From ca7ecfbb579e6115b78698ef16ddde56d5bc5076 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Tue, 29 Mar 2022 11:06:18 +0200 Subject: [PATCH] FIX avoid warning for missing cookie samesite params (and more secure) --- htdocs/main.inc.php | 32 ++++++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index fe0986e8d13..c13f7cbe2c9 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -265,10 +265,22 @@ if (!empty($_POST["DOL_AUTOSET_COOKIE"])) { $cookiearrayvalue[$tmpkey] = $_POST[$postkey]; } } - $cookiename = $tmpautoset[0]; + $cookiename = (empty($dolibarr_main_force_https) ? $tmpautoset[0] : '__Secure-'.$tmpautoset[0]); // __Secure- || __Host- $cookievalue = json_encode($cookiearrayvalue); //var_dump('setcookie cookiename='.$cookiename.' cookievalue='.$cookievalue); - setcookie($cookiename, empty($cookievalue) ? '' : $cookievalue, empty($cookievalue) ? 0 : (time() + (86400 * 354)), '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // keep cookie 1 year and add tag httponly + if (PHP_VERSION_ID < 70300) { + setcookie($cookiename, empty($cookievalue) ? '' : $cookievalue, empty($cookievalue) ? 0 : (time() + (86400 * 354)), '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // keep cookie 1 year and add tag httponly + } else { + $cookieparams = array( + 'expires' => empty($cookievalue) ? 0 : (time() + (86400 * 354)), + 'path' => '/', + //'domain' => '.mywebsite.com', // the dot at the beginning allows compatibility with subdomains + 'secure' => (empty($dolibarr_main_force_https) ? false : true), + 'httponly' => true, + 'samesite' => 'Lax' // None || Lax || Strict + ); + setcookie($cookiename, empty($cookievalue) ? '' : $cookievalue, $cookieparams); + } if (empty($cookievalue)) { unset($_COOKIE[$cookiename]); } @@ -284,7 +296,7 @@ if (!empty($php_session_save_handler) && $php_session_save_handler == 'db') { // Must be done after the include of filefunc.inc.php so global variables of conf file are defined (like $dolibarr_main_instance_unique_id or $dolibarr_main_force_https). // Note: the function dol_getprefix() is defined into functions.lib.php but may have been defined to return a different key to manage another area to protect. $prefix = dol_getprefix(''); -$sessionname = 'DOLSESSID_'.$prefix; +$sessionname = (empty($dolibarr_main_force_https) ? 'DOLSESSID_'.$prefix : '__Secure-DOLSESSID_'.$prefix); // __Secure- || __Host- $sessiontimeout = 'DOLSESSTIMEOUT_'.$prefix; if (!empty($_COOKIE[$sessiontimeout])) { ini_set('session.gc_maxlifetime', $_COOKIE[$sessiontimeout]); @@ -293,7 +305,19 @@ if (!empty($_COOKIE[$sessiontimeout])) { // This create lock, released by session_write_close() or end of page. // We need this lock as long as we read/write $_SESSION ['vars']. We can remove lock when finished. if (!defined('NOSESSION')) { - session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie (same as setting session.cookie_httponly into php.ini). Must be called before the session_start. + if (PHP_VERSION_ID < 70300) { + session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie (same as setting session.cookie_httponly into php.ini). Must be called before the session_start. + } else { + $sessioncookieparams = array( + 'lifetime' => 0, + 'path' => '/', + //'domain' => '.mywebsite.com', // the dot at the beginning allows compatibility with subdomains + 'secure' => (empty($dolibarr_main_force_https) ? false : true), + 'httponly' => true, + 'samesite' => 'Lax' // None || Lax || Strict + ); + session_set_cookie_params($sessioncookieparams); + } session_name($sessionname); session_start(); // This call the open and read of session handler //exit; // this exist generates a call to write and close