From 418787ca78f49be053c35fb6486ec55c4c7e94b2 Mon Sep 17 00:00:00 2001
From: Christian Schneider
Date: Mon, 13 Jan 2020 14:53:19 +0100
Subject: Use SameSite policy Lax for uid cookie

---
 it_user.class | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'it_user.class')

diff --git a/it_user.class b/it_user.class
index 26046cf..18c4bbd 100644
--- a/it_user.class
+++ b/it_user.class
@@ -30,6 +30,7 @@ define('IT_USER_STATUS_SESSION', 5);	/* Has a valid session */
 define('_IT_USER_UID_COOKIE', 'UID');
 define('_IT_USER_UID_COOKIE_LIFETIME', 0x7FFFFFFF);	/* Forever :-) */
 define('_IT_USER_STATUS_INVALID', 0);	/* INTERNAL: Not yet evaluated */
+define('_IT_USER_COOKIE_SAMESITE', 'Lax');
 
 class it_user extends it_dbi
 {
@@ -205,7 +206,7 @@ function _set_uid($uid)
 
 	if (!isset($_COOKIE[$this->p['uidcookiename']]) || ($_COOKIE[$this->p['uidcookiename']] != $uid))
 	{
-		@setcookie($this->p['uidcookiename'], $uid, _IT_USER_UID_COOKIE_LIFETIME, "/", $this->domain, false, true);
+		it::setcookie($this->p['uidcookiename'], $uid, [ 'expires' => _IT_USER_UID_COOKIE_LIFETIME, 'path' => "/", 'domain' => $this->domain, 'secure' => false, 'httponly' => true, 'samesite' => _IT_USER_COOKIE_SAMESITE ]);
 		$_COOKIE[$this->p['uidcookiename']] = $uid;
 	}
 }
@@ -499,5 +500,3 @@ function check_url($withsession = false)
 }
 
 } /* End class it_user */
-
-?>
-- 
cgit v1.2.3