Adds support for the SameSite attribute in cookies. #19104
Conversation
$sameSite can be set to false, "lax", or "strict". You can read about what the different modes do here: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
@@ -38,10 +39,11 @@ class Cookie | |||
* @param bool $secure Whether the cookie should only be transmitted over a secure HTTPS connection from the client | |||
* @param bool $httpOnly Whether the cookie will be made accessible only through the HTTP protocol | |||
* @param bool $raw Whether the cookie value should be sent with no url encoding | |||
* @param bool|string $sameSite Whether the cookie will be available for cross-site requests |
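Review bot: the docblock type `bool|string` for `$sameSite` does not match the values the description allows (false, "lax" or "strict"): `true` is never a valid value, so the bool half of the union misleads callers. Declare it as `string|null` and name the two accepted string values in the description, e.g. `* @param string|null $sameSite Whether the cookie will be available for cross-site requests (null, "lax" or "strict")`.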
wouldn't $crossSite be more descriptive?
It's good practice to adhere to the spec name, i.e. samesite => setSameSite.
string|null would be better than string|bool IMO (especially given that true is not a valid value for this argument)
@@ -26,6 +26,7 @@ class Cookie | |||
protected $secure; | |||
protected $httpOnly; | |||
private $raw; | |||
protected $sameSite; |
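Review bot: `protected $sameSite;` breaks the visibility pattern set by the neighbouring `private $raw;`. Declare the new property `private` unless a subclass actually needs it; that also keeps the value validated in the constructor from being replaced with an unvalidated one further down the hierarchy.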
should be private
@@ -38,10 +39,11 @@ class Cookie | |||
* @param bool $secure Whether the cookie should only be transmitted over a secure HTTPS connection from the client | |||
* @param bool $httpOnly Whether the cookie will be made accessible only through the HTTP protocol | |||
* @param bool $raw Whether the cookie value should be sent with no url encoding | |||
* @param bool|null $sameSite Whether the cookie will be available for cross-site requests |
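Review bot: `@param bool|null $sameSite` is still the wrong type. The accepted values are the strings "lax" and "strict" (or null), so this should read `string|null`; listing the two string values in the description would also help callers.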
string|null
Whoops.
@@ -71,6 +76,12 @@ public function __construct($name, $value = null, $expire = 0, $path = '/', $dom | |||
$this->secure = (bool) $secure; | |||
$this->httpOnly = (bool) $httpOnly; | |||
$this->raw = (bool) $raw; | |||
|
|||
if (!in_array($sameSite, array(self::SAMESITE_LAX, self::SAMESITE_STRICT, null))) { |
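Review bot: the `in_array($sameSite, array(self::SAMESITE_LAX, self::SAMESITE_STRICT, null))` check uses loose comparison, so values that are not SameSite modes still pass it: `false` and `''` compare equal to `null`, `true` compares equal to any non-empty string, and on PHP 7 the integer `0` compares equal to `'lax'`. Pass `true` as the third argument so only the exact constants and `null` are accepted, and since the PR description lists `false` as an allowed value, normalise `false` to `null` before the check (or drop `false` from the description).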
You should pass true as a third argument
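An added example, not code from the PR or from Symfony, showing why that third argument matters: the same membership check with and without in_array()'s strict flag, run over a constructed set of probe values. The SAMESITE_LAX and SAMESITE_STRICT names mirror the PR's class constants but are plain constants here.

```php
<?php
// Added example (not Symfony code): the SameSite validation check from the
// PR, in its loose form and its strict form, applied to assorted inputs.
const SAMESITE_LAX = 'lax';
const SAMESITE_STRICT = 'strict';
const ALLOWED_SAMESITE = [SAMESITE_LAX, SAMESITE_STRICT, null];

// The check as written in the hunk: in_array() with loose (==) comparison.
function isValidSameSiteLoose($sameSite): bool
{
    return in_array($sameSite, ALLOWED_SAMESITE);
}

// The check with true as the third argument: identity (===) comparison.
function isValidSameSiteStrict($sameSite): bool
{
    return in_array($sameSite, ALLOWED_SAMESITE, true);
}

// Constructed probe values. Under loose comparison false and '' both equal
// null, true equals any non-empty string such as 'lax', and on PHP 7 the
// integer 0 equals the non-numeric string 'lax' as well; none of these is
// a SameSite mode. The strict check accepts only the exact members of
// ALLOWED_SAMESITE, so a caller passing the wrong type is rejected early
// instead of silently producing a cookie without the attribute it expected.
$probes = [null, 'lax', 'strict', false, '', 0, true, 'Lax', 'none'];

printf("%-8s %-7s %-7s\n", 'value', 'loose', 'strict');
foreach ($probes as $value) {
    printf(
        "%-8s %-7s %-7s\n",
        var_export($value, true),
        isValidSameSiteLoose($value) ? 'ok' : 'reject',
        isValidSameSiteStrict($value) ? 'ok' : 'reject'
    );
}
```

Run it with `php example.php` (assumed file name) on PHP 7 and PHP 8 to see the loose column change for the integer 0 while the strict column stays the same.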
see 4223997
Thank you @iangcarroll.
I just spent two hours trying to make use of the SameSite flag. What I did not know was that Cookie allows setting the flag, but Response::sendHeaders() does not handle it. Maybe Response should throw an Exception stating that PHP does not yet support sending the SameSite flag?
Please open a new issue if you think that something is not working as expected.
Indeed, this "feature" is very misleading as the SameSite attribute is never even passed to
Btw: A simple workaround is to add the following line to your apache config: