Session: by default uses sameSite: Lax (BC break)

Author: dg

src/Http/Session.php

@@ -39,6 +39,7 @@ class Session
 		// cookies
 		'cookie_lifetime' => 0,   // until the browser is closed
 		'cookie_httponly' => true, // must be enabled to prevent Session Hijacking
+		'cookie_samesite' => 'Lax',// must be enabled to prevent CSRF
 
 		// other
 		'gc_maxlifetime' => self::DEFAULT_FILE_LIFETIME, // 3 hours

tests/Http/Session.cookies.phpt

@@ -25,6 +25,7 @@ Assert::same([
 	'use_trans_sid' => 0,
 	'cookie_lifetime' => 0,
 	'cookie_httponly' => true,
+	'cookie_samesite' => 'Lax',
 	'gc_maxlifetime' => 10800,
 	'cookie_path' => '/user/',
 	'cookie_domain' => 'nette.org',

tests/Http/Session.sameSite.phpt

@@ -15,10 +15,6 @@ if (PHP_SAPI === 'cli') {
 $factory = new Nette\Http\RequestFactory;
 $session = new Nette\Http\Session($factory->createHttpRequest(), new Nette\Http\Response);
 
-$session->setOptions([
-	'cookie_samesite' => 'Lax',
-]);
-
 $session->start();
 
 Assert::contains(

tests/Http/Session.setOptions.phpt

@@ -22,6 +22,7 @@ Assert::same([
 	'use_trans_sid' => 0,
 	'cookie_lifetime' => 0,
 	'cookie_httponly' => true,
+	'cookie_samesite' => 'Lax',
 	'gc_maxlifetime' => 10800,
 	'cookie_path' => '/',
 	'cookie_domain' => '',
@@ -39,6 +40,7 @@ Assert::same([
 	'use_trans_sid' => 0,
 	'cookie_lifetime' => 0,
 	'cookie_httponly' => true,
+	'cookie_samesite' => 'Lax',
 	'gc_maxlifetime' => 10800,
 	'cookie_path' => '/',
 	'cookie_secure' => false,
@@ -55,6 +57,7 @@ Assert::same([
 	'use_trans_sid' => 0,
 	'cookie_lifetime' => 0,
 	'cookie_httponly' => true,
+	'cookie_samesite' => 'Lax',
 	'gc_maxlifetime' => 10800,
 	'cookie_path' => '/',
 	'cookie_secure' => false,