Session: by default uses sameSite: Lax (BC break)

dg · dg · commit 86d83ce41de5 · 2018-08-31T01:00:15.000+02:00
diff --git a/src/Http/Session.php b/src/Http/Session.php
@@ -39,6 +39,7 @@ class Session
 		// cookies
 		'cookie_lifetime' => 0,   // until the browser is closed
 		'cookie_httponly' => true, // must be enabled to prevent Session Hijacking
+		'cookie_samesite' => 'Lax', // must be enabled to prevent CSRF
 
 		// other
 		'gc_maxlifetime' => self::DEFAULT_FILE_LIFETIME, // 3 hours
diff --git a/tests/Http.DI/SessionExtension.config.phpt b/tests/Http.DI/SessionExtension.config.phpt
@@ -37,7 +37,7 @@ $container->getService('session')->start();
 
 Assert::same(
 	PHP_VERSION_ID >= 70300
-		? ['lifetime' => 0, 'path' => '/x', 'domain' => 'nette.org', 'secure' => true, 'httponly' => true, 'samesite' => '']
-		: ['lifetime' => 0, 'path' => '/x', 'domain' => 'nette.org', 'secure' => true, 'httponly' => true],
+		? ['lifetime' => 0, 'path' => '/x', 'domain' => 'nette.org', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']
+		: ['lifetime' => 0, 'path' => '/x; SameSite=Lax', 'domain' => 'nette.org', 'secure' => true, 'httponly' => true],
 	session_get_cookie_params()
 );
diff --git a/tests/Http/Session.cookies.phpt b/tests/Http/Session.cookies.phpt
@@ -25,6 +25,7 @@ Assert::same([
 	'use_trans_sid' => 0,
 	'cookie_lifetime' => 0,
 	'cookie_httponly' => true,
+	'cookie_samesite' => 'Lax',
 	'gc_maxlifetime' => 10800,
 	'cookie_path' => '/user/',
 	'cookie_domain' => 'nette.org',
diff --git a/tests/Http/Session.sameSite.phpt b/tests/Http/Session.sameSite.phpt
@@ -15,10 +15,7 @@ if (PHP_SAPI === 'cli') {
 $factory = new Nette\Http\RequestFactory;
 $session = new Nette\Http\Session($factory->createHttpRequest(), new Nette\Http\Response);
 
-$session->setOptions([
-	'cookie_samesite' => 'Lax',
-]);
-
+// is samesite=Lax by default
 $session->start();
 
 Assert::contains(
diff --git a/tests/Http/Session.setOptions.phpt b/tests/Http/Session.setOptions.phpt
@@ -22,6 +22,7 @@ Assert::same([
 	'use_trans_sid' => 0,
 	'cookie_lifetime' => 0,
 	'cookie_httponly' => true,
+	'cookie_samesite' => 'Lax',
 	'gc_maxlifetime' => 10800,
 	'cookie_path' => '/',
 	'cookie_domain' => '',
@@ -39,6 +40,7 @@ Assert::same([
 	'use_trans_sid' => 0,
 	'cookie_lifetime' => 0,
 	'cookie_httponly' => true,
+	'cookie_samesite' => 'Lax',
 	'gc_maxlifetime' => 10800,
 	'cookie_path' => '/',
 	'cookie_secure' => false,
@@ -55,6 +57,7 @@ Assert::same([
 	'use_trans_sid' => 0,
 	'cookie_lifetime' => 0,
 	'cookie_httponly' => true,
+	'cookie_samesite' => 'Lax',
 	'gc_maxlifetime' => 10800,
 	'cookie_path' => '/',
 	'cookie_secure' => false,
