Only send samesite cookies 17075/head
authorRoeland Jago Douma <roeland@famdouma.nl>
Mon, 9 Sep 2019 19:29:58 +0000 (21:29 +0200)
committerRoeland Jago Douma <roeland@famdouma.nl>
Thu, 6 Feb 2020 14:24:35 +0000 (15:24 +0100)
This makes the last remaining two cookies lax. The session cookie
itself. And the session password as well (on php 7.3 that is). Samesite
cookies are the best cookies!

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
lib/private/Session/CryptoWrapper.php
lib/private/Session/Internal.php

index bbaa907b268b7539ea3abedac4f157f263ab1a05..b9dbc90edd6198ced1f09ff78d5eece8866b5402 100644 (file)
@@ -86,7 +86,23 @@ class CryptoWrapper {
                                if($webRoot === '') {
                                        $webRoot = '/';
                                }
-                               setcookie(self::COOKIE_NAME, $this->passphrase, 0, $webRoot, '', $secureCookie, true);
+
+                               if (PHP_VERSION_ID < 70300) {
+                                       setcookie(self::COOKIE_NAME, $this->passphrase, 0, $webRoot, '', $secureCookie, true);
+                               } else {
+                                       setcookie(
+                                               self::COOKIE_NAME,
+                                               $this->passphrase,
+                                               [
+                                                       'expires' => 0,
+                                                       'path' => $webRoot,
+                                                       'domain' => '',
+                                                       'secure' => $secureCookie,
+                                                       'httponly' => true,
+                                                       'samesite' => 'Lax',
+                                               ]
+                                       );
+                               }
                        }
                }
        }
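Review bot: The `samesite` attribute is only sent on the PHP >= 7.3 branch; the positional setcookie() call kept for older runtimes still sets the passphrase cookie without any SameSite value, and nothing in the code records that gap. A one-line comment above the version check would make it explicit, e.g. `// SameSite needs the array form of setcookie() (PHP >= 7.3); older runtimes still get the cookie, just without it.` The two branches also spell out the same five attributes (expires 0, path, empty domain, the secure flag, httponly) in different shapes, so a note that they must be kept in step would reduce drift when one of them is edited later. The enclosing method begins before this hunk.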
index d235e9eb50bb3519a33fb429b23dfa9a65ee149e..b9aae76c3b036129b632a52ab61a5ee597916492 100644 (file)
@@ -56,7 +56,7 @@ class Internal extends Session {
                set_error_handler([$this, 'trapError']);
                $this->invoke('session_name', [$name]);
                try {
-                       $this->invoke('session_start');
+                       $this->startSession();
                } catch (\Exception $e) {
                        setcookie($this->invoke('session_name'), '', -1, \OC::$WEBROOT ?: '/');
                }
@@ -106,7 +106,7 @@ class Internal extends Session {
        public function clear() {
                $this->invoke('session_unset');
                $this->regenerateId();
-               $this->invoke('session_start', [], true);
+               $this->startSession();
                $_SESSION = [];
        }
 
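Review bot: The replacement call in clear() drops the third argument (`true`) that the removed line passed to invoke(), and the new startSession() (added in the last hunk of this file) calls invoke() with only two arguments. invoke()'s definition is outside this hunk, but from the call shape that argument reads like a suppression flag, so session_start() inside clear() may now surface errors that were previously silenced; the other call site in the first hunk never passed it, so only clear() is affected. If the change is not intentional, startSession() could forward it: `private function startSession(bool $silence = false)` with `$this->invoke('session_start', [['cookie_samesite' => 'Lax']], $silence);` in the 7.3+ branch (and the matching two-argument form plus `$silence` in the other), and `$this->startSession(true);` here.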
@@ -214,4 +214,12 @@ class Internal extends Session {
                        $this->trapError($e->getCode(), $e->getMessage());
                }
        }
+
+       private function startSession() {
+               if (PHP_VERSION_ID < 70300) {
+                       $this->invoke('session_start');
+               } else {
+                       $this->invoke('session_start', [['cookie_samesite' => 'Lax']]);
+               }
+       }
 }
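Review bot: startSession() has no docblock and no return type, and the behaviour it encodes — the session cookie only carries `SameSite=Lax` on PHP 7.3 or newer, because `cookie_samesite` is accepted as a session_start() option only from that version — is not stated anywhere in the file. Declare it `private function startSession(): void {` (if the project's minimum PHP permits `void`, which the 7.3 check suggests) and add a two-line docblock saying that it starts the PHP session, requesting a Lax SameSite session cookie on PHP >= 7.3, while older runtimes start the session without that attribute. The `PHP_VERSION_ID < 70300` guard is duplicated in CryptoWrapper.php in the same commit; a shared comment wording in both places would help a reader see they are the same compatibility decision.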