implement same site cookie

see https://bugs.php.net/bug.php?id=72230
see https://tools.ietf.org/html/draft-west-first-party-cookies-07
see https://scotthelme.co.uk/csrf-is-dead/

Author: frederikbosch

ext/session/php_session.h

@@ -157,6 +157,7 @@ typedef struct _php_ps_globals {
 	char *cookie_domain;
 	zend_bool  cookie_secure;
 	zend_bool  cookie_httponly;
+	char *cookie_samesite;
 	ps_module *mod;
 	ps_module *default_mod;
 	void *mod_data;

ext/session/session.c

@@ -799,6 +799,7 @@ PHP_INI_BEGIN()
 	STD_PHP_INI_ENTRY("session.cookie_domain",      "",          PHP_INI_ALL, OnUpdateSessionString, cookie_domain,      php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.cookie_secure",      "0",         PHP_INI_ALL, OnUpdateSessionBool,   cookie_secure,      php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.cookie_httponly",    "0",         PHP_INI_ALL, OnUpdateSessionBool,   cookie_httponly,    php_ps_globals,    ps_globals)
+	STD_PHP_INI_ENTRY("session.cookie_samesite",    "",          PHP_INI_ALL, OnUpdateString,        cookie_samesite,    php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.use_cookies",        "1",         PHP_INI_ALL, OnUpdateSessionBool,   use_cookies,        php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.use_only_cookies",   "1",         PHP_INI_ALL, OnUpdateSessionBool,   use_only_cookies,   php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.use_strict_mode",    "0",         PHP_INI_ALL, OnUpdateSessionBool,   use_strict_mode,    php_ps_globals,    ps_globals)
@@ -1357,6 +1358,11 @@ static int php_session_send_cookie(void) /* {{{ */
 		smart_str_appends(&ncookie, COOKIE_HTTPONLY);
 	}
 
+	if (PS(cookie_samesite)[0]) {
+    	smart_str_appends(&ncookie, COOKIE_SAMESITE);
+    	smart_str_appends(&ncookie, PS(cookie_samesite));
+    }
+
 	smart_str_0(&ncookie);
 
 	php_session_remove_cookie(); /* remove already sent session ID cookie */
@@ -1655,18 +1661,18 @@ PHPAPI void session_adapt_url(const char *url, size_t urllen, char **new, size_t
    * Userspace exported functions *
    ******************************** */
 
-/* {{{ proto bool session_set_cookie_params(int lifetime [, string path [, string domain [, bool secure[, bool httponly]]]])
+/* {{{ proto void session_set_cookie_params(int lifetime [, string path [, string domain [, bool secure[, bool httponly[, string samesite]]]]])
    Set session cookie parameters */
 static PHP_FUNCTION(session_set_cookie_params)
 {
 	zval *lifetime;
-	zend_string *path = NULL, *domain = NULL;
+	zend_string *path = NULL, *domain = NULL, *samesite = NULL;
 	int argc = ZEND_NUM_ARGS();
 	zend_bool secure = 0, httponly = 0;
 	zend_string *ini_name;
 
 	if (!PS(use_cookies) ||
-		zend_parse_parameters(argc, "z|SSbb", &lifetime, &path, &domain, &secure, &httponly) == FAILURE) {
+		zend_parse_parameters(argc, "z|SSbbS", &lifetime, &path, &domain, &secure, &httponly, &samesite) == FAILURE) {
 		return;
 	}
 
@@ -1724,6 +1730,12 @@ static PHP_FUNCTION(session_set_cookie_params)
 		zend_string_release(ini_name);
 	}
 
+    if (argc > 5) {
+        ini_name = zend_string_init("session.cookie_samesite", sizeof("session.cookie_samesite") - 1, 0);
+        zend_alter_ini_entry(ini_name, samesite, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
+        zend_string_release(ini_name);
+    }
+
 	RETURN_TRUE;
 }
 /* }}} */
@@ -1743,6 +1755,7 @@ static PHP_FUNCTION(session_get_cookie_params)
 	add_assoc_string(return_value, "domain", PS(cookie_domain));
 	add_assoc_bool(return_value, "secure", PS(cookie_secure));
 	add_assoc_bool(return_value, "httponly", PS(cookie_httponly));
+	add_assoc_string(return_value, "samesite", PS(cookie_samesite));
 }
 /* }}} */
 
@@ -2621,6 +2634,7 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_session_set_cookie_params, 0, 0, 1)
 	ZEND_ARG_INFO(0, domain)
 	ZEND_ARG_INFO(0, secure)
 	ZEND_ARG_INFO(0, httponly)
+	ZEND_ARG_INFO(0, samesite)
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_INFO(arginfo_session_class_open, 0)

ext/session/tests/session_get_cookie_params_basic.phpt

@@ -8,6 +8,7 @@ session.cookie_path="/"
 session.cookie_domain=""
 session.cookie_secure=0
 session.cookie_httponly=0
+session.cookie_samesite=""
 --FILE--
 <?php
 
@@ -22,17 +23,17 @@ ob_start();
 echo "*** Testing session_get_cookie_params() : basic functionality ***\n";
 
 var_dump(session_get_cookie_params());
-var_dump(session_set_cookie_params(3600, "/path", "blah", FALSE, FALSE));
+var_dump(session_set_cookie_params(3600, "/path", "blah", FALSE, FALSE, "foo"));
 var_dump(session_get_cookie_params());
-var_dump(session_set_cookie_params(1234567890, "/guff", "foo", TRUE, TRUE));
+var_dump(session_set_cookie_params(1234567890, "/guff", "foo", TRUE, TRUE, "blah"));
 var_dump(session_get_cookie_params());
 
 echo "Done";
 ob_end_flush();
 ?>
 --EXPECTF--
 *** Testing session_get_cookie_params() : basic functionality ***
-array(5) {
+array(6) {
   ["lifetime"]=>
   int(0)
   ["path"]=>
@@ -43,9 +44,11 @@ array(5) {
   bool(false)
   ["httponly"]=>
   bool(false)
+  ["samesite"]=>
+  string(0) ""
 }
 bool(true)
-array(5) {
+array(6) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -56,9 +59,11 @@ array(5) {
   bool(false)
   ["httponly"]=>
   bool(false)
+  ["samesite"]=>
+  string(3) "foo"
 }
 bool(true)
-array(5) {
+array(6) {
   ["lifetime"]=>
   int(1234567890)
   ["path"]=>
@@ -69,5 +74,7 @@ array(5) {
   bool(true)
   ["httponly"]=>
   bool(true)
+  ["samesite"]=>
+  string(4) "blah"
 }
 Done

ext/session/tests/session_get_cookie_params_variation1.phpt

@@ -8,6 +8,7 @@ session.cookie_path="/"
 session.cookie_domain=""
 session.cookie_secure=0
 session.cookie_httponly=0
+session.cookie_samesite=""
 --FILE--
 <?php
 
@@ -32,13 +33,15 @@ ini_set("session.cookie_secure", TRUE);
 var_dump(session_get_cookie_params());
 ini_set("session.cookie_httponly", TRUE);
 var_dump(session_get_cookie_params());
+ini_set("session.cookie_samesite", "foo");
+var_dump(session_get_cookie_params());
 
 echo "Done";
 ob_end_flush();
 ?>
 --EXPECTF--
 *** Testing session_get_cookie_params() : variation ***
-array(5) {
+array(6) {
   ["lifetime"]=>
   int(0)
   ["path"]=>
@@ -49,8 +52,10 @@ array(5) {
   bool(false)
   ["httponly"]=>
   bool(false)
+  ["samesite"]=>
+  string(0) ""
 }
-array(5) {
+array(6) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -61,8 +66,10 @@ array(5) {
   bool(false)
   ["httponly"]=>
   bool(false)
+  ["samesite"]=>
+  string(0) ""
 }
-array(5) {
+array(6) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -73,8 +80,10 @@ array(5) {
   bool(false)
   ["httponly"]=>
   bool(false)
+  ["samesite"]=>
+  string(0) ""
 }
-array(5) {
+array(6) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -85,8 +94,10 @@ array(5) {
   bool(false)
   ["httponly"]=>
   bool(false)
+  ["samesite"]=>
+  string(0) ""
 }
-array(5) {
+array(6) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -97,8 +108,10 @@ array(5) {
   bool(true)
   ["httponly"]=>
   bool(false)
+  ["samesite"]=>
+  string(0) ""
 }
-array(5) {
+array(6) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -109,6 +122,22 @@ array(5) {
   bool(true)
   ["httponly"]=>
   bool(true)
+  ["samesite"]=>
+  string(0) ""
+}
+array(6) {
+  ["lifetime"]=>
+  int(3600)
+  ["path"]=>
+  string(5) "/path"
+  ["domain"]=>
+  string(3) "foo"
+  ["secure"]=>
+  bool(true)
+  ["httponly"]=>
+  bool(true)
+  ["samesite"]=>
+  string(3) "foo"
 }
 Done
 

ext/session/tests/session_set_cookie_params_variation3.phpt

@@ -10,7 +10,7 @@ session.cookie_domain=foo
 ob_start();
 
 /* 
- * Prototype : void session_set_cookie_params(int $lifetime [, string $path [, string $domain [, bool $secure [, bool $httponly]]]])
+ * Prototype : void session_set_cookie_params(int $lifetime [, string $path [, string $domain [, bool $secure [, bool $httponly[, string $samesite]]]]])
  * Description : Set the session cookie parameters
  * Source code : ext/session/session.c 
  */

ext/session/tests/session_set_cookie_params_variation5.phpt

@@ -10,7 +10,7 @@ session.cookie_httponly=TRUE
 ob_start();
 
 /* 
- * Prototype : void session_set_cookie_params(int $lifetime [, string $path [, string $domain [, bool $secure [, bool $httponly]]]])
+ * Prototype : void session_set_cookie_params(int $lifetime [, string $path [, string $domain [, bool $secure [, bool $httponly[, string $samesite]]]]])
  * Description : Set the session cookie parameters
  * Source code : ext/session/session.c 
  */

ext/session/tests/session_set_cookie_params_variation6.phpt

@@ -0,0 +1,50 @@
+--TEST--
+Test session_set_cookie_params() function : variation
+--INI--
+session.cookie_samesite=test
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+
+ob_start();
+
+/*
+ * Prototype : void session_set_cookie_params(int $lifetime [, string $path [, string $domain [, bool $secure [, bool $samesite[, string $samesite]]]]])
+ * Description : Set the session cookie parameters
+ * Source code : ext/session/session.c
+ */
+
+echo "*** Testing session_set_cookie_params() : variation ***\n";
+
+var_dump(ini_get("session.cookie_samesite"));
+var_dump(session_set_cookie_params(3600, "/path", "blah", FALSE, FALSE, "nothing"));
+var_dump(ini_get("session.cookie_samesite"));
+var_dump(session_start());
+var_dump(ini_get("session.cookie_samesite"));
+var_dump(session_set_cookie_params(3600, "/path", "blah", FALSE, TRUE, "test"));
+var_dump(ini_get("session.cookie_samesite"));
+var_dump(session_destroy());
+var_dump(ini_get("session.cookie_samesite"));
+var_dump(session_set_cookie_params(3600, "/path", "blah", FALSE, FALSE, "other"));
+var_dump(ini_get("session.cookie_samesite"));
+
+echo "Done";
+ob_end_flush();
+?>
+--EXPECTF--
+*** Testing session_set_cookie_params() : variation ***
+string(4) "test"
+bool(true)
+string(7) "nothing"
+bool(true)
+string(7) "nothing"
+
+Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in %s on line 18
+bool(false)
+string(7) "nothing"
+bool(true)
+string(7) "nothing"
+bool(true)
+string(5) "other"
+Done

ext/standard/basic_functions.c

@@ -1425,6 +1425,7 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_setcookie, 0, 0, 1)
 	ZEND_ARG_INFO(0, domain)
 	ZEND_ARG_INFO(0, secure)
 	ZEND_ARG_INFO(0, httponly)
+	ZEND_ARG_INFO(0, samesite)
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_INFO_EX(arginfo_setrawcookie, 0, 0, 1)
@@ -1435,6 +1436,7 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_setrawcookie, 0, 0, 1)
 	ZEND_ARG_INFO(0, domain)
 	ZEND_ARG_INFO(0, secure)
 	ZEND_ARG_INFO(0, httponly)
+	ZEND_ARG_INFO(0, samesite)
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_INFO_EX(arginfo_headers_sent, 0, 0, 0)