
Merge pull request #13799 from cakephp/4.x-cookie

4.x cookie
Mark Story 6 years ago
parent
commit
2c50b16c2b

+ 3 - 3
src/Http/Cookie/Cookie.php

@@ -42,7 +42,7 @@ use InvalidArgumentException;
  * $cookie = $cookie->withValue('0');
  * ```
  *
- * @link https://tools.ietf.org/html/rfc6265
+ * @link https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03
  * @link https://en.wikipedia.org/wiki/HTTP_cookie
  * @see \Cake\Http\Cookie\CookieCollection for working with collections of cookies.
  * @see \Cake\Http\Response::getCookieCollection() for working with response cookies.
@@ -109,7 +109,7 @@ class Cookie implements CookieInterface
      * Samesite
      *
      * @var string|null
-     * @psalm-var CookieInterface::SAMESITE_LAX|CookieInterface::SAMESITE_STRICT|null
+     * @psalm-var CookieInterface::SAMESITE_LAX|CookieInterface::SAMESITE_STRICT|CookieInterface::SAMESITE_NONE|null
      */
     protected $sameSite = null;
 
@@ -194,7 +194,7 @@ class Cookie implements CookieInterface
             }
         }
 
-        return new self(
+        return new static(
             $name,
             $value,
             $options['expires'],
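Review bot: `return new static(` changes what `create()` hands back to subclasses, but the method's `@return` docblock sits above this hunk and, if it still reads `self`, should become `@return static` so callers and static analysis see the late-bound type. `new static` also presumes every subclass keeps a constructor compatible with these arguments, which is worth stating on the line: `// Late static binding: subclasses are created via create() and must accept the same constructor arguments.` The enclosing `create()` method begins and ends outside this hunk.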

+ 4 - 2
src/Http/Cookie/CookieCollection.php

@@ -357,10 +357,12 @@ class CookieCollection implements IteratorAggregate, Countable
         $hostPattern = '/' . preg_quote($host, '/') . '$/';
 
         foreach ($this->cookies as $i => $cookie) {
-            $expired = $cookie->isExpired($time);
+            if (!$cookie->isExpired($time)) {
+                continue;
+            }
             $pathMatches = strpos($path, $cookie->getPath()) === 0;
             $hostMatches = preg_match($hostPattern, $cookie->getDomain());
-            if ($pathMatches && $hostMatches && $expired) {
+            if ($pathMatches && $hostMatches) {
                 unset($this->cookies[$i]);
             }
         }
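Review bot: After the new early `continue`, the loop still drops an expired cookie only when the two matches below succeed, but nothing says why an expired cookie scoped to another path or host is deliberately kept rather than purged; a short comment above the `continue` would help, e.g. `// Only expired cookies scoped to this request's host and path are removed; others may belong to a different origin and are left alone.` Note that `$hostMatches` is the raw `preg_match()` result, so a PCRE error (`false`) is treated the same as no match, which is presumably acceptable here but worth a word. The enclosing method starts before this hunk.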

+ 11 - 3
src/Http/Cookie/CookieInterface.php

@@ -28,25 +28,33 @@ interface CookieInterface
     public const EXPIRES_FORMAT = 'D, d-M-Y H:i:s T';
 
     /**
-     * SameSite option value: Lax
+     * SameSite attribute value: Lax
      *
      * @var string
      */
     public const SAMESITE_LAX = 'Lax';
 
     /**
-     * SameSite option value: Strict
+     * SameSite attribute value: Strict
      *
      * @var string
      */
     public const SAMESITE_STRICT = 'Strict';
 
     /**
-     * Valid values for "SameSite" option.
+     * SameSite attribute value: None
+     *
+     * @var string
+     */
+    public const SAMESITE_NONE = 'None';
+
+    /**
+     * Valid values for "SameSite" attribute.
      */
     public const SAMESITE_VALUES = [
         self::SAMESITE_LAX,
         self::SAMESITE_STRICT,
+        self::SAMESITE_NONE,
     ];
 
     /**
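Review bot: The new `SAMESITE_NONE` docblock omits the one constraint a user of this constant must know: under the rfc6265bis draft this commit links and in current browsers, `SameSite=None` is only honoured when the cookie also carries the `Secure` attribute, otherwise the cookie is silently dropped. Suggested line under "SameSite attribute value: None": ` * Must be combined with the Secure attribute; browsers reject SameSite=None cookies sent without it.` Whether `Cookie` validates that pairing at construction is outside this hunk and worth confirming.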

+ 7 - 13
src/Http/Middleware/CsrfProtectionMiddleware.php

@@ -22,7 +22,6 @@ use Cake\Http\Exception\InvalidCsrfTokenException;
 use Cake\Http\Response;
 use Cake\Utility\Hash;
 use Cake\Utility\Security;
-use DateTimeImmutable;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\MiddlewareInterface;
@@ -190,20 +189,15 @@ class CsrfProtectionMiddleware implements MiddlewareInterface
      */
     protected function _addTokenCookie(string $token, ServerRequestInterface $request, Response $response): Response
     {
-        $time = $this->_config['expiry'];
-        if (is_string($time)) {
-            $time = strtotime($time);
-        }
-        $expiry = new DateTimeImmutable('@' . $time);
-
-        $cookie = new Cookie(
+        $cookie = Cookie::create(
             $this->_config['cookieName'],
             $token,
-            $expiry,
-            $request->getAttribute('webroot'),
-            '',
-            (bool)$this->_config['secure'],
-            (bool)$this->_config['httpOnly']
+            [
+                'expires' => $this->_config['expiry'] ?: null,
+                'path' => $request->getAttribute('webroot'),
+                'secure' => $this->_config['secure'],
+                'httponly' => $this->_config['httpOnly'],
+            ]
         );
 
         return $response->withCookie($cookie);
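Review bot: `'expires' => $this->_config['expiry'] ?: null` tests truthiness, so an expiry of `0` or `'0'` maps to `null`; if `0` is the documented "session cookie" default that mapping is intended and deserves a comment such as `// An expiry of 0 (the default) means a session cookie, hence ?: rather than ??.`, otherwise `?? null` is the safer form. The removed `(bool)` casts on `secure` and `httponly` are gone too, so non-bool config values now reach `Cookie::create()` uncast, and a string expiry is no longer run through `strtotime()` here; both are fine only if `create()` normalizes those option types, which is outside this hunk. The token cookie still sets no `samesite` option; now that `Cookie` supports the `SAMESITE_*` values, passing a configurable `'samesite'` would let deployments tighten the CSRF cookie. The method's closing brace lies past the end of the hunk.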