From 2016e57eab1d970e6edd63370e956f462e56c86c Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma <roeland@famdouma.nl>
Date: Mon, 9 Sep 2019 21:29:58 +0200
Subject: [PATCH] Only send samesite cookies

This makes the last remaining two cookies lax. The session cookie
itself. And the session password as well (on php 7.3 that is). Samesite
cookies are the best cookies!

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
---
 lib/private/Session/CryptoWrapper.php | 18 +++++++++++++++++-
 lib/private/Session/Internal.php      | 12 ++++++++++--
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/lib/private/Session/CryptoWrapper.php b/lib/private/Session/CryptoWrapper.php
index bbaa907b268..b9dbc90edd6 100644
--- a/lib/private/Session/CryptoWrapper.php
+++ b/lib/private/Session/CryptoWrapper.php
@@ -86,7 +86,23 @@ class CryptoWrapper {
 				if($webRoot === '') {
 					$webRoot = '/';
 				}
-				setcookie(self::COOKIE_NAME, $this->passphrase, 0, $webRoot, '', $secureCookie, true);
+
+				if (PHP_VERSION_ID < 70300) {
+					setcookie(self::COOKIE_NAME, $this->passphrase, 0, $webRoot, '', $secureCookie, true);
+				} else {
+					setcookie(
+						self::COOKIE_NAME,
+						$this->passphrase,
+						[
+							'expires' => 0,
+							'path' => $webRoot,
+							'domain' => '',
+							'secure' => $secureCookie,
+							'httponly' => true,
+							'samesite' => 'Lax',
+						]
+					);
+				}
 			}
 		}
 	}
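Review bot: The `PHP_VERSION_ID < 70300` branch still emits the passphrase cookie with no SameSite attribute at all, and nothing in the hunk records that this is an accepted gap rather than an oversight; a comment above the check, e.g. `// setcookie() only accepts the options array (and thus 'samesite') from PHP 7.3; older runtimes get this cookie without SameSite`, would make the intent explicit. The five attributes are duplicated across the two branches, so a maintainer changing one (say, the `httponly` flag) has to remember the other. The same version gate appears in `Internal::startSession()` in the other file, and the two should be raised together when the minimum PHP version moves. The enclosing method starts outside the hunk.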
diff --git a/lib/private/Session/Internal.php b/lib/private/Session/Internal.php
index d235e9eb50b..b9aae76c3b0 100644
--- a/lib/private/Session/Internal.php
+++ b/lib/private/Session/Internal.php
@@ -56,7 +56,7 @@ class Internal extends Session {
 		set_error_handler([$this, 'trapError']);
 		$this->invoke('session_name', [$name]);
 		try {
-			$this->invoke('session_start');
+			$this->startSession();
 		} catch (\Exception $e) {
 			setcookie($this->invoke('session_name'), '', -1, \OC::$WEBROOT ?: '/');
 		}
@@ -106,7 +106,7 @@ class Internal extends Session {
 	public function clear() {
 		$this->invoke('session_unset');
 		$this->regenerateId();
-		$this->invoke('session_start', [], true);
+		$this->startSession();
 		$_SESSION = [];
 	}
 
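Review bot: The replacement call in `clear()` drops the third argument the old `session_start` invocation passed (`[], true`), so whatever that flag did in `invoke()` — it reads like a suppress-errors flag, but `invoke()` is outside the hunk, so this is inferred — no longer applies when `clear()` restarts the session. The helper added in the last hunk of this file should carry it through: declare it as `private function startSession(bool $silent = false): void {`, pass `$silent` as the third argument of both `invoke('session_start', …)` calls, and have `clear()` call `$this->startSession(true);`. The constructor call in the first hunk keeps the default and is unaffected. `clear()` is fully visible here; the constructor in the first hunk starts outside it.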
@@ -214,4 +214,12 @@ class Internal extends Session {
 			$this->trapError($e->getCode(), $e->getMessage());
 		}
 	}
+
+	private function startSession() {
+		if (PHP_VERSION_ID < 70300) {
+			$this->invoke('session_start');
+		} else {
+			$this->invoke('session_start', [['cookie_samesite' => 'Lax']]);
+		}
+	}
 }
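Review bot: `startSession()` has no docblock and no return type, and the reason for the version gate is left for the reader to reconstruct; declare it `private function startSession(): void {` and add a short docblock stating that `cookie_samesite` is only a recognised `session_start()` option from PHP 7.3, so older runtimes start the session with the default cookie attributes (i.e. without SameSite). A `@see` reference to the matching `PHP_VERSION_ID < 70300` check in `CryptoWrapper` would tell a maintainer that both gates must be removed together when the minimum PHP version is raised.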
-- 
GitLab