From 2016e57eab1d970e6edd63370e956f462e56c86c Mon Sep 17 00:00:00 2001 From: Roeland Jago Douma Date: Mon, 9 Sep 2019 21:29:58 +0200 Subject: Only send samesite cookies This makes the last remaining two cookies lax. The session cookie itself. And the session password as well (on php 7.3 that is). Samesite cookies are the best cookies! Signed-off-by: Roeland Jago Douma --- lib/private/Session/CryptoWrapper.php | 18 +++++++++++++++++- lib/private/Session/Internal.php | 12 ++++++++++-- 2 files changed, 27 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/private/Session/CryptoWrapper.php b/lib/private/Session/CryptoWrapper.php index bbaa907b268..b9dbc90edd6 100644 --- a/lib/private/Session/CryptoWrapper.php +++ b/lib/private/Session/CryptoWrapper.php @@ -86,7 +86,23 @@ class CryptoWrapper { if($webRoot === '') { $webRoot = '/'; } - setcookie(self::COOKIE_NAME, $this->passphrase, 0, $webRoot, '', $secureCookie, true); + + if (PHP_VERSION_ID < 70300) { + setcookie(self::COOKIE_NAME, $this->passphrase, 0, $webRoot, '', $secureCookie, true); + } else { + setcookie( + self::COOKIE_NAME, + $this->passphrase, + [ + 'expires' => 0, + 'path' => $webRoot, + 'domain' => '', + 'secure' => $secureCookie, + 'httponly' => true, + 'samesite' => 'Lax', + ] + ); + } } } } diff --git a/lib/private/Session/Internal.php b/lib/private/Session/Internal.php index d235e9eb50b..b9aae76c3b0 100644 --- a/lib/private/Session/Internal.php +++ b/lib/private/Session/Internal.php @@ -56,7 +56,7 @@ class Internal extends Session { set_error_handler([$this, 'trapError']); $this->invoke('session_name', [$name]); try { - $this->invoke('session_start'); + $this->startSession(); } catch (\Exception $e) { setcookie($this->invoke('session_name'), '', -1, \OC::$WEBROOT ?: '/'); } @@ -106,7 +106,7 @@ class Internal extends Session { public function clear() { $this->invoke('session_unset'); $this->regenerateId(); - $this->invoke('session_start', [], true); + $this->startSession(); $_SESSION = []; } @@ -214,4 +214,12 @@ class Internal extends Session { $this->trapError($e->getCode(), $e->getMessage()); } } + + private function startSession() { + if (PHP_VERSION_ID < 70300) { + $this->invoke('session_start'); + } else { + $this->invoke('session_start', [['cookie_samesite' => 'Lax']]); + } + } } -- cgit v1.2.3