Merge branch '3.1-stable' into develop

1 files changed, 67 insertions, 16 deletions

diff --git a/system/libraries/Session/Session.php b/system/libraries/Session/Session.php
index 6479d7242..f370f7f19 100644
--- a/system/libraries/Session/Session.php
+++ b/system/libraries/Session/Session.php
@@ -154,15 +154,36 @@ class CI_Session {
 		// unless it is being currently created or regenerated
 		elseif (isset($_COOKIE[$this->_config['cookie_name']]) && $_COOKIE[$this->_config['cookie_name']] === session_id())
 		{
-			setcookie(
-				$this->_config['cookie_name'],
-				session_id(),
-				(empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']),
-				$this->_config['cookie_path'],
-				$this->_config['cookie_domain'],
-				$this->_config['cookie_secure'],
-				TRUE
-			);
+			$expires = empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime'];
+			if (is_php('7.3'))
+			{
+				setcookie(
+					$this->_config['cookie_name'],
+					session_id(),
+					array(
+						'expires' => $expires,
+						'path' => $this->_config['cookie_path'],
+						'domain' => $this->_config['cookie_domain'],
+						'secure' => $this->_config['cookie_secure'],
+						'httponly' => TRUE,
+						'samesite' => $this->_config['cookie_samesite']
+					)
+				);
+			}
+			else
+			{
+				$header = 'Set-Cookie: '.$this->_config['cookie_name'].'='.session_id();
+				$header .= empty($expires) ? '' : '; Expires='.gmdate('D, d-M-Y H:i:s T', $expires).'; Max-Age='.$this->_config['cookie_lifetime'];
+				$header .= '; Path='.$this->_config['cookie_path'];
+				$header .= ($this->_config['cookie_domain'] !== '' ? '; Domain='.$this->_config['cookie_domain'] : '');
+				$header .= ($this->_config['cookie_secure'] ? '; Secure' : '').'; HttpOnly; SameSite='.$this->_config['cookie_samesite'];
+				header($header);
+			}
+
+			if ( ! $this->_config['cookie_secure'] && $this->_config['cookie_samesite'] === 'None')
+			{
+				log_message('error', 'Session:', $this->_config['cookie_name'].' cookie sent with SameSite=None, but without Secure attribute.');
+			}
 		}
 
 		$this->_ci_init_vars();
@@ -281,13 +302,43 @@ class CI_Session {
 		isset($params['cookie_domain']) OR $params['cookie_domain'] = config_item('cookie_domain');
 		isset($params['cookie_secure']) OR $params['cookie_secure'] = (bool) config_item('cookie_secure');
 
-		session_set_cookie_params(
-			$params['cookie_lifetime'],
-			$params['cookie_path'],
-			$params['cookie_domain'],
-			$params['cookie_secure'],
-			TRUE // HttpOnly; Yes, this is intentional and not configurable for security reasons
-		);
+		isset($params['cookie_samesite']) OR $params['cookie_samesite'] = config_item('sess_samesite');
+		if ( ! isset($params['cookie_samesite']) && is_php('7.3'))
+		{
+			$params['cookie_samesite'] = ini_get('session.cookie_samesite');
+		}
+
+		if (isset($params['cookie_samesite']))
+		{
+			$params['cookie_samesite'] = ucfirst(strtolower($params['cookie_samesite']));
+			in_array($params['cookie_samesite'], array('Lax', 'Strict', 'None'), TRUE) OR $params['cookie_samesite'] = 'Lax';
+		}
+		else
+		{
+			$params['cookie_samesite'] = 'Lax';
+		}
+
+		if (is_php('7.3'))
+		{
+			session_set_cookie_params(array(
+				'lifetime' => $params['cookie_lifetime'],
+				'path'     => $params['cookie_path'],
+				'domain'   => $params['cookie_domain'],
+				'secure'   => $params['cookie_secure'],
+				'httponly' => $params['cookie_httponly'],
+				'samesite' => $params['cookie_samesite']
+			));
+		}
+		else
+		{
+			session_set_cookie_params(
+				$params['cookie_lifetime'],
+				$params['cookie_path'],
+				$params['cookie_domain'],
+				$params['cookie_secure'],
+				TRUE // HttpOnly; Yes, this is intentional and not configurable for security reasons
+			);
+		}
 
 		if (empty($expiration))
 		{