Add SameSite cookie parameter

administrator/components/com_banners/Controller/TracksController.php

@@ -138,21 +138,27 @@ public function display($cachable = false, $urlparams = array())
 			$this->input->cookie->set(
 				ApplicationHelper::getHash($this->context . '.basename'),
 				$form['basename'],
-				$cookieLifeTime,
-				$cookiePath,
-				$cookieDomain,
-				$isHttpsForced,
-				true
+				[
+					'expires'  => $cookieLifeTime,
+					'path'     => $cookiePath,
+					'domain'   => $cookieDomain,
+					'secure'   => $isHttpsForced,
+					'httponly' => true,
+					'samesite' => 'lax'
+				]
 			);
 
 			$this->input->cookie->set(
 				ApplicationHelper::getHash($this->context . '.compressed'),
 				$form['compressed'],
-				$cookieLifeTime,
-				$cookiePath,
-				$cookieDomain,
-				$isHttpsForced,
-				true
+				[
+					'expires'  => $cookieLifeTime,
+					'path'     => $cookiePath,
+					'domain'   => $cookieDomain,
+					'secure'   => $isHttpsForced,
+					'httponly' => true,
+					'samesite' => 'lax'
+				]
 			);
 
 			// Push the model into the view (as default).

administrator/components/com_config/forms/application.xml

@@ -1098,6 +1098,16 @@
 			size="40"
 		/>
 
+		<field
+			name="cookie_samesite"
+			type="list"
+			label="COM_CONFIG_FIELD_COOKIE_SAMESITE_LABEL"
+			filter="WORD"
+		>
+			<option value="strict">COM_CONFIG_FIELD_COOKIE_SAMESITE_OPTION_STRICT_LABEL</option>
+			<option value="lax">COM_CONFIG_FIELD_COOKIE_SAMESITE_OPTION_LAX_LABEL</option>
+		</field>
+
 	</fieldset>
 
 	<fieldset

administrator/language/en-GB/en-GB.com_config.ini

@@ -36,6 +36,9 @@ COM_CONFIG_FIELD_CACHE_TIME_LABEL="Cache Time (minutes)"
 COM_CONFIG_FIELD_COOKIE_DOMAIN_DESC="Precede domain with '.' if cookie should be valid for all subdomains."
 COM_CONFIG_FIELD_COOKIE_DOMAIN_LABEL="Cookie Domain"
 COM_CONFIG_FIELD_COOKIE_PATH_LABEL="Cookie Path"
+COM_CONFIG_FIELD_COOKIE_SAMESITE_LABEL="Cookie SameSite"
+COM_CONFIG_FIELD_COOKIE_SAMESITE_OPTION_STRICT_LABEL="Strict"
+COM_CONFIG_FIELD_COOKIE_SAMESITE_OPTION_LAX_LABEL="Lax"
 COM_CONFIG_FIELD_DATABASE_HOST_LABEL="Host"
 COM_CONFIG_FIELD_DATABASE_NAME_LABEL="Database Name"
 COM_CONFIG_FIELD_DATABASE_PREFIX_LABEL="Database Tables Prefix"

libraries/src/Session/Storage/JoomlaStorage.php

@@ -298,7 +298,11 @@ public function start(): void
 			if ($session_clean)
 			{
 				$this->setId($session_clean);
-				$cookie->set($session_name, '', time() - 3600);
+				$cookie->set($session_name, '',
+					[
+						'expires'  => time() - 3600,
+					]
+				);
 			}
 		}
 

plugins/authentication/cookie/cookie.php

@@ -101,7 +101,13 @@ public function onUserAuthenticate($credentials, $options, &$response)
 		if (count($cookieArray) !== 2)
 		{
 			// Destroy the cookie in the browser.
-			$this->app->input->cookie->set($cookieName, '', 1, $this->app->get('cookie_path', '/'), $this->app->get('cookie_domain', ''));
+			$this->app->input->cookie->set($cookieName, '',
+				[
+					'expires'  => 1,
+					'path'     => $this->app->get('cookie_path', '/'),
+					'domain'   => $this->app->get('cookie_domain', ''),
+				]
+			);
 			Log::add('Invalid cookie detected.', Log::WARNING, 'error');
 
 			return false;
@@ -149,7 +155,13 @@ public function onUserAuthenticate($credentials, $options, &$response)
 		if (count($results) !== 1)
 		{
 			// Destroy the cookie in the browser.
-			$this->app->input->cookie->set($cookieName, '', 1, $this->app->get('cookie_path', '/'), $this->app->get('cookie_domain', ''));
+			$this->app->input->cookie->set($cookieName, '',
+				[
+					'expires'  => 1,
+					'path'     => $this->app->get('cookie_path', '/'),
+					'domain'   => $this->app->get('cookie_domain', ''),
+				]
+			);
 			$response->status = Authentication::STATUS_FAILURE;
 
 			return false;
@@ -182,7 +194,13 @@ public function onUserAuthenticate($credentials, $options, &$response)
 			}
 
 			// Destroy the cookie in the browser.
-			$this->app->input->cookie->set($cookieName, '', 1, $this->app->get('cookie_path', '/'), $this->app->get('cookie_domain', ''));
+			$this->app->input->cookie->set($cookieName, '',
+				[
+					'expires'  => 1,
+					'path'     => $this->app->get('cookie_path', '/'),
+					'domain'   => $this->app->get('cookie_domain', ''),
+				]
+			);
 
 			// Issue warning by email to user and/or admin?
 			Log::add(Text::sprintf('PLG_AUTH_COOKIE_ERROR_LOG_LOGIN_FAILED', $results[0]->user_id), Log::WARNING, 'security');
@@ -266,7 +284,13 @@ public function onUserAfterLogin($options)
 				$cookieValue   = $this->app->input->cookie->get($oldCookieName);
 
 				// Destroy the old cookie in the browser
-				$this->app->input->cookie->set($oldCookieName, '', 1, $this->app->get('cookie_path', '/'), $this->app->get('cookie_domain', ''));
+				$this->app->input->cookie->set($oldCookieName, '',
+					[
+						'expires'  => 1,
+						'path'     => $this->app->get('cookie_path', '/'),
+						'domain'   => $this->app->get('cookie_domain', ''),
+					]
+				);
 			}
 
 			$cookieArray = explode('.', $cookieValue);
@@ -322,21 +346,23 @@ public function onUserAfterLogin($options)
 
 		// Get the parameter values
 		$lifetime = $this->params->get('cookie_lifetime', 60) * 24 * 60 * 60;
+		$samesite = $this->params->get('cookie_samesite', 'strict');
 		$length   = $this->params->get('key_length', 16);
 
 		// Generate new cookie
 		$token       = UserHelper::genRandomPassword($length);
 		$cookieValue = $token . '.' . $series;
 
 		// Overwrite existing cookie with new value
-		$this->app->input->cookie->set(
-			$cookieName,
-			$cookieValue,
-			time() + $lifetime,
-			$this->app->get('cookie_path', '/'),
-			$this->app->get('cookie_domain', ''),
-			$this->app->isHttpsForced(),
-			true
+		$this->app->input->cookie->set($cookieName, $cookieValue,
+			[
+				'expires'  => time() + $lifetime,
+				'path'     => $this->app->get('cookie_path', '/'),
+				'domain'   => $this->app->get('cookie_domain', ''),
+				'secure'   => $this->app->isHttpsForced(),
+				'httponly' => true,
+				'samesite' => $samesite
+			]
 		);
 
 		$query = $this->db->getQuery(true);
@@ -424,7 +450,13 @@ public function onUserAfterLogout($options)
 		}
 
 		// Destroy the cookie
-		$this->app->input->cookie->set($cookieName, '', 1, $this->app->get('cookie_path', '/'), $this->app->get('cookie_domain', ''));
+		$this->app->input->cookie->set($cookieName, '',
+			[
+				'expires'  => 1,
+				'path'     => $this->app->get('cookie_path', '/'),
+				'domain'   => $this->app->get('cookie_domain', ''),
+			]
+		);
 
 		return true;
 	}

plugins/system/languagefilter/languagefilter.php

@@ -919,11 +919,14 @@ private function setLanguageCookie($languageCode)
 			$this->app->input->cookie->set(
 				ApplicationHelper::getHash('language'),
 				$languageCode,
-				time() + 365 * 86400,
-				$this->app->get('cookie_path', '/'),
-				$this->app->get('cookie_domain', ''),
-				$this->app->isHttpsForced(),
-				true
+				[
+					'expires'  => time() + 365 * 86400,
+					'path'     => $this->app->get('cookie_path', '/'),
+					'domain'   => $this->app->get('cookie_domain', ''),
+					'secure'   => $this->app->isHttpsForced(),
+					'httponly' => true,
+					'samesite' => 'lax'
+				]
 			);
 		}
 		// If not, set the user language in the session (that is already saved in a cookie).

plugins/system/logout/logout.php

@@ -58,7 +58,13 @@ public function __construct(&$subject, $config)
 		if ($this->app->input->cookie->getString($hash))
 		{
 			// Destroy the cookie.
-			$this->app->input->cookie->set($hash, '', 1, $this->app->get('cookie_path', '/'), $this->app->get('cookie_domain', ''));
+			$this->app->input->cookie->set($hash, '',
+				[
+					'expires'  => 1,
+					'path'     => $this->app->get('cookie_path', '/'),
+					'domain'   => $this->app->get('cookie_domain', ''),
+				]
+			);
 		}
 	}
 
@@ -77,14 +83,15 @@ public function onUserLogout($user, $options = array())
 		if ($this->app->isClient('site'))
 		{
 			// Create the cookie.
-			$this->app->input->cookie->set(
-				ApplicationHelper::getHash('PlgSystemLogout'),
-				true,
-				time() + 86400,
-				$this->app->get('cookie_path', '/'),
-				$this->app->get('cookie_domain', ''),
-				$this->app->isHttpsForced(),
-				true
+			$this->app->input->cookie->set(ApplicationHelper::getHash('PlgSystemLogout'), true,
+				[
+					'expires'  => time() + 86400,
+					'path'     => $this->app->get('cookie_path', '/'),
+					'domain'   => $this->app->get('cookie_domain', ''),
+					'secure'   => $this->app->isHttpsForced(),
+					'httponly' => true,
+					'samesite' => 'lax'
+				]
 			);
 		}
 

plugins/user/joomla/joomla.php

@@ -294,14 +294,15 @@ public function onUserLogin($user, $options = array())
 		// Add "user state" cookie used for reverse caching proxies like Varnish, Nginx etc.
 		if ($this->app->isClient('site'))
 		{
-			$this->app->input->cookie->set(
-				'joomla_user_state',
-				'logged_in',
-				0,
-				$this->app->get('cookie_path', '/'),
-				$this->app->get('cookie_domain', ''),
-				$this->app->isHttpsForced(),
-				true
+			$this->app->input->cookie->set('joomla_user_state', 'logged_in',
+				[
+					'expires'  => 0,
+					'path'     => $this->app->get('cookie_path', '/'),
+					'domain'   => $this->app->get('cookie_domain', ''),
+					'secure'   => $this->app->isHttpsForced(),
+					'httponly' => true,
+					'samesite' => $this->app->get('cookie_samesite', 'strict'),
+				]
 			);
 		}
 
@@ -368,7 +369,13 @@ public function onUserLogout($user, $options = array())
 		// Delete "user state" cookie used for reverse caching proxies like Varnish, Nginx etc.
 		if ($this->app->isClient('site'))
 		{
-			$this->app->input->cookie->set('joomla_user_state', '', 1, $this->app->get('cookie_path', '/'), $this->app->get('cookie_domain', ''));
+			$this->app->input->cookie->set('joomla_user_state', '',
+				[
+					'expires'  => 1,
+					'path'     => $this->app->get('cookie_path', '/'),
+					'domain'   => $this->app->get('cookie_domain', ''),
+				]
+			);
 		}
 
 		return true;