fix(core): Don't set samesite cookies on status.php

Fixes an issue where samesite cookies are sent on status.php before
session is started; cookies with webroots other than '/' therefore
have the wrong name and lead to samesite cookie validation failures.

- resolves #54227

Signed-off-by: Scott Shambarger <devel@shambarger.net>

Author: sshambar

lib/base.php

@@ -548,10 +548,11 @@ private static function performSameSiteCookieProtection(IConfig $config): void {
 			return;
 		}
 
+		$requestUri = $request->getScriptName();
+		$processingScript = explode('/', $requestUri);
+		$processingScript = $processingScript[count($processingScript) - 1];
+
 		if (count($_COOKIE) > 0) {
-			$requestUri = $request->getScriptName();
-			$processingScript = explode('/', $requestUri);
-			$processingScript = $processingScript[count($processingScript) - 1];
 
 			if ($processingScript === 'index.php' // index.php routes are handled in the middleware
 				|| $processingScript === 'cron.php' // and cron.php does not need any authentication at all
@@ -573,7 +574,12 @@ private static function performSameSiteCookieProtection(IConfig $config): void {
 					exit();
 				}
 			}
-		} elseif (!isset($_COOKIE['nc_sameSiteCookielax']) || !isset($_COOKIE['nc_sameSiteCookiestrict'])) {
+		} else {
+			// Session not started for status.php, skip setting SS cookies
+			if ($processingScript === 'status.php') {
+				return;
+			}
+			// set nc_sameSiteCookielax and nc_sameSiteCookiestrict
 			self::sendSameSiteCookies();
 		}
 	}