diff options
author | Mario <mario@mariovavti.com> | 2022-01-10 11:36:20 +0000 |
---|---|---|
committer | Mario <mario@mariovavti.com> | 2022-01-10 11:36:20 +0000 |
commit | 105d1211991d354932421bcc88d97baca8518b43 (patch) | |
tree | 433f3866d9e821a65d0d3795b8a64e5f0492ebec /Zotlabs | |
parent | 37d662f2f5944169507501e0ac2dc9837b5eebfc (diff) | |
download | volse-hubzilla-105d1211991d354932421bcc88d97baca8518b43.tar.gz volse-hubzilla-105d1211991d354932421bcc88d97baca8518b43.tar.bz2 volse-hubzilla-105d1211991d354932421bcc88d97baca8518b43.zip |
set samesite cookie flag to none - some browsers start to default the flag to lax (previous none)
Diffstat (limited to 'Zotlabs')
-rw-r--r-- | Zotlabs/Web/Session.php | 75 |
1 files changed, 56 insertions, 19 deletions
diff --git a/Zotlabs/Web/Session.php b/Zotlabs/Web/Session.php index 6f92a0319..443a02d20 100644 --- a/Zotlabs/Web/Session.php +++ b/Zotlabs/Web/Session.php @@ -25,7 +25,7 @@ class Session { ini_set('session.cookie_httponly', 1); $this->custom_handler = boolval(get_config('system', 'session_custom', false)); - + /* * Set our session storage functions. */ @@ -67,23 +67,24 @@ class Session { } - // Force cookies to be secure (https only) if this site is SSL enabled. + // Force cookies to be secure (https only) if this site is SSL enabled. // Must be done before session_start(). $arr = session_get_cookie_params(); - + // Note when setting cookies: set the domain to false which creates a single domain // cookie. If you use a hostname it will create a .domain.com wildcard which will - // have some nasty side effects if you have any other subdomains running hubzilla. - - session_set_cookie_params( - ((isset($arr['lifetime'])) ? $arr['lifetime'] : 0), - ((isset($arr['path'])) ? $arr['path'] : '/'), - (($arr['domain']) ? $arr['domain'] : false), - ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false), - ((isset($arr['httponly'])) ? $arr['httponly'] : true) - ); + // have some nasty side effects if you have any other subdomains running hubzilla. + + session_set_cookie_params([ + 'lifetime' => ((isset($arr['lifetime'])) ? $arr['lifetime'] : 0), + 'path' => ((isset($arr['path'])) ? $arr['path'] : '/'), + 'domain' => (($arr['domain']) ? $arr['domain'] : false), + 'secure' => ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false), + 'httponly' => ((isset($arr['httponly'])) ? $arr['httponly'] : true), + 'samesite' => 'None' + ]); register_shutdown_function('session_write_close'); @@ -127,13 +128,36 @@ class Session { $this->handler->read(session_id()); } } - else + else logger('no session handler'); if (x($_COOKIE, 'jsdisabled')) { - setcookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime, '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true)); + setcookie( + 'jsdisabled', + $_COOKIE['jsdisabled'], + [ + 'expires' => $newxtime, + 'path' => '/', + 'domain' => false, + 'secure' => ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false), + 'httponly' => ((isset($arr['httponly'])) ? $arr['httponly'] : true), + 'samesite' => 'None' + ] + ); } - setcookie(session_name(),session_id(),$newxtime, '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true)); + + setcookie( + session_name(), + session_id(), + [ + 'expires' => $newxtime, + 'path' => '/', + 'domain' => false, + 'secure' => ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false), + 'httponly' => ((isset($arr['httponly'])) ? $arr['httponly'] : true), + 'samesite' => 'None' + ] + ); $arr = array('expire' => $xtime); call_hooks('new_cookie', $arr); @@ -148,8 +172,21 @@ class Session { $xtime = (($_SESSION['remember_me']) ? (60 * 60 * 24 * 365) : 0 ); - if($xtime) - setcookie(session_name(),session_id(),(time() + $xtime), '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true)); + if($xtime) { + setcookie( + session_name(), + session_id(), + [ + 'expires' => time() + $xtime, + 'path' => '/', + 'domain' => false, + 'secure' => ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false), + 'httponly' => ((isset($arr['httponly'])) ? $arr['httponly'] : true), + 'samesite' => 'None' + ] + ); + } + $arr = array('expire' => $xtime); call_hooks('extend_cookie', $arr); @@ -169,8 +206,8 @@ class Session { if($_SESSION['addr'] && $_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) { logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']); - $partial1 = substr($_SESSION['addr'], 0, strrpos($_SESSION['addr'], '.')); - $partial2 = substr($_SERVER['REMOTE_ADDR'], 0, strrpos($_SERVER['REMOTE_ADDR'], '.')); + $partial1 = substr($_SESSION['addr'], 0, strrpos($_SESSION['addr'], '.')); + $partial2 = substr($_SERVER['REMOTE_ADDR'], 0, strrpos($_SERVER['REMOTE_ADDR'], '.')); $paranoia = intval(get_pconfig($_SESSION['uid'], 'system', 'paranoia')); |