Update setcookie calls to use associative array syntax for improved readability and stricter cookie handling options (samesite: Strict).

msyk · msyk · commit 837db4624e19 · 2026-04-11T16:05:21.000+09:00
diff --git a/src/php/Auth/OAuthAuth.php b/src/php/Auth/OAuthAuth.php
@@ -258,13 +258,15 @@ public function userInfoToLogin(?string $currentUser = null, ?string $password =
                 $generatedClientID = IMUtil::generateClientId('', $credential);
                 $challenge = IMUtil::generateChallenge();
                 $dbProxy->saveChallenge($param["username"], $challenge, $generatedClientID, "+");
-                setcookie('_im_credential_token',
-                    $dbProxy->generateCredential($challenge, $generatedClientID, $credential),
-                    time() + $authExpired, '/', "", false, true);
-                setcookie("_im_username_{$oAuthRealm}",
-                    $param["username"], time() + $authExpired, '/', "", false, false);
-                setcookie("_im_clientid_{$oAuthRealm}",
-                    $generatedClientID, time() + $authExpired, '/', "", false, false);
+                setcookie('_im_credential_token', $dbProxy->generateCredential($challenge, $generatedClientID, $credential),
+                    ['expires' => time() + $authExpired, 'path' => '/', 'domain' => '',
+                        'secure' => false, 'httponly' => true, 'samesite' => 'Strict']);
+                setcookie("_im_username_{$oAuthRealm}", $param["username"],
+                    ['expires' => time() + $authExpired, 'path' => '/', 'domain' => '',
+                        'secure' => false, 'httponly' => false, 'samesite' => 'Strict']);
+                setcookie("_im_clientid_{$oAuthRealm}", $generatedClientID,
+                    ['expires' => time() + $authExpired, 'path' => '/', 'domain' => '',
+                        'secure' => false, 'httponly' => false, 'samesite' => 'Strict']);
             }
 
             if ($this->debugMode) {
diff --git a/src/php/DB/Support/ActionHandlers/ActionHandler.php b/src/php/DB/Support/ActionHandlers/ActionHandler.php
@@ -425,18 +425,19 @@ protected function setCookieOfChallenge(string $key, string $challenge, string $
         Logger::getInstance()->setDebugMessage("[setCookieOfChallenge] key={$key} value{$challenge}/{$generatedClientID}/{$hashedPassword}", 2);
         $proxy = $this->proxy;
         $dbSettings = $proxy->dbSettings;
-        setcookie($key,
-            $proxy->generateCredential($challenge, $generatedClientID, $hashedPassword),
-            time() + $dbSettings->getAuthenticationItem('authexpired'), '/',
-            $proxy->credentialCookieDomain, false, true);
+        setcookie($key, $proxy->generateCredential($challenge, $generatedClientID, $hashedPassword),
+            ['expires' => time() + $dbSettings->getAuthenticationItem('authexpired'), 'path' => '/',
+                'domain' => $proxy->credentialCookieDomain, 'secure' => false, 'httponly' => true, 'samesite' => 'Strict']);
     }
 
     /** Clears authentication cookies.
      * @return void
      */
     protected function clearAuthenticationCookies(): void
     {
-        setcookie("_im_credential_token", "", time() - 3600); // Should be removed.
-        setcookie("_im_credential_2FA", "", time() - 3600); // Should be removed.
+        setcookie("_im_credential_token", "",
+            ['expires' => time() - 3600, 'path' => '/', 'samesite' => 'Strict']); // Should be removed.
+        setcookie("_im_credential_2FA", "",
+            ['expires' => time() - 3600, 'path' => '/', 'samesite' => 'Strict']); // Should be removed.
     }
 }
diff --git a/src/php/DB/Support/ActionHandlers/AuthPasskeyHandler.php b/src/php/DB/Support/ActionHandlers/AuthPasskeyHandler.php
@@ -128,13 +128,15 @@ public function handleChallenge(): void
             $generatedClientID = IMUtil::generateClientId('', $this->credential);
             $challenge = IMUtil::generateChallenge();
             $this->proxy->saveChallenge($this->username, $challenge, $generatedClientID, "+");
-            setcookie('_im_credential_token',
-                $this->proxy->generateCredential($challenge, $generatedClientID, $this->credential),
-                time() + $authExpired, '/', "", false, true);
-            setcookie("_im_username_{$authRealm}",
-                $this->username, time() + $authExpired, '/', "", false, false);
-            setcookie("_im_clientid_{$authRealm}",
-                $generatedClientID, time() + $authExpired, '/', "", false, false);
+            setcookie('_im_credential_token', $this->proxy->generateCredential($challenge, $generatedClientID, $this->credential),
+                ['expires' => time() + $authExpired, 'path' => '/', 'domain' => '',
+                    'secure' => false, 'httponly' => true, 'samesite' => 'Strict']);
+            setcookie("_im_username_{$authRealm}", $this->username,
+                ['expires' => time() + $authExpired, 'path' => '/', 'domain' => '',
+                    'secure' => false, 'httponly' => false, 'samesite' => 'Strict']);
+            setcookie("_im_clientid_{$authRealm}", $generatedClientID,
+                ['expires' => time() + $authExpired, 'path' => '/', 'domain' => '',
+                    'secure' => false, 'httponly' => false, 'samesite' => 'Strict']);
         }
     }
 }
diff --git a/src/php/DB/Support/Proxy_Auth.php b/src/php/DB/Support/Proxy_Auth.php
@@ -245,11 +245,11 @@ public function handleMediaToken(): void
                 $cookieNameToken .= ('_' . $realm);
             }
             setcookie($cookieNameToken, $generatedChallenge,
-                time() + $this->dbSettings->getAuthenticationItem('authexpired'), '/',
-                $this->credentialCookieDomain, false, true);
+                ['expires' => time() + $this->dbSettings->getAuthenticationItem('authexpired'), 'path' => '/',
+                    'domain' => $this->credentialCookieDomain, 'secure' => false, 'httponly' => true, 'samesite' => 'Strict']);
             setcookie($cookieNameUser, $this->paramAuthUser,
-                time() + $this->dbSettings->getAuthenticationItem('authexpired'), '/',
-                $this->credentialCookieDomain, false, false);
+                ['expires' => time() + $this->dbSettings->getAuthenticationItem('authexpired'), 'path' => '/',
+                    'domain' => $this->credentialCookieDomain, 'secure' => false, 'httponly' => false, 'samesite' => 'Strict']);
             $this->logger->setDebugMessage("mediatoken stored", 2);
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -245,11 +245,11 @@ public function handleMediaToken(): void`
`245`	`245`	`$cookieNameToken .= ('_' . $realm);`
`246`	`246`	`}`
`247`	`247`	`setcookie($cookieNameToken, $generatedChallenge,`
`248`		`- time() + $this->dbSettings->getAuthenticationItem('authexpired'), '/',`
`249`		`- $this->credentialCookieDomain, false, true);`
	`248`	`+ ['expires' => time() + $this->dbSettings->getAuthenticationItem('authexpired'), 'path' => '/',`
	`249`	`+ 'domain' => $this->credentialCookieDomain, 'secure' => false, 'httponly' => true, 'samesite' => 'Strict']);`
`250`	`250`	`setcookie($cookieNameUser, $this->paramAuthUser,`
`251`		`- time() + $this->dbSettings->getAuthenticationItem('authexpired'), '/',`
`252`		`- $this->credentialCookieDomain, false, false);`
	`251`	`+ ['expires' => time() + $this->dbSettings->getAuthenticationItem('authexpired'), 'path' => '/',`
	`252`	`+ 'domain' => $this->credentialCookieDomain, 'secure' => false, 'httponly' => false, 'samesite' => 'Strict']);`
`253`	`253`	`$this->logger->setDebugMessage("mediatoken stored", 2);`
`254`	`254`	`}`
`255`	`255`	`}`