authorKate Butler <kate@innocraft.com>2019-12-10 02:53:05 +0300
committerThomas Steur <tsteur@users.noreply.github.com>2019-12-10 02:53:05 +0300
commiteec0711a0031d1378793d338ac302b4c3699caac (patch)
tree8b0b981348674786d822accb9986324afd84c7ec /libs
parent89007f29c299d22e7554ebdbf1567ebf60721f32 (diff)
Use appropriate SameSite value for session cookie (#15186)
* Set SameSite=lax for session cookie * Update warning text when Matomo is installed on HTTP * urlencode all session cookie values
Diffstat (limited to 'libs')
-rw-r--r--libs/Zend/Session.php35
1 files changed, 32 insertions, 3 deletions
diff --git a/libs/Zend/Session.php b/libs/Zend/Session.php
index 73668507aa..793f76b8ed 100644
--- a/libs/Zend/Session.php
+++ b/libs/Zend/Session.php
@@ -313,11 +313,38 @@ class Zend_Session extends Zend_Session_Abstract
} else {
if (!self::$_unitTestEnabled) {
session_regenerate_id(true);
+ self::rewriteSessionCookieWithSameSiteDirective();
}
self::$_regenerateIdState = 1;
}
}
+ /**
+ * Check if there is a Set-Cookie header present - if so, overwrite it with
+ * a similar header which also includes a SameSite directive. This workaround
+ * is needed because the SameSite property on the session cookie is not supported
+ * by PHP until 7.3.
+ */
+ private static function rewriteSessionCookieWithSameSiteDirective()
+ {
+ $headers = headers_list();
+ $cookieHeader = '';
+ foreach ($headers as $header) {
+ if (strpos($header, 'Set-Cookie: ' . \Piwik\Session::SESSION_NAME) === 0) {
+ $cookieHeader = $header;
+ break;
+ }
+ }
+
+ if (! $cookieHeader) {
+ return;
+ }
+
+ if (stripos($cookieHeader, 'SameSite') === false) {
+ $cookieHeader .= '; SameSite=Lax';
+ header($cookieHeader);
+ }
+ }
/**
* rememberMe() - Write a persistent cookie that expires after a number of seconds in the future. If no number of
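Review bot: The final `header($cookieHeader);` in rewriteSessionCookieWithSameSiteDirective relies on header()'s default replace=true, which discards every Set-Cookie header already queued for the response, not only the session cookie's, so any other cookie set earlier in the request is silently lost whenever the session id is regenerated. The robust form is to clear the Set-Cookie headers with header_remove() and re-emit each entry of $headers with replace=false, appending SameSite=Lax only to the matching session entry (sketch below). The prefix test in the foreach also matches any cookie whose name merely begins with SESSION_NAME; comparing against `'Set-Cookie: ' . \Piwik\Session::SESSION_NAME . '='` pins it to the session cookie. The docblock could add that this only runs on the session_regenerate_id() path and is a no-op once headers have been sent.
```php
if (stripos($cookieHeader, 'SameSite') === false) {
    // header() with replace=true would drop every queued Set-Cookie, so
    // re-emit all of them and only rewrite the session cookie's entry.
    header_remove('Set-Cookie');
    foreach ($headers as $header) {
        if (strpos($header, 'Set-Cookie:') !== 0) {
            continue;
        }
        header($header === $cookieHeader ? $cookieHeader . '; SameSite=Lax' : $header, false);
    }
}
```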
@@ -763,14 +790,16 @@ class Zend_Session extends Zend_Session_Abstract
if (isset($_COOKIE[session_name()])) {
$cookie_params = session_get_cookie_params();
- setcookie(
+ \Piwik\Session::writeCookie(
session_name(),
false,
315554400, // strtotime('1980-01-01'),
$cookie_params['path'],
$cookie_params['domain'],
- $cookie_params['secure']
- );
+ $cookie_params['secure'],
+ false,
+ 'lax'
+ );
}
}