Secure sessions and cookies by httpOnly, Secure and when possible by …

…SameSite

download.php

@@ -14,7 +14,7 @@
 require_once 'include/config/conf.inc.php';
 
 if( !empty($phpwcms['SESSION_FEinit']) ) {
-    @session_start();
+    $phpwcms['SESSION_START'] = true;
 }
 
 require_once 'include/inc_lib/default.inc.php';

filebrowser.php

@@ -20,9 +20,7 @@
  * - Issue 265 based on TB's post
  */
 
-session_start();
-
-$phpwcms            = array();
+$phpwcms            = array('SESSION_START' => true);
 $phpwcms_root       = rtrim(str_replace('\\', '/', dirname(__FILE__)), '/');
 $js_files_all       = array();
 $js_files_select    = array();

fileinfo.php

@@ -9,15 +9,12 @@
  *
  **/
 
-session_start();
-
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 require_once 'include/config/conf.inc.php';
 
 if(empty($_SESSION["wcs_user_lang"])) {
     session_destroy();
     headerRedirect($phpwcms['site'].$phpwcms["root"]);
-
 } else {
     require 'include/inc_lang/backend/en/lang.ext.inc.php';
     $cust_lang = 'include/inc_lang/backend/'.substr($_SESSION["wcs_user_lang"],0,2).'/lang.ext.inc.php';

img/blank.php

@@ -38,7 +38,7 @@
 
 		if(empty($_COOKIE['phpwcmsAdsUserId']) || !preg_match('/^[0-9a-f]{32}$/', ($ads_userid = $_COOKIE['phpwcmsAdsUserId']) ) ) {
 			$ads_userid	= md5($ads_userip.microtime());
-			setcookie('phpwcmsAdsUserId', $ads_userid, time()+63072000, '/', getCookieDomain() );
+			setcookie('phpwcmsAdsUserId', $ads_userid, time()+63072000, '/', getCookieDomain(), PHPWCMS_SSL, true);
 		}
 
 		$t = array();

img/cmsimage.php

@@ -124,7 +124,8 @@
 
         if(is_intval($hash)) {
 
-            @session_start();
+            $phpwcms['SESSION_START'] = true;
+            require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
             $file_public = empty($_SESSION["wcs_user_id"]) ? 'f_public=1' : '(f_public=1 OR f_uid='.intval($_SESSION["wcs_user_id"]).')';
 
             require_once(PHPWCMS_ROOT.'/include/inc_lib/dbcon.inc.php');
@@ -154,7 +155,8 @@
 
         } elseif(strlen($hash) === 32 && (!$ext || !is_file(PHPWCMS_ROOT.'/'.PHPWCMS_FILES.$hash.'.'.$ext))) {
 
-            @session_start();
+            $phpwcms['SESSION_START'] = true;
+            require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
             $file_public = empty($_SESSION["wcs_user_id"]) ? 'f_public=1' : '(f_public=1 OR f_uid='.intval($_SESSION["wcs_user_id"]).')';
 
             require_once PHPWCMS_ROOT.'/include/inc_lib/dbcon.inc.php';

include/config/dist.conf.inc.php

@@ -153,6 +153,8 @@
 $phpwcms['markdown_extra']       = false; // Enable/disable Markdown Extra https://michelf.ca/projects/php-markdown/extra/
 $phpwcms['disable_generator']    = false; // Disable <meta name="generator"> and header `X-phpwcms-Release`
 $phpwcms['disable_processed_in'] = false; // Hide header `X-phpwcms-Page-Processed-In`
+$phpwcms['session.cookie_httponly.off'] = false; // Set this to `true` if the session Cookie should also be accessible by JavaScript
+$phpwcms['session.cookie_samesite'] = 'Lax'; // Define the Cookie sameSite setting None (deprecated), Lax, Strict, use PHP 7.3+ otherwise it's not or not well supported
 
 // Email specific settings (based on phpMailer)
 $phpwcms['SMTP_FROM_EMAIL']      = 'info@localhost'; // reply/from email address

include/inc_act/act_addchat.php

@@ -9,8 +9,7 @@
  *
  **/
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';
 require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';

include/inc_act/act_articlecontent.php

@@ -9,9 +9,7 @@
  *
  **/
 
-session_start();
-
-$phpwcms = array();
+$phpwcms = array('session_start' => true);
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';
 require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';

include/inc_act/act_cache.php

@@ -9,8 +9,7 @@
  *
  **/
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';
 require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';

include/inc_act/act_download.php

@@ -9,8 +9,7 @@
  *
  **/
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';

include/inc_act/act_export.php

@@ -8,8 +8,7 @@
  * @link http://www.phpwcms.org
  **/
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';
 require_once PHPWCMS_ROOT . '/include/inc_lib/helper.session.php';

include/inc_act/act_file.php

@@ -9,8 +9,7 @@
  *
  **/
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';

include/inc_act/act_filecat.php

@@ -9,8 +9,7 @@
  *
  **/
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';

include/inc_act/act_frontendcss.php

@@ -9,8 +9,7 @@
  *
  **/
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';

include/inc_act/act_frontendsetup.php

@@ -9,8 +9,7 @@
  *
  **/
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';

include/inc_act/act_ftptakeover.php

@@ -9,8 +9,7 @@
  *
  **/
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 $PHPWCMS_ROOT = dirname(dirname(dirname(__FILE__)));
 
 require_once $PHPWCMS_ROOT.'/include/config/conf.inc.php';

include/inc_act/act_guestbook.php

@@ -9,8 +9,7 @@
  *
  **/
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';

include/inc_act/act_message.php

@@ -9,8 +9,7 @@
  *
  **/
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';

include/inc_act/act_phpinfo.php

@@ -9,8 +9,7 @@
  *
  **/
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';

include/inc_act/act_schedule.php

@@ -9,8 +9,7 @@
  *
  **/
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';
 require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';

include/inc_act/act_sendnewsletter.php

@@ -9,8 +9,8 @@
  *
  **/
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
+
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';
 require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';

include/inc_act/act_startuptext.php

@@ -9,8 +9,7 @@
  *
  **/
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';

include/inc_act/act_structure.php

@@ -12,8 +12,8 @@
 //19-11-2004 Fernando Batista -> Copy article, Copy strutures http://fernandobatista.net
 //31-03-2005 Fernando Batista -> Copy/Cut Article Content http://fernandobatista.net
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
+
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';
 require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';

include/inc_act/act_upload.php

@@ -9,20 +9,12 @@
  *
  **/
 
-session_start();
-
-if(empty($_SESSION["wcs_user_id"])) {
-
-	die('{"success":false}');
-
-}
-
-$phpwcms = array();
-require '../../include/config/conf.inc.php';
-require '../inc_lib/default.inc.php';
+$phpwcms = array('SESSION_START' => true);
+require_once '../../include/config/conf.inc.php';
+require_once '../inc_lib/default.inc.php';
 require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
 
-if(!validate_csrf_get_token()) {
+if(empty($_SESSION["wcs_user_id"]) || !validate_csrf_get_token()) {
 	die('{"success":false}');
 }
 

include/inc_act/act_user.php

@@ -9,8 +9,7 @@
  *
  **/
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';

include/inc_act/act_usergroup.php

@@ -9,8 +9,7 @@
  *
  **/
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';

include/inc_act/ajax_connector.php

@@ -11,8 +11,8 @@
 
 // general wrapper for ajax based queries
 
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
+
 require '../../include/config/conf.inc.php';
 require '../inc_lib/default.inc.php';
 require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';

include/inc_front/content/cnt18.article.inc.php

@@ -409,7 +409,7 @@ function($matches) {
 
                 $guestbook['readform'] = 1;
                 if($guestbook['cookie'] && $guestbook['time']) {
-                    setcookie('phpwcms_guestbook'.$guestbook['cid'], time(), time()+intval($guestbook['time']));
+                    setcookie('phpwcms_guestbook'.$guestbook['cid'], time(), time()+intval($guestbook['time']), '/', getCookieDomain(), PHPWCMS_SSL, true);
                 }
 
                 // check if notify email should be sent

include/inc_front/content/cnt28.article.inc.php

@@ -89,7 +89,9 @@
                     $_loginData['login'].'##-|-##'.md5($_loginData['password']).'##-|-##'.$_loginData['validate_db']['userdetail'].'##-|-##'.$_loginData['validate_db']['backenduser'],
                     time()+$_loginData['felogin_cookie_expire'],
                     '/',
-                    getCookieDomain()
+                    getCookieDomain(),
+                    PHPWCMS_SSL,
+                    true
                 );
 
             }

include/inc_front/front.func.inc.php

@@ -3701,7 +3701,7 @@ function _checkFrontendUserAutoLogin() {
     // logout
     if(session_id() && (isset($_POST['feLogout']) || isset($_GET['feLogout']))) {
         unset($_SESSION[ session_id() ]);
-        setcookie('phpwcmsFeLoginRemember', '', time()-3600, '/',  getCookieDomain() );
+        setcookie('phpwcmsFeLoginRemember', '', time()-3600, '/',  getCookieDomain(), PHPWCMS_SSL, true);
     }
     define('FEUSER_LOGIN_STATUS', _getFeUserLoginStatus() );
 }

include/inc_lib/backend.functions.inc.php

@@ -609,7 +609,7 @@ function set_status_message($msg='', $type='info', $replace=array()) {
 }
 
 function set_language_cookie() {
-    setcookie('phpwcmsBELang', $_SESSION["wcs_user_lang"], time()+(3600*24*365), '/', getCookieDomain() );
+    setcookie('phpwcmsBELang', $_SESSION["wcs_user_lang"], time()+(3600*24*365), '/', getCookieDomain(), PHPWCMS_SSL, true);
 }
 
 // checks for alias and sets unique value
@@ -939,8 +939,8 @@ function _dbSaveCategories($categories=array(), $type='', $pid=0, $seperator=','
 
 function setItemsPerPage($default=25) {
     if( isset($_GET['showipp']) ) {
-        $ipp = intval( is_numeric($_GET['showipp']) ? $_GET['showipp'] : $default );
-        setcookie('phpwcmsBEItemsPerPage', $ipp, time()+157680000, '/', getCookieDomain() );
+        $ipp = intval(is_numeric($_GET['showipp']) ? $_GET['showipp'] : $default);
+        setcookie('phpwcmsBEItemsPerPage', $ipp, time()+157680000, '/', getCookieDomain(), PHPWCMS_SSL, true);
     } elseif(isset($_SESSION['PAGE_FILTER'])) {
         $ipp = $_SESSION['PAGE_FILTER']['IPP'];
     } elseif( isset($_COOKIE['phpwcmsBEItemsPerPage']) ) {

include/inc_lib/default.inc.php

@@ -949,6 +949,21 @@ function headerRedirect($target = '', $type = 0, $session_close = true) {
 }
 
 function _initSession() {
+    $GLOBALS['phpwcms']['session_cookie_params'] = session_get_cookie_params();
+    $GLOBALS['phpwcms']['session_cookie_params']['httponly'] = empty($GLOBALS['phpwcms']['session.cookie_httponly.off']) ? true : false;
+    $GLOBALS['phpwcms']['session_cookie_params']['domain'] = $GLOBALS['phpwcms']['parse_url']['host'];
+    $GLOBALS['phpwcms']['session_cookie_params']['path'] = PHPWCMS_BASEPATH;
+    if (empty($GLOBALS['phpwcms']['session.cookie_samesite'])) {
+        $GLOBALS['phpwcms']['session_cookie_params']['secure'] = PHPWCMS_SSL;
+        if (PHPWCMS_SSL && empty($GLOBALS['phpwcms']['session_cookie_params']['samesite'])) {
+            $GLOBALS['phpwcms']['session_cookie_params']['samesite'] = 'Lax';
+        }
+    } else {
+        $GLOBALS['phpwcms']['session_cookie_params']['secure'] = true;
+        $GLOBALS['phpwcms']['session_cookie_params']['samesite'] = $GLOBALS['phpwcms']['session.cookie_samesite'];
+    }
+    @session_set_cookie_params($GLOBALS['phpwcms']['session_cookie_params']);
+
     if (!session_id()) {
         session_start();
     }

include/inc_lib/general.inc.php

@@ -1581,13 +1581,15 @@ function parse_ini_str($Str, $ProcessSections = true, $SplitInNameValue = false)
 }
 
 function getCookieDomain() {
-    $domain = parse_url(PHPWCMS_URL);
-    $domain = strtolower($domain['host']);
-    if (strpos($domain, 'www') === 0) {
-        $domain = substr($domain, 3);
+    if (empty($GLOBALS['phpwcms']['parse_url']['host'])) {
+        $domain = parse_url(PHPWCMS_URL);
+        $domain = strtolower($domain['host']);
+        if (strpos($domain, 'www') === 0) {
+            $domain = substr($domain, 3);
+        }
+        $GLOBALS['phpwcms']['parse_url']['host'] = $domain;
     }
-
-    return $domain;
+    return $GLOBALS['phpwcms']['parse_url']['host'];
 }
 
 function _mkdir($target) {