From: <pdo...@us...> - 2021-05-07 08:56:20
Revision: 14917
          http://sourceforge.net/p/squirrelmail/code/14917
Author: pdontthink
Date: 2021-05-07 08:56:16 +0000 (Fri, 07 May 2021)
Log Message:
-----------
Add cookie SameSite attribute; uses default if "Strict" but can be overridden by $same_site_cookies in config_local.php

Modified Paths:
--------------
    branches/SM-1_4-STABLE/squirrelmail/functions/global.php

Modified: branches/SM-1_4-STABLE/squirrelmail/functions/global.php
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/functions/global.php	2021-04-18 08:32:35 UTC (rev 14916)
+++ branches/SM-1_4-STABLE/squirrelmail/functions/global.php	2021-05-07 08:56:16 UTC (rev 14917)
@@ -506,6 +506,16 @@
  * transmitted over a secure HTTPS connection.
  * @param boolean $bHttpOnly Disallow JS to access the cookie (IE6/FF2)
  * @param boolean $bReplace Replace previous cookies with same name?
+ * @param string $sSameSite Optional override of the default SameSite
+ *                          cookie policy detemined from the global
+ *                          configuration item $same_site_cookies
+ *                          (which can be set in config/config_local.php)
+ *                          (should be NULL to accept the configured global
+ *                          default or one of "Lax" "Strict" or "None"
+ *                          but "None" will not work if $bSecure is FALSE.
+ *                          Can also be set set to an empty string in order
+ *                          to NOT specify the SameSite cookie attribute at
+ *                          all and accept whatever the browser default is)
  *
  * @return void
  *
@@ -513,7 +523,7 @@
  *
  */
 function sqsetcookie($sName, $sValue='deleted', $iExpire=0, $sPath="", $sDomain="",
-                     $bSecure=false, $bHttpOnly=true, $bReplace=false) {
+                     $bSecure=false, $bHttpOnly=true, $bReplace=false, $sSameSite=NULL) {
 
     // some environments can get overwhelmed by an excessive
     // setting of the same cookie over and over (e.g., many
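Review bot: The new `@param string $sSameSite` docblock carries two typos that will be copied into generated API docs: `detemined` for `determined`, and `Can also be set set to an empty string` has a doubled word. It also states `"None" will not work if $bSecure is FALSE` but nothing in the function enforces that (the Set-Cookie assembly in the last hunk appends whatever value arrives), so the sentence should read `"None" is rejected by browsers unless $bSecure is TRUE; this function does not check for that`. The docblock and the function header begin before this hunk.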
@@ -548,6 +558,21 @@
 
     if (!$only_secure_cookies) $bSecure = false;
 
+    // use global SameSite setting, but allow override
+    // The global $same_site_cookies (for which an override value
+    // can be specified in config/config_local.php) defaults to
+    // "Strict" when it is NULL (when not given in the config file),
+    // or can be manually set to "Lax" "Strict" or "None" if desired
+    // or can be set to an empty string in order to not specify
+    // SameSite at all and use the browser default
+    if (is_null($sSameSite)) {
+        global $same_site_cookies;
+        if (is_null($same_site_cookies))
+            $sSameSite = 'Strict';
+        else
+            $sSameSite = $same_site_cookies;
+    }
+
     if (false && check_php_version(5,2)) {
         // php 5 supports the httponly attribute in setcookie, but because setcookie seems a bit
         // broken we use the header function for php 5.2 as well. We might change that later.
@@ -568,7 +593,8 @@
             . (empty($sPath) ? '' : '; path=' . $sPath)
             . (empty($sDomain) ? '' : '; domain=' . $sDomain)
             . (!$bSecure ? '' : '; secure')
-            . (!$bHttpOnly ? '' : '; HttpOnly'), $bReplace);
+            . (!$bHttpOnly ? '' : '; HttpOnly')
+            . (empty($sSameSite) ? '' : '; SameSite=' . $sSameSite), $bReplace);
     }
 }

This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
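Review bot: The resolved `$sSameSite` is never validated after this block, so whatever an administrator puts in `$same_site_cookies` in config_local.php — a misspelling such as `strict`, trailing whitespace, a non-string — is concatenated verbatim into the Set-Cookie header by the `; SameSite=` line in the last hunk, and a browser that does not recognise the value behaves as if the attribute were absent, silently losing the protection the commit adds. The same header line will also emit `SameSite=None` without `secure` whenever `$only_secure_cookies` has just cleared `$bSecure` two lines above, a combination current browsers discard entirely, which would drop the session cookie rather than fail visibly. Suggest checking the resolved value against the three attribute values the docblock names and falling back to the default when it does not match or when None is requested without Secure, as sketched below (which fallback value to use for the None-without-Secure case is a judgement call; forcing `$bSecure = true` is the alternative). sqsetcookie() begins and ends outside this hunk.

```php
    if (is_null($sSameSite)) {
        // … unchanged: resolve from $same_site_cookies, default 'Strict' …
    }

    // Only the attribute values browsers define may reach the header;
    // an unrecognised value (typo in config_local.php, stray whitespace,
    // non-string) would be sent verbatim and ignored by the browser,
    // quietly removing the protection, so fall back to the default.
    if ($sSameSite !== '' && !in_array($sSameSite, array('Lax', 'Strict', 'None'), true))
        $sSameSite = 'Strict';

    // Browsers discard a SameSite=None cookie that is not also Secure,
    // so never emit that combination (the session cookie would vanish).
    if ($sSameSite === 'None' && !$bSecure)
        $sSameSite = 'Strict';

    // … unchanged: header() assembly, now receives a validated $sSameSite …
```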