✨ improve cookie and session functionalities with samesite option

Author: otengkwame

framework/core/Input.php

@@ -345,21 +345,22 @@ public function input_stream($index = NULL, $xss_clean = NULL)
 
 	/**
 	 * Set cookie
-	 *
-	 * Accepts an arbitrary number of parameters (up to 7) or an associative
-	 * array in the first parameter containing all the values.
-	 *
-	 * @param	string|mixed[]	$name		Cookie name or an array containing parameters
-	 * @param	string		$value		Cookie value
-	 * @param	int		$expire		Cookie expiration time in seconds
-	 * @param	string		$domain		Cookie domain (e.g.: '.yourdomain.com')
-	 * @param	string		$path		Cookie path (default: '/')
-	 * @param	string		$prefix		Cookie name prefix
-	 * @param	bool		$secure		Whether to only transfer cookies via SSL
-	 * @param	bool		$httponly	Whether to only makes the cookie accessible via HTTP (no javascript)
-	 * @return	void
-	 */
-	public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL)
+     *
+     * Accepts an arbitrary number of parameters (up to 7) or an associative
+     * array in the first parameter containing all the values.
+     *
+     * @param   string|mixed[]  $name   Cookie name or an array containing parameters
+     * @param   string      $value      Cookie value
+     * @param   int         $expire     Cookie expiration time in seconds
+     * @param   string      $domain     Cookie domain (e.g.: '.yourdomain.com')
+     * @param   string      $path       Cookie path (default: '/')
+     * @param   string      $prefix     Cookie name prefix
+     * @param   bool        $secure     Whether to only transfer cookies via SSL
+     * @param   bool        $httponly   Whether to only makes the cookie accessible via HTTP (no javascript)
+     * @param   string|NULL $samesite   The SameSite cookie setting (Possible values: 'Lax', 'Strict', 'None', NULL, default: NULL)
+     * @return  void
+     */
+	public function set_cookie($name, $value = '', $expire = 0, $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL, $samesite = NULL)
 	{
 		if (is_array($name))
 		{
@@ -395,17 +396,34 @@ public function set_cookie($name, $value = '', $expire = '', $domain = '', $path
 		$httponly = ($httponly === NULL && config_item('cookie_httponly') !== NULL)
 			? (bool) config_item('cookie_httponly')
 			: (bool) $httponly;
+			
+		// Handle cookie 'samesite' attribute
+		$samesite = ($samesite === NULL && config_item('cookie_samesite') !== NULL)
+			? config_item('cookie_samesite')
+			: 'None';
 
-		if ( ! is_numeric($expire))
+		if ( ! is_numeric($expire) OR $expire < 0)
 		{
-			$expire = time() - 86500;
+			$expire = 1;
 		}
 		else
 		{
 			$expire = ($expire > 0) ? time() + $expire : 0;
 		}
-
-		setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly);
+		
+		// using setcookie with array option to add cookie 'samesite' attribute
+		setcookie(
+			$prefix.$name, 
+			$value, 
+			array(
+				'expires' => $expire, 
+				'path' => $path,
+				'domain' => $domain, 
+				'secure' => $secure, 
+				'httponly' => $httponly,
+				'samesite' => $samesite // add samesite attribute
+			)
+		);
 	}
 
 	// --------------------------------------------------------------------

framework/core/Security.php

@@ -272,35 +272,19 @@ public function csrf_set_cookie()
 			return FALSE;
 		}
 
-		if (is_php('7.3'))
-		{
-			setcookie(
-				$this->_csrf_cookie_name,
-				$this->_csrf_hash,
-				array(
-					'expires'  => $expire,
-					'path'     => config_item('cookie_path'),
-					'domain'   => config_item('cookie_domain'),
-					'secure'   => $secure_cookie,
-					'httponly' => config_item('cookie_httponly'),
-					'samesite' => 'Strict'
-				)
-			);
-		}
-		else
-		{
-			$domain = trim(config_item('cookie_domain'));
-			header('Set-Cookie: '.$this->_csrf_cookie_name.'='.$this->_csrf_hash
-					.'; Expires='.gmdate('D, d-M-Y H:i:s T', $expire)
-					.'; Max-Age='.$this->_csrf_expire
-					.'; Path='.rawurlencode(config_item('cookie_path'))
-					.($domain === '' ? '' : '; Domain='.$domain)
-					.($secure_cookie ? '; Secure' : '')
-					.(config_item('cookie_httponly') ? '; HttpOnly' : '')
-					.'; SameSite=Strict'
-			);
-		}
-
+		// using setcookie with array option to add cookie 'samesite' attribute
+		setcookie(
+			$this->_csrf_cookie_name, 
+			$this->_csrf_hash, 
+			array(
+				'expires' => $expire, 
+				'path' => config_item('cookie_path'),
+				'domain' => config_item('cookie_domain'), 
+				'secure' => $secure_cookie, 
+				'httponly' => config_item('cookie_httponly'),
+				'samesite' => config_item('cookie_samesite') // add samesite attribute
+			)
+		);
 		log_message('info', 'CSRF cookie sent');
 
 		return $this;

framework/helpers/cookie_helper.php

@@ -57,20 +57,21 @@
 	 * Accepts seven parameters, or you can submit an associative
 	 * array in the first parameter containing all the values.
 	 *
-	 * @param	mixed
-	 * @param	string	the value of the cookie
-	 * @param	string	the number of seconds until expiration
-	 * @param	string	the cookie domain.  Usually:  .yourdomain.com
-	 * @param	string	the cookie path
-	 * @param	string	the cookie prefix
-	 * @param	bool	true makes the cookie secure
-	 * @param	bool	true makes the cookie accessible via http(s) only (no javascript)
+	 * @param	string|mixed[] the cookie name or an array containing parameters 
+	 * @param	string $value	the value of the cookie
+	 * @param	int	$expire the number of seconds until expiration
+	 * @param	string $domain the cookie domain.  Usually:  .yourdomain.com
+	 * @param	string $path the cookie path
+	 * @param	string $prefix the cookie prefix
+	 * @param	bool $secure true makes the cookie secure
+	 * @param	bool $httponly true makes the cookie accessible via http(s) only (no javascript)
+	 * @param   string|NULL $samesite the samesite cookie setting (Possible values: 'Lax', 'Strict', 'None', NULL, default: NULL)
 	 * @return	void
 	 */
-	function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL)
+	function set_cookie($name, $value = '', $expire = 0, $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL, $samesite = NULL)
 	{
 		// Set the config file options
-		get_instance()->input->set_cookie($name, $value, $expire, $domain, $path, $prefix, $secure, $httponly);
+		get_instance()->input->set_cookie($name, $value, $expire, $domain, $path, $prefix, $secure, $httponly, $samesite);
 	}
 }
 
@@ -85,9 +86,8 @@ function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/',
 	 * @param	bool
 	 * @return	mixed
 	 */
-	function get_cookie($index, $xss_clean = NULL)
+	function get_cookie($index, $xss_clean = FALSE)
 	{
-		is_bool($xss_clean) OR $xss_clean = (config_item('global_xss_filtering') === TRUE);
 		$prefix = isset($_COOKIE[$index]) ? '' : config_item('cookie_prefix');
 		return get_instance()->input->cookie($prefix.$index, $xss_clean);
 	}

framework/libraries/Session/Session.php

@@ -160,14 +160,18 @@ public function __construct(array $params = array())
 		// unless it is being currently created or regenerated
 		elseif (isset($_COOKIE[$this->_config['cookie_name']]) && $_COOKIE[$this->_config['cookie_name']] === session_id())
 		{
+			// using setcookie with array option to add cookie 'samesite' attribute
 			setcookie(
 				$this->_config['cookie_name'],
-				session_id(),
-				(empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']),
-				$this->_config['cookie_path'],
-				$this->_config['cookie_domain'],
-				$this->_config['cookie_secure'],
-				TRUE
+				session_id(), 
+				array(
+					'expires' => (empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']),
+					'path' => $this->_config['cookie_path'],
+					'domain' => $this->_config['cookie_domain'],
+					'secure' => $this->_config['cookie_secure'],
+					'httponly' => TRUE,
+					'samesite' => config_item('cookie_samesite') // add samesite attribute
+				)
 			);
 		}
 
@@ -286,12 +290,18 @@ protected function _configure(&$params)
 		isset($params['cookie_domain']) OR $params['cookie_domain'] = config_item('cookie_domain');
 		isset($params['cookie_secure']) OR $params['cookie_secure'] = (bool) config_item('cookie_secure');
 
+		// additional for cookie 'samesite' attribute
+		isset($params['cookie_samesite']) OR $params['cookie_samesite'] = config_item('cookie_samesite'); 
+		
 		session_set_cookie_params(
-			$params['cookie_lifetime'],
-			$params['cookie_path'],
-			$params['cookie_domain'],
-			$params['cookie_secure'],
-			TRUE // HttpOnly; Yes, this is intentional and not configurable for security reasons
+			array(
+				'lifetime' => $params['cookie_lifetime'],
+				'path' => $params['cookie_path'],
+				'domain' => $params['cookie_domain'],
+				'secure' => $params['cookie_secure'],
+				'httponly' => TRUE, // HttpOnly; Yes, this is intentional and not configurable for security reasons
+				'samesite' => $params['cookie_samesite'] // The value of the samesite element should be either None, Lax or Strict
+			)
 		);
 
 		if (empty($expiration))

framework/libraries/Session/Session_driver.php

@@ -139,14 +139,27 @@ public function php5_validate_id()
 	 */
 	protected function _cookie_destroy()
 	{
+		// return setcookie(
+		// 	$this->_config['cookie_name'],
+		// 	NULL,
+		// 	1,
+		// 	$this->_config['cookie_path'],
+		// 	$this->_config['cookie_domain'],
+		// 	$this->_config['cookie_secure'],
+		// 	TRUE
+		// );
+		// using setcookie with array option to add cookie 'samesite' attribute
 		return setcookie(
 			$this->_config['cookie_name'],
 			NULL,
-			1,
-			$this->_config['cookie_path'],
-			$this->_config['cookie_domain'],
-			$this->_config['cookie_secure'],
-			TRUE
+			array(
+				'expires' => 1, 
+				'path' => $this->_config['cookie_path'],
+				'domain' => $this->_config['cookie_domain'],
+				'secure' => $this->_config['cookie_secure'],
+				'httponly' => TRUE,
+				'samesite' => $this->_config['cookie_samesite'] // add samesite attribute
+			)
 		);
 	}