From 4b22470872811fdd17da2c524db93a301724e3e0 Mon Sep 17 00:00:00 2001
From: Michael Kaufmann
Date: Wed, 25 Aug 2021 16:21:33 +0200
Subject: [PATCH] set php session security related settings (correctly in every case)

Signed-off-by: Michael Kaufmann
---
 index.php | 6 ++++++
 lib/init.php | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/index.php b/index.php
index a8c33ea33..ee1031d01 100644
--- a/index.php
+++ b/index.php
@@ -28,6 +28,12 @@
 }
 if (session_status() == PHP_SESSION_NONE) {
+ ini_set("session.name", "s");
+ ini_set("url_rewriter.tags", "");
+ ini_set("session.use_cookies", false);
+ ini_set("session.cookie_httponly", true);
+ ini_set("session.cookie_secure", $is_ssl);
+ session_id($s);
 session_start();
 }
diff --git a/lib/init.php b/lib/init.php
index 84c6e6272..11d48d101 100644
--- a/lib/init.php
+++ b/lib/init.php
@@ -161,7 +161,9 @@
 /**
 * If Froxlor was called via HTTPS -> enforce it for the next time by settings HSTS header according to settings
 */
+$is_ssl = false;
 if (isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off')) {
+ $is_ssl = true;
 $maxage = Settings::Get('system.hsts_maxage');
 if (empty($maxage)) {
 $maxage = 0;
@@ -217,6 +219,8 @@
 ini_set("session.name", "s");
 ini_set("url_rewriter.tags", "");
 ini_set("session.use_cookies", false);
+ ini_set("session.cookie_httponly", true);
+ ini_set("session.cookie_secure", $is_ssl);
 session_id($s);
 session_start();
 $query = "SELECT `s`.*, `u`.* FROM `" . TABLE_PANEL_SESSIONS . "` `s` LEFT JOIN `";
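Review bot: `ini_set("session.cookie_secure", $is_ssl)` in the index.php hunk relies on a variable that this same patch introduces in lib/init.php; if index.php reaches this `session_status()` branch before lib/init.php has run (the include order is outside the hunk), `$is_ssl` is undefined and the flag quietly ends up off, which undercuts the "correctly in every case" goal — a local fallback such as `ini_set("session.cookie_secure", !empty($is_ssl));` or deriving it from `$_SERVER['HTTPS']` on the spot would close that gap. Note also that `session.use_cookies` is switched off two lines earlier, so no session cookie is emitted and the httponly/secure flags added here (and in the lib/init.php hunk at `@@ -217`) do not change any header; the session id is carried by `$s`, whose assignment is outside the hunk. The same five `ini_set` lines now exist verbatim in both files; a small shared helper called from both places would keep them from drifting apart. The code preceding the `}` at the top of this hunk is outside it.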
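Review bot: `$is_ssl` is set only from `$_SERVER['HTTPS']`, so behind a TLS-terminating reverse proxy (where that variable is typically absent) it stays `false` and the secure cookie flag consumed later in this file and in index.php is disabled; this mirrors the existing HSTS condition, but the new variable now has a second consumer in another file, which is worth stating. A comment on the new line, e.g. `// true when this request itself arrived over TLS; used for session.cookie_secure below and in index.php`, would make that coupling visible. Whether the deployment ever runs behind such a proxy cannot be told from the hunk; the `if` body continues past its last line.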
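Review bot: `session_id($s)` still adopts whatever id is in `$s` before the two added flags take effect, and those flags only govern a cookie that the `session.use_cookies` line three lines up prevents from being sent, so this hunk does not alter how the id itself is protected. If `$s` is request-supplied (its assignment is outside the hunk), `ini_set("session.use_strict_mode", true);` next to these settings would make `session_start()` discard ids the handler has not itself issued; whether that is compatible with the `TABLE_PANEL_SESSIONS` lookup on the last line would need checking. A one-line comment such as `// cookie flags kept for defence in depth; the id is carried in $s, not in a cookie` would explain the otherwise contradictory-looking settings.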