diff options
-rw-r--r-- | application/config/config.php | 2 | ||||
-rw-r--r-- | system/core/Input.php | 18 | ||||
-rw-r--r-- | user_guide_src/source/libraries/input.rst | 4 |
3 files changed, 13 insertions, 11 deletions
diff --git a/application/config/config.php b/application/config/config.php index 4ffd83352..596f8fefe 100644 --- a/application/config/config.php +++ b/application/config/config.php @@ -396,7 +396,7 @@ $config['cookie_domain'] = ''; $config['cookie_path'] = '/'; $config['cookie_secure'] = FALSE; $config['cookie_httponly'] = FALSE; -$config['cookie_samesite'] = 'lax'; +$config['cookie_samesite'] = 'Lax'; /* |-------------------------------------------------------------------------- diff --git a/system/core/Input.php b/system/core/Input.php index d397850b7..9bde8a4f6 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -300,7 +300,7 @@ class CI_Input { * @param string $prefix Cookie name prefix * @param bool $secure Whether to only transfer cookies via SSL * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript) - * @param string $samesite SameSite attribute. NULL will avoid sending the attribute + * @param string $samesite SameSite attribute * @return void */ public function set_cookie($name, $value = '', $expire = 0, $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL, $samesite = NULL) @@ -349,24 +349,26 @@ class CI_Input { $expire = ($expire > 0) ? time() + $expire : 0; } - if ($samesite === NULL && config_item('cookie_samesite') !== NULL) + isset($samesite) OR $samesite = config_item('cookie_samesite'); + if (isset($samesite)) { - $samesite = strtolower(config_item('cookie_samesite')); + $samesite = ucfirst(strtolower($samesite)); + in_array($samesite, array('Lax', 'Strict', 'None'), TRUE) OR $samesite = 'Lax'; } - elseif ($samesite !== NULL) + else { - $samesite = strtolower($samesite); + $samesite = 'Lax'; } - if ( ! in_array($samesite, array('lax', 'strict', 'none', NULL), TRUE)) + if ($samesite === 'None' && !$secure) { - $samesite = NULL; + log_message('error', $name.' is a non-secure cookie sent with SameSite=None. It can be discarded by the browser.'); } $cookie_header = 'Set-Cookie: '.$prefix.$name.'='.rawurlencode($value); $cookie_header .= ($expire === 0 ? '' : '; expires='.gmdate('D, d-M-Y H:i:s T', $expire)); $cookie_header .= '; path='.$path.($domain !== '' ? '; domain='.$domain : ''); - $cookie_header .= ($secure ? '; secure' : '').($httponly ? '; HttpOnly' : '').($samesite !== NULL ? '; SameSite='.$samesite : ''); + $cookie_header .= ($secure ? '; secure' : '').($httponly ? '; HttpOnly' : '').'; SameSite='.$samesite; header($cookie_header); } diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst index 79c128afa..a9255fa87 100644 --- a/user_guide_src/source/libraries/input.rst +++ b/user_guide_src/source/libraries/input.rst @@ -252,7 +252,7 @@ Class Reference :param string $prefix: Cookie name prefix :param bool $secure: Whether to only transfer the cookie through HTTPS :param bool $httponly: Whether to only make the cookie accessible for HTTP requests (no JavaScript) - :param string $samesite: Cookie's SameSite attribute ('lax', 'strict', 'none' or NULL) + :param string $samesite: Cookie's SameSite attribute ('Lax', 'Strict', 'None') :rtype: void @@ -299,7 +299,7 @@ Class Reference The *httponly* and *secure* flags, when omitted, will default to your ``$config['cookie_httponly']`` and ``$config['cookie_secure']`` settings. - The *samesite* parameter can be ``'lax'``, ``'strict'``, ``'none'`` or ``NULL``. When ``NULL``, the same-site cookie attribute is not set at all. + The *samesite* parameter can be ``'Lax'``, ``'Strict'`` or ``'None'``. If not set, the same-site cookie attribute will default to ``'Lax'``. **Discrete Parameters** |