
use samesite flag for clientcert cookie

Hanno Böck authored on22/04/2020 07:44:27
Showing1 changed files
@@ -103,7 +103,7 @@ if ($_SESSION['role'] != ROLE_ANONYMOUS && isset($_REQUEST['record']) && isset($
103 103
             $role = find_role($uid, '', true);
104 104
             setup_session($role, $uid);
105 105
             DEBUG("Set Cookie!");
106
-            setcookie('CLIENTCERT_AUTOLOGIN', '1', strtotime("+ 1 year"), '/', '', true, true);
106
+            setcookie('CLIENTCERT_AUTOLOGIN', '1', array('expires'=>strtotime("+ 1 year"), 'path'=>'/', 'secure'=>true, 'httponly'=>true, 'samesite'=>'Lax'));
107 107
             $destination = 'go/index/index';
108 108
             if (check_path($ret[0]['startpage'])) {
109 109
                 $destination = $ret[0]['startpage'];
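Review bot: The options-array signature of setcookie() used on the new line 106 is only available from PHP 7.3, so this change silently raises the minimum PHP version for the whole application; a one-line comment above the call, `// setcookie() options array (incl. 'samesite') requires PHP >= 7.3`, or a matching bump of the declared version requirement would make that explicit. On older PHP the call falls back to the legacy signature with the array coerced as the expiry argument, which would set the cookie without Secure/HttpOnly rather than failing loudly, so a version guard is worth considering if older deployments exist. Stylistically the long `array(...)` form is out of place in new code; `['expires' => strtotime('+ 1 year'), 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']` reads cleaner. The enclosing if block starts before this hunk, so the cookie is set only on the client-certificate login path shown in the hunk header.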