@mallorydxw
Last active February 11, 2020 21:40
<?php
/*
Plugin name: SameSite Cookies
Description: A WordPress plugin for using SameSite=Lax with auth cookies
*/
/*
 * Tell core not to emit its own auth / logged-in Set-Cookie headers; the
 * two actions below re-send the same cookies with a SameSite attribute.
 * '__return_false' is WordPress' stock always-false callback, so the hook
 * can also be removed by name if another plugin needs to.
 * NOTE(review): the same filter is presumably consulted when the cookies are
 * cleared on logout as well - confirm against core, and if so hook
 * 'clear_auth_cookie' to expire them here too, otherwise stale cookies may
 * stay in the browser after logout.
 */
add_filter('send_auth_cookies', '__return_false');
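/*
 * Re-send the logged-in cookie with a SameSite attribute. Core's copies are
 * meant to be suppressed by the 'send_auth_cookies' filter above, so this
 * hook is what actually puts the cookie on the wire. The Secure decisions
 * follow the same shape core uses: the cookie is only marked Secure on an
 * https request whose home URL is https as well, and both core filters are
 * applied so overrides made by other plugins still take effect.
 *
 * Hook arguments (6): cookie value, expiry timestamp, expiration, user id,
 * the literal 'logged_in', session token. Only the first four are used.
 */
add_action('set_logged_in_cookie', function ($logged_in_cookie, $expire, $expiration, $user_id, $logged_in, $token) {
    $secure = is_ssl();
    $secure_logged_in_cookie = $secure && 'https' === parse_url(get_option('home'), PHP_URL_SCHEME);
    $secure = apply_filters('secure_auth_cookie', $secure, $user_id);
    $secure_logged_in_cookie = apply_filters('secure_logged_in_cookie', $secure_logged_in_cookie, $user_id, $secure);

    // Resolve the SameSite value once instead of once per Set-Cookie header,
    // so both headers are guaranteed to carry the same attribute.
    $samesite = apply_filters('samesite_cookie', 'Lax');

    setcookie_samesite(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true, $samesite);
    // A second copy on the site path only when it differs from the cookie path.
    if (COOKIEPATH !== SITECOOKIEPATH) {
        setcookie_samesite(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true, $samesite);
    }
}, 10, 6);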
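/*
 * Re-send the auth cookie with a SameSite attribute on both the plugins and
 * admin cookie paths.
 *
 * Hook arguments (6): cookie value, expiry timestamp, expiration, user id,
 * scheme ('auth' or 'secure_auth'), session token. The cookie value was
 * generated for $scheme, so the cookie NAME is derived from it; the Secure
 * FLAG still goes through the 'secure_auth_cookie' filter as core does. The
 * original code overwrote $scheme and never read it again, which was dead.
 */
add_action('set_auth_cookie', function ($auth_cookie, $expire, $expiration, $user_id, $scheme, $token) {
    $secure = apply_filters('secure_auth_cookie', is_ssl(), $user_id);
    $auth_cookie_name = ('secure_auth' === $scheme) ? SECURE_AUTH_COOKIE : AUTH_COOKIE;

    // One filter call shared by both headers so they cannot disagree.
    $samesite = apply_filters('samesite_cookie', 'Lax');

    setcookie_samesite($auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN, $secure, true, $samesite);
    setcookie_samesite($auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, $secure, true, $samesite);
}, 10, 6);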
// Below taken from: https://gist.github.com/bohwaz/f7c7cc08fa11399f485be3e65f19a4f4
// This function should be rewritten from scratch, since the gist above carries no licence
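/**
 * Send a Set-Cookie header with an explicit SameSite attribute.
 *
 * Built by hand because setcookie() only learned a 'samesite' option in
 * PHP 7.3; on 7.3+ the native options-array form of setcookie() is the
 * better choice.
 *
 * Every piece except $path is rawurlencode()d before it reaches the header,
 * which also neutralises ';' and CR/LF. $path is sent verbatim so that '/'
 * survives, so it must come from configuration (the WP path constants),
 * never from request data.
 *
 * @param string      $name     Cookie name.
 * @param string      $value    Cookie value ('' sends "name=").
 * @param int         $expire   Unix timestamp; 0 (or any falsy value) makes a session cookie.
 * @param string|null $path     Path attribute, sent unencoded; null omits it.
 * @param string|null $domain   Domain attribute; null omits it.
 * @param bool        $secure   Adds the Secure flag.
 * @param bool        $httponly Adds the HttpOnly flag.
 * @param string|null $samesite 'Lax', 'Strict' or 'None' (None is only honoured together with Secure); null omits it.
 * @return null header() returns nothing; the null is kept for call-site compatibility.
 */
function setcookie_samesite($name, $value = '', $expire = 0, $path = null, $domain = null, $secure = false, $httponly = false, $samesite = null)
{
    $header = setcookie_samesite_header($name, $value, $expire, $path, $domain, $secure, $httponly, $samesite);
    // false: do not replace an earlier Set-Cookie, several are sent per login.
    header($header, false);
}

/**
 * Build the header line that setcookie_samesite() sends.
 *
 * Pure (no output), so the exact wire format can be unit-tested.
 * Parameters are identical to setcookie_samesite().
 *
 * @internal
 * @return string e.g. "Set-Cookie: a=b; path=/; secure; httponly; samesite=Lax"
 */
function setcookie_samesite_header($name, $value = '', $expire = 0, $path = null, $domain = null, $secure = false, $httponly = false, $samesite = null)
{
    $params = array(
        rawurlencode($name) . '=' . rawurlencode($value),
    );

    if ($expire) {
        // RFC 6265 requires an HTTP-date here, not a raw timestamp. The old
        // "expires=%d" form is unparsable, so browsers silently dropped it and
        // kept the auth cookie only for the session. Max-Age is sent as well,
        // as setcookie() does, because conforming clients prefer it.
        $expire = (int) $expire;
        $params[] = 'expires=' . gmdate('D, d-M-Y H:i:s T', $expire);
        $params[] = 'Max-Age=' . ($expire - time());
    }
    if (!is_null($path)) {
        $params[] = 'path=' . $path;
    }
    if (!is_null($domain)) {
        $params[] = 'domain=' . rawurlencode($domain);
    }
    if ($secure) {
        $params[] = 'secure';
    }
    if ($httponly) {
        $params[] = 'httponly';
    }
    if ($samesite) {
        $params[] = 'samesite=' . rawurlencode($samesite);
    }

    return 'Set-Cookie: ' . implode('; ', $params);
}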

knutsp commented Jul 25, 2018

Thanks for this. I have tried it. It is hard to tell whether it works, since cookie inspectors only show known attributes.
On a site where I installed it, login was not possible with the Microsoft Edge browser; it seems not to accept such a cookie at all. After activating, check that login works, especially with Edge.


soderlind commented Aug 6, 2018

According to https://caniuse.com/#search=samesite, SameSite is available from Windows build 16299 onwards. I can confirm that it is not working on Windows build 16299.547.
