From f85efc17b4f63a49cedf60ae776d9d737c7229b3 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Tue, 25 May 2021 11:20:52 -0400
Subject: [PATCH] Add samesite when setting cookie for skin and css

---
 web/index.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/web/index.php b/web/index.php
index 5026bb016..ce3d68647 100644
--- a/web/index.php
+++ b/web/index.php
@@ -139,6 +139,14 @@ $skinBase[] = $skin;
 
 zm_session_start();
 
+$cookie_options = array(
+ 'expires'=>time()+3600*24*30*12*10,
+);
+if ( version_compare(phpversion(), '7.3.0', '>=') ) {
+ # samesite was introduced in 7.3.0
+ $cookie_options['samesite'] = 'Strict';
+}
+
 if (
 !isset($_SESSION['skin']) ||
 isset($_REQUEST['skin']) ||
@@ -146,7 +154,7 @@ if (
 ($_COOKIE['zmSkin'] != $skin)
 ) {
 $_SESSION['skin'] = $skin;
- setcookie('zmSkin', $skin, time()+3600*24*30*12*10);
+ setcookie('zmSkin', $skin, $cookie_options);
 }
 
 if (
@@ -156,7 +164,7 @@ if (
 ($_COOKIE['zmCSS'] != $css)
 ) {
 $_SESSION['css'] = $css;
- setcookie('zmCSS', $css, time()+3600*24*30*12*10);
+ setcookie('zmCSS', $css, $cookie_options);
 }
 
 # Running is global but only do the daemonCheck if it is actually needed
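Review bot: The `setcookie(..., $cookie_options)` calls in the second and third hunks use the options-array signature, which was itself added in PHP 7.3.0, while the version check in the first hunk only guards the `samesite` key; on an older PHP the array lands in the integer expiry parameter, setcookie() raises a warning and neither zmSkin nor zmCSS is set. If pre-7.3 installs are still supported (the version check suggests so), keep the legacy call there, e.g. `if ( version_compare(phpversion(), '7.3.0', '>=') ) { setcookie('zmSkin', $skin, $cookie_options); } else { setcookie('zmSkin', $skin, $cookie_options['expires']); }`, and the same for `zmCSS`. The array also leaves `path`, `secure` and `httponly` at their defaults; whether client-side script reads these cookies is not visible here, so `httponly` is something to confirm rather than assume. The `if (` conditions wrapping both calls begin outside their hunks.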