* Security: allow to configure SameSite cookie attribute
This commit is contained in:
parent
074b884133
commit
ca73a54d89
@ -239,6 +239,15 @@
|
||||
<option value="insecure">No</option>
|
||||
</select>
|
||||
</row>
|
||||
<row>
|
||||
<description value="SameSite cookie attribute (send cookie if browser addressbar show a different domain)"/>
|
||||
<select id="newsettings[cookie_samesite_attribute]">
|
||||
<option value="">{Do not set attribute} - {current default}</option>
|
||||
<option value="Lax">"Lax" - {allowed for get requests, default in modern browsers, if attribute is not set}</option>
|
||||
<option value="Strict">"Strict" - {do not send cookie} - {more secure}</option>
|
||||
<option value="None">"None" - {required to embed EGroupware via iframe eg. for LTI}</option>
|
||||
</select>
|
||||
</row>
|
||||
<row>
|
||||
<description value="Cookie path (allows multiple eGW sessions with different directories, has problemes with SiteMgr!)" label="%s:"/>
|
||||
<select id="newsettings[cookiepath]">
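Review bot: The `"None"` option label in the new `cookie_samesite_attribute` select does not tell the admin that this value only works over HTTPS, yet the PHP side of this commit only marks the cookie `secure` on HTTPS with `insecure_cookies` unset, and current browsers discard a `SameSite=None` cookie that lacks the Secure attribute; an admin picking it for LTI on a plain-HTTP install would silently lose the session. I would extend the label to `"None" - {required to embed EGroupware via iframe eg. for LTI, only works with HTTPS / secure cookies!}`. The row description `send cookie if browser addressbar show a different domain` and the `"Strict" - {do not send cookie}` text are also hard to parse out of context; something like `SameSite cookie attribute (whether the session cookie is sent on requests coming from another site)` and `"Strict" - {never send cookie from another site} - {more secure}` would read better. The enclosing `<grid>`/template starts and ends outside the hunk.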
|
||||
|
@ -1668,11 +1668,29 @@ class Session
|
||||
|
||||
if(!headers_sent()) // gives only a warning, but can not send the cookie anyway
|
||||
{
|
||||
setcookie($cookiename, $cookievalue,
|
||||
!$cookietime && $is_iOS ? time()+self::IOS_SESSION_COOKIE_LIFETIME : $cookietime,
|
||||
is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain,
|
||||
// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
|
||||
empty($GLOBALS['egw_info']['server']['insecure_cookies']) && Header\Http::schema() === 'https', true);
|
||||
$options = [
|
||||
'expires' => !$cookietime && $is_iOS ? time()+self::IOS_SESSION_COOKIE_LIFETIME : $cookietime,
|
||||
'path' => is_null($cookiepath) ? self::$cookie_path : $cookiepath,
|
||||
'domain' => self::$cookie_domain,
|
||||
// if called via HTTPS, only send cookie for https
|
||||
'secure' => empty($GLOBALS['egw_info']['server']['insecure_cookies']) && Header\Http::schema() === 'https',
|
||||
'httponly' => true, // only allow cookie access via HTTP, not client-side via JavaScript
|
||||
];
|
||||
// admin specified to send SameSite cookie attribute AND we use PHP 7.3+
|
||||
if (!empty($GLOBALS['egw_info']['server']['cookie_samesite_attribute']) &&
|
||||
in_array($GLOBALS['egw_info']['server']['cookie_samesite_attribute'], ['Lax', 'Strict', 'None']))
|
||||
{
|
||||
$options['samesite'] = $GLOBALS['egw_info']['server']['cookie_samesite_attribute'];
|
||||
}
|
||||
if ((float)PHP_VERSION >= 7.3)
|
||||
{
|
||||
setcookie($cookiename, $cookievalue, $options);
|
||||
}
|
||||
else
|
||||
{
|
||||
setcookie($cookiename, $cookievalue,
|
||||
$options['expires'], $options['path'], $options['domain'], $options['secure'], $options['httponly']);
|
||||
}
|
||||
}
|
||||
}
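Review bot: Setting `$options['samesite'] = 'None'` in the new branch is never checked against `$options['secure']`, which is computed a few lines earlier from `insecure_cookies` and the request schema; current browsers reject a `SameSite=None` cookie without the Secure attribute, so an admin choosing the iframe/LTI option on a plain-HTTP install (or with `insecure_cookies` set) would have the session cookie dropped on every request and be unable to log in at all. Since the branch already has both values, it can detect this and fall back to not setting the attribute with a logged warning rather than emit a cookie the browser discards. While touching it, `in_array()` should pass `strict: true` and `(float)PHP_VERSION >= 7.3` is more robustly written as `PHP_VERSION_ID >= 70300`; note also that the pre-7.3 positional `setcookie()` fallback silently ignores the configured attribute, which deserves a comment so nobody assumes the setting took effect there. The enclosing method starts outside the hunk.
```php
// … unchanged: $options construction (expires, path, domain, secure, httponly) …
// admin specified to send SameSite cookie attribute AND we use PHP 7.3+
if (!empty($GLOBALS['egw_info']['server']['cookie_samesite_attribute']) &&
	in_array($GLOBALS['egw_info']['server']['cookie_samesite_attribute'], ['Lax', 'Strict', 'None'], true))
{
	$options['samesite'] = $GLOBALS['egw_info']['server']['cookie_samesite_attribute'];
	// browsers discard SameSite=None cookies that are not Secure, which would kill every session:
	// fall back to the browser default (no attribute) instead of breaking login over plain HTTP
	if ($options['samesite'] === 'None' && !$options['secure'])
	{
		error_log(__METHOD__."() SameSite=None requires a Secure cookie (HTTPS and insecure_cookies unset), attribute NOT set!");
		unset($options['samesite']);
	}
}
if (PHP_VERSION_ID >= 70300)
{
	setcookie($cookiename, $cookievalue, $options);
}
// … unchanged: pre-7.3 positional setcookie() fallback (cannot pass samesite) …
```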
|
||||
|
||||
|