Allow to specify the cookie type for appframework responses

In general it is good to set them to Lax. But also to give devs more
control over them is not a bad thing.

Helps with #21474

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

Author: rullzer

lib/private/AppFramework/App.php

@@ -151,14 +151,20 @@ public static function main(string $controllerName, string $methodName, DIContai
 			if ($value['expireDate'] instanceof \DateTime) {
 				$expireDate = $value['expireDate']->getTimestamp();
 			}
+			$sameSite = 'Lax';
+			if (isset($value['sameSite'])) {
+				$sameSite = $value['sameSite'];
+			}
+
 			$io->setCookie(
 				$name,
 				$value['value'],
 				$expireDate,
 				$container->getServer()->getWebRoot(),
 				null,
 				$container->getServer()->getRequest()->getServerProtocol() === 'https',
-				true
+				true,
+				$sameSite
 			);
 		}
 

lib/private/AppFramework/Http/Output.php

@@ -92,8 +92,20 @@ public function getHttpResponseCode() {
 	 * @param bool $secure
 	 * @param bool $httpOnly
 	 */
-	public function setCookie($name, $value, $expire, $path, $domain, $secure, $httpOnly) {
+	public function setCookie($name, $value, $expire, $path, $domain, $secure, $httpOnly, $sameSite = 'Lax') {
 		$path = $this->webRoot ? : '/';
-		setcookie($name, $value, $expire, $path, $domain, $secure, $httpOnly);
+
+		if (PHP_VERSION_ID < 70300) {
+			setcookie($name, $value, $expire, $path, $domain, $secure, $httpOnly);
+		} else {
+			setcookie($name, $value, [
+				'expires' => $expire,
+				'path' => $path,
+				'domain' => $domain,
+				'secure' => $secure,
+				'httponly' => $httpOnly,
+				'samesite' => $sameSite
+			]);
+		}
 	}
 }

lib/public/AppFramework/Http/IOutput.php

@@ -72,7 +72,8 @@ public function setHttpResponseCode($code);
 	 * @param string $domain
 	 * @param bool $secure
 	 * @param bool $httpOnly
+	 * @param string $sameSite (added in 20)
 	 * @since 8.1.0
 	 */
-	public function setCookie($name, $value, $expire, $path, $domain, $secure, $httpOnly);
+	public function setCookie($name, $value, $expire, $path, $domain, $secure, $httpOnly, $sameSite = 'Lax');
 }

lib/public/AppFramework/Http/Response.php

@@ -133,11 +133,12 @@ public function cacheFor(int $cacheSeconds, bool $public = false) {
 	 * @param \DateTime|null $expireDate Date on that the cookie should expire, if set
 	 * 									to null cookie will be considered as session
 	 * 									cookie.
+	 * @param string $sameSite The samesite value of the cookie. Defaults to Lax. Other possibilities are Strict or None
 	 * @return $this
 	 * @since 8.0.0
 	 */
-	public function addCookie($name, $value, \DateTime $expireDate = null) {
-		$this->cookies[$name] = ['value' => $value, 'expireDate' => $expireDate];
+	public function addCookie($name, $value, \DateTime $expireDate = null, $sameSite = 'Lax') {
+		$this->cookies[$name] = ['value' => $value, 'expireDate' => $expireDate, 'sameSite' => $sameSite];
 		return $this;
 	}