aboutsummaryrefslogtreecommitdiffstats
path: root/lib/private/Session
diff options
context:
space:
mode:
authorRoeland Jago Douma <roeland@famdouma.nl>2019-09-09 21:29:58 +0200
committerRoeland Jago Douma <roeland@famdouma.nl>2020-02-06 15:24:35 +0100
commit2016e57eab1d970e6edd63370e956f462e56c86c (patch)
treeece03de343ce9af606967d73cad1d68ea5deea6a /lib/private/Session
parentdaf6887c09b3b706728c5fdef6cb6df0640f1e21 (diff)
downloadnextcloud-server-2016e57eab1d970e6edd63370e956f462e56c86c.tar.gz
nextcloud-server-2016e57eab1d970e6edd63370e956f462e56c86c.zip
Only send samesite cookies
This makes the last remaining two cookies lax. The session cookie itself. And the session password as well (on php 7.3 that is). Samesite cookies are the best cookies! Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'lib/private/Session')
-rw-r--r--lib/private/Session/CryptoWrapper.php18
-rw-r--r--lib/private/Session/Internal.php12
2 files changed, 27 insertions, 3 deletions
diff --git a/lib/private/Session/CryptoWrapper.php b/lib/private/Session/CryptoWrapper.php
index bbaa907b268..b9dbc90edd6 100644
--- a/lib/private/Session/CryptoWrapper.php
+++ b/lib/private/Session/CryptoWrapper.php
@@ -86,7 +86,23 @@ class CryptoWrapper {
if($webRoot === '') {
$webRoot = '/';
}
- setcookie(self::COOKIE_NAME, $this->passphrase, 0, $webRoot, '', $secureCookie, true);
+
+ if (PHP_VERSION_ID < 70300) {
+ setcookie(self::COOKIE_NAME, $this->passphrase, 0, $webRoot, '', $secureCookie, true);
+ } else {
+ setcookie(
+ self::COOKIE_NAME,
+ $this->passphrase,
+ [
+ 'expires' => 0,
+ 'path' => $webRoot,
+ 'domain' => '',
+ 'secure' => $secureCookie,
+ 'httponly' => true,
+ 'samesite' => 'Lax',
+ ]
+ );
+ }
}
}
}
diff --git a/lib/private/Session/Internal.php b/lib/private/Session/Internal.php
index d235e9eb50b..b9aae76c3b0 100644
--- a/lib/private/Session/Internal.php
+++ b/lib/private/Session/Internal.php
@@ -56,7 +56,7 @@ class Internal extends Session {
set_error_handler([$this, 'trapError']);
$this->invoke('session_name', [$name]);
try {
- $this->invoke('session_start');
+ $this->startSession();
} catch (\Exception $e) {
setcookie($this->invoke('session_name'), '', -1, \OC::$WEBROOT ?: '/');
}
@@ -106,7 +106,7 @@ class Internal extends Session {
public function clear() {
$this->invoke('session_unset');
$this->regenerateId();
- $this->invoke('session_start', [], true);
+ $this->startSession();
$_SESSION = [];
}
@@ -214,4 +214,12 @@ class Internal extends Session {
$this->trapError($e->getCode(), $e->getMessage());
}
}
+
+ private function startSession() {
+ if (PHP_VERSION_ID < 70300) {
+ $this->invoke('session_start');
+ } else {
+ $this->invoke('session_start', [['cookie_samesite' => 'Lax']]);
+ }
+ }
}