Change SameSite attribute on session cookies to "lax" (pterodactyl#2592)

Spirit55555 · web-flow · commit a271b590925f · 2020-10-25T13:15:49.000-07:00
diff --git a/app/Console/Commands/Environment/AppSettingsCommand.php b/app/Console/Commands/Environment/AppSettingsCommand.php
@@ -144,6 +144,11 @@ public function handle()
             $this->variables['APP_ENVIRONMENT_ONLY'] = $this->confirm(trans('command/messages.environment.app.settings'), true) ? 'false' : 'true';
         }
 
+        // Make sure session cookies are set as "secure" when using HTTPS
+        if (strpos($this->variables['APP_URL'], 'https://') === 0) {
+            $this->variables['SESSION_SECURE_COOKIE'] = 'true';
+        }
+
         $this->checkForRedis();
         $this->writeToEnvironment($this->variables);
 
diff --git a/config/session.php b/config/session.php
@@ -188,5 +188,5 @@
     |
     */
 
-    'same_site' => null,
+    'same_site' => env('SESSION_SAMESITE_COOKIE', 'lax'),
 ];

Original file line number	Diff line number	Diff line change
`@@ -188,5 +188,5 @@`
`188`	`188`	`\|`
`189`	`189`	`*/`
`190`	`190`
`191`		`- 'same_site' => null,`
	`191`	`+ 'same_site' => env('SESSION_SAMESITE_COOKIE', 'lax'),`
`192`	`192`	`];`