Fix #18535: Set Cookie SameSite to Lax by default

yiisoft · Mar 3, 2021 · 1209f95 · 1209f95
1 parent 4785240
commit 1209f95
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -24,6 +24,7 @@ Yii Framework 2 Change Log
 - Enh #18518: Add support for ngrok’s `X-Original-Host` header (brandonkelly)
 - Bug #18529: Fix asset files path with `appendTimestamp` option for non-root-relative base URLs (bizley)
 - Bug #18450: Allow empty string to be passed as a nullable typed argument to a controller's action (dicrtarasov, bizley)
+- Bug #18535: Set Cookie SameSite to Lax by default (samdark)
 - Bug #18539: Fix "driver does not support quoting" when using the driver pdo_odbc (xpohoc69)
 
 

diff --git a/web/Cookie.php b/web/Cookie.php
@@ -67,17 +67,12 @@ class Cookie extends \yii\base\BaseObject
     public $httpOnly = true;
     /**
      * @var string SameSite prevents the browser from sending this cookie along with cross-site requests.
-     * Please note that this feature is only supported since PHP 7.3.0
-     * For better security, an exception will be thrown if `sameSite` is set while using an unsupported version of PHP.
-     * To use this feature across different PHP versions check the version first. E.g.
-     * ```php
-     * $cookie->sameSite = PHP_VERSION_ID >= 70300 ? yii\web\Cookie::SAME_SITE_LAX : null,
-     * ```
+     *
      * See https://www.owasp.org/index.php/SameSite for more information about sameSite.
      *
      * @since 2.0.21
      */
-    public $sameSite;
+    public $sameSite = self::SAME_SITE_LAX;
 
 
     /**