
I have applications that make CORS calls to each other. Google in April 2020 will need SameSite cookies = none. https://www.chromestatus.com/feature/5633521622188032

Since Chrome version 80+, all users who use the Chrome browser are affected by this CSRF error. How do I fix this problem in the CodeIgniter framework using PHP 7.3?


Panup Pong

4 Answers


I had this same problem, but with PHP 7.2 and CI 3.x. The problem was solved by making the following change to the application/config/config.php file:

$config['cookie_prefix']    = '';
$config['cookie_domain']    = '';
// Smuggles the attribute in through the path; PHP 7.2 passes the ';' through unescaped
$config['cookie_path']      = '/; SameSite=None';
$config['cookie_secure']    = TRUE;   // SameSite=None is only accepted together with Secure
$config['cookie_httponly']  = FALSE;
David Buck
Wilker Alves
  • Welcome to SO; for the next time, please take a minute to see how to properly format your code (done it for you now). – desertnaut May 30 '20 at 14:13
  • 1
    just a warning, that technique won't work in PHP 7.3 because it will begin escaping the semicolon in the cookie path. Might want to look at https://stackoverflow.com/a/46971326/62536 – pbarney Jun 01 '20 at 03:25
  • This solved my problem; the one marked as solution does not work with PHP 7.2 – Irodoku Jun 09 '20 at 21:13
  • This is useless: $config['cookie_path'] = '/; SameSite=None'; but this line works for me: $config['cookie_secure'] = TRUE; – Syed Naeem Tariq May 05 '21 at 22:22

Never modify the files in the SYSTEM directory, because you may have problems updating CodeIgniter. It is better to create a file called MY_Security.php in APPLICATION/CORE and extend the Security controller.

Example:

<?php defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Security extends CI_Security {

    /**
     * CSRF Set Cookie with samesite
     *
     * Overrides CI_Security::csrf_set_cookie() so the CSRF cookie carries a
     * SameSite attribute. Uses the options-array form of setcookie(), which
     * requires PHP 7.3 or later.
     *
     * @codeCoverageIgnore
     * @return  CI_Security|bool
     */
    public function csrf_set_cookie()
    {
        $expire = time() + $this->_csrf_expire;
        $secure_cookie = (bool) config_item('cookie_secure');

        // Same guard as the stock method: never send a Secure cookie over plain HTTP
        if ($secure_cookie && ! is_https())
        {
            return FALSE;
        }

        setcookie($this->_csrf_cookie_name,
                  $this->_csrf_hash,
                  ['samesite' => 'Strict',
                   'secure'   => true,
                   'expires'  => $expire,
                   'path'     => config_item('cookie_path'),
                   'domain'   => config_item('cookie_domain'),
                   'httponly' => config_item('cookie_httponly')]);

        log_message('info', 'CSRF cookie sent');

        return $this;
    }
}
Aythami

Problem is solved.

1. Add this config in application/config/config.php for all cookies in the framework:

ini_set('session.cookie_samesite', 'None');
ini_set('session.cookie_secure', TRUE);

2. Edit this line in system/core/Security.php (around line 273), replacing

setcookie(
        $this->_csrf_cookie_name,
        $this->_csrf_hash,
        $expire,
        config_item('cookie_path'),
        config_item('cookie_domain'),
        $secure_cookie,
        config_item('cookie_httponly')
);

with

// options-array form of setcookie(), available from PHP 7.3
setcookie(
        $this->_csrf_cookie_name,
        $this->_csrf_hash,
        ['samesite' => 'None',
         'secure'   => true,
         'expires'  => $expire,
         'path'     => config_item('cookie_path'),
         'domain'   => config_item('cookie_domain'),
         'httponly' => config_item('cookie_httponly')]
);

so the CSRF cookie supports the SameSite attribute.

Panup Pong
  • Not working on all browsers and versions; they will have different behaviors. It is not the final solution: setcookie('same-site-cookie', 'foo', ['samesite' => 'Lax']); setcookie('cross-site-cookie', 'bar', ['samesite' => 'None', 'secure' => true]); For earlier versions of PHP, you can also set the header() directly: header('Set-Cookie: same-site-cookie=foo; SameSite=Lax'); header('Set-Cookie: cross-site-cookie=bar; SameSite=None; Secure'); – Aggarat .J Mar 16 '20 at 07:48
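A version-independent way to do what the MY_Security override in the previous answer and the core edit in this answer both do, as an added example that is neither from this page nor CodeIgniter's own code. It assumes CI 3.x (the CI_Security properties used by the stock csrf_set_cookie()) and a hypothetical $config['cookie_samesite'] item, which is not a stock CodeIgniter setting. On PHP 7.3+ it uses the options array of setcookie(); on older PHP, where that signature does not exist and the cookie_path trick from the first answer is version-dependent, it writes the Set-Cookie header itself, which is the header() fallback the comment above describes. SameSite=None forces the Secure flag, and on a plain-HTTP request the cookie is withheld rather than sent in a form Chrome 80+ will drop.

```php
<?php defined('BASEPATH') OR exit('No direct script access allowed');

// application/core/MY_Security.php
// Added example, not CodeIgniter's own code. Assumes CI 3.x and a hypothetical
// $config['cookie_samesite'] entry ('None', 'Lax' or 'Strict') in config.php.

class MY_Security extends CI_Security {

    /**
     * Send the CSRF cookie with a SameSite attribute on any PHP version.
     *
     * @return CI_Security|bool  $this on success, FALSE if the cookie was withheld
     */
    public function csrf_set_cookie()
    {
        $expire   = time() + $this->_csrf_expire;
        $samesite = $this->_samesite_value(config_item('cookie_samesite'));

        // Chrome 80+ drops SameSite=None cookies that are not also Secure,
        // so 'None' forces the Secure flag regardless of cookie_secure.
        $secure = (bool) config_item('cookie_secure') || $samesite === 'None';

        // Same rule as the stock method: a Secure cookie is never sent over plain HTTP.
        if ($secure && ! is_https())
        {
            log_message('error', 'CSRF cookie not sent: Secure/SameSite=None needs HTTPS');
            return FALSE;
        }

        $sent = $this->_send_cookie(
            $this->_csrf_cookie_name,
            $this->_csrf_hash,
            $expire,
            (string) config_item('cookie_path'),
            (string) config_item('cookie_domain'),
            $secure,
            (bool) config_item('cookie_httponly'),
            $samesite
        );

        log_message('info', $sent ? 'CSRF cookie sent' : 'CSRF cookie not sent: headers already sent');

        return $sent ? $this : FALSE;
    }

    /**
     * Reduce any spelling of the setting to the three values browsers accept;
     * anything unrecognised (including an unset item) becomes 'Lax'.
     */
    protected function _samesite_value($value)
    {
        $value = ucfirst(strtolower((string) $value));
        return in_array($value, array('None', 'Lax', 'Strict'), TRUE) ? $value : 'Lax';
    }

    /**
     * Emit one Set-Cookie header. Returns FALSE if headers were already sent.
     */
    protected function _send_cookie($name, $value, $expire, $path, $domain, $secure, $httponly, $samesite)
    {
        if (headers_sent())
        {
            return FALSE;
        }

        $path = ($path === '') ? '/' : $path;

        if (PHP_VERSION_ID >= 70300)
        {
            // PHP 7.3+: setcookie() takes an options array and writes SameSite itself.
            return setcookie($name, $value, array(
                'expires'  => $expire,
                'path'     => $path,
                'domain'   => $domain,
                'secure'   => $secure,
                'httponly' => $httponly,
                'samesite' => $samesite,
            ));
        }

        // PHP < 7.3: setcookie() has no SameSite support, so build the header by hand.
        // header() with $replace = FALSE keeps other Set-Cookie headers already queued.
        $header = $name.'='.rawurlencode($value)
            .'; Expires='.gmdate('D, d-M-Y H:i:s', $expire).' GMT'
            .'; Max-Age='.max(0, $expire - time())
            .'; Path='.$path;

        if ($domain !== '')  $header .= '; Domain='.$domain;
        if ($secure)         $header .= '; Secure';
        if ($httponly)       $header .= '; HttpOnly';
        $header .= '; SameSite='.$samesite;

        header('Set-Cookie: '.$header, FALSE);
        return TRUE;
    }
}
```

Drop it in application/core/MY_Security.php and, for the cross-site case, set $config['cookie_samesite'] = 'None'; and $config['cookie_secure'] = TRUE; in config.php ('Lax' or 'Strict' for a same-site application). This covers only the CSRF cookie: the CI 3 session cookie goes through PHP's own session cookie parameters, so the session.cookie_samesite and session.cookie_secure settings from step 1 of this answer are still what governs it on PHP 7.3+.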

There is an official issue on CI for this; check this: https://github.com/bcit-ci/CodeIgniter/issues/5791

Note that this fix needs PHP 7.3

Mike