
commit e4e112490125c80d1a46e7d461a255f0eb6f09ca
parent 933ed6da9c1ab0c5a6f9fded17ddcc4b8369e634
Author: Jan Dankert <develop@jandankert.de>
Date:   Sat, 24 Oct 2020 00:23:19 +0200

Fix: Do not set SameSite=Strict cookies (as they are not sent on the first request after a cross-site navigation); use the new configuration class.

Diffstat:
Mmodules/cms/action/Action.class.php | 22+++++++++++++---------
Mmodules/cms/base/DefaultConfig.class.php | 2+-
2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/modules/cms/action/Action.class.php b/modules/cms/action/Action.class.php @@ -403,16 +403,20 @@ class Action } + /** + * Sets a cookie. + * + * @param $name cookie name + * @param string $value cookie value, null to delete + */ protected function setCookie($name,$value='' ) { - if (empty($value)) + $cookieConfig = Configuration::subset('security')->subset('cookie'); + + if ( ! $value ) $expire = time(); // Cookie wird gelöscht. else - $expire = time() + 60 * 60 * 24 * Configuration::config('security', 'cookie', 'expire'); - - $secure = Configuration::config('security', 'cookie', 'secure'); - $httponly = Configuration::config('security', 'cookie', 'httponly'); - $samesite = Configuration::config('security', 'cookie', 'samesite'); + $expire = time() + 60 * 60 * 24 * $cookieConfig->get('expire',2*365); // default: 2 years $cookieAttributes = [ rawurlencode($name).'='.rawurlencode($value), @@ -420,13 +424,13 @@ class Action 'Path='.COOKIE_PATH ]; - if ( $secure ) + if ( $cookieConfig->is('secure',false ) ) $cookieAttributes[] = 'Secure'; - if ( $httponly ) + if ( $cookieConfig->is('httponly',true ) ) $cookieAttributes[] = 'HttpOnly'; - $cookieAttributes[] = 'SameSite='.$samesite; + $cookieAttributes[] = 'SameSite='.$cookieConfig->get('samesite','Lax'); header('Set-Cookie: '.implode('; ',$cookieAttributes) ); } diff --git a/modules/cms/base/DefaultConfig.class.php b/modules/cms/base/DefaultConfig.class.php @@ -532,7 +532,7 @@ class DefaultConfig { [ 'secure' => false, 'httponly' => true, - 'samesite' => 'Strict', + 'samesite' => 'Lax', 'expire' => 720, ], 'readonly' => false,