From 162513d7608a43d53f178f744543e30dafc15f9b Mon Sep 17 00:00:00 2001
From: Thomas Steur
Date: Wed, 29 Jan 2020 13:54:07 +1300
Subject: Use SameSite none for session token when embedded into iframe (#15439)
---
 core/Session.php | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'core/Session.php')
diff --git a/core/Session.php b/core/Session.php
index 683c3e0410..ff5d76af53 100644
--- a/core/Session.php
+++ b/core/Session.php
@@ -186,6 +186,17 @@ class Session extends Zend_Session
 return self::$sessionStarted;
 }
+ public static function getSameSiteCookieValue()
+ {
+ $config = Config::getInstance();
+ $general = $config->General;
+ if (!empty($general['enable_framed_pages']) && ProxyHttp::isHttps()) {
+ return 'None';
+ }
+
+ return 'Lax';
+ }
+
 /**
 * Write cookie header. Similar to the native setcookie() function but also supports
 * the SameSite cookie property.
-- cgit v1.2.3
From 071f505d19924503691d4f4028ad58c4f50ffb50 Mon Sep 17 00:00:00 2001
From: diosmosis
Date: Wed, 19 Feb 2020 19:05:15 -0800
Subject: =?UTF-8?q?Fix=20couple=20issues=20w/=20samesite=20handling=20in?= =?UTF-8?q?=20session,=20make=20sure=20session=20=E2=80=A6=20(#15561)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 core/Session.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
(limited to 'core/Session.php')
diff --git a/core/Session.php b/core/Session.php
index ff5d76af53..3f7bdfc02f 100644
--- a/core/Session.php
+++ b/core/Session.php
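Review bot: The new getSameSiteCookieValue() carries no docblock and no return type, and the reason the 'None' branch is gated on `ProxyHttp::isHttps()` is left implicit: browsers only honour `SameSite=None` on cookies that also carry the `Secure` attribute, so returning it on a plain-HTTP request would produce a cookie that is silently dropped. A docblock such as `/** Returns the SameSite value to use for the session cookie: 'None' when framed pages are enabled and the request is HTTPS (SameSite=None is ignored by browsers without Secure), 'Lax' otherwise. @return string */` would record that contract. Whether the caller also sets the `secure` flag on the cookie when this returns 'None' is not visible in this hunk and is worth confirming, since this method only decides the attribute value.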
@@ -190,7 +190,15 @@ class Session extends Zend_Session
 {
 $config = Config::getInstance();
 $general = $config->General;
- if (!empty($general['enable_framed_pages']) && ProxyHttp::isHttps()) {
+
+ $module = Piwik::getModule();
+ $action = Piwik::getAction();
+
+ $isOptOutRequest = $module == 'CoreAdminHome' && $action == 'optOut';
+ $isOverlay = $module == 'Overlay';
+ $shouldUseNone = !empty($general['enable_framed_pages']) || $isOptOutRequest || $isOverlay;
+
+ if ($shouldUseNone && ProxyHttp::isHttps()) {
 return 'None';
 }
@@ -231,6 +239,7 @@ class Session extends Zend_Session
 if ($sameSite) {
 $headerStr .= '; SameSite=' . rawurlencode($sameSite);
 }
+ Common::sendHeader($headerStr);
 return $headerStr;
 }
 }
-- cgit v1.2.3
From 4c8fe7cf71e59bee91ff034c3d1f818a287acd14 Mon Sep 17 00:00:00 2001
From: Stefan Giehl
Date: Sat, 22 Feb 2020 01:03:37 +0100
Subject: Ensure cookies are not set with encoded parameters (#15602)
---
 core/Session.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'core/Session.php')
diff --git a/core/Session.php b/core/Session.php
index 3f7bdfc02f..f2f984d357 100644
--- a/core/Session.php
+++ b/core/Session.php
@@ -222,10 +222,10 @@ class Session extends Zend_Session
 {
 $headerStr = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value);
 if ($expires) {
- $headerStr .= '; expires=' . rawurlencode($expires);
+ $headerStr .= '; expires=' . $expires;
 }
 if ($path) {
- $headerStr .= '; path=' . rawurlencode($path);
+ $headerStr .= '; path=' . $path;
 }
 if ($domain) {
 $headerStr .= '; domain=' . rawurlencode($domain);
@@ -237,8 +237,9 @@ class Session extends Zend_Session
 $headerStr .= '; httponly';
 }
 if ($sameSite) {
- $headerStr .= '; SameSite=' . rawurlencode($sameSite);
+ $headerStr .= '; SameSite=' . $sameSite;
 }
+
 Common::sendHeader($headerStr);
 return $headerStr;
 }
-- cgit v1.2.3
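Review bot: The new `$isOptOutRequest` and `$isOverlay` lines compare the request module and action with loose `==`; strict comparison is the safer form for string matching, i.e. `$isOptOutRequest = $module === 'CoreAdminHome' && $action === 'optOut';` and `$isOverlay = $module === 'Overlay';`. Since `Piwik::getModule()` and `Piwik::getAction()` presumably resolve from the incoming request, the SameSite attribute of the session cookie is now decided by the request on those two routes rather than only by the `enable_framed_pages` setting; a one-line comment above `$shouldUseNone` stating that the opt-out and Overlay pages are intentionally embeddable cross-site would record why that is acceptable. The signature of getSameSiteCookieValue is outside the hunk.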
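Review bot: With `Common::sendHeader($headerStr);` added before `return $headerStr;`, writeCookie (whose signature and docblock are outside the hunk) now emits the Set-Cookie header as a side effect while still returning the string, so any existing caller that passes the returned value to header() itself would now send the cookie twice; the callers are not visible here and should be checked. The method's docblock, which currently reads "Write cookie header", should state the new contract, for example `Builds the Set-Cookie header, sends it via Common::sendHeader() and returns the header string that was sent.`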
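Review bot: After the `expires` and `path` lines drop rawurlencode(), those two attributes are concatenated into the Set-Cookie header verbatim while `$name`, `$value` and `$domain` remain encoded, so the method now depends on callers passing a trusted `$path` (a `;` inside it would terminate the attribute and start another); the hunk does not show where `$path` comes from, so this is worth confirming at the call sites. The SameSite line in the following hunk is changed the same way, but its value comes from getSameSiteCookieValue(), which only yields 'None' or 'Lax'. A comment on the `expires=` line such as `// cookie attributes are not URL-decoded by browsers; the RFC date and path must be sent literally` would record why the encoding was removed, and if callers cannot guarantee a clean path, rejecting `;`, CR and LF in it before concatenation would keep the header well-formed. writeCookie's signature is outside the hunk.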