diff --git a/application/Espo/Core/Utils/Auth.php b/application/Espo/Core/Utils/Auth.php
index 03c8a24b0b..c463f69eaf 100644
--- a/application/Espo/Core/Utils/Auth.php
+++ b/application/Espo/Core/Utils/Auth.php
@@ -442,7 +442,7 @@ class Auth
 if ($authToken->get('secret')) {
 $sentSecret = $_COOKIE['auth-token-secret'] ?? null;
 if ($sentSecret === $authToken->get('secret')) {
- setcookie('auth-token-secret', null, -1, '/');
+ $this->setSecretInCookie(null);
 }
 }
 return true;
@@ -487,15 +487,21 @@ class Auth
 $this->getEntityManager()->saveEntity($authLogRecord);
 }
 
- protected function setSecretInCookie(string $secret)
+ protected function setSecretInCookie(?string $secret)
 {
+ if (!$secret) {
+ $time = -1;
+ } else {
+ $time = strtotime('+1000 days');
+ }
+
 if (version_compare(\PHP_VERSION, '7.3.0') < 0) {
- setcookie('auth-token-secret', $secret, strtotime('+1000 days'), '/', '', false, true);
+ setcookie('auth-token-secret', $secret, $time, '/', '', false, true);
 return;
 }
 
 setcookie('auth-token-secret', $secret, [
- 'expires' => strtotime('+1000 days'),
+ 'expires' => $time,
 'path' => '/',
 'httponly' => true,
 'samesite' => 'Lax',
diff --git a/client/src/app.js b/client/src/app.js
index 0021573c5f..54cb7a4699 100644
--- a/client/src/app.js
+++ b/client/src/app.js
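Review bot: The secret check just above the changed line, `$sentSecret === $authToken->get('secret')`, is a plain string equality, so its running time varies with how many leading bytes of the cookie value match the stored secret; for a per-token secret a constant-time compare is the safer default. Since `$sentSecret` can be null (the `??` fallback), guard the type first: `if (is_string($sentSecret) && hash_equals($authToken->get('secret'), $sentSecret)) {`. The enclosing method starts and ends outside the hunk, so I cannot see whether a mismatch is logged or rate-limited elsewhere.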
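Review bot: `setSecretInCookie(null)` now forwards `null` as the cookie value to `setcookie()` in both branches, whose value parameter is typed `string`; on PHP 8.1 and later that emits a deprecation on every clear-cookie path, so the clear case should pass `''` rather than `$secret`. The `if (!$secret)` test also folds `''` and `'0'` into the clear case, whereas the new `?string` signature suggests `$secret === null` is the intended signal. Separately, the pre-7.3 branch still passes `false` for the secure flag, so the HttpOnly secret is also sent over plain HTTP; derive the flag from the request (or a config option behind a reverse proxy) and, if the options array continuing below the hunk does not already set it, add `'secure' => $secure` there as well. I would restructure the head of the method as below.
```php
protected function setSecretInCookie(?string $secret)
{
    // null means "clear the cookie"; '' or '0' would be real (if odd) values
    $clear = $secret === null;
    $time = $clear ? -1 : strtotime('+1000 days');
    $value = $clear ? '' : $secret;
    // mark Secure whenever the request itself came in over TLS
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    if (version_compare(\PHP_VERSION, '7.3.0') < 0) {
        setcookie('auth-token-secret', $value, $time, '/', '', $secure, true);
        return;
    }

    setcookie('auth-token-secret', $value, [
        'expires' => $time,
        // … unchanged: path, httponly, samesite …
        'secure' => $secure, // only if the options array does not already set it
```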
@@ -551,13 +551,13 @@ define(
 setCookieAuth: function (username, token) {
 var date = new Date();
 date.setTime(date.getTime() + (1000 * 24*60*60*1000));
- document.cookie = 'auth-username='+username+'; expires='+date.toGMTString()+'; path=/';
- document.cookie = 'auth-token='+token+'; expires='+date.toGMTString()+'; path=/';
+ document.cookie = 'auth-username='+username+'; SameSite=Lax; expires='+date.toGMTString()+'; path=/';
+ document.cookie = 'auth-token='+token+'; SameSite=Lax; expires='+date.toGMTString()+'; path=/';
 },
 
 unsetCookieAuth: function () {
- document.cookie = 'auth-username' + '=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/';
- document.cookie = 'auth-token' + '=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/';
+ document.cookie = 'auth-username' + '=; SameSite=Lax; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/';
+ document.cookie = 'auth-token' + '=; SameSite=Lax; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/';
 },
 
 initUserData: function (options, callback) {
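Review bot: The `auth-token` cookie written on the `+` lines of `setCookieAuth` still carries no `Secure` attribute, so a browser will send the token over plain HTTP if the application is ever reached that way; `SameSite=Lax` only limits cross-site sends and does nothing for that. Being set through `document.cookie` it is also necessarily script-readable, which is presumably why the server keeps the separate HttpOnly `auth-token-secret` seen in the PHP hunk; a one-line comment here, `// auth-token is script-readable by design; the HttpOnly auth-token-secret set server-side is what makes it usable`, would stop a later reader from treating `auth-token` alone as the credential (please confirm that split against the server code). I would add `var secure = location.protocol === 'https:' ? '; Secure' : '';` at the top of both `setCookieAuth` and `unsetCookieAuth` and append `+ secure` right after `'; SameSite=Lax'` in each of the four `document.cookie` lines, so the clearing cookie carries the same attributes as the one it overwrites. `username` is also concatenated raw into the cookie header; if usernames may contain `;` or non-ASCII, the value would be cut short, so consider `encodeURIComponent(username)` with a matching decode on the server.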