From 3931a03ad7c9edd29750a88ef82d84b1bbd8a910 Mon Sep 17 00:00:00 2001 
From: slackero Date: Sun, 22 Aug 2021 09:22:52 +0200 Subject: [PATCH] Secure sessions and cookies by httpOnly, Secure and when possible by SameSite --- download.php | 2 +- filebrowser.php | 4 +--- fileinfo.php | 5 +---- img/blank.php | 2 +- img/cmsimage.php | 6 ++++-- include/config/dist.conf.inc.php | 2 ++ include/inc_act/act_addchat.php | 3 +-- include/inc_act/act_articlecontent.php | 4 +--- include/inc_act/act_cache.php | 3 +-- include/inc_act/act_download.php | 3 +-- include/inc_act/act_export.php | 3 +-- include/inc_act/act_file.php | 3 +-- include/inc_act/act_filecat.php | 3 +-- include/inc_act/act_frontendcss.php | 3 +-- include/inc_act/act_frontendsetup.php | 3 +-- include/inc_act/act_ftptakeover.php | 3 +-- include/inc_act/act_guestbook.php | 3 +-- include/inc_act/act_message.php | 3 +-- include/inc_act/act_phpinfo.php | 3 +-- include/inc_act/act_schedule.php | 3 +-- include/inc_act/act_sendnewsletter.php | 4 ++-- include/inc_act/act_startuptext.php | 3 +-- include/inc_act/act_structure.php | 4 ++-- include/inc_act/act_upload.php | 16 ++++------------ include/inc_act/act_user.php | 3 +-- include/inc_act/act_usergroup.php | 3 +-- include/inc_act/ajax_connector.php | 4 ++-- include/inc_front/content/cnt18.article.inc.php | 2 +- include/inc_front/content/cnt28.article.inc.php | 4 +++- include/inc_front/front.func.inc.php | 2 +- include/inc_lib/backend.functions.inc.php | 6 +++--- include/inc_lib/default.inc.php | 15 +++++++++++++++ include/inc_lib/general.inc.php | 14 ++++++++------ include/inc_lib/helper.session.php | 8 ++++++++ .../inc_module/mod_ads/inc/ads.fe_init.inc.php | 2 +- include/inc_tmpl/be_start.tmpl.php | 6 +++--- include/inc_tmpl/content/cnt51.open.php | 3 +-- login.php | 6 ++---- phpwcms.php | 4 +--- setup/inc/setup.func.inc.php | 2 ++ setup/setup.conf.inc.php | 2 ++ .../frontend_render/disabled/access_dialog.php | 4 ++-- .../frontend_render/disabled/lang_replace.php | 4 ++-- .../frontend_render/disabled/switchCSS.php | 2 +- 
.../frontend_render/disabled/switchFontSize.php | 2 +- 45 files changed, 94 insertions(+), 95 deletions(-) diff --git a/download.php b/download.php index d10851709..7b0031d76 100644 --- a/download.php +++ b/download.php @@ -14,7 +14,7 @@ require_once 'include/config/conf.inc.php'; if( !empty($phpwcms['SESSION_FEinit']) ) { - @session_start(); + $phpwcms['SESSION_START'] = true; } require_once 'include/inc_lib/default.inc.php'; diff --git a/filebrowser.php b/filebrowser.php index 257ff70b1..ed6c444ef 100644 --- a/filebrowser.php +++ b/filebrowser.php @@ -20,9 +20,7 @@ * - Issue 265 based on TB's post */ -session_start(); - -$phpwcms = array(); +$phpwcms = array('SESSION_START' => true); $phpwcms_root = rtrim(str_replace('\\', '/', dirname(__FILE__)), '/'); $js_files_all = array(); $js_files_select = array(); diff --git a/fileinfo.php b/fileinfo.php index 79c81a733..23d5679e1 100644 --- a/fileinfo.php +++ b/fileinfo.php @@ -9,15 +9,12 @@ * **/ -session_start(); - -$phpwcms = array(); +$phpwcms = array('SESSION_START' => true); require_once 'include/config/conf.inc.php'; if(empty($_SESSION["wcs_user_lang"])) { session_destroy(); headerRedirect($phpwcms['site'].$phpwcms["root"]); - } else { require 'include/inc_lang/backend/en/lang.ext.inc.php'; $cust_lang = 'include/inc_lang/backend/'.substr($_SESSION["wcs_user_lang"],0,2).'/lang.ext.inc.php'; diff --git a/img/blank.php b/img/blank.php index 2fc36b982..172c9dcc5 100644 --- a/img/blank.php +++ b/img/blank.php @@ -38,7 +38,7 @@ if(empty($_COOKIE['phpwcmsAdsUserId']) || !preg_match('/^[0-9a-f]{32}$/', ($ads_userid = $_COOKIE['phpwcmsAdsUserId']) ) ) { $ads_userid = md5($ads_userip.microtime()); - setcookie('phpwcmsAdsUserId', $ads_userid, time()+63072000, '/', getCookieDomain() ); + setcookie('phpwcmsAdsUserId', $ads_userid, time()+63072000, '/', getCookieDomain(), PHPWCMS_SSL, true); } $t = array(); diff --git a/img/cmsimage.php b/img/cmsimage.php index a3ff2b03b..988a52e04 100644 --- a/img/cmsimage.php 
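Review bot: Setting `$phpwcms['SESSION_START'] = true` in download.php only has an effect if `include/inc_lib/helper.session.php` is included afterwards, because that helper is the only place in this commit where the flag is read and `_initSession()` is called, yet the hunk shows only `default.inc.php` being required after the flag. The line it replaces was an unconditional `@session_start()`, so if download.php does not pull the helper in further down, a frontend-initialised session is no longer started for downloads at all. Either add `require_once 'include/inc_lib/helper.session.php';` directly after the `default.inc.php` require, or have `default.inc.php` honour the flag so every entry script behaves the same way. The surrounding script continues outside the hunk, so this is inferred from what is visible here.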
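Review bot: In fileinfo.php `$_SESSION["wcs_user_lang"]` is read immediately after `conf.inc.php` is required, but the unconditional `session_start()` that used to precede it is removed and nothing visible in the hunk starts a session, since the new `SESSION_START` flag is only acted on by `helper.session.php`. Unless `conf.inc.php` starts the session itself, `$_SESSION` is empty at that point, the `empty()` branch always wins, `session_destroy()` is called without an active session and every request is redirected to the site root. Add `require_once 'include/inc_lib/default.inc.php'; require_once 'include/inc_lib/helper.session.php';` before the `if`, or keep an explicit `session_start()` until the helper is loaded. The `else` branch continues outside the hunk.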
+++ b/img/cmsimage.php
@@ -124,7 +124,8 @@ if(is_intval($hash)) {
- @session_start();
+ $phpwcms['SESSION_START'] = true;
+ require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
 $file_public = empty($_SESSION["wcs_user_id"]) ? 'f_public=1' : '(f_public=1 OR f_uid='.intval($_SESSION["wcs_user_id"]).')';
 require_once(PHPWCMS_ROOT.'/include/inc_lib/dbcon.inc.php');
@@ -154,7 +155,8 @@
 } elseif(strlen($hash) === 32 && (!$ext || !is_file(PHPWCMS_ROOT.'/'.PHPWCMS_FILES.$hash.'.'.$ext))) {
- @session_start();
+ $phpwcms['SESSION_START'] = true;
+ require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
 $file_public = empty($_SESSION["wcs_user_id"]) ? 'f_public=1' : '(f_public=1 OR f_uid='.intval($_SESSION["wcs_user_id"]).')';
 require_once PHPWCMS_ROOT.'/include/inc_lib/dbcon.inc.php';
diff --git a/include/config/dist.conf.inc.php b/include/config/dist.conf.inc.php
index 453c5865f..3c24ab7f4 100644
--- a/include/config/dist.conf.inc.php
+++ b/include/config/dist.conf.inc.php
@@ -153,6 +153,8 @@ $phpwcms['markdown_extra'] = false; // Enable/disable Markdown Extra https://michelf.ca/projects/php-markdown/extra/
 $phpwcms['disable_generator'] = false; // Disable and header `X-phpwcms-Release`
 $phpwcms['disable_processed_in'] = false; // Hide header `X-phpwcms-Page-Processed-In`
+$phpwcms['session.cookie_httponly.off'] = false; // Set this to `true` if the session Cookie should also be accessible by JavaScript
+$phpwcms['session.cookie_samesite'] = 'Lax'; // Define the Cookie sameSite setting None (deprecated), Lax, Strict, use PHP 7.3+ otherwise it's not or not well supported
 // Email specific settings (based on phpMailer)
 $phpwcms['SMTP_FROM_EMAIL'] = 'info@localhost'; // reply/from email address
diff --git a/include/inc_act/act_addchat.php b/include/inc_act/act_addchat.php
index 29b464f3c..fca67f7b6 100644
--- a/include/inc_act/act_addchat.php
+++ b/include/inc_act/act_addchat.php
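Review bot: The comment on the new `session.cookie_samesite` line in dist.conf.inc.php describes `None` as deprecated, which is inaccurate and steers administrators wrong: `SameSite=None` is the current value for cookies that must be sent cross-site, and it is the one value browsers require to be paired with `Secure`. The comment also does not say what an empty value does, although `_initSession()` treats empty and non-empty settings differently. Suggested wording: `// SameSite attribute for the session cookie: 'Lax' (default), 'Strict', or 'None' (cross-site use; requires HTTPS and forces Secure). Leave empty to derive Secure from the site scheme only. Needs PHP 7.3+`. The identical text is emitted by setup.func.inc.php and setup.conf.inc.php and should be changed there as well.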
@@ -9,8 +9,7 @@
 *
 **/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';
 require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
diff --git a/include/inc_act/act_articlecontent.php b/include/inc_act/act_articlecontent.php
index 67bae65e1..1c0ee43e7 100644
--- a/include/inc_act/act_articlecontent.php
+++ b/include/inc_act/act_articlecontent.php
@@ -9,9 +9,7 @@
 *
 **/
-session_start();
-
-$phpwcms = array();
+$phpwcms = array('session_start' => true);
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';
 require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
diff --git a/include/inc_act/act_cache.php b/include/inc_act/act_cache.php
index 04ffe5512..acb733121 100644
--- a/include/inc_act/act_cache.php
+++ b/include/inc_act/act_cache.php
@@ -9,8 +9,7 @@
 *
 **/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';
 require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
diff --git a/include/inc_act/act_download.php b/include/inc_act/act_download.php
index 2579264fc..63e0335f7 100644
--- a/include/inc_act/act_download.php
+++ b/include/inc_act/act_download.php
@@ -9,8 +9,7 @@
 *
 **/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';
diff --git a/include/inc_act/act_export.php b/include/inc_act/act_export.php
index 870c229ba..2037020f2 100644
--- a/include/inc_act/act_export.php
+++ b/include/inc_act/act_export.php
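Review bot: The replacement line in act_articlecontent.php uses a lowercase key, `array('session_start' => true)`, while `helper.session.php` checks `!empty($phpwcms['SESSION_START'])`; PHP array keys are case-sensitive, so `_initSession()` is never called for this script and, with the old `session_start()` gone, `$_SESSION` stays empty here. Any authorisation in this action that relies on `$_SESSION['wcs_user_id']` would then fail closed, or be bypassed if no such check follows, and every other act_* hunk in this commit uses the upper-case key. Change it to `$phpwcms = array('SESSION_START' => true);`. The rest of the script is outside the hunk.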
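Review bot: The act_download.php hunk drops the explicit `session_start()` but, unlike the act_addchat.php and act_cache.php hunks above it, its context ends at `default.inc.php` with no `helper.session.php` include, and that helper is the only code that turns `$phpwcms['SESSION_START']` into a started session. If act_download.php does not require the helper further down, any `$_SESSION`-based permission check in that script now runs against an empty session. The same shape appears in the act_file, act_filecat, act_frontendcss, act_frontendsetup, act_ftptakeover, act_guestbook, act_message, act_phpinfo, act_startuptext, act_user and act_usergroup hunks, so each of those files should be confirmed to contain `require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';` before it touches `$_SESSION`. The file continues beyond the hunk.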
@@ -8,8 +8,7 @@ * @link http://www.phpwcms.org **/ -session_start(); -$phpwcms = array(); +$phpwcms = array('SESSION_START' => true); require_once '../../include/config/conf.inc.php'; require_once '../inc_lib/default.inc.php'; require_once PHPWCMS_ROOT . '/include/inc_lib/helper.session.php'; diff --git a/include/inc_act/act_file.php b/include/inc_act/act_file.php index db8b1f0f2..4fb750937 100644 --- a/include/inc_act/act_file.php +++ b/include/inc_act/act_file.php @@ -9,8 +9,7 @@ * **/ -session_start(); -$phpwcms = array(); +$phpwcms = array('SESSION_START' => true); require_once '../../include/config/conf.inc.php'; require_once '../inc_lib/default.inc.php'; diff --git a/include/inc_act/act_filecat.php b/include/inc_act/act_filecat.php index e8954129b..59ac9d46c 100644 --- a/include/inc_act/act_filecat.php +++ b/include/inc_act/act_filecat.php @@ -9,8 +9,7 @@ * **/ -session_start(); -$phpwcms = array(); +$phpwcms = array('SESSION_START' => true); require_once '../../include/config/conf.inc.php'; require_once '../inc_lib/default.inc.php'; diff --git a/include/inc_act/act_frontendcss.php b/include/inc_act/act_frontendcss.php index 8bc5a0947..00af1616f 100644 --- a/include/inc_act/act_frontendcss.php +++ b/include/inc_act/act_frontendcss.php @@ -9,8 +9,7 @@ * **/ -session_start(); -$phpwcms = array(); +$phpwcms = array('SESSION_START' => true); require_once '../../include/config/conf.inc.php'; require_once '../inc_lib/default.inc.php'; diff --git a/include/inc_act/act_frontendsetup.php b/include/inc_act/act_frontendsetup.php index f2eaa6ffe..2f449738a 100644 --- a/include/inc_act/act_frontendsetup.php +++ b/include/inc_act/act_frontendsetup.php @@ -9,8 +9,7 @@ * **/ -session_start(); -$phpwcms = array(); +$phpwcms = array('SESSION_START' => true); require_once '../../include/config/conf.inc.php'; require_once '../inc_lib/default.inc.php'; diff --git a/include/inc_act/act_ftptakeover.php b/include/inc_act/act_ftptakeover.php index 814eb580d..1b33e349f 100644 
--- a/include/inc_act/act_ftptakeover.php +++ b/include/inc_act/act_ftptakeover.php @@ -9,8 +9,7 @@ * **/ -session_start(); -$phpwcms = array(); +$phpwcms = array('SESSION_START' => true); $PHPWCMS_ROOT = dirname(dirname(dirname(__FILE__))); require_once $PHPWCMS_ROOT.'/include/config/conf.inc.php'; diff --git a/include/inc_act/act_guestbook.php b/include/inc_act/act_guestbook.php index 5c8060c17..f3d624959 100644 --- a/include/inc_act/act_guestbook.php +++ b/include/inc_act/act_guestbook.php @@ -9,8 +9,7 @@ * **/ -session_start(); -$phpwcms = array(); +$phpwcms = array('SESSION_START' => true); require_once '../../include/config/conf.inc.php'; require_once '../inc_lib/default.inc.php'; diff --git a/include/inc_act/act_message.php b/include/inc_act/act_message.php index 68f645fa5..a131b5592 100644 --- a/include/inc_act/act_message.php +++ b/include/inc_act/act_message.php @@ -9,8 +9,7 @@ * **/ -session_start(); -$phpwcms = array(); +$phpwcms = array('SESSION_START' => true); require_once '../../include/config/conf.inc.php'; require_once '../inc_lib/default.inc.php'; diff --git a/include/inc_act/act_phpinfo.php b/include/inc_act/act_phpinfo.php index d7fa20be0..4d38b46b6 100644 --- a/include/inc_act/act_phpinfo.php +++ b/include/inc_act/act_phpinfo.php @@ -9,8 +9,7 @@ * **/ -session_start(); -$phpwcms = array(); +$phpwcms = array('SESSION_START' => true); require_once '../../include/config/conf.inc.php'; require_once '../inc_lib/default.inc.php'; diff --git a/include/inc_act/act_schedule.php b/include/inc_act/act_schedule.php index a8767761c..299eeb58b 100644 --- a/include/inc_act/act_schedule.php +++ b/include/inc_act/act_schedule.php @@ -9,8 +9,7 @@ * **/ -session_start(); -$phpwcms = array(); +$phpwcms = array('SESSION_START' => true); require_once '../../include/config/conf.inc.php'; require_once '../inc_lib/default.inc.php'; require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php'; 
diff --git a/include/inc_act/act_sendnewsletter.php b/include/inc_act/act_sendnewsletter.php index 34f0c30f5..4399b1761 100644 --- a/include/inc_act/act_sendnewsletter.php +++ b/include/inc_act/act_sendnewsletter.php @@ -9,8 +9,8 @@ * **/ -session_start(); -$phpwcms = array(); +$phpwcms = array('SESSION_START' => true); + require_once '../../include/config/conf.inc.php'; require_once '../inc_lib/default.inc.php'; require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php'; diff --git a/include/inc_act/act_startuptext.php b/include/inc_act/act_startuptext.php index 8c3c79ab3..05f9ee1a8 100644 --- a/include/inc_act/act_startuptext.php +++ b/include/inc_act/act_startuptext.php @@ -9,8 +9,7 @@ * **/ -session_start(); -$phpwcms = array(); +$phpwcms = array('SESSION_START' => true); require_once '../../include/config/conf.inc.php'; require_once '../inc_lib/default.inc.php'; diff --git a/include/inc_act/act_structure.php b/include/inc_act/act_structure.php index ab77cd1d4..d8d81a064 100644 --- a/include/inc_act/act_structure.php +++ b/include/inc_act/act_structure.php @@ -12,8 +12,8 @@ //19-11-2004 Fernando Batista -> Copy article, Copy strutures http://fernandobatista.net //31-03-2005 Fernando Batista -> Copy/Cut Article Content http://fernandobatista.net -session_start(); -$phpwcms = array(); +$phpwcms = array('SESSION_START' => true); + require_once '../../include/config/conf.inc.php'; require_once '../inc_lib/default.inc.php'; require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php'; diff --git a/include/inc_act/act_upload.php b/include/inc_act/act_upload.php index 247b67a23..62c2dca79 100644 --- a/include/inc_act/act_upload.php +++ b/include/inc_act/act_upload.php 
@@ -9,20 +9,12 @@
 *
 **/
-session_start();
-
-if(empty($_SESSION["wcs_user_id"])) {
-
- die('{"success":false}');
-
-}
-
-$phpwcms = array();
-require '../../include/config/conf.inc.php';
-require '../inc_lib/default.inc.php';
+$phpwcms = array('SESSION_START' => true);
+require_once '../../include/config/conf.inc.php';
+require_once '../inc_lib/default.inc.php';
 require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
-if(!validate_csrf_get_token()) {
+if(empty($_SESSION["wcs_user_id"]) || !validate_csrf_get_token()) {
 die('{"success":false}');
 }
diff --git a/include/inc_act/act_user.php b/include/inc_act/act_user.php
index b8857cacd..d16b22c3d 100644
--- a/include/inc_act/act_user.php
+++ b/include/inc_act/act_user.php
@@ -9,8 +9,7 @@
 *
 **/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';
diff --git a/include/inc_act/act_usergroup.php b/include/inc_act/act_usergroup.php
index ec2017958..99a20b62d 100644
--- a/include/inc_act/act_usergroup.php
+++ b/include/inc_act/act_usergroup.php
@@ -9,8 +9,7 @@
 *
 **/
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
 require_once '../../include/config/conf.inc.php';
 require_once '../inc_lib/default.inc.php';
diff --git a/include/inc_act/ajax_connector.php b/include/inc_act/ajax_connector.php
index b3d31f1e4..f43bf0dad 100644
--- a/include/inc_act/ajax_connector.php
+++ b/include/inc_act/ajax_connector.php
@@ -11,8 +11,8 @@
 // general wrapper for ajax based queries
-session_start();
-$phpwcms = array();
+$phpwcms = array('SESSION_START' => true);
+
 require '../../include/config/conf.inc.php';
 require '../inc_lib/default.inc.php';
 require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
diff --git a/include/inc_front/content/cnt18.article.inc.php b/include/inc_front/content/cnt18.article.inc.php
index 45a6cb34d..f49d9581d 100644
--- a/include/inc_front/content/cnt18.article.inc.php +++ b/include/inc_front/content/cnt18.article.inc.php @@ -409,7 +409,7 @@ function($matches) { $guestbook['readform'] = 1; if($guestbook['cookie'] && $guestbook['time']) { - setcookie('phpwcms_guestbook'.$guestbook['cid'], time(), time()+intval($guestbook['time'])); + setcookie('phpwcms_guestbook'.$guestbook['cid'], time(), time()+intval($guestbook['time']), '/', getCookieDomain(), PHPWCMS_SSL, true); } // check if notify email should be sent diff --git a/include/inc_front/content/cnt28.article.inc.php b/include/inc_front/content/cnt28.article.inc.php index c9468757f..b67a4ec97 100644 --- a/include/inc_front/content/cnt28.article.inc.php +++ b/include/inc_front/content/cnt28.article.inc.php @@ -89,7 +89,9 @@ $_loginData['login'].'##-|-##'.md5($_loginData['password']).'##-|-##'.$_loginData['validate_db']['userdetail'].'##-|-##'.$_loginData['validate_db']['backenduser'], time()+$_loginData['felogin_cookie_expire'], '/', - getCookieDomain() + getCookieDomain(), + PHPWCMS_SSL, + true ); } diff --git a/include/inc_front/front.func.inc.php b/include/inc_front/front.func.inc.php index 4ee0c49d6..adba89880 100755 --- a/include/inc_front/front.func.inc.php +++ b/include/inc_front/front.func.inc.php @@ -3701,7 +3701,7 @@ function _checkFrontendUserAutoLogin() { // logout if(session_id() && (isset($_POST['feLogout']) || isset($_GET['feLogout']))) { unset($_SESSION[ session_id() ]); - setcookie('phpwcmsFeLoginRemember', '', time()-3600, '/', getCookieDomain() ); + setcookie('phpwcmsFeLoginRemember', '', time()-3600, '/', getCookieDomain(), PHPWCMS_SSL, true); } define('FEUSER_LOGIN_STATUS', _getFeUserLoginStatus() ); } diff --git a/include/inc_lib/backend.functions.inc.php b/include/inc_lib/backend.functions.inc.php index d362a9beb..729ce257f 100644 --- a/include/inc_lib/backend.functions.inc.php +++ b/include/inc_lib/backend.functions.inc.php 
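Review bot: The frontend remember-me cookie in cnt28.article.inc.php still carries `$_loginData['login']` and `md5($_loginData['password'])` in clear, so the added `PHPWCMS_SSL` and `true` arguments narrow who can read the cookie but not what a leaked one yields: an unsalted MD5 of the user's password that can be cracked offline and replayed wherever that password is reused. The flags are the right addition for this commit, but the value should become a random token, e.g. `bin2hex(random_bytes(32))`, stored hashed against the user record and checked in `_checkFrontendUserAutoLogin()`, with the expiry enforced server-side. The `setcookie()` call opens before this hunk, so the cookie name and the start of the value expression are not visible here.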
@@ -609,7 +609,7 @@ function set_status_message($msg='', $type='info', $replace=array()) { } function set_language_cookie() { - setcookie('phpwcmsBELang', $_SESSION["wcs_user_lang"], time()+(3600*24*365), '/', getCookieDomain() ); + setcookie('phpwcmsBELang', $_SESSION["wcs_user_lang"], time()+(3600*24*365), '/', getCookieDomain(), PHPWCMS_SSL, true); } // checks for alias and sets unique value @@ -939,8 +939,8 @@ function _dbSaveCategories($categories=array(), $type='', $pid=0, $seperator=',' function setItemsPerPage($default=25) { if( isset($_GET['showipp']) ) { - $ipp = intval( is_numeric($_GET['showipp']) ? $_GET['showipp'] : $default ); - setcookie('phpwcmsBEItemsPerPage', $ipp, time()+157680000, '/', getCookieDomain() ); + $ipp = intval(is_numeric($_GET['showipp']) ? $_GET['showipp'] : $default); + setcookie('phpwcmsBEItemsPerPage', $ipp, time()+157680000, '/', getCookieDomain(), PHPWCMS_SSL, true); } elseif(isset($_SESSION['PAGE_FILTER'])) { $ipp = $_SESSION['PAGE_FILTER']['IPP']; } elseif( isset($_COOKIE['phpwcmsBEItemsPerPage']) ) { diff --git a/include/inc_lib/default.inc.php b/include/inc_lib/default.inc.php index 091688dee..0281fca4f 100755 --- a/include/inc_lib/default.inc.php +++ b/include/inc_lib/default.inc.php 
@@ -949,6 +949,21 @@ function headerRedirect($target = '', $type = 0, $session_close = true) {
 }
 function _initSession() {
+ $GLOBALS['phpwcms']['session_cookie_params'] = session_get_cookie_params();
+ $GLOBALS['phpwcms']['session_cookie_params']['httponly'] = empty($GLOBALS['phpwcms']['session.cookie_httponly.off']) ? true : false;
+ $GLOBALS['phpwcms']['session_cookie_params']['domain'] = $GLOBALS['phpwcms']['parse_url']['host'];
+ $GLOBALS['phpwcms']['session_cookie_params']['path'] = PHPWCMS_BASEPATH;
+ if (empty($GLOBALS['phpwcms']['session.cookie_samesite'])) {
+ $GLOBALS['phpwcms']['session_cookie_params']['secure'] = PHPWCMS_SSL;
+ if (PHPWCMS_SSL && empty($GLOBALS['phpwcms']['session_cookie_params']['samesite'])) {
+ $GLOBALS['phpwcms']['session_cookie_params']['samesite'] = 'Lax';
+ }
+ } else {
+ $GLOBALS['phpwcms']['session_cookie_params']['secure'] = true;
+ $GLOBALS['phpwcms']['session_cookie_params']['samesite'] = $GLOBALS['phpwcms']['session.cookie_samesite'];
+ }
+ @session_set_cookie_params($GLOBALS['phpwcms']['session_cookie_params']);
+
 if (!session_id()) {
 session_start();
 }
diff --git a/include/inc_lib/general.inc.php b/include/inc_lib/general.inc.php
index 88f3d3c22..0fc384939 100755
--- a/include/inc_lib/general.inc.php
+++ b/include/inc_lib/general.inc.php
@@ -1581,13 +1581,15 @@ function parse_ini_str($Str, $ProcessSections = true, $SplitInNameValue = false) {
 }
 function getCookieDomain() {
- $domain = parse_url(PHPWCMS_URL);
- $domain = strtolower($domain['host']);
- if (strpos($domain, 'www') === 0) {
- $domain = substr($domain, 3);
+ if (empty($GLOBALS['phpwcms']['parse_url']['host'])) {
+ $domain = parse_url(PHPWCMS_URL);
+ $domain = strtolower($domain['host']);
+ if (strpos($domain, 'www') === 0) {
+ $domain = substr($domain, 3);
+ }
+ $GLOBALS['phpwcms']['parse_url']['host'] = $domain;
 }
-
- return $domain;
+ return $GLOBALS['phpwcms']['parse_url']['host'];
 }
 function _mkdir($target) {
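Review bot: With the shipped default `session.cookie_samesite = 'Lax'`, the `else` branch in `_initSession()` sets `secure = true` regardless of `PHPWCMS_SSL`, and a browser never returns a Secure cookie over plain http://, so on a non-TLS install the backend session cookie is dropped on every request and login cannot persist; only `SameSite=None` actually requires Secure, so the flag should be `PHPWCMS_SSL || $samesite === 'None'`. The array form of `session_set_cookie_params()` exists only from PHP 7.3, and on older runtimes the `@` hides the warning while none of the parameters (HttpOnly included) are applied, so a version branch falling back to the positional signature is needed if PHP below 7.3 is still supported. Reading `$GLOBALS['phpwcms']['parse_url']['host']` directly also assumes `getCookieDomain()` has already run, since that function is what fills the key in the general.inc.php hunk; calling it here avoids the undefined-index path, and leaving `domain` empty would give a stricter host-only session cookie. The rewrite below keeps the `session_start()` guard, which is unchanged.
```php
function _initSession() {
    $params = session_get_cookie_params();
    $params['httponly'] = empty($GLOBALS['phpwcms']['session.cookie_httponly.off']);
    $params['path'] = PHPWCMS_BASEPATH;
    $params['domain'] = getCookieDomain();
    $samesite = empty($GLOBALS['phpwcms']['session.cookie_samesite']) ? 'Lax' : $GLOBALS['phpwcms']['session.cookie_samesite'];
    // Secure must follow the real scheme: a Secure cookie is never sent back over http://,
    // which would lose the session. Only SameSite=None requires Secure.
    $params['secure'] = PHPWCMS_SSL || $samesite === 'None';
    $params['samesite'] = $samesite;
    $GLOBALS['phpwcms']['session_cookie_params'] = $params;
    if (PHP_VERSION_ID >= 70300) {
        session_set_cookie_params($params);
    } else {
        // array signature and SameSite need PHP 7.3+; keep path/domain/Secure/HttpOnly on older runtimes
        session_set_cookie_params($params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly']);
    }
    // … unchanged: session_start() guard …
```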
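Review bot: `getCookieDomain()` now caches into `$GLOBALS['phpwcms']['parse_url']['host']`, a key that `_initSession()` in default.inc.php reads directly instead of calling this function, so the two only agree when `getCookieDomain()` happens to run first; a private key such as `$GLOBALS['phpwcms']['cookie_domain']` would make the coupling explicit and keep `parse_url` from looking like a generic URL-parts cache. Note also that stripping a leading `www` leaves `.example.com`, and any non-empty Domain attribute makes the cookie visible to every subdomain; for the backend session cookie a host-only cookie (empty domain) is the tighter choice, so this helper suits the site-wide preference cookies better than the session. Both behaviours are pre-existing, but the new caching now hard-wires them for the session cookie as well.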
diff --git a/include/inc_lib/helper.session.php b/include/inc_lib/helper.session.php
index 6b36c2c67..cbe425eb3 100644
--- a/include/inc_lib/helper.session.php
+++ b/include/inc_lib/helper.session.php
@@ -8,6 +8,14 @@
 * @link http://www.phpwcms.org
 *
 **/
+if (!defined('PHPWCMS_ROOT')) {
+ die("You Cannot Access This Script Directly, Have a Nice Day.");
+}
+
+// Cookie settings
+if (!empty($phpwcms['SESSION_START'])) {
+ _initSession();
+}
 /**
 * Set session var.
diff --git a/include/inc_module/mod_ads/inc/ads.fe_init.inc.php b/include/inc_module/mod_ads/inc/ads.fe_init.inc.php
index c37e7d9c3..f3221d556 100644
--- a/include/inc_module/mod_ads/inc/ads.fe_init.inc.php
+++ b/include/inc_module/mod_ads/inc/ads.fe_init.inc.php
@@ -41,7 +41,7 @@ if(empty($_COOKIE['phpwcmsAdsUserId']) || !preg_match('/^[0-9a-f]{32}$/', ($ads_userid = $_COOKIE['phpwcmsAdsUserId']) ) ) {
 $ads_userid = md5($ads_userip.microtime());
- setcookie('phpwcmsAdsUserId', $ads_userid, time()+63072000, '/', getCookieDomain() );
+ setcookie('phpwcmsAdsUserId', $ads_userid, time()+63072000, '/', getCookieDomain(), PHPWCMS_SSL, true);
 }
 $sql = 'INSERT DELAYED INTO '.DB_PREPEND.'phpwcms_ads_tracking (';
diff --git a/include/inc_tmpl/be_start.tmpl.php b/include/inc_tmpl/be_start.tmpl.php
index bee964d6d..5a77fac45 100644
--- a/include/inc_tmpl/be_start.tmpl.php
+++ b/include/inc_tmpl/be_start.tmpl.php
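Review bot: The new block in helper.session.php depends on an include order that is not written down anywhere: `_initSession()` is defined in default.inc.php, `$phpwcms['SESSION_START']` must be set by the entry script before this file is required, and an entry script that sets the flag but never includes this helper silently runs without a session. A header comment would save the next maintainer from that trap, for example `// Starts the PHP session with the hardened cookie parameters when the entry script set $phpwcms['SESSION_START']. default.inc.php (which defines _initSession()) must be loaded first, and scripts that set the flag must include this file before touching $_SESSION.` The `PHPWCMS_ROOT` guard is a good addition; the remainder of the file is outside the hunk.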
@@ -24,15 +24,15 @@ if(isset($_POST['homeMaxArticles'])) { if($_phpwcms_home['homeMaxArticles'] = intval($_POST['homeMaxArticles'])) { - @setcookie('homeMaxArticles', strval($_phpwcms_home['homeMaxArticles']) , time()+31536000); // store cookie for 1 year + @setcookie('homeMaxArticles', strval($_phpwcms_home['homeMaxArticles']) , time()+31536000, '/', getCookieDomain(), PHPWCMS_SSL, true); // store cookie for 1 year } } if(isset($_POST['homeMaxCntParts'])) { if($_phpwcms_home['homeMaxCntParts'] = intval($_POST['homeMaxCntParts'])) { - @setcookie('homeMaxCntParts', strval($_phpwcms_home['homeMaxCntParts']) , time()+31536000); // store cookie for 1 year + @setcookie('homeMaxCntParts', strval($_phpwcms_home['homeMaxCntParts']) , time()+31536000, '/', getCookieDomain(), PHPWCMS_SSL, true); // store cookie for 1 year } $_phpwcms_home['homeCntType'] = clean_slweg($_POST['homeCntType']); - @setcookie('homeCntType', $_phpwcms_home['homeCntType'], time()+31536000); // store cookie for 1 year + @setcookie('homeCntType', $_phpwcms_home['homeCntType'], time()+31536000, '/', getCookieDomain(), PHPWCMS_SSL, true); // store cookie for 1 year $_SESSION['phpwcms_backend_search'] = ''; } diff --git a/include/inc_tmpl/content/cnt51.open.php b/include/inc_tmpl/content/cnt51.open.php index 8d7686c11..a297374fb 100644 --- a/include/inc_tmpl/content/cnt51.open.php +++ b/include/inc_tmpl/content/cnt51.open.php @@ -9,9 +9,8 @@ * **/ -session_start(); +$phpwcms = array('SESSION_START' => true); -$phpwcms = array(); require_once '../../../include/config/conf.inc.php'; require_once '../../../include/inc_lib/default.inc.php'; require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php'; diff --git a/login.php b/login.php index 3f9f4475d..2cfe2a7e5 100644 --- a/login.php +++ b/login.php @@ -9,9 +9,7 @@ * **/ -session_start(); - -$phpwcms = array(); +$phpwcms = array('SESSION_START' => true); $BL = array(); // Check if config is still at the old position 
@@ -102,7 +100,7 @@ if( isset( $BL[ $temp_lang ] ) ) { $_SESSION["wcs_user_lang"] = strtolower($temp_lang); } else { - setcookie('phpwcmsBELang', '', time() - 3600); + setcookie('phpwcmsBELang', '', time() - 3600, '/', getCookieDomain(), PHPWCMS_SSL, true); } } if(isset($_POST['form_lang'])) { diff --git a/phpwcms.php b/phpwcms.php index aef6a2d87..addfec42b 100644 --- a/phpwcms.php +++ b/phpwcms.php @@ -13,14 +13,12 @@ list($usec, $sec) = explode(' ', microtime()); $phpwcms_rendering_start = $usec + $sec; -session_start(); - //define used var names $body_onload = ''; $forward_to_message_center = false; $wcsnav = array(); $indexpage = array(); -$phpwcms = array(); +$phpwcms = array('SESSION_START' => true); $BL = array(); $BE = array('HTML' => '', 'BODY_OPEN' => array(), 'BODY_CLOSE' => array(), 'HEADER' => array(), 'LANG' => 'en'); $PHPWCMS_ROOT = dirname(__FILE__); diff --git a/setup/inc/setup.func.inc.php b/setup/inc/setup.func.inc.php index a78ee9850..e2a586f3c 100644 --- a/setup/inc/setup.func.inc.php +++ b/setup/inc/setup.func.inc.php @@ -286,6 +286,8 @@ function write_conf_file($val) { $conf_file .= "\$phpwcms['markdown_extra'] = false; // Enable/disable Markdown Extra https://michelf.ca/projects/php-markdown/extra/.\n"; $conf_file .= "\$phpwcms['disable_generator'] = false; // Disable and header `X-phpwcms-Release`\n"; $conf_file .= "\$phpwcms['disable_processed_in'] = false; // Hide header `X-phpwcms-Page-Processed-In`\n"; + $conf_file .= "\$phpwcms['session.cookie_httponly.off'] = false; // Set this to `true` if the session Cookie should also be accessible by JavaScript\n"; + $conf_file .= "\$phpwcms['session.cookie_samesite'] = 'Lax'; // Define the Cookie sameSite setting None (deprecated), Lax, Strict, use PHP 7.3+ otherwise it's not or not well supported\n"; $conf_file .= "\n// Email specific settings (based on phpMailer)\n"; $conf_file .= "\$phpwcms['SMTP_FROM_EMAIL'] = '" . escape_quote($val["SMTP_FROM_EMAIL"]) . "'; // reply/from email address\n"; 
diff --git a/setup/setup.conf.inc.php b/setup/setup.conf.inc.php index 09cd623c9..2d3c49252 100644 --- a/setup/setup.conf.inc.php +++ b/setup/setup.conf.inc.php @@ -153,6 +153,8 @@ $phpwcms['markdown_extra'] = false; // Enable/disable Markdown Extra https://michelf.ca/projects/php-markdown/extra/ $phpwcms['disable_generator'] = false; // Disable and header `X-phpwcms-Release` $phpwcms['disable_processed_in'] = false; // Hide header `X-phpwcms-Page-Processed-In` +$phpwcms['session.cookie_httponly.off'] = false; // Set this to `true` if the session Cookie should also be accessible by JavaScript +$phpwcms['session.cookie_samesite'] = 'Lax'; // Define the Cookie sameSite setting None (deprecated), Lax, Strict, use PHP 7.3+ otherwise it's not or not well supported // Email specific settings (based on phpMailer) $phpwcms['SMTP_FROM_EMAIL'] = 'info@localhost'; // reply/from email address diff --git a/template/inc_script/frontend_render/disabled/access_dialog.php b/template/inc_script/frontend_render/disabled/access_dialog.php index cacc4a9af..d39deb653 100644 --- a/template/inc_script/frontend_render/disabled/access_dialog.php +++ b/template/inc_script/frontend_render/disabled/access_dialog.php @@ -24,7 +24,7 @@ if(isset($_SESSION['phpwcmsAgree'])) { unset($_SESSION['phpwcmsAgree']); } - setcookie('phpwcmsAgree', '0', time()-1000000, '/'); + setcookie('phpwcmsAgree', '0', time()-1000000, '/', getCookieDomain(), PHPWCMS_SSL, true); if(isset($_POST['agree_redirect'])) { $redirect = clean_slweg($_POST['agree_redirect']); @@ -40,7 +40,7 @@ } else { - setcookie('phpwcmsAgree', '1', 0, '/'); + setcookie('phpwcmsAgree', '1', 0, '/', getCookieDomain(), PHPWCMS_SSL, true); $_SESSION['phpwcmsAgree'] = true; } diff --git a/template/inc_script/frontend_render/disabled/lang_replace.php b/template/inc_script/frontend_render/disabled/lang_replace.php index 87dfc2ea6..2002ed110 100644 --- a/template/inc_script/frontend_render/disabled/lang_replace.php 
+++ b/template/inc_script/frontend_render/disabled/lang_replace.php @@ -18,7 +18,7 @@ if(isset($_GET['lang'])) { $language_current = strtolower( substr($_GET['lang'], 0, 2) ); $_SESSION['phpwcmsFrontendLanguage'] = $language_current; - setcookie('phpwcmsFrontendLanguage', $language_current, time()+$language_cookie_duration, '/' ); + setcookie('phpwcmsFrontendLanguage', $language_current, time()+$language_cookie_duration, '/', getCookieDomain(), PHPWCMS_SSL, true); } elseif(isset($_SESSION['phpwcmsFrontendLanguage'])) { $language_current = $_SESSION['phpwcmsFrontendLanguage']; } elseif(isset($_COOKIE['phpwcmsFrontendLanguage'])) { @@ -27,7 +27,7 @@ if(!in_array($language_current, $phpwcms['allowed_lang'])) { $language_current = $language_default; $_SESSION['phpwcmsFrontendLanguage'] = $language_current; - setcookie('phpwcmsFrontendLanguage', $language_current, time()+$language_cookie_duration, '/' ); + setcookie('phpwcmsFrontendLanguage', $language_current, time()+$language_cookie_duration, '/', getCookieDomain(), PHPWCMS_SSL, true); } // init language replacements diff --git a/template/inc_script/frontend_render/disabled/switchCSS.php b/template/inc_script/frontend_render/disabled/switchCSS.php index a8706ce37..a3daf8cd7 100644 --- a/template/inc_script/frontend_render/disabled/switchCSS.php +++ b/template/inc_script/frontend_render/disabled/switchCSS.php @@ -24,7 +24,7 @@ $_user_CSS = clean_slweg($_GET['switchCSS']); // try to write FontSizeCookie - setcookie('switchCSS', $_user_CSS, time()+86400); + setcookie('switchCSS', $_user_CSS, time()+86400, '/', getCookieDomain(), PHPWCMS_SSL, true); } elseif(isset($_SESSION['switchCSS'])) { diff --git a/template/inc_script/frontend_render/disabled/switchFontSize.php b/template/inc_script/frontend_render/disabled/switchFontSize.php index c2f0d8cac..29a1199cd 100644 --- a/template/inc_script/frontend_render/disabled/switchFontSize.php +++ b/template/inc_script/frontend_render/disabled/switchFontSize.php 
@@ -22,7 +22,7 @@ $userFontSize = clean_slweg($_GET['switchFontSize']); // try to write FontSizeCookie - setcookie('switchFontSize', $userFontSize, time()+86400); + setcookie('switchFontSize', $userFontSize, time()+86400, '/', getCookieDomain(), PHPWCMS_SSL, true); } elseif(isset($_SESSION['FontSize'])) { $userFontSize = $_SESSION['FontSize'];
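Review bot: `switchFontSize` is a presentation preference, and the trailing `true` now makes it HttpOnly, which hides it from any template JavaScript that reads `document.cookie` to apply the chosen size client-side; if the templates this render script is shipped for do that, the change should be called out or the HttpOnly argument left `false` for this cookie specifically. The `$_SESSION['FontSize']` path is unaffected. Where the cookie is read back, which is outside this hunk, its value should be checked against the allowed sizes before being used in markup, since the `$_GET`-derived value is attacker-settable via a crafted link.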