From 293e2251ca7164e6e97b27539f4ace2f6829f15c Mon Sep 17 00:00:00 2001
From: Matt Kilgore
Date: Wed, 3 Jun 2020 22:53:30 -0400
Subject: [PATCH] Fixes #2157, Explicitly set SameSite value for cookies (#2159)

* Fixes #2157, Explicitly set SameSite value for cookies by making samesite a config option in config.php. Also contains an update for the cookie library dependency
---
 composer.json | 2 +-
 src/Http/CookieFactory.php | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/composer.json b/composer.json
index 86a9594b5..0abe741c4 100644
--- a/composer.json
+++ b/composer.json
@@ -38,7 +38,7 @@
 "php": ">=7.2",
 "axy/sourcemap": "^0.1.4",
 "components/font-awesome": "5.9.*",
- "dflydev/fig-cookies": "^1.0.2",
+ "dflydev/fig-cookies": "^2.0.1",
 "doctrine/dbal": "^2.7",
 "franzl/whoops-middleware": "^0.4.0",
 "illuminate/bus": "5.8.*",
diff --git a/src/Http/CookieFactory.php b/src/Http/CookieFactory.php
index 64bed597d..4a9eff3a3 100644
--- a/src/Http/CookieFactory.php
+++ b/src/Http/CookieFactory.php
@@ -9,6 +9,7 @@
 namespace Flarum\Http;
+use Dflydev\FigCookies\Modifier\SameSite;
 use Dflydev\FigCookies\SetCookie;
 use Flarum\Foundation\Application;
 use Illuminate\Support\Arr;
@@ -43,6 +44,13 @@ class CookieFactory
 */
 protected $secure;
+ /**
+ * Same Site cookie value.
+ *
+ * @var string
+ */
+ protected $samesite;
+
 /**
 * @param Application $app
 */
@@ -56,6 +64,7 @@ class CookieFactory
 $this->path = $app->config('cookie.path', Arr::get($url, 'path') ?: '/');
 $this->domain = $app->config('cookie.domain');
 $this->secure = $app->config('cookie.secure', Arr::get($url, 'scheme') === 'https');
+ $this->samesite = $app->config('cookie.samesite');
 }
 /**
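Review bot: The new `@var string` on `$samesite` does not match how the property is filled: the constructor hunk stores `$app->config('cookie.samesite')` with no default, so the property is null whenever the option is absent from config.php, which is exactly what the later `?? 'lax'` fallback relies on. Either document it as `@var string|null`, or apply the default at the boundary, `$this->samesite = $app->config('cookie.samesite', 'lax');`, so the declared type holds and the fallback lives in one place instead of at the use site. The docblock would also be more useful if it stated that the value is resolved by name against the cookie library's `SameSite` factory methods, since that is what constrains the accepted strings.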
@@ -85,6 +94,9 @@ class CookieFactory
 $cookie = $cookie->withDomain($this->domain);
 }
+ // Explicitly set SameSite value, use sensible default if no value provided
+ $cookie = $cookie->withSameSite(SameSite::{$this->samesite ?? 'lax'}());
+
 return $cookie
 ->withPath($this->path)
 ->withSecure($this->secure)
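Review bot: `SameSite::{$this->samesite ?? 'lax'}()` turns the configured string straight into a static method name with no validation, so a typo or unexpected casing in `cookie.samesite` surfaces as a fatal `Error: Call to undefined method` on every cookie emission instead of a clear configuration error, and an empty string slips past `??` entirely. The library already provides `SameSite::fromString()`, which throws `InvalidArgumentException` for an unrecognised value, so `$cookie = $cookie->withSameSite(SameSite::fromString($this->samesite ?: 'lax'));` fails loudly at the right place; the added comment could then read `// Explicitly set SameSite; unknown or empty config values are rejected, default is lax`. Worth noting as well that browsers only honour `SameSite=None` when the cookie is also `Secure`, and `->withSecure($this->secure)` a few lines down is driven by a separate config option, so a `none` setting combined with `cookie.secure` false would produce a cookie the browser drops silently — a comment here or a check in the constructor hunk would prevent that misconfiguration. The enclosing method begins and ends outside this hunk.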