I have just read about preventing CSRF with the same-site cookie attribute and I think it would be a good idea to set this for the cookies DokuWiki uses as an additional protection. I expect that in most use cases this should not have any negative side effects but use cases like site A embeds a protected image hosted in a wiki on site B that loads if you are logged in on site B would break. However, given that this becomes default in Chrome 78, this would break anyway soon.
The SameSite attribute has been introduced in PHP 7.3.0 for session_set_cookie_params and setcookie, therefore, until the minimum supported PHP version is 7.3.0, we would need to check for the required PHP version and use the old function calls otherwise.
Not sure if this needs to be a default, or an option. It's possible to have usage of linking DokuWiki-protected image somewhere else.
Related to #2836, #1676.
Without any changes, Chrome 80 will enable SameSite=lax by default (and Chrome 78 in the beta version). This means if we believe that SameSite=lax is a problem, we need to release a new version of DokuWiki with SameSite=None this year (unless Google should change the schedule). Protected DokuWiki pages that are embedded in a frame and protected images being used on a different site are the two use cases I can think of here. However, I don't believe they are frequent. Therefore I don't see any reason why DokuWiki shouldn't set this at least by default to lax so users of all browsers enjoy the same kind of protection. https://web.dev/samesite-cookies-explained provides a nice explanation of which cookies are sent in what kind of request.
It sounds like I am very conservative, but honestly I feel more and more skeptical about what Google decides nowadays on their Chrome default. (Just need one more browser vendor's opinion on this.)
One thing about this cookie config, different from other features discussed in #1676, is that a plugin cannot override this at all. Maybe it's worthwhile to implemented this in core, but again, I am not sure if this needs an option.
Firefox (and Edge) will do exactly the same thing, just with no ETA set yet AFAIK. Please default to a restrictive cookie setting on dokuwiki, with an divergent option for those rare cases that need it.
I am of the opinion that the SameSite attribute should be implemented for at least the DW
Most helpful comment
Firefox (and Edge) will do exactly the same thing, just with no ETA set yet AFAIK. Please default to a restrictive cookie setting on dokuwiki, with an divergent option for those rare cases that need it.