Updated Cookies Attributes

* Explicitly set the cookie SameSite attribute
* Updated security policies for cookies

Change-Id: Iaf23a0fcb599753c778108e29e03c8dcd573a4dc
smarcet 2020-02-14 23:58:55 -03:00
parent 87a701c098
commit 9090f8c404
3 changed files with 12 additions and 7 deletions


@ -51,7 +51,8 @@ final class PrincipalService implements IPrincipalService
$domain = Config::get("session.domain"), $domain = Config::get("session.domain"),
$secure = true, $secure = true,
$httpOnly = false, $httpOnly = false,
$sameSite = 'None' $raw = false,
$sameSite = 'none'
); );
} }
$principal->setState $principal->setState
@ -110,7 +111,8 @@ final class PrincipalService implements IPrincipalService
$domain = Config::get("session.domain"), $domain = Config::get("session.domain"),
$secure = true, $secure = true,
$httpOnly = false, $httpOnly = false,
$sameSite = 'None' $raw = false,
$sameSite = 'none'
); );
Log::debug(sprintf("PrincipalService::register op_browser_state %s", $op_browser_state)); Log::debug(sprintf("PrincipalService::register op_browser_state %s", $op_browser_state));
Session::put(self::OPBrowserState, $op_browser_state); Session::put(self::OPBrowserState, $op_browser_state);
@ -136,7 +138,8 @@ final class PrincipalService implements IPrincipalService
$domain = Config::get("session.domain"), $domain = Config::get("session.domain"),
$secure = true, $secure = true,
$httpOnly = false, $httpOnly = false,
$sameSite = 'None' $raw = false,
$sameSite = 'none'
); );
} }
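Review bot: All three cookie calls in this file pass `$httpOnly = false` together with `$sameSite = 'none'`, so the cookie is readable by page script and is sent on every cross-site request, and nothing at the call sites explains why both are needed. If this is the browser-state cookie that a session-management frame has to read (inferred from the `op_browser_state` name, not visible here), say so above each call, e.g. `// script-readable and SameSite=None by design: read by the check-session frame; must never carry a credential`. The `$name = value` arguments are plain positional assignments rather than named arguments, which is how `'None'` previously landed in the slot now taken by `$raw`; a one-line comment listing the expected parameter order, or a single private helper that builds the cookie for all three sites, would stop that from recurring. The calls begin outside the hunks, so the function being invoked and the cookie name cannot be confirmed from here.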


@ -130,7 +130,8 @@ final class AuthService implements IAuthService
$domain = Config::get("session.domain"), $domain = Config::get("session.domain"),
$secure = true, $secure = true,
$httpOnly = true, $httpOnly = true,
$sameSite = 'None' $raw = false,
$sameSite = 'none'
); );
} }
@ -312,7 +313,8 @@ final class AuthService implements IAuthService
$domain = Config::get("session.domain"), $domain = Config::get("session.domain"),
$secure = true, $secure = true,
$httpOnly = true, $httpOnly = true,
$sameSite = 'None' $raw = false,
$sameSite = 'none'
); );
} }
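Review bot: With `$sameSite = 'none'` in both hunks, these `$httpOnly = true` cookies are attached to every cross-site request, so SameSite no longer contributes any CSRF protection for whatever they authenticate. The cookie names and the enclosing methods are outside the hunks, so it is not visible whether cross-site delivery is actually required; if the cookies are only needed on top-level navigations back to this site, `$sameSite = 'lax'` would be the tighter setting. If `'none'` is required, record the reason and the compensating control at each call, e.g. `// SameSite=None: needed in cross-site flows; CSRF is enforced by token, not by SameSite`. The same positional-argument caveat applies as in PrincipalService: the value only takes effect because `$raw = false` now occupies the preceding slot.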


@ -148,7 +148,7 @@ return [
| |
*/ */
'secure' => env('SESSION_COOKIE_SECURE', false), 'secure' => true,
/* /*
|-------------------------------------------------------------------------- |--------------------------------------------------------------------------
@ -176,6 +176,6 @@ return [
| |
*/ */
'same_site' => null, 'same_site' => 'none',
]; ];
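Review bot: `'same_site' => 'none'` on the session cookie means the browser sends the session on all cross-site requests, leaving the CSRF token check as the only defence on state-changing routes; the comment block above the key should state that this is deliberate and why. Hard-coding `'secure' => true` is consistent with it, since browsers reject `SameSite=None` cookies that lack `Secure`, but it removes the environment override; `'secure' => env('SESSION_COOKIE_SECURE', true),` keeps the secure default while leaving a documented switch for plain-HTTP test environments. Some older browser versions are known to mishandle an explicit `SameSite=None`, so it is worth confirming the supported-client list before rollout.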