
Revert "Session: by default uses sameSite: Lax (BC break)"

This reverts commit 5e1deeb.
dg committed Mar 9, 2019
1 parent 9c49a49 commit e358c6682fe74b9c00a1340302bd82ea76b5d19f
@@ -40,7 +40,6 @@ class Session
// cookies
'cookie_lifetime' => 0, // until the browser is closed
'cookie_httponly' => true, // must be enabled to prevent Session Hijacking
'cookie_samesite' => 'Lax', // must be enabled to prevent CSRF
// other
'gc_maxlifetime' => self::DEFAULT_FILE_LIFETIME, // 3 hours
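Review bot: With the `cookie_samesite` line removed, the default option set carries no SameSite entry at all, so the session cookie is emitted without any SameSite attribute unless the application configures one, and the CSRF mitigation the removed comment described becomes opt-in without anything in the remaining comments saying so. Since the revert is deliberate for backward compatibility, the gap should at least be documented beside `cookie_httponly`, e.g. `// 'cookie_samesite' is intentionally unset for BC; set it to 'Lax' or 'Strict' in your configuration to mitigate CSRF`. The test expectations changed in this commit (`'samesite' => ''`) are consistent with the attribute being absent by default, so a reader of the defaults alone cannot tell the protection was dropped rather than never considered. The options array this hunk edits starts and ends outside the hunk.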
@@ -37,7 +37,7 @@ $container->getService('session')->start();
Assert::same(
PHP_VERSION_ID >= 70300
? ['lifetime' => 0, 'path' => '/x', 'domain' => 'nette.org', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']
: ['lifetime' => 0, 'path' => '/x; SameSite=Lax', 'domain' => 'nette.org', 'secure' => true, 'httponly' => true],
? ['lifetime' => 0, 'path' => '/x', 'domain' => 'nette.org', 'secure' => true, 'httponly' => true, 'samesite' => '']
: ['lifetime' => 0, 'path' => '/x', 'domain' => 'nette.org', 'secure' => true, 'httponly' => true],
session_get_cookie_params()
);
@@ -37,8 +37,8 @@ test(function () {
Assert::same(
PHP_VERSION_ID >= 70300
? ['lifetime' => 0, 'path' => '/', 'domain' => '', 'secure' => false, 'httponly' => true, 'samesite' => 'Lax']
: ['lifetime' => 0, 'path' => '/; SameSite=Lax', 'domain' => '', 'secure' => false, 'httponly' => true],
? ['lifetime' => 0, 'path' => '/', 'domain' => '', 'secure' => false, 'httponly' => true, 'samesite' => '']
: ['lifetime' => 0, 'path' => '/', 'domain' => '', 'secure' => false, 'httponly' => true],
session_get_cookie_params()
);
});
@@ -66,8 +66,8 @@ test(function () {
Assert::same(
PHP_VERSION_ID >= 70300
? ['lifetime' => 0, 'path' => '/', 'domain' => '', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']
: ['lifetime' => 0, 'path' => '/; SameSite=Lax', 'domain' => '', 'secure' => true, 'httponly' => true],
? ['lifetime' => 0, 'path' => '/', 'domain' => '', 'secure' => true, 'httponly' => true, 'samesite' => '']
: ['lifetime' => 0, 'path' => '/', 'domain' => '', 'secure' => true, 'httponly' => true],
session_get_cookie_params()
);
});
@@ -26,7 +26,6 @@ Assert::same([
'use_strict_mode' => 1,
'cookie_lifetime' => 0,
'cookie_httponly' => true,
'cookie_samesite' => 'Lax',
'gc_maxlifetime' => 10800,
'cookie_path' => '/user/',
'cookie_domain' => 'nette.org',
@@ -15,7 +15,10 @@ if (PHP_SAPI === 'cli') {
$factory = new Nette\Http\RequestFactory;
$session = new Nette\Http\Session($factory->createHttpRequest(), new Nette\Http\Response);
// is samesite=Lax by default
$session->setOptions([
'cookie_samesite' => 'Lax',
]);
$session->start();
Assert::contains(
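Review bot: The comment `// is samesite=Lax by default` directly above the `$session->setOptions(['cookie_samesite' => 'Lax'])` call would be stale if it survives this revert, because the test now has to set the option explicitly precisely because it is no longer the default; from the rendered page it is not certain whether that line is removed or kept. If it is kept, replace it with something like `// SameSite is not set by default; enable it explicitly for this test`. The `Assert::contains(` call on the last line continues outside the hunk.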
@@ -23,7 +23,6 @@ Assert::same([
'use_strict_mode' => 1,
'cookie_lifetime' => 0,
'cookie_httponly' => true,
'cookie_samesite' => 'Lax',
'gc_maxlifetime' => 10800,
'cookie_path' => '/',
'cookie_domain' => '',
@@ -42,7 +41,6 @@ Assert::same([
'use_strict_mode' => 1,
'cookie_lifetime' => 0,
'cookie_httponly' => true,
'cookie_samesite' => 'Lax',
'gc_maxlifetime' => 10800,
'cookie_path' => '/',
'cookie_secure' => false,
@@ -60,7 +58,6 @@ Assert::same([
'use_strict_mode' => 1,
'cookie_lifetime' => 0,
'cookie_httponly' => true,
'cookie_samesite' => 'Lax',
'gc_maxlifetime' => 10800,
'cookie_path' => '/',
'cookie_secure' => false,
