cartalyst / sentinel

A framework agnostic authentication & authorization system.
BSD 3-Clause "New" or "Revised" License

samesite option for native cookie #510

Open 8633brown opened 5 years ago

8633brown commented 5 years ago

Description

Currently the native cookie uses a list of arguments passed to setcookie. Most of these arguments are already in an array which could be passed somewhat directly to setcookie.

https://github.com/cartalyst/sentinel/blob/c7420487cd82ef135ed384a75056674902b755bb/src/Cookies/NativeCookie.php#L119-L130

Passing an array directly to setcookie also allows the additional usage of the samesite option, which can be used as an additional defense against CSRF attacks.

Example

Could be made better with array_merge, but that may include breaking changes.


    // Requires PHP >= 7.3, where setcookie() accepts an options array
    // (including the 'samesite' key) as its third argument.
    protected function setCookie($value, int $lifetime, string $path = null, string $domain = null, bool $secure = null, bool $httpOnly = null, string $samesite = null)
    {
        $options = [];
        $options['expires'] = $lifetime;
        $options['path'] = $path ?? $this->options['path'];
        $options['domain'] = $domain ?? $this->options['domain'];
        $options['secure'] = $secure ?? $this->options['secure'];
        $options['httponly'] = $httpOnly ?? $this->options['http_only'];
        // 'samesite' is a new key in $this->options; expected values: 'Lax', 'Strict' or 'None'.
        $options['samesite'] = $samesite ?? $this->options['samesite'];
        setcookie(
            $this->options['name'],
            json_encode($value),
            $options
        );
    }
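An added example, not from the issue or from Sentinel's code base, of what a hardened cookie writer built on the options-array form of setcookie could look like: it validates the SameSite value and refuses SameSite=None without Secure, since browsers drop that combination. The `SameSiteCookieWriter` class is hypothetical; the option keys mirror the ones the issue's snippet reads from `$this->options`, with a new `samesite` key assumed.

```php
<?php
// Added example, not Sentinel's own code. Assumes PHP >= 7.3 (array form of setcookie)
// and an options array with the keys the issue uses ('name', 'path', 'domain',
// 'secure', 'http_only') plus a new 'samesite' key.
final class SameSiteCookieWriter
{
    private const SAMESITE_VALUES = ['Lax', 'Strict', 'None'];

    /** @var array Defaults, mirroring the NativeCookie option keys. */
    private $options;

    public function __construct(array $options)
    {
        $this->options = array_merge([
            'name'      => 'cartalyst_sentinel',
            'path'      => '/',
            'domain'    => '',
            'secure'    => true,
            'http_only' => true,
            'samesite'  => 'Lax', // Lax blocks cross-site POSTs; Strict if no cross-site links need the cookie
        ], $options);
    }

    /** Builds the setcookie() options array, validating the SameSite attribute first. */
    public function buildOptions(int $expires, ?string $samesite = null): array
    {
        $samesite = ucfirst(strtolower($samesite ?? $this->options['samesite']));
        if (!in_array($samesite, self::SAMESITE_VALUES, true)) {
            throw new InvalidArgumentException("Invalid SameSite value: {$samesite}");
        }
        $secure = (bool) $this->options['secure'];
        // Browsers reject SameSite=None unless the cookie is also Secure, so fail loudly
        // rather than emit a cookie that is silently discarded.
        if ($samesite === 'None' && !$secure) {
            throw new InvalidArgumentException('SameSite=None requires the Secure attribute');
        }
        return [
            'expires'  => $expires, // Unix timestamp, as the issue passes $lifetime to 'expires'
            'path'     => $this->options['path'],
            'domain'   => $this->options['domain'],
            'secure'   => $secure,
            'httponly' => (bool) $this->options['http_only'],
            'samesite' => $samesite,
        ];
    }

    public function write($value, int $expires): bool
    {
        // Same serialisation the issue shows: the payload is JSON-encoded.
        return setcookie($this->options['name'], json_encode($value), $this->buildOptions($expires));
    }
}
```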