Include SameSite attribute on cookies.

2024-01-24 22:14:42 +00:00 · 2024-01-24 22:14:42 +00:00 · 5a70e3f3f1
parent bd3e055323
commit 5a70e3f3f1
3 changed files with 37 additions and 16 deletions
--- a/assets/misuzu.js/main.js
+++ b/assets/misuzu.js/main.js
@ -62,20 +62,26 @@
            });
    };

-    MszSakuya.trackElements($qa('time'));
-    hljs.highlightAll();
+    try {
+        MszSakuya.trackElements($qa('time'));
+        hljs.highlightAll();

-    MszEmbed.init(`${location.protocol}//uiharu.${location.host}`);
+        MszEmbed.init(`${location.protocol}//uiharu.${location.host}`);

-    // only used by the forum posting form
-    initQuickSubmit();
-    MszForumEditor($q('.js-forum-posting'));
+        // only used by the forum posting form
+        initQuickSubmit();
+        const forumPostingForm = $q('.js-forum-posting');
+        if(forumPostingForm !== null)
+            MszForumEditor(forumPostingForm);

-    const events = new MszSeasonalEvents;
-    events.add(new MszChristmas2019EventInfo);
-    events.dispatch();
+        const events = new MszSeasonalEvents;
+        events.add(new MszChristmas2019EventInfo);
+        events.dispatch();

-    await initLoginPage();
+        await initLoginPage();

-    MszEmbed.handle($qa('.js-msz-embed-media'));
+        MszEmbed.handle($qa('.js-msz-embed-media'));
+    } catch(ex) {
+        console.error(ex);
+    }
 })();
--- a/misuzu.php
+++ b/misuzu.php
@ -20,8 +20,8 @@ define('MSZ_ASSETS', MSZ_ROOT . '/assets');
 require_once MSZ_ROOT . '/vendor/autoload.php';

 Environment::setDebug(MSZ_DEBUG);
-mb_internal_encoding('utf-8');
-date_default_timezone_set('utc');
+mb_internal_encoding('UTF-8');
+date_default_timezone_set('UTC');

 $cfg = SharpConfig::fromFile(MSZ_CONFIG . '/config.cfg');

--- a/src/Auth/AuthTokenCookie.php
+++ b/src/Auth/AuthTokenCookie.php
@ -1,8 +1,9 @@
 <?php
 namespace Misuzu\Auth;

-// is this the right way to do this?
+use DateTimeImmutable;

+// is this the right way to do this?
 final class AuthTokenCookie {
    public static function domain(): string {
        $url = parse_url($_SERVER['HTTP_HOST'], PHP_URL_HOST);
@ -16,10 +17,24 @@ final class AuthTokenCookie {
    }

    public static function apply(string $packed): void {
-        setcookie('msz_auth', $packed, strtotime('+3 months'), '/', self::domain(), !empty($_SERVER['HTTPS']), true);
+        $now = new DateTimeImmutable('now');
+        $threeMonths = $now->modify('+3 months');
+
+        header(sprintf(
+            'Set-Cookie: msz_auth=%s; Expires=%s; Max-Age=%d; Domain=%s; Path=/; SameSite=Lax; HttpOnly;%s',
+            $packed,
+            $threeMonths->format('D, d M Y H:i:s e'),
+            $threeMonths->getTimestamp() - $now->getTimestamp(),
+            self::domain(),
+            filter_has_var(INPUT_SERVER, 'HTTPS') ? ' Secure' : ''
+        ));
    }

    public static function nuke(): void {
-        setcookie('msz_auth', '', -9001, '/', self::domain(), !empty($_SERVER['HTTPS']), true);
+        header(sprintf(
+            'Set-Cookie: msz_auth=; Expires=Wed, 31 Dec 1969 21:29:59 UTC; Max-Age=-9001; Domain=%s; Path=/; SameSite=Lax; HttpOnly;%s',
+            self::domain(),
+            filter_has_var(INPUT_SERVER, 'HTTPS') ? ' Secure' : ''
+        ));
    }
 }