Add support for SameSite cookie session setting

mentalstring · mentalstring · commit 39e8b8cf8a53 · 2025-09-16T18:38:10.000+01:00
Starting from PHP 7.3 there's native support for SameSite cookies (RFC6265bis) which requires using a new session_get_cookie_params() parameter syntax.
diff --git a/lib/response/sfWebResponse.class.php b/lib/response/sfWebResponse.class.php
@@ -169,10 +169,11 @@ public function isHeaderOnly()
      * @param string $domain   Domain name
      * @param bool   $secure   If secure
      * @param bool   $httpOnly If uses only HTTP
+     * @param bool   $samesite If uses Same-site cookies
      *
      * @throws sfException If fails to set the cookie
      */
-    public function setCookie($name, $value, $expire = null, $path = '/', $domain = '', $secure = false, $httpOnly = false)
+    public function setCookie($name, $value, $expire = null, $path = '/', $domain = '', $secure = false, $httpOnly = false, $samesite = '')
     {
         if (null !== $expire) {
             if (is_numeric($expire)) {
@@ -193,6 +194,7 @@ public function setCookie($name, $value, $expire = null, $path = '/', $domain =
             'domain' => $domain,
             'secure' => $secure ? true : false,
             'httpOnly' => $httpOnly,
+            'samesite' => $samesite,
         ];
     }
 
@@ -359,7 +361,14 @@ public function sendHttpHeaders()
         foreach ($this->cookies as $cookie) {
             $expire = isset($cookie['expire']) ? $cookie['expire'] : 0;
             $domain = isset($cookie['domain']) ? $cookie['domain'] : '';
-            setrawcookie($cookie['name'], $cookie['value'], $expire, $cookie['path'], $domain, $cookie['secure'], $cookie['httpOnly']);
+            setrawcookie($cookie['name'], $cookie['value'], [
+                'expires' => $expire,
+                'path' => $cookie['path'],
+                'domain' => $domain,
+                'secure' => $cookie['secure'],
+                'httpOnly' => $cookie['httpOnly'],
+                'samesite' => $cookie['samesite'],
+            ]);
 
             if ($this->options['logging']) {
                 $this->dispatcher->notify(new sfEvent($this, 'application.log', [sprintf('Send cookie "%s": "%s"', $cookie['name'], $cookie['value'])]));
diff --git a/lib/storage/sfSessionStorage.class.php b/lib/storage/sfSessionStorage.class.php
@@ -36,6 +36,7 @@ class sfSessionStorage extends sfStorage
      *  * session_cookie_domain:   Cookie domain
      *  * session_cookie_secure:   Cookie secure
      *  * session_cookie_httponly: Cookie http only (only for PHP >= 5.2)
+     *  * session.cookie_samesite: Cookie same site (only for PHP >= 7.3)
      *
      * The default values for all 'session_cookie_*' options are those returned by the session_get_cookie_params() function
      *
@@ -56,6 +57,7 @@ public function initialize($options = null)
             'session_cookie_domain' => $cookieDefaults['domain'],
             'session_cookie_secure' => $cookieDefaults['secure'],
             'session_cookie_httponly' => isset($cookieDefaults['httponly']) ? $cookieDefaults['httponly'] : false,
+            'session_cookie_samesite' => isset($cookieDefaults['samesite']) ? $cookieDefaults['samesite'] : '',
             'session_cache_limiter' => null,
             'gc_maxlifetime' => 1800,
         ], $options);
@@ -77,7 +79,16 @@ public function initialize($options = null)
         $domain = $this->options['session_cookie_domain'];
         $secure = $this->options['session_cookie_secure'];
         $httpOnly = $this->options['session_cookie_httponly'];
-        session_set_cookie_params($lifetime, $path, $domain, $secure, $httpOnly);
+        $samesite = $this->options['session_cookie_samesite'];
+        session_set_cookie_params([
+            'lifetime' => $lifetime,
+            'path'     => $path,
+            'domain'   => $domain,
+            'secure'   => $secure,
+            'httponly' => $httpOnly,
+            'samesite' => $samesite,
+        ]);
+
 
         if (null !== $this->options['session_cache_limiter']) {
             session_cache_limiter($this->options['session_cache_limiter']);
diff --git a/lib/vendor/swiftmailer b/lib/vendor/swiftmailer
@@ -1 +1 @@
-Subproject commit a8ac681a42dd6c4dde66e67d5d7ae2b56b9e7abb
+Subproject commit 181b89f18a90f8925ef805f950d47a7190e9b950
diff --git a/test/unit/response/sfWebResponseTest.php b/test/unit/response/sfWebResponseTest.php
@@ -281,7 +281,7 @@ public function normalizeHeaderName($name)
 // ->setCookie() ->getCookies()
 $t->diag('->setCookie() ->getCookies()');
 $response->setCookie('foo', 'bar');
-$t->is($response->getCookies(), ['foo' => ['name' => 'foo', 'value' => 'bar', 'expire' => null, 'path' => '/', 'domain' => '', 'secure' => false, 'httpOnly' => false]], '->setCookie() adds a cookie for the response');
+$t->is($response->getCookies(), ['foo' => ['name' => 'foo', 'value' => 'bar', 'expire' => null, 'path' => '/', 'domain' => '', 'secure' => false, 'httpOnly' => false, 'samesite' => '']], '->setCookie() adds a cookie for the response');
 
 // ->setHeaderOnly() ->getHeaderOnly()
 $t->diag('->setHeaderOnly() ->isHeaderOnly()');
