[FEATURE] Implement SameSite option for TYPO3 cookies
This change introduces a new security option for setting the SameSite
option to all cookies sent by TYPO3 Core.

Namely:
- Frontend User Sessions ("lax" by default)
- Backend User Sessions ("strict" by default)
- Install Tool Sessions ("strict", non-configurable)
- Last Login Provider in Backend ("strict", non-configurable)
- ext:rsaauth via native session handling ("strict", non-configurable)
- workspace preview "ADMCMD_prev" using backend user setting
  ("strict" by default)

This means that these can only be accessed by scripts and requests
by the same site, and not by any third-party scripts.

Since we're talking about actual cookies for a user, and not
ads-related or third-party login-dependent cookies, the default
options fit just perfectly.

All modern browsers except Internet Explorer respect this option
to be set. Please note that Firefox and Chrome will have "SameSite=lax"
set in Q1/2020 by default if NO SameSite option is set at all. This change
allows this to be configured.

Backend and Frontend User Cookies can be configured to "strict", "lax"
or "none" (= same as before), whereas "none" only works for secure
connections (= HTTPS).

If "strict" is in place, security via CSRF is not needed anymore, and can
be dropped in the future.

Resolves: #90351
Releases: master, 9.5, 8.7
Change-Id: I8095e2a552faa9d1fd4fa7855297302a9ec6a75f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63215
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Susanne Moog <look@susi.dev>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Richard Haeser <richard@maxserv.com>
Reviewed-by: Susanne Moog <look@susi.dev>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Richard Haeser <richard@maxserv.com>
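As an added illustration of the configuration described in the commit message (this is example code, not TYPO3's own), the function below builds a Set-Cookie header value with an explicit SameSite attribute and enforces the rule stated above that "none" is only valid on secure (HTTPS) connections. Cookie names, paths and values used in the usage call are constructed; the backend path "/typo3/" is an assumption.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not TYPO3 code: build a Set-Cookie header value with an
 * explicit SameSite attribute. $options['sameSite'] accepts 'strict', 'lax'
 * or 'none', mirroring the configurable values for backend and frontend
 * user cookies; 'none' is refused unless the cookie is also Secure, because
 * browsers drop SameSite=None cookies that lack the Secure attribute.
 */
function buildSetCookieHeader(string $name, string $value, array $options): string
{
    $sameSite = strtolower((string)($options['sameSite'] ?? 'lax'));
    if (!in_array($sameSite, ['strict', 'lax', 'none'], true)) {
        throw new InvalidArgumentException('SameSite must be strict, lax or none, got: ' . $sameSite);
    }
    $secure = (bool)($options['secure'] ?? false);
    if ($sameSite === 'none' && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires the Secure attribute (HTTPS only)');
    }

    $parts = [$name . '=' . rawurlencode($value)];
    if (isset($options['expires'])) {
        // Absolute UNIX timestamp; emit both Expires (IMF-fixdate) and Max-Age.
        $expires = (int)$options['expires'];
        $parts[] = 'Expires=' . gmdate('D, d M Y H:i:s', $expires) . ' GMT';
        $parts[] = 'Max-Age=' . max(0, $expires - time());
    }
    $parts[] = 'Path=' . ($options['path'] ?? '/');
    if (!empty($options['domain'])) {
        $parts[] = 'Domain=' . $options['domain'];
    }
    if ($secure) {
        $parts[] = 'Secure';
    }
    if ($options['httpOnly'] ?? true) {
        $parts[] = 'HttpOnly';
    }
    $parts[] = 'SameSite=' . ucfirst($sameSite);

    return implode('; ', $parts);
}

// Usage with the backend default from the commit message ("strict");
// cookie name, value and path are constructed for this example.
echo buildSetCookieHeader('be_typo_user', 'constructed-session-id', [
    'expires'  => time() + 7776000, // 90 days, as in the LoginController hunk
    'path'     => '/typo3/',        // assumption: backend directory
    'secure'   => true,
    'httpOnly' => true,
    'sameSite' => 'strict',
]), PHP_EOL;

// A frontend cookie with the "lax" default: top-level navigations still
// carry it, cross-site sub-requests (images, iframes, POSTs) do not.
echo buildSetCookieHeader('fe_typo_user', 'constructed-session-id', [
    'path'     => '/',
    'secure'   => true,
    'sameSite' => 'lax',
]), PHP_EOL;
```

The second header shows the practical difference between the two defaults: a Strict cookie is never sent on a request that originates from another site, so a link from an external page into the backend arrives without the session; a Lax cookie is still sent on top-level GET navigations, which is why it suits frontend user sessions.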
bmack authored and Richard Haeser committed Feb 17, 2020
1 parent 79bd294 commit 0d5ae4e
Showing 12 changed files with 390 additions and 112 deletions.
1 change: 1 addition & 0 deletions composer.json
@@ -48,6 +48,7 @@
"swiftmailer/swiftmailer": "~5.4.5",
"symfony/console": "^2.7 || ^3.0 || ^4.0",
"symfony/finder": "^2.7 || ^3.0 || ^4.0",
"symfony/http-foundation": "^3.4 || ^4.2",
"symfony/polyfill-mbstring": "^1.2",
"symfony/yaml": "^2.7 || ^3.0 || ^4.0",
"typo3/class-alias-loader": "^1.0",
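Review bot: the new symfony/http-foundation constraint (^3.4 || ^4.2) is deliberately narrower than the ^2.7 || ^3.0 || ^4.0 ranges used for symfony/console, symfony/finder and symfony/yaml on the neighbouring lines, because the SameSite argument this commit passes to the Cookie constructor is not available in the older Cookie class; that reason is not recorded anywhere, so add a sentence to the commit message before someone widens the range to match its neighbours. Also check that the 9.5 and 8.7 backports keep the same lower bound, since the regenerated composer.lock (265 changed lines) follows from it.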
265 changes: 160 additions & 105 deletions composer.lock
17 changes: 14 additions & 3 deletions typo3/sysext/backend/Classes/Controller/LoginController.php
@@ -16,6 +16,7 @@

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Symfony\Component\HttpFoundation\Cookie;
use TYPO3\CMS\Backend\Exception;
use TYPO3\CMS\Backend\LoginProvider\LoginProviderInterface;
use TYPO3\CMS\Backend\Utility\BackendUtility;
@@ -91,8 +92,6 @@ public function __construct()
{
$this->validateAndSortLoginProviders();

// We need a PHP session session for most login levels
session_start();
$this->redirectUrl = GeneralUtility::sanitizeLocalUrl(GeneralUtility::_GP('redirect_url'));
$this->loginProviderIdentifier = $this->detectLoginProvider();

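Review bot: removing session_start() here is a behavioural change that the commit message does not mention; the deleted comment says a PHP session was needed "for most login levels", so the message should state which component now starts the session (it only mentions ext:rsaauth using native session handling) or confirm that no login provider reads $_SESSION any more.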
@@ -492,7 +491,19 @@ protected function detectLoginProvider()
}
// Use the secure option when the current request is served by a secure connection:
$cookieSecure = (bool)$GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieSecure'] && GeneralUtility::getIndpEnv('TYPO3_SSL');
setcookie('be_lastLoginProvider', $loginProvider, $GLOBALS['EXEC_TIME'] + 7776000, null, null, $cookieSecure, true); // 90 days
$cookie = new Cookie(
'be_lastLoginProvider',
(string)$loginProvider,
$GLOBALS['EXEC_TIME'] + 7776000, // 90 days
GeneralUtility::getIndpEnv('TYPO3_SITE_PATH') . TYPO3_mainDir,
'',
$cookieSecure,
true,
false,
Cookie::SAMESITE_STRICT
);
header('Set-Cookie: ' . $cookie->__toString(), false);

return $loginProvider;
}

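Review bot: besides adding SameSite=Strict, this hunk changes the cookie path: setcookie() was called with null (PHP then defaults to the directory of the requested script), whereas the Cookie object gets GeneralUtility::getIndpEnv('TYPO3_SITE_PATH') . TYPO3_mainDir, an explicit backend path. That is the right scope for be_lastLoginProvider, but it belongs in the commit message, and if the two paths differ a cookie already stored under the old path stays valid for up to its 90-day lifetime, so the browser may send two be_lastLoginProvider values until the old one expires. Minor: header('Set-Cookie: ...', false) is correct for appending rather than replacing other Set-Cookie headers, but a one-line comment on why the PSR-7 response is bypassed here (the method returns the provider string, not a response) would help the next reader.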
0 comments on commit 0d5ae4e