Add SameSite cookie flag for CSRF protection

[jekkos]

Most modern browsers now support the SameSite cookie flag, which signals that a site only accepts requests coming from the same domain. This might be an effective hardening measure against CSRF, as Ospos is not used in cross domain setups. This constraint will then of course only be enabled for users that have browsers with support for this flag.

• Need to check on a browser compatibility table for this feature
• Identify possible usecases in which ospos can be used across different domains (none?)
• Check if CI framework offers this protection or add a custom hook to add it to the Cookie headers

[jekkos]

@SteveIreland I think in the longer term it will probably relieve us from sending tokens along with the forms. The ajax case is a bit more complicated as these are done by javascript and thus no php support can be leveraged for it. Beside that I tried to make it very generic by hooking the standard jQuery functionality to fetch the token and send it along, but it might not work for every possible scenario in which it's submitting forms (like at login time).

[jekkos]

This would also allow us to enable #1498, as if SameSite works, we don't need to use js to read data from the cookies, meaning HttpOnly can be enabled without hiccups.

[jekkos]

I'm seeing the following message now locally in FF

Cookie “csrf_cookie_ospos_v3” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Samesite can be enabled by editing the cookiepath in config.php

https://stackoverflow.com/questions/60634341/codeigniter-3-samesite-attribute-for-csrf-protection

$config['cookie_path']      = '/; SameSite=None';

[jekkos]

Ok this last approach does not work and causes some issues. I have added a method override that now adds the SameSite attribute. Should be harmless for browser that don't support it yet.