Add cookie SameSite attribute; uses default if "Strict" but can be overridden by $same_site_cookies in config_local.php

config/config_local.example.php

@@ -200,4 +200,10 @@
  * some environments.
  * $upload_filesize_divisor = 1024;
  *
+ * $same_site_cookies allows override of how cookies are set
+ * with the "SameSite" attribute. Normally you won't want to
+ * do anything with this. If you do, you can set it to "Lax"
+ * "Strict" (which is default) or "None" -- or set it to an
+ * empty string to cause cookies to be sent without adding
+ * the SameSite attribute at all and use the browser's default
  */

functions/global.php

@@ -580,6 +580,16 @@ function sqsession_start() {
  *                           transmitted over a secure HTTPS connection.
  * @param boolean $bHttpOnly Disallow JS to access the cookie (IE6 only)
  * @param boolean $bReplace  Replace previous cookies with same name?
+ * @param string  $sSameSite Optional override of the default SameSite
+ *                           cookie policy detemined from the global
+ *                           configuration item $same_site_cookies
+ *                           (which can be set in config/config_local.php)
+ *                           (should be NULL to accept the configured global
+ *                           default or one of "Lax" "Strict" or "None"
+ *                           but "None" will not work if $bSecure is FALSE.
+ *                           Can also be set set to an empty string in order
+ *                           to NOT specify the SameSite cookie attribute at
+ *                           all and accept whatever the browser default is)
  *
  * @return void
  *
@@ -587,7 +597,7 @@ function sqsession_start() {
  *
  */
 function sqsetcookie($sName, $sValue='deleted', $iExpire=0, $sPath="", $sDomain="",
-                     $bSecure=false, $bHttpOnly=true, $bReplace=false) {
+                     $bSecure=false, $bHttpOnly=true, $bReplace=false, $sSameSite=NULL) {
  
     // some environments can get overwhelmed by an excessive
     // setting of the same cookie over and over (e.g., many
@@ -614,6 +624,21 @@ function sqsetcookie($sName, $sValue='deleted', $iExpire=0, $sPath="", $sDomain=
     if (!$only_secure_cookies)
         $bSecure = false;
 
+    // use global SameSite setting, but allow override
+    // The global $same_site_cookies (for which an override value
+    // can be specified in config/config_local.php) defaults to
+    // "Strict" when it is NULL (when not given in the config file),
+    // or can be manually set to "Lax" "Strict" or "None" if desired
+    // or can be set to an empty string in order to not specify
+    // SameSite at all and use the browser default
+    if (is_null($sSameSite)) {
+        global $same_site_cookies;
+        if (is_null($same_site_cookies))
+           $sSameSite = 'Strict';
+        else
+           $sSameSite = $same_site_cookies;
+    }
+
     if (false && check_php_version(5,2)) {
        // php 5 supports the httponly attribute in setcookie, but because setcookie seems a bit
        // broken we use the header function for php 5.2 as well. We might change that later.
@@ -634,7 +659,8 @@ function sqsetcookie($sName, $sValue='deleted', $iExpire=0, $sPath="", $sDomain=
                             . (empty($sPath) ? '' : '; path=' . $sPath)
                             . (empty($sDomain) ? '' : '; domain=' . $sDomain)
                             . (!$bSecure ? '' : '; secure')
-                            . (!$bHttpOnly ? '' : '; HttpOnly'), $bReplace);
+                            . (!$bHttpOnly ? '' : '; HttpOnly')
+                            . (empty($sSameSite) ? '' : '; SameSite=' . $sSameSite), $bReplace);
     }
 }