From df4c2cf86eac3f54484ba3a4dd84f05259c0b8a4 Mon Sep 17 00:00:00 2001
From: Ayumi <57409060+ayumi-cloud@users.noreply.github.com>
Date: Mon, 12 Oct 2020 19:10:17 +0100
Subject: [PATCH] Default session.same_site to Lax (#5293)
---
 config/session.php | 28 +++++++++++++++++++++-------
 modules/system/ServiceProvider.php | 7 +++++++
 2 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/config/session.php b/config/session.php
index ab762f221..8e2f8fa57 100644
--- a/config/session.php
+++ b/config/session.php
@@ -169,17 +169,31 @@ return [
 |--------------------------------------------------------------------------
 |
 | This option determines how your cookies behave when cross-site requests
- | take place, and can be used to mitigate CSRF attacks. By default, we
- | do not enable this as other CSRF protection services are in place.
+ | take place and can be used to mitigate CSRF attacks.
 |
- | In the strict mode, the cookie is not sent with any cross-site usage
- | even if the user follows a link to another website. Lax cookies are
- | only sent with a top-level get request.
+ | Cookies that match the domain of the current site, i.e. what's displayed
+ | in the browser's address bar, are referred to as first-party cookies.
+ | Similarly, cookies from domains other than the current site are referred
+ | to as third-party cookies.
 |
- | Supported: "lax", "strict"
+ | Cookies without a SameSite attribute will be treated as `SameSite=Lax`,
+ | meaning the default behaviour will be to restrict cookies to first party
+ | contexts only.
+ |
+ | Cookies for cross-site usage must specify `same_site` as 'None' and `secure`
+ | as `true` to work correctly.
+ |
+ | Lax - Cookies are allowed to be sent with top-level navigations and will
+ | be sent along with GET request initiated by third party website.
+ | This is the default value in modern browsers.
+ |
+ | Strict - Cookies will only be sent in a first-party context and not be
+ | sent along with requests initiated by third party websites.
+ |
+ | Supported: "Lax", "Strict" and "None"
 |
 */
- 'same_site' => null,
+ 'same_site' => 'Lax',
 ];
diff --git a/modules/system/ServiceProvider.php b/modules/system/ServiceProvider.php
index 0a7b5fda7..e18477565 100644
--- a/modules/system/ServiceProvider.php
+++ b/modules/system/ServiceProvider.php
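Review bot: The rewritten comment drops the old sentence about other CSRF protection without saying that `SameSite=Lax` is defence in depth rather than a substitute for the CSRF token middleware: a Lax cookie is still sent on top-level cross-site GET navigations (the hunk's own `Lax -` paragraph says so), so any state-changing GET route stays exposed and the token check must remain enabled. I would add, after the `Lax -` paragraph, `| Lax does not replace the CSRF token middleware: the cookie still accompanies top-level cross-site GET navigations.` Two further caveats belong near `Supported:`: setting the attribute explicitly to Lax forgoes the temporary "Lax+POST" allowance that Chromium grants only when the attribute is absent, so cross-site POST returns (payment gateways, SSO callbacks) that carried the session before this default change will stop doing so unless the site moves to `None` with `secure`; and the `None` paragraph should state that browsers discard a `SameSite=None` cookie that lacks the Secure flag, which is more useful than "to work correctly". The enclosing `return [` array starts before the hunk.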
@@ -97,6 +97,13 @@ class ServiceProvider extends ModuleServiceProvider
 }
 }
+ /*
+ * Set a default samesite config value for invalid values
+ */
+ if (!in_array(strtolower(Config::get('session.same_site')), ['lax', 'strict', 'none'])) {
+ Config::set('session.same_site', 'Lax');
+ }
+
 Paginator::useBootstrapThree();
 Paginator::defaultSimpleView('system::pagination.simple-default');
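Review bot: The guard at `if (!in_array(strtolower(Config::get('session.same_site')), ...))` also rewrites an explicit `null` — the value the old config comment documented as the disabled state — to `Lax`, so an install that deliberately left the attribute unset (cross-site POST callbacks, embedded iframes) silently gains `SameSite=Lax` on upgrade with no opt-out short of `None` plus `secure`. If that is intended, say so in the comment, and since passing `null` to `strtolower()` is deprecated from PHP 8.1, read the value as `$sameSite = strtolower((string) Config::get('session.same_site', ''));` and test `in_array($sameSite, ['lax', 'strict', 'none'], true)`. The check also accepts `none` without looking at `session.secure`, although the config comment in this same commit says None needs Secure; browsers drop a `SameSite=None` cookie lacking the Secure flag, so the session would silently break on plain HTTP — at least warn or comment it, e.g. `// SameSite=None is discarded by browsers unless session.secure is true`. A valid but differently cased value such as `'lax'` passes through unchanged; whether the cookie layer normalises case is not visible here. The enclosing method starts and ends outside the hunk.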