Session: added support for SameSite cookie

dg · dg · commit 0ac4cf748e7b · 2018-08-28T16:00:10.000+02:00
diff --git a/src/Http/Session.php b/src/Http/Session.php
@@ -400,6 +400,9 @@ private function configure(array $config): void
 		}
 
 		if ($cookie !== $origCookie) {
+			if (isset($cookie['samesite'])) {
+				$cookie['path'] .= '; SameSite=' . $cookie['samesite'];
+			}
 			session_set_cookie_params(
 				$cookie['lifetime'], $cookie['path'], $cookie['domain'],
 				$cookie['secure'], $cookie['httponly']
diff --git a/tests/Http/Session.sameSite.phpt b/tests/Http/Session.sameSite.phpt
@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+use Tester\Assert;
+
+
+require __DIR__ . '/../bootstrap.php';
+
+if (PHP_SAPI === 'cli') {
+	Tester\Environment::skip('Cookies are not available in CLI');
+}
+
+
+$factory = new Nette\Http\RequestFactory;
+$session = new Nette\Http\Session($factory->createHttpRequest(), new Nette\Http\Response);
+
+$session->setOptions([
+	'cookie_samesite' => 'Lax',
+]);
+
+Assert::same([
+	'cookie_samesite' => 'Lax',
+	'referer_check' => '',
+	'use_cookies' => 1,
+	'use_only_cookies' => 1,
+	'use_trans_sid' => 0,
+	'cookie_lifetime' => 0,
+	'cookie_httponly' => true,
+	'gc_maxlifetime' => 10800,
+	'cookie_path' => '/',
+	'cookie_domain' => '',
+	'cookie_secure' => false,
+], $session->getOptions());
+
+
+$session->start();
+
+Assert::contains(
+	'Set-Cookie: PHPSESSID=' . $session->getId() . '; path=/; SameSite=Lax; HttpOnly',
+	headers_list()
+);

Original file line number	Diff line number	Diff line change
`@@ -400,6 +400,9 @@ private function configure(array $config): void`
`400`	`400`	`}`
`401`	`401`
`402`	`402`	`if ($cookie !== $origCookie) {`
	`403`	`+ if (isset($cookie['samesite'])) {`
	`404`	`+ $cookie['path'] .= '; SameSite=' . $cookie['samesite'];`
	`405`	`+ }`
`403`	`406`	`session_set_cookie_params(`
`404`	`407`	`$cookie['lifetime'], $cookie['path'], $cookie['domain'],`
`405`	`408`	`$cookie['secure'], $cookie['httponly']`