|
<?php |
|
|
|
/* |
|
Plugin name: SameSite Cookies |
|
Description: A WordPress plugin for using SameSite=Lax with auth cookies |
|
*/ |
|
|
|
// Tell WordPress core not to emit the auth/logged-in cookies itself; the two
// actions below re-send them through setcookie_samesite() instead.
add_filter('send_auth_cookies', static function () {
    return false;
});
|
|
|
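// Re-send the "logged in" cookie with a SameSite attribute, on the same
// path(s) core would have used. Receives the six arguments core passes to the
// set_logged_in_cookie action (priority 10).
add_action('set_logged_in_cookie', function ($logged_in_cookie, $expire, $expiration, $user_id, $logged_in, $token) {
    // Mirror core's Secure-flag computation: SSL request *and* an https home
    // URL, each passed through the same filters core applies.
    $secure = is_ssl();
    $secure_logged_in_cookie = $secure && 'https' === parse_url(get_option('home'), PHP_URL_SCHEME);
    $secure = apply_filters('secure_auth_cookie', $secure, $user_id);
    $secure_logged_in_cookie = apply_filters('secure_logged_in_cookie', $secure_logged_in_cookie, $user_id, $secure);

    // Resolve the SameSite mode once so every cookie sent here carries the
    // same value (the filter used to run once per setcookie call).
    $samesite = apply_filters('samesite_cookie', 'Lax');

    // Strict comparison: both constants are strings, and loose != would treat
    // numerically-equal strings as the same path.
    $paths = array(COOKIEPATH);
    if (COOKIEPATH !== SITECOOKIEPATH) {
        $paths[] = SITECOOKIEPATH;
    }

    foreach ($paths as $path) {
        setcookie_samesite(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, $path, COOKIE_DOMAIN, $secure_logged_in_cookie, true, $samesite);
    }
}, 10, 6);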
|
|
|
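// Re-send the auth cookie with a SameSite attribute on the two paths core
// uses (plugins and admin). Receives the six arguments core passes to the
// set_auth_cookie action (priority 10).
add_action('set_auth_cookie', function ($auth_cookie, $expire, $expiration, $user_id, $scheme, $token) {
    // Same Secure-flag computation core performs; it decides both the cookie
    // name and whether the Secure attribute is set. (The $scheme parameter is
    // not overwritten any more - the previous assignments were never read.)
    $secure = is_ssl();
    $secure = apply_filters('secure_auth_cookie', $secure, $user_id);
    $auth_cookie_name = $secure ? SECURE_AUTH_COOKIE : AUTH_COOKIE;

    // Resolve the SameSite mode once so both cookies carry the same value.
    $samesite = apply_filters('samesite_cookie', 'Lax');

    foreach (array(PLUGINS_COOKIE_PATH, ADMIN_COOKIE_PATH) as $path) {
        setcookie_samesite($auth_cookie_name, $auth_cookie, $expire, $path, COOKIE_DOMAIN, $secure, true, $samesite);
    }
}, 10, 6);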
|
|
|
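// Rewritten from scratch. The earlier version was adapted from
// https://gist.github.com/bohwaz/f7c7cc08fa11399f485be3e65f19a4f4 (no licence
// stated) and sent `expires=<unix timestamp>`, which is not a cookie-date and
// is not parsed by browsers (RFC 6265 §5.1.1).

/**
 * Emit a Set-Cookie header with an optional SameSite attribute.
 *
 * Mirrors PHP's setcookie(): name and value are URL-encoded (PHP decodes them
 * again when populating $_COOKIE), Expires is sent as an RFC 6265 cookie-date
 * and Max-Age is sent alongside it for clients that prefer it.
 *
 * @param string      $name     Cookie name.
 * @param string      $value    Cookie value.
 * @param int         $expire   Unix timestamp at which the cookie expires; 0
 *                              makes a session cookie (no Expires/Max-Age).
 * @param string|null $path     Cookie path; attribute omitted when null.
 * @param string|null $domain   Cookie domain; attribute omitted when null.
 * @param bool        $secure   Add the Secure attribute.
 * @param bool        $httponly Add the HttpOnly attribute.
 * @param string|null $samesite 'Lax', 'Strict' or 'None' (case-insensitive);
 *                              attribute omitted when null or empty. Browsers
 *                              discard SameSite=None cookies that are not also
 *                              Secure; this function does not add Secure on the
 *                              caller's behalf.
 *
 * @throws InvalidArgumentException when $samesite is not one of the three
 *         accepted values, or when $path/$domain contain a character (';', ',',
 *         whitespace or a control character) that would terminate the attribute
 *         and let the value spill into another one.
 */
function setcookie_samesite($name, $value = '', $expire = 0, $path = null, $domain = null, $secure = false, $httponly = false, $samesite = null)
{
    // Path and domain are sent raw (encoding '/' in a path would break it), so
    // they are the only parts that could inject a further attribute. PHP's own
    // setcookie() refuses the same characters.
    foreach (array('path' => $path, 'domain' => $domain) as $label => $part) {
        if ($part !== null && preg_match('/[;,\s\x00-\x1f\x7f]/', (string) $part)) {
            throw new InvalidArgumentException(
                sprintf('Cookie %s contains a character that is not allowed in a Set-Cookie header', $label)
            );
        }
    }

    $mode = null;
    if ($samesite) {
        $mode = ucfirst(strtolower((string) $samesite));
        if (!in_array($mode, array('Lax', 'Strict', 'None'), true)) {
            throw new InvalidArgumentException(
                sprintf('Unsupported SameSite value "%s"; expected Lax, Strict or None', $samesite)
            );
        }
    }

    $parts = array(rawurlencode($name) . '=' . rawurlencode($value));

    if ($expire) {
        $expire = (int) $expire;
        // Same date format PHP's setcookie() emits; Max-Age is relative and is
        // clamped at 0 so an already-past timestamp still deletes the cookie.
        $parts[] = 'expires=' . gmdate('D, d-M-Y H:i:s', $expire) . ' GMT';
        $parts[] = 'Max-Age=' . max(0, $expire - time());
    }
    if ($path !== null) {
        $parts[] = 'path=' . $path;
    }
    if ($domain !== null) {
        $parts[] = 'domain=' . $domain;
    }
    if ($secure) {
        $parts[] = 'secure';
    }
    if ($httponly) {
        $parts[] = 'httponly';
    }
    if ($mode !== null) {
        $parts[] = 'samesite=' . $mode;
    }

    // false: do not replace an earlier Set-Cookie header, WordPress sends
    // several cookies per response.
    header('Set-Cookie: ' . implode('; ', $parts), false);
}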
Thanks for this. I have tried it. It is hard to tell whether it works, since cookie inspectors only show known attributes.
On a site where I installed it, login was not possible with the Microsoft Edge browser; it seems not to accept such a cookie at all. After activating, check that login works, especially with Edge.