Fixes #2157, Explicitly set SameSite value for cookies (#2159)

* Fixes #2157, Explicitly set SameSite value for cookies by making samesite a config option in config.php. Also contains an update for the cookie library dependency

framework/core/composer.json

@@ -38,7 +38,7 @@
         "php": ">=7.2",
         "axy/sourcemap": "^0.1.4",
         "components/font-awesome": "5.9.*",
-        "dflydev/fig-cookies": "^1.0.2",
+        "dflydev/fig-cookies": "^2.0.1",
         "doctrine/dbal": "^2.7",
         "franzl/whoops-middleware": "^0.4.0",
         "illuminate/bus": "5.8.*",

framework/core/src/Http/CookieFactory.php

@@ -9,6 +9,7 @@
 
 namespace Flarum\Http;
 
+use Dflydev\FigCookies\Modifier\SameSite;
 use Dflydev\FigCookies\SetCookie;
 use Flarum\Foundation\Application;
 use Illuminate\Support\Arr;
@@ -43,6 +44,13 @@ class CookieFactory
      */
     protected $secure;
 
+    /**
+     * Same Site cookie value.
+     *
+     * @var string
+     */
+    protected $samesite;
+
     /**
      * @param Application $app
      */
@@ -56,6 +64,7 @@ class CookieFactory
         $this->path = $app->config('cookie.path', Arr::get($url, 'path') ?: '/');
         $this->domain = $app->config('cookie.domain');
         $this->secure = $app->config('cookie.secure', Arr::get($url, 'scheme') === 'https');
+        $this->samesite = $app->config('cookie.samesite');
     }
 
     /**
@@ -85,6 +94,9 @@ class CookieFactory
             $cookie = $cookie->withDomain($this->domain);
         }
 
+        // Explicitly set SameSite value, use sensible default if no value provided
+        $cookie = $cookie->withSameSite(SameSite::{$this->samesite ?? 'lax'}());
+
         return $cookie
             ->withPath($this->path)
             ->withSecure($this->secure)