author | Kate Butler <kate@innocraft.com> | 2019-12-10 02:53:05 +0300 |
---|---|---|
committer | Thomas Steur <tsteur@users.noreply.github.com> | 2019-12-10 02:53:05 +0300 |
commit | eec0711a0031d1378793d338ac302b4c3699caac (patch) | |
tree | 8b0b981348674786d822accb9986324afd84c7ec /libs/Zend/Session.php | |
parent | 89007f29c299d22e7554ebdbf1567ebf60721f32 (diff) |
Use appropriate SameSite value for session cookie (#15186)
* Set SameSite=lax for session cookie
* Update warning text when Matomo is installed on HTTP
* urlencode all session cookie values
Diffstat (limited to 'libs/Zend/Session.php')
-rw-r--r-- | libs/Zend/Session.php | 35 |
1 files changed, 32 insertions, 3 deletions
diff --git a/libs/Zend/Session.php b/libs/Zend/Session.php
index 73668507aa..793f76b8ed 100644
--- a/libs/Zend/Session.php
+++ b/libs/Zend/Session.php
@@ -313,11 +313,38 @@ class Zend_Session extends Zend_Session_Abstract
 } else {
 if (!self::$_unitTestEnabled) {
 session_regenerate_id(true);
+ self::rewriteSessionCookieWithSameSiteDirective();
 }
 self::$_regenerateIdState = 1;
 }
 }
+ /**
+ * Check if there is a Set-Cookie header present - if so, overwrite it with
+ * a similar header which also includes a SameSite directive. This workaround
+ * is needed because the SameSite property on the session cookie is not supported
+ * by PHP until 7.3.
+ */
+ private static function rewriteSessionCookieWithSameSiteDirective()
+ {
+ $headers = headers_list();
+ $cookieHeader = '';
+ foreach ($headers as $header) {
+ if (strpos($header, 'Set-Cookie: ' . \Piwik\Session::SESSION_NAME) === 0) {
+ $cookieHeader = $header;
+ break;
+ }
+ }
+
+ if (! $cookieHeader) {
+ return;
+ }
+
+ if (stripos($cookieHeader, 'SameSite') === false) {
+ $cookieHeader .= '; SameSite=Lax';
+ header($cookieHeader);
+ }
+ }
 /**
 * rememberMe() - Write a persistent cookie that expires after a number of seconds in the future. If no number of
@@ -763,14 +790,16 @@ class Zend_Session extends Zend_Session_Abstract
 if (isset($_COOKIE[session_name()])) {
 $cookie_params = session_get_cookie_params();
- setcookie(
+ \Piwik\Session::writeCookie(
 session_name(),
 false,
 315554400, // strtotime('1980-01-01'),
 $cookie_params['path'],
 $cookie_params['domain'],
- $cookie_params['secure']
- );
+ $cookie_params['secure'],
+ false,
+ 'lax'
+ );
 }
 }
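Review bot: `header($cookieHeader);` in the new rewriteSessionCookieWithSameSiteDirective() relies on header()'s default replace=true, which removes every queued Set-Cookie header regardless of cookie name before adding the rewritten one, so any other cookie already sent in this response is silently dropped along with the original session cookie header. The prefix test `strpos($header, 'Set-Cookie: ' . \Piwik\Session::SESSION_NAME) === 0` also lacks the trailing `=`, so a cookie whose name merely begins with the session name would be picked up instead of the session cookie. The rewrite below collects all Set-Cookie headers, rewrites only the one matching `NAME=`, and re-sends the whole list with `header(..., false)` after `header_remove('Set-Cookie')`, so the other cookies survive; the docblock should say so since it replaces the whole Set-Cookie set rather than one header. The method that calls it (the session_regenerate_id branch) begins before the hunk.
```php
    private static function rewriteSessionCookieWithSameSiteDirective()
    {
        // Match on "NAME=" so a cookie whose name merely starts with the session name is not picked.
        $sessionPrefix = 'Set-Cookie: ' . \Piwik\Session::SESSION_NAME . '=';
        $cookieHeaders = array();
        foreach (headers_list() as $header) {
            if (strpos($header, 'Set-Cookie:') === 0) {
                $cookieHeaders[] = $header;
            }
        }

        $rewritten = false;
        foreach ($cookieHeaders as $i => $header) {
            if (strpos($header, $sessionPrefix) === 0 && stripos($header, 'SameSite') === false) {
                $cookieHeaders[$i] = $header . '; SameSite=Lax';
                $rewritten = true;
            }
        }

        if (!$rewritten) {
            return;
        }

        // header() with replace=true would discard every other pending cookie, so clear the
        // Set-Cookie set once and re-send each entry with replace=false.
        header_remove('Set-Cookie');
        foreach ($cookieHeaders as $header) {
            header($header, false);
        }
    }
```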
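Review bot: The seventh argument of the new `\Piwik\Session::writeCookie(` call is a hard-coded `false` while path, domain and secure are read from `session_get_cookie_params()`; if that position is the httponly flag (writeCookie's signature is not part of this diff), passing `$cookie_params['httponly']` keeps the expiring cookie derived from the live cookie parameters instead of depending on argument position. A short comment on the call, `// name, path and domain must match the live session cookie or the browser keeps the old one`, would also explain why session_get_cookie_params() is consulted here. The enclosing method starts before the hunk.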