bug #36173 [Http Foundation] Fix clear cookie samesite (guillbdx)
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
[Http Foundation] Fix clear cookie samesite
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #36107
| License | MIT
With Chrome Update 80, Cookies are required to be `secure` and `samesite=none` for cross site requests. However they are defaulted to `samesite=lax` if the samesite attribute is not set. In other words: developer has to explicitely opt-in for `samesite=none` in the case of a cross site request.
More details: https://chromestatus.com/feature/5088147346030592
We add the `samesite` argument to `clearCookie` method to allow developer to explicitely set this value.
Commits
-------
4bdea1f2e7
[Http Foundation] Fix clear cookie samesite
This commit is contained in:
commit
b4ec8b9a82
@ -244,10 +244,13 @@ class ResponseHeaderBag extends HeaderBag
|
||||
* @param string $domain
|
||||
* @param bool $secure
|
||||
* @param bool $httpOnly
|
||||
* @param string $sameSite
|
||||
*/
|
||||
public function clearCookie($name, $path = '/', $domain = null, $secure = false, $httpOnly = true)
|
||||
public function clearCookie($name, $path = '/', $domain = null, $secure = false, $httpOnly = true/*, $sameSite = null*/)
|
||||
{
|
||||
$this->setCookie(new Cookie($name, null, 1, $path, $domain, $secure, $httpOnly));
|
||||
$sameSite = \func_num_args() > 5 ? func_get_arg(5) : null;
|
||||
|
||||
$this->setCookie(new Cookie($name, null, 1, $path, $domain, $secure, $httpOnly, false, $sameSite));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -128,6 +128,14 @@ class ResponseHeaderBagTest extends TestCase
|
||||
$this->assertSetCookieHeader('foo=deleted; expires='.gmdate('D, d-M-Y H:i:s T', time() - 31536001).'; Max-Age=0; path=/; secure', $bag);
|
||||
}
|
||||
|
||||
public function testClearCookieSamesite()
|
||||
{
|
||||
$bag = new ResponseHeaderBag([]);
|
||||
|
||||
$bag->clearCookie('foo', '/', null, true, false, 'none');
|
||||
$this->assertSetCookieHeader('foo=deleted; expires='.gmdate('D, d-M-Y H:i:s T', time() - 31536001).'; Max-Age=0; path=/; secure; samesite=none', $bag);
|
||||
}
|
||||
|
||||
public function testReplace()
|
||||
{
|
||||
$bag = new ResponseHeaderBag([]);
|
||||
|
Reference in New Issue
Block a user