CodeIgniter Forums
Support SameSite cookie - Printable Version




Support SameSite cookie - nicojmb - 03-12-2021

Hi,

I have a website that runs the latest CI3 version. It's impossible for us to upgrade to 4.X now, and we need support for SameSite cookies.

I think that the CI3 developers must publish a minor version of CI3 with SameSite support ASAP.

A lot of CI3 users need this feature.

Regards!


RE: Support SameSite cookie - InsiteFX - 03-12-2021

You can do it yourself for the time being.

Secure better your website with SameSite cookies


RE: Support SameSite cookie - nicojmb - 03-17-2021

(03-12-2021, 05:56 PM)InsiteFX Wrote: You can do it yourself for the time being.

Secure better your website with SameSite cookies

Yes, I know, but it is a basic feature and I think it is easy to implement in CI3 core.


RE: Support SameSite cookie - kenjis - 03-17-2021

(03-17-2021, 09:24 AM)nicojmb Wrote: Yes, I know, but it is a basic feature and I think it is easy to implement in CI3 core.

If it is really easy, why does CI3 not have it yet?


RE: Support SameSite cookie - CINewb - 03-22-2021

(03-12-2021, 05:56 PM)InsiteFX Wrote: You can do it yourself for the time being.

Secure better your website with SameSite cookies

Out of interest, what's the easiest way of doing this? So far I had to extend the built-in session library class, copy the class constructor and add the samesite attribute there.

I toyed around with ini_set('session.samesite', 1); but it didn't seem to work.


RE: Support SameSite cookie - CINewb - 03-27-2021

Further to my comment above, I've since ditched the idea of extending the session class and have instead added the samesite cookie attribute to my core system file.  I know this is terrible practice but it was less messy than extending the session class, and I'm hoping the samesite attribute is included in a future patch/version, therefore rendering my change temporary.

I did this by modifying line 163 in /system/libraries/Session/Session.php from:

PHP Code:
setcookie(
    $this->_config['cookie_name'],
    session_id(),
    (empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']),
    $this->_config['cookie_path'],
    $this->_config['cookie_domain'],
    $this->_config['cookie_secure'],
    TRUE
); 

to

PHP Code:
setcookie(
    $this->_config['cookie_name'],
    session_id(),
    [
    'expires' => (empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']),
    'path' => $this->_config['cookie_path'],
    'domain' => $this->_config['cookie_domain'],
    'secure' => $this->_config['cookie_secure'],
    'httponly' => TRUE,
    'samesite' => 'Lax',
    ]
); 

Really the samesite attribute should be configurable rather than hardcoded, and again I realise changing core system files is generally not acceptable.  In our case I just want to set this attribute with as little fuss as possible, and hope for a more permanent solution in the future.

Note: The above also assumes you are on PHP 7.3 or higher.
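
Added example (not part of the post above and not CodeIgniter's own code): one way to make the SameSite value configurable instead of hardcoded, with a header-based fallback for PHP versions below 7.3. The function names and the `cookie_samesite` config key are hypothetical; the other config keys are the ones used in the snippet above.

```php
<?php
// Added example, not CodeIgniter code. 'cookie_samesite' is a hypothetical
// config key; the function names are hypothetical as well.
function session_cookie_options(array $config)
{
    $samesite = isset($config['cookie_samesite'])
        ? ucfirst(strtolower($config['cookie_samesite']))
        : 'Lax';
    if (!in_array($samesite, array('Lax', 'Strict', 'None'), TRUE)) {
        throw new InvalidArgumentException('cookie_samesite must be Lax, Strict or None');
    }
    // Current browsers reject SameSite=None cookies that are not also Secure.
    if ($samesite === 'None' && empty($config['cookie_secure'])) {
        throw new InvalidArgumentException('SameSite=None requires cookie_secure = TRUE');
    }
    return array(
        'expires'  => empty($config['cookie_lifetime']) ? 0 : time() + $config['cookie_lifetime'],
        'path'     => $config['cookie_path'],
        'domain'   => $config['cookie_domain'],
        'secure'   => (bool) $config['cookie_secure'],
        'httponly' => TRUE,
        'samesite' => $samesite,
    );
}

function send_session_cookie(array $config, $session_id)
{
    $opts = session_cookie_options($config);
    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+ accepts an options array that includes 'samesite'.
        return setcookie($config['cookie_name'], $session_id, $opts);
    }
    // Older PHP: setcookie() has no SameSite parameter, so build the header by hand.
    $header = 'Set-Cookie: ' . $config['cookie_name'] . '=' . rawurlencode($session_id);
    if ($opts['expires'] !== 0) {
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s', $opts['expires']) . ' GMT';
    }
    $header .= '; path=' . $opts['path'];
    if ($opts['domain'] !== '') { $header .= '; domain=' . $opts['domain']; }
    if ($opts['secure'])        { $header .= '; secure'; }
    $header .= '; HttpOnly; SameSite=' . $opts['samesite'];
    header($header, FALSE); // FALSE: keep any other Set-Cookie headers already queued
    return TRUE;
}

// Constructed sample configuration, for illustration only.
$config = array('cookie_name' => 'ci_session', 'cookie_lifetime' => 7200,
    'cookie_path' => '/', 'cookie_domain' => '', 'cookie_secure' => TRUE,
    'cookie_samesite' => 'strict');
print_r(session_cookie_options($config)); // 'samesite' is normalised to 'Strict'
```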