Adds support for "SameSite" cookie property

[kdckrs]

Description (*)

This PR adds support to set the SameSite cookie property and is compatible with both the new setcookie signature (>= PHP 7.3) and the old one (< PHP 7.3).

By default the property is set to "None". The value can be changed in the admin-panel under System -> Configuration -> Web -> Session Cookie Management -> Same-Site

Related Pull Requests

/

Fixed Issues (if relevant)

1. Fixes Support "SameSite" cookie property #414
2. Fixes Magento cookie same site support (Support "SameSite" cookie property) mollie/Magento#187

Manual testing scenarios (*)

1. Open the console i(Network-tab) in your browser and be ready to inspect the Set-cookie header
2. Navigate to your shop to OpenMage shop
3. Confirm that the Set-cookie header contains "SameSite=None"
4. In another tab, go to the admin panel, go to "System -> Configuration -> Web -> Session Cookie Management -> Same-Site" and update the value to "Strict". (Flush cache...)
5. Go to your initial tab and refresh the page
6. Confirm that the Set-cookie header contains "SameSite=Strict"

Questions or comments

Open for feedback, first contribution to OpenMage ;)

Contribution checklist (*)

• Pull request has a meaningful description of its purpose
• All commits are accompanied by meaningful commit messages
• All automated tests passed successfully (all builds are green)

[rvelhote]

This looks good from the commit. I will test this later.

In app/code/core/Mage/Core/Model/Cookie.php there is a delete method that that uses setcookie. Should we use the same procedure as the set method? (i.e. check for PHP version and pass the samesite parameter if applicable).

[kdckrs]

This looks good from the commit. I will test this later.

In app/code/core/Mage/Core/Model/Cookie.php there is a delete method that that uses setcookie. Should we use the same procedure as the set method? (i.e. check for PHP version and pass the samesite parameter if applicable).

For consistency one could say it would also be nice to have the same code in the "public function delete()", although the presence here isn't as critical as in the "public function renew()". If I can find some time today I will try and make this more complete.

[rvelhote]

Another upgrade that would be great is the ability to specify a different policy for the backend and the frontend. Perhaps this is mostly useful for the session cookie. For example I would configure the backend to have Strict and for the frontend Lax or None.

[nimasan]

Hello,

I reviewed the code and I wonder if we did have to force $secure to true if same site is None because of the specification : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#SameSiteNone_requires_Secure

[kdckrs]

This looks good from the commit. I will test this later.

In app/code/core/Mage/Core/Model/Cookie.php there is a delete method that that uses setcookie. Should we use the same procedure as the set method? (i.e. check for PHP version and pass the samesite parameter if applicable).

I have made some changes. The delete function now re-uses the "set function", only with forced "null" values for cookie value and period. (Same way the renew function was already implemented).

[kdckrs]

Hello,

I reviewed the code and I wonder if we did have to force $secure to true if same site is None because of the specification : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#SameSiteNone_requires_Secure

I have reviewed the specifications you have linked and you are indeed correct. I have made the required changes to make sure the secure flag is enforced of the SameSite is set to None.

[Flyingmana]

sorry, had no time to review this yet, but I saw M2 did release something related. Did someone already have a look at what they did?

[kdckrs]

Any update guys?

[rvelhote]

@kdckrs We finally were able to test this PR in our development environment and it worked as expected. We will deploy into production next week and report back.

[nimasan]

Feedback about experience.

We used your solution in production on our website since almost 2 months.
It seems to work as expected.

Thx for it.

[kdckrs]

@Flyingmana I saw there was a new release without this PR, any chance it will be included in the next one? We have been using this in a production environment for a while now and everything seems to be working correctly. (Others have mentioned this too, see previous comments)

[Flyingmana]

lets see, comments from @kkrieger85 and @nimajneb-torram are resolved.
@rvelhote and @nimajneb-torram have tested it.
Should be fine, so I will merge it for the next release.

[colinmollenhour]

The code looks good but the current behavior (no SameSite flag) is equivalent to "Lax" but the PR makes "None" the default. This has the effect of actually reducing security and also potentially breaking non-https sites (although these really shouldn't remain anyway). I propose making Lax the default.

[github-actions]

Unit Test Results

1 files  1 suites   0s ⏱️
0 tests 0 ✔️ 0 💤 0 ❌
2 runs  2 ✔️ 0 💤 0 ❌

Results for commit 26b9eee.

[ansgarbecker]

In the backend, on General > Web, Magento's autoloader attempts to load Mage_Adminhtml_Model_System_Config_Source_Cookie_Samesite , while the class file is named "SameSite.php" (with an upper "Site" in it). The file is not auto-loaded on case sensitive filesystems, and causes wild errors.
I'd recommend to rename the file (and class) Unix-friendly to "Samesite.php".

*Edit: Not sure if that's worth a bug report, just shout if so.

[kdckrs]

@ansgarbecker you are right! Fixing!

Edit: PR #1390 has been created for this ;)