From 0286ab3513ade8681a7172c78440a81059435e22 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Wed, 24 Mar 2021 13:26:50 +0200
Subject: [ci skip] Add SameSite=Strict to CSRF cookie

---
 system/core/Security.php | 38 ++++++++++++++++++++++++++++---------
 user_guide_src/source/changelog.rst | 1 +
 2 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/system/core/Security.php b/system/core/Security.php
index e1dc2a92f..f6b0407f8 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -272,15 +272,35 @@ class CI_Security {
 return FALSE;
 }
- setcookie(
- $this->_csrf_cookie_name,
- $this->_csrf_hash,
- $expire,
- config_item('cookie_path'),
- config_item('cookie_domain'),
- $secure_cookie,
- config_item('cookie_httponly')
- );
+ if (is_php('7.3'))
+ {
+ setcookie(
+ $this->_csrf_cookie_name,
+ $this->_csrf_hash,
+ array(
+ 'expires' => $expire,
+ 'path' => config_item('cookie_path'),
+ 'domain' => config_item('cookie_domain'),
+ 'secure' => $secure_cookie,
+ 'httponly' => config_item('cookie_httponly'),
+ 'samesite' => 'Strict'
+ )
+ );
+ }
+ else
+ {
+ $domain = trim(config_item('cookie_domain'));
+ header('Set-Cookie: '.$this->_csrf_cookie_name.'='.$this->_csrf_hash
+ .'; Expires='.gmdate('D, d-M-Y H:i:s T', $expire)
+ .'; Max-Age='.$this->_csrf_expire
+ .'; Path='.rawurlencode(config_item('cookie_path'))
+ .($domain === '' ? '' : '; Domain='.$domain)
+ .($secure_cookie ? '; Secure' : '')
+ .(config_item('cookie_httponly') ? '; HttpOnly' : '')
+ .'; SameSite=Strict'
+ );
+ }
+
 log_message('info', 'CSRF cookie sent');
 return $this;
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 4c081ad84..812016050 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
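Review bot: In the pre-7.3 branch, `rawurlencode(config_item('cookie_path'))` turns the default path `/` into `%2F`, so the header carries `Path=%2F`; a Path value that does not start with `/` is ignored by browsers (RFC 6265 §5.2.4) and the CSRF cookie ends up scoped to the requesting directory rather than the whole site, whereas the 7.3 branch hands the path to setcookie() unencoded. PHP's own setcookie() only rejects invalid characters in the path and never percent-encodes it, so the line should read `.'; Path='.config_item('cookie_path')`. Separately, header()'s replace argument defaults to TRUE, which as far as I know drops any Set-Cookie header already queued for this response (for example a session cookie sent via setcookie() a moment earlier); passing FALSE as the second argument of header() avoids that. The start of csrf_set_cookie() and its closing brace lie outside the hunk.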
@@ -15,6 +15,7 @@ Release Date: Not Released
 - Added support for detecting WebP image type to :doc:`File Uploading Library `.
 - Added method :doc:`Database Library ` method ``trans_active()`` to expose transaction state.
 - Updated :doc:`Database Library ` 'pdo' driver to attempt to free resources in order to allow connections to be closed.
+ - Added ``SameSite=Strict`` attribute to the CSRF cookie sent by the :doc:`Security Class `.
 Bug fixes for 3.1.12
 ====================
--
cgit v1.2.3-24-g4f1b