-
-
Notifications
You must be signed in to change notification settings - Fork 437
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds support for "SameSite" cookie property #1246
Conversation
# Conflicts: # app/code/core/Mage/Core/Model/Cookie.php # app/code/core/Mage/Core/etc/system.xml # app/locale/en_US/Mage_Core.csv
This looks good from the commit. I will test this later. In |
For consistency one could say it would also be nice to have the same code in the "public function delete()", although the presence here isn't as critical as in the "public function renew()". If I can find some time today I will try and make this more complete. |
Another upgrade that would be great is the ability to specify a different policy for the backend and the frontend. Perhaps this is mostly useful for the session cookie. For example I would configure the backend to have |
Hello, I reviewed the code and I wonder if we did have to force |
* SameSite consistency for renew and delete functions
I have made some changes. The delete function now re-uses the "set function", only with forced "null" values for cookie value and period. (Same way the renew function was already implemented). |
I have reviewed the specifications you have linked and you are indeed correct. I have made the required changes to make sure the secure flag is enforced of the SameSite is set to None. |
sorry, had no time to review this yet, but I saw M2 did release something related. Did someone already have a look at what they did? |
app/code/core/Mage/Adminhtml/Model/System/Config/Source/Cookie/SameSite.php
Outdated
Show resolved
Hide resolved
Any update guys? |
@kdckrs We finally were able to test this PR in our development environment and it worked as expected. We will deploy into production next week and report back. |
Feedback about experience. We used your solution in production on our website since almost 2 months. Thx for it. |
@Flyingmana I saw there was a new release without this PR, any chance it will be included in the next one? We have been using this in a production environment for a while now and everything seems to be working correctly. (Others have mentioned this too, see previous comments) |
lets see, comments from @kkrieger85 and @nimajneb-torram are resolved. |
The code looks good but the current behavior (no SameSite flag) is equivalent to "Lax" but the PR makes "None" the default. This has the effect of actually reducing security and also potentially breaking non-https sites (although these really shouldn't remain anyway). I propose making Lax the default. |
Unit Test Results1 files 1 suites 0s ⏱️ Results for commit 26b9eee. |
In the backend, on General > Web, Magento's autoloader attempts to load *Edit: Not sure if that's worth a bug report, just shout if so. |
@ansgarbecker you are right! Fixing! Edit: PR #1390 has been created for this ;) |
Description (*)
This PR adds support to set the SameSite cookie property and is compatible with both the new setcookie signature (>= PHP 7.3) and the old one (< PHP 7.3).
By default the property is set to "None". The value can be changed in the admin-panel under System -> Configuration -> Web -> Session Cookie Management -> Same-Site
Related Pull Requests
/
Fixed Issues (if relevant)
Manual testing scenarios (*)
Questions or comments
Open for feedback, first contribution to OpenMage ;)
Contribution checklist (*)