Session: default sameSite is 'Lax' (BC break)

dg · dg · commit 2147863d56ed · 2021-01-04T03:04:08.000+01:00
diff --git a/src/Http/Session.php b/src/Http/Session.php
@@ -39,6 +39,7 @@ class Session
 
 	/** @var array default configuration */
 	private $options = [
+		'cookie_samesite' => IResponse::SAME_SITE_LAX,
 		'cookie_lifetime' => 0,   // for a maximum of 3 hours or until the browser is closed
 		'gc_maxlifetime' => self::DEFAULT_FILE_LIFETIME, // 3 hours
 	];
diff --git a/tests/Http.DI/SessionExtension.cookieSecure.auto.phpt b/tests/Http.DI/SessionExtension.cookieSecure.auto.phpt
@@ -37,8 +37,8 @@ test('', function () {
 
 	Assert::same(
 		PHP_VERSION_ID >= 70300
-			? ['lifetime' => 0, 'path' => '/', 'domain' => '', 'secure' => false, 'httponly' => true, 'samesite' => '']
-			: ['lifetime' => 0, 'path' => '/', 'domain' => '', 'secure' => false, 'httponly' => true],
+			? ['lifetime' => 0, 'path' => '/', 'domain' => '', 'secure' => false, 'httponly' => true, 'samesite' => 'Lax']
+			: ['lifetime' => 0, 'path' => '/; SameSite=Lax', 'domain' => '', 'secure' => false, 'httponly' => true],
 		session_get_cookie_params()
 	);
 });
@@ -66,8 +66,8 @@ test('', function () {
 
 	Assert::same(
 		PHP_VERSION_ID >= 70300
-			? ['lifetime' => 0, 'path' => '/', 'domain' => '', 'secure' => true, 'httponly' => true, 'samesite' => '']
-			: ['lifetime' => 0, 'path' => '/', 'domain' => '', 'secure' => true, 'httponly' => true],
+			? ['lifetime' => 0, 'path' => '/', 'domain' => '', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']
+			: ['lifetime' => 0, 'path' => '/; SameSite=Lax', 'domain' => '', 'secure' => true, 'httponly' => true],
 		session_get_cookie_params()
 	);
 });
diff --git a/tests/Http/Session.cookies.phpt b/tests/Http/Session.cookies.phpt
@@ -19,6 +19,7 @@ $response->cookieDomain = 'nette.org';
 $response->cookieSecure = true;
 
 Assert::same([
+	'cookie_samesite' => 'Lax',
 	'cookie_lifetime' => 0,
 	'gc_maxlifetime' => 10800,
 	'cookie_path' => '/user/',
diff --git a/tests/Http/Session.setOptions.phpt b/tests/Http/Session.setOptions.phpt
@@ -16,6 +16,7 @@ $factory = new Nette\Http\RequestFactory;
 $session = new Nette\Http\Session($factory->fromGlobals(), new Nette\Http\Response);
 
 Assert::same([
+	'cookie_samesite' => 'Lax',
 	'cookie_lifetime' => 0,
 	'gc_maxlifetime' => 10800,
 	'cookie_path' => '/',
@@ -28,6 +29,7 @@ $session->setOptions([
 ]);
 Assert::same([
 	'cookie_domain' => '.domain.com',
+	'cookie_samesite' => 'Lax',
 	'cookie_lifetime' => 0,
 	'gc_maxlifetime' => 10800,
 	'cookie_path' => '/',
@@ -39,6 +41,7 @@ $session->setOptions([
 ]);
 Assert::same([
 	'cookie_domain' => '.domain.org',
+	'cookie_samesite' => 'Lax',
 	'cookie_lifetime' => 0,
 	'gc_maxlifetime' => 10800,
 	'cookie_path' => '/',
