diff --git a/download.php b/download.php
index d10851709..7b0031d76 100644
--- a/download.php
+++ b/download.php
@@ -14,7 +14,7 @@
require_once 'include/config/conf.inc.php';
if( !empty($phpwcms['SESSION_FEinit']) ) {
- @session_start();
+ $phpwcms['SESSION_START'] = true;
}
require_once 'include/inc_lib/default.inc.php';
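Review bot: Replacing `@session_start()` with the `SESSION_START` flag only starts a session if `include/inc_lib/helper.session.php` is included afterwards, and this hunk shows no such require, whereas the `cmsimage.php` hunks add one right after setting the flag. If download.php does not already pull helper.session.php in further down (outside this hunk), no session is ever started and `$_SESSION` stays empty. The same check applies to the act_download, act_file, act_filecat, act_frontendcss, act_frontendsetup, act_ftptakeover, act_guestbook, act_message, act_phpinfo, act_startuptext, act_user and act_usergroup hunks, which also set the flag without a visible helper.session.php require. Where it is missing, add `require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';` after the `default.inc.php` require, since `_initSession()` is defined there.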
diff --git a/filebrowser.php b/filebrowser.php
index 257ff70b1..ed6c444ef 100644
--- a/filebrowser.php
+++ b/filebrowser.php
@@ -20,9 +20,7 @@
* - Issue 265 based on TB's post
*/
-session_start();
-
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
$phpwcms_root = rtrim(str_replace('\\', '/', dirname(__FILE__)), '/');
$js_files_all = array();
$js_files_select = array();
diff --git a/fileinfo.php b/fileinfo.php
index 79c81a733..23d5679e1 100644
--- a/fileinfo.php
+++ b/fileinfo.php
@@ -9,15 +9,12 @@
*
**/
-session_start();
-
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
require_once 'include/config/conf.inc.php';
if(empty($_SESSION["wcs_user_lang"])) {
session_destroy();
headerRedirect($phpwcms['site'].$phpwcms["root"]);
-
} else {
require 'include/inc_lang/backend/en/lang.ext.inc.php';
$cust_lang = 'include/inc_lang/backend/'.substr($_SESSION["wcs_user_lang"],0,2).'/lang.ext.inc.php';
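Review bot: The `if(empty($_SESSION["wcs_user_lang"]))` check and the `session_destroy()` call run directly after the `conf.inc.php` require, but with `session_start()` removed nothing in this hunk has started the session at that point; unless conf.inc.php transitively includes helper.session.php, `$_SESSION` is always empty here and every request is destroyed and redirected. Move the check below the includes that trigger `_initSession()`, i.e. add the `default.inc.php` and `helper.session.php` requires (with whatever relative path this file uses) before the `if(empty($_SESSION[...]))` line. The `else` branch continues outside the hunk.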
diff --git a/img/blank.php b/img/blank.php
index 2fc36b982..172c9dcc5 100644
--- a/img/blank.php
+++ b/img/blank.php
@@ -38,7 +38,7 @@
if(empty($_COOKIE['phpwcmsAdsUserId']) || !preg_match('/^[0-9a-f]{32}$/', ($ads_userid = $_COOKIE['phpwcmsAdsUserId']) ) ) {
$ads_userid = md5($ads_userip.microtime());
- setcookie('phpwcmsAdsUserId', $ads_userid, time()+63072000, '/', getCookieDomain() );
+ setcookie('phpwcmsAdsUserId', $ads_userid, time()+63072000, '/', getCookieDomain(), PHPWCMS_SSL, true);
}
$t = array();
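Review bot: The rewritten `setcookie()` call adds Secure and HttpOnly but no SameSite attribute, so while the commit makes the session cookie's SameSite configurable via `session.cookie_samesite`, this and every other `setcookie()` hunk in the commit (cnt18, cnt28, front.func, backend.functions, ads.fe_init, be_start.tmpl, login, access_dialog, lang_replace, switchCSS, switchFontSize) still leave it to the browser default. On PHP 7.3+ `setcookie()` accepts an options array, e.g. `setcookie('phpwcmsAdsUserId', $ads_userid, ['expires' => time()+63072000, 'path' => '/', 'domain' => getCookieDomain(), 'secure' => PHPWCMS_SSL, 'httponly' => true, 'samesite' => $GLOBALS['phpwcms']['session.cookie_samesite']]);`, and a small wrapper around that form would keep the attributes consistent across all of these call sites instead of repeating seven positional arguments. Using `PHPWCMS_SSL` as the secure flag means the cookie travels over plain HTTP on non-SSL installs, which is acceptable for a tracking id like this one but worth keeping in mind for the login-related cookies in the other hunks.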
diff --git a/img/cmsimage.php b/img/cmsimage.php
index a3ff2b03b..988a52e04 100644
--- a/img/cmsimage.php
+++ b/img/cmsimage.php
@@ -124,7 +124,8 @@
if(is_intval($hash)) {
- @session_start();
+ $phpwcms['SESSION_START'] = true;
+ require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
$file_public = empty($_SESSION["wcs_user_id"]) ? 'f_public=1' : '(f_public=1 OR f_uid='.intval($_SESSION["wcs_user_id"]).')';
require_once(PHPWCMS_ROOT.'/include/inc_lib/dbcon.inc.php');
@@ -154,7 +155,8 @@
} elseif(strlen($hash) === 32 && (!$ext || !is_file(PHPWCMS_ROOT.'/'.PHPWCMS_FILES.$hash.'.'.$ext))) {
- @session_start();
+ $phpwcms['SESSION_START'] = true;
+ require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
$file_public = empty($_SESSION["wcs_user_id"]) ? 'f_public=1' : '(f_public=1 OR f_uid='.intval($_SESSION["wcs_user_id"]).')';
require_once PHPWCMS_ROOT.'/include/inc_lib/dbcon.inc.php';
diff --git a/include/config/dist.conf.inc.php b/include/config/dist.conf.inc.php
index 453c5865f..3c24ab7f4 100644
--- a/include/config/dist.conf.inc.php
+++ b/include/config/dist.conf.inc.php
@@ -153,6 +153,8 @@
$phpwcms['markdown_extra'] = false; // Enable/disable Markdown Extra https://michelf.ca/projects/php-markdown/extra/
$phpwcms['disable_generator'] = false; // Disable and header `X-phpwcms-Release`
$phpwcms['disable_processed_in'] = false; // Hide header `X-phpwcms-Page-Processed-In`
+$phpwcms['session.cookie_httponly.off'] = false; // Set this to `true` if the session Cookie should also be accessible by JavaScript
+$phpwcms['session.cookie_samesite'] = 'Lax'; // Define the Cookie sameSite setting None (deprecated), Lax, Strict, use PHP 7.3+ otherwise it's not or not well supported
// Email specific settings (based on phpMailer)
$phpwcms['SMTP_FROM_EMAIL'] = 'info@localhost'; // reply/from email address
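Review bot: The comment on the new `session.cookie_samesite` line calls `None` deprecated, which misdescribes the attribute: `SameSite=None` is the value for cross-site use and browsers only accept it together with the Secure flag; the same wording is repeated in the setup.func.inc.php and setup.conf.inc.php hunks. Suggested comment for all three: `// SameSite attribute of the session cookie: 'Lax' (default), 'Strict', or 'None' (cross-site use; only accepted with Secure/HTTPS). Needs PHP 7.3+, older versions ignore it.` The negated `session.cookie_httponly.off` flag reads awkwardly next to it; a positive `session.cookie_httponly` defaulting to `true` would be clearer, though that also means changing the lookup in `_initSession()`.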
diff --git a/include/inc_act/act_addchat.php b/include/inc_act/act_addchat.php
index 29b464f3c..fca67f7b6 100644
--- a/include/inc_act/act_addchat.php
+++ b/include/inc_act/act_addchat.php
@@ -9,8 +9,7 @@
*
**/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
diff --git a/include/inc_act/act_articlecontent.php b/include/inc_act/act_articlecontent.php
index 67bae65e1..1c0ee43e7 100644
--- a/include/inc_act/act_articlecontent.php
+++ b/include/inc_act/act_articlecontent.php
@@ -9,9 +9,7 @@
*
**/
-session_start();
-
-$phpwcms = array();
+$phpwcms = array('session_start' => true);
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
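Review bot: The key here is `'session_start'` in lowercase, while every other hunk in this commit and the check in helper.session.php (`!empty($phpwcms['SESSION_START'])`) use `SESSION_START`; PHP array keys are case-sensitive, so `_initSession()` never runs for this script and `$_SESSION` stays empty. Change the line to `$phpwcms = array('SESSION_START' => true);`.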
diff --git a/include/inc_act/act_cache.php b/include/inc_act/act_cache.php
index 04ffe5512..acb733121 100644
--- a/include/inc_act/act_cache.php
+++ b/include/inc_act/act_cache.php
@@ -9,8 +9,7 @@
*
**/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
diff --git a/include/inc_act/act_download.php b/include/inc_act/act_download.php
index 2579264fc..63e0335f7 100644
--- a/include/inc_act/act_download.php
+++ b/include/inc_act/act_download.php
@@ -9,8 +9,7 @@
*
**/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
diff --git a/include/inc_act/act_export.php b/include/inc_act/act_export.php
index 870c229ba..2037020f2 100644
--- a/include/inc_act/act_export.php
+++ b/include/inc_act/act_export.php
@@ -8,8 +8,7 @@
* @link http://www.phpwcms.org
**/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
require_once PHPWCMS_ROOT . '/include/inc_lib/helper.session.php';
diff --git a/include/inc_act/act_file.php b/include/inc_act/act_file.php
index db8b1f0f2..4fb750937 100644
--- a/include/inc_act/act_file.php
+++ b/include/inc_act/act_file.php
@@ -9,8 +9,7 @@
*
**/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
diff --git a/include/inc_act/act_filecat.php b/include/inc_act/act_filecat.php
index e8954129b..59ac9d46c 100644
--- a/include/inc_act/act_filecat.php
+++ b/include/inc_act/act_filecat.php
@@ -9,8 +9,7 @@
*
**/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
diff --git a/include/inc_act/act_frontendcss.php b/include/inc_act/act_frontendcss.php
index 8bc5a0947..00af1616f 100644
--- a/include/inc_act/act_frontendcss.php
+++ b/include/inc_act/act_frontendcss.php
@@ -9,8 +9,7 @@
*
**/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
diff --git a/include/inc_act/act_frontendsetup.php b/include/inc_act/act_frontendsetup.php
index f2eaa6ffe..2f449738a 100644
--- a/include/inc_act/act_frontendsetup.php
+++ b/include/inc_act/act_frontendsetup.php
@@ -9,8 +9,7 @@
*
**/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
diff --git a/include/inc_act/act_ftptakeover.php b/include/inc_act/act_ftptakeover.php
index 814eb580d..1b33e349f 100644
--- a/include/inc_act/act_ftptakeover.php
+++ b/include/inc_act/act_ftptakeover.php
@@ -9,8 +9,7 @@
*
**/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
$PHPWCMS_ROOT = dirname(dirname(dirname(__FILE__)));
require_once $PHPWCMS_ROOT.'/include/config/conf.inc.php';
diff --git a/include/inc_act/act_guestbook.php b/include/inc_act/act_guestbook.php
index 5c8060c17..f3d624959 100644
--- a/include/inc_act/act_guestbook.php
+++ b/include/inc_act/act_guestbook.php
@@ -9,8 +9,7 @@
*
**/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
diff --git a/include/inc_act/act_message.php b/include/inc_act/act_message.php
index 68f645fa5..a131b5592 100644
--- a/include/inc_act/act_message.php
+++ b/include/inc_act/act_message.php
@@ -9,8 +9,7 @@
*
**/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
diff --git a/include/inc_act/act_phpinfo.php b/include/inc_act/act_phpinfo.php
index d7fa20be0..4d38b46b6 100644
--- a/include/inc_act/act_phpinfo.php
+++ b/include/inc_act/act_phpinfo.php
@@ -9,8 +9,7 @@
*
**/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
diff --git a/include/inc_act/act_schedule.php b/include/inc_act/act_schedule.php
index a8767761c..299eeb58b 100644
--- a/include/inc_act/act_schedule.php
+++ b/include/inc_act/act_schedule.php
@@ -9,8 +9,7 @@
*
**/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
diff --git a/include/inc_act/act_sendnewsletter.php b/include/inc_act/act_sendnewsletter.php
index 34f0c30f5..4399b1761 100644
--- a/include/inc_act/act_sendnewsletter.php
+++ b/include/inc_act/act_sendnewsletter.php
@@ -9,8 +9,8 @@
*
**/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
+
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
diff --git a/include/inc_act/act_startuptext.php b/include/inc_act/act_startuptext.php
index 8c3c79ab3..05f9ee1a8 100644
--- a/include/inc_act/act_startuptext.php
+++ b/include/inc_act/act_startuptext.php
@@ -9,8 +9,7 @@
*
**/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
diff --git a/include/inc_act/act_structure.php b/include/inc_act/act_structure.php
index ab77cd1d4..d8d81a064 100644
--- a/include/inc_act/act_structure.php
+++ b/include/inc_act/act_structure.php
@@ -12,8 +12,8 @@
//19-11-2004 Fernando Batista -> Copy article, Copy strutures http://fernandobatista.net
//31-03-2005 Fernando Batista -> Copy/Cut Article Content http://fernandobatista.net
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
+
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
diff --git a/include/inc_act/act_upload.php b/include/inc_act/act_upload.php
index 247b67a23..62c2dca79 100644
--- a/include/inc_act/act_upload.php
+++ b/include/inc_act/act_upload.php
@@ -9,20 +9,12 @@
*
**/
-session_start();
-
-if(empty($_SESSION["wcs_user_id"])) {
-
- die('{"success":false}');
-
-}
-
-$phpwcms = array();
-require '../../include/config/conf.inc.php';
-require '../inc_lib/default.inc.php';
+$phpwcms = array('SESSION_START' => true);
+require_once '../../include/config/conf.inc.php';
+require_once '../inc_lib/default.inc.php';
require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
-if(!validate_csrf_get_token()) {
+if(empty($_SESSION["wcs_user_id"]) || !validate_csrf_get_token()) {
die('{"success":false}');
}
diff --git a/include/inc_act/act_user.php b/include/inc_act/act_user.php
index b8857cacd..d16b22c3d 100644
--- a/include/inc_act/act_user.php
+++ b/include/inc_act/act_user.php
@@ -9,8 +9,7 @@
*
**/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
diff --git a/include/inc_act/act_usergroup.php b/include/inc_act/act_usergroup.php
index ec2017958..99a20b62d 100644
--- a/include/inc_act/act_usergroup.php
+++ b/include/inc_act/act_usergroup.php
@@ -9,8 +9,7 @@
*
**/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
require_once '../../include/config/conf.inc.php';
require_once '../inc_lib/default.inc.php';
diff --git a/include/inc_act/ajax_connector.php b/include/inc_act/ajax_connector.php
index b3d31f1e4..f43bf0dad 100644
--- a/include/inc_act/ajax_connector.php
+++ b/include/inc_act/ajax_connector.php
@@ -11,8 +11,8 @@
// general wrapper for ajax based queries
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
+
require '../../include/config/conf.inc.php';
require '../inc_lib/default.inc.php';
require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
diff --git a/include/inc_front/content/cnt18.article.inc.php b/include/inc_front/content/cnt18.article.inc.php
index 45a6cb34d..f49d9581d 100644
--- a/include/inc_front/content/cnt18.article.inc.php
+++ b/include/inc_front/content/cnt18.article.inc.php
@@ -409,7 +409,7 @@ function($matches) {
$guestbook['readform'] = 1;
if($guestbook['cookie'] && $guestbook['time']) {
- setcookie('phpwcms_guestbook'.$guestbook['cid'], time(), time()+intval($guestbook['time']));
+ setcookie('phpwcms_guestbook'.$guestbook['cid'], time(), time()+intval($guestbook['time']), '/', getCookieDomain(), PHPWCMS_SSL, true);
}
// check if notify email should be sent
diff --git a/include/inc_front/content/cnt28.article.inc.php b/include/inc_front/content/cnt28.article.inc.php
index c9468757f..b67a4ec97 100644
--- a/include/inc_front/content/cnt28.article.inc.php
+++ b/include/inc_front/content/cnt28.article.inc.php
@@ -89,7 +89,9 @@
$_loginData['login'].'##-|-##'.md5($_loginData['password']).'##-|-##'.$_loginData['validate_db']['userdetail'].'##-|-##'.$_loginData['validate_db']['backenduser'],
time()+$_loginData['felogin_cookie_expire'],
'/',
- getCookieDomain()
+ getCookieDomain(),
+ PHPWCMS_SSL,
+ true
);
}
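Review bot: The cookie value assembled on the first line of this hunk embeds `md5($_loginData['password'])`, an unsalted MD5 of the user's password, in a long-lived remember-me cookie; the new Secure/HttpOnly arguments reduce exposure in transit and to scripts, but anyone who obtains the cookie value (logs, backups, a shared device) can recover the password offline from that hash. A remember-me token should be an opaque random value, e.g. `bin2hex(random_bytes(32))`, stored hashed server-side against the user so it can be revoked, with the password never leaving the server. The `setcookie()` call and the surrounding login logic start before this hunk, so the cookie name and how the value is later verified are not visible here.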
diff --git a/include/inc_front/front.func.inc.php b/include/inc_front/front.func.inc.php
index 4ee0c49d6..adba89880 100755
--- a/include/inc_front/front.func.inc.php
+++ b/include/inc_front/front.func.inc.php
@@ -3701,7 +3701,7 @@ function _checkFrontendUserAutoLogin() {
// logout
if(session_id() && (isset($_POST['feLogout']) || isset($_GET['feLogout']))) {
unset($_SESSION[ session_id() ]);
- setcookie('phpwcmsFeLoginRemember', '', time()-3600, '/', getCookieDomain() );
+ setcookie('phpwcmsFeLoginRemember', '', time()-3600, '/', getCookieDomain(), PHPWCMS_SSL, true);
}
define('FEUSER_LOGIN_STATUS', _getFeUserLoginStatus() );
}
diff --git a/include/inc_lib/backend.functions.inc.php b/include/inc_lib/backend.functions.inc.php
index d362a9beb..729ce257f 100644
--- a/include/inc_lib/backend.functions.inc.php
+++ b/include/inc_lib/backend.functions.inc.php
@@ -609,7 +609,7 @@ function set_status_message($msg='', $type='info', $replace=array()) {
}
function set_language_cookie() {
- setcookie('phpwcmsBELang', $_SESSION["wcs_user_lang"], time()+(3600*24*365), '/', getCookieDomain() );
+ setcookie('phpwcmsBELang', $_SESSION["wcs_user_lang"], time()+(3600*24*365), '/', getCookieDomain(), PHPWCMS_SSL, true);
}
// checks for alias and sets unique value
@@ -939,8 +939,8 @@ function _dbSaveCategories($categories=array(), $type='', $pid=0, $seperator=','
function setItemsPerPage($default=25) {
if( isset($_GET['showipp']) ) {
- $ipp = intval( is_numeric($_GET['showipp']) ? $_GET['showipp'] : $default );
- setcookie('phpwcmsBEItemsPerPage', $ipp, time()+157680000, '/', getCookieDomain() );
+ $ipp = intval(is_numeric($_GET['showipp']) ? $_GET['showipp'] : $default);
+ setcookie('phpwcmsBEItemsPerPage', $ipp, time()+157680000, '/', getCookieDomain(), PHPWCMS_SSL, true);
} elseif(isset($_SESSION['PAGE_FILTER'])) {
$ipp = $_SESSION['PAGE_FILTER']['IPP'];
} elseif( isset($_COOKIE['phpwcmsBEItemsPerPage']) ) {
diff --git a/include/inc_lib/default.inc.php b/include/inc_lib/default.inc.php
index 091688dee..0281fca4f 100755
--- a/include/inc_lib/default.inc.php
+++ b/include/inc_lib/default.inc.php
@@ -949,6 +949,21 @@ function headerRedirect($target = '', $type = 0, $session_close = true) {
}
function _initSession() {
+ $GLOBALS['phpwcms']['session_cookie_params'] = session_get_cookie_params();
+ $GLOBALS['phpwcms']['session_cookie_params']['httponly'] = empty($GLOBALS['phpwcms']['session.cookie_httponly.off']) ? true : false;
+ $GLOBALS['phpwcms']['session_cookie_params']['domain'] = $GLOBALS['phpwcms']['parse_url']['host'];
+ $GLOBALS['phpwcms']['session_cookie_params']['path'] = PHPWCMS_BASEPATH;
+ if (empty($GLOBALS['phpwcms']['session.cookie_samesite'])) {
+ $GLOBALS['phpwcms']['session_cookie_params']['secure'] = PHPWCMS_SSL;
+ if (PHPWCMS_SSL && empty($GLOBALS['phpwcms']['session_cookie_params']['samesite'])) {
+ $GLOBALS['phpwcms']['session_cookie_params']['samesite'] = 'Lax';
+ }
+ } else {
+ $GLOBALS['phpwcms']['session_cookie_params']['secure'] = true;
+ $GLOBALS['phpwcms']['session_cookie_params']['samesite'] = $GLOBALS['phpwcms']['session.cookie_samesite'];
+ }
+ @session_set_cookie_params($GLOBALS['phpwcms']['session_cookie_params']);
+
if (!session_id()) {
session_start();
}
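Review bot: In the `else` branch `secure` is hard-coded to `true` whenever `session.cookie_samesite` is non-empty, and the new config default is `'Lax'`, so on every non-HTTPS install the session cookie carries the Secure flag and the browser never sends it back over plain HTTP — the backend cannot keep a login. Use `PHPWCMS_SSL` there as well and force Secure only for the one value that requires it: `$GLOBALS['phpwcms']['session_cookie_params']['secure'] = PHPWCMS_SSL || strtolower($GLOBALS['phpwcms']['session.cookie_samesite']) === 'none';`. Separately, `domain` is read from `$GLOBALS['phpwcms']['parse_url']['host']`, which is only populated by `getCookieDomain()` (general.inc.php hunk); if that has not run yet the index is undefined and the cookie domain ends up empty, so that line should call `getCookieDomain()` and use its return value. Finally, the array form of `session_set_cookie_params()` needs PHP 7.3+ and the `@` hides the failure on older versions, leaving the session cookie with PHP's ini defaults (no HttpOnly/SameSite) without any trace; a `PHP_VERSION_ID >= 70300` guard with a logged fallback would fail visibly. `_initSession()` continues past the end of the hunk.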
diff --git a/include/inc_lib/general.inc.php b/include/inc_lib/general.inc.php
index 88f3d3c22..0fc384939 100755
--- a/include/inc_lib/general.inc.php
+++ b/include/inc_lib/general.inc.php
@@ -1581,13 +1581,15 @@ function parse_ini_str($Str, $ProcessSections = true, $SplitInNameValue = false)
}
function getCookieDomain() {
- $domain = parse_url(PHPWCMS_URL);
- $domain = strtolower($domain['host']);
- if (strpos($domain, 'www') === 0) {
- $domain = substr($domain, 3);
+ if (empty($GLOBALS['phpwcms']['parse_url']['host'])) {
+ $domain = parse_url(PHPWCMS_URL);
+ $domain = strtolower($domain['host']);
+ if (strpos($domain, 'www') === 0) {
+ $domain = substr($domain, 3);
+ }
+ $GLOBALS['phpwcms']['parse_url']['host'] = $domain;
}
-
- return $domain;
+ return $GLOBALS['phpwcms']['parse_url']['host'];
}
function _mkdir($target) {
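Review bot: Because this value now also feeds the session cookie's `domain` in `_initSession()`, the `www` stripping has a wider effect than before: `substr($domain, 3)` turns `www.example.com` into `.example.com`, so the session cookie — previously host-only — is now shared with every subdomain of the site, and the `strpos($domain, 'www') === 0` test also mangles hosts such as `wwwtest.example.com` into `test.example.com`. Tighten the test to the dotted prefix, `if (strpos($domain, 'www.') === 0) {`, and decide explicitly whether the session cookie should be domain-wide; if not, `_initSession()` should use the unstripped host. The cache in `$GLOBALS['phpwcms']['parse_url']['host']` is fine, but `parse_url()` returning no host (a malformed `PHPWCMS_URL`) leaves `$domain['host']` undefined; an `isset()` fallback to `''` would avoid the notice and the empty-domain cookie that follows.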
diff --git a/include/inc_lib/helper.session.php b/include/inc_lib/helper.session.php
index 6b36c2c67..cbe425eb3 100644
--- a/include/inc_lib/helper.session.php
+++ b/include/inc_lib/helper.session.php
@@ -8,6 +8,14 @@
* @link http://www.phpwcms.org
*
**/
+if (!defined('PHPWCMS_ROOT')) {
+ die("You Cannot Access This Script Directly, Have a Nice Day.");
+}
+
+// Cookie settings
+if (!empty($phpwcms['SESSION_START'])) {
+ _initSession();
+}
/**
* Set session var.
diff --git a/include/inc_module/mod_ads/inc/ads.fe_init.inc.php b/include/inc_module/mod_ads/inc/ads.fe_init.inc.php
index c37e7d9c3..f3221d556 100644
--- a/include/inc_module/mod_ads/inc/ads.fe_init.inc.php
+++ b/include/inc_module/mod_ads/inc/ads.fe_init.inc.php
@@ -41,7 +41,7 @@
if(empty($_COOKIE['phpwcmsAdsUserId']) || !preg_match('/^[0-9a-f]{32}$/', ($ads_userid = $_COOKIE['phpwcmsAdsUserId']) ) ) {
$ads_userid = md5($ads_userip.microtime());
- setcookie('phpwcmsAdsUserId', $ads_userid, time()+63072000, '/', getCookieDomain() );
+ setcookie('phpwcmsAdsUserId', $ads_userid, time()+63072000, '/', getCookieDomain(), PHPWCMS_SSL, true);
}
$sql = 'INSERT DELAYED INTO '.DB_PREPEND.'phpwcms_ads_tracking (';
diff --git a/include/inc_tmpl/be_start.tmpl.php b/include/inc_tmpl/be_start.tmpl.php
index bee964d6d..5a77fac45 100644
--- a/include/inc_tmpl/be_start.tmpl.php
+++ b/include/inc_tmpl/be_start.tmpl.php
@@ -24,15 +24,15 @@
if(isset($_POST['homeMaxArticles'])) {
if($_phpwcms_home['homeMaxArticles'] = intval($_POST['homeMaxArticles'])) {
- @setcookie('homeMaxArticles', strval($_phpwcms_home['homeMaxArticles']) , time()+31536000); // store cookie for 1 year
+ @setcookie('homeMaxArticles', strval($_phpwcms_home['homeMaxArticles']) , time()+31536000, '/', getCookieDomain(), PHPWCMS_SSL, true); // store cookie for 1 year
}
}
if(isset($_POST['homeMaxCntParts'])) {
if($_phpwcms_home['homeMaxCntParts'] = intval($_POST['homeMaxCntParts'])) {
- @setcookie('homeMaxCntParts', strval($_phpwcms_home['homeMaxCntParts']) , time()+31536000); // store cookie for 1 year
+ @setcookie('homeMaxCntParts', strval($_phpwcms_home['homeMaxCntParts']) , time()+31536000, '/', getCookieDomain(), PHPWCMS_SSL, true); // store cookie for 1 year
}
$_phpwcms_home['homeCntType'] = clean_slweg($_POST['homeCntType']);
- @setcookie('homeCntType', $_phpwcms_home['homeCntType'], time()+31536000); // store cookie for 1 year
+ @setcookie('homeCntType', $_phpwcms_home['homeCntType'], time()+31536000, '/', getCookieDomain(), PHPWCMS_SSL, true); // store cookie for 1 year
$_SESSION['phpwcms_backend_search'] = '';
}
diff --git a/include/inc_tmpl/content/cnt51.open.php b/include/inc_tmpl/content/cnt51.open.php
index 8d7686c11..a297374fb 100644
--- a/include/inc_tmpl/content/cnt51.open.php
+++ b/include/inc_tmpl/content/cnt51.open.php
@@ -9,9 +9,8 @@
*
**/
-session_start();
+$phpwcms = array('SESSION_START' => true);
-$phpwcms = array();
require_once '../../../include/config/conf.inc.php';
require_once '../../../include/inc_lib/default.inc.php';
require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
diff --git a/login.php b/login.php
index 3f9f4475d..2cfe2a7e5 100644
--- a/login.php
+++ b/login.php
@@ -9,9 +9,7 @@
*
**/
-session_start();
-
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
$BL = array();
// Check if config is still at the old position
@@ -102,7 +100,7 @@
if( isset( $BL[ $temp_lang ] ) ) {
$_SESSION["wcs_user_lang"] = strtolower($temp_lang);
} else {
- setcookie('phpwcmsBELang', '', time() - 3600);
+ setcookie('phpwcmsBELang', '', time() - 3600, '/', getCookieDomain(), PHPWCMS_SSL, true);
}
}
if(isset($_POST['form_lang'])) {
diff --git a/phpwcms.php b/phpwcms.php
index aef6a2d87..addfec42b 100644
--- a/phpwcms.php
+++ b/phpwcms.php
@@ -13,14 +13,12 @@
list($usec, $sec) = explode(' ', microtime());
$phpwcms_rendering_start = $usec + $sec;
-session_start();
-
//define used var names
$body_onload = '';
$forward_to_message_center = false;
$wcsnav = array();
$indexpage = array();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
$BL = array();
$BE = array('HTML' => '', 'BODY_OPEN' => array(), 'BODY_CLOSE' => array(), 'HEADER' => array(), 'LANG' => 'en');
$PHPWCMS_ROOT = dirname(__FILE__);
diff --git a/setup/inc/setup.func.inc.php b/setup/inc/setup.func.inc.php
index a78ee9850..e2a586f3c 100644
--- a/setup/inc/setup.func.inc.php
+++ b/setup/inc/setup.func.inc.php
@@ -286,6 +286,8 @@ function write_conf_file($val) {
$conf_file .= "\$phpwcms['markdown_extra'] = false; // Enable/disable Markdown Extra https://michelf.ca/projects/php-markdown/extra/.\n";
$conf_file .= "\$phpwcms['disable_generator'] = false; // Disable and header `X-phpwcms-Release`\n";
$conf_file .= "\$phpwcms['disable_processed_in'] = false; // Hide header `X-phpwcms-Page-Processed-In`\n";
+ $conf_file .= "\$phpwcms['session.cookie_httponly.off'] = false; // Set this to `true` if the session Cookie should also be accessible by JavaScript\n";
+ $conf_file .= "\$phpwcms['session.cookie_samesite'] = 'Lax'; // Define the Cookie sameSite setting None (deprecated), Lax, Strict, use PHP 7.3+ otherwise it's not or not well supported\n";
$conf_file .= "\n// Email specific settings (based on phpMailer)\n";
$conf_file .= "\$phpwcms['SMTP_FROM_EMAIL'] = '" . escape_quote($val["SMTP_FROM_EMAIL"]) . "'; // reply/from email address\n";
diff --git a/setup/setup.conf.inc.php b/setup/setup.conf.inc.php
index 09cd623c9..2d3c49252 100644
--- a/setup/setup.conf.inc.php
+++ b/setup/setup.conf.inc.php
@@ -153,6 +153,8 @@
$phpwcms['markdown_extra'] = false; // Enable/disable Markdown Extra https://michelf.ca/projects/php-markdown/extra/
$phpwcms['disable_generator'] = false; // Disable and header `X-phpwcms-Release`
$phpwcms['disable_processed_in'] = false; // Hide header `X-phpwcms-Page-Processed-In`
+$phpwcms['session.cookie_httponly.off'] = false; // Set this to `true` if the session Cookie should also be accessible by JavaScript
+$phpwcms['session.cookie_samesite'] = 'Lax'; // Define the Cookie sameSite setting None (deprecated), Lax, Strict, use PHP 7.3+ otherwise it's not or not well supported
// Email specific settings (based on phpMailer)
$phpwcms['SMTP_FROM_EMAIL'] = 'info@localhost'; // reply/from email address
diff --git a/template/inc_script/frontend_render/disabled/access_dialog.php b/template/inc_script/frontend_render/disabled/access_dialog.php
index cacc4a9af..d39deb653 100644
--- a/template/inc_script/frontend_render/disabled/access_dialog.php
+++ b/template/inc_script/frontend_render/disabled/access_dialog.php
@@ -24,7 +24,7 @@
if(isset($_SESSION['phpwcmsAgree'])) {
unset($_SESSION['phpwcmsAgree']);
}
- setcookie('phpwcmsAgree', '0', time()-1000000, '/');
+ setcookie('phpwcmsAgree', '0', time()-1000000, '/', getCookieDomain(), PHPWCMS_SSL, true);
if(isset($_POST['agree_redirect'])) {
$redirect = clean_slweg($_POST['agree_redirect']);
@@ -40,7 +40,7 @@
} else {
- setcookie('phpwcmsAgree', '1', 0, '/');
+ setcookie('phpwcmsAgree', '1', 0, '/', getCookieDomain(), PHPWCMS_SSL, true);
$_SESSION['phpwcmsAgree'] = true;
}
diff --git a/template/inc_script/frontend_render/disabled/lang_replace.php b/template/inc_script/frontend_render/disabled/lang_replace.php
index 87dfc2ea6..2002ed110 100644
--- a/template/inc_script/frontend_render/disabled/lang_replace.php
+++ b/template/inc_script/frontend_render/disabled/lang_replace.php
@@ -18,7 +18,7 @@
if(isset($_GET['lang'])) {
$language_current = strtolower( substr($_GET['lang'], 0, 2) );
$_SESSION['phpwcmsFrontendLanguage'] = $language_current;
- setcookie('phpwcmsFrontendLanguage', $language_current, time()+$language_cookie_duration, '/' );
+ setcookie('phpwcmsFrontendLanguage', $language_current, time()+$language_cookie_duration, '/', getCookieDomain(), PHPWCMS_SSL, true);
} elseif(isset($_SESSION['phpwcmsFrontendLanguage'])) {
$language_current = $_SESSION['phpwcmsFrontendLanguage'];
} elseif(isset($_COOKIE['phpwcmsFrontendLanguage'])) {
@@ -27,7 +27,7 @@
if(!in_array($language_current, $phpwcms['allowed_lang'])) {
$language_current = $language_default;
$_SESSION['phpwcmsFrontendLanguage'] = $language_current;
- setcookie('phpwcmsFrontendLanguage', $language_current, time()+$language_cookie_duration, '/' );
+ setcookie('phpwcmsFrontendLanguage', $language_current, time()+$language_cookie_duration, '/', getCookieDomain(), PHPWCMS_SSL, true);
}
// init language replacements
diff --git a/template/inc_script/frontend_render/disabled/switchCSS.php b/template/inc_script/frontend_render/disabled/switchCSS.php
index a8706ce37..a3daf8cd7 100644
--- a/template/inc_script/frontend_render/disabled/switchCSS.php
+++ b/template/inc_script/frontend_render/disabled/switchCSS.php
@@ -24,7 +24,7 @@
$_user_CSS = clean_slweg($_GET['switchCSS']);
// try to write FontSizeCookie
- setcookie('switchCSS', $_user_CSS, time()+86400);
+ setcookie('switchCSS', $_user_CSS, time()+86400, '/', getCookieDomain(), PHPWCMS_SSL, true);
} elseif(isset($_SESSION['switchCSS'])) {
diff --git a/template/inc_script/frontend_render/disabled/switchFontSize.php b/template/inc_script/frontend_render/disabled/switchFontSize.php
index c2f0d8cac..29a1199cd 100644
--- a/template/inc_script/frontend_render/disabled/switchFontSize.php
+++ b/template/inc_script/frontend_render/disabled/switchFontSize.php
@@ -22,7 +22,7 @@
$userFontSize = clean_slweg($_GET['switchFontSize']);
// try to write FontSizeCookie
- setcookie('switchFontSize', $userFontSize, time()+86400);
+ setcookie('switchFontSize', $userFontSize, time()+86400, '/', getCookieDomain(), PHPWCMS_SSL, true);
} elseif(isset($_SESSION['FontSize'])) {
$userFontSize = $_SESSION['FontSize'];