Figured out why it breaks sometimes.
-
--- a/samesite.php
+++ b/samesite.php
@@
function samesite_setcookie($name, $value, array $options) {
$header = 'Set-Cookie:';
$header .= rawurlencode($name) . '=' . rawurlencode($value) . ';';
if (!empty($options['expires']) && $options['expires'] > 0) {
$header .= 'expires=' . \gmdate('D, d-M-Y H:i:s T', (int) $options['expires']) . ';';
$header .= 'Max-Age=' . max(0, (int) ($options['expires'] - time())) . ';';
}
- $header .= 'path=' . rawurlencode($options['path']). ';';
- $header .= 'domain=' . rawurlencode($options['domain']) . ';';
+ // Path/domain attributes must be sent as plain cookie-av values.
+ // Encoding "/" to "%2F" breaks path matching and can force default-path behavior.
+ $path = isset($options['path']) ? (string) $options['path'] : '/';
+ if ($path === '') {
+ $path = '/';
+ }
+ $header .= 'path=' . $path . ';';
+
+ $domain = isset($options['domain']) ? trim((string) $options['domain']) : '';
+ if ($domain !== '') {
+ $header .= 'domain=' . $domain . ';';
+ }
if (!empty($options['secure'])) {
$header .= 'secure;';
}
$header .= 'httponly;';
- $header .= 'SameSite=' . rawurlencode($options['samesite']);
+ $samesite = isset($options['samesite']) ? (string) $options['samesite'] : 'Lax';
+ if (!in_array($samesite, ['Lax', 'Strict', 'None'], true)) {
+ $samesite = 'Lax';
+ }
+ $header .= 'SameSite=' . $samesite;
header($header, false);
$_COOKIE[$name] = $value;
}
The issue is that the plugin is urlencoding the path for the cookie — which changes it from
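Review bot: Dropping rawurlencode() on the path and domain attributes (the `path=` and `domain=` appends) removes the only thing that stopped a `;`, `,` or whitespace in `$options['path']` / `$options['domain']` from terminating the cookie-av and appending extra attributes to the Set-Cookie header; the plain-value form needs the same character check PHP's own setcookie() performs before the values are concatenated. Also, the SameSite branch accepts `None` but does nothing about `secure`, and browsers discard `SameSite=None` cookies that are not also Secure, so that branch should either append `secure;` when it is missing or fall back to `Lax`. The rewritten path/domain section below keeps the new plain-value behaviour and adds the validation; the header() call and the rest of the function are unchanged.
```php
$path = isset($options['path']) ? (string) $options['path'] : '/';
if ($path === '') {
    $path = '/';
}
$domain = isset($options['domain']) ? trim((string) $options['domain']) : '';
// Same restriction setcookie() enforces: any of these characters would end the
// path/domain cookie-av and let a caller-supplied value add further attributes.
if (strpbrk($path . $domain, ",; \t\r\n\x0b\x0c") !== false) {
    trigger_error('Cookie path/domain cannot contain ",; \t\r\n\013\014"', E_USER_WARNING);
    return false;
}
$header .= 'path=' . $path . ';';
if ($domain !== '') {
    $header .= 'domain=' . $domain . ';';
}
// … unchanged: secure / httponly / SameSite handling and header() call …
```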
`/` to `%2F`, which browsers interpret as “the current directory setting the cookie” — so if you’re not in the site root (for example on `wp-login.php`) then it’ll set the auth cookie in a subdirectory.