Adds support for the SameSite attribute in cookies. #19104

Status: Closed. 7 commits; changes shown from 1 commit.
Adds support for the SameSite attribute in cookies.
$sameSite can be set to false, "lax", or "strict".

You can read about what the different modes do here: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
iangcarroll authored Jun 18, 2016
commit a5ab3ba6da4750a35bd2670f97208aa2e34dc247
29 changes: 28 additions & 1 deletion in src/Symfony/Component/HttpFoundation/Cookie.php
Expand Up @@ -26,6 +26,7 @@ class Cookie
protected $secure;
protected $httpOnly;
private $raw;
protected $sameSite;
Member: should be private

/**
* Constructor.
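Review bot: `protected $sameSite;` breaks the visibility convention of the neighbouring properties: `private $raw;` directly above it is private, and the new `getSameSite()` accessor already exposes the value, so there is no reason for subclasses to reach into the field. Declare it `private $sameSite;`.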
Expand All @@ -38,10 +39,11 @@ class Cookie
* @param bool $secure Whether the cookie should only be transmitted over a secure HTTPS connection from the client
* @param bool $httpOnly Whether the cookie will be made accessible only through the HTTP protocol
* @param bool $raw Whether the cookie value should be sent with no url encoding
* @param bool|string $sameSite Whether the cookie will be available for cross-site requests
Contributor: wouldn't $crossSite be more descriptive?

Contributor: It's good practice to adhere to the spec name, i.e. samesite => setSameSite.

Member: string|null would be better than string|bool IMO (especially given that true is not a valid value for this argument)

*
* @throws \InvalidArgumentException
*/
public function __construct($name, $value = null, $expire = 0, $path = '/', $domain = null, $secure = false, $httpOnly = true, $raw = false)
public function __construct($name, $value = null, $expire = 0, $path = '/', $domain = null, $secure = false, $httpOnly = true, $raw = false, $sameSite = false)
{
// from PHP source code
if (preg_match("/[=,; \t\r\n\013\014]/", $name)) {
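Review bot: the docblock `@param bool|string $sameSite Whether the cookie will be available for cross-site requests` describes the attribute backwards and documents a type that includes a value (`true`) with no meaning: SameSite limits when the browser attaches the cookie to cross-site requests, and the commit message lists the accepted inputs as `false`, `"lax"` or `"strict"`. Suggest `@param string|null $sameSite The SameSite mode ("lax" or "strict"), or null to omit the attribute` together with `$sameSite = null` as the default in the new constructor signature.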
Expand Down Expand Up @@ -71,6 +73,7 @@ public function __construct($name, $value = null, $expire = 0, $path = '/', $dom
$this->secure = (bool) $secure;
$this->httpOnly = (bool) $httpOnly;
$this->raw = (bool) $raw;
$this->sameSite = $sameSite;
Contributor @ro0NL, Jun 19, 2016: What about validating the domain? I.e. allowed values ("strict"/Cookie::SAMESITE_STRICT, "lax"/Cookie::SAMESITE_LAX or false/null)

Member: 👍

}

/**
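Review bot: `$this->sameSite = $sameSite;` stores the argument as given, while every adjacent assignment normalises its input with a `(bool)` cast and the constructor already documents `@throws \InvalidArgumentException` for bad arguments. The stored value is later concatenated unmodified into the `Set-Cookie` string in `__toString()`, so a misspelt mode or any arbitrary string ends up in the response header as a silently invalid attribute. Validate here against the accepted values (`"lax"`, `"strict"`, or none), ideally via class constants as suggested in the thread (`Cookie::SAMESITE_LAX`, `Cookie::SAMESITE_STRICT`), and throw `\InvalidArgumentException` for anything else.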
Expand Down Expand Up @@ -107,6 +110,10 @@ public function __toString()
if (true === $this->isHttpOnly()) {
$str .= '; httponly';
}

if (false !== $this->hasSameSite()) {
$str .= '; samesite='.$this->getSameSite();
}

return $str;
}
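Review bot: `if (false !== $this->hasSameSite())` compares a method documented as returning `bool` against `false`, which is redundant; `if ($this->hasSameSite())` says the same thing, and once the default becomes `null` the whole branch reduces to `if (null !== $this->sameSite)`. Unlike the neighbouring `'; httponly'` literal, this branch emits `getSameSite()` verbatim into the header, so the correctness of the output depends entirely on the constructor validating the value.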
Expand Down Expand Up @@ -200,4 +207,24 @@ public function isRaw()
{
return $this->raw;
}

/**
* Gets the SameSite attribute.
*
* @return string|bool
*/
public function getSameSite()
{
return $this->sameSite;
}

/**
* Checks if the cookie value should be sent with a SameSite attribute.
*
* @return bool
*/
public function hasSameSite()
Contributor: What about isSameSite? Seems more consistent with isSecure and isHttpOnly.

Contributor: As it's not a pure boolean property, you could also consider getSameSite and instead of false use null as default value. (so it's more in line with set/getDomain for instance, a key-value property).

Member: I suggest to remove this method, using getSameSite is the way to go, no need for such a simple "helper"

Contributor: Oh, hah, getSameSite is defined already. Then remove, yes 👍

{
return $this->sameSite !== false;
Contributor: Please, use Yoda condition.

}
}
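Review bot: `return $this->sameSite !== false;` in `hasSameSite()` should use the Yoda form the file already follows (`true === $this->isHttpOnly()` in `__toString()`), i.e. `false !== $this->sameSite`, but the method itself is redundant: `getSameSite()` is defined just above it, and with `null` as the default callers can test `null !== $cookie->getSameSite()` directly, so drop `hasSameSite()` and change `@return string|bool` on `getSameSite()` to `@return string|null`. The docblock `Checks if the cookie value should be sent with a SameSite attribute` is also imprecise: the attribute applies to the cookie, not its value.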