commit 95e2fbef7be0ecf7c5a1eda415a2f0eb7adae8d3
parent 431750af2084c7ee1170c978ff38f2cb8e27ded3
Author: Jan Dankert <develop@jandankert.de>
Date: Sat, 22 Aug 2020 23:13:01 +0200
Security: Configuration-setting for the SameSite-Cookie-Policy.
Diffstat:
4 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/modules/cms/Dispatcher.class.php b/modules/cms/Dispatcher.class.php
@@ -40,7 +40,8 @@ class Dispatcher
public function doAction()
{
// Start the session. All classes should have been loaded up to now.
- session_start();
+ session_name('or_sid');
+ session_start();
$this->checkConfiguration();
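Review bot: The session cookie started by session_start() on the line after the new session_name() call still uses PHP's default cookie parameters, so the SameSite setting this commit introduces (read only in Action::setCookie) does not apply to the session cookie unless session_set_cookie_params() is called somewhere outside this hunk. On PHP 7.3+ the options-array form covers it in one call before session_start(): `session_set_cookie_params(['samesite' => $samesite, 'secure' => $secure, 'httponly' => $httponly]);` with the three values read from the same security.cookie configuration; whether config() is already usable at this point (checkConfiguration() runs afterwards) I cannot tell from the hunk. doAction() continues outside the hunk.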
diff --git a/modules/cms/action/Action.class.php b/modules/cms/action/Action.class.php
@@ -411,7 +411,23 @@ namespace cms\action {
$secure = config('security', 'cookie', 'secure');
$httponly = config('security', 'cookie', 'httponly');
- setcookie($name , $value, $expire,COOKIE_PATH, '', $secure, $httponly);
+ $samesite = config('security', 'cookie', 'samesite');
+
+ $cookieAttributes = [
+ rawurlencode($name).'='.rawurlencode($value),
+ 'Expires='.date('r',$expire),
+ 'Path='.COOKIE_PATH
+ ];
+
+ if ( $secure )
+ $cookieAttributes[] = 'Secure';
+
+ if ( $httponly )
+ $cookieAttributes[] = 'HttpOnly';
+
+ $cookieAttributes[] = 'SameSite='.$samesite;
+
+ header('Set-Cookie: '.implode('; ',$cookieAttributes) );
}
}
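Review bot: The header() call on the last added line uses the default replace=true, so a second setCookie() in the same request (ProfileAction now adds an or_language cookie) overwrites any earlier Set-Cookie header instead of adding one, which the previous setcookie() call did not do; pass the flag explicitly, `header('Set-Cookie: '.implode('; ', $cookieAttributes), false);`. The samesite value is also emitted unvalidated, so an unset or misspelled configuration produces `SameSite=` or an unknown token that browsers ignore, and `None` is only honoured together with `Secure`, which the current code does not enforce. `date('r', $expire)` emits a local-time RFC 2822 date, whereas RFC 6265 expects a GMT date (`gmdate('D, d M Y H:i:s \G\M\T', $expire)`), and if callers can pass an expire of 0 for a session cookie the old setcookie() omitted Expires while this code now emits a 1970 date that deletes the cookie — the signature and the origin of $expire are outside the hunk, so I cannot confirm that case. The rewritten attribute handling below; setCookie() starts outside the hunk.
```php
$samesite = config('security', 'cookie', 'samesite');
// Only the three values defined for SameSite are meaningful; fall back to the
// configured default rather than sending an empty or unknown attribute.
if (!in_array($samesite, ['Strict', 'Lax', 'None'], true)) {
    $samesite = 'Strict';
}
// … unchanged: $cookieAttributes built from name/value, Expires, Path, Secure, HttpOnly …
// Browsers reject SameSite=None unless the cookie is also marked Secure.
if ($samesite === 'None' && !in_array('Secure', $cookieAttributes, true)) {
    $cookieAttributes[] = 'Secure';
}
$cookieAttributes[] = 'SameSite='.$samesite;
// replace=false: keep Set-Cookie headers emitted by earlier calls in this request.
header('Set-Cookie: '.implode('; ', $cookieAttributes), false);
```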
diff --git a/modules/cms/action/ProfileAction.class.php b/modules/cms/action/ProfileAction.class.php
@@ -305,6 +305,7 @@ class ProfileAction extends BaseAction
$conf['language'] = $language->getLanguage($l,PRODUCTION);
$conf['language']['language_code'] = $l;
Session::setConfig($conf);
+ $this->setCookie('or_language',$l);
}
diff --git a/modules/util/config-default.php b/modules/util/config-default.php
@@ -723,6 +723,7 @@ function createDefaultConfig()
$conf['security']['cookie']=array();
$conf['security']['cookie']['secure']=false;
$conf['security']['cookie']['httponly']=true;
+ $conf['security']['cookie']['samesite']='Strict';
$conf['security']['cookie']['expire']=720;
$conf['security']['readonly']=false;
$conf['security']['nopublish']=false;
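Review bot: The new samesite default carries no hint about its accepted values, unlike a setting whose type is self-explanatory such as the boolean secure/httponly above it, and the value is passed through to the Set-Cookie header as-is. Add a comment on the added line, e.g. `// Allowed values: 'Strict', 'Lax' or 'None' ('None' is only honoured by browsers when 'secure' is true)`. Note that 'Strict' also withholds the cookie on top-level navigations arriving from another site, so a reader should know 'Lax' is the alternative if that breaks a flow. createDefaultConfig() starts outside the hunk.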