diff --git a/system/blueprints/config/system.yaml b/system/blueprints/config/system.yaml index d697519b9..8899c2854 100644 --- a/system/blueprints/config/system.yaml +++ b/system/blueprints/config/system.yaml @@ -1223,12 +1223,6 @@ form: label: PLUGIN_ADMIN.SESSION_PATH help: PLUGIN_ADMIN.SESSION_PATH_HELP - session.samesite: - type: text - size: small - label: PLUGIN_ADMIN.SESSION_SAMESITE - help: PLUGIN_ADMIN.SESSION_SAMESITE_HELP - session.split: type: toggle label: PLUGIN_ADMIN.SESSION_SPLIT diff --git a/system/config/system.yaml b/system/config/system.yaml index a1b86caf6..438d0e326 100644 --- a/system/config/system.yaml +++ b/system/config/system.yaml @@ -161,7 +161,6 @@ session: uniqueness: path # Should sessions be `path` based or `security.salt` based secure: false # Set session secure. If true, indicates that communication for this cookie must be over an encrypted transmission. Enable this only on sites that run exclusively on HTTPS httponly: true # Set session HTTP only. If true, indicates that cookies should be used only over HTTP, and JavaScript modification is not allowed. - samesite: # Set session SameSite. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite split: true # Sessions should be independent between site and plugins (such as admin) path: diff --git a/system/src/Grav/Common/Service/SessionServiceProvider.php b/system/src/Grav/Common/Service/SessionServiceProvider.php index 7521dac6a..84d23d354 100644 --- a/system/src/Grav/Common/Service/SessionServiceProvider.php +++ b/system/src/Grav/Common/Service/SessionServiceProvider.php 
@@ -36,7 +36,6 @@ class SessionServiceProvider implements ServiceProviderInterface
 $cookie_httponly = (bool)$config->get('system.session.httponly', true);
 $cookie_lifetime = (int)$config->get('system.session.timeout', 1800);
 $cookie_path = $config->get('system.session.path');
- $cookie_samesite = $config->get('system.session.samesite');
 if (null === $cookie_path) {
 $cookie_path = '/' . trim(Uri::filterPath($uri->rootUrl(false)), '/');
 }
@@ -88,8 +87,7 @@ class SessionServiceProvider implements ServiceProviderInterface
 'cookie_path' => $cookie_path,
 'cookie_domain' => $cookie_domain,
 'cookie_secure' => $cookie_secure,
- 'cookie_httponly' => $cookie_httponly,
- 'cookie_samesite' => $cookie_samesite
+ 'cookie_httponly' => $cookie_httponly
 ] + (array) $config->get('system.session.options');
 $session = new Session($options);
diff --git a/system/src/Grav/Framework/Session/Session.php b/system/src/Grav/Framework/Session/Session.php
index 8ff27776c..4fd2e974a 100644
--- a/system/src/Grav/Framework/Session/Session.php
+++ b/system/src/Grav/Framework/Session/Session.php
@@ -135,7 +135,6 @@ class Session implements SessionInterface
 'use_strict_mode' => true,
 'use_cookies' => true,
 'use_only_cookies' => true,
- 'cookie_samesite' => true,
 'referer_check' => true,
 'cache_limiter' => true,
 'cache_expire' => true,
@@ -212,19 +211,14 @@ class Session implements SessionInterface
 if ($sessionExists) {
 $params = session_get_cookie_params();
- $cookie_options = array (
- 'expires' => time() + $params['lifetime'],
- 'path' => $params['path'],
- 'domain' => $params['domain'],
- 'secure' => $params['secure'],
- 'httponly' => $params['httponly'],
- 'samesite' => $params['samesite']
- );
-
 setcookie(
 $sessionName,
 session_id(),
- $cookie_options
+ time() + $params['lifetime'],
+ $params['path'],
+ $params['domain'],
+ $params['secure'],
+ $params['httponly']
 );
 }
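Review bot: With `'cookie_samesite'` gone from the `$options` array in the @@ -88 hunk, nothing in this provider sets a SameSite attribute on the session cookie any more, so cross-site request protection of the session falls back to whatever a browser does for a missing attribute, which differs between engines. The merge with `(array) $config->get('system.session.options')` on the context line would still let an operator pass `cookie_samesite` through `system.session.options`, but the Session.php hunk at @@ -135 in this same commit drops that key from the list of accepted options, so that route presumably closes as well (the code that applies the list is outside the hunk). If the motivation is compatibility with PHP before 7.3, where `session.cookie_samesite` does not exist, a version guard preserves the attribute on newer runtimes instead of dropping it everywhere, e.g. `if (PHP_VERSION_ID >= 70300) { $options['cookie_samesite'] = $config->get('system.session.samesite', 'Lax'); }` placed after the merge, with the `system.session.samesite` key kept in the default config and blueprint rather than removed by this commit.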
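Review bot: The positional `setcookie()` form the @@ -212 hunk switches to has no parameter for SameSite, so the session cookie written here carries only path, domain, secure and httponly; the `invalidate()` hunk at @@ -237 makes the same change for the deletion cookie. The array form and the `samesite` entry of `session_get_cookie_params()` exist from PHP 7.3, so if the goal is to keep older runtimes working, branching on `PHP_VERSION_ID` keeps the attribute where the runtime supports it rather than removing it for every install. The enclosing method begins before and ends after the hunk.
```php
        if ($sessionExists) {
            $params = session_get_cookie_params();
            if (PHP_VERSION_ID >= 70300) {
                // PHP 7.3+: the options-array form can carry the SameSite value
                // that session_get_cookie_params() reports from session.cookie_samesite.
                setcookie($sessionName, session_id(), [
                    'expires' => time() + $params['lifetime'],
                    'path' => $params['path'],
                    'domain' => $params['domain'],
                    'secure' => $params['secure'],
                    'httponly' => $params['httponly'],
                    'samesite' => $params['samesite'],
                ]);
            } else {
                // Older runtimes: positional form, no SameSite attribute available.
                setcookie(
                    $sessionName,
                    session_id(),
                    time() + $params['lifetime'],
                    $params['path'],
                    $params['domain'],
                    $params['secure'],
                    $params['httponly']
                );
            }
        }
```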
@@ -237,20 +231,14 @@ class Session implements SessionInterface
 public function invalidate()
 {
 $params = session_get_cookie_params();
-
- $cookie_options = array (
- 'expires' => time() - 42000,
- 'path' => $params['path'],
- 'domain' => $params['domain'],
- 'secure' => $params['secure'],
- 'httponly' => $params['httponly'],
- 'samesite' => $params['samesite']
- );
-
 setcookie(
 session_name(),
 '',
- $cookie_options
+ time() - 42000,
+ $params['path'],
+ $params['domain'],
+ $params['secure'],
+ $params['httponly']
 );
 if ($this->isSessionStarted()) {