Fix salesagility#10249 salesagility/SuiteCRM-Core#447

Fix salesagility#10249 salesagility/SuiteCRM-Core#447 Sets cookie `samesite` attribute to value in `php.ini` `session.cookie_samesite` if any, or defaults to `Strict`.
chris001 · Mar 8, 2024 · b737e06 · b737e06
1 parent c18af35
commit b737e06
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/include/MVC/SugarApplication.php b/include/MVC/SugarApplication.php
@@ -781,6 +781,7 @@ protected static function validateMessageType($type)
      * @param null $domain
      * @param bool $secure
      * @param bool $httponly
+     * @param string $samesite
      */
     public static function setCookie(
         $name,
@@ -790,7 +791,7 @@ public static function setCookie(
         $domain = null,
         $secure = false,
         $httponly = true,
-        $samesite = "Strict"
+        $samesite = null
     ) {
         if (isSSL()) {
             $secure = true;
@@ -812,9 +813,18 @@ public static function setCookie(
             }
         }
 
+        $defaultCookieSameSite = ini_get('session.cookie_samesite');
+        if ($samesite === null) {
+            if(empty($defaultCookieSameSite)) {
+                $samesite = 'Strict';
+            } else {
+                $path = $defaultCookieSameSite;
+            }
+        }
+
         if (!headers_sent()) {
-            setcookie($name, $value, ["expires" => $expire, "path" => $path, "domain" => $domain, 
-                                      "secure" => $secure, "httponly" => $httponly, "samesite" => $samesite]);
+            setcookie($name, $value, ['expires' => $expire, 'path' => $path, 'domain' => $domain, 
+                                      'secure' => $secure, 'httponly' => $httponly, 'samesite' => $samesite]);
         }
 
         $_COOKIE[$name] = $value;