
# OpenRat Content Management System

commit 95e2fbef7be0ecf7c5a1eda415a2f0eb7adae8d3
parent 431750af2084c7ee1170c978ff38f2cb8e27ded3
Author: Jan Dankert <develop@jandankert.de>
Date:   Sat, 22 Aug 2020 23:13:01 +0200

Security: configuration setting for the SameSite cookie policy.

Diffstat:
modules/cms/Dispatcher.class.php | 3++-
modules/cms/action/Action.class.php | 18+++++++++++++++++-
modules/cms/action/ProfileAction.class.php | 1+
modules/util/config-default.php | 1+
4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/modules/cms/Dispatcher.class.php b/modules/cms/Dispatcher.class.php
@@ -40,7 +40,8 @@ class Dispatcher
 public function doAction()
 {
 // Start the session. All classes should have been loaded up to now.
- session_start();
+ session_name('or_sid');
+ session_start();
 $this->checkConfiguration();
diff --git a/modules/cms/action/Action.class.php b/modules/cms/action/Action.class.php
@@ -411,7 +411,23 @@ namespace cms\action {
 $secure = config('security', 'cookie', 'secure');
 $httponly = config('security', 'cookie', 'httponly');
- setcookie($name , $value, $expire,COOKIE_PATH, '', $secure, $httponly);
+ $samesite = config('security', 'cookie', 'samesite');
+
+ $cookieAttributes = [
rawurlencode($name).'='.rawurlencode($value),
'Expires='.date('r',$expire),
'Path='.COOKIE_PATH
];
+
+ if ( $secure )
$cookieAttributes[] = 'Secure';
+
+ if ( $httponly )
$cookieAttributes[] = 'HttpOnly';
+
+ $cookieAttributes[] = 'SameSite='.$samesite;
+
+ header('Set-Cookie: '.implode('; ',$cookieAttributes) );
 }
 }
diff --git a/modules/cms/action/ProfileAction.class.php b/modules/cms/action/ProfileAction.class.php
@@ -305,6 +305,7 @@ class ProfileAction extends BaseAction
 $conf['language'] = $language->getLanguage($l,PRODUCTION);
 $conf['language']['language_code'] = $l;
 Session::setConfig($conf);
+ $this->setCookie('or_language',$l);
 }
diff --git a/modules/util/config-default.php b/modules/util/config-default.php
@@ -723,6 +723,7 @@ function createDefaultConfig()
 $conf['security']['cookie']=array();
 $conf['security']['cookie']['secure']=false;
 $conf['security']['cookie']['httponly']=true;
+ $conf['security']['cookie']['samesite']='Strict';
 $conf['security']['cookie']['expire']=720;
 $conf['security']['readonly']=false;
 $conf['security']['nopublish']=false;
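Review bot: The session cookie that `session_start()` issues here does not receive the new `security.cookie.samesite` setting (nor `secure`/`httponly`); only cookies sent through `Action::setCookie` do, so the most sensitive cookie, `or_sid`, keeps PHP's ini defaults unless session cookie parameters are configured somewhere outside this hunk. On PHP 7.3+ the same policy can be applied to it with `session_set_cookie_params(['path' => COOKIE_PATH, 'secure' => config('security','cookie','secure'), 'httponly' => config('security','cookie','httponly'), 'samesite' => config('security','cookie','samesite')]);` placed between `session_name('or_sid');` and `session_start();`. Whether the configuration is readable at that point is not visible here, since `$this->checkConfiguration()` only runs after the session has started, so the call order may need adjusting. `doAction()` continues outside the hunk.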
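Review bot: `header('Set-Cookie: ...')` is called without the `$replace` argument, which defaults to `true`, so this call discards every `Set-Cookie` header already queued for the response — any earlier `setCookie()` call and, when `session_start()` has just issued one, the `or_sid` session cookie — whereas the replaced `setcookie()` appended; pass `false`: `header('Set-Cookie: '.implode('; ',$cookieAttributes), false);`. The hand-built `Expires` also has two problems: `date('r',$expire)` emits server-local time with a numeric offset while the attribute is defined in GMT (`gmdate('D, d-M-Y H:i:s T', $expire)` is the usual form), and `$expire == 0`, which `setcookie()` treated as "session cookie", now produces a 1970 date that deletes the cookie — whether callers pass 0 cannot be seen, as `$expire` is computed above the hunk. `$samesite` is appended unvalidated, so an empty or misspelled config value yields an invalid attribute, and `None` is only accepted by browsers together with `Secure`, so it should be checked against `Strict`/`Lax`/`None` and `None` rejected or forced to secure. If the project already requires PHP 7.3, `setcookie($name, $value, ['expires' => $expire, 'path' => COOKIE_PATH, 'secure' => $secure, 'httponly' => $httponly, 'samesite' => $samesite])` covers all of this without a hand-built header. The enclosing `setCookie` method begins above the hunk.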
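Review bot: The new `samesite` default carries no comment on its accepted values, which a security setting in the default configuration needs: the attribute only accepts `Strict`, `Lax` or `None`, and `None` is honoured by browsers only together with `secure=true`, which defaults to `false` two lines above. A comment such as `// SameSite cookie attribute: 'Strict', 'Lax' or 'None' ('None' requires secure=true)` above the new line would prevent a misconfiguration that silently drops cookies. `createDefaultConfig()` continues outside the hunk.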