Add config.php options to set defaults for Cookie class #2184

common/defaults/config.php

@@ -70,6 +70,13 @@ return array(
 		'lifetime' => 0,
 		'refresh' => 300,
 	),
+	'cookie' => array(
+		'domain' => null,
+		'path' => null,
+		'secure' => null,
+		'httponly' => null,
+		'samesite' => 'Lax',
+	),
 	'file' => array(
 		'folder_structure' => 2,
 		'umask' => '0022',

common/framework/Cookie.php

@@ -58,17 +58,25 @@ class Cookie
 		}
 
 		// Set defaults.
-		if (!isset($options['path']))
+		if (!array_key_exists('path', $options))
 		{
-			$options['path'] = \RX_BASEURL;
+			$options['path'] = config('cookie.path') ?? \RX_BASEURL;
+		}
+		if (!array_key_exists('domain', $options) && ($default_domain = config('cookie.domain')))
+		{
+			$options['domain'] = $default_domain;
 		}
 		if (!isset($options['secure']))
 		{
 			$options['secure'] = \RX_SSL && !!config('session.use_ssl_cookies');
 		}
+		if (!isset($options['httponly']))
+		{
+			$options['httponly'] = config('cookie.httponly') ?? false;
+		}
 		if (!isset($options['samesite']))
 		{
-			$options['samesite'] = 'Lax';
+			$options['samesite'] = config('cookie.samesite') ?? 'Lax';
 		}
 
 		// PHP 7.3+ supports the samesite attribute natively. PHP 7.2 requires a hack.

modules/admin/controllers/systemconfig/Security.php

@@ -140,6 +140,22 @@ class Security extends Base
 		Config::set('security.x_frame_options', strtoupper($vars->x_frame_options));
 		Config::set('security.x_content_type_options', strtolower($vars->x_content_type_options));
 
+		// Prepare the alternate config key for cookies.
+		if (Config::get('cookie'))
+		{
+			Config::set('cookie.secure', $vars->use_cookies_ssl === 'Y');
+		}
+		else
+		{
+			Config::set('cookie', [
+				'domain' => null,
+				'path' => null,
+				'secure' => $vars->use_cookies_ssl === 'Y',
+				'httponly' => null,
+				'samesite' => 'Lax',
+			]);
+		}
+
 		// Save
 		if (!Config::save())
 		{