Feature: About the SameSite COOKIE RFC changes for PHP > 7.3 #2374

Closed
crustamet opened this issue Oct 29, 2019 · 6 comments
@crustamet
Contributor

Hello, in the old CodeIgniter 3
I had an option to use this directly in the config of cookiePath...
$cookiePath = '/; SameSite=strict';

setcookie('samesite-test', '1', 0, '/; samesite=strict');

Now with the new C4 this doesn't work anymore.
Please introduce this SameSite cookie config setting into the
Config/App.php file:
$cookieSameSite = 'strict'; // or lax; I think there are 3 options, none, strict and lax... that have to be implemented..

Please guys, send a message if you are thinking of implementing this,
because for me this is very important!

// by default or something....

@crustamet crustamet added the bug Verified issues on the current code behavior or pull requests that will fix them label Oct 29, 2019
@jim-parry
Contributor

@lonnieezell Is this something overlooked? It feels like a feature request more than a bug.

@lonnieezell
Member

Looks like OP was using a bit of a hack to get it to work. I think it's a worthy addition - but definitely a new feature. Tag it for the first release after 4.0 I think.

@crustamet
Contributor Author

crustamet commented Oct 29, 2019

The problem is that to fix this well it is a bit of a change if you want to add the feature.

I just documented myself, and with the setcookie function the settings of the session should be passed as an array, not as simple variables....

So I understand for this you will have to change a lot of stuff.

What I think is to make it work now at the present and not focus on this task in the future...

This is a major concern; this will help other problems to be solved...

@jim-parry jim-parry changed the title Bug: About the SameSite COOKIE RFC changes for PHP > 7.3 Feature: About the SameSite COOKIE RFC changes for PHP > 7.3 Oct 29, 2019
@jim-parry jim-parry added this to the 4.0.1 milestone Oct 29, 2019
@natanfelles
Contributor

@nControl88

nControl88 commented Jul 16, 2020

There exists a workaround for PHP < 7.3.

The following code is from vendor\codeigniter4\framework\system\Security\Security.php: CSRFSetCookie(RequestInterface $request) with $this->CSRFCookieSameSite as an added attribute:

if (PHP_VERSION_ID < 70300) {
	setcookie(
		$this->CSRFCookieName,
		$this->CSRFHash,
		$expire,
		$this->cookiePath . "; samesite=" . $this->CSRFCookieSameSite,
		$this->cookieDomain,
		$secure_cookie,
		true // Enforce HTTP only cookie for security
	);
}
else {
	setcookie($this->CSRFCookieName, $this->CSRFHash, [
		'expires'  => $expire,
		'path'     => $this->cookiePath,
		'domain'   => $this->cookieDomain,
		'secure'   => $secure_cookie,
		'httponly' => true, // Enforce HTTP only cookie for security
		'samesite' => $this->CSRFCookieSameSite,
	]);
}
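
Added example, not part of the thread and not CodeIgniter's code: a hypothetical helper, buildCookieArgs(), that validates the SameSite setting before it reaches either branch of the version check in the comment above, because the pre-7.3 branch concatenates the setting into the path argument. The function name, its parameter order, the cookie name and the sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not CodeIgniter code: returns the argument list for
// setcookie() so the caller can run setcookie(...$args) on either PHP branch.
function buildCookieArgs(string $name, string $value, int $expire, string $path,
    string $domain, bool $secure, string $sameSite, int $phpVersionId = PHP_VERSION_ID): array
{
    // Allowlist the attribute: on the pre-7.3 branch it is concatenated into
    // the path, so a free-form config value would reach the header verbatim.
    $sameSite = ucfirst(strtolower(trim($sameSite)));
    if (!in_array($sameSite, ['Strict', 'Lax', 'None'], true)) {
        throw new InvalidArgumentException('SameSite must be Strict, Lax or None');
    }
    // The path is concatenated too: refuse attribute separators and control characters.
    if (preg_match('/[;,\s\x00-\x1f\x7f]/', $path) === 1) {
        throw new InvalidArgumentException('Cookie path contains illegal characters');
    }
    // Current browsers discard SameSite=None cookies that lack the Secure flag.
    if ($sameSite === 'None' && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires a secure cookie');
    }

    if ($phpVersionId < 70300) {
        // Legacy positional signature; httponly stays forced to true.
        return [$name, $value, $expire, $path . '; SameSite=' . $sameSite, $domain, $secure, true];
    }
    // PHP >= 7.3: options-array signature with a native 'samesite' key.
    return [$name, $value, [
        'expires'  => $expire,
        'path'     => $path,
        'domain'   => $domain,
        'secure'   => $secure,
        'httponly' => true,
        'samesite' => $sameSite,
    ]];
}

// Constructed sample values; 'csrf_cookie_name' is a placeholder.
$token = bin2hex(random_bytes(16));
foreach ([70200, 70400] as $version) {
    $args = buildCookieArgs('csrf_cookie_name', $token, 0, '/', '', true, 'strict', $version);
    echo $version, ': ', json_encode($args), PHP_EOL;
}
try {
    buildCookieArgs('csrf_cookie_name', $token, 0, '/', '', true, 'strict; Domain=other.example');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```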

@crustamet
Contributor Author

After 4 months I am happy this was added in, seriously :)
