[SecurityBundle] make remember-me cookies auto-secure + inherit their…

… default config from framework.session.cookie_*

CHANGELOG.md

@@ -5,7 +5,8 @@ CHANGELOG
 -----
 
  * The method `Client::submit()` will have a new `$serverParameters` argument 
-   in version 5.0, not defining it is deprecated since version 4.2
+   in version 5.0, not defining it is deprecated
+ * Added ability to read the "samesite" attribute of cookies using `Cookie::getSameSite()`
 
 3.4.0
 -----

Cookie.php

@@ -40,6 +40,7 @@ class Cookie
     protected $secure;
     protected $httponly;
     protected $rawValue;
+    private $samesite;
 
     /**
      * Sets a cookie.
@@ -52,8 +53,9 @@ class Cookie
      * @param bool        $secure       Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client
      * @param bool        $httponly     The cookie httponly flag
      * @param bool        $encodedValue Whether the value is encoded or not
+     * @param string|null $samesite     The cookie samesite attribute
      */
-    public function __construct(string $name, ?string $value, string $expires = null, string $path = null, string $domain = '', bool $secure = false, bool $httponly = true, bool $encodedValue = false)
+    public function __construct(string $name, ?string $value, string $expires = null, string $path = null, string $domain = '', bool $secure = false, bool $httponly = true, bool $encodedValue = false, string $samesite = null)
     {
         if ($encodedValue) {
             $this->value = urldecode($value);
@@ -67,6 +69,7 @@ public function __construct(string $name, ?string $value, string $expires = null
         $this->domain = $domain;
         $this->secure = $secure;
         $this->httponly = $httponly;
+        $this->samesite = $samesite;
 
         if (null !== $expires) {
             $timestampAsDateTime = \DateTime::createFromFormat('U', $expires);
@@ -106,6 +109,10 @@ public function __toString()
             $cookie .= '; httponly';
         }
 
+        if (null !== $this->samesite) {
+            $str .= '; samesite='.$this->samesite;
+        }
+
         return $cookie;
     }
 
@@ -138,6 +145,7 @@ public static function fromString($cookie, $url = null)
             'secure' => false,
             'httponly' => false,
             'passedRawValue' => true,
+            'samesite' => null,
         );
 
         if (null !== $url) {
@@ -186,7 +194,8 @@ public static function fromString($cookie, $url = null)
             $values['domain'],
             $values['secure'],
             $values['httponly'],
-            $values['passedRawValue']
+            $values['passedRawValue'],
+            $values['samesite']
         );
     }
 
@@ -298,4 +307,14 @@ public function isExpired()
     {
         return null !== $this->expires && 0 != $this->expires && $this->expires < time();
     }
+
+    /**
+     * Gets the samesite attribute of the cookie.
+     *
+     * @return string|null The cookie samesite attribute
+     */
+    public function getSameSite(): ?string
+    {
+        return $this->samesite;
+    }
 }

Tests/CookieTest.php

@@ -202,4 +202,13 @@ public function testConstructException()
     {
         $cookie = new Cookie('foo', 'bar', 'string');
     }
+
+    public function testSameSite()
+    {
+        $cookie = new Cookie('foo', 'bar');
+        $this->assertNull($cookie->getSameSite());
+
+        $cookie = new Cookie('foo', 'bar', 0, '/', 'foo.com', false, true, false, 'lax');
+        $this->assertSame('lax', $cookie->getSameSite());
+    }
 }