Support SameSite cookie
#1

Hi,

I have a website that runs the latest CI3 version. It's impossible for us to upgrade to 4.X now, and we need support for SameSite cookies.

I think that the CI3 developers must publish a minor version of CI3 with SameSite support ASAP.

A lot of CI3 users need this feature.

Regards!
Reply
#2

You can do it yourself for the time being.

Secure better your website with SameSite cookies
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply
#3

(03-12-2021, 05:56 PM)InsiteFX Wrote: You can do it yourself for the time being.

Secure better your website with SameSite cookies

Yes, I know, but it is a basic feature and I think easy to implement in CI3 core.
Reply
#4

(03-17-2021, 09:24 AM)nicojmb Wrote: Yes, I know, but it is a basic feature and I think easy to implement in CI3 core.

If it is really easy, why does CI3 not have it yet?
Reply
#5

(03-12-2021, 05:56 PM)InsiteFX Wrote: You can do it yourself for the time being.

Secure better your website with SameSite cookies

Out of interest, what's the easiest way of doing this?  So far I had to extend the built-in session library class, copy the class constructor and add the samesite attribute there.

I toyed around with ini_set('session.samesite', 1); but it didn't seem to work.
Reply
#6

(This post was last modified: 03-27-2021, 07:52 AM by CINewb.)

Further to my comment above, I've since ditched the idea of extending the session class and have instead added the samesite cookie attribute to my core system file.  I know this is terrible practice but it was less messy than extending the session class, and I'm hoping the samesite attribute is included in a future patch/version, therefore rendering my change temporary.

I did this by modifying line 163 in /system/libraries/Session/Session.php from:

PHP Code:
setcookie(
    $this->_config['cookie_name'],
    session_id(),
    (empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']),
    $this->_config['cookie_path'],
    $this->_config['cookie_domain'],
    $this->_config['cookie_secure'],
    TRUE
); 

to

PHP Code:
setcookie(
    $this->_config['cookie_name'],
    session_id(),
    [
    'expires' => (empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']),
    'path' => $this->_config['cookie_path'],
    'domain' => $this->_config['cookie_domain'],
    'secure' => $this->_config['cookie_secure'],
    'httponly' => TRUE,
    'samesite' => 'Lax',
    ]
); 

Really the samesite attribute should be configurable rather than hardcoded, and again I realise changing core system files is generally not acceptable.  In our case I just want to set this attribute with as little fuss as possible, and hope for a more permanent solution in the future.

Note: The above also assumes you are on PHP 7.3 or higher.
Reply
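
Post #6 notes that the samesite attribute should be configurable rather than hardcoded, and that the options-array form needs PHP 7.3 or higher. One way to cover both points, as an added example that is not part of the thread or of CodeIgniter: `cookie_samesite` is a hypothetical config key, and the function names `samesite_value` and `send_session_cookie` are assumptions.

```php
<?php
// Added example, not CodeIgniter code. 'cookie_samesite' is a hypothetical config
// key; the other keys are the ones read in the post's snippet. Needs PHP 7.0+.

/** Validate the configured SameSite value; default to Lax when unset. */
function samesite_value(array $config): string
{
    $value = ucfirst(strtolower((string) ($config['cookie_samesite'] ?? 'Lax')));
    if (!in_array($value, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException('cookie_samesite must be Lax, Strict or None');
    }
    // Browsers reject SameSite=None cookies that are not also Secure.
    if ($value === 'None' && empty($config['cookie_secure'])) {
        throw new InvalidArgumentException('SameSite=None requires cookie_secure = TRUE');
    }
    return $value;
}

/** Send the session cookie with HttpOnly and the configured SameSite attribute. */
function send_session_cookie(array $config, string $session_id): bool
{
    $samesite = samesite_value($config);
    $expires = empty($config['cookie_lifetime']) ? 0 : time() + $config['cookie_lifetime'];

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: options array, as in the modified call above.
        return setcookie($config['cookie_name'], $session_id, [
            'expires'  => $expires,
            'path'     => $config['cookie_path'],
            'domain'   => $config['cookie_domain'],
            'secure'   => (bool) $config['cookie_secure'],
            'httponly' => true,
            'samesite' => $samesite,
        ]);
    }

    // PHP 7.0-7.2: setcookie() has no samesite option, so build the header by hand.
    $header = 'Set-Cookie: ' . $config['cookie_name'] . '=' . rawurlencode($session_id);
    if ($expires > 0) {
        $header .= '; Expires=' . gmdate('D, d M Y H:i:s', $expires) . ' GMT';
    }
    if (!empty($config['cookie_path'])) { $header .= '; Path=' . $config['cookie_path']; }
    if (!empty($config['cookie_domain'])) { $header .= '; Domain=' . $config['cookie_domain']; }
    if (!empty($config['cookie_secure'])) { $header .= '; Secure'; }
    $header .= '; HttpOnly; SameSite=' . $samesite;
    header($header, false); // false keeps any other Set-Cookie headers
    return true;
}
```

Rejecting an invalid value at configuration time keeps a typo from silently producing a cookie with no SameSite attribute at all.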



