From 612b6ff16c4fa5099a66dacd8a65aafb086c4f75 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Mon, 20 Sep 2021 13:37:54 +0200
Subject: [PATCH] Set the XSRF-Token cookie to SameSite=lax

As it turns out, `strict` is too strict for some use cases of the average user, as it might suppress the cookie when the user researches something while writing a post and ultimately comes back to the community via an external link. This request will not have the XSRF-Token cookie attached due to violating the `strict` policy, resulting in WoltLab Suite sending a fresh cookie in response. This will then invalidate the token stored in the form where the user is in the process of writing their post, ultimately resulting in an error message.

The `SameSite` value is meant as a defense in depth measure to protect the user even if they current token leaked in some way. Reducing the strictness does not reduce the security in a measurable way.
---
 .../files/lib/system/session/SessionHandler.class.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
index a5f07047be..327bd6d90a 100644
--- a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
+++ b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
@@ -483,7 +483,7 @@ final class SessionHandler extends SingletonFactory
 // We construct the cookie manually instead of using HeaderUtil::setCookie(), because:
 // 1) We don't want the prefix. The `XSRF-TOKEN` cookie name is a standard name across applications
 // and it is supported by default in common JavaScript frameworks.
- // 2) We want to set the SameSite=strict parameter.
+ // 2) We want to set the SameSite=lax parameter.
 // 3) We don't want the HttpOnly parameter.
 $sameSite = $cookieDomain = '';
@@ -493,9 +493,9 @@ final class SessionHandler extends SingletonFactory
 $cookieDomain = HeaderUtil::getCookieDomain();
 $cookieDomain = ($cookieDomain !== null ? '; domain=' . $cookieDomain : '');
 } else {
- // SameSite=strict is not supported in a multi domain set-up, because
+ // SameSite=lax is not supported in a multi domain set-up, because
 // it breaks cross-application requests.
- $sameSite = '; SameSite=strict';
+ $sameSite = '; SameSite=lax';
 }
 
 if (!HTTP_SEND_X_FRAME_OPTIONS) {
-- 
2.20.1
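Review bot: The comment above `$sameSite = '; SameSite=lax';` still only names the value being set, not why `lax` was chosen over `strict`, so the reasoning from the commit message (a top-level navigation back from an external link is cross-site, `strict` withholds the cookie, a fresh token is issued and the form still open in another tab fails) should sit next to the assignment before a later review "tightens" it back; the numbered list in the first hunk has the same gap. Something like `// Lax rather than Strict: Strict withholds the cookie on top-level navigations arriving from other sites, which rotates the token and invalidates forms already open in the user's other tabs. Lax still withholds it on cross-site POSTs and subrequests.` That comment should also state that under Lax the cookie is attached to cross-site top-level GET navigations, so the CSRF check must keep comparing the cookie value against the token submitted with the request (presumably the double-submit comparison elsewhere in this class) and never accept the cookie's presence alone. The enclosing method starts and ends outside both hunks.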