Merge pull request #17075 from nextcloud/enh/samesitecookies

Only send samesite cookies

2 files changed, 27 insertions, 3 deletions

diff --git a/lib/private/Session/CryptoWrapper.php b/lib/private/Session/CryptoWrapper.php
index bbaa907b268..b9dbc90edd6 100644
--- a/lib/private/Session/CryptoWrapper.php
+++ b/lib/private/Session/CryptoWrapper.php
@@ -86,7 +86,23 @@ class CryptoWrapper {
 				if($webRoot === '') {
 					$webRoot = '/';
 				}
-				setcookie(self::COOKIE_NAME, $this->passphrase, 0, $webRoot, '', $secureCookie, true);
+
+				if (PHP_VERSION_ID < 70300) {
+					setcookie(self::COOKIE_NAME, $this->passphrase, 0, $webRoot, '', $secureCookie, true);
+				} else {
+					setcookie(
+						self::COOKIE_NAME,
+						$this->passphrase,
+						[
+							'expires' => 0,
+							'path' => $webRoot,
+							'domain' => '',
+							'secure' => $secureCookie,
+							'httponly' => true,
+							'samesite' => 'Lax',
+						]
+					);
+				}
 			}
 		}
 	}
diff --git a/lib/private/Session/Internal.php b/lib/private/Session/Internal.php
index d235e9eb50b..b9aae76c3b0 100644
--- a/lib/private/Session/Internal.php
+++ b/lib/private/Session/Internal.php
@@ -56,7 +56,7 @@ class Internal extends Session {
 		set_error_handler([$this, 'trapError']);
 		$this->invoke('session_name', [$name]);
 		try {
-			$this->invoke('session_start');
+			$this->startSession();
 		} catch (\Exception $e) {
 			setcookie($this->invoke('session_name'), '', -1, \OC::$WEBROOT ?: '/');
 		}
@@ -106,7 +106,7 @@ class Internal extends Session {
 	public function clear() {
 		$this->invoke('session_unset');
 		$this->regenerateId();
-		$this->invoke('session_start', [], true);
+		$this->startSession();
 		$_SESSION = [];
 	}
 
@@ -214,4 +214,12 @@ class Internal extends Session {
 			$this->trapError($e->getCode(), $e->getMessage());
 		}
 	}
+
+	private function startSession() {
+		if (PHP_VERSION_ID < 70300) {
+			$this->invoke('session_start');
+		} else {
+			$this->invoke('session_start', [['cookie_samesite' => 'Lax']]);
+		}
+	}
 }