PHP-Auth

Allow for 'SameSite' cookie attribute and 'X-Frame-Options' header to be disabled to support framing

Open ocram opened this issue 7 years ago • 2 comments

The X-Frame-Options header can already be disabled as documented:

\header_remove('X-Frame-Options');

Of course, this should be replaced with a proper option passed to this library so that setting and then removing the header is not necessary.

ocram · Sep 04 '18 15:09
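
An added example, not part of the issue thread or of PHP-Auth's own code: once `X-Frame-Options` has been removed as in the comment above, framing can be limited to known parent origins with a `Content-Security-Policy: frame-ancestors` header instead of being left open to every site. The helper name `frameAncestorsPolicy` and the origin `https://portal.example.com` are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Build a CSP value that lets only the listed origins frame this page.
 * Hypothetical helper for illustration; not part of PHP-Auth.
 *
 * @param string[] $origins e.g. ['https://portal.example.com']
 */
function frameAncestorsPolicy(array $origins): string
{
    $sources = ["'self'"];
    foreach ($origins as $origin) {
        $p = parse_url($origin);
        // Accept only bare https origins: scheme + host (+ port), nothing else.
        if ($p === false || ($p['scheme'] ?? '') !== 'https' || empty($p['host'])
            || array_diff_key($p, ['scheme' => 1, 'host' => 1, 'port' => 1]) !== []) {
            throw new InvalidArgumentException("Not a bare https origin: $origin");
        }
        // Host must be a plain DNS name so no CSP wildcard or separator slips in.
        if (!preg_match('/^[a-z0-9.-]+$/i', $p['host'])) {
            throw new InvalidArgumentException("Unexpected host: {$p['host']}");
        }
        $sources[] = 'https://' . strtolower($p['host'])
            . (isset($p['port']) ? ':' . $p['port'] : '');
    }
    return 'frame-ancestors ' . implode(' ', $sources);
}

// Constructed sample allowlist (assumption): the one site permitted to embed us.
$allowedParents = ['https://portal.example.com'];

if (PHP_SAPI !== 'cli') {
    // Run after the library has set its headers: drop the blanket restriction ...
    header_remove('X-Frame-Options');
    // ... and add an origin-scoped one. `false` appends rather than replacing
    // any Content-Security-Policy header the application already sends.
    header('Content-Security-Policy: ' . frameAncestorsPolicy($allowedParents), false);
} else {
    // On the command line, just show the header value that would be sent.
    echo frameAncestorsPolicy($allowedParents), PHP_EOL;
}
```

For the sample allowlist the header value is `frame-ancestors 'self' https://portal.example.com`; an entry with a path, query, wildcard or non-https scheme is rejected with an exception rather than silently widened.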

Disabling the SameSite attribute on cookies:

  • vendor/delight-im/auth/src/UserManager.php
    • Replace Session::regenerate(true); with Session::regenerate(true, null);
  • vendor/delight-im/auth/src/Auth.php
    • Replace @Session::start(); with @Session::start(null);
    • Replace Session::regenerate(true); with Session::regenerate(true, null);
    • After $cookie->setSecureOnly($params['secure']); append $cookie->setSameSiteRestriction(null); in all three (!) occurrences

ocram · Mar 11 '19 14:03