aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Web/Session.php
diff options
context:
space:
mode:
authorMario <mario@mariovavti.com>2022-01-10 11:36:20 +0000
committerMario <mario@mariovavti.com>2022-01-10 11:36:20 +0000
commit105d1211991d354932421bcc88d97baca8518b43 (patch)
tree433f3866d9e821a65d0d3795b8a64e5f0492ebec /Zotlabs/Web/Session.php
parent37d662f2f5944169507501e0ac2dc9837b5eebfc (diff)
downloadvolse-hubzilla-105d1211991d354932421bcc88d97baca8518b43.tar.gz
volse-hubzilla-105d1211991d354932421bcc88d97baca8518b43.tar.bz2
volse-hubzilla-105d1211991d354932421bcc88d97baca8518b43.zip
set samesite cookie flag to none - some browsers start to default the flag to lax (previous none)
Diffstat (limited to 'Zotlabs/Web/Session.php')
-rw-r--r--Zotlabs/Web/Session.php75
1 files changed, 56 insertions, 19 deletions
diff --git a/Zotlabs/Web/Session.php b/Zotlabs/Web/Session.php
index 6f92a0319..443a02d20 100644
--- a/Zotlabs/Web/Session.php
+++ b/Zotlabs/Web/Session.php
@@ -25,7 +25,7 @@ class Session {
ini_set('session.cookie_httponly', 1);
$this->custom_handler = boolval(get_config('system', 'session_custom', false));
-
+
/*
* Set our session storage functions.
*/
@@ -67,23 +67,24 @@ class Session {
}
- // Force cookies to be secure (https only) if this site is SSL enabled.
+ // Force cookies to be secure (https only) if this site is SSL enabled.
// Must be done before session_start().
$arr = session_get_cookie_params();
-
+
// Note when setting cookies: set the domain to false which creates a single domain
// cookie. If you use a hostname it will create a .domain.com wildcard which will
- // have some nasty side effects if you have any other subdomains running hubzilla.
-
- session_set_cookie_params(
- ((isset($arr['lifetime'])) ? $arr['lifetime'] : 0),
- ((isset($arr['path'])) ? $arr['path'] : '/'),
- (($arr['domain']) ? $arr['domain'] : false),
- ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
- ((isset($arr['httponly'])) ? $arr['httponly'] : true)
- );
+ // have some nasty side effects if you have any other subdomains running hubzilla.
+
+ session_set_cookie_params([
+ 'lifetime' => ((isset($arr['lifetime'])) ? $arr['lifetime'] : 0),
+ 'path' => ((isset($arr['path'])) ? $arr['path'] : '/'),
+ 'domain' => (($arr['domain']) ? $arr['domain'] : false),
+ 'secure' => ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
+ 'httponly' => ((isset($arr['httponly'])) ? $arr['httponly'] : true),
+ 'samesite' => 'None'
+ ]);
register_shutdown_function('session_write_close');
@@ -127,13 +128,36 @@ class Session {
$this->handler->read(session_id());
}
}
- else
+ else
logger('no session handler');
if (x($_COOKIE, 'jsdisabled')) {
- setcookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime, '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
+ setcookie(
+ 'jsdisabled',
+ $_COOKIE['jsdisabled'],
+ [
+ 'expires' => $newxtime,
+ 'path' => '/',
+ 'domain' => false,
+ 'secure' => ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
+ 'httponly' => ((isset($arr['httponly'])) ? $arr['httponly'] : true),
+ 'samesite' => 'None'
+ ]
+ );
}
- setcookie(session_name(),session_id(),$newxtime, '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
+
+ setcookie(
+ session_name(),
+ session_id(),
+ [
+ 'expires' => $newxtime,
+ 'path' => '/',
+ 'domain' => false,
+ 'secure' => ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
+ 'httponly' => ((isset($arr['httponly'])) ? $arr['httponly'] : true),
+ 'samesite' => 'None'
+ ]
+ );
$arr = array('expire' => $xtime);
call_hooks('new_cookie', $arr);
@@ -148,8 +172,21 @@ class Session {
$xtime = (($_SESSION['remember_me']) ? (60 * 60 * 24 * 365) : 0 );
- if($xtime)
- setcookie(session_name(),session_id(),(time() + $xtime), '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
+ if($xtime) {
+ setcookie(
+ session_name(),
+ session_id(),
+ [
+ 'expires' => time() + $xtime,
+ 'path' => '/',
+ 'domain' => false,
+ 'secure' => ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
+ 'httponly' => ((isset($arr['httponly'])) ? $arr['httponly'] : true),
+ 'samesite' => 'None'
+ ]
+ );
+ }
+
$arr = array('expire' => $xtime);
call_hooks('extend_cookie', $arr);
@@ -169,8 +206,8 @@ class Session {
if($_SESSION['addr'] && $_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
- $partial1 = substr($_SESSION['addr'], 0, strrpos($_SESSION['addr'], '.'));
- $partial2 = substr($_SERVER['REMOTE_ADDR'], 0, strrpos($_SERVER['REMOTE_ADDR'], '.'));
+ $partial1 = substr($_SESSION['addr'], 0, strrpos($_SESSION['addr'], '.'));
+ $partial2 = substr($_SERVER['REMOTE_ADDR'], 0, strrpos($_SERVER['REMOTE_ADDR'], '.'));
$paranoia = intval(get_pconfig($_SESSION['uid'], 'system', 'paranoia'));