author | Roeland Jago Douma <roeland@famdouma.nl> | 2019-09-09 21:29:58 +0200 |
---|---|---|
committer | Roeland Jago Douma <roeland@famdouma.nl> | 2020-02-06 15:24:35 +0100 |
commit | 2016e57eab1d970e6edd63370e956f462e56c86c (patch) | |
tree | ece03de343ce9af606967d73cad1d68ea5deea6a /lib/private/Session/CryptoWrapper.php | |
parent | daf6887c09b3b706728c5fdef6cb6df0640f1e21 (diff) | |
Only send samesite cookies
This makes the last remaining two cookies Lax: the session cookie
itself, and the session password as well (on PHP 7.3 and later, that is). Samesite
cookies are the best cookies!
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'lib/private/Session/CryptoWrapper.php')
-rw-r--r-- | lib/private/Session/CryptoWrapper.php | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/lib/private/Session/CryptoWrapper.php b/lib/private/Session/CryptoWrapper.php
index bbaa907b268..b9dbc90edd6 100644
--- a/lib/private/Session/CryptoWrapper.php
+++ b/lib/private/Session/CryptoWrapper.php
@@ -86,7 +86,23 @@ class CryptoWrapper {
 			if($webRoot === '') {
 				$webRoot = '/';
 			}
-			setcookie(self::COOKIE_NAME, $this->passphrase, 0, $webRoot, '', $secureCookie, true);
+
+			if (PHP_VERSION_ID < 70300) {
+				setcookie(self::COOKIE_NAME, $this->passphrase, 0, $webRoot, '', $secureCookie, true);
+			} else {
+				setcookie(
+					self::COOKIE_NAME,
+					$this->passphrase,
+					[
+						'expires' => 0,
+						'path' => $webRoot,
+						'domain' => '',
+						'secure' => $secureCookie,
+						'httponly' => true,
+						'samesite' => 'Lax',
+					]
+				);
+			}
 		}
 	}
 }
|
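Review bot: The `PHP_VERSION_ID < 70300` branch necessarily omits the SameSite attribute, because the positional `setcookie()` signature has no parameter for it, but nothing in the code says so and a reader may take the two branches to be equivalent. Add `// PHP < 7.3: setcookie() has no SameSite option, so this cookie is sent without it` above the legacy call, and on the new `'samesite' => 'Lax',` line a why-comment such as `// Lax rather than Strict so the session survives top-level navigations from other origins`. Once the supported minimum PHP version is 7.3 or later, the version check and the legacy call can be dropped so the cookie is never issued without SameSite. The enclosing method's signature and the derivation of `$secureCookie` and `$webRoot` lie outside the hunk.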