Skip to content

Commit 8459eca

Browse files
dgdg
committed
Response: setCookie() forces Secure for SameSite=None
A cookie with SameSite=None is rejected by browsers unless it also carries the Secure attribute (RFC 6265bis). setCookie() now enables Secure automatically in that case, overriding both the $secure argument and the cookieSecure default.
1 parent b8bd8ae commit 8459eca

2 files changed

Lines changed: 14 additions & 2 deletions

File tree

src/Http/Response.php

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -249,15 +249,19 @@ public function setCookie(
249249
}
250250

251251
$seconds = Helpers::expirationToSeconds($expire);
252+
$sameSite ??= self::SameSiteLax;
253+
$secure = $sameSite === self::SameSiteNone
254+
? true // SameSite=None requires the Secure attribute, otherwise the browser rejects the cookie
255+
: $secure ?? $this->cookieSecure;
252256
// the value is raw-url-encoded the same way PHP reads it back from $_COOKIE;
253257
// Max-Age takes precedence over expires (RFC 6265), expires is sent too for ancient clients
254258
$cookie = $name . '=' . rawurlencode($value)
255259
. ($seconds === null ? '' : '; expires=' . Helpers::formatDate(time() + $seconds) . '; Max-Age=' . max(0, $seconds))
256260
. '; path=' . ($path ?? ($domain ? '/' : $this->cookiePath))
257261
. (($domain = $domain ?? ($path ? '' : $this->cookieDomain)) === '' ? '' : '; domain=' . $domain)
258-
. (($secure ?? $this->cookieSecure) ? '; secure' : '')
262+
. ($secure ? '; secure' : '')
259263
. (($httpOnly ?? true) ? '; HttpOnly' : '')
260-
. '; SameSite=' . ($sameSite ?? self::SameSiteLax);
264+
. '; SameSite=' . $sameSite;
261265
header('Set-Cookie: ' . $cookie, replace: false);
262266
return $this;
263267
}

tests/Http/Response.setCookie.phpt

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -101,6 +101,14 @@ Assert::exception(
101101
);
102102

103103

104+
// SameSite=None forces the Secure attribute (otherwise the browser rejects the cookie)
105+
$response = new Http\Response;
106+
$old = headers_list();
107+
$response->setCookie('test', 'value', null, sameSite: Http\IResponse::SameSiteNone);
108+
$headers = array_values(array_diff(headers_list(), $old, ['Set-Cookie:']));
109+
Assert::same(['Set-Cookie: test=value; path=/; secure; HttpOnly; SameSite=None'], $headers);
110+
111+
104112
// integer 0 is deprecated, but kept as a session cookie for BC
105113
$response = new Http\Response;
106114
$old = headers_list();

0 commit comments

Comments
 (0)