From f0d2cd405798fee21bff76b8cc6a8d79e3a913d4 Mon Sep 17 00:00:00 2001
From: pdontthink
Date: Fri, 7 May 2021 09:32:04 +0000
Subject: [PATCH] Add cookie SameSite attribute; uses default if "Strict" but can be overridden by $same_site_cookies in config_local.php
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14918 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 config/config_local.example.php | 6 ++++++
 functions/global.php | 30 ++++++++++++++++++++++++++++--
 2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/config/config_local.example.php b/config/config_local.example.php
index 1c34e3e7..40644cd2 100644
--- a/config/config_local.example.php
+++ b/config/config_local.example.php
@@ -200,4 +200,10 @@
 * some environments.
 * $upload_filesize_divisor = 1024;
 *
+ * $same_site_cookies allows override of how cookies are set
+ * with the "SameSite" attribute. Normally you won't want to
+ * do anything with this. If you do, you can set it to "Lax"
+ * "Strict" (which is default) or "None" -- or set it to an
+ * empty string to cause cookies to be sent without adding
+ * the SameSite attribute at all and use the browser's default
 */
diff --git a/functions/global.php b/functions/global.php
index be2e1a2e..bb7b7be4 100644
--- a/functions/global.php
+++ b/functions/global.php
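Review bot: The new comment in config_local.example.php offers "None" as a valid $same_site_cookies value without the condition attached to it: browsers only accept SameSite=None on a cookie that also carries the Secure flag, so on a plain-HTTP install that choice silently produces cookies the browser drops. One extra comment line after the "None" sentence, such as ` * ("None" only takes effect for cookies sent over HTTPS)`, would spare administrators that silent failure. The rest of the hunk is comment text only and changes no code.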
@@ -580,6 +580,16 @@ function sqsession_start() {
 * transmitted over a secure HTTPS connection.
 * @param boolean $bHttpOnly Disallow JS to access the cookie (IE6 only)
 * @param boolean $bReplace Replace previous cookies with same name?
+ * @param string $sSameSite Optional override of the default SameSite
+ * cookie policy detemined from the global
+ * configuration item $same_site_cookies
+ * (which can be set in config/config_local.php)
+ * (should be NULL to accept the configured global
+ * default or one of "Lax" "Strict" or "None"
+ * but "None" will not work if $bSecure is FALSE.
+ * Can also be set set to an empty string in order
+ * to NOT specify the SameSite cookie attribute at
+ * all and accept whatever the browser default is)
 *
 * @return void
 *
@@ -587,7 +597,7 @@ function sqsession_start() {
 *
 */
 function sqsetcookie($sName, $sValue='deleted', $iExpire=0, $sPath="", $sDomain="",
- $bSecure=false, $bHttpOnly=true, $bReplace=false) {
+ $bSecure=false, $bHttpOnly=true, $bReplace=false, $sSameSite=NULL) {

 // some environments can get overwhelmed by an excessive
 // setting of the same cookie over and over (e.g., many
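Review bot: The new @param block for $sSameSite carries two typos that every reader of the sqsetcookie contract will see: `detemined` should be `determined` and `Can also be set set to` should be `Can also be set to`. It also warns that "None" will not work when $bSecure is FALSE but leaves open what the function does then; since the body later emits the attribute as given, a sentence such as `The value is emitted unchanged; pass $bSecure=TRUE whenever "None" is used` would make the caller's responsibility explicit. The docblock and the signature it documents both begin before this hunk.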
@@ -614,6 +624,21 @@ function sqsetcookie($sName, $sValue='deleted', $iExpire=0, $sPath="", $sDomain=
 if (!$only_secure_cookies)
 $bSecure = false;
+ // use global SameSite setting, but allow override
+ // The global $same_site_cookies (for which an override value
+ // can be specified in config/config_local.php) defaults to
+ // "Strict" when it is NULL (when not given in the config file),
+ // or can be manually set to "Lax" "Strict" or "None" if desired
+ // or can be set to an empty string in order to not specify
+ // SameSite at all and use the browser default
+ if (is_null($sSameSite)) {
+ global $same_site_cookies;
+ if (is_null($same_site_cookies))
+ $sSameSite = 'Strict';
+ else
+ $sSameSite = $same_site_cookies;
+ }
+
 if (false && check_php_version(5,2)) {
 // php 5 supports the httponly attribute in setcookie, but because setcookie seems a bit
 // broken we use the header function for php 5.2 as well. We might change that later.
@@ -634,7 +659,8 @@ function sqsetcookie($sName, $sValue='deleted', $iExpire=0, $sPath="", $sDomain=
 . (empty($sPath) ? '' : '; path=' . $sPath)
 . (empty($sDomain) ? '' : '; domain=' . $sDomain)
 . (!$bSecure ? '' : '; secure')
- . (!$bHttpOnly ? '' : '; HttpOnly'), $bReplace);
+ . (!$bHttpOnly ? '' : '; HttpOnly')
+ . (empty($sSameSite) ? '' : '; SameSite=' . $sSameSite), $bReplace);
 }
 }
-- 2.25.1
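Review bot: The value copied from $same_site_cookies in the `is_null($sSameSite)` block reaches the Set-Cookie header unchanged, so a misspelled or wrongly-cased config value ("strict", "none") is still emitted, and a browser that does not recognise the token may fall back to its own default — the opposite of what the administrator configured. The same block also leaves the "None" / non-Secure combination the docblock warns about unhandled: when `$bSecure = false` has just been forced by $only_secure_cookies a few lines above, a "None" cookie goes out without Secure and is typically discarded by current browsers. Normalising the effective value to the three defined tokens (or the empty string) and downgrading "None" to "Lax" when the cookie is not Secure keeps the header well-formed; the concatenation in the following hunk (`. (empty($sSameSite) ? '' : '; SameSite=' . $sSameSite)`) then needs no change. sqsetcookie begins before this hunk and the header() call these lines feed ends in the next one.
```php
    if (is_null($sSameSite)) {
        global $same_site_cookies;
        $sSameSite = is_null($same_site_cookies) ? 'Strict' : $same_site_cookies;
    }
    // Only the tokens defined for the attribute are emitted; anything
    // else (e.g. a typo in config_local.php) falls back to the Strict default
    if (!empty($sSameSite) && !in_array($sSameSite, array('Lax', 'Strict', 'None'), true))
        $sSameSite = 'Strict';
    // SameSite=None is only honored together with the Secure flag, so
    // without it the cookie would be dropped; Lax is the usable fallback
    if ($sSameSite === 'None' && !$bSecure)
        $sSameSite = 'Lax';
    // … unchanged: legacy setcookie branch and header() call …
```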