From 418787ca78f49be053c35fb6486ec55c4c7e94b2 Mon Sep 17 00:00:00 2001
From: Christian Schneider
Date: Mon, 13 Jan 2020 14:53:19 +0100
Subject: Use SameSite policy Lax for uid cookie

---
 it_user.class | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/it_user.class b/it_user.class
index 26046cf..18c4bbd 100644
--- a/it_user.class
+++ b/it_user.class
@@ -30,6 +30,7 @@ define('IT_USER_STATUS_SESSION', 5); /* Has a valid session */
 define('_IT_USER_UID_COOKIE', 'UID');
 define('_IT_USER_UID_COOKIE_LIFETIME', 0x7FFFFFFF); /* Forever :-) */
 define('_IT_USER_STATUS_INVALID', 0); /* INTERNAL: Not yet evaluated */
+define('_IT_USER_COOKIE_SAMESITE', 'Lax');
 
 class it_user extends it_dbi
 {
@@ -205,7 +206,7 @@ function _set_uid($uid)
 
 	if (!isset($_COOKIE[$this->p['uidcookiename']]) || ($_COOKIE[$this->p['uidcookiename']] != $uid))
 	{
-		@setcookie($this->p['uidcookiename'], $uid, _IT_USER_UID_COOKIE_LIFETIME, "/", $this->domain, false, true);
+		it::setcookie($this->p['uidcookiename'], $uid, [ 'expires' => _IT_USER_UID_COOKIE_LIFETIME, 'path' => "/", 'domain' => $this->domain, 'secure' => false, 'httponly' => true, 'samesite' => _IT_USER_COOKIE_SAMESITE ]);
 		$_COOKIE[$this->p['uidcookiename']] = $uid;
 	}
 }
@@ -499,5 +500,3 @@ function check_url($withsession = false)
 	}
 }
 /* End class it_user */
-
-?>
-- 
cgit v1.2.3
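Review bot: The new `_IT_USER_COOKIE_SAMESITE` define is the only one in this run without a trailing comment, while its neighbours document their intent; a reader of the constant alone will not know that Lax still attaches the cookie to top-level GET navigations and so only helps against cross-site POST-style requests. Suggest `define('_IT_USER_COOKIE_SAMESITE', 'Lax'); /* SameSite attribute for the uid cookie; Lax is still sent on top-level GET navigations */`. The same point applies to the call site in the _set_uid() hunk, where the constant is consumed.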
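Review bot: The new it::setcookie() call keeps `'secure' => false`, so the uid cookie is still transmitted over plain HTTP, and SameSite=Lax does nothing about a network-position attacker reading or overwriting it; since this cookie identifies the user, consider deriving the flag from the request scheme, e.g. `'secure' => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',`, or exposing it as a parameter next to the new constant. Dropping the `@` suppression changes error behaviour if it::setcookie() delegates to the native setcookie() after headers have been sent; the wrapper is not visible here, so confirm it handles that case or that the warning is intended. The enclosing function _set_uid() begins before this hunk.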