Merge pull request #472 from ucfopen/issue/459-chrome-cookie

Issue/459 chrome cookie
ucfopen · Jan 15, 2020 · 2532b4d · 2532b4d
2 parents 23a7bc1 + 2956ebb
commit 2532b4d
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 0 deletions.
diff --git a/config/herokuConfig.php b/config/herokuConfig.php
@@ -12,6 +12,15 @@
 $oauth2_uri       = getenv('OAUTH2_URI');
 $oauth2_enforce_scopes = (getenv('OAUTH2_ENFORCE_SCOPES')) == 'true';
 
+/* Set session cookie options */
+$session_cookie_options = [
+    'expire' => getenv('SESSION_COOKIE_EXPIRE') ?: 0,
+    'path' => getenv('SESSION_COOKIE_PATH') ?: '/',
+    'domain' => getenv('SESSION_COOKIE_DOMAIN') ?: null,
+    'secure' => getenv('SESSION_COOKIE_SECURE') ?: true,
+    'httponly' => getenv('SESSION_COOKIE_HTTPONLY') ?: false,
+];
+
 /* Tool name for display in Canvas Navigation */
 $canvas_nav_item_name = getenv('CANVAS_NAV_ITEM_NAME');
 

diff --git a/config/localConfig.template.php b/config/localConfig.template.php
@@ -10,6 +10,21 @@
 $oauth2_uri            = '';    // EX: https://udoit.my-org.edu/oauth2response.php or https://udoit.my-org.edu/udoit/public/oauth2response.php
 $oauth2_enforce_scopes = false; // Set to true if you have a scoped developer key.
 
+/* Set session cookie options
+ * expire - the cookie expiration time in seconds (0 means it does not expire)
+ * path - the applications on this domain to which the cookie is visible
+ * domain - the domain to which this cookie is visible
+ * secure - 'true' to send the cookie only over secure connections
+ * httponly - 'true' to set the 'httponly' flag when setting the cookie
+ */
+$session_cookie_options = [
+    'expire' => getenv('SESSION_COOKIE_EXPIRE') ?: 0,
+    'path' => getenv('SESSION_COOKIE_PATH') ?: '/',
+    'domain' => getenv('SESSION_COOKIE_DOMAIN') ?: null,
+    'secure' => getenv('SESSION_COOKIE_SECURE') ?: true,
+    'httponly' => getenv('SESSION_COOKIE_HTTPONLY') ?: false,
+];
+
 /* Disable headings check character count */
 $doc_length = '1500';
 

diff --git a/config/settings.php b/config/settings.php
@@ -5,6 +5,26 @@
 
 define('UDOIT_VERSION', '2.6.0');
 
+// SET UP PHP SESSION COOKIE SAMESITE SESSIONS
+$expire = isset($session_cookie_options['expire']) ? $session_cookie_options['expire'] : 0;
+$path = isset($session_cookie_options['path']) ? $session_cookie_options['path'] : '/';
+$domain = isset($session_cookie_options['domain']) ? $session_cookie_options['domain'] : null;
+$secure = isset($session_cookie_options['secure']) ? $session_cookie_options['secure'] : true;
+$httponly = isset($session_cookie_options['httponly']) ? $session_cookie_options['httponly'] : false;
+
+if (PHP_VERSION_ID < 70300) {
+    session_set_cookie_params($expire, "$path; samesite=None", $domain, $secure, $httponly);
+} else {
+    session_set_cookie_params([
+        'expires' => $expire,
+        'path' => $path,
+        'domain' => $domain,
+        'samesite' => 'None',
+        'secure' => $secure,
+        'httponly' => $httponly,
+    ]);
+}
+
 // SET UP AUTOLOADER (uses autoload rules from composer)
 require_once(__DIR__.'/../vendor/autoload.php');
 
@@ -35,6 +55,7 @@
 // SET DEFAULT ENVIRONMENT
 isset($UDOIT_ENV) || $UDOIT_ENV = ENV_PROD; // !! override in your localConfig.php
 
+
 // SET UP OAUTH
 $oauth2_scopes = [
     // assigments