Changeset 2942075
- Timestamp: 07/23/2023 12:06:42 PM (13 months ago)
- Location: samesite
- Files: 5 added, 3 edited
samesite/trunk/composer.json
r2223251 r2942075 8 8 { 9 9 "name": "Ayesh Karunaratne", 10 "email": "ayesh@aye sh.me",11 "homepage": "https://aye sh.me"10 "email": "ayesh@aye", 11 "homepage": "https://aye" 12 12 } 13 13 ], 14 "keywords": [" password", "password_hash", "bcrypt", "argon2", "argon2i", "sodium", "password-security", "security", "wordpress", "wordpress-security", "wordpress-plugin"],14 "keywords": ["s", "wordpress-security", "wordpress-plugin"], 15 15 "support": { 16 16 "issues": "https://github.com/phpwatch/WordPress-SameSite/issues" 17 17 }, 18 18 "require": { 19 "php": ">= 5.6.0",19 "php": ">=.0", 20 20 "composer/installers": "~1.0" 21 21 }, -
samesite/trunk/readme.txt
r2447747 r2942075 2 2 Contributors: ayeshrajans 3 3 Tags: security, csrf, cookies, samesite 4 Requires at least: 4.35 Tested up to: 5.64 Requires at least: 5 Tested up to: 6 6 License: GPLv2 or later 7 Stable tag: 1.5 7 Stable tag: 2.0 8 Requires PHP: 7.0 8 9 9 10 CSRF-protection for authentication cookies. When enabled, this plugin makes sure the "SameSite" flag is set in authentication cookies. SameSite flag on a cookie prevents the browser from sending the cookie (thus, the authentication) on Cross-Site requests. This protects users from Cross-Site Request Forgery attacks. … … 14 15 SameSite cookie flag support was added to PHP on version 7.3, but this plugin ships with a workaround to **support all PHP versions** WordPress supports. 15 16 16 There is no administrative UI provided: Activate this plugin and you are all set!17 There is no administrative UI provided: Activate this plugin and you are all set! 17 18 18 19 You can configure the SameSite flag value from your WordPress configuration file. You cna pick a value from `Lax` (default), `Strict`, or `None`. You can read about [SameSite cookies here](https://php.watch/articles/PHP-Samesite-cookies). … … 24 25 ``` 25 26 26 Note that only the authentication cookies are affected. Regular cookies that your installed plugins set will **not** be affected, nor provide any meaningful value with `SameSite` flags.27 Note that . Regular cookies that your installed plugins set will **not** be affected, nor provide any meaningful value with `SameSite` flags. 27 28 28 29 == Installation == 29 30 1. Install this plugin as you would with any other plugin. 30 31 2. Enable it. 31 3. There is no third step - From this point afterward s, authentication cookies your WordPress site uses will contain SameSite flag, and you will be protected from CSRF attacks.32 3. 
There is no third step - From this point afterward, authentication cookies your WordPress site uses will contain SameSite flag, and you will be protected from CSRF attacks. 32 33 33 34 If you find this plugin useful, I'd appreciate you leaving a review on the plugin page. 34 35 35 36 == Frequently Asked Questions == 37 38 39 40 41 42 43 44 45 46 47 36 48 = Do I need to have PHP 7.3 or later? = 37 49 No. [PHP 7.3 officially added SameSite cookie support](https://php.watch/versions/7.3/same-site-cookies), but this plugin comes with a polyfill to extend support to all previous PHP versions. … … 41 53 42 54 55 56 57 58 43 59 == Changelog == 44 60 45 61 = 1.5 = 46 62 * Fixes a cookie expiration issue that was reported multiple times in the issue queue. Thanks to Jamie Magin (@jamagin at GitHub). 63 64 65 66 -
samesite/trunk/samesite.php
r2447747 r2942075 6 6 Plugin Name: SameSite 7 7 Plugin URI: https://wordpress.org/plugins/samesite 8 Description: CSRF-protection for authentication cookies. When enable , this plugin makes sure the "SameSite" flag is set in authentication cookies, which protects users from Cross-Site Request Forgery attacks.9 Version: 1.58 Description: CSRF-protection for authentication cookies. When enable, this plugin makes sure the "SameSite" flag is set in authentication cookies, which protects users from Cross-Site Request Forgery attacks. 9 Version: 10 10 Author: Ayesh Karunaratne 11 Author URI: https://aye sh.me/open-source11 Author URI: https://aye/open-source 12 12 License: GPLv2 or later 13 13 */ … … 31 31 * @param string $token Optional. User's session token to use for this cookie. 32 32 */ 33 function wp_set_auth_cookie( $user_id, $remember = false, $secure = '',$token = '' ) {33 function wp_set_auth_cookie( $token = '' ) { 34 34 if ( $remember ) { 35 35 /** … … 59 59 } 60 60 61 // Front-end cookie is secure when the auth cookie is secure and the site's home URL is forcedHTTPS.61 // Front-end cookie is secure when the auth cookie is secure and the site's home URL HTTPS. 62 62 $secure_logged_in_cookie = $secure && 'https' === parse_url( get_option( 'home' ), PHP_URL_SCHEME ); 63 63 64 64 /** 65 * Filters whether the connection is secure.65 * Filters whether the . 66 66 * 67 67 * @since 3.1.0 … … 77 77 * @since 3.1.0 78 78 * 79 * @param bool $secure_logged_in_cookie Whether t o use a secure cookie when logged-in.79 * @param bool $secure_logged_in_cookie Whether t. 80 80 * @param int $user_id User ID. 81 * @param bool $secure Whether the connection is secure.81 * @param bool $secure Whether the . 82 82 */ 83 83 $secure_logged_in_cookie = apply_filters( 'secure_logged_in_cookie', $secure_logged_in_cookie, $user_id, $secure ); … … 137 137 * 138 138 * @since 4.7.4 139 * 140 * @param bool $send Whether to send auth cookies to the client. 141 */ 142 if ( ! 
apply_filters( 'send_auth_cookies', true ) ) { 139 * @since 6.2.0 The `$expire`, `$expiration`, `$user_id`, `$scheme`, and `$token` parameters were added. 140 * 141 * @param bool $send Whether to send auth cookies to the client. Default true. 142 * @param int $expire The time the login grace period expires as a UNIX timestamp. 143 * Default is 12 hours past the cookie's expiration time. Zero when clearing cookies. 144 * @param int $expiration The time when the logged-in authentication cookie expires as a UNIX timestamp. 145 * Default is 14 days from now. Zero when clearing cookies. 146 * @param int $user_id User ID. Zero when clearing cookies. 147 * @param string $scheme Authentication scheme. Values include 'auth' or 'secure_auth'. 148 * Empty string when clearing cookies. 149 * @param string $token User's session token to use for this cookie. Empty string when clearing cookies. 150 */ 151 if ( ! apply_filters( 'send_auth_cookies', true, $expire, $expiration, $user_id, $scheme, $token ) ) { 143 152 return; 144 153 }
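Review bot: in samesite/trunk/composer.json, the `php` entry under `require` previously read `>= 5.6.0`, while readme.txt in this same changeset declares `Requires PHP: 7.0`. The new constraint is not legible in this view, so confirm that the committed value states the 7.0 minimum, otherwise Composer-based installs and the WordPress.org header will disagree. Removing the password-hashing keywords, which did not describe this plugin, is a welcome cleanup.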
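Review bot: samesite/trunk/readme.txt now carries `Requires PHP: 7.0`, but two unchanged passages contradict it: the description still promises a workaround to "support all PHP versions WordPress supports", and the FAQ answer says the polyfill extends support "to all previous PHP versions". Reword both so they state the 7.0 floor set by the new header. The context line "You cna pick a value" also has a typo that is worth fixing while the file is being touched.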
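Review bot: in wp_set_auth_cookie() in samesite/trunk/samesite.php, `$secure_logged_in_cookie` is false whenever the home URL scheme is not `https`, yet the readme lets the site owner configure `None`, and nothing in the visible hunks ties the two together. Browsers reject `SameSite=None` cookies that lack the `Secure` attribute, so on such a site the logged-in cookie would be dropped. Consider falling back to `Lax` when the cookie is not secure, or state in the readme that `None` requires HTTPS.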
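Review bot: the `send_auth_cookies` hunk in samesite/trunk/samesite.php copies the 6.2.0 filter signature and docblock into the plugin's own definition of wp_set_auth_cookie(), but nothing visible records which core release this copy tracks. Add a short comment at the top of the function naming that release, so the next resync with core can be checked against a known baseline rather than inferred from `@since` tags.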