From 4362b7d9f39189472950589ce47a483b6025f5e9 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 5 Jan 2022 17:52:40 +0200 Subject: Merge pull request #6025 from gxgpet/develop SameSite attribute implementation for CI_Input::set_cookie --- user_guide_src/source/changelog.rst | 1 + user_guide_src/source/libraries/input.rst | 21 ++++++++++++--------- 2 files changed, 13 insertions(+), 9 deletions(-) (limited to 'user_guide_src') diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 1fbb0116e..0c61136c3 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -16,6 +16,7 @@ Release Date: Not Released - Added method :doc:`Database Library ` method ``trans_active()`` to expose transaction state. - Updated :doc:`Database Library ` 'pdo' driver to attempt to free resources in order to allow connections to be closed. - Added ``SameSite=Strict`` attribute to the CSRF cookie sent by the :doc:`Security Class `. + - Added ``$config['cookie_samesite']`` option and ``$samesite`` parameter to :doc:`Input Library ` method ``set_cookie()``. - Added a wrapper class around :doc:`Session ` drivers to deal with compatibility between PHP 8.1 and older versions. - Updated a lot of code for PHP 8.0 and 8.1 compatibility. diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst index 300f47112..3dc734c12 100644 --- a/user_guide_src/source/libraries/input.rst +++ b/user_guide_src/source/libraries/input.rst @@ -285,7 +285,7 @@ Class Reference This method is identical to ``get()``, ``post()`` and ``cookie()``, only it fetches the *php://input* stream data. - .. php:method:: set_cookie($name = ''[, $value = ''[, $expire = ''[, $domain = ''[, $path = '/'[, $prefix = ''[, $secure = NULL[, $httponly = NULL]]]]]]]) + .. php:method:: set_cookie($name = ''[, $value = ''[, $expire = ''[, $domain = ''[, $path = '/'[, $prefix = ''[, $secure = NULL[, $httponly = NULL[, $samesite = NULL]]]]]]]]) :param mixed $name: Cookie name or an array of parameters :param string $value: Cookie value @@ -295,6 +295,7 @@ Class Reference :param string $prefix: Cookie name prefix :param bool $secure: Whether to only transfer the cookie through HTTPS :param bool $httponly: Whether to only make the cookie accessible for HTTP requests (no JavaScript) + :param string $samesite: SameSite attribute ('Lax', 'Strict', 'None') :rtype: void @@ -308,13 +309,14 @@ Class Reference parameter:: $cookie = array( - 'name' => 'The Cookie Name', - 'value' => 'The Value', - 'expire' => '86500', - 'domain' => '.some-domain.com', - 'path' => '/', - 'prefix' => 'myprefix_', - 'secure' => TRUE + 'name' => 'The Cookie Name', + 'value' => 'The Value', + 'expire' => 86500, + 'domain' => '.some-domain.com', + 'path' => '/', + 'prefix' => 'myprefix_', + 'secure' => TRUE, + 'samesite' => 'Strict' ); $this->input->set_cookie($cookie); @@ -340,13 +342,14 @@ Class Reference The *httponly* and *secure* flags, when omitted, will default to your ``$config['cookie_httponly']`` and ``$config['cookie_secure']`` settings. + The *samesite* parameter can be ``'Lax'``, ``'Strict'`` or ``'None'``. If not set, the same-site cookie attribute will default to ``'Lax'``. **Discrete Parameters** If you prefer, you can set the cookie by passing data using individual parameters:: - $this->input->set_cookie($name, $value, $expire, $domain, $path, $prefix, $secure); + $this->input->set_cookie($name, $value, $expire, $domain, $path, $prefix, $secure, $samesite); .. php:method:: ip_address() -- cgit v1.2.3-24-g4f1b From 1a2651040ef701e750b1c13cd69cc70814b079d0 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 5 Jan 2022 18:52:24 +0200 Subject: Add SameSite cookie support to Session library --- user_guide_src/source/changelog.rst | 1 + user_guide_src/source/libraries/sessions.rst | 2 ++ 2 files changed, 3 insertions(+) (limited to 'user_guide_src') diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 0c61136c3..0e347f891 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -17,6 +17,7 @@ Release Date: Not Released - Updated :doc:`Database Library ` 'pdo' driver to attempt to free resources in order to allow connections to be closed. - Added ``SameSite=Strict`` attribute to the CSRF cookie sent by the :doc:`Security Class `. - Added ``$config['cookie_samesite']`` option and ``$samesite`` parameter to :doc:`Input Library ` method ``set_cookie()``. + - Added ``SameSite`` support through ``$config['sess_samesite']`` option to the :doc:`Session Library `. - Added a wrapper class around :doc:`Session ` drivers to deal with compatibility between PHP 8.1 and older versions. - Updated a lot of code for PHP 8.0 and 8.1 compatibility. diff --git a/user_guide_src/source/libraries/sessions.rst b/user_guide_src/source/libraries/sessions.rst index 994dc2e08..ced4463d0 100644 --- a/user_guide_src/source/libraries/sessions.rst +++ b/user_guide_src/source/libraries/sessions.rst @@ -438,6 +438,8 @@ Preference Default Options ============================ =============== ======================================== ============================================================================================ **sess_driver** files files/database/redis/memcached/*custom* The session storage driver to use. **sess_cookie_name** ci_session [A-Za-z\_-] characters only The name used for the session cookie. +**sess_samesite** ci_session 'Lax', 'Strict' or 'None' SameSite attribute value for session cookies. + Defaults to ``session.cookie_samesite`` on PHP 7.3+ or 'Lax' if not present at all. **sess_expiration** 7200 (2 hours) Time in seconds (integer) The number of seconds you would like the session to last. If you would like a non-expiring session (until browser is closed) set the value to zero: 0 **sess_save_path** NULL None Specifies the storage location, depends on the driver being used. -- cgit v1.2.3-24-g4f1b