Introduce a new config variable ($cookie_samesite_lax) allowing the s…

…ession cookie SameSite attribute to be relaxed from "Strict" to "Lax".
meeting-room-booking-system · Jun 15, 2024 · c163db8 · c163db8
1 parent 5860a79
commit c163db8
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 8 deletions.
diff --git a/web/lib/MRBS/Session/Session.php b/web/lib/MRBS/Session/Session.php
@@ -15,11 +15,18 @@ abstract class Session
   protected const SAMESITE_NONE = 'None';
   protected const SAMESITE_LAX = 'Lax';
   protected const SAMESITE_STRICT = 'Strict';
-  protected const SAMESITE = self::SAMESITE_STRICT;
+
+  protected $samesite = null;
 
   public function __construct()
   {
-    global $auth;
+    global $auth, $cookie_samesite_lax;
+
+    // Child classes can set $this->samesite
+    if (!isset($this->samesite))
+    {
+      $this->samesite = ($cookie_samesite_lax) ? self::SAMESITE_LAX : self::SAMESITE_STRICT;
+    }
 
     // Start up sessions
     // Default to the behaviour of previous versions of MRBS, use only
@@ -48,8 +55,7 @@ public function init(int $lifetime) : void
     if (version_compare(PHP_VERSION, '7.3', '>='))
     {
       // Only introduced in PHP Version 7.3
-      // Use of static:: allows child classes to override the constant
-      ini_set('session.cookie_samesite', static::SAMESITE);
+      ini_set('session.cookie_samesite', $this->samesite);
     }
     ini_set('session.cookie_secure', (is_https()) ? '1' : '0');
     $sid_bits_per_character = ini_get('session.sid_bits_per_character');

diff --git a/web/lib/MRBS/Session/SessionCas.php b/web/lib/MRBS/Session/SessionCas.php
@@ -11,12 +11,11 @@
 
 class SessionCas extends SessionWithLogin
 {
-  protected const SAMESITE = self::SAMESITE_LAX;
-
 
   public function __construct()
   {
     $this->checkTypeMatchesSession();
+    $this->samesite = self::SAMESITE_LAX;
     auth()->init();  // Initialise CAS
     parent::__construct();
   }

diff --git a/web/lib/MRBS/Session/SessionSaml.php b/web/lib/MRBS/Session/SessionSaml.php
@@ -37,8 +37,6 @@
 
 class SessionSaml extends SessionWithLogin
 {
-  protected const SAMESITE = self::SAMESITE_LAX;
-
   public $ssp;
 
 
@@ -66,6 +64,7 @@ public function __construct()
     $authSource = $auth['saml']['authsource'] ?? 'default-sp';
 
     $this->ssp = new \SimpleSAML\Auth\Simple($authSource);
+    $this->samesite = self::SAMESITE_LAX;
     parent::__construct();
   }
 

diff --git a/web/systemdefaults.inc.php b/web/systemdefaults.inc.php
@@ -1053,6 +1053,13 @@
 // be the case if you have JavaScript disabled on the client.
 $auth["session_php"]["inactivity_expire_time"] = 0; // seconds
 
+// Normally, provided the server is running PHP 7.3 or above,  the session cookies
+// are issued with SameSite attribute of "Strict", unless the session type requires
+// "Lax", eg for CAS and Saml. However, this can be inconvenient for users who might
+// access MRBS from more than one site and expect their login status to be retained.
+// By setting the variable below to true, the attribute can be relaxed to "Lax",
+// although this does trade off some security.
+$cookie_samesite_lax = false;
 
 // Cookie path override. If this value is set it will be used by the
 // 'php' and 'cookie' session schemes to override the default behaviour