Set the XSRF-Token cookie to SameSite=lax

As it turns out, `strict` is too strict for some use cases of the average user,
as it might suppress the cookie when the user researches something while
writing a post and ultimately comes back to the community via an external link.

This request will not have the XSRF-Token cookie attached due to violating the
`strict` policy, resulting in WoltLab Suite sending a fresh cookie in response.
This will then invalidate the token stored in the form where the user is in the
process of writing their post, ultimately resulting in an error message.

The `SameSite` value is meant as a defense in depth measure to protect the user
even if they current token leaked in some way. Reducing the strictness does not
reduce the security in a measurable way.

diff --git a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
index a5f07047be2411254c00d43650c8742bee158d06..327bd6d90ad0c85c5dc3665a16a376cb3fdce5ed 100644 (file)
--- a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
+++ b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
@@ -483,7 +483,7 @@ final class SessionHandler extends SingletonFactory
             // We construct the cookie manually instead of using HeaderUtil::setCookie(), because:
             // 1) We don't want the prefix. The `XSRF-TOKEN` cookie name is a standard name across applications
             //    and it is supported by default in common JavaScript frameworks.
-            // 2) We want to set the SameSite=strict parameter.
+            // 2) We want to set the SameSite=lax parameter.
             // 3) We don't want the HttpOnly parameter.
             $sameSite = $cookieDomain = '';
 
@@ -493,9 +493,9 @@ final class SessionHandler extends SingletonFactory
                 $cookieDomain = HeaderUtil::getCookieDomain();
                 $cookieDomain = ($cookieDomain !== null ? '; domain=' . $cookieDomain : '');
             } else {
-                // SameSite=strict is not supported in a multi domain set-up, because
+                // SameSite=lax is not supported in a multi domain set-up, because
                 // it breaks cross-application requests.
-                $sameSite = '; SameSite=strict';
+                $sameSite = '; SameSite=lax';
             }
 
             if (!HTTP_SEND_X_FRAME_OPTIONS) {