Set SameSite=Lax Cookie Attribute and Upgrade Requirements to PHP 7.4 #3994
Conversation
Since this has been the default in Chrome for a while, no sideeffects are to be expected.
updates may also be caused by the php platform version increase in the last commit
There was a problem hiding this comment.
In principle I agree with this and this looks good.
Note that SameSite=Lax may break authentication workflows where an external site redirects back to DokuWiki with a POST request. For this reason, Chrome's SameSite=Lax by default behavior sends cookies that are less than two minutes old in top-level cross-origin POST requests (see, e.g., PortSwigger). According to SameSite Updates, this should be temporary but I couldn't find any information about this actually being phased out.
Therefore, it might be interesting to make this configurable with an appropriate security warning. I guess it could in particular be interesting to allow returning to the browser's default behavior but also maybe to allow setting Strict for extra protection or even None if it should, e.g., be possible to embed private images on another domain (but this is already broken in Chrome today, so if nobody complained, it can't be that important).
I'm not saying you should add the configuration option, I just want to make you aware of the potential breakages, I don't know if this actually affects anything in DokuWiki.
As mentioned in #3994 (review) there might be occasions when users might want to change the policy to a stricter one or the somewhat more lenient Lax implementation of current browsers.
This implements #2849 and switches all cookie setting to the new named options array style introduced in PHP 7.3. Subsequently it updates the minimum requirements to PHP 7.4 which is probably the only PHP 7 version still widely in use anyway.