
set php session security related settings (correctly in every case)
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
d00p committed Aug 25, 2021
1 parent ec1c37a commit 4b22470
Showing 2 changed files with 10 additions and 0 deletions.
6 changes: 6 additions & 0 deletions index.php
Expand Up @@ -28,6 +28,12 @@
}

if (session_status() == PHP_SESSION_NONE) {
ini_set("session.name", "s");
ini_set("url_rewriter.tags", "");
ini_set("session.use_cookies", false);
ini_set("session.cookie_httponly", true);
ini_set("session.cookie_secure", $is_ssl);
session_id($s);
session_start();
}

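Review bot: The added `session.cookie_httponly` and `session.cookie_secure` settings have no effect on this session, because `session.use_cookies` is set to false two lines above them, so PHP never emits a session cookie here and the id is taken from `$s` via `session_id($s)` instead. If the intent is to protect a session cookie, `use_cookies` would have to be enabled; if the id is deliberately carried outside a cookie, the two lines are harmless but give no protection, and a comment such as `// no effect while session.use_cookies is off; the id is supplied via $s` would keep a reader from assuming the session is now cookie-hardened. `$is_ssl` is assigned in lib/init.php in this same commit; whether that assignment has run by the time index.php reaches this line is not visible from the hunk. The same two lines appear in the lib/init.php hunk at -217 and the same remark applies there. As a style point, `session_status() == PHP_SESSION_NONE` compares against an int constant and would read better as `===`.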
4 changes: 4 additions & 0 deletions lib/init.php
Expand Up @@ -161,7 +161,9 @@
/**
* If Froxlor was called via HTTPS -> enforce it for the next time by settings HSTS header according to settings
*/
$is_ssl = false;
if (isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off')) {
$is_ssl = true;
$maxage = Settings::Get('system.hsts_maxage');
if (empty($maxage)) {
$maxage = 0;
Expand Down Expand Up @@ -217,6 +219,8 @@
ini_set("session.name", "s");
ini_set("url_rewriter.tags", "");
ini_set("session.use_cookies", false);
ini_set("session.cookie_httponly", true);
ini_set("session.cookie_secure", $is_ssl);
session_id($s);
session_start();
$query = "SELECT `s`.*, `u`.* FROM `" . TABLE_PANEL_SESSIONS . "` `s` LEFT JOIN `";
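Review bot: `$is_ssl` in the -161 hunk is derived solely from `$_SERVER['HTTPS']`, so on a deployment where TLS is terminated by a reverse proxy that does not populate that variable, `$is_ssl` stays false and the `session.cookie_secure` setting fed from it in the -217 hunk is left off even though the browser is on HTTPS. Whether Froxlor supports such a setup is not visible here; if it does, the detection would also need to honour a trusted forwarding header (for example `X-Forwarded-Proto` from a configured proxy) or an explicit setting rather than `$_SERVER['HTTPS']` alone. As a style point, `strtolower($_SERVER['HTTPS']) != 'off'` would be `!== 'off'` since both sides are strings. The `if` block opened at `if (isset($_SERVER['HTTPS']) && ...` continues past the end of the hunk.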
