Mark all necessary cookies as SameSite=None if possible

2025-10-31 18:41:10 +03:00 · 2021-08-28 01:04:59 +03:00 · 2021-08-28 01:04:59 +03:00 · 56418b1551
commit 56418b1551
parent dc9f128b79
4 changed files with 23 additions and 6 deletions
--- a/src/composer.json
+++ b/src/composer.json
@ -30,7 +30,7 @@
    "require": {
        "mibew/handlebars.php": "~0.10.5",
        "mibew/handlebars.php-helpers": "1.*",
-        "symfony/http-foundation": "~2.8.52",
+        "symfony/http-foundation": "~3.2",
        "symfony/routing": "2.6.*",
        "symfony/config": "2.6.*",
        "symfony/yaml": "^5.2",
--- a/src/mibew/libs/classes/Mibew/Application.php
+++ b/src/mibew/libs/classes/Mibew/Application.php
@ -361,7 +361,9 @@ class Application implements
        $response->headers->setCookie(CookieFactory::fromRequest($request)->createCookie(
            LOCALE_COOKIE_NAME,
            get_current_locale(),
-            time() + 60 * 60 * 24 * 1000
+            time() + 60 * 60 * 24 * 1000,
+            true,
+            false
        ));

        $response->prepare($request);
--- a/src/mibew/libs/classes/Mibew/Http/CookieFactory.php
+++ b/src/mibew/libs/classes/Mibew/Http/CookieFactory.php
@ -83,11 +83,14 @@ class CookieFactory
     * @param string $name The name of the cookie.
     * @param string $value The value of the cookie.
     * @param int|string|\DateTime $expire The time the cookie expires.
-     * @param bool $httpOnly Whether the cookie will be made accessible only
+     * @param bool $http_only Whether the cookie will be made accessible only
     *   through the HTTP protocol.
+     * @param bool $same_site Whether the cookie should be used only on the
+     *   original site. Otherwise (but only if it's already marked as secure)
+     *   it will be marked as SameSite=None
     * @return Cookie
     */
-    public function createCookie($name, $value = null, $expire = 0, $http_only = true)
+    public function createCookie($name, $value = null, $expire = 0, $http_only = true, $same_site = true)
    {
        return new Cookie(
            $name,
@ -96,7 +99,9 @@ class CookieFactory
            $this->getPath(),
            $this->getDomain(),
            $this->isSecure(),
-            $http_only
+            $http_only,
+            true,
+            !$same_site && $this->isSecure() ? 'None' : false
        );
    }

--- a/src/mibew/libs/classes/Mibew/RequestProcessor/ThreadProcessor.php
+++ b/src/mibew/libs/classes/Mibew/RequestProcessor/ThreadProcessor.php
@ -553,7 +553,17 @@ class ThreadProcessor extends ClientSideProcessor implements
        $thread->renameUser($args['name']);
        // Update user name in cookies
        $data = strtr(base64_encode($args['name']), '+/=', '-_,');
-        setcookie(USERNAME_COOKIE_NAME, $data, time() + 60 * 60 * 24 * 365);
+
+        $cookie_properties = array( 'expires' => time() + 60 * 60 * 24 * 365 );
+        if (version_compare(phpversion(), '7.3.0', '<')) {
+            setcookie(USERNAME_COOKIE_NAME, $data, $cookie_properties['expires']);
+        } else {
+            if ($this->currentRequest && $this->currentRequest->isSecure()) {
+                $cookie_properties['samesite'] = 'None';
+                $cookie_properties['secure'] = true;
+            }
+            setcookie(USERNAME_COOKIE_NAME, $data, $cookie_properties);
+        }
    }

    /**