Closed
27 changes: 26 additions & 1 deletion src/Symfony/Component/HttpFoundation/Cookie.php
Expand Up @@ -26,6 +26,10 @@ class Cookie
protected $secure;
protected $httpOnly;
private $raw;
private $sameSite;

const SAMESITE_LAX = 'lax';
const SAMESITE_STRICT = 'strict';

/**
* Constructor.
Expand All @@ -38,10 +42,11 @@ class Cookie
* @param bool $secure Whether the cookie should only be transmitted over a secure HTTPS connection from the client
* @param bool $httpOnly Whether the cookie will be made accessible only through the HTTP protocol
* @param bool $raw Whether the cookie value should be sent with no url encoding
* @param string|null $sameSite Whether the cookie will be available for cross-site requests
*
* @throws \InvalidArgumentException
*/
public function __construct($name, $value = null, $expire = 0, $path = '/', $domain = null, $secure = false, $httpOnly = true, $raw = false)
public function __construct($name, $value = null, $expire = 0, $path = '/', $domain = null, $secure = false, $httpOnly = true, $raw = false, $sameSite = null)
{
// from PHP source code
if (preg_match("/[=,; \t\r\n\013\014]/", $name)) {
Expand Down Expand Up @@ -71,6 +76,12 @@ public function __construct($name, $value = null, $expire = 0, $path = '/', $dom
$this->secure = (bool) $secure;
$this->httpOnly = (bool) $httpOnly;
$this->raw = (bool) $raw;

if (!in_array($sameSite, array(self::SAMESITE_LAX, self::SAMESITE_STRICT, null))) {
Member

You should pass true as a third argument

Member

see 4223997

throw new \InvalidArgumentException('The sameSite parameter is not valid.');
Member

The "sameSite" parameter value is not valid.?

Member

see 4223997

}

$this->sameSite = $sameSite;
Contributor

@ro0NL ro0NL Jun 19, 2016

What about validating the domain? I.e. allowed values ("strict"/Cookie::SAMESITE_STRICT, "lax"/Cookie::SAMESITE_LAX or false/null)

Member

👍

}

/**
Expand Down Expand Up @@ -108,6 +119,10 @@ public function __toString()
$str .= '; httponly';
}

if (null !== $this->getSameSite()) {
$str .= '; samesite='.$this->getSameSite();
}

return $str;
}

Expand Down Expand Up @@ -200,4 +215,14 @@ public function isRaw()
{
return $this->raw;
}

/**
* Gets the SameSite attribute.
*
* @return string|null
*/
public function getSameSite()
{
return $this->sameSite;
}
}
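Review bot: The sameSite check in the constructor accepts only the exact lowercase strings `'lax'` and `'strict'`, so a caller passing `'Strict'` or `'Lax'` gets an `\InvalidArgumentException` even though, as far as I know, browsers match this attribute value case-insensitively. Normalising before the check would avoid that: `if (null !== $sameSite) { $sameSite = strtolower($sameSite); }`. The `@param string|null $sameSite` line would also be clearer if it named the accepted values (`Cookie::SAMESITE_LAX`, `Cookie::SAMESITE_STRICT`) and said that `null` leaves the attribute out of the header, which follows from the `null !== $this->getSameSite()` guard in `__toString()`. The constructor body starts and continues outside the visible hunks.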