* Security: allow to configure SameSite cookie attribute

2024-11-21 23:43:17 +01:00 · 2020-07-27 14:03:48 +02:00 · 2020-07-27 14:03:48 +02:00 · ca73a54d89
commit ca73a54d89
parent 074b884133
2 changed files with 32 additions and 5 deletions
--- a/admin/templates/default/config.xet
+++ b/admin/templates/default/config.xet
@ -239,6 +239,15 @@
 						<option value="insecure">No</option>
 					</select>
 				</row>
+				<row>
+					<description value="SameSite cookie attribute (send cookie if browser addressbar show a different domain)"/>
+					<select id="newsettings[cookie_samesite_attribute]">
+						<option value="">{Do not set attribute} - {current default}</option>
+						<option value="Lax">"Lax" - {allowed for get requests, default in modern browsers, if attribute is not set}</option>
+						<option value="Strict">"Strict" - {do not send cookie} - {more secure}</option>
+						<option value="None">"None" - {required to embed EGroupware via iframe eg. for LTI}</option>
+					</select>
+				</row>
 				<row>
 					<description value="Cookie path (allows multiple eGW sessions with different directories, has problemes with SiteMgr!)" label="%s:"/>
 					<select id="newsettings[cookiepath]">
--- a/api/src/Session.php
+++ b/api/src/Session.php
@ -1668,11 +1668,29 @@ class Session

 		if(!headers_sent())	// gives only a warning, but can not send the cookie anyway
 		{
-			setcookie($cookiename, $cookievalue,
-				!$cookietime && $is_iOS ? time()+self::IOS_SESSION_COOKIE_LIFETIME : $cookietime,
-				is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain,
-				// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
-				empty($GLOBALS['egw_info']['server']['insecure_cookies']) && Header\Http::schema() === 'https', true);
+			$options = [
+				'expires' => !$cookietime && $is_iOS ? time()+self::IOS_SESSION_COOKIE_LIFETIME : $cookietime,
+				'path'    => is_null($cookiepath) ? self::$cookie_path : $cookiepath,
+				'domain'  => self::$cookie_domain,
+				// if called via HTTPS, only send cookie for https
+				'secure'  => empty($GLOBALS['egw_info']['server']['insecure_cookies']) && Header\Http::schema() === 'https',
+				'httponly' => true, // only allow cookie access via HTTP, not client-side via JavaScript
+			];
+			// admin specified to send SameSite cookie attribute AND we use PHP 7.3+
+			if (!empty($GLOBALS['egw_info']['server']['cookie_samesite_attribute']) &&
+				in_array($GLOBALS['egw_info']['server']['cookie_samesite_attribute'], ['Lax', 'Strict', 'None']))
+			{
+				$options['samesite'] = $GLOBALS['egw_info']['server']['cookie_samesite_attribute'];
+			}
+			if ((float)PHP_VERSION >= 7.3)
+			{
+				setcookie($cookiename, $cookievalue, $options);
+			}
+			else
+			{
+				setcookie($cookiename, $cookievalue,
+					$options['expires'], $options['path'], $options['domain'], $options['secure'], $options['httponly']);
+			}
 		}
 	}