93801c2207691532cad144a848179 /system/core/Security.php
parent82141c4baf5a1436b6eca8b1efa6e2bff3991179 (diff)
parentad57720c57c11620c77181655d637a5bfdbe2643 (diff)
Merge remote-tracking branch 'upstream/3.1-stable' into dev
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Diffstat (limited to 'system/core/Security.php')
-rw-r--r--system/core/Security.php40
1 files changed, 30 insertions, 10 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index e1dc2a92f..d1d4f8432 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -193,7 +193,7 @@ class CI_Security {
$this->_csrf_set_hash();
}
- $this->charset = strtoupper(config_item('charset'));
+ $this->charset = strtoupper((string) config_item('charset'));
log_message('info', 'Security Class Initialized');
}
@@ -272,15 +272,35 @@ class CI_Security {
return FALSE;
}
- setcookie(
- $this->_csrf_cookie_name,
- $this->_csrf_hash,
- $expire,
- config_item('cookie_path'),
- config_item('cookie_domain'),
- $secure_cookie,
- config_item('cookie_httponly')
- );
+ if (is_php('7.3'))
+ {
+ setcookie(
+ $this->_csrf_cookie_name,
+ $this->_csrf_hash,
+ array(
+ 'expires' => $expire,
+ 'path' => config_item('cookie_path'),
+ 'domain' => config_item('cookie_domain'),
+ 'secure' => $secure_cookie,
+ 'httponly' => config_item('cookie_httponly'),
+ 'samesite' => 'Strict'
+ )
+ );
+ }
+ else
+ {
+ $domain = trim(config_item('cookie_domain'));
+ header('Set-Cookie: '.$this->_csrf_cookie_name.'='.$this->_csrf_hash
+ .'; Expires='.gmdate('D, d-M-Y H:i:s T', $expire)
+ .'; Max-Age='.$this->_csrf_expire
+ .'; Path='.rawurlencode(config_item('cookie_path'))
+ .($domain === '' ? '' : '; Domain='.$domain)
+ .($secure_cookie ? '; Secure' : '')
+ .(config_item('cookie_httponly') ? '; HttpOnly' : '')
+ .'; SameSite=Strict'
+ );
+ }
+
log_message('info', 'CSRF cookie sent');
return $this;
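Review bot: The fallback `header('Set-Cookie: …')` call in the `else` branch uses header()'s default replace=TRUE, which removes every Set-Cookie header already queued for this response (including ones queued via setcookie()), so on PHP < 7.3 any cookie set earlier in the request is silently dropped when the CSRF cookie is emitted; the call should end with `, FALSE);` so the header is appended rather than replacing. In the same branch, `.'; Path='.rawurlencode(config_item('cookie_path'))` turns `/` into `%2F`, which the setcookie() branch does not do and which browsers will not honour as a path (RFC 6265 falls back to the request's default path when the Path value does not begin with `/`), so the two branches produce cookies of different scope; use `.'; Path='.config_item('cookie_path')` instead. Hard-coding `SameSite=Strict` is defensible for a CSRF token, but if the config already exposes a cookie_samesite item (not visible here) it would be worth honouring it so the CSRF and session cookies agree. The enclosing csrf_set_cookie() method starts before this hunk.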