* Security: allow to configure SameSite cookie attribute

This commit is contained in:
Ralf Becker 2020-07-27 14:03:48 +02:00
parent 3957a94e47
commit a01cd94966
2 changed files with 32 additions and 5 deletions


@ -239,6 +239,15 @@
<option value="insecure">No</option> <option value="insecure">No</option>
</select> </select>
</row> </row>
<row>
<description value="SameSite cookie attribute (send cookie if browser addressbar show a different domain)"/>
<select id="newsettings[cookie_samesite_attribute]">
<option value="">{Do not set attribute} - {current default}</option>
<option value="Lax">"Lax" - {allowed for get requests, default in modern browsers, if attribute is not set}</option>
<option value="Strict">"Strict" - {do not send cookie} - {more secure}</option>
<option value="None">"None" - {required to embed EGroupware via iframe eg. for LTI}</option>
</select>
</row>
<row> <row>
<description value="Cookie path (allows multiple eGW sessions with different directories, has problemes with SiteMgr!)" label="%s:"/> <description value="Cookie path (allows multiple eGW sessions with different directories, has problemes with SiteMgr!)" label="%s:"/>
<select id="newsettings[cookiepath]"> <select id="newsettings[cookiepath]">
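Review bot: The label of the new "None" option does not say that browsers accept SameSite=None only together with the Secure attribute, so an admin who selects it while the cookie is sent over HTTP or with "insecure cookies" allowed gets a cookie the browser silently discards. Suggest extending it: `<option value="None">"None" - {required to embed EGroupware via iframe eg. for LTI} - {requires HTTPS and secure cookies}</option>`. The "Lax" label's `allowed for get requests` is also a simplification, since Lax sends the cookie on top-level navigations only, and could read `{sent on top-level navigation only, default in modern browsers, if attribute is not set}`.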


@ -1668,11 +1668,29 @@ class Session
if(!headers_sent()) // gives only a warning, but can not send the cookie anyway if(!headers_sent()) // gives only a warning, but can not send the cookie anyway
{ {
setcookie($cookiename, $cookievalue, $options = [
!$cookietime && $is_iOS ? time()+self::IOS_SESSION_COOKIE_LIFETIME : $cookietime, 'expires' => !$cookietime && $is_iOS ? time()+self::IOS_SESSION_COOKIE_LIFETIME : $cookietime,
is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain, 'path' => is_null($cookiepath) ? self::$cookie_path : $cookiepath,
// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true) 'domain' => self::$cookie_domain,
empty($GLOBALS['egw_info']['server']['insecure_cookies']) && Header\Http::schema() === 'https', true); // if called via HTTPS, only send cookie for https
'secure' => empty($GLOBALS['egw_info']['server']['insecure_cookies']) && Header\Http::schema() === 'https',
'httponly' => true, // only allow cookie access via HTTP, not client-side via JavaScript
];
// admin specified to send SameSite cookie attribute AND we use PHP 7.3+
if (!empty($GLOBALS['egw_info']['server']['cookie_samesite_attribute']) &&
in_array($GLOBALS['egw_info']['server']['cookie_samesite_attribute'], ['Lax', 'Strict', 'None']))
{
$options['samesite'] = $GLOBALS['egw_info']['server']['cookie_samesite_attribute'];
}
if ((float)PHP_VERSION >= 7.3)
{
setcookie($cookiename, $cookievalue, $options);
}
else
{
setcookie($cookiename, $cookievalue,
$options['expires'], $options['path'], $options['domain'], $options['secure'], $options['httponly']);
}
} }
} }
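Review bot: `$options['samesite']` is taken from the admin setting without looking at `$options['secure']`, so a configured `None` on an HTTP request or with insecure_cookies enabled yields a cookie that modern browsers reject (SameSite=None is only accepted with Secure); guard it right after the assignment with `if ($options['samesite'] === 'None' && !$options['secure']) { unset($options['samesite']); }` or at least log the misconfiguration. The version test `(float)PHP_VERSION >= 7.3` relies on float coercion of a version string; `PHP_VERSION_ID >= 70300` is the exact check. On PHP before 7.3 the legacy `setcookie()` call in the else branch silently drops the configured attribute, which the comment above the `$options['samesite']` assignment should state, e.g. `// ignored on PHP < 7.3, the legacy setcookie() signature has no SameSite parameter`. The `in_array(...)` check should pass `true` as its third argument for a strict comparison. The enclosing function begins outside the hunk.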