feature symfony#19104 Adds support for the SameSite attribute in cookies. (iangcarroll)

fabpot · fabpot · commit b84adede8932 · 2016-06-23T15:32:24.000+02:00
This PR was squashed before being merged into the 3.2-dev branch (closes symfony#19104). Discussion ---------- Adds support for the SameSite attribute in cookies. | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | N/A | License | MIT | Doc PR | N/A $sameSite can be set to false, "lax", or "strict". You can read about what the different modes do here: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/ Commits ------- 428d0f7 Adds support for the SameSite attribute in cookies.
diff --git a/src/Symfony/Component/HttpFoundation/Cookie.php b/src/Symfony/Component/HttpFoundation/Cookie.php
@@ -26,6 +26,10 @@ class Cookie
     protected $secure;
     protected $httpOnly;
     private $raw;
+    private $sameSite;
+
+    const SAMESITE_LAX = 'lax';
+    const SAMESITE_STRICT = 'strict';
 
     /**
      * Constructor.
@@ -38,10 +42,11 @@ class Cookie
      * @param bool                          $secure   Whether the cookie should only be transmitted over a secure HTTPS connection from the client
      * @param bool                          $httpOnly Whether the cookie will be made accessible only through the HTTP protocol
      * @param bool                          $raw      Whether the cookie value should be sent with no url encoding
+     * @param string|null                   $sameSite Whether the cookie will be available for cross-site requests
      *
      * @throws \InvalidArgumentException
      */
-    public function __construct($name, $value = null, $expire = 0, $path = '/', $domain = null, $secure = false, $httpOnly = true, $raw = false)
+    public function __construct($name, $value = null, $expire = 0, $path = '/', $domain = null, $secure = false, $httpOnly = true, $raw = false, $sameSite = null)
     {
         // from PHP source code
         if (preg_match("/[=,; \t\r\n\013\014]/", $name)) {
@@ -71,6 +76,12 @@ public function __construct($name, $value = null, $expire = 0, $path = '/', $dom
         $this->secure = (bool) $secure;
         $this->httpOnly = (bool) $httpOnly;
         $this->raw = (bool) $raw;
+
+        if (!in_array($sameSite, array(self::SAMESITE_LAX, self::SAMESITE_STRICT, null))) {
+            throw new \InvalidArgumentException('The sameSite parameter is not valid.');
+        }
+
+        $this->sameSite = $sameSite;
     }
 
     /**
@@ -108,6 +119,10 @@ public function __toString()
             $str .= '; httponly';
         }
 
+        if (null !== $this->getSameSite()) {
+            $str .= '; samesite='.$this->getSameSite();
+        }
+
         return $str;
     }
 
@@ -200,4 +215,14 @@ public function isRaw()
     {
         return $this->raw;
     }
+
+    /**
+     * Gets the SameSite attribute.
+     *
+     * @return string|null
+     */
+    public function getSameSite()
+    {
+        return $this->sameSite;
+    }
 }
