Change SameSite attribute on session cookies to "lax" (#2592)

2020-10-25 21:15:49 +01:00 · 2020-10-25 21:15:49 +01:00 · a271b59092
commit a271b59092
parent cfaf41ce24
2 changed files with 6 additions and 1 deletions
--- a/app/Console/Commands/Environment/AppSettingsCommand.php
+++ b/app/Console/Commands/Environment/AppSettingsCommand.php
@ -144,6 +144,11 @@ class AppSettingsCommand extends Command
            $this->variables['APP_ENVIRONMENT_ONLY'] = $this->confirm(trans('command/messages.environment.app.settings'), true) ? 'false' : 'true';
        }

+        // Make sure session cookies are set as "secure" when using HTTPS
+        if (strpos($this->variables['APP_URL'], 'https://') === 0) {
+            $this->variables['SESSION_SECURE_COOKIE'] = 'true';
+        }
+
        $this->checkForRedis();
        $this->writeToEnvironment($this->variables);

--- a/config/session.php
+++ b/config/session.php
@ -188,5 +188,5 @@ return [
    |
    */

-    'same_site' => null,
+    'same_site' => env('SESSION_SAMESITE_COOKIE', 'lax'),
 ];