Use browser 2020 recommendations for SameSite cookie rules #5293

Merged
merged 12 commits into from
Oct 12, 2020
28 changes: 21 additions & 7 deletions config/session.php
Expand Up @@ -169,17 +169,31 @@
|--------------------------------------------------------------------------
|
| This option determines how your cookies behave when cross-site requests
| take place, and can be used to mitigate CSRF attacks. By default, we
| do not enable this as other CSRF protection services are in place.
| take place and can be used to mitigate CSRF attacks.
|
| In the strict mode, the cookie is not sent with any cross-site usage
| even if the user follows a link to another website. Lax cookies are
| only sent with a top-level get request.
| Cookies that match the domain of the current site, i.e. what's displayed
| in the browser's address bar, are referred to as first-party cookies.
| Similarly, cookies from domains other than the current site are referred
| to as third-party cookies.
|
| Supported: "lax", "strict"
| Cookies without a SameSite attribute will be treated as `SameSite=Lax`,
| meaning the default behaviour will be to restrict cookies to first party
| contexts only.
|
| Cookies for cross-site usage must specify `SameSite=None` and
| `Secure=true` to enable inclusion in third party context.
|
| Lax - Cookies are allowed to be sent with top-level navigations and will
| be sent along with GET request initiated by third party website.
| This is the default value in modern browsers.
|
| Strict - Cookies will only be sent in a first-party context and not be
| sent along with requests initiated by third party websites.
|
| Supported: "Lax", "Strict" and "None"
|
*/

'same_site' => null,
'same_site' => 'Lax',

];
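Review bot: The "Lax" description in the new comment block is broader than what browsers actually do and should be tightened: Lax cookies are attached only to top-level navigations that use a safe method (GET), not to "GET request initiated by third party website" in general, so a cross-site `<img>`, `<iframe>` or XHR/fetch GET still omits them. Suggest wording along the lines of "Lax - Cookies are sent with top-level navigations (e.g. following a link) but not with cross-site subresource or script-initiated requests". In the same block, `Secure=true` is not attribute syntax; the cookie must carry the bare `Secure` flag, which for the session cookie means the matching secure-cookie option of this session config must also be enabled whenever `'same_site' => 'None'` is chosen, and the comment should say so explicitly rather than leaving the reader to discover that browsers silently reject `SameSite=None` without `Secure`.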
7 changes: 7 additions & 0 deletions modules/cms/classes/Controller.php
Expand Up @@ -252,6 +252,13 @@ public function run($url = '/')
$result = $event;
}

/*
* Set a default samesite config value for invalid values
*/
if (!in_array(strtolower(Config::get('session.same_site')), ['lax', 'strict', 'none'])) {
Config::set('session.same_site', 'Lax');
}

/*
* Prepare and return response
* @see \System\Traits\ResponseMaker
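Review bot: The fallback to `'Lax'` lives inside the CMS `Controller::run()`, so it only takes effect for requests that reach this controller; any other entry point that emits the session cookie (backend routes, other controllers, plugins) still sees the raw, possibly invalid `session.same_site` value and whatever the cookie layer does with it. Consider moving this normalization to a service provider `boot()` (or wherever the session config is loaded) so it applies to every request uniformly. Two smaller points on the condition itself: `strtolower(Config::get('session.same_site'))` is passed `null` when the option is unset (the previous default), which is deprecated as of PHP 8.1, so cast or default to a string first, e.g. `strtolower((string) Config::get('session.same_site'))`; and a comment noting why an invalid value is silently rewritten rather than rejected would help the next reader, since a misconfiguration is swallowed without any log line.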