diff options
author | Andrey Andreev <narf@devilix.net> | 2021-03-24 12:26:50 +0100 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2021-03-24 12:26:50 +0100 |
commit | 0286ab3513ade8681a7172c78440a81059435e22 (patch) | |
tree | 5a3972c84c4ec5e6b088f36e43d58f53d7cb8bde /system | |
parent | e3810cb84d3fa341e3808d6aa9c3e18f8bda3305 (diff) |
[ci skip] Add SameSite=Strict to CSRF cookie
Diffstat (limited to 'system')
-rw-r--r-- | system/core/Security.php | 38 |
1 files changed, 29 insertions, 9 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index e1dc2a92f..f6b0407f8 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -272,15 +272,35 @@ class CI_Security { return FALSE; } - setcookie( - $this->_csrf_cookie_name, - $this->_csrf_hash, - $expire, - config_item('cookie_path'), - config_item('cookie_domain'), - $secure_cookie, - config_item('cookie_httponly') - ); + if (is_php('7.3')) + { + setcookie( + $this->_csrf_cookie_name, + $this->_csrf_hash, + array( + 'expires' => $expire, + 'path' => config_item('cookie_path'), + 'domain' => config_item('cookie_domain'), + 'secure' => $secure_cookie, + 'httponly' => config_item('cookie_httponly'), + 'samesite' => 'Strict' + ) + ); + } + else + { + $domain = trim(config_item('cookie_domain')); + header('Set-Cookie: '.$this->_csrf_cookie_name.'='.$this->_csrf_hash + .'; Expires='.gmdate('D, d-M-Y H:i:s T', $expire) + .'; Max-Age='.$this->_csrf_expire + .'; Path='.rawurlencode(config_item('cookie_path')) + .($domain === '' ? '' : '; Domain='.$domain) + .($secure_cookie ? '; Secure' : '') + .(config_item('cookie_httponly') ? '; HttpOnly' : '') + .'; SameSite=Strict' + ); + } + log_message('info', 'CSRF cookie sent'); return $this; |