forked from extern/egroupware
* Security: allow to configure SameSite cookie attribute
This commit is contained in:
parent
074b884133
commit
ca73a54d89
@ -239,6 +239,15 @@
|
|||||||
<option value="insecure">No</option>
|
<option value="insecure">No</option>
|
||||||
</select>
|
</select>
|
||||||
</row>
|
</row>
|
||||||
|
<row>
|
||||||
|
<description value="SameSite cookie attribute (send cookie if browser addressbar show a different domain)"/>
|
||||||
|
<select id="newsettings[cookie_samesite_attribute]">
|
||||||
|
<option value="">{Do not set attribute} - {current default}</option>
|
||||||
|
<option value="Lax">"Lax" - {allowed for get requests, default in modern browsers, if attribute is not set}</option>
|
||||||
|
<option value="Strict">"Strict" - {do not send cookie} - {more secure}</option>
|
||||||
|
<option value="None">"None" - {required to embed EGroupware via iframe eg. for LTI}</option>
|
||||||
|
</select>
|
||||||
|
</row>
|
||||||
<row>
|
<row>
|
||||||
<description value="Cookie path (allows multiple eGW sessions with different directories, has problemes with SiteMgr!)" label="%s:"/>
|
<description value="Cookie path (allows multiple eGW sessions with different directories, has problemes with SiteMgr!)" label="%s:"/>
|
||||||
<select id="newsettings[cookiepath]">
|
<select id="newsettings[cookiepath]">
|
||||||
|
@ -1668,11 +1668,29 @@ class Session
|
|||||||
|
|
||||||
if(!headers_sent()) // gives only a warning, but can not send the cookie anyway
|
if(!headers_sent()) // gives only a warning, but can not send the cookie anyway
|
||||||
{
|
{
|
||||||
setcookie($cookiename, $cookievalue,
|
$options = [
|
||||||
!$cookietime && $is_iOS ? time()+self::IOS_SESSION_COOKIE_LIFETIME : $cookietime,
|
'expires' => !$cookietime && $is_iOS ? time()+self::IOS_SESSION_COOKIE_LIFETIME : $cookietime,
|
||||||
is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain,
|
'path' => is_null($cookiepath) ? self::$cookie_path : $cookiepath,
|
||||||
// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
|
'domain' => self::$cookie_domain,
|
||||||
empty($GLOBALS['egw_info']['server']['insecure_cookies']) && Header\Http::schema() === 'https', true);
|
// if called via HTTPS, only send cookie for https
|
||||||
|
'secure' => empty($GLOBALS['egw_info']['server']['insecure_cookies']) && Header\Http::schema() === 'https',
|
||||||
|
'httponly' => true, // only allow cookie access via HTTP, not client-side via JavaScript
|
||||||
|
];
|
||||||
|
// admin specified to send SameSite cookie attribute AND we use PHP 7.3+
|
||||||
|
if (!empty($GLOBALS['egw_info']['server']['cookie_samesite_attribute']) &&
|
||||||
|
in_array($GLOBALS['egw_info']['server']['cookie_samesite_attribute'], ['Lax', 'Strict', 'None']))
|
||||||
|
{
|
||||||
|
$options['samesite'] = $GLOBALS['egw_info']['server']['cookie_samesite_attribute'];
|
||||||
|
}
|
||||||
|
if ((float)PHP_VERSION >= 7.3)
|
||||||
|
{
|
||||||
|
setcookie($cookiename, $cookievalue, $options);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
setcookie($cookiename, $cookievalue,
|
||||||
|
$options['expires'], $options['path'], $options['domain'], $options['secure'], $options['httponly']);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user