From 507ede701a0eb4ccb1ab89dabdf7da0921f28f1b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hanno=20B=C3=B6ck?=
Date: Fri, 24 Apr 2020 20:13:10 +0200
Subject: [PATCH] Simplify cookie option code and set security flags httponly and samesite=Lax. Include compatibility code for pre-7.3 PHP versions.

---
 serendipity_config.inc.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/serendipity_config.inc.php b/serendipity_config.inc.php
index 564dac7a..f7c72f49 100644
--- a/serendipity_config.inc.php
+++ b/serendipity_config.inc.php
@@ -10,9 +10,13 @@ if (defined('S9Y_FRAMEWORK')) {
 if (!headers_sent() && php_sapi_name() !== 'cli') {
 // Only set the session name, if no session has yet been issued.
 if (session_id() == '') {
- $cookieParams = session_get_cookie_params();
- $cookieParams['secure'] = (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on' ? true : false);
- session_set_cookie_params($cookieParams['lifetime'], $cookieParams['path'], $cookieParams['domain'], $cookieParams['secure'], $cookieParams['httponly']);
+ $secure = (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on');
+ if (PHP_VERSION_ID >= 70300) {
+ session_set_cookie_params(array("secure"=>$secure, "httponly"=>true, "samesite"=>"Lax"));
+ } else {
+ // Support for PHP before 7.3, can be removed at some point
+ session_set_cookie_params(0, '/', '', $secure, true);
+ }
 session_name('s9y_' . md5(dirname(__FILE__)));
 session_start();
 }
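Review bot: The pre-7.3 fallback branch hard-codes `0, '/', ''` for lifetime, path and domain, whereas the removed code read them from `session_get_cookie_params()`, so on those PHP versions the `session.cookie_lifetime`, `session.cookie_path` and `session.cookie_domain` ini settings are silently discarded and an installation with a custom cookie domain or path gets a differently scoped session cookie than before. Keeping the old lookup in that branch avoids the regression: `$cookieParams = session_get_cookie_params();` followed by `session_set_cookie_params($cookieParams['lifetime'], $cookieParams['path'], $cookieParams['domain'], $secure, true);`. The 7.3+ array form appears to leave unspecified keys at their current ini values, so that branch presumably keeps them — worth confirming against the PHP version in use. The `$secure` detection still depends solely on `$_SERVER['HTTPS']`, so behind a TLS-terminating proxy that does not set it the cookie is issued without the Secure flag; that is pre-existing behavior but now sits next to the other hardening flags, so a short comment noting the limitation would help. The enclosing `if (defined('S9Y_FRAMEWORK'))` block begins before this hunk.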